Find Command

5 minute read

Find command makes it so easier to find the files and directories on the filesystem. We can use so many flags to find exactly what we are looking for. And it is a very powerful tool and makes life very easier.

All files and directories

This command gives every files and directories on your filesytem. You might notice few error messages saying permission denied if you are running as low privileged user.

File Descriptors (FD)

In Linux/Unix, everything is a file. Regular file, Directories, and even Devices are files. Every File has an associated number called File Descriptor (FD). Your screen also has a File Descriptor. When a program is executed the output is sent to File Descriptor of the screen, and you see program output on your monitor. If the output is sent to File Descriptor of the printer, the program output would have been printed.

Error Redirection : Whenever you execute a program/command at the terminal, 3 files are always open

  • standard input
  • standard output
  • standard error

These files are always present whenever a program is run. As explained before a file descriptor, is associated with each of these files.

File File Descriptor
Standard Input STDIN 0
Standard Output STDOUT 1
Standard Error STDERR 2

So now we can direct that standard error to /dev/null which is a special file in linux. This can be thought as a black hole as it discards anything that is written to it.

Listing all files and directories with cleaner output

[email protected]:~$ find / 2>/dev/null

Also find command looks recursively inside every sub folder for more files and folders.

Listing files and directories on current directory

[email protected]:~$ find . 2>/dev/null

List everything on your current directory

Listing files only

[email protected]:~$ find / -type f 2>/dev/null

Listing folders only

[email protected]:~$ find / -type d 2>/dev/null

flags for different kind of files

Flag File type
b block (buffered) special
c character (unbuffered) special
d directory
p named pipe (FIFO)
f regular file
l symbolic link
s socket
D door (Solaris)

Files in multiple directories

[email protected]:~$ find /etc /home -type f -name hello.txt 2>/dev/null

Files with particular name

[email protected]:~$ find / -type f -name "hello.txt" 2>/dev/null

Lists every file with name hello.txt

Files ignoring case sensitivity

[email protected]:~$ find / -type f -iname "hEllo.txt" 2>/dev/null

Files with same extension

[email protected]:~$ find / -type f -name "*.jpg" 2>/dev/null

Lists every jpg file in your filesystem.

All files owned by user root

[email protected]:~$ find / -type f -user root 2>/dev/null

All files owned by user root and readable

[email protected]:~$ find / -type f -user root -readable 2>/dev/null

All files owned by user root along with information

[email protected]:~$ find / -type f -user root -ls 2>/dev/null

Just like executing ls -la.

All files owned by group root along with information

[email protected]:~$ find / -type f -group root -ls 2>/dev/null

Finding all hidden file

[email protected]:~$ find / -type f -name ".*" 2>/dev/null

Files with specific file permissions

[email protected]:~$ find / -type f -perm -777  2>/dev/null

File permissions in Linux

Numeric Mode

Number Permission Type Symbol
0 No Permission
1 Execute –x
2 Write -w-
3 Execute + Write -wx
4 Read r–
5 Read + Execute r-x
6 Read +Write rw-
7 Read + Write +Execute rwx

777 means file which can be read, written and executed by any user on the system.

Symbolic Mode

In the Absolute mode, you change permissions for all 3 owners. In the symbolic mode, you can modify permissions of a specific owner. It makes use of mathematical symbols to modify the file permissions.

Operator Description
+ Adds a permission to a file or directory
- Removes the permission
= Sets the permission and overrides the permissions set earlier

The various owners are represented as -

User Denotations
u user/owner
g group
o other
a all

The Permission Types that are used are:

  • r – Read
  • w – Write
  • x – Execute
  • s – SUID bit
  • t – sticky bit

To understand more about file permissions
https://www.linux.com/training-tutorials/understanding-linux-file-permissions/
https://www.guru99.com/file-permissions.html

All files that are executable

[email protected]:~$ find / -perm /a=x -ls 2>/dev/null

It lists files that can be executed by all users.

All files owned by root with SUID permission

[email protected]:~$ find / -type f -user root -perm -4000 -ls 2>/dev/null

And

[email protected]:~$ find / -type f -user root -perm /u=s -ls 2>/dev/null

Find all empty files

[email protected]:~$ find / -type f -empty 2>/dev/null

Find files using size

Files having exact size of 1 MB

[email protected]:~$ find / -type f -size 1M 2>/dev/null

Files having size less than 1 MB

[email protected]:~$ find / -type f -size -1M 2>/dev/null

Files having size in between 1 MB and 10 MB

[email protected]:~$ find / -type f -size +1M  -size -10M  2>/dev/null

Find files according to modified time

Files modified 10 days ago

[email protected]:~$ find / -type f -mtime 10 2>/dev/null

Files modified in between 10 and 20 days ago

[email protected]:~$ find / -type f -mtime +10 -mtime -20 2>/dev/null

Files modified in between dates

[email protected]:~$ find / -type f -newermt 2020-01-02 -not -newermt 2020-01-20 2>/dev/null

All the files that were modified in between 2020-01-02 and 2020-01-20 are shown.

Files accessed 10 days ago

[email protected]:~$ find / -type f -atime 10 2>/dev/null

Files accessed between 10 and 20 days ago

[email protected]:~$ find / -type f -atime +10 -atime -20 2>/dev/null

Files accessed in between dates

[email protected]:~$ find / -type f -newerat 2020-01-02 -not -newerat 2020-01-20 2>/dev/null

All the files that were accessed in between 2020-01-02 and 2020-01-20 are shown.

These kinds of tricks might be helpful during incident response when you have to track back the attacker’s steps on the server to find out which files were accessed or modified to keep the persistent session on the server.

Command execution with find

Deleting all files with particular filename

[email protected]:~$ find / -type f -iname "shell.sh" -exec rm -f {} \;

Checking metadata with exiftool

[email protected]:~$ find / -type f -iname "*.jpg" -exec exiftool {} \;

Find something on txt file with grep

[email protected]:~$ find / -type f -name '*.txt' -exec grep -i test {} \;

It looks for all files with extension txt and checks if it has string test on it using grep.

You can run other different commands using -exec for manipulation of file as well as contents inside it.

[email protected]:~$ find / -type f -name "*.txt" -maxdepth 2 2>/dev/null

Limiting the depth of search to only 2.

Searching files using regular expression

[email protected]:~$ find / -type f -regex ".*\(png\|html\)$" 2>/dev/null

Searching for files with png or html extension.

There are other whole bunch of things that can be done with find. You can always check for the manual of find using man find.

After you feel comfortable with find command, head over to this tryhackme room and try to solve all the problems.