Find Command
Find command makes it so easier to find the files and directories on the filesystem. We can use so many flags to find exactly what we are looking for. And it is a very powerful tool and makes life very easier.
All files and directories
local@local:~$ find /
This command gives every files and directories on your filesytem. You might notice few error messages saying permission denied if you are running as low privileged user.
File Descriptors (FD)
In Linux/Unix, everything is a file. Regular file, Directories, and even Devices are files. Every File has an associated number called File Descriptor (FD). Your screen also has a File Descriptor. When a program is executed the output is sent to File Descriptor of the screen, and you see program output on your monitor. If the output is sent to File Descriptor of the printer, the program output would have been printed.
Error Redirection : Whenever you execute a program/command at the terminal, 3 files are always open
- standard input
- standard output
- standard error
These files are always present whenever a program is run. As explained before a file descriptor, is associated with each of these files.
| File | File Descriptor |
|---|---|
| Standard Input STDIN | 0 |
| Standard Output STDOUT | 1 |
| Standard Error STDERR | 2 |
So now we can direct that standard error to /dev/null which is a special file in linux. This can be thought as a black hole as it discards anything that is written to it.
Listing all files and directories with cleaner output
local@local:~$ find / 2>/dev/null
Also find command looks recursively inside every sub folder for more files and folders.
Listing files and directories on current directory
local@local:~$ find . 2>/dev/null
List everything on your current directory
Listing files only
local@local:~$ find / -type f 2>/dev/null
Listing folders only
local@local:~$ find / -type d 2>/dev/null
flags for different kind of files
| Flag | File type |
|---|---|
| b | block (buffered) special |
| c | character (unbuffered) special |
| d | directory |
| p | named pipe (FIFO) |
| f | regular file |
| l | symbolic link |
| s | socket |
| D | door (Solaris) |
Files in multiple directories
local@local:~$ find /etc /home -type f -name hello.txt 2>/dev/null
Files with particular name
local@local:~$ find / -type f -name "hello.txt" 2>/dev/null
Lists every file with name hello.txt
Files ignoring case sensitivity
local@local:~$ find / -type f -iname "hEllo.txt" 2>/dev/null
Files with same extension
local@local:~$ find / -type f -name "*.jpg" 2>/dev/null
Lists every jpg file in your filesystem.
All files owned by user root
local@local:~$ find / -type f -user root 2>/dev/null
All files owned by user root and readable
local@local:~$ find / -type f -user root -readable 2>/dev/null
All files owned by user root along with information
local@local:~$ find / -type f -user root -ls 2>/dev/null
Just like executing ls -la.
All files owned by group root along with information
local@local:~$ find / -type f -group root -ls 2>/dev/null
Finding all hidden file
local@local:~$ find / -type f -name ".*" 2>/dev/null
Files with specific file permissions
local@local:~$ find / -type f -perm -777 2>/dev/null
File permissions in Linux
Numeric Mode
| Number | Permission Type | Symbol |
|---|---|---|
| 0 | No Permission | — |
| 1 | Execute | –x |
| 2 | Write | -w- |
| 3 | Execute + Write | -wx |
| 4 | Read | r– |
| 5 | Read + Execute | r-x |
| 6 | Read +Write | rw- |
| 7 | Read + Write +Execute | rwx |
777 means file which can be read, written and executed by any user on the system.
Symbolic Mode
In the Absolute mode, you change permissions for all 3 owners. In the symbolic mode, you can modify permissions of a specific owner. It makes use of mathematical symbols to modify the file permissions.
| Operator | Description |
|---|---|
| + | Adds a permission to a file or directory |
| - | Removes the permission |
| = | Sets the permission and overrides the permissions set earlier |
The various owners are represented as -
| User | Denotations |
|---|---|
| u | user/owner |
| g | group |
| o | other |
| a | all |
The Permission Types that are used are:
- r – Read
- w – Write
- x – Execute
- s – SUID bit
- t – sticky bit
To understand more about file permissions
https://www.linux.com/training-tutorials/understanding-linux-file-permissions/
https://www.guru99.com/file-permissions.html
All files that are executable
local@local:~$ find / -perm /a=x -ls 2>/dev/null
It lists files that can be executed by all users.
All files owned by root with SUID permission
local@local:~$ find / -type f -user root -perm -4000 -ls 2>/dev/null
And
local@local:~$ find / -type f -user root -perm /u=s -ls 2>/dev/null
Find all empty files
local@local:~$ find / -type f -empty 2>/dev/null
Find files using size
Files having exact size of 1 MB
local@local:~$ find / -type f -size 1M 2>/dev/null
Files having size less than 1 MB
local@local:~$ find / -type f -size -1M 2>/dev/null
Files having size in between 1 MB and 10 MB
local@local:~$ find / -type f -size +1M -size -10M 2>/dev/null
Find files according to modified time
Files modified 10 days ago
local@local:~$ find / -type f -mtime 10 2>/dev/null
Files modified in between 10 and 20 days ago
local@local:~$ find / -type f -mtime +10 -mtime -20 2>/dev/null
Files modified in between dates
local@local:~$ find / -type f -newermt 2020-01-02 -not -newermt 2020-01-20 2>/dev/null
All the files that were modified in between 2020-01-02 and 2020-01-20 are shown.
Files accessed 10 days ago
local@local:~$ find / -type f -atime 10 2>/dev/null
Files accessed between 10 and 20 days ago
local@local:~$ find / -type f -atime +10 -atime -20 2>/dev/null
Files accessed in between dates
local@local:~$ find / -type f -newerat 2020-01-02 -not -newerat 2020-01-20 2>/dev/null
All the files that were accessed in between 2020-01-02 and 2020-01-20 are shown.
These kinds of tricks might be helpful during incident response when you have to track back the attacker’s steps on the server to find out which files were accessed or modified to keep the persistent session on the server.
Command execution with find
Deleting all files with particular filename
local@local:~$ find / -type f -iname "shell.sh" -exec rm -f {} \;
Checking metadata with exiftool
local@local:~$ find / -type f -iname "*.jpg" -exec exiftool {} \;
Find something on txt file with grep
local@local:~$ find / -type f -name '*.txt' -exec grep -i test {} \;
It looks for all files with extension txt and checks if it has string test on it using grep.
You can run other different commands using -exec for manipulation of file as well as contents inside it.
Limiting the depth for the search
local@local:~$ find / -type f -name "*.txt" -maxdepth 2 2>/dev/null
Limiting the depth of search to only 2.
Searching files using regular expression
local@local:~$ find / -type f -regex ".*\(png\|html\)$" 2>/dev/null
Searching for files with png or html extension.
There are other whole bunch of things that can be done with find. You can always check for the manual of find using man find.
After you feel comfortable with find command, head over to this tryhackme room and try to solve all the problems.