Linux File System Made Easy

Uploaded by: shihabchy409
Copyright: © All Rights Reserved

UNDERSTANDING THE LINUX FILE SYSTEM

/
├── bin
├── boot
├── dev
├── etc
├── home
├── lib
├── media
├── mnt
├── opt
├── proc
├── root
├── sbin
├── tmp
├── usr
└── var

• / (Root Directory)
  ◦ What it is: The top-most directory in the file system. All other directories and files stem from here.
  ◦ Example: Think of it as the trunk of a tree, from which all branches (other directories) grow.

• /bin (Binaries)
  ◦ What it is: Contains essential user command binaries (executable programs) that are used in single-user mode and for basic system operations.
  ◦ Examples:
    ▪ ls: Lists directory contents.
    ▪ cp: Copies files.
    ▪ mv: Moves files.
  ◦ Real-life Example: Imagine /bin as a toolbox containing essential tools that you need to perform basic tasks, like a hammer or screwdriver.

• /boot
  ◦ What it is: Contains files required for the boot process, such as the Linux kernel and bootloader configuration files.
  ◦ Examples:
    ▪ vmlinuz: The compressed Linux kernel.
    ▪ grub: The bootloader files.
  ◦ Real-life Example: This is like the ignition system of a car. Without the contents of /boot, the system can't start.

• /dev (Device Files)
  ◦ What it is: Contains device files, which are special files that represent hardware devices.
  ◦ Examples:
    ▪ sda: Represents a hard drive.
    ▪ tty: Represents terminal devices.
  ◦ Real-life Example: Imagine /dev as a collection of electrical outlets; each one connects you to a different device, like a printer or a USB drive.

• /etc (Configuration Files)
  ◦ What it is: Contains all the system-wide configuration files and shell scripts that are used to boot and initialize the system.
  ◦ Examples:
    ▪ passwd: Contains user account information.
    ▪ hosts: Maps hostnames to IP addresses.
  ◦ Real-life Example: Think of /etc as the control panel of your home, where you set preferences for the heating, lighting, and security systems.

• /home (Home Directories)
  ◦ What it is: Contains personal directories for each user. Users store their personal files and settings here.
  ◦ Examples:
    ▪ /home/alex: Alex’s personal directory.
    ▪ /home/sam: Sam’s personal directory.
  ◦ Real-life Example: /home is like the individual bedrooms in a house. Each person has their own space to keep their belongings.

• /lib (Libraries)
  ◦ What it is: Contains shared library files that are required by the binaries in /bin and /sbin.
  ◦ Examples:
    ▪ libc.so.6: A critical library for C programs.
    ▪ ld-linux.so: The loader for dynamic libraries.
  ◦ Real-life Example: Libraries in /lib are like the utility pipes in a house that are shared by all rooms (directories) to provide essential services like water or electricity.

• /media and /mnt (Mount Points)
  ◦ What they are: Directories where external storage devices are mounted (connected to the system).
  ◦ Examples:
    ▪ /media/usb: Where a USB drive might be mounted.
    ▪ /mnt/cdrom: Where a CD-ROM might be mounted.
  ◦ Real-life Example: These are like docks or ports where you can temporarily connect external devices, like plugging in a USB stick to access files.

• /opt (Optional Software)
  ◦ What it is: Contains add-on software packages that aren't part of the default installation.
  ◦ Examples:
    ▪ /opt/google/chrome: Where Google Chrome might be installed.
  ◦ Real-life Example: Imagine /opt as an extra shelf in your garage where you store new tools or gadgets that aren’t part of the standard toolkit.

• /proc (Process Information)
  ◦ What it is: A virtual filesystem that provides information about running processes and the kernel. This is a pseudo-filesystem; the files are not actually stored on disk.
  ◦ Examples:
    ▪ /proc/cpuinfo: Contains information about the CPU.
    ▪ /proc/meminfo: Contains information about memory usage.
  ◦ Real-life Example: /proc is like a dashboard in a car that shows real-time information about the engine, speed, and fuel consumption.

• /root (Root User's Home Directory)
  ◦ What it is: The home directory for the root (administrative) user.
  ◦ Example:
    ▪ /root: The root user’s personal directory, separate from the general /home directory used by other users.
  ◦ Real-life Example: This is like the master suite in a house, reserved for the homeowner (the root user).

• /sbin (System Binaries)
  ◦ What it is: Contains essential system binaries that are used for system administration.
  ◦ Examples:
    ▪ ifconfig: Configures network interfaces.
    ▪ shutdown: Shuts down the system.
  ◦ Real-life Example: /sbin is like a special toolkit that only the head of the household (root user) can use for maintenance.

• /tmp (Temporary Files)
  ◦ What it is: A directory where temporary files are stored. Files here can be deleted by the system when no longer needed.
  ◦ Examples:
    ▪ tmp12345: A temporary file created by an application.
  ◦ Real-life Example: /tmp is like a temporary holding area or workbench where you can store items you’re working on but don’t plan to keep.

• /usr (User Binaries & Read-Only Data)
  ◦ What it is: Contains user binaries, libraries, documentation, and source code. It’s one of the largest directories in the system.
  ◦ Examples:
    ▪ /usr/bin: User binaries like python, gcc.
    ▪ /usr/share: Shared data, such as icons and documentation.
  ◦ Real-life Example: /usr is like the community library and workshop, where you find tools, reference materials, and shared resources.

• /var (Variable Files)
  ◦ What it is: Contains files that are expected to grow in size, such as log files, databases, and email.
  ◦ Examples:
    ▪ /var/log: System log files.
    ▪ /var/mail: User email.
  ◦ Real-life Example: /var is like a storage area for logs and ongoing records, like a filing cabinet that grows over time as you add documents.

LINUX FILES AND DIRECTORIES FOR PENTESTING

• /etc/passwd
  ◦ What it is: Contains user account information.
  ◦ Key Details:
    ▪ Historically contained hashed passwords (now stored in /etc/shadow).
    ▪ Includes information like username, user ID (UID), group ID (GID), home directory, and shell.
  ◦ Why it’s important:
    ▪ Used to enumerate users on the system.
    ▪ Can help identify which users have elevated privileges.

• /etc/shadow
  ◦ What it is: Stores hashed passwords for user accounts.
  ◦ Key Details:
    ▪ Only accessible by the root user and has more restrictive permissions than /etc/passwd.
    ▪ Contains usernames and password hashes along with password expiration data.
  ◦ Why it’s important:
    ▪ If an attacker gains access to this file, they can attempt to crack the password hashes, potentially gaining access to user accounts, including root.

• /etc/group
  ◦ What it is: Contains group account information.
  ◦ Key Details:
    ▪ Lists groups and their members.
    ▪ Similar to /etc/passwd but for groups.
  ◦ Why it’s important:
    ▪ Helps identify group memberships, which can be used to elevate privileges or access restricted resources.
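
An added example (not part of the original document) of the account review that the /etc/passwd and /etc/group entries above describe: it parses both formats and reports extra UID 0 accounts, password fields that are not the "x" shadow placeholder, accounts with a login shell, and members of privileged groups. The sample data, the function names and the PRIVILEGED_GROUPS set are assumptions made for this illustration.

```python
# Added example: audit /etc/passwd and /etc/group content (sample data is constructed).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alex:x:1000:1000:Alex:/home/alex:/bin/bash
sam:x:1001:27:Sam:/home/sam:/bin/zsh
toor:x:0:0:second uid 0 account:/root:/bin/sh
"""
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:alex
www-data:x:33:
alex:x:1000:
"""
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
PRIVILEGED_GROUPS = {"sudo", "wheel"}  # assumption: adjust for your distribution


def parse_colon_file(text, nfields):
    """Split each non-comment line into exactly nfields colon-separated fields."""
    rows = []
    for line in text.splitlines():
        fields = line.split(":")
        if line.strip() and not line.startswith("#") and len(fields) == nfields:
            rows.append(fields)
    return rows


def audit_accounts(passwd_text, group_text):
    users = parse_colon_file(passwd_text, 7)   # name:pw:uid:gid:gecos:home:shell
    groups = parse_colon_file(group_text, 4)   # name:pw:gid:member,member
    privileged = set()
    for name, _pw, gid, members in groups:
        if name in PRIVILEGED_GROUPS:
            privileged.update(m for m in members.split(",") if m)
            # A user's primary group is not repeated in the /etc/group member
            # list, so also match the GID field from /etc/passwd.
            privileged.update(u[0] for u in users if u[3] == gid)
    return {
        "extra_uid0": sorted(u[0] for u in users if u[2] == "0" and u[0] != "root"),
        "unshadowed": sorted(u[0] for u in users if u[1] != "x"),
        "login_shell": sorted(u[0] for u in users if u[6] not in NOLOGIN_SHELLS),
        "privileged_group": sorted(privileged),
    }


if __name__ == "__main__":
    for check, names in audit_accounts(SAMPLE_PASSWD, SAMPLE_GROUP).items():
        print(f"{check}: {', '.join(names) or '-'}")
```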

• /etc/hosts
  ◦ What it is: Maps hostnames to IP addresses.
  ◦ Key Details:
    ▪ Used for local name resolution, before DNS queries.
  ◦ Why it’s important:
    ▪ Can be manipulated in attacks like local DNS spoofing.
    ▪ Useful for understanding internal network structure during reconnaissance.

• /etc/ssh/sshd_config
  ◦ What it is: Configuration file for the SSH daemon.
  ◦ Key Details:
    ▪ Controls settings for SSH access, such as allowed authentication methods, port number, and root login permissions.
  ◦ Why it’s important:
    ▪ Misconfigurations (like permitting root login) can be exploited.
    ▪ Allows attackers to understand and potentially bypass SSH restrictions.
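
An added example (not part of the original document) of checking sshd_config text for the kind of misconfiguration mentioned above. It resolves the global settings the way sshd reads them (case-insensitive keywords, first value wins, Match blocks excluded) and falls back to current OpenSSH defaults; the sample file, the function names and the RISKY policy table are assumptions.

```python
import re

# Constructed sample; the second PermitRootLogin line shows first-value-wins.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
#PasswordAuthentication no
permitemptypasswords no
PermitRootLogin no
Match User backup
    PasswordAuthentication no
"""

# Current OpenSSH defaults, used when a keyword is absent from the file.
DEFAULTS = {"permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes",
            "permitemptypasswords": "no"}
# Values reported as findings (assumption: a policy of key-only, non-root logins).
RISKY = {"permitrootlogin": {"yes"},
         "passwordauthentication": {"yes"},
         "permitemptypasswords": {"yes"}}
# Keyword, then whitespace and/or a single "=", then the value.
LINE = re.compile(r"\s*([A-Za-z0-9]+)[ \t]*=?[ \t]*(.*)")


def effective_global_settings(text):
    """Map keyword -> value for the global section of an sshd_config file."""
    settings = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not raw.strip() or raw.lstrip().startswith("#") or not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2)
        if keyword == "match":
            break  # everything after the first Match line is conditional
        # sshd keeps the first value it reads for a keyword; later ones are ignored.
        settings.setdefault(keyword, value.strip().strip('"').lower())
    return settings


def audit_sshd_config(text):
    """Return (keyword, value, origin) for each setting that matches RISKY."""
    settings = effective_global_settings(text)
    findings = []
    for keyword, risky_values in RISKY.items():
        value = settings.get(keyword, DEFAULTS[keyword])
        if value in risky_values:
            origin = "set explicitly" if keyword in settings else "default"
            findings.append((keyword, value, origin))
    return findings
```

This check does not follow Include files or evaluate Match blocks; on a live host, `sshd -T` prints the effective configuration.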

• ~/.ssh/authorized_keys
  ◦ What it is: Stores public keys for SSH key-based authentication.
  ◦ Key Details:
    ▪ Located in the user’s home directory.
  ◦ Why it’s important:
    ▪ If compromised, an attacker can insert their own public key to gain persistent access without requiring a password.

• /var/log/auth.log or /var/log/secure
  ◦ What it is: Authentication logs.
  ◦ Key Details:
    ▪ Logs successful and failed login attempts.
    ▪ /var/log/auth.log is used in Debian-based systems, /var/log/secure in Red Hat-based systems.
  ◦ Why it’s important:
    ▪ Useful for detecting brute force attacks or unauthorized access.
    ▪ Red teamers might clear or alter these logs to cover their tracks.
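
An added example (not part of the original document) of the brute-force detection these logs support: it counts failed sshd logins per source address and flags any login that succeeds from an address that has already reached the failure threshold. The log lines are constructed, use documentation IP ranges, and follow the sshd message format; the function name and threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the /var/log/auth.log sshd message format.
SAMPLE_AUTH_LOG = """\
Mar 10 03:12:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar 10 03:12:03 web01 sshd[2213]: Failed password for root from 203.0.113.7 port 50124 ssh2
Mar 10 03:12:05 web01 sshd[2215]: Failed password for root from 203.0.113.7 port 50126 ssh2
Mar 10 03:12:07 web01 sshd[2217]: Failed password for alex from 203.0.113.7 port 50128 ssh2
Mar 10 03:12:09 web01 sshd[2219]: Failed password for alex from 203.0.113.7 port 50130 ssh2
Mar 10 03:12:11 web01 sshd[2221]: Accepted password for alex from 203.0.113.7 port 50132 ssh2
Mar 10 08:29:50 web01 sshd[3001]: Failed password for sam from 198.51.100.20 port 41000 ssh2
Mar 10 08:30:02 web01 sshd[3004]: Accepted password for sam from 198.51.100.20 port 41002 ssh2
"""

# The user name is text supplied by the remote side, so it is matched greedily
# and the address is taken from the fixed "from <ip> port <n> ssh2" line ending.
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) \S+ for (?:invalid user )?"
    r"(?P<user>.*) from (?P<ip>\S+) port \d+ ssh2(?::.*)?$")


def detect_bruteforce(log_text, threshold=5):
    """Count failed logins per source and flag logins that follow many failures."""
    failures = Counter()
    users_tried = {}
    suspicious_logins = []
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            failures[ip] += 1
            users_tried.setdefault(ip, set()).add(user)
        elif failures[ip] >= threshold:
            # A success right after a burst of failures deserves a closer look.
            suspicious_logins.append((ip, user))
    noisy = {ip: {"failures": n, "users": sorted(users_tried[ip])}
             for ip, n in failures.items() if n >= threshold}
    return {"noisy_sources": noisy, "suspicious_logins": suspicious_logins}


if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_AUTH_LOG))
```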

• /root/.bash_history
  ◦ What it is: History of commands executed by the root user.
  ◦ Key Details:
    ▪ Stores a record of shell commands.
  ◦ Why it’s important:
    ▪ Provides insights into the root user’s activities.
    ▪ Can reveal sensitive commands or passwords that were entered.

• /etc/cron.d/ and /etc/crontab
  ◦ What they are: Configuration files for scheduled tasks (cron jobs).
  ◦ Key Details:
    ▪ Define tasks that are executed at specified intervals.
  ◦ Why they’re important:
    ▪ Misconfigured cron jobs can be exploited to execute arbitrary code with elevated privileges.

• /var/www/html (or similar)
  ◦ What it is: Default directory for web server files.
  ◦ Key Details:
    ▪ Contains web application files, such as PHP scripts, HTML, and configuration files.
  ◦ Why it’s important:
    ▪ Web shells or malicious scripts can be uploaded here to gain further access.
    ▪ Configuration files may contain hard-coded credentials or sensitive information.

By: Rahul Kumar

