A complete guide to Linux system information and enumeration commands used for user management, process monitoring, package management, privilege escalation checks, SUID discovery, and system auditing. Essential for system administrators and cybersecurity professionals.
Linux System Information & Enumeration Commands (SysAdmin & Security Guide)
Host / identity / login info
nmblookup -A <ip> What it does: Queries NetBIOS name service to get the Windows/SMB hostname (and workgroup) for an IP (UDP/137). Example:
nmblookup -A 192.168.1.10
id What it does: Shows current user’s UID, GIDs, and group memberships. Great for checking privileges quickly.
w What it does: Shows who is logged in and what they are doing (TTY, remote IP, idle time, current command).
who -a What it does: Detailed logged-in user information (includes system boot time, runlevel on some systems, login processes).
last -a What it does: Shows login history from /var/log/wtmp (adds hostname/IP at the end with -a). Useful for auditing.
Process listing / runtime inspection
ps -ef What it does: Full process list snapshot.
-e = every process
-f = full format (UID, PID, PPID, start time, cmdline)
top What it does: Real-time view of CPU/mem usage and processes.
Disk / memory / kernel / OS info
df -h What it does: Shows filesystem disk space usage.
-h human readable (GiB/MiB)
free -h What it does: Shows RAM and swap usage.
uname -a What it does: Prints kernel name/version and architecture info (quick “what kernel and CPU arch is this?”).
mount What it does: Lists currently mounted filesystems (and mount options). Useful to find NFS, SMB mounts, noexec, etc.
cat /etc/issue What it does: Displays OS “banner” text (often distro name/version). Not always accurate, but quick.
cat /etc/*release (most commonly /etc/os-release) What it does: Displays OS release/version info (usually authoritative). Examples:
cat /etc/os-release
cat /etc/*release
cat /proc/version What it does: Kernel version + compiler/build info (sometimes includes build user/host).
Users and accounts
getent passwd What it does: Lists users from the system’s Name Service Switch (NSS). This includes local users and also LDAP/AD/etc if configured. More complete than just reading /etc/passwd.
PATH / command discovery / shells
PATH=$PATH:/home/mypath What it does: Temporarily appends /home/mypath to your PATH for the current shell session. Note: Use export if you want child processes to inherit it:
export PATH="$PATH:/home/mypath"
which tcsh (and similarly: which csh, which ksh, which bash) What it does: Shows the path of an executable that would run from your current PATH. Examples:
which bash
which ksh
chmod -s /bin/tcsh What it does: Removes the SUID/SGID bit from a binary (disabling “run as owner/group” behavior). Important: This does not “force bash”; it just removes special permission bits if they were set. Example:
sudo chmod -s /bin/tcsh
Killing processes
kill <pid> What it does: Sends a signal to a process (default is SIGTERM = request graceful stop).
Useful variants:
find / -perm -4000 -type f -exec ls -la {} \; 2>/dev/null What it does: Finds SUID files (permission bit 4000) and lists them with details; hides permission errors.
(\; is the usual terminator for the -exec clause.)
find / -uid 0 -perm -4000 -type f 2>/dev/null What it does: Finds SUID files owned by root (common privilege escalation audit target).
find / -writable ! -user "$(whoami)" -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null What it does: Finds files that are writable but not owned by the current user, excluding proc/sys pseudo-filesystems; prints details. Useful for misconfigurations.
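Added example (not part of the original guide): the SUID searches above turned into a repeatable audit that reports only SUID/SGID files missing from an approved baseline. The function name suid_drift and the one-path-per-line baseline file are assumptions made for this example.

```shell
#!/bin/sh
# Added example: suid_drift and the baseline file format are assumptions,
# not part of the original guide.
# Usage: suid_drift DIR BASELINE
#   DIR       directory tree to scan ("/" for a full audit)
#   BASELINE  text file, one approved absolute path per line
# Prints "kind<TAB>owner<TAB>path" for each SUID/SGID file not in BASELINE.
suid_drift() {
    root=$1
    baseline=$2
    if [ ! -d "$root" ] || [ ! -r "$baseline" ]; then
        echo "usage: suid_drift DIR BASELINE" >&2
        return 2
    fi
    # Same test as the find commands above, extended to SGID (bit 2000).
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    sort |
    while IFS= read -r path; do
        # -F fixed string, -x whole line: exact path match only.
        if grep -Fxq -- "$path" "$baseline"; then
            continue
        fi
        kind=""
        if [ -u "$path" ]; then kind="suid"; fi
        if [ -g "$path" ]; then kind="${kind:+$kind+}sgid"; fi
        owner=$(ls -ld -- "$path" | awk '{print $3}')
        printf '%s\t%s\t%s\n' "$kind" "$owner" "$path"
    done
}

# Run as a script: sh suid_drift.sh DIR BASELINE
if [ "$#" -eq 2 ]; then
    suid_drift "$1" "$2"
fi
```

To create the first baseline on a known-good system, run it with /dev/null as BASELINE and save the third column after review. Anything it prints later is a file that gained the SUID/SGID bit since then; chmod -s clears the bits where they are not wanted.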
Important additions for “system information”
OS / hardware / environment
hostnamectl: Hostname + OS + kernel + virtualization info (systemd systems)
uptime: How long system has been up + load average