Below are some useful Linux commands for penetration testing, target reconaissance and capability assessment. Use them for good, not for evil.

traceroute:

$ traceroute <target>

$ traceroute google.com
traceroute to google.com (213.157.177.157), 24 hops max, 52 byte packets
 1  192-168-1-110.x.com (192.168.1.110)  9.403 ms  7.301 ms  3.264 ms
 2  10.10.10.10 (10.10.10.10)  47.823 ms  3.649 ms  2.436 ms
 	... etc ...

whois:

$ whois [-h whois_server] <name>

$ whois google.com
Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Aborting search 50 records found .....
GOOGLE.COM.ACKNOWLEDGES.NON-FREE.COM
GOOGLE.COM.AFRICANBATS.ORG
GOOGLE.COM.ANGRYPIRATES.COM
GOOGLE.COM.AR
	... etc ...

nslookup:

$ nslookup <target>

$ nslookup google.com
Server:		192.168.1.110
Address:	192.168.1.110#53

Non-authoritative answer:
Name:	google.com
Address: 213.157.177.157
Name:	google.com
Address: 213.157.177.158
Name:	google.com
Address: 213.157.177.162
	... etc ...

dig:

$ dig [@server] <name> [record_type]
$ dig [@server] <domain> -t IXFR=<N>

$ dig google.com MX
; <<>> DiG 9.10.3-P4-Ubuntu <<>> google.com MX
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61593
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com.			IN	MX

;; ANSWER SECTION:
google.com.		60	IN	MX	20 alt1.aspmx.l.google.com.
google.com.		60	IN	MX	30 alt2.aspmx.l.google.com.
google.com.		60	IN	MX	40 alt3.aspmx.l.google.com.
google.com.		60	IN	MX	50 alt4.aspmx.l.google.com.
google.com.		60	IN	MX	10 aspmx.l.google.com.
	... etc ...

Dump the ARP table of a SNMP server:

$ snmpwalk -v 2c -c <community> <server> ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaPhysAddress > arptable.dump

Show all TCP port 80 packets going to or from the specified IP:

$ tcpdump [-i tap0] -n tcp and port 80 and host 10.10.10.10

Enumerate local users:

$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
	... etc ...

$ finger
Login     Name       Tty      Idle  Login Time   Office     Office Phone
root      root      *pts/0          March  19 11:13 (10.10.10.10)

$ who
root     pts/0        2017-05-09 11:13 (10.10.10.10)

$ w
 11:18:56 up 169 days,  11:18,  1 user,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    10.10.10.10      11:13    0.00s  0.02s  0.00s w

Enumerate remote users:

$ finger @<remote>

Scan the target’s specified port range:

$ echo "" | nc -v -n -w1 <target> <port-range>

Find SetUID or SetGID binaries:

$ find / -type f \( -perm -4000 -o -perm -2000 \) -print

Mounting a Samba drive:

$ smbmount //<target>/<share> <mountpoint> -o username=<username>

$ smbmount //10.10.10.10/c$ /mnt/target -o username=administrator

Find any open Samba shares:

$ nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p445 192.168.1.0/24 

Add a normal user:

$ useradd <name>

Add a root user:

$ useradd -o -u 0 <name>

Manual fingerprinting and banner grabbing:

$ nc -v 192.168.1.1 25
$ telnet 192.168.1.1 25

And while at it, grab the SSH server version too (if running):

$ nc -v 192.168.1.1 22
Connection to 192.168.1.1 port 22 [tcp/ssh] succeeded!
SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1

Fingerprint Samba version too:

$ smbclient -L //192.168.1.1

Quickly determine if a port is open or closed using just bash:

$ (: </dev/tcp/127.0.0.1/443) &>/dev/null && echo "OPEN" || echo "CLOSED"
Start a simple web server, depending on what is installed (python, python3, php or ruby):
$ python -m SimpleHTTPServer 80
$ python3 -m http.server
$ php -S 0.0.0.0:80
$ ruby -rwebrick -e "WEBrick::HTTPServer.new(:Port => 80, :DocumentRoot => Dir.pwd).start"

Spawn a TTY shell from a limited shell in Linux using Python:

$ python -c 'import pty;pty.spawn("/bin/bash")'

Spawn a TTY shell from a limited shell in Linux using Perl:

$ perl —e 'exec "/bin/sh";'

Download all documents and images from a web page address:

$ wget -A pdf,jpg,png,gif,bmp,doc,docx -m -r -np --convert-links --execute="robots = off" <address>

Encrypt a file using gpg:

$ gpg --encrypt --sign -r you@email <filename>

Decrypt a file using gpg:

$ gpg -d <filename>

Perform a request to a remote address every 5 seconds (download a file, whatever), until you press CTRL + C:

$ while true; do wget <address>; sleep 5; done

Dump all MySQL databases:

$ mysqldump --all-databases --all-routines -u root -p > ~/fulldump.sql

Use nikto to scan a host using a proxy server and output fingerprinted info to a file:

$ perl nikto.pl -host <ip_or_hostname> -useproxy <proxy_address> -output <filename>

Use wpscan to scan a Wordpress install and output fingerprinted into to a file:

$ ruby wpscan.rb --url <address> --enumerate 2> <filename>

Use sqlmap to grab the database banner, if possible:

$ ./sqlmap.py --url="<address>" --data="<post-data>" --banner

Grab the HTTP headers:

$ curl -LIN <address>

$ curl -LIN google.com
HTTP/1.1 200 OK
Date: Tue, 19 March 2017 13:12:48 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
Server: gws
X-XSS-Protection: 1; mode=block
	... etc ...

Generate a MD5 hash of the specified string:

$ echo -n "This is the text" | openssl md5
(stdin)= 4da8333008320dd94d593f3211df63ab

Generate a SHA hash of the specified string:

$ echo -n "This is the text" | openssl sha
(stdin)= 0dc9696177e9786de95a1caee349a7a6da70a614