You are in the middle of a penetration test. You have gained access to a Linux server. You need to find configuration files, passwords, sensitive data, or evidence of compromise. You cannot waste time clicking through folders manually.
This is where find and grep become your best friends.
These two commands are the most powerful file-searching tools on any Linux system. They are installed by default on every distribution. They work the same way on every system.
Let me show you exactly how to use them for real pentesting scenarios.
LEGAL WARNING
This guide is for educational purposes and authorized penetration testing only.
Using these commands on systems you do not own or have explicit written permission to test is illegal. The techniques described here are for use in legitimate security assessments, CTF competitions, and your own lab environments.
YOU HAVE BEEN WARNED.
The Practical Difference Between Find and Grep
Here is the simplest way to understand them. find looks for files by their properties: name, size, type, permissions, modification date. It finds the file itself. grep looks inside files for specific content: text, patterns, strings. It finds what is inside the file. You can use find to locate a file and grep to search for something inside that file. Together, find and grep let you search inside many files at once.
Here’s how to use these tools during an actual penetration test.
Find Commands You Will Actually Use
Find Files by Name
This is the most basic and most useful find command. You know the name of a file, you just do not know where it is.
find / -name "config.php"
This searches the entire system for any file named config.php.
find / -name "*.conf"
This finds every file with a .conf extension. Configuration files are gold during a pentest.
find / -name "wp-config.php"
WordPress configuration files contain database credentials. This is one of the most common files you will search for.
Case sensitivity matters.
Use -iname to ignore case:
find / -iname "config.php"
Find Files by Type
You often do not know the exact name, but you know what kind of file you are looking for.
find / -type f -name "*.log"
-type f tells find to look for regular files. Log files are full of useful information.
find / -type d -name "admin"
-type d tells find to look for directories. Admin directories are always worth investigating.
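find / -type f -perm -4000
This finds files with the SUID bit set. The leading dash matches any file that has that bit, whatever its other permission bits are; without it, find only matches files whose mode is exactly 4000. These can be exploited for privilege escalation.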
Finding Files Based on File Size
Sometimes you need to look for big files, which can be databases or backups.
find / -type f -size +100M
Big files over 100 MB are most likely databases, backups, or logs.
find / -type f -size -10k
Small files usually contain configuration snippets or credentials.
Find Files by Modification Date
In a lot of cases, you will need to find files modified at certain intervals. If you suspect that there is an attacker on your system, this tool can help you discover their actions. You can also use it for finding recently modified configuration files.
find / -type f -mtime -1
Look for files modified in the last 24 hours.
find / -type f -mmin -10
Look for files modified in the last 10 minutes.
find / -type f -mtime +30
Files modified more than 30 days ago.
Find Files by Permissions
You can find files that are world-readable or world-writable. These are often misconfigurations that can be exploited.
find / -type f -perm -o=r
World-readable files. These can be read by any user on the system.
find / -type f -perm -o=w
World-writable files. These can be modified by any user.
find / -type f -perm -u=s
Files with SUID set. These run with the owner's privileges.
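The three forms of -perm behave differently, and picking the wrong one silently hides results. The script below is an added example, not part of the original guide; it builds a throwaway directory with constructed file names and shows what each form matches (the /mode form assumes GNU find).

```shell
#!/bin/sh
# Added example: how find interprets the different forms of -perm.
# Everything happens in a temporary directory; file names are constructed.

# Create files with known modes and print the directory path.
make_fixture() {
    dir=$(mktemp -d) || return 1
    for spec in 4755:suid_exec 4000:suid_only 2755:sgid_exec \
                0755:plain_exec 0644:plain_file; do
        mode=${spec%%:*}
        name=${spec#*:}
        : > "$dir/$name"
        chmod "$mode" "$dir/$name"
    done
    printf '%s\n' "$dir"
}

# Print the sorted basenames matched by one -perm argument, space separated.
perm_matches() {
    find "$1" -type f -perm "$2" | sed 's|.*/||' | sort | tr '\n' ' ' | sed 's/ $//'
}

demo() {
    d=$(make_fixture) || return 1
    echo "-perm 4000   exact mode only        : $(perm_matches "$d" 4000)"
    echo "-perm -4000  all listed bits set    : $(perm_matches "$d" -4000)"
    echo "-perm -u=s   symbolic, same as above: $(perm_matches "$d" -u=s)"
    echo "-perm /6000  SUID or SGID (any bit) : $(perm_matches "$d" /6000)"
    rm -rf "$d"
}
demo
```

A real SUID binary such as one with mode 4755 is missed by the exact form, which is why audits should use -perm -4000 or -perm -u=s.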
Find and Execute a Command on Each Result
This is where find becomes really powerful. You can run a command on every file that matches your search.
find / -name "*.conf" -exec ls -la {} \;
This finds every file with the .conf extension and runs ls -la on each one.
find / -name "*.php" -exec grep -l "password" {} \;
This lists every .php file that contains the string "password". The -l option prints only the filename.
Grep Commands You Will Actually Use
Search for a String in a File
The most basic grep command.
grep "password" file.txt
This searches file.txt for the word password.
Search for a String in Multiple Files
grep "password" *.conf
This searches all .conf files in the current directory.
Search for a String Recursively
This is the most useful grep command for pentesting. It searches every file in every subdirectory.
grep -r "password" /etc/
This searches every file in the /etc directory for the word password.
grep -ri "password" /var/www/
The -i flag ignores case. This searches for password, Password, PASSWORD, and any other variation.
Search for Multiple Patterns
grep -r "password\|secret\|key" /etc/
This searches for password, secret, or key in the /etc directory.
grep -rE "(password|secret|key|token)" /var/www/
The -E flag enables extended regular expressions. This is cleaner than using backslashes.
Show the Context Around a Match
Sometimes you want to see the lines before and after the match.
grep -r -A 2 -B 2 "password" /etc/
-A 2 shows two lines after the match. -B 2 shows two lines before the match.
grep -r -C 3 "password" /var/www/
-C 3 shows three lines both before and after the match.
Search for Whole Words
grep -r -w "root" /etc/
The -w option matches whole words only; therefore, it will not match "rooting" or "uproot".
Search for Regular Expression Matches
grep -rE "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" /etc/
This command will search for all the IP addresses contained in the configuration files.
grep -rE "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}" /var/www/
This finds email addresses in web files.
grep -rE "BEGIN (RSA|DSA|EC) PRIVATE KEY" /home/
This finds SSH private keys. Do not search the entire system for this unless you are authorized.
Display Only the File Names That Match
grep -r -l "password" /etc/
The -l option prints only the filename rather than the matching lines within that file. This is useful if you just want to know which files contain the string.
grep -r -L "password" /etc/
The -L option will print the names of files where there are no matched strings.
Count Matches
grep -r -c "password" /etc/
-c prints the count of matches in each file.
Combining Find and Grep
The real power comes from combining these commands. You can search within a specific set of files that you find.
Using Grep to Search Inside Files Found by Find
find /var/www/ -name "*.php" -exec grep -H "password" {} \;
find locates every PHP file below /var/www/ and grep checks each one for the string "password". The -H option tells grep to print the name of the file each match came from.
Search with xargs
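xargs is often faster than -exec for large numbers of files.
find /var/www/ -name "*.php" -print0 | xargs -0 grep "password"
This is the same as the previous command but uses xargs. The -print0 and -0 options pass filenames null-delimited, so paths containing spaces are not split into separate arguments.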
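A plain find | xargs pipeline splits filenames on whitespace, so a file in a directory with a space in its name is never searched and the audit quietly under-reports. The script below is an added example, not from the original guide; the directory layout and file contents are constructed.

```shell
#!/bin/sh
# Added example: filenames with spaces break a plain `find | xargs` pipeline.
# The web root below is constructed in a temporary directory.

make_webroot() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/app" "$root/old site"
    printf '%s\n' '$db_password = "CONSTRUCTED-SAMPLE";' > "$root/app/config.php"
    printf '%s\n' '$db_password = "CONSTRUCTED-SAMPLE";' > "$root/old site/config backup.php"
    printf '%s\n' '<?php echo "hello"; ?>' > "$root/app/index.php"
    printf '%s\n' "$root"
}

# Each function prints how many files were reported as containing "password".

# Newline-delimited names: xargs splits "old site/config backup.php" into
# three bogus arguments, so grep never opens the real file.
count_plain_xargs() {
    find "$1" -name '*.php' | xargs grep -l 'password' 2>/dev/null | wc -l | tr -d ' '
}

# Null-delimited names survive spaces intact.
count_null_xargs() {
    find "$1" -name '*.php' -print0 | xargs -0 grep -l 'password' | wc -l | tr -d ' '
}

# -exec ... {} + batches arguments like xargs without any parsing step.
count_exec_plus() {
    find "$1" -name '*.php' -exec grep -l 'password' {} + | wc -l | tr -d ' '
}

demo() {
    r=$(make_webroot) || return 1
    echo "find | xargs grep            : $(count_plain_xargs "$r") file(s)"
    echo "find -print0 | xargs -0 grep : $(count_null_xargs "$r") file(s)"
    echo "find -exec grep {} +         : $(count_exec_plus "$r") file(s)"
    rm -rf "$r"
}
demo
```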
Find Files and Search with Context
find /etc/ -type f -name "*.conf" -exec grep -Hn "root" {} \;
-Hn shows the filename and line number.
Locating Sensitive Files and Checking Their Contents
find / -name "wp-config.php" -exec grep -H "DB_PASSWORD" {} \;
The above command locates the WordPress configuration file and prints the line that contains the database password.
Practical Pentest Scenarios
Scenario 1: Locate Database Credentials
You can access a web server. You need to locate the database credentials.
find /var/www/ -type f \( -name "*.php" -o -name "*.inc" -o -name "*.conf" \) \
-exec grep -H "DB_PASSWORD\|DB_USER" {} \;
The above command will help in finding the database credentials present in PHP, include, and configuration files.
Scenario 2: Finding SSH Keys
You need to find SSH keys for lateral movement.
find /home/ -name "id_rsa" -o -name "id_dsa" -o -name "*.pem"
The above command will find commonly named SSH private keys.
grep -r "BEGIN RSA PRIVATE KEY" /home/
The above command will help in finding the SSH keys based on their headers.
Scenario 3: Find Configurations containing Passwords
find /etc/ -type f -name "*.conf" -exec grep -H "password" {} \;
The above command will help in finding passwords in the configuration files present in the /etc directory.
find / \( -name "*.conf" -o -name "*.cfg" -o -name "*.ini" \) -print0 | xargs -0 grep -H "password\|secret\|key"
This widens the search to .conf, .cfg, and .ini files across the whole system.
Scenario 4: Looking for recently modified suspicious files
After an intrusion, one may be required to find the files which have been created or modified by the attacker.
find / -type f -mtime -1 -exec ls -la {} \;
This finds all the files which were last modified within the last 24 hours.
find /tmp /var/tmp /dev/shm -type f -mtime -1
Temporary folders are usually favored by the intruders.
Scenario 5: Finding world writable files and folders
find / -type f -perm -o=w 2>/dev/null
This command finds all world-writable files. The 2>/dev/null part redirects standard error to /dev/null, which hides the "Permission denied" messages.
find / -type d -perm -o=w 2>/dev/null
This will locate world writable directories.
Scenario 6: Locate Backup Files
Many times backup files are left by developers within the web directory.
find /var/www/ -type f \( -name "*.bak" -o -name "*.old" -o -name "*.backup" \)
find /var/www/ -type f -name "*~"
These are some backup file types.
Scenario 7: Searching for any suspicious activity in logs
grep -r "Failed password" /var/log/
This command will show all failed login attempts.
grep -r "Accepted password" /var/log/
This command will show all accepted login attempts from an external source.
grep -r "error" /var/log/apache2/
This command is used to find errors from the web server.
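Raw grep output from an authentication log is hard to read at volume. The script below is an added example, not from the original guide; it summarises failed logins per source address and lists addresses that also logged in successfully. The log lines are constructed and use documentation IP ranges.

```shell
#!/bin/sh
# Added example: summarise sshd "Failed password" / "Accepted password" lines.
# SAMPLE_LOG is constructed; point the functions at a real log with
#   failed_by_ip < /var/log/auth.log

SAMPLE_LOG='Jan 10 03:14:01 web01 sshd[1201]: Failed password for root from 203.0.113.7 port 40022 ssh2
Jan 10 03:14:03 web01 sshd[1201]: Failed password for root from 203.0.113.7 port 40022 ssh2
Jan 10 03:14:05 web01 sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 40031 ssh2
Jan 10 03:15:40 web01 sshd[1210]: Failed password for deploy from 198.51.100.23 port 51514 ssh2
Jan 10 03:16:02 web01 sshd[1214]: Accepted password for deploy from 203.0.113.7 port 40077 ssh2
Jan 10 08:30:11 web01 sshd[1502]: Accepted password for alice from 192.0.2.10 port 60210 ssh2'

# Extract the source IPv4 address from each line on stdin.
source_ips() {
    grep -oE 'from [0-9]{1,3}(\.[0-9]{1,3}){3}' | cut -d' ' -f2
}

# Read a log on stdin; print "<count> <ip>" for failed logins, busiest first.
failed_by_ip() {
    grep 'Failed password' | source_ips | sort | uniq -c | sort -rn |
        awk '{print $1, $2}'
}

# Read a log on stdin; print addresses that have both failed and accepted
# password logins. Ordering in time is not checked, only co-occurrence.
accepted_from_failed_sources() {
    log=$(cat)
    failed=$(printf '%s\n' "$log" | failed_by_ip | awk '{print $2}')
    [ -n "$failed" ] || return 0
    printf '%s\n' "$log" | grep 'Accepted password' | source_ips | sort -u |
        grep -Fx "$failed"
}

demo() {
    echo "Failed logins per source:"
    printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
    echo "Sources with failures and a successful login:"
    printf '%s\n' "$SAMPLE_LOG" | accepted_from_failed_sources
}
demo
```

An address that appears in the second list deserves a closer look, since repeated failures followed by a success can indicate a guessed password.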
Quick Reference Sheet
Search by name:
find / -name "filename"
Search by extension:
find / -name "*.txt"
Search directories:
find / -type d -name "admin"
Search large files:
find / -type f -size +100M
Search for recent modifications:
find / -type f -mtime -1
Search for SUID files:
find / -type f -perm -u=s
World readable:
find / -type f -perm -o=r
Recursive Search:
grep -r "pattern" /path/
Case insensitive search:
grep -ri "pattern" /path/
Multiple Pattern Search:
grep -rE "pattern1|pattern2|pattern3" /path/
Context:
grep -r -C 3 "pattern" /path/
Filename only:
grep -r -l "pattern" /path/
Combine find with grep:
find /path/ -name "*.ext" -exec grep -H "pattern" {} \;
The Bottom Line
The most important tools for penetration testing include find and grep. They are typically on every Linux installation and provide consistent speed and flexibility.
Use find to search for files by name, type, size, permissions, or last modified date. Use grep to search inside a file for sensitive information, such as credentials or other indicators of compromise. Combine both tools to search across many files at once.
The examples in this guide are drawn from real penetration tests. Practice them in your lab environment until they become second nature. When you are on a real engagement, speed matters, and these commands will save you hours.
FAQ Section
What is the difference between find and grep in Linux?
find searches for files based on their attributes, such as name, size, permissions, and time. grep searches for text inside a file. Use find to locate the file, then use grep to search within it.
How do I search for files with a particular word in Linux?
For searching a certain word in any file in that path, you can use the following command: grep -r "word" /path/. For searching in files with a certain extension, you can use the following command: find /path/ -name "*.ext" -exec grep "word" {} \;.
Can you use the find and grep commands in one command?
Yes. You may use find /path/ -name "*.ext" -exec grep -H "pattern" {} \; to search files matching the find command criteria. The other way of searching is find /path/ -name "*.ext" | xargs grep "pattern". It searches faster than the previous variant.
How do you use grep to make it case insensitive?
Use the -i flag in your command, for example grep -ri "password" /etc/. It matches password, Password, PASSWORD, and any other variation.
Which are the most valuable files to search during a pentest?
The most valuable files to be searched during a pentest are the following: Configuration files (extension .conf, .ini, .cfg), web application files (.php, .asp, .jsp), backup files (.bak, .old), database configuration files (wp-config.php, config.php), and log files (.log).