Grep is a powerful command-line utility in Unix, Linux, and other systems used to search for specific text patterns within files or data streams and print the lines that match those patterns. The following are some common grep commands that I use during pentests.

Searching for a file that contains the word “password”

grep -l -e "password" -f *
grep -li "password" *.bat       #Search inside bat files for the word password

Read the contents of all files in a directory (cat *) and pipe it to grep to find IP addresses

cat * | grep -Eo "([0-9]{1,3}[\.]){3}[0-9]{1,3}"
grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' <filename>

Extract words with 4 characters from a file

grep -E '^[[:alpha:]]{4}$' <filename>       #Adjust the character count {} to match your needs

Extract all email addresses

Some commands require anew, which can be found here https://github.com/tomnomnom/anew.

grep -o '[[:alnum:]+\.\_\-]*@[[:alnum:]+\.\_\-]*' | sort | uniq -i
grep -Eo "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" users.json
grep -o -E '\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b' | anew | grep "@gmail.com"
cat * | grep -o -E "(([a-zA-Z][a-zA-Z0-9+-.]*\:\/\/)|mailto|data\:)([a-zA-Z0-9\.\&\/\?\:@\+-\_=#%;,])*" | grep "@" | anew

Extract all data between [ ]

If you have files or stdout content that is between [ ], you can extract just the values between the symbols with:

cat SAP_Users.txt | grep -oP '\[\K[^\]]+'

Extract a JSON parameter value

In the command below, the JSON output would look like [“userSAIdNumber”:”8804569878965″], and the grep command will extract only the 8804569878965.

grep -Po '"userSAIdNumber": *\K"[^"]*"' file.txt  | sed -e 's/^"//' -e 's/"$//'                      #Parameter is userSAIdNUmber in this example and sed removes quotes
grep -Po '"host": *\K"[^"]*"' test.jsonl | sed -e 's/^"//' -e 's/"$//' | anew subdomains.txt

From a file where there is “UserResourceTag”:1234894, in the file

This will extract the 1234894 value from the UserResourceTag key. You can change the key name to suit yours. The value to extract must be a numeric 0-9.

grep -o '"UserResourceTag":[0-9]*' staff.txt | awk -F: '{print $2}' >> resource_tags.txt

Extract URLs that start with http:// or https:// or domains with a path, even without http(s)://

grep -rohE 'https?://[^[:space:]]+|[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/[^:[:space:]]+' Stealer_Logs >> urls.txt

Extract a specific domain

grep -rhaE '(https?://|www\.)?admin\.domain\.com[^[:space:]]*' .    #Searches all files in the current directory

Find credential cache file

env | grep KRB5CCNAME

Grep for sensitive files and code

grep -iRn '*.pass.*' C:\KaliShare\web\dashboard
grep -iRn '*.hash.*' C:\KaliShare\web\dashboard
grep -iRn '*.login.*' C:\KaliShare\web\dashboard
grep -iRn '*.key.*' C:\KaliShare\web\dashboard
grep -iRn '*.encrypt.*' C:\KaliShare\web\dashboard
grep -iRn '*.addEventListener.*' C:\KaliShare\web\dashboard
grep -r EXEC * lgrep -i sqllcut -d":" -fl lgrep \.asp

Extract HTTP Passwords in POST Requests

This is useful for searching log files from something like Apache for POST requests containing passwords.

grep -i "POST /|pwd=|passwd=|password=|Host:"          #Adjust the URL/Parameters to match the password parameter name

Extract domain registration details from WHOIS output

whois example.com | grep 'Domain Name\|Registrant Name\|Registrant Email\|Admin Name\|Admin Email\|Tech Name\|Tech Email\|Billing Name\|Billing Email'