In many cases, the greatest hurdle to becoming a white hat hacker is proficiency with the command line (cli) Linux. This series is designed specifically for those with aspirations of becoming a pentester/white hat hacker, but lack the basic CLI Linux skills.
Aspiring Hackers just starting with Linux are often faced with the dilemma of how to find things (files, binaries, directories, config files, etc) in Linux. This can be very frustrating, but knowledge of a few commands and techniques can go a long way towards minimizing this frustration and making the command line in Linux more friendly.
This tutorial is focused on finding what you are looking for in Linux via the command line.
locate
Linux has multiple ways of finding application, commands, files, etc from the command line. Probably the easiest to use is locate. Locate, followed by a keyword, will go throughout your file system and locate every occurrence of that word.
Sometimes what locate finds is overwhelming, too much information. In addition, if you just created a file, it may not appear in this list as locate uses a database that is updated once a day. A file you created today usually won't appear in that database until tomorrow.
whereis
If we know what we are looking for is a binary (similar to an executable in Windows), Linux has a specific command for that. This command is whereis. whereis will not only return the location of the binary, but also it's manual or man page.
kali > whereis aircrack-ng
As you can see above, whereis returned just the aircrack-ng binaries, rather than all the occurrences of aircrack-ng like locate did.
which
The which command is even more specific. It will only return the location of binaries that are in the PATH variable in Linux.
kali > which aircrack-ng
As you can see above, which was able to find a single binary file in the directories listed in the PATH variable. We will do more in a subsequent tutorial on the PATH variable, but for now it is sufficient to know that the PATH variable is where the operating system looks for the binaries (commands) that you type at the command line. At a minimum, this usually includes /usr/bin.
find
The find command is the most powerful and most flexible of the finding utilities. find is capable of beginning your search in any designated directory and looking for a number of different parameters including, of course, file name, but also can find files that meet other criteria, such as ;
1. date of creation or modification
2. owner
3. group
4. permissions
5. size
The basic syntax for find is;
find <directory list to search> <options> <expression>
So, if I wanted to search for a file starting in the top of the file system (root) / directory with the name apache2, I would type;
kali > find / -type -f -name apache2
Where:
/ is the directory to start searching
-type is the type of file in this case -f or an ordinary file
-name search by name or apache2
As you can see, the find command started at the top of the file system and went through EVERY directory looking for our apache2 command. It found many instances of it and listed them for us. Unfortunately, such a search is slow and requires find to look in every directory. What if we only wanted it to look in the /etc directory?
In this case, we could start the search with /etc directory and only look there and its sub-directories for the occurrences of apache2. Let's try this.
kali > find /etc -type f -name apache2
As we can see above, this much quicker search only found those occurrences of apache2 in the /etc directory and its sub-directories. It's also important to note that unlike some of the other search commands like locate, find only displays exact name matches. If the file apache2 has an extension, such as apache2.conf, it will not match. We can remedy this limitation by using wildcards ( *., ? and []). In this case, let's look in /etc directory for all files that begin with apache2 and have any extension (we might be looking for apache2.conf). We could write a find command with a wildcard such as;
kali > find /etc -type f -name 'apache2.*'
Note that I had to use the single quotes ' ' around the name I was searching for with the wildcard. When I run this command, I find 2 files that start with apache2 in the /etc directory including the apache2.conf file.
grep
Very often, when using the command line, we may want to find a particular keyword. grep is a filter to search for keywords. It is often used when output is piped from one command to another. I'll do more on piping in a future tutorial in this series, but it will suffice to say now that Linux (and Windows for that matter) allows us to take the output of one command and send it to another command. This is called piping and we use | to do this (this character is usually above the ENTER key). So, for instance, if I wanted to see all the services running on my Linux system, I can use the ps command followed by the aux switches such as;
kali > ps aux
As you can see, this gives me all the services running in this system. What if I wanted to find just one single service among this long list?
I can do this by piping the output from ps to grep and look for a keyword. For instance, if I wanted to find out whether the apache2 service was running, I could type;
kali > ps aux | grep apache2
This command says "display all my services and then send that output to grep where it will look for the keyword apache2 and then display ONLY that output".
As you can see above, grep was able to filter out all the other services and ONLY display those that had apache2 in their name saving me much time and eyesight scanning through the list manually looking for apache2.
Keep coming back my aspiring white hat hackers as we build the foundation of Linux skills necessary to become a professional white hat hacker!
To go to Lesson #3, click here.
For more on using Linux for hacking, check out my book "Linux Basics for Hackers" now available here on Amazon.
