← Back

The Red Team's Guide to the find Command

The Linux find command is an indispensable tool for any system administrator, but its power extends far beyond simple file management. For red teams and penetration testers, find is a critical utility for reconnaissance, privilege escalation, and post-exploitation activities. This article will provide a comprehensive guide to using find from an offensive security perspective, complete with practical examples to help you master this versatile command.

Understanding the find Command Syntax

The basic syntax of the find command is as follows:

find [starting-point] [expression]
  • [starting-point]: This is the directory where find will begin its search. A common starting point is / for a full system scan, or . for the current directory.
  • [expression]: This is the core of the command, where you specify the criteria for your search. It can include options, tests, and actions.

Now, let's explore how a red team can use these components for offensive operations.

Phase 1: Reconnaissance and Information Gathering

Once you've gained a foothold on a system, the first step is often to understand your new environment. find is perfect for this, allowing you to quickly locate files and directories that may contain valuable information.

1. Finding Potentially Sensitive Files

Attackers are always on the lookout for configuration files, scripts, or documents that may contain hardcoded credentials, API keys, or other secrets.

  • Searching for specific file extensions:

    # Find all files ending in .conf, .config, .ini, and .key
find / -type f \( -name "*.conf" -o -name "*.config" -o -name "*.ini" -o -name "*.key" \) 2>/dev/null

    Explanation: This command searches the entire file system (/) for files (-type f) with names ending in .conf, .config, .ini, or .key. The 2>/dev/null is crucial to suppress "Permission denied" errors, which are common when searching as a low-privileged user.

  • Finding files by name containing keywords:

    # Find files with "password" or "cred" in their name
find / -type f \( -name "*password*" -o -name "*cred*" \) 2>/dev/null

  • Searching for files with specific content:

    This is a powerful technique that combines find with grep.

    # Search for the string "password" inside all .conf files
find /etc -type f -name "*.conf" -exec grep -H "password" {} \; 2>/dev/null

    Explanation: The -exec flag is used to execute a command on each file found. grep -H "password" {} will search for the string "password" in the file represented by {} and print the filename (-H) if a match is found.

2. Identifying User Information and Home Directories

Knowing what other users are on the system and what they are working on can lead to new avenues of attack.

  • Finding all user home directories:

    find /home -maxdepth 1 -mindepth 1 -type d

    Explanation: This command searches within /home for directories (-type d), but limits the depth to one level (-maxdepth 1 -mindepth 1) to avoid listing subdirectories and only show the user's main home directories.

  • Locating .bash_history and other hidden files:

    These files can reveal command history, which may contain sensitive information.

    find /home -name ".*history" 2>/dev/null
find /home -name ".*ssh*" 2>/dev/null

Phase 2: Privilege Escalation

After gathering initial information, red teams use find to identify misconfigurations that can lead to privilege escalation.

1. Files with Dangerous Permissions

A common privilege escalation vector is finding files that are writable by a low-privileged user but executed by a more powerful one (like root).

  • Finding all world-writable files:

    find / -type f -perm -o=w 2>/dev/null

    Explanation: This command finds all files (-type f) that have the write permission for others (-perm -o=w).

  • Identifying SUID and SGID Binaries:

    SUID (Set User ID) and SGID (Set Group ID) bits allow a file to be executed with the permissions of the file's owner or group, respectively. This is a classic way to escalate privileges.

    # Find all SUID binaries
find / -type f -perm -4000 2>/dev/null
 
# Find all SGID binaries
find / -type f -perm -2000 2>/dev/null

    Explanation: The -perm flag with 4000 searches for the SUID bit, while 2000 searches for the SGID bit.

2. Services and Scripts with Weak Permissions

Sometimes, a script or service file running as a privileged user is configured to read from or write to a location that a low-privileged user can control.

  • Finding writable service files:

    find /etc/systemd/system -type f -perm -o=w 2>/dev/null

    Explanation: This command checks if any service unit files in the /etc/systemd/system directory are world-writable, which could allow a malicious user to modify them and escalate privileges.

Phase 3: Post-Exploitation and Lateral Movement

Once you have established a stronger presence, find can be used for further exploitation, such as locating credentials for lateral movement or planting a persistent backdoor.

1. Locating Credentials for Lateral Movement

  • Finding files with SSH keys:

    find / -name "id_rsa*" -o -name "id_dsa*" 2>/dev/null

    Explanation: This command finds files that match common SSH private key names.

  • Searching for common credential files:

    find / -type f -name "*shadow*" 2>/dev/null
find / -type f -name "*passwd*" 2>/dev/null

    Explanation: While you may not be able to read /etc/shadow as a normal user, other shadow or passwd files might exist on the system (e.g., in a backup or an application's data directory).

2. Maintaining Persistence

You can use find to find a good location to hide a backdoor or to find files to modify for persistence.

  • Finding directories that are writable by everyone:

    find / -type d -perm -o=w 2>/dev/null

    Explanation: World-writable directories are ideal for hiding malicious files, as they allow any user on the system to drop files there without raising suspicion.

  • Finding recently accessed or modified files:

    This can be useful for both an attacker and a defender. An attacker might use it to find files that are rarely accessed, making it a good place for a backdoor.

    # Find files that were modified in the last 24 hours
find / -mtime -1 2>/dev/null
 
# Find files that were not accessed in the last 365 days
find / -atime +365 2>/dev/null

Conclusion

The find command is an incredibly powerful and versatile tool for red teams. Its ability to systematically search the file system based on a wide range of criteria makes it an essential part of the red team toolkit. By understanding its syntax and knowing the common use cases for offensive security, you can effectively leverage find for reconnaissance, privilege escalation, and maintaining your presence on a target system. Always remember to use these techniques in authorized and ethical penetration testing engagements.

Complementary Tools for File Discovery: locate, which, and whereis

While find is the most powerful and flexible command for deep file system reconnaissance, red teams often use other, more specialized commands for quick lookups. Understanding the strengths and weaknesses of these tools can significantly speed up your operations.

locate: The Fast but Fickle Finder

The locate command is lightning-fast because it doesn't search the live file system. Instead, it queries a pre-built database of all files, usually updated by a scheduled task (updatedb).

  • Red Team Use Case: Quick confirmation that a specific file or binary exists on the system, without the overhead of a deep search.

  • Example 1: Finding all instances of a program:

    # Quickly find all paths related to the "nc" (netcat) binary
locate nc

    Explanation: This command will return a list of all files that have nc in their path, including /bin/nc, /usr/bin/nc.traditional, and documentation files. This is a great way to quickly see if a tool you want to use is already present on the system.

  • Example 2: Finding potential credential files quickly:

    # Search for files with "id_rsa" in their path
locate id_rsa

    Limitation: The locate database can be outdated. If a file was created after the last updatedb run, locate will not find it.

which: Locating Executable Binaries

The which command is a simple tool used to find the full path to an executable binary that would be run in the current shell. It searches the directories listed in the user's PATH environment variable.

  • Red Team Use Case: To confirm the exact location of a command you want to execute, especially if there are multiple versions on the system. This is crucial for path-based attacks or confirming which version of a tool will run.

  • Example 1: Finding the path of a common command:

    # Find the full path to the python3 binary
which python3

    Explanation: This will likely return /usr/bin/python3. If you found another Python binary with find, you can use which to confirm which one the system will execute by default.

  • Example 2: Identifying the gcc compiler location:

    which gcc

    Limitation: which only works for executable binaries and only searches the PATH. It will not find scripts or other files.

whereis: A Hybrid for Binaries, Source, and Manual Pages

The whereis command is similar to which but offers more information. It locates the binary, source code, and manual pages for a given command. It searches a set of standard binary, source, and man page directories.

  • Red Team Use Case: For quick recon on a specific tool. Finding the source code or man pages might provide clues about its functionality or potential vulnerabilities, especially if the source code is writable.

  • Example 1: Finding all information about the sudo command:

    whereis sudo

    Explanation: The output will show the path to the binary (/usr/bin/sudo), the source file (if available), and the manual page (/usr/share/man/man8/sudo.8.gz).

  • Example 2: Checking for the nmap tool:

    whereis nmap

    Explanation: This will quickly tell you if nmap is installed and where its binary and man pages are located.

In summary, while find is your go-to for comprehensive, flexible, and permission-based searches, locate, which, and whereis are valuable for their speed and specialized functions. A skilled red teamer knows when to use each tool to be as efficient as possible during an engagement.

***
Note on Content Creation: This article was developed with the assistance of generative AI like Gemini or ChatGPT. While all public AI strives for accuracy and comprehensive coverage, all content is reviewed and edited by human experts at IsoSecu to ensure factual correctness, relevance, and adherence to our editorial standards.