‘find’ command for Recon

2 months ago 33

Daniel Edwards

There is a plethora of reconnaissance tools that can enumerate a system for all its secrets. However, as you progress through your career, you should always be wary of relying solely on automation and its effect of eroding your skills. Using the native tools and commands in Linux lets you become deeply intimate with the system; become fluent in its language and it will reveal all its secrets in due time. Today I will share with you the find techniques I use to perform reconnaissance and enumeration.

Files with 777 Permissions

find / -type f -perm 0777

This command finds all files on the system whose mode is exactly 0777, that is, read, write and execute permission for owner, group and others. If you want to scope it to just your home directory, change it to the command below.

find /home/your_username -type f -perm 0777

Find executable files

find / -perm a=x

Similar to the first command, except I’m searching for files that have only the execute bits set (mode 0111 exactly). This is useful when you want to find files that are owned by root but grant execute permission to a user.

Find files modified in the last 10 days

find / -mtime -10

Find files accessed in the last 10 days

find / -atime -10

Find files changed in the last 60 minutes

find / -cmin -60

Find files modified in the last 10 minutes

find . -type f -mmin -10

Find files of a particular size in MB

find / -size 50M

Folders and files that can be written to or executed from

find / -writable -type d 2>/dev/null
find / -perm -222 -type d 2>/dev/null
find / -perm -o+w -type d 2>/dev/null

Does the same as the first command above, but uses cut and sort to reduce the output to the unique top-level directories

find / -writable -type d 2>/dev/null | cut -d "/" -f 2 | sort -u

Find world executable folders

find / -perm -o+x -type d 2>/dev/null

Find files with the SUID or SGID bit set

find / -type f -perm /6000 -ls 2>/dev/null

If you want to search for the SUID and SGID bits separately, the command below searches for SUID files owned by root

find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null

This searches for the SGID (setgid) bit

find / -user root -perm -2000 -exec ls -ldb {} \; 2>/dev/null
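
find's -perm test takes three forms: a bare mode matches that mode exactly, -mode requires all of the listed bits, and /mode requires any of them. The script below is an added example, not code from the original article; it assumes GNU find and coreutils, and the sandbox file names are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example (not from the article). Assumes GNU find and coreutils.
# Shows which files each -perm form selects on a constructed sandbox.

# make_sandbox: create a temp tree with known modes and print its path.
make_sandbox() {
    local d
    d=$(mktemp -d) || return 1
    touch "$d/plain" "$d/open" "$d/suid" "$d/sgid" "$d/both"
    chmod 0644 "$d/plain"   # ordinary file
    chmod 0777 "$d/open"    # world-writable, no special bits
    chmod 4755 "$d/suid"    # setuid only
    chmod 2755 "$d/sgid"    # setgid only
    chmod 6755 "$d/both"    # setuid + setgid
    mkdir "$d/drop" && chmod 1777 "$d/drop"   # sticky world-writable dir
    printf '%s\n' "$d"
}

# perm_names ROOT TYPE MODE: matching base names, sorted, space-separated.
perm_names() {
    find "$1" -mindepth 1 -type "$2" -perm "$3" -printf '%f\n' |
        sort | paste -sd' ' -
}

# Demo: exact mode, all-bits (-mode) and any-bit (/mode) side by side.
sb=$(make_sandbox)
for mode in 0777 -4000 -2000 -6000 /6000; do
    printf '%-6s %s\n' "$mode" "$(perm_names "$sb" f "$mode")"
done
printf '%-6s %s\n' "-o+w" "$(perm_names "$sb" d -o+w)"
rm -rf "$sb"
```

Note that -6000 only reports the file carrying both bits, while /6000 reports every file carrying either one.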

Find and delete empty directories in my current directory

find . -type d -empty -exec rmdir -v {} +

I use these when cleaning up after an engagement. I may have created a directory I completely forgot about so I’ll just blow it all away.

Find logs that haven’t been modified in more than a month

find /var/log \( -iname "*~" -o -iname "*log*" \) -mtime +30

Similarly, to find logs that have been modified in the last week, use the ‘-’ prefix instead

find /var/log \( -iname "*~" -o -iname "*log*" \) -mtime -7

Find by content

find / -name "*txt" -exec grep -Hi phrase_to_be_searched {} \;

This searches for files whose names end in “txt” and greps their content. The “H” prints the file name with each match, while the “i” tells grep to ignore case

Find system processes

find /proc -name cmdline -exec cat {} \; 2>/dev/null | tr "\0" "\n"

Display the contents of the “flag” (whatever that flag may be)

find / -type f -name flag.txt -exec cat {} \; 2>/dev/null

If you know the name of the file but can’t find it, use this to do a system-wide search. But be careful, this can potentially kill your screen if the file name is a common one.

Find history files

find / -type f \( -name "*_hist" -o -name "*_history" \) -exec ls -l {} \; 2>/dev/null

Source: https://academy.hackthebox.com/module/51/section/1777#:~:text=find%20/%20%2Dtype%20f%20%5C(%20%2Dname%20*_hist%20%2Do%20%2Dname%20*_history%20%5C)%20%2Dexec%20ls%20%2Dl%20%7B%7D%20%5C%3B%202%3E/dev/null

Find configuration Files

find / -type f \( -name "*.conf" -o -name "*.config" \) -exec ls -l {} \; 2>/dev/null

Find configuration files NOT in the proc directory

find / ! -path "*/proc/*" -iname "*config*" -type f 2>/dev/null

Find scripts

find / -type f -name "*.sh" 2>/dev/null | grep -v "src\|snap\|share"

View all hidden files

find / -type f -name ".*" -exec ls -l {} \; 2>/dev/null | grep danny

View all hidden directories

find / -type d -name ".*" -ls 2>/dev/null

That’s all for now, until next time!
