Using cat and grep Commands
You can use this lab to familiarize yourself with the cat command, which is used to display the contents of files.
Prerequisites. This lab was written using a Kali Linux bootable USB created with the Create a Bootable USB lab. The lab assumes you can launch a terminal window within a Linux operating system. If you’re not sure how, follow the steps in the study guide to do so.
Note: Some files require elevated permissions to run successfully. If you run a command and see the Permission Denied error message, you can usually get around this by prefixing the command with sudo, which runs the command as root.
Create an authentication error
1. If you’re logged into a Linux system and the screen isn’t locked, press CTRL + ALT + L keys to lock it. You will now have to log back in to gain access to the terminal.
2. Press any key to bring up the Log in screen.
3. The user should already be entered as kali. If not, enter kali as the user.
4. Enter success as the password. This won’t log you in, but will create a message in the /var/log/auth.log file.
5. Log in with the correct credentials of kali and the user and kali as the password.
View the Auth.log
1. Use the following command to display the contents of the /var/log/ directory:
ls /var/log/
The ls command is used to list files and the /var/log/ directory includes many files with the .log extension, indicating they are log files.
2. Use the following command to display the contents of the auth.log in this directory:
sudo cat /var/log/auth.log
This will likely scroll through multiple screens, making it hard to read.
3. Imagine you only want to see if there are any authentication failure entries in the log. Use the following command to do so:
sudo grep “authentication” /var/log/auth.log
You should see just a few entries displayed. Entries with the text “authentication failure” indicate a failed login. However, the auth.log will log all user authentication events in the log. Because any command entered with the sudo command is authenticated, you will also see your commands.
Sep 19 18:52:02 localhost lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=kali
Sep 19 18:59:43 localhost sudo: kali : TTY=pts/0 ; PWD=/home/kali ; USER=root ; COMMAND=/usr/bin/cat /var/log/auth.log
Sep 19 19:03:38 localhost sudo: kali : TTY=pts/0 ; PWD=/home/kali ; USER=root ; COMMAND=/usr/bin/grep authentication /var/log/auth.log
Notice the first log entry (18:52:02) shows the failed login with the words “authentication failure”.
The second entry shows that the command (cat /var/log/auth.log) was successfully run.
The last entry shows that the command (grep authentication /var/log/auth.log) was successfully run.
4. You can combine both commands using the pipe | directive with the following command:
sudo cat /var/log/auth.log | grep “authentication”
5. The grep command is case sensitive by default.