Search for a file anywhere, not only in local directory
Find the location of files and directories. Searching is faster because locate queries a prebuilt database (locate.db) instead of scanning the entire hard disk.
Manually update the locate.db database (automatically updated with cron)
sudo apt install mlocate
sudo updatedb
locate <filename>
Search for file in a specific folder
Use -iname for a case-insensitive name search.
2>/dev/null discards error output, which hides all the “Permission denied” errors
# find location -name filename
find /etc -name passwd 2>/dev/null -exec ls -la {} \;
# Quote the pattern so the shell does not expand it before find sees it
find /etc -name 'pass*' 2>/dev/null -exec ls -la {} \;
find / -name 'sbd*' 2>/dev/null -exec ls -la {} \;
Find big files
find / -name '*' -size +1G 2>/dev/null -exec ls -la {} \;
find / -name '*' -size +500M 2>/dev/null -exec ls -la {} \;
du -a / | sort -n -r | head -n 20
Search files for privilege escalation
See Privilege Escalation page for more examples.
# Executable writable by others and owned by root
find -P / -type f -executable -user root -perm -o=w -name '*' 2>/dev/null -exec ls -la {} \;
Search text in files
# i stands for ignore case (optional in your case).
# R stands for recursive.
# l stands for "show the file name, not the result itself".
Search text “flag” in files
grep -Ril "flag" /
Search for more than one word
grep -E "one|two|three" file.txt
Display file name + lines containing word “password”
grep -Ri "password" .
grep -Ri "key" .
grep -Ri "sessionkey" .
grep -Ri "admin" .
Search for passwords and display x lines after
# -A: Print NUM lines of trailing context after matching lines.
# -B: Print NUM lines of leading context before matching lines.
grep -A2 sAMAccountName ldapsearch-users-authenticated.txt
Search for a regex in a file and extract only the matching string
grep -o 'Pulse.*daemon' /etc/passwd
Loop on files
# Search for files with the word "password" in them,
# then display all the lines containing the word "password".
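# Read one file name per line and quote it, so names with spaces are handled
grep -Ril "password" . | while IFS= read -r file; do grep "password" "$file"; done
grep -Ril "cisco" ~/houseofkeys/ | while IFS= read -r file; do grep "name" "$file"; done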
Search and replace word(s) in a file
sed 's/replace me/done/' file.txt
cat file.txt | sed 's/replace me/done/'
Extract fields from file
cut has a delimiter of one character only. For more complex delimiters, use awk instead. When using multiple cut commands, consider using awk.
cut -f 1,5 -d ":" /etc/passwd
awk -F ":" '{print $1, $5}' /etc/passwd
grep -o 'Pulse.*daemon' /etc/passwd
Remove first n characters
# cut -c N- keeps everything from character N onward, so 4- drops the first 3 characters
cat /etc/passwd | cut -c 4-
Search in $PATH environment variable
# Search through directories in the $PATH environment variable
which sbd
Track pentest activities using built-in logging
This identifies files that were modified after the starttime file was created
touch starttime
# do pentest activities
find / -newer starttime 2>/dev/null | grep -v -E "^/(proc|sys|dev)/" > newer
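The tracking step above, wrapped in two functions as an added example that is not part of the original cheat sheet: it prunes /proc, /sys and /dev during the walk instead of filtering them out afterwards, and also compares ctime, so permission or ownership changes that -newer alone misses are reported. The function names start_tracking and changed_since are hypothetical, and GNU find is assumed.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Assumes GNU find.

# start_tracking MARKER: create (or reset) the marker file; its mtime is the baseline.
start_tracking() {
    : > "$1"
}

# changed_since MARKER [ROOT]: print, sorted, every path under ROOT (default /)
# whose content (mtime) or metadata (ctime, e.g. chmod/chown) changed after
# MARKER was last written. Paths containing newlines are not handled.
changed_since() {
    marker=$1
    root=${2:-/}
    if [ ! -f "$marker" ]; then
        echo "changed_since: marker not found: $marker" >&2
        return 2
    fi
    # Prune pseudo-filesystems during the walk instead of filtering afterwards,
    # and leave the marker itself out of the report.
    find "$root" \
        \( -path /proc -o -path /sys -o -path /dev \) -prune -o \
        \( -newer "$marker" -o -cnewer "$marker" \) ! -samefile "$marker" \
        -print 2>/dev/null | sort
}

# Usage:
#   start_tracking /root/starttime
#   ... do the work ...
#   changed_since /root/starttime / > newer
```

Directories appear in the output whenever an entry inside them was created or removed, which helps locate dropped files that were later deleted.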