The Red Team's Guide to the `find` Command

The Linux find command is an indispensable tool for any system administrator, but its power extends far beyond simple file management. For red teams and penetration testers, find is a critical utility for reconnaissance, privilege escalation, and post-exploitation activities. This article will provide a comprehensive guide to using find from an offensive security perspective, complete with practical examples to help you master this versatile command.

Understanding the `find` Command Syntax

The basic syntax of the find command is as follows:

find [starting-point] [expression]

[starting-point]: This is the directory where find will begin its search. A common starting point is / for a full system scan, or . for the current directory.
[expression]: This is the core of the command, where you specify the criteria for your search. It can include options, tests, and actions.

Now, let's explore how a red team can use these components for offensive operations.

Phase 1: Reconnaissance and Information Gathering

Once you've gained a foothold on a system, the first step is often to understand your new environment. find is perfect for this, allowing you to quickly locate files and directories that may contain valuable information.

1. Finding Potentially Sensitive Files

Attackers are always on the lookout for configuration files, scripts, or documents that may contain hardcoded credentials, API keys, or other secrets.

Searching for specific file extensions:
```
# Find all files ending in .conf, .config, .ini, and .key
find / -type f \( -name "*.conf" -o -name "*.config" -o -name "*.ini" -o -name "*.key" \) 2>/dev/null
```
Explanation: This command searches the entire file system (/) for files (-type f) with names ending in .conf, .config, .ini, or .key. The 2>/dev/null is crucial to suppress "Permission denied" errors, which are common when searching as a low-privileged user.

Finding files by name containing keywords:

# Find files with "password" or "cred" in their name
find / -type f \( -name "*password*" -o -name "*cred*" \) 2>/dev/null

Searching for files with specific content:

This is a powerful technique that combines find with grep.
```
# Search for the string "password" inside all .conf files
find /etc -type f -name "*.conf" -exec grep -H "password" {} \; 2>/dev/null
```
Explanation: The -exec flag is used to execute a command on each file found. grep -H "password" {} will search for the string "password" in the file represented by {} and print the filename (-H) if a match is found.

2. Identifying User Information and Home Directories

Knowing what other users are on the system and what they are working on can lead to new avenues of attack.

Finding all user home directories:
```
find /home -maxdepth 1 -mindepth 1 -type d
```
Explanation: This command searches within /home for directories (-type d), but limits the depth to one level (-maxdepth 1 -mindepth 1) to avoid listing subdirectories and only show the user's main home directories.
Locating .bash_history and other hidden files:

These files can reveal command history, which may contain sensitive information.
```
find /home -name ".*history" 2>/dev/null
find /home -name ".*ssh*" 2>/dev/null
```

Phase 2: Privilege Escalation

After gathering initial information, red teams use find to identify misconfigurations that can lead to privilege escalation.

1. Files with Dangerous Permissions

A common privilege escalation vector is finding files that are writable by a low-privileged user but executed by a more powerful one (like root).

Finding all world-writable files:
```
find / -type f -perm -o=w 2>/dev/null
```
Explanation: This command finds all files (-type f) that have the write permission for others (-perm -o=w).
Identifying SUID and SGID Binaries:

SUID (Set User ID) and SGID (Set Group ID) bits allow a file to be executed with the permissions of the file's owner or group, respectively. This is a classic way to escalate privileges.
```
# Find all SUID binaries
find / -type f -perm -4000 2>/dev/null
 
# Find all SGID binaries
find / -type f -perm -2000 2>/dev/null
```
Explanation: The -perm flag with 4000 searches for the SUID bit, while 2000 searches for the SGID bit.

2. Services and Scripts with Weak Permissions

Sometimes, a script or service file running as a privileged user is configured to read from or write to a location that a low-privileged user can control.

Finding writable service files:
```
find /etc/systemd/system -type f -perm -o=w 2>/dev/null
```
Explanation: This command checks if any service unit files in the /etc/systemd/system directory are world-writable, which could allow a malicious user to modify them and escalate privileges.

Phase 3: Post-Exploitation and Lateral Movement

Once you have established a stronger presence, find can be used for further exploitation, such as locating credentials for lateral movement or planting a persistent backdoor.

1. Locating Credentials for Lateral Movement

Finding files with SSH keys:
```
find / -name "id_rsa*" -o -name "id_dsa*" 2>/dev/null
```
Explanation: This command finds files that match common SSH private key names.
Searching for common credential files:
```
find / -type f -name "*shadow*" 2>/dev/null
find / -type f -name "*passwd*" 2>/dev/null
```
Explanation: While you may not be able to read /etc/shadow as a normal user, other shadow or passwd files might exist on the system (e.g., in a backup or an application's data directory).

2. Maintaining Persistence

You can use find to find a good location to hide a backdoor or to find files to modify for persistence.

Finding directories that are writable by everyone:
```
find / -type d -perm -o=w 2>/dev/null
```
Explanation: World-writable directories are ideal for hiding malicious files, as they allow any user on the system to drop files there without raising suspicion.
Finding recently accessed or modified files:

This can be useful for both an attacker and a defender. An attacker might use it to find files that are rarely accessed, making it a good place for a backdoor.
```
# Find files that were modified in the last 24 hours
find / -mtime -1 2>/dev/null
 
# Find files that were not accessed in the last 365 days
find / -atime +365 2>/dev/null
```

Conclusion

The find command is an incredibly powerful and versatile tool for red teams. Its ability to systematically search the file system based on a wide range of criteria makes it an essential part of the red team toolkit. By understanding its syntax and knowing the common use cases for offensive security, you can effectively leverage find for reconnaissance, privilege escalation, and maintaining your presence on a target system. Always remember to use these techniques in authorized and ethical penetration testing engagements.

Complementary Tools for File Discovery: `locate`, `which`, and `whereis`

While find is the most powerful and flexible command for deep file system reconnaissance, red teams often use other, more specialized commands for quick lookups. Understanding the strengths and weaknesses of these tools can significantly speed up your operations.

`locate`: The Fast but Fickle Finder

The locate command is lightning-fast because it doesn't search the live file system. Instead, it queries a pre-built database of all files, usually updated by a scheduled task (updatedb).

Red Team Use Case: Quick confirmation that a specific file or binary exists on the system, without the overhead of a deep search.
Example 1: Finding all instances of a program:
```
# Quickly find all paths related to the "nc" (netcat) binary
locate nc
```
Explanation: This command will return a list of all files that have nc in their path, including /bin/nc, /usr/bin/nc.traditional, and documentation files. This is a great way to quickly see if a tool you want to use is already present on the system.
Example 2: Finding potential credential files quickly:
```
# Search for files with "id_rsa" in their path
locate id_rsa
```
Limitation: The locate database can be outdated. If a file was created after the last updatedb run, locate will not find it.

`which`: Locating Executable Binaries

The which command is a simple tool used to find the full path to an executable binary that would be run in the current shell. It searches the directories listed in the user's PATH environment variable.

Red Team Use Case: To confirm the exact location of a command you want to execute, especially if there are multiple versions on the system. This is crucial for path-based attacks or confirming which version of a tool will run.
Example 1: Finding the path of a common command:
```
# Find the full path to the python3 binary
which python3
```
Explanation: This will likely return /usr/bin/python3. If you found another Python binary with find, you can use which to confirm which one the system will execute by default.
Example 2: Identifying the gcc compiler location:
```
which gcc
```
Limitation: which only works for executable binaries and only searches the PATH. It will not find scripts or other files.

`whereis`: A Hybrid for Binaries, Source, and Manual Pages

The whereis command is similar to which but offers more information. It locates the binary, source code, and manual pages for a given command. It searches a set of standard binary, source, and man page directories.

Red Team Use Case: For quick recon on a specific tool. Finding the source code or man pages might provide clues about its functionality or potential vulnerabilities, especially if the source code is writable.
Example 1: Finding all information about the sudo command:
```
whereis sudo
```
Explanation: The output will show the path to the binary (/usr/bin/sudo), the source file (if available), and the manual page (/usr/share/man/man8/sudo.8.gz).
Example 2: Checking for the nmap tool:
```
whereis nmap
```
Explanation: This will quickly tell you if nmap is installed and where its binary and man pages are located.

In summary, while find is your go-to for comprehensive, flexible, and permission-based searches, locate, which, and whereis are valuable for their speed and specialized functions. A skilled red teamer knows when to use each tool to be as efficient as possible during an engagement.

Love it? Share this article: