find vs. grep: mini cheat sheet

Be aware it's not an exhaustive list.

grep and find are powerful commands for finding resources quickly. The syntax is convenient and you can combine options at will to filter results.

grep

grep stands for “global regular expression print” and is helpful for searching characters and patterns, and for filtering information out of big chunks of data.

7 Basic commands

search term “mimikatz” in security.log (case insensitive)
    grep -i "mimiKAtZ" security.log
print the line number in front of each matching line
    grep -n "mimikatz" security.log
search recursively in folders
    grep -r "mimikatz" ./
exact (whole-word) matches
    grep -w "h4ck3r" security.log
count matching lines
    grep -c "h4ck3r" security.log
get filenames only (-r is needed because the target is a directory)
    grep -rl "h4ck3r" ./mydir
reverse the pattern (print lines that do not match)
    grep -v "RTFM" security.log

Common Options (not an exhaustive list)

-c                      count lines that match a pattern
-h                      print matching lines but not filenames
-i                      case insensitive
-l                      filenames only
-e expr1 -e expr2       pass multiple expressions
-f file                 read patterns from a file, one per line
-n                      line numbers
-v                      lines that DO NOT MATCH the pattern
-w                      match whole words only
-E                      extended regex (alternation with |, {n} quantifiers, groups)

7 Advanced usages

grep in multiple files
    grep "h4ck3r" 1.log 2.log 3.log 4.log
exclude file extensions (the shell expands the braces into two --exclude options)
    grep -rl --exclude=*.{sh,txt} "h4ck3r" ./
exclude dirs
    grep -r --exclude-dir={root,log,proc,sys} "test" ./
include specific file extension
    grep -nr "eth0" --include="*.conf" /etc/
only target lines that start with alphanumeric chars
    grep "^[[:alnum:]]" security.log
another way for exact matches (-w)
    grep -r "\bsudo\b" /etc/
quickly list php files (escape the dot, otherwise it matches any character)
    ls | grep "\.php$"

7 Nice tricks

multiple searches at the same time
    grep -rE "^(sudo|root|system)" /etc/
grep is taking too long? time it!
    time grep -r "e" ./
pipe grep to narrow searches
    grep "[nN]urse" romeo-and-juliet.txt | grep -v "\[_.*Nurse.*_]"
search in all derivatives of an expression (lov)
    grep -i "\blov.\+\b" romeo-and-juliet.txt
pipe grep output to another program
    grep -rA 2 "bin/.*sh" ~/scripts | less
grep in big .gz files without opening them
    zgrep -ic "h4ck3r" logs.gz
shorten ranges in grep searches (a bracket expression; a shell brace like {1..7} would expand into separate arguments)
    grep "[1-7]" error.log

Source (2,3,4):
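As an added example (not part of the original cheat sheet), the options above applied as a small detection pass over constructed sshd/sudo log lines; the log content, the IP addresses and the function names are made up for the demo:

```shell
#!/bin/sh
# Constructed sample of auth-log lines (not a real capture).
LOG="$(mktemp)"
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Mar  1 10:00:01 host sshd[101]: Accepted password for ulysse31 from 10.0.0.5 port 50000 ssh2
Mar  1 10:00:07 host sshd[102]: Failed password for invalid user admin from 203.0.113.9 port 50102 ssh2
Mar  1 10:00:09 host sshd[103]: Failed password for invalid user admin from 203.0.113.9 port 50104 ssh2
Mar  1 10:00:15 host sshd[104]: Failed password for root from 198.51.100.7 port 50200 ssh2
Mar  1 10:01:00 host sudo: ulysse31 : TTY=pts/0 ; PWD=/home/ulysse31 ; USER=root ; COMMAND=/usr/bin/mimikatz
Mar  1 10:02:00 host sshd[105]: Invalid user MIMIKATZ-test from 203.0.113.9 port 50300
EOF

# -c counts matching lines, -i ignores case, -E enables alternation.
# Without -E the | in "failed password|invalid user" is a literal character
# and the count silently drops to zero.
count_failed_logins() { grep -ciE "failed password|invalid user" "$LOG"; }

# -w matches the whole word "root" (not "rootkit"); -v drops the sudo line
# so only ssh failures for the root account are counted.
count_root_attempts() { grep -w "root" "$LOG" | grep -v "sudo" | grep -c "Failed"; }

# -o -E with the dotted-quad regex from the cheat sheet, then sort | uniq -c
# to rank source addresses of failed logins and keep the noisiest one.
top_attacker_ip() {
  grep "Failed password" "$LOG" \
    | grep -oE "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}" \
    | sort | uniq -c | sort -rn | head -1 | awk '{print $2}'
}
```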

Simple or double quotes for search terms?

It depends on what you want to achieve, but if you need to use a shell variable inside the pattern, which is a pretty common usage, use double quotes: the shell expands variables inside double quotes but not inside single ones.

How to highlight search terms with colors?

It’s usually handled by the system itself, but if that’s not the case, you can add the following alias to your .bashrc:

alias grep='grep --color=auto'

7 commands for hackers

Extract emails from file
    grep -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" file.txt
Extract valid IP addresses
    grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" file.txt
Extract passwords (-E is required, otherwise | is a literal character)
    grep -iE "pwd|passw" file.txt
Extract users
    grep -iE "user|invalid|authentication|login" file.txt
Extract md5 hashes
    grep -oE '(^|[^a-fA-F0-9])[a-fA-F0-9]{32}([^a-fA-F0-9]|$)' *.txt | grep -oE '[a-fA-F0-9]{32}' > md5-hashes.txt
Extract WordPress MD5 (phpass hashes start with $P$; the dollar signs must be escaped)
    grep -oE '\$P\$\S{31}' *.txt > wp-md5.txt
Extract Visa credit cards
    grep -E -o "4[0-9]{3}[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}" *.txt > visa.txt

Source: hacktricks

find

find is a command-line utility you can use to search for files or directories and apply actions to them.

7 basic commands

find a file
    find ./ -name myfile.json
find a file by its name in a given dir
    find ./mydir -name myfile
case insensitive search
    find ./mydir -iname mYfILE
find directories within a dir
    find ./mydir -type d
find in multiple dirs by filename
    find ./mydir /mydir2/subdir -type f -name myfile
exclude name “README”
    find ./mydir -not -name README
find and delete JSON files
    find ./mydir -name "*.json" -delete

Common Types


Size units

c    bytes (default)

7 advanced usages

N.B.: When I write -/+, it means either - for smaller than or + for bigger than. Don’t type the slash.

find by size
    find ./mydir -size 1M
find by size smaller/bigger than
    find ./mydir -size -/+1M
find by permission (exact mode)
    find ./mydir -perm 777
find files modified in the last X days (X is an integer)
    find ./mydir -mtime -X
find stuff of user X
    find ./mydir -user ulysse31
find empty folders
    find ./mydir -type d -empty
limit depth to 2 levels (-maxdepth goes after the start directory)
    find ./mydir -maxdepth 2 -type f -name lola

7 nice tricks

quickly search in current user homedir
    find ~ -type f -name "todo"
find files accessed in the last 3 hours
    find ./mydir -amin -180
find all files matching pattern “[0-9]”
    find ./mydir -type f -name "*[0-9]"
find files readable by their owner (/u=r means "any of these bits set")
    find ./dir -perm /u=r
apply ls -lah on each search result
    find ./mydir -type f -name "*.json" -exec ls -lah {} \;
    or
    find . -type f -name "*.json" -print0 | xargs -0 ls -lah
set permissions for all dirs
    find ./mydir -type d -exec chmod 0755 {} \;
    or
    find ./mydir -type d -print0 | xargs -0 chmod 0755
set permissions for all files
    find ./mydir -type f -exec chmod 0644 {} \;
    or
    find ./mydir -type f -print0 | xargs -0 chmod 0644

About find, grep, and more complex commands

There are dozens of combos you might want to try, for example, applying grep on each result of the find command. While it’s totally possible, I like to keep it simple, as, most of the time, I only need speed.

If you need more complexity, you can try combos with | (pipe) or use the -exec option:

find . -type f -iname "*.json" -exec grep -L "Wanna be startin' somethin'" {} \;

Note that -L lists the files that do not contain the string; use -l to list the ones that do.

Remove the annoying “permission denied”

In this cheat sheet, I often use ./mydir as the haystack, but if you need a more global search, you will probably get messages like “permission denied,” as there are system binaries and protected resources you’re not supposed to read with your user account.

To remove these useless lines, you can send the error output (stderr, file descriptor 2) to /dev/null at the end of the command line:

COMMAND 2> /dev/null

It’s also possible to combine find and grep to achieve the same goal:

find / -type d -name secret 2>&1 | grep -v "Permission denied"
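An added example, not from the original page, that turns the find options above and the find/grep combination into a defender's check on a constructed directory tree (the tree, its file contents and the function names are made up here):

```shell
#!/bin/sh
umask 022
# Constructed directory tree (created here, not taken from a real system).
ROOT="$(mktemp -d)"
trap 'rm -rf "$ROOT"' EXIT
mkdir -p "$ROOT/etc" "$ROOT/app/config" "$ROOT/app/cache"
printf '{"db_password": "hunter2"}\n' > "$ROOT/app/config/settings.json"
printf '{"theme": "dark"}\n'          > "$ROOT/app/config/ui.json"
printf 'PASSWORD=changeme\n'          > "$ROOT/etc/service.conf"
printf 'cached\n'                     > "$ROOT/app/cache/blob.json"
chmod 0666 "$ROOT/app/cache/blob.json"      # world-writable: the finding to surface
chmod 0600 "$ROOT/app/config/settings.json"

# World-writable regular files: -perm -o=w requires the other-write bit to be
# set, whereas the cheat sheet's -perm 777 only matches that exact mode.
# 2>/dev/null hides "permission denied" noise on directories we cannot enter.
world_writable() {
  find "$ROOT" -type f -perm -o=w 2>/dev/null | sed "s|^$ROOT/||"
}

# JSON files outside the cache that mention a password-looking key.
# -print0 | xargs -0 keeps names with spaces intact; grep -l prints filenames.
json_with_secrets() {
  find "$ROOT" -type f -name "*.json" -not -path "*/cache/*" -print0 \
    | xargs -0 grep -liE "password|passw" 2>/dev/null | sed "s|^$ROOT/||" | sort
}

# Files modified in the last 10 minutes: -mmin -10 is the minute version of
# the -mtime -X form used above.
recently_changed_count() {
  find "$ROOT" -type f -mmin -10 | wc -l | tr -d ' '
}
```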

Wrap up

Use grep and find to save time and energy.