Grep
Grep is a powerful command-line utility in Unix, Linux, and other systems used to search for specific text patterns within files or data streams and print the lines that match those patterns. The following are some common grep commands that I use during pentests.
Searching for a file that contains the word “password”
grep -l -e "password" -f * grep -li "password" *.bat #Search inside bat files for the word password
Read the contents of all files in a directory (cat *) and pipe it to grep to find IP addresses
cat * | grep -Eo "([0-9]{1,3}[\.]){3}[0-9]{1,3}"
grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' <filename>
Extract words with 4 characters from a file
grep -E '^[[:alpha:]]{4}$' <filename> #Adjust the character count {} to match your needs
Extract all email addresses
Some commands require anew, which can be found here https://github.com/tomnomnom/anew.
grep -o '[[:alnum:]+\.\_\-]*@[[:alnum:]+\.\_\-]*' | sort | uniq -i
grep -Eo "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" users.json
grep -o -E '\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b' | anew | grep "@gmail.com"
cat * | grep -o -E "(([a-zA-Z][a-zA-Z0-9+-.]*\:\/\/)|mailto|data\:)([a-zA-Z0-9\.\&\/\?\:@\+-\_=#%;,])*" | grep "@" | anew
Extract all data between [ ]
If you have files or stdout content that is between [ ], you can extract just the values between the symbols with:
cat SAP_Users.txt | grep -oP '\[\K[^\]]+'
Extract a JSON parameter value
In the command below, the JSON output would look like [“userSAIdNumber”:”8804569878965″], and the grep command will extract only the 8804569878965.
grep -Po '"userSAIdNumber": *\K"[^"]*"' file.txt | sed -e 's/^"//' -e 's/"$//' #Parameter is userSAIdNUmber in this example and sed removes quotes grep -Po '"host": *\K"[^"]*"' test.jsonl | sed -e 's/^"//' -e 's/"$//' | anew subdomains.txt
From a file where there is “UserResourceTag”:1234894, in the file
This will extract the 1234894 value from the UserResourceTag key. You can change the key name to suit yours. The value to extract must be a numeric 0-9.
grep -o '"UserResourceTag":[0-9]*' staff.txt | awk -F: '{print $2}' >> resource_tags.txt
Extract URLs that start with http:// or https:// or domains with a path, even without http(s)://
grep -rohE 'https?://[^[:space:]]+|[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/[^:[:space:]]+' Stealer_Logs >> urls.txt
Extract a specific domain
grep -rhaE '(https?://|www\.)?admin\.domain\.com[^[:space:]]*' . #Searches all files in the current directory
Find credential cache file
env | grep KRB5CCNAME
Grep for sensitive files and code
grep -iRn '*.pass.*' C:\KaliShare\web\dashboard grep -iRn '*.hash.*' C:\KaliShare\web\dashboard grep -iRn '*.login.*' C:\KaliShare\web\dashboard grep -iRn '*.key.*' C:\KaliShare\web\dashboard grep -iRn '*.encrypt.*' C:\KaliShare\web\dashboard grep -iRn '*.addEventListener.*' C:\KaliShare\web\dashboard grep -r EXEC * lgrep -i sqllcut -d":" -fl lgrep \.asp
Extract HTTP Passwords in POST Requests
This is useful for searching log files from something like Apache for POST requests containing passwords.
grep -i "POST /|pwd=|passwd=|password=|Host:" #Adjust the URL/Parameters to match the password parameter name
Extract domain registration details from WHOIS output
whois example.com | grep 'Domain Name\|Registrant Name\|Registrant Email\|Admin Name\|Admin Email\|Tech Name\|Tech Email\|Billing Name\|Billing Email'