Papadope Course

Lesson 3 - System Reconnaissance (08/11/25)

Basic commands for system and network enumeration - essential for pentesting.


ip

Interface, address and routing information from iproute2 (the modern replacement for ifconfig, route and arp).

ip addr show                                     # show all network interfaces
ip a                                             # short version
ip addr show eth0                                # info for specific interface
ip route                                         # routing table
ip neigh                                         # neighbor table (ARP cache for IPv4, NDP cache for IPv6)

ss

Socket statistics - display active connections and listening ports.

ss -tuln                                         # TCP/UDP listening ports (numeric)
ss -tunap                                        # all connections + processes
ss -tulpn                                        # listening ports with process names (root needed to see other users' processes)
ss -t state established                          # only active TCP connections
ss -o state established                          # with timer information
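
Added example (not part of the lesson): a small parser for ss output that separates sockets bound only to loopback from sockets reachable from the network, which is the distinction that matters during enumeration. The sample lines below are constructed to look like the output of `ss -tulpnH` (the -H flag drops the header); on a real host pipe the live output in instead. Column positions and the process-name parsing are assumptions based on the ss output format.

```bash
#!/usr/bin/env bash
# Added example: classify listening sockets from `ss -tulpnH` output as
# loopback-only or exposed. The sample below is constructed; on a real host
# replace it with:  sudo ss -tulpnH | classify_listeners
set -u

# Constructed sample of `ss -tulpnH` (Netid State Recv-Q Send-Q Local Peer Process)
SAMPLE_SS='udp   UNCONN 0  0      127.0.0.53%lo:53     0.0.0.0:*    users:(("systemd-resolve",pid=612,fd=13))
tcp   LISTEN 0  128    0.0.0.0:22           0.0.0.0:*    users:(("sshd",pid=880,fd=3))
tcp   LISTEN 0  511    127.0.0.1:6379       0.0.0.0:*    users:(("redis-server",pid=1021,fd=6))
tcp   LISTEN 0  4096   *:3306               *:*          users:(("mysqld",pid=1203,fd=21))
tcp   LISTEN 0  128    [::]:80              [::]:*       users:(("nginx",pid=1340,fd=6))'

# classify_listeners: reads ss lines on stdin, prints one line per socket:
#   proto address port process scope
# scope is "loopback" for 127.x.x.x / ::1 binds and "exposed" for anything else
# (0.0.0.0, *, ::, or a specific interface address).
classify_listeners() {
  awk '{
    proto = $1
    local = $5
    # the port follows the last colon; the address is everything before it
    n = split(local, parts, ":")
    port = parts[n]
    addr = substr(local, 1, length(local) - length(port) - 1)
    # strip IPv6 brackets and the interface scope suffix (127.0.0.53%lo)
    gsub(/\[|\]/, "", addr); sub(/%.*/, "", addr)
    proc = "-"
    if (match($0, /users:\(\("[^"]+"/)) {
      proc = substr($0, RSTART + 9, RLENGTH - 10)
    }
    scope = (addr ~ /^127\./ || addr == "::1") ? "loopback" : "exposed"
    print proto, addr, port, proc, scope
  }'
}

# exposed_listeners: only the sockets an attacker on the network can reach.
exposed_listeners() {
  classify_listeners | awk '$5 == "exposed"'
}

printf '%s\n' "$SAMPLE_SS" | classify_listeners
echo "--- exposed only ---"
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```

On the constructed sample, redis and the stub resolver are loopback-only while sshd, mysqld and nginx are exposed; mysqld bound to * on 3306 is the kind of finding that should go straight into the report.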

netstat

Older alternative to ss from the deprecated net-tools package; still found on older systems and in many write-ups.

netstat -tuln                                    # listening ports
netstat -tunap                                   # all connections
netstat -rn                                      # routing table (numeric)

curl

HTTP client for downloads, testing APIs, and web enumeration.

curl https://example.com                         # simple GET request
curl -I https://example.com                      # headers only (sends a HEAD request)
curl -o output.html https://example.com          # save to file
curl -L https://example.com                      # follow redirects
curl -X POST -d "user=admin" https://api.com     # POST with form data (-d alone already implies POST)
curl -A "MyBot/1.0" https://example.com          # custom User-Agent
curl -s https://example.com | grep "title"       # silent mode + grep

wget

Download utility - useful for file downloads and mirroring.

wget https://example.com/file.zip                # download file
wget -O custom_name.zip https://example.com/f    # custom filename
wget -r -np https://example.com/directory/       # recursive download (no parent)
wget -c https://example.com/large_file.iso       # continue interrupted download

ps

Process listing - which processes are running.

ps aux                                           # all processes (BSD style)
ps -ef                                           # all processes (UNIX style)
ps aux | grep apache                             # find specific process
ps -u username                                   # processes of specific user
ps -eo pid,user,%cpu,%mem,cmd --sort=-%cpu      # custom format, sorted by CPU

top / htop

Interactive real-time process monitoring.

top                                              # basic usage
top -u username                                  # only for specific user
htop                                             # more user-friendly (if installed)

In top: press q to exit, k to kill process, M to sort by memory.


kill / pkill

Terminate processes.

kill 1234                                        # terminate process with PID 1234
kill -9 1234                                     # force kill (SIGKILL)
kill -15 1234                                    # graceful termination (SIGTERM)
pkill firefox                                    # terminate by name
killall apache2                                  # terminate all with name
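
Added example (not part of the lesson): a function that does what the "try -15 first" advice recommends, in one step. It sends SIGTERM, polls the process for a grace period, and only escalates to SIGKILL if the process is still running. Liveness is read from /proc/PID/status so that a child that has already exited but not yet been reaped (a zombie, for which `kill -0` still succeeds) is not mistaken for a live process. The demo at the bottom uses a plain `sleep` as a cooperative target and a bash loop that ignores SIGTERM as a stubborn one; the fractional `sleep 0.1` assumes GNU or busybox sleep.

```bash
#!/usr/bin/env bash
# Added example: SIGTERM first, SIGKILL only if needed.
set -u

# is_alive PID -> 0 if the process exists and is not a zombie.
# /proc/PID/status is Linux-specific (assumption for this example).
is_alive() {
  local state
  state=$(awk '/^State:/ {print $2}' "/proc/$1/status" 2>/dev/null)
  [ -n "$state" ] && [ "$state" != "Z" ]
}

# graceful_kill PID [GRACE_SECONDS]
# Returns 0 if the process ended after SIGTERM, 1 if SIGKILL was required,
# 2 if no such process existed. Polls every 0.1 s.
graceful_kill() {
  local pid=$1 grace=${2:-5} waited=0
  is_alive "$pid" || return 2
  kill -TERM "$pid" 2>/dev/null
  while is_alive "$pid"; do
    if [ "$waited" -ge $((grace * 10)) ]; then
      kill -KILL "$pid" 2>/dev/null
      wait "$pid" 2>/dev/null   # reap it if it is our child
      return 1
    fi
    sleep 0.1
    waited=$((waited + 1))
  done
  wait "$pid" 2>/dev/null       # reap the terminated child
  return 0
}

# Demo: a cooperative process (sleep exits on SIGTERM) ...
sleep 60 &
coop=$!
graceful_kill "$coop" 2 && echo "pid $coop ended on SIGTERM"

# ... and a stubborn one that installs an empty SIGTERM handler.
bash -c 'trap "" TERM; while :; do sleep 1; done' &
stubborn=$!
sleep 0.3   # give it time to install the trap before we signal it
graceful_kill "$stubborn" 1 || echo "pid $stubborn ignored SIGTERM, SIGKILL was used"
```

Use a grace period long enough for the service to flush and close files (databases and web servers often need several seconds); SIGKILL cannot be caught, so anything the process had not written is lost.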

whoami / id

Current user information.

whoami                                           # username
id                                               # UID, GID, groups
id username                                      # info for specific user
groups                                           # groups of current user

sudo

Execute commands as root or another user.

sudo command                                     # execute as root
sudo -u www-data command                         # execute as specific user
sudo -i                                          # root shell
sudo -l                                          # which commands can I run with sudo

chmod / chown

Change file permissions and ownership.

chmod 755 script.sh                              # rwxr-xr-x
chmod +x script.sh                               # add execute permission
chmod -R 644 /var/www/html                       # recursive; careful: 644 on a directory removes x, so it can no longer be entered
chown user:group file.txt                        # change owner and group
chown -R www-data:www-data /var/www              # recursive ownership change
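
Added example (not part of the lesson): why `chmod -R 644` on a web root is a mistake, and the usual way to do it correctly. A directory needs the execute (search) bit to be traversed, so a recursive 644 locks everyone out of every subdirectory; the fix is to set directory and file modes separately with find. The throwaway tree, its paths and the `fix_web_perms` name are assumptions for this example; `stat -c %a` is the GNU form.

```bash
#!/usr/bin/env bash
# Added example: correct recursive permissions for a web root
# (755 on directories, 644 on files) versus the broken `chmod -R 644`.
set -u

# fix_web_perms ROOT [DIR_MODE] [FILE_MODE]
# Applies DIR_MODE to every directory and FILE_MODE to every regular file.
fix_web_perms() {
  local root=$1 dmode=${2:-755} fmode=${3:-644}
  find "$root" -type d -exec chmod "$dmode" {} +
  find "$root" -type f -exec chmod "$fmode" {} +
}

# mode_of PATH -> octal permission bits (GNU stat)
mode_of() {
  stat -c '%a' "$1"
}

# Constructed demo tree that mimics a web root with a world-writable script.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/html/assets"
printf 'hello\n' > "$demo_root/html/index.html"
printf '#!/bin/sh\necho hi\n' > "$demo_root/html/assets/deploy.sh"
chmod 777 "$demo_root/html/assets/deploy.sh"

# The lesson's recursive form: directories end up 644 and cannot be entered
# (as root the cd below still succeeds, because root bypasses mode bits).
broken_copy=$(mktemp -d)
cp -r "$demo_root/html" "$broken_copy/"
chmod -R 644 "$broken_copy/html"
echo "after chmod -R 644: html dir is $(mode_of "$broken_copy/html")"
( cd "$broken_copy/html/assets" 2>/dev/null ) && echo "can enter assets" || echo "cannot enter assets (x bit gone)"

# The correct form: 755 on directories, 644 on files, the 777 script fixed too.
fix_web_perms "$demo_root/html"
echo "after fix_web_perms: dir $(mode_of "$demo_root/html"), file $(mode_of "$demo_root/html/index.html"), script $(mode_of "$demo_root/html/assets/deploy.sh")"

# Cleanup: restore u+rwx first, since rm cannot unlink inside a 644 directory.
chmod -R u+rwx "$broken_copy"; rm -rf "$broken_copy" "$demo_root"
```

The same find pattern is how to audit rather than fix: `find /var/www -type f -perm -o+w` lists world-writable files that an attacker with any local account could modify.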

uname / hostname

System information.

uname -a                                         # all system information
uname -r                                         # kernel version
uname -m                                         # architecture (x86_64, aarch64, etc)
hostname                                         # machine name
hostname -I                                      # system IP addresses

w / who / uptime

Who is logged in and how long the system has been running.

w                                                # logged-in users + what they're doing
who                                              # logged-in users (simpler)
uptime                                           # how long system running + load average
last                                             # login/logout history

Useful Pentesting Combinations

# Find listening ports with their processes
sudo ss -tulpn | grep LISTEN                     # -l already restricts to listening sockets; the grep only drops the UDP lines

# Find which user is running specific service
ps aux | grep -i apache | grep -v grep

# List the sudo rules for the current user (NOPASSWD entries run without a password)
sudo -l

# Find SUID binaries (privilege escalation candidates; compare against the distribution defaults)
find / -perm -4000 -type f 2>/dev/null

# Network interfaces and IPs
ip -br addr show

# Active connections with IPs
ss -tunap | grep ESTAB

# Download and execute a script (dangerous: runs whatever the server, or anyone in the path, returns; download, inspect and verify the hash first)
curl -s https://example.com/script.sh | bash
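
Added example (not part of the lesson): the safer counterpart to `curl -s URL | bash`. The script is saved to a file, its SHA-256 is compared with a hash obtained out of band (the publisher's page, a signed release note), and it is executed only on a match. So that the example runs offline, the "download" is a local copy of a constructed file; on a real host replace the body of `fetch_script` with `curl -fsSL "$url" -o "$dest"`. The function names and the two constructed scripts are assumptions for this example.

```bash
#!/usr/bin/env bash
# Added example: fetch, verify SHA-256, then run, instead of piping curl into bash.
set -u

# fetch_script SOURCE DEST  (stand-in for curl -fsSL SOURCE -o DEST; copies a local file)
fetch_script() {
  cp "$1" "$2"
}

# verify_sha256 FILE EXPECTED_HEX -> 0 if the digest matches
verify_sha256() {
  local actual
  actual=$(sha256sum "$1" | awk '{print $1}')
  [ "$actual" = "$2" ]
}

# run_verified SOURCE EXPECTED_HEX
# Returns the script's exit status after running a matching file,
# or 1 without executing anything if the fetch fails or the hash differs.
run_verified() {
  local src=$1 expected=$2 tmp rc
  tmp=$(mktemp) || return 1
  fetch_script "$src" "$tmp" || { rm -f "$tmp"; return 1; }
  if ! verify_sha256 "$tmp" "$expected"; then
    echo "checksum mismatch for $src, refusing to execute" >&2
    rm -f "$tmp"
    return 1
  fi
  bash "$tmp"
  rc=$?
  rm -f "$tmp"
  return "$rc"
}

# Constructed stand-ins for the published script and for a tampered copy.
good=$(mktemp); printf '#!/bin/bash\necho "installer running as $(id -un)"\n' > "$good"
bad=$(mktemp);  printf '#!/bin/bash\necho "installer running"; echo "extra step added by an attacker"\n' > "$bad"
# The hash a publisher would list next to the download link.
GOOD_HASH=$(sha256sum "$good" | awk '{print $1}')

run_verified "$good" "$GOOD_HASH" && echo "good copy: executed"
run_verified "$bad" "$GOOD_HASH" || echo "tampered copy: blocked"
rm -f "$good" "$bad"
```

The hash has to come from somewhere other than the server that serves the script, otherwise a compromised host or a man-in-the-middle on a plaintext connection can replace both. With `-s` and no `-f`, curl also hides transfer errors, so a truncated script may get executed halfway; `-fsSL` fails loudly instead.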

Security Notes

  • Use sudo carefully - never run untrusted commands as root.
  • kill -9 is aggressive - try kill -15 first.
  • SUID binaries can be used for privilege escalation.
  • Always check sudo -l in pentest engagements for misconfigured permissions.