Learning Linux tools is an inevitable part of learning for an ethical hacker. Many of these tools are essential for moving smoothly through their career projects. In this blog we will learn about the top 10 Linux commands every ethical hacker should know.
Introduction: Why Linux Matters in Security?
Linux is the backbone of the modern internet. There are no arguments against this fact. Linux powers many things worldwide, such as:
- Web servers
- Cloud infrastructure
- Enterprise databases
- Internet of things (IoT) devices
Mastering the basics of the Linux operating system is a fundamental need, not an optional choice, if you are planning to pursue a career as an ethical hacker, penetration tester, or in any other cybersecurity-related job.
The offensive environments, such as Kali Linux, Parrot Security OS, or BlackArch, as well as the target environments, have structures that are fundamentally built on Linux architecture. Therefore, the real power of a cybersecurity professional lies in understanding the Command-Line Interface (CLI). This doesn’t mean graphical tools and automated scanners are unimportant. But the speed, precision, and ability to script complex, automated workflows on the fly offered by CLI are unmatched.
Other than that, mastering built-in Linux binaries allows cybersecurity professionals to operate with more stealth. The amount of forensic footprint left behind can be minimized if one relies on native tools like find, grep, or tar. This is far better than dropping custom malware or noisy executables onto a target. In this blog, we will learn about the top 10 Linux commands every ethical hacker should know and guide you on how to use them effectively to:
- Navigate systems
- Manipulate files
- Analyze networks
- Conduct authorized assessments securely and effectively
At-a-glance Cheat Sheet
This blog covers many things, including specifics of syntax, defensive evasion, and complex attack chains. But before going deeper, it is better to have a brief overview. The cheat sheet table below summarizes the top 10 Linux commands every ethical hacker should know. Use this quick-reference guide when you need a revision or want to check something fast during a Capture the Flag (CTF) event, in the middle of an active penetration testing assessment, or even during a late-night troubleshooting session.
| Command | One-Line Purpose | Practical Example |
| nmap | Scans networks to find hosts and open ports. | nmap -sV -p- 192.168.1.100 |
| nc | Reads/writes network connections (the TCP/IP Swiss Army knife). | nc -lvnp 4444 |
| find | Searches the file system for specific files or permissions. | find / -perm -4000 -type f 2>/dev/null |
| grep | Searches text data for matching string patterns or regex. | grep -rn "password" /var/www/html |
| curl | Transfers data to or from a network server via URLs. | curl -I http://target.local |
| chmod | Changes file access permissions. | chmod +x payload.sh |
| ssh | Establishes secure, encrypted connections to remote systems. | ssh -D 9050 user@10.0.0.5 |
| ps | Displays currently running processes and PIDs. | ps aux \| grep root |
| tar | Archives multiple files into a single compressed package. | tar -czvf exfil.tar.gz /sensitive/data |
| tcpdump | Captures and analyzes network packet traffic in real-time. | tcpdump -i eth0 -w capture.pcap |
Top 10 Linux Commands Every Ethical Hacker Should Know
The top 10 Linux commands every ethical hacker should know are discussed in this section.
nmap (Network Mapper)
The nmap tool is a network mapper. The table below covers its attributes and usage, along with examples.
| Attribute | Details |
| What it Does |
|
| Typical Pentesting Use-Case |
|
| Example Command | $ nmap -sV -p 22,80 192.168.1.50
Starting Nmap 7.93
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5
80/tcp open http Apache httpd 2.4.41 |
| Alternatives / Complementary Tools |
|
| Defensive / Detection Notes |
|
| Common Mistakes / Gotchas |
|
nc (Netcat)
nc is another tool that is important to learn if you are an ethical hacker. More details are provided below.
| Attribute | Details |
| What it Does |
|
| Typical Pentesting Use-Case |
|
| Example Command | $ nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.1.10] from (UNKNOWN) [192.168.1.50] 53122
root@target:~# |
| Alternatives / Complementary Tools |
|
| Defensive / Detection Notes |
|
| Common Mistakes / Gotchas |
|
find
find is another important tool that ethical hackers need to learn. Its specifics are discussed below.
| Attribute | Details |
| What it Does |
|
| Typical Pentesting Use-Case |
|
| Example Command | $ find / -perm -4000 -type f 2>/dev/null
/usr/bin/passwd
/usr/bin/sudo
/usr/local/bin/custom_backup_script |
| Alternatives / Complementary Tools |
|
| Defensive / Detection Notes |
|
| Common Mistakes / Gotchas |
|
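A defender's counterpart to the find command above, as an added example that is not part of the original post: it lists SUID files under a directory and reports any that are missing from an approved baseline. The function names, the baseline format (one path per line) and the sample tree are constructed for illustration.

```shell
# suid_audit ROOT BASELINE
# Print SUID files under ROOT that are not listed in BASELINE (one path per line).
# Returns 0 when everything found is approved, 1 when something unexpected exists.
suid_audit() {
    root=$1
    baseline=$2
    found=$(mktemp) || return 2
    known=$(mktemp) || return 2
    # Same test as the page's command (-perm -4000 -type f); -xdev stays on one filesystem.
    find "$root" -xdev -perm -4000 -type f 2>/dev/null | sort > "$found"
    sort "$baseline" > "$known"
    # comm -23 keeps lines that appear only in the first (found) list.
    unexpected=$(comm -23 "$found" "$known")
    rm -f "$found" "$known"
    [ -z "$unexpected" ] && return 0
    printf '%s\n' "$unexpected"
    return 1
}

# Constructed sample tree mirroring the three paths in the page's output.
demo_suid_audit() {
    lab=$(mktemp -d) || return 2
    mkdir -p "$lab/usr/bin" "$lab/usr/local/bin"
    for f in usr/bin/passwd usr/bin/sudo usr/local/bin/custom_backup_script; do
        : > "$lab/$f"
        chmod 4755 "$lab/$f"        # set the SUID bit on the empty sample file
    done
    : > "$lab/usr/bin/ls"
    chmod 755 "$lab/usr/bin/ls"     # ordinary binary, must not be reported
    # Baseline approves only the two distribution binaries.
    printf '%s\n' "$lab/usr/bin/passwd" "$lab/usr/bin/sudo" > "$lab/baseline.txt"
    suid_audit "$lab" "$lab/baseline.txt" | sed "s|^$lab||"
    rm -rf "$lab"
}

demo_suid_audit
```

On a real host the baseline would come from a known-good image, and the audit would run on a schedule so that a newly added SUID file is flagged for review.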
grep
Another important tool to learn is grep. Its specifics are given below.
| Attribute | Details |
| What it Does |
|
| Typical Pentesting Use-Case | Sift through config files
Search source code directories
Extract hardcoded credentials, API keys, or PII during enumeration |
| Example Command | $ grep -rni "password" /var/www/html/
/var/www/html/config.php:22: $db_password = "SuperSecretDBPass123!";
/var/www/html/login.php:45: // Check if password matches |
| Alternatives / Complementary Tools |
|
| Defensive / Detection Notes |
|
| Common Mistakes / Gotchas |
|
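The grep output above contains one real finding and one comment that merely mentions the word. The following added example (not part of the original post) narrows the search to assignments of a quoted literal, the way a pre-deployment check would, and prints only file and line so the secret itself is not copied into logs. The function names, the regex and the sample files are constructed for illustration.

```shell
# scan_hardcoded_secrets DIR
# Print file:line for every assignment of a quoted literal to a name containing
# pass/secret/api_key/token. Returns 1 if anything is found, 0 otherwise.
scan_hardcoded_secrets() {
    dir=$1
    pattern="(pass(word|wd)?|secret|api_?key|token)[a-z0-9_]*[[:space:]]*(=>|=|:)[[:space:]]*[\"'][^\"']+[\"']"
    # -I skips binary files; cut drops the matched text and keeps file:line only.
    hits=$(grep -rnIiE -- "$pattern" "$dir" | cut -d: -f1,2)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Constructed sample web root: one hardcoded secret, one comment, one request
# parameter read, and one value loaded from the environment.
demo_secret_scan() {
    web=$(mktemp -d) || return 2
    cat > "$web/config.php" <<'EOF'
<?php
$db_host = "localhost";
$db_password = "SuperSecretDBPass123!";
EOF
    cat > "$web/login.php" <<'EOF'
<?php
// Check if password matches
$password = $_POST["password"];
EOF
    cat > "$web/config_fixed.php" <<'EOF'
<?php
$db_password = getenv("DB_PASSWORD");
EOF
    scan_hardcoded_secrets "$web" | sed "s|^$web/||"
    rm -rf "$web"
}

demo_secret_scan
```

Only the hardcoded assignment is reported; the comment, the `$_POST` read and the `getenv` version are not matched.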
curl
The curl tool is one of the basics that an ethical hacker has to learn when it comes to Linux commands. The details of the tool are as provided below.
| Attribute | Details |
| What it Does |
|
| Typical Pentesting Use-Case |
|
| Example Command | $ curl -I http://10.10.10.20
HTTP/1.1 200 OK
Date: Wed, 10 May 2026 12:00:00 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3 |
| Alternatives / Complementary Tools |
|
| Defensive / Detection Notes |
|
| Common Mistakes / Gotchas |
|
chmod / chown
chmod (change file permissions) and chown (change file ownership) are two more tools that need to be mentioned in the list. The table below lists what one needs to know about them.
| Attribute | Details |
| What it Does |
|
| Typical Pentesting Use-Case |
|
| Example Command | $ chmod +x linpeas.sh
$ ls -l linpeas.sh
-rwxr-xr-x 1 user user 824K May 10 12:05 linpeas.sh |
| Alternatives / Complementary Tools |
|
| Defensive / Detection Notes |
|
| Common Mistakes / Gotchas |
|
ssh (Secure Shell)
Another important tool that needs to be included in our list is ssh. A detailed overview of its usage, along with examples and other specifics, is provided below.
| Attribute | Details |
| What it Does |
|
| Typical Pentesting Use-Case |
|
| Example Command | $ ssh -D 9050 -q -N user@10.0.0.5
# (No output, but port 9050 is now open locally to route traffic) |
| Alternatives / Complementary Tools |
|
| Defensive / Detection Notes |
|
| Common Mistakes / Gotchas |
|
ps / top
Two more important tools that need to be in our list are ps (snapshot of running processes) and top (dynamic, real-time process view). The reasons why you should learn them are given below.
| Attribute | Details |
| What it Does |
|
| Typical Pentesting Use-Case |
|
| Example Command | $ ps aux \| grep root
root 1 0.0 0.1 167908 11468 ? Ss 09:01 0:01 /sbin/init
root 652 0.0 0.0 14564 5344 ? Ss 09:02 0:00 /usr/sbin/sshd -D |
| Alternatives / Complementary Tools |
|
| Defensive / Detection Notes |
|
| Common Mistakes / Gotchas |
|
tar / zip
Some other tools that are also important enough to be added to this list are tar (archive & compress files) and zip (package files into compressed archives). The details are as given below.
| Attribute | Details |
| What it Does |
|
| Typical Pentesting Use-Case |
|
| Example Command | $ tar -czvf loot.tar.gz /var/www/html/config /etc/shadow
tar: Removing leading `/' from member names
/var/www/html/config/
/var/www/html/config/db.php
/etc/shadow |
| Alternatives / Complementary Tools |
|
| Defensive / Detection Notes |
|
| Common Mistakes / Gotchas |
|
tcpdump
The last tool we are going to discuss in our blog is tcpdump. The specifics of the said tool are as given below.
| Attribute | Details |
| What it Does |
|
| Typical Pentesting Use-Case |
|
| Example Command | $ tcpdump -i eth0 -w capture.pcap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C14 packets captured
14 packets received by filter |
| Alternatives / Complementary Tools |
|
| Defensive / Detection Notes |
|
| Common Mistakes / Gotchas |
|
Real Mini-Lab: Bringing It All Together
If you want to truly understand Linux commands, you have to chain them together so that they form a logical workflow. This mini-lab walks through a simulated scenario showing how these tools connect during an assessment. The scenario moves from external reconnaissance to local enumeration and finally to data capture.
| Phase | Tool | Example Command | Result / Purpose |
| Reconnaissance | nmap | $ nmap -sV -p 80 10.10.10.20 | Apache web server detected on port 80 |
| Interaction | curl | $ curl -i http://10.10.10.20 | Inspect headers & HTML; vulnerable plugin version spotted |
| Exploitation & Access | nc (Netcat) | $ nc -lvnp 4444 | Listener catches reverse shell; stable foothold established |
| Enumeration | ps / find | $ ps aux \| grep root $ find /var/www/ -name "*.php" 2>/dev/null | Identify running processes; locate configuration files |
| Credential Hunting | grep | $ grep -rni "db_pass" /var/www/html/ | Extract hardcoded MySQL credentials |
| Data Capture | tar + ssh | $ tar -czvf web_backup.tar.gz /var/www/html/configs/ | Package sensitive configs; exfiltrate via SSH tunnel |
Safety and Ethics
It is important to remember that the tools and techniques we have described in this blog should be used keeping laws and ethics in mind. What differentiates an ethical hacker from a malicious threat actor is authorization. You must never use tools like nmap, nc, or tcpdump against networks, servers, or applications that you do not own or do not have explicit, documented permission to test. Unauthorized access, scanning, or data extraction is illegal and violates computer fraud and abuse laws worldwide. Always ensure that you:
- Are operating within a defined scope
- Have signed Rules of Engagement (RoE)
- Prioritize the stability and integrity of the systems you are assessing.
You should use these skills to defend, patch, and protect the systems.
Conclusion
The Linux command line is the ultimate workspace for cybersecurity professionals. Mastering the tools discussed above lets you understand how systems interact without relying on automated "point-and-click" tools. Once you know the tools, the next step is to apply them: as in any other craft, practical application is what solidifies knowledge in ethical hacking. You can put your skills to the test by spinning up a virtual machine and joining platforms like Hack The Box, TryHackMe, etc. Bookmark this cheat sheet, set up your home lab, and start practicing these essential Linux commands today.
Frequently Asked Questions
Do I need to memorize all these Linux flags?
No. While memorizing common flags (like nmap -sV or tar -czvf) speeds up your workflow, the most important command to know is man. Typing man [command] (e.g., man grep) opens the manual page, explaining every flag. Using --help is also a great quick reference.
Why is using chmod 777 considered bad practice?
Setting permissions to 777 grants read, write, and execute permissions to the owner, the group, and every other user on the system. It is a massive security risk. In ethical hacking, OPSEC (Operational Security) is vital; leaving a payload globally writable means a defender (or another attacker) can easily modify or inspect it.
Is Kali Linux required to use these commands?
Not at all. Almost all the commands listed (find, grep, ps, tar, chmod, ssh, curl) are native to virtually every Linux distribution, from Ubuntu to CentOS. Tools like nmap or nc can be easily installed on any standard Linux system via the native package manager (like apt or yum).
How do Windows environments factor into this?
While this guide focuses on Linux, many modern attacks involve cross-platform networks. Windows has its own command line (PowerShell and CMD). However, with the advent of Windows Subsystem for Linux (WSL), you can now run native Linux commands directly on Windows machines, making these skills even more universally applicable.
What is the difference between curl and wget?
Both download data, but they operate differently. wget is primarily a simple file downloader that can recursively mirror directories. curl is designed to be a complex data transfer tool that supports a wider array of protocols, HTTP methods (POST, PUT), and is generally preferred for interacting with APIs or testing web parameters.
Can tcpdump read encrypted HTTPS traffic?
No. tcpdump captures the packets exactly as they are transmitted over the wire. If the traffic is encrypted via TLS/SSL (like HTTPS or SSH), tcpdump will only show the encrypted ciphertext. You would need the session keys to decrypt the packet capture later in a tool like Wireshark.





