find vs. grep: mini cheat sheet

grep and find are such powerful commands to find resources quickly. The syntax is convenient and you can combine options at will to filter results.

grep

grep stands for “global regular expression print”: it searches text for characters and patterns and filters the matching lines out of big chunks of data.

7 Basic commands

| Purpose | Command |
|---|---|
| search term “mimikatz” in security.log (case insensitive) | `grep -i "mimiKAtZ" security.log` |
| show the line number of each match | `grep -n "mimikatz" security.log` |
| search recursively in folders | `grep -r "mimikatz" ./` |
| exact (whole-word) matches | `grep -w "h4ck3r" security.log` |
| count matching lines | `grep -c "h4ck3r" security.log` |
| get filenames only (recursive, since the target is a directory) | `grep -rl "h4ck3r" ./mydir` |
| invert the match (lines that do not contain the pattern) | `grep -v "RTFM" README.md` |

Common Options (not an exhaustive list)

| Purpose | Option |
|---|---|
| count lines that match a pattern | `-c` |
| print matching lines but not filenames | `-h` |
| case insensitive | `-i` |
| filenames only | `-l` |
| pass multiple expressions | `-e expression -e expression2` |
| read patterns from a file, one per line | `-f file` |
| line numbers | `-n` |
| lines that DO NOT MATCH the pattern | `-v` |
| exact (whole-word) match | `-w` |
| use extended regular expressions | `-E` |

7 Advanced usages

| Purpose | Command |
|---|---|
| grep in multiple files | `grep "h4ck3r" 1.log 2.log 3.log 4.log` |
| exclude file extensions | `grep -rl --exclude=*.{sh,txt} "h4ck3r" ./` |
| exclude dirs | `grep -r --exclude-dir={root,log,proc,sys} "test" ./` |
| include specific file extension | `grep -nr "eth0" --include="*.conf" /etc/` |
| only target lines that start with alphanumeric chars | `grep "^[[:alnum:]]" README.md` |
| another way for exact matches (-w) | `grep -r "\bsudo\b" /etc/` |
| quickly list php files | `ls \| grep "\.php$"` |

7 Nice tricks

| Purpose | Command |
|---|---|
| multiple searches at the same time | `grep -rE "^(sudo\|root\|system)" /etc/` |
| grep is taking too long? time it! | `time grep -r "e" ./` |
| pipe grep to narrow searches | `grep "[nN]urse" romeo-and-juliet.txt \| grep -v "\[_.*Nurse.*_]"` |
| search in all derivatives of an expression (lov) | `grep -i "\blov.\+\b" romeo-and-juliet.txt` |
| pipe grep output to another program | `grep -rA 2 "bin/.*sh" ~/scripts \| less` |
| grep in big .gz files without opening them | `zgrep -ic "h4ck3r" logs.gz` |
| shorten ranges in grep searches (the shell expands `-e{1..7}` to `-e1 -e2 … -e7`) | `grep -e{1..7} error.log` |

Source (2,3,4): https://www.shell-tips.com/linux/grep/#how-to-grep

Simple or double quotes for search terms?

It depends on what you want to achieve. Single quotes keep the pattern literal, while double quotes let the shell expand variables inside it, so if you need to use a shell variable in the search term, which is a pretty common usage, use double quotes.

How to highlight search terms with colors?

It’s usually handled by the system itself, but if it’s not the case, you can use the following alias in your .bashrc:

alias grep='grep --color=auto'

7 commands for hackers

| Purpose | Command |
|---|---|
| Extract emails from file | `grep -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" file.txt` |
| Extract valid IP addresses | `grep -E -o "(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)" file.txt` |
| Extract passwords (`-E` is needed for the `\|` alternation) | `grep -iE "pwd\|passw" file.txt` |
| Extract users | `grep -iE "user\|invalid\|authentication\|login" file.txt` |
| Extract md5 hashes | `grep -oE '(^\|[^a-fA-F0-9])[a-fA-F0-9]{32}([^a-fA-F0-9]\|$)' *.txt \| grep -oE '[a-fA-F0-9]{32}' > md5-hashes.txt` |
| Extract WordPress MD5 (phpass `$P$` hashes) | `grep -oE '\$P\$\S{31}' *.txt > wp-md5.txt` |
| Extract Visa credit cards | `grep -E -o "4[0-9]{3}[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}" *.txt > visa.txt` |

Source: hacktricks
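Running the e-mail and IP patterns from the table above over a constructed log, as an added example that is not part of the original cheat sheet or of hacktricks; it assumes GNU grep and shows why the IP pattern should be wrapped in `\b`, which the table's version lacks.

```shell
# Added example, not part of the original cheat sheet: runs the e-mail and IP
# patterns from the table over a small constructed log and shows why the IP
# pattern should be wrapped in \b. Assumes GNU grep (-E, -o and \b).

# Constructed sample log (not real data), written to a temp file for grep.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2024-01-01 10:00:01 login ok user=alice@example.com from 10.0.0.5
2024-01-01 10:00:02 invalid password for bob@corp.example.net from 192.168.1.20
2024-01-01 10:00:03 probe from 999.1.1.1 rejected
2024-01-01 10:00:04 contact: ops-team@sub.example.org
EOF
cleanup() { rm -f "$SAMPLE_LOG"; }
trap cleanup EXIT

# E-mail extraction, exactly as in the table.
extract_emails() {
    grep -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" "$SAMPLE_LOG"
}

# One dotted-quad octet, as in the table's IP pattern.
OCTET='(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)'

# The table's pattern as-is: nothing anchors the first octet, so the bogus
# "999.1.1.1" still yields a partial match, "99.1.1.1".
extract_ips_naive() {
    grep -E -o "$OCTET\.$OCTET\.$OCTET\.$OCTET" "$SAMPLE_LOG"
}

# Same pattern wrapped in word boundaries: a match cannot start or end in
# the middle of a number, so "999.1.1.1" is dropped.
extract_ips_strict() {
    grep -E -o "\b$OCTET\.$OCTET\.$OCTET\.$OCTET\b" "$SAMPLE_LOG"
}

# Number of matches printed by one of the extractors above.
count_matches() { "$1" | wc -l | tr -d ' '; }

echo "emails: $(count_matches extract_emails)"
echo "naive IPs: $(count_matches extract_ips_naive), strict IPs: $(count_matches extract_ips_strict)"
```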

find

find is a command-line utility you can use to search a list of files or directories and apply functions on them.

7 basic commands

| Purpose | Command |
|---|---|
| find a file | `find ./ -name myfile.json` |
| find a file by its name | `find ./mydir -name myfile` |
| case insensitive search | `find ./mydir -iname mYfILE` |
| find directories within a dir | `find ./mydir -type d` |
| find in multiple dirs by filename | `find ./mydir /mydir2/subdir -type f -name myfile` |
| exclude name “README” | `find ./mydir -not -name README` |
| find and delete JSON files | `find ./mydir -name "*.json" -delete` |

Common Types

| Type | Meaning |
|---|---|
| `d` | directory |
| `f` | file |

Size units

| Symbol | Unit |
|---|---|
| `G` | gigabytes |
| `M` | megabytes |
| `k` | kilobytes |
| `c` | bytes (write the `c` explicitly: with no suffix, find counts 512-byte blocks) |

7 advanced usages

N.B.: when I write -/+, it means either - for smaller than or + for bigger than; don’t type the /.

| Purpose | Command |
|---|---|
| find by size | `find ./mydir -size 1M` |
| find by size smaller/bigger than | `find ./mydir -size -/+1M` |
| find by permission | `find ./mydir -perm 777` |
| find files last modified X days ago (use `-X` for “within the last X days”) | `find ./mydir -mtime X` (X is an integer) |
| find stuff of user X | `find ./mydir -user ulysse31` |
| find empty folders | `find ./mydir -type d -empty` |
| limit depth to 2 levels (options come after the path) | `find ./mydir -maxdepth 2 -type f -name lola` |

7 nice tricks

| Purpose | Command |
|---|---|
| quickly search in current user homedir | `find ~ -type f -name "todo"` |
| find files accessed in the last 3 hours | `find ./mydir -amin -180` |
| find all files matching pattern “[0-9]” | `find ./mydir -type f -name "*[0-9]"` |
| find read-only files (no write bit set for anyone) | `find ./dir -type f ! -perm /222` |
| apply ls -lah on each search result | `find ./mydir -type f -name "*.json" -exec ls -lah {} \;` or `find . -type f -name "*.json" -print0 \| xargs -0 ls -lah` |
| set permissions for all dirs | `find ./mydir -type d -exec chmod 0755 {} \;` or `find ./mydir -type d -print0 \| xargs -0 chmod 0755` |
| set permissions for all files | `find ./mydir -type f -exec chmod 0644 {} \;` or `find ./mydir -type f -print0 \| xargs -0 chmod 0644` |

About find, grep, and more complex commands

There are dozens of combos you might want to try, for example, applying grep on each result of the find command. While it’s totally possible, I like to keep it simple, as, most of the time, I only need speed.

If you need more complexity, you can try combos with | (pipe) or use the -exec option (note that grep -L lists the files that do NOT contain the string; use -l for the files that do):

find . -type f -iname "*.json" -exec grep -L "Wanna be startin' somethin'" {} \;
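The find + grep combination above, worked through on a constructed directory tree as an added example that is not taken from the original cheat sheet; it assumes GNU find, grep and xargs and contrasts the two -exec forms with a NUL-safe and an unsafe xargs pipe.

```shell
# Added example, not part of the original cheat sheet: builds a small constructed
# directory tree and combines find with grep in three ways to list the JSON files
# containing a marker string, plus one unsafe way that silently misses a path
# with a space in it. Assumes GNU find/grep/xargs for -print0 and -0.

WORK_DIR=$(mktemp -d)
MARKER="Wanna be startin' somethin'"
mkdir -p "$WORK_DIR/sub dir"                               # the space is deliberate
printf '{"song": "Beat It"}\n'      > "$WORK_DIR/a.json"
printf '{"song": "%s"}\n' "$MARKER" > "$WORK_DIR/sub dir/b.json"
printf '{"song": "Thriller"}\n'     > "$WORK_DIR/c.JSON"
printf '%s\n' "$MARKER"             > "$WORK_DIR/notes.txt"   # not .json, must be skipped
cleanup_tree() { rm -rf "$WORK_DIR"; }
trap cleanup_tree EXIT

# -exec with \; runs one grep per file (as in the cheat sheet); -l prints the
# names of the files that contain the marker.
matches_exec_each() {
    find "$WORK_DIR" -type f -iname '*.json' -exec grep -l "$MARKER" {} \; | wc -l | tr -d ' '
}

# -exec with + hands the results to grep in batches: same output, fewer processes.
matches_exec_batch() {
    find "$WORK_DIR" -type f -iname '*.json' -exec grep -l "$MARKER" {} + | wc -l | tr -d ' '
}

# NUL-separated pipe into xargs: safe for any file name.
matches_xargs_nul() {
    find "$WORK_DIR" -type f -iname '*.json' -print0 | xargs -0 grep -l "$MARKER" | wc -l | tr -d ' '
}

# Plain newline pipe: xargs splits "sub dir/b.json" on the space, grep gets two
# paths that do not exist, and the only real match is lost (errors hidden on purpose).
matches_xargs_plain() {
    find "$WORK_DIR" -type f -iname '*.json' | xargs grep -l "$MARKER" 2>/dev/null | wc -l | tr -d ' '
}

echo "exec \\;: $(matches_exec_each)  exec +: $(matches_exec_batch)  xargs -0: $(matches_xargs_nul)  plain xargs: $(matches_xargs_plain)"
```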

Remove the annoying “permission denied”

In this cheat sheet, I often use ./mydir as the haystack, but if you need a more global search, you will probably get messages like “permission denied,” as there are system binaries and protected resources you’re not supposed to read with your user account.

To get rid of those useless lines, redirect the error stream (file descriptor 2, where “permission denied” is written) to /dev/null at the end of the command line:

COMMAND 2> /dev/null

It’s also possible to combine find and grep to achieve the same goal:

find / -type d -name secret 2>&1 | grep -v "Permission denied"

Wrap up

Use grep and find to save time and energy.

\0/