Text Analysis & Pattern Hunting
Use grep and regex to find needles in haystacks. Every hacker's secret weapon.
The Power of Pattern Matching
In security work, you'll often face massive amounts of data: log files with millions of lines, network captures with thousands of packets, or source code spanning hundreds of files. grep is your searchlight in this darkness.
The name "grep" comes from the ed editor command g/re/p, short for "global regular expression print." It searches files for a pattern and prints every matching line.
Grep Fundamentals
| Command | Purpose | Example |
|---|---|---|
| `grep "word" file` | Find lines containing "word" | `grep "error" log.txt` |
| `grep -i` | Case-insensitive search | `grep -i "ERROR" log.txt` |
| `grep -n` | Show line numbers | `grep -n "secret" file.txt` |
| `grep -r` | Recursive (search directories) | `grep -r "password" /var/log/` |
| `grep -v` | Inverse match (lines NOT containing) | `grep -v "debug" log.txt` |
| `grep -c` | Count matching lines | `grep -c "failed" auth.log` |
```
hacker@kali:~$ grep "password" /etc/passwd
# Nothing - passwords aren't stored here!
hacker@kali:~$ grep -i "failed" /var/log/auth.log | head -5
Dec 25 03:14:22 server sshd[1234]: Failed password for root from 192.168.1.100
Dec 25 03:14:25 server sshd[1234]: Failed password for root from 192.168.1.100
Dec 25 03:14:28 server sshd[1234]: Failed password for admin from 192.168.1.100
# Brute force attack detected!
```
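The session above spots the brute-force by eye. The script below, an added example that is not part of the original page, turns the same flags from the table (`-i`, `-c`, `-v`, `-o`) into a repeatable triage: count failures, drop the noise from non-existent accounts, and tally attempts per source address. The auth.log lines are constructed for the example; the only tools assumed are grep, sort, uniq, awk and mktemp.

```shell
#!/bin/sh
# Added example (not from the original page): triaging an auth.log-style file
# with the grep flags from the table above. The log lines are constructed.

# Write a constructed sample log to a temp file and print its path.
make_sample_auth_log() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
Dec 25 03:14:22 server sshd[1234]: Failed password for root from 192.168.1.100 port 51234 ssh2
Dec 25 03:14:25 server sshd[1234]: Failed password for root from 192.168.1.100 port 51236 ssh2
Dec 25 03:14:28 server sshd[1234]: Failed password for admin from 192.168.1.100 port 51240 ssh2
Dec 25 03:15:01 server sshd[1240]: Accepted password for alice from 10.0.0.7 port 40122 ssh2
Dec 25 03:15:09 server sshd[1241]: pam_unix(sshd:session): session opened for user alice
Dec 25 03:16:44 server sshd[1250]: FAILED password for invalid user test from 203.0.113.9 port 2222 ssh2
Dec 25 03:17:00 server CRON[1300]: (root) CMD (run-parts /etc/cron.hourly)
EOF
  printf '%s\n' "$f"
}

# -i: case-insensitive, so "Failed" and "FAILED" both count; -c: count lines.
count_failed_logins() {
  grep -ic "failed password" "$1"
}

# -v inverts the second grep: keep only failures against accounts that exist,
# which is the signal that matters for a password-guessing attempt.
count_failed_logins_real_users() {
  grep -i "failed password" "$1" | grep -vc "invalid user"
}

# -o prints only the matched text ("from 1.2.3.4") instead of the whole line;
# sort | uniq -c tallies identical sources and sort -rn puts the busiest first.
failed_logins_by_source() {
  grep -i "failed password" "$1" | grep -oE "from [0-9.]+" | sort | uniq -c | sort -rn
}

# The single noisiest source address (third field of "  3 from 192.168.1.100").
top_offending_ip() {
  failed_logins_by_source "$1" | head -n 1 | awk '{print $3}'
}

# Stand-alone demo.
LOG=$(make_sample_auth_log)
echo "failed logins (any account): $(count_failed_logins "$LOG")"
echo "failed logins (real accounts): $(count_failed_logins_real_users "$LOG")"
echo "attempts per source:"
failed_logins_by_source "$LOG"
echo "top offender: $(top_offending_ip "$LOG")"
rm -f "$LOG"
```

On a real host, point the functions at `/var/log/auth.log`; the `grep -ic` count is what you would feed into an alert threshold, and the per-source tally is what you would hand to whoever decides whether to block the address.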
Regular Expressions (Regex)
Regular expressions are patterns that describe text. They're the secret language of pattern matchers. Master regex, and you can find almost anything.
Common Regex Patterns
| Pattern | Meaning | Example Match |
|---|---|---|
| `.` | Any single character | `h.t` matches "hat", "hit", "hot" |
| `*` | Zero or more of previous | `lo*g` matches "lg", "log", "looog" |
| `+` | One or more of previous | `lo+g` matches "log", "looog" (not "lg") |
| `^` | Start of line | `^Error` matches lines starting with "Error" |
| `$` | End of line | `failed$` matches lines ending in "failed" |
| `[abc]` | Character class (a, b, or c) | `[Ss]ecret` matches "Secret" or "secret" |
| `[0-9]` | Any digit | `ID:[0-9]+` matches "ID:12345" |
```
hacker@kali:~$ grep -E "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" access.log
# Prints every line containing something shaped like an IPv4 address
hacker@kali:~$ grep -E "^[A-Z][a-z]+ Code:" intercept.log
Secret Code: 42XDFL
# Found the hidden code!
```
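The two searches above, worked through as an added example (not code from the original page), with the one caveat the short IP pattern hides: `[0-9]{1,3}` accepts any one-to-three-digit number, so a value like 999.999.999.999 slips through. The stricter version spells out the 0-255 range per octet and uses `\b` so a match cannot start or end inside a longer run of digits. GNU grep is assumed for `\b`; the access.log lines are constructed, and intercept.log is reconstructed from the mission listing on this page (line 1 of the original file is not shown on the page, so it is omitted).

```shell
#!/bin/sh
# Added example (not from the original page): IPv4 extraction with the page's
# loose pattern versus a strict one, plus pulling the secret code out of
# intercept.log. GNU grep assumed for \b. Sample data is constructed.

make_sample_access_log() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
192.168.1.100 - - [25/Dec/2025:03:14:22 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.9 - - [25/Dec/2025:03:14:23 +0000] "POST /login HTTP/1.1" 401 128
10.0.0.7 - - [25/Dec/2025:03:14:25 +0000] "GET /admin HTTP/1.1" 403 64
999.999.999.999 - - [25/Dec/2025:03:14:30 +0000] "GET / HTTP/1.1" 400 0
EOF
  printf '%s\n' "$f"
}

# Reconstructed from the mission listing on this page (first line not shown there).
make_intercept_log() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
Asset RAVEN confirms package received at dead drop BRAVO.
Handler requests status update on OPERATION NIGHTFALL by 0600.
Extraction team standing by at coordinates CHARLIE-7.
Counter-surveillance detected near safe house. Recommend alternate route.
Secret Code: 42XDFL
END TRANSMISSION - STATION ECHO-5 SIGNING OFF
EOF
  printf '%s\n' "$f"
}

# The page's pattern: {1,3} bounds the repeat count, \. is a literal dot, and -o
# prints only the matched text. Loose: any 1-3 digits pass, so 999.999.999.999 "matches".
extract_ipv4_loose() {
  grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' "$1" | sort -u
}

# Strict: each octet must be 0-255, written as an alternation; \b keeps the
# match from starting or ending in the middle of a longer digit run.
extract_ipv4_strict() {
  octet='(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])'
  grep -oE "\\b$octet(\\.$octet){3}\\b" "$1" | sort -u
}

# ^ pins the match to the line start, so "Code:" in mid-sentence would not count;
# the second grep trims the line to its trailing token, which is the code itself.
find_secret_code() {
  grep -E '^[A-Z][a-z]+ Code:' "$1" | grep -oE '[A-Z0-9]+$'
}

# Stand-alone demo.
A=$(make_sample_access_log)
echo "loose:";  extract_ipv4_loose "$A"
echo "strict:"; extract_ipv4_strict "$A"
rm -f "$A"
I=$(make_intercept_log)
echo "secret code: $(find_secret_code "$I")"
rm -f "$I"
```

The loose pattern is fine for a quick look; the strict one is what you want before feeding addresses into a blocklist or a lookup, because garbage like 999.999.999.999 in a log is itself worth noticing rather than silently passing along.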
MISSION: Find the Secret Code
OBJECTIVE
A mysterious file has been intercepted. Intelligence suggests it contains a hidden code buried within innocent-looking text. Your mission: use grep to extract the secret code.
intercept.log contents:
```
Asset RAVEN confirms package received at dead drop BRAVO.
Handler requests status update on OPERATION NIGHTFALL by 0600.
Extraction team standing by at coordinates CHARLIE-7.
Counter-surveillance detected near safe house. Recommend alternate route.
Secret Code: 42XDFL
END TRANSMISSION - STATION ECHO-5 SIGNING OFF
```
Use the terminal below to find the secret code:
Real-World Applications
Log Analysis
Search gigabytes of logs for failed logins, suspicious IPs, or error patterns that indicate attacks.
Secret Hunting
Find hardcoded credentials, API keys, or sensitive data accidentally committed to source code.
Malware Analysis
Extract strings from suspicious binaries to identify C2 servers, encryption keys, or IOCs.
OSINT
Parse scraped web content for email addresses, phone numbers, or other intelligence targets.
Ready to Test Your Skills?
Complete the quiz to prove your pattern hunting abilities.