If you want to become an ethical hacker or penetration tester, Bash (the Linux shell) is your most powerful tool. Bash allows you to interact with the Linux system, automate tasks, and run security tools efficiently.
In Africa, where many learners rely on lightweight setups like Kali Linux on older laptops, VirtualBox labs, or even Raspberry Pi devices, learning Bash commands is the most affordable and effective way to sharpen your pentesting skills.
This guide will walk you through essential Bash commands for pentesters with step-by-step instructions and real examples you can practice in your lab.
Why Pentesters Need Bash
Before we dive into commands, let’s understand why Bash is so critical in ethical hacking:
- Automation – Pentesters can automate scanning, enumeration, and exploitation with simple Bash scripts.
- Flexibility – Every hacking tool (Nmap, Hydra, Metasploit) runs better when controlled from the Bash shell.
- Speed – Bash helps you chain commands together, saving time during engagements.
- Universality – Whether in Nigeria, Kenya, Ghana, or South Africa, Linux + Bash is free and works everywhere.
👉 Hacker Tip for Africans: If your laptop is slow, use lightweight Linux distros like Kali Light or Parrot Home Edition. Bash works the same everywhere!
Step 1: Navigating the File System
Pentesters often need to move through directories, find configuration files, and analyze logs.
Commands:
pwd # Shows current directory
ls -la # Lists files (including hidden ones)
cd /etc # Change directory
Example:
└─$ pwd
/home/ehis/nebitex
┌──(ehis㉿ehis)-[~/nebitex]
└─$ ls -la
total 12
drwxr-xr-x 3 ehis ehis 4096 Sep 6 01:06 .
drwx------ 32 ehis ehis 4096 Sep 2 08:26 ..
-rw-r--r-- 1 ehis ehis 0 Jul 11 2024 payloads.txt
drwxr-xr-x 2 ehis ehis 4096 Sep 6 01:07 scripts
┌──(ehis㉿ehis)-[~/nebitex]
└─$ cd scripts
┌──(ehis㉿ehis)-[~/nebitex/scripts]
└─$ ls
attack.sh
✅ Listing /etc the same way (cd /etc, then ls -la) shows files like passwd, shadow, and hosts. These are gold mines for pentesters, containing user info, password hashes, and network configs.
Step 2: Reading and Searching Files
During penetration testing, you often look for credentials, configs, or API keys inside files.
Commands:
cat filename # Display file contents
less filename # View long files page by page
grep keyword file # Search for a keyword
Example:
─$ cat /etc/passwd
root:x:0:0:root:/root:/usr/bin/zsh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
mysql:x:100:107:MySQL Server,,,:/nonexistent:/bin/false
tss:x:101:108:TPM software stack,,,:/var/lib/tpm:/bin/false
strongswan:x:102:65534::/var/lib/strongswan:/usr/sbin/nologin
systemd-timesync:x:997:997:systemd Time Synchronization:/:/usr/sbin/nologin
redsocks:x:103:109::/var/run/redsocks:/usr/sbin/nologin
rwhod:x:104:65534::/var/spool/rwho:/usr/sbin/nologin
iodine:x:105:65534::/run/iodine:/usr/sbin/nologin
messagebus:x:106:111::/nonexistent:/usr/sbin/nologin
miredo:x:107:65534::/var/run/miredo:/usr/sbin/nologin
redis:x:108:114::/var/lib/redis:/usr/sbin/nologin
usbmux:x:109:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
mosquitto:x:110:116::/var/lib/mosquitto:/usr/sbin/nologin
tcpdump:x:111:118::/nonexistent:/usr/sbin/nologin
sshd:x:112:65534::/run/sshd:/usr/sbin/nologin
_rpc:x:113:65534::/run/rpcbind:/usr/sbin/nologin
dnsmasq:x:114:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
statd:x:115:65534::/var/lib/nfs:/usr/sbin/nologin
avahi:x:116:122:Avahi mDNS daemon,,,:/run/avahi-daemon:/usr/sbin/nologin
stunnel4:x:996:996:stunnel service system account:/var/run/stunnel4:/usr/sbin/nologin
Debian-snmp:x:117:123::/var/lib/snmp:/bin/false
_gvm:x:118:124::/var/lib/openvas:/usr/sbin/nologin
speech-dispatcher:x:119:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false
sslh:x:120:125::/nonexistent:/usr/sbin/nologin
postgres:x:121:126:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
pulse:x:122:128:PulseAudio daemon,,,:/run/pulse:/usr/sbin/nologin
saned:x:123:131::/var/lib/saned:/usr/sbin/nologin
inetsim:x:124:132::/var/lib/inetsim:/usr/sbin/nologin
lightdm:x:125:133:Light Display Manager:/var/lib/lightdm:/bin/false
geoclue:x:126:134::/var/lib/geoclue:/usr/sbin/nologin
king-phisher:x:127:135::/var/lib/king-phisher:/usr/sbin/nologin
polkitd:x:994:994:polkit:/nonexistent:/usr/sbin/nologin
rtkit:x:128:136:RealtimeKit,,,:/proc:/usr/sbin/nologin
colord:x:129:137:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
nm-openvpn:x:130:138:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin
nm-openconnect:x:131:139:NetworkManager OpenConnect plugin,,,:/var/lib/NetworkManager:/usr/sbin/nologin
ehis:x:1000:1000:Emmanuel Okaiwele,,,:/home/ehis:/usr/bin/zsh
beef-xss:x:132:142::/var/lib/beef-xss:/usr/sbin/nologin
┌──(ehis㉿ehis)-[~]
└─$ grep root /etc/passwd
root:x:0:0:root:/root:/usr/bin/zsh
nm-openvpn:x:130:138:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin
✅ This shows the system users. On a compromised system, this is the first step to finding potential targets.
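In the output above, grep root also returned the nm-openvpn line, because its home directory contains "chroot". The following added example (not part of the original post) queries passwd by field instead. The function names are hypothetical, and the sample lines are a subset of the output shown above.

```shell
#!/bin/bash
# Added example: field-aware queries over a passwd-format file.
# Sample data: five lines copied from the /etc/passwd output above,
# embedded so the script behaves the same on any machine.
sample_passwd() {
  cat <<'EOF'
root:x:0:0:root:/root:/usr/bin/zsh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
postgres:x:121:126:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
nm-openvpn:x:130:138:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin
ehis:x:1000:1000:Emmanuel Okaiwele,,,:/home/ehis:/usr/bin/zsh
EOF
}

# Entry whose login name (field 1) is exactly $1. Plain `grep root` is a
# substring match over the whole line, so it also hits "chroot".
user_entry() {
  awk -F: -v u="$1" '$1 == u'
}

# Accounts with UID 0 (field 3). Anything besides root deserves a closer look.
uid0_accounts() {
  awk -F: '$3 == 0 { print $1 }'
}

# Accounts that can log in interactively: field 7 is a real shell,
# not nologin, false or sync.
login_accounts() {
  awk -F: '$7 !~ /(nologin|false|sync)$/ { print $1 }'
}

echo "substring matches for root: $(sample_passwd | grep -c root)"
echo "exact matches for root:     $(sample_passwd | user_entry root | wc -l)"
echo "UID 0 accounts:             $(sample_passwd | uid0_accounts | tr '\n' ' ')"
echo "interactive accounts:       $(sample_passwd | login_accounts | tr '\n' ' ')"
```

On a real system, feed the file on stdin, for example login_accounts < /etc/passwd.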
Step 3: Networking Essentials
Pentesters spend a lot of time analyzing networks. Bash provides quick ways to test connectivity and scan hosts.
Commands:
ip a # Show IP addresses
ping -c 4 8.8.8.8 # Test connectivity
netstat -tulnp # Show open ports and services
Example:
─$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:b4:74:49 brd ff:ff:ff:ff:ff:ff
inet 192.168.71.131/24 brd 192.168.71.255 scope global dynamic noprefixroute eth0
valid_lft 1444sec preferred_lft 1444sec
inet6 fe80::20c:29ff:feb4:7449/64 scope link noprefixroute
valid_lft forever preferred_lft forever
─$ ping 192.168.71.128
PING 192.168.71.128 (192.168.71.128) 56(84) bytes of data.
64 bytes from 192.168.71.128: icmp_seq=1 ttl=64 time=1.74 ms
64 bytes from 192.168.71.128: icmp_seq=2 ttl=64 time=0.816 ms
64 bytes from 192.168.71.128: icmp_seq=3 ttl=64 time=1.91 ms
64 bytes from 192.168.71.128: icmp_seq=4 ttl=64 time=1.98 ms
64 bytes from 192.168.71.128: icmp_seq=5 ttl=64 time=2.75 ms
64 bytes from 192.168.71.128: icmp_seq=6 ttl=64 time=2.09 ms
64 bytes from 192.168.71.128: icmp_seq=7 ttl=64 time=2.65 ms
64 bytes from 192.168.71.128: icmp_seq=8 ttl=64 time=2.22 ms
64 bytes from 192.168.71.128: icmp_seq=9 ttl=64 time=2.47 ms
64 bytes from 192.168.71.128: icmp_seq=10 ttl=64 time=2.20 ms
64 bytes from 192.168.71.128: icmp_seq=11 ttl=64 time=2.97 ms
64 bytes from 192.168.71.128: icmp_seq=12 ttl=64 time=1.95 ms
64 bytes from 192.168.71.128: icmp_seq=13 ttl=64 time=2.30 ms
^C
--- 192.168.71.128 ping statistics ---
13 packets transmitted, 13 received, 0% packet loss, time 12228ms
rtt min/avg/max/mdev = 0.816/2.156/2.969/0.518 ms
✅ Use this to confirm your attacker machine’s IP before launching scans with tools like Nmap.
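The netstat -tulnp command is listed above without output. This added example (not from the original post) shows how to read it on your own machine by separating listeners bound to every interface from loopback-only ones. The function names are hypothetical and the netstat lines are constructed sample data.

```shell
#!/bin/bash
# Added example: classify `netstat -tulnp` listeners by how reachable they are.
# Constructed sample output, not captured from the author's machine.
sample_netstat() {
  cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd: /usr/sbin
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      901/postgres
tcp6       0      0 :::80                   :::*                    LISTEN      979/apache2
udp        0      0 0.0.0.0:68              0.0.0.0:*                           640/NetworkManager
udp6       0      0 ::1:323                 :::*                                701/chronyd
EOF
}

# Reads netstat -tulnp output on stdin, prints "scope proto port program".
# scope: "exposed" = wildcard bind (0.0.0.0, ::, *), "local" = loopback,
#        "iface"   = bound to one specific address.
classify_listeners() {
  awk '
    $1 !~ /^(tcp|udp)/ { next }               # skip the two header lines
    {
      addr = $4
      port = addr; sub(/.*:/, "", port)        # port follows the last colon
      host = addr; sub(/:[^:]*$/, "", host)    # drop ":port", keep IPv6 colons
      # UDP rows have an empty State column, so the program field shifts left.
      prog = ($1 ~ /^tcp/) ? $7 : $6
      sub(/^[0-9]+\//, "", prog); sub(/:$/, "", prog)
      if (host == "0.0.0.0" || host == "::" || host == "*") scope = "exposed"
      else if (host ~ /^127\./ || host == "::1")            scope = "local"
      else                                                  scope = "iface"
      print scope, $1, port, prog
    }'
}

# Only the listeners reachable from other hosts on the network.
exposed_listeners() {
  classify_listeners | awk '$1 == "exposed"'
}

sample_netstat | classify_listeners
```

To run it against live data, pipe the real command in: sudo netstat -tulnp | exposed_listeners. Without root, the program column shows "-" for sockets owned by other users.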
Step 5: Process and Service Management
Pentesters often check for running processes and services that could be exploited.
Commands:
$ ps aux | grep apache
root 979 0.0 0.3 205860 22624 ? Ss 02:01 0:00 /usr/sbin/apache2 -k start
www-data 1107 0.0 0.1 206588 11288 ? S 02:01 0:00 /usr/sbin/apache2 -k start
www-data 1108 0.0 0.1 206588 11288 ? S 02:01 0:00 /usr/sbin/apache2 -k start
www-data 1110 0.0 0.1 206588 11288 ? S 02:01 0:00 /usr/sbin/apache2 -k start
www-data 1111 0.0 0.1 206588 11288 ? S 02:01 0:00 /usr/sbin/apache2 -k start
www-data 1112 0.0 0.1 206588 11288 ? S 02:01 0:00 /usr/sbin/apache2 -k start
ehis 8532 0.0 0.0 6344 2100 pts/1 S+ 02:17 0:00 grep --color=auto apache
✅ This reveals if Apache (a web server) is running — useful before launching attacks.
Step 7: Writing Simple Bash Scripts
Automation makes you efficient. Let’s write a basic port scanner in Bash:
#!/bin/bash
# Try a TCP connection to each port on localhost and report the ones that accept.
for port in {1..100}
do
    (echo >"/dev/tcp/127.0.0.1/$port") 2>/dev/null && echo "Port $port is open"
done
Save it as scanner.sh, then:
chmod +x scanner.sh
./scanner.sh
✅ This script scans ports 1–100 on localhost. In real pentests, scripts like this save hours.
Final Thoughts
For African learners aiming to become pentesters, mastering Bash is non-negotiable. With these commands, you can:
- Navigate Linux systems like a pro.
- Search sensitive files for credentials.
- Investigate networks before attacks.
- Automate scanning and exploitation.
👉 Remember: You don’t need expensive tools to start. A simple Kali Linux VM + Bash is enough to practice every day.

I’m Emmanuel Okaiwele, a Secure Web Developer, Offensive Security Engineer, Member Cybersecurity Experts Association of Nigeria – CSEAN, and the founder of Nebitex Africa — a platform dedicated to making cybersecurity simple, practical, and accessible for Africans.



