findstr is a native Windows command-line utility (available in Command Prompt and PowerShell) used to search for specific text patterns or strings within files. It acts as a more powerful version of the find command, allowing for regular expression (regex) searches, case-insensitive matching, and recursive searching through directories.
It is often described as the Windows equivalent to the Linux grep command.
Common findstr Syntax

The basic syntax is: findstr [FLAGS] "STRING" [PATH]
Important: All options (flags) must precede the search strings and filenames in the command.
Key Flags and Options

- /s: Searches for matching files in the current directory and all subdirectories.
- /i: Ignores the case of the characters (case-insensitive).
- /r: Uses search strings as regular expressions.
- /l: Uses search strings literally (not as regex).
- /c:"string": Uses the specified string as a literal search string, allowing spaces in the query.
- /n: Prints the line number before each line that matches.
- /m: Prints only the filename if a file contains a match.
- /v: Prints only lines that do not contain a match.
- /p: Skips files with non-printable characters.
Common Examples
- Search for a string in all files in the current folder and subfolders (case-insensitive):
  findstr /si "target_text" *
- Search for a phrase that includes spaces:
  findstr /c:"Hello World" myfile.txt
- Search for multiple different strings (OR search):
  findstr "apple banana" fruits.txt
  (Matches lines containing either apple or banana; a space-separated search string is treated as several separate strings unless /c: is used.)
- Find lines that match a regular expression (e.g., lines starting with a number):
  findstr /r "^[0-9]" data.txt
- List only filenames containing the string:
  findstr /m "search_text" *.txt
Limitations

- Unicode Support: findstr does not support UTF-16, whereas the older find command does.
- Line Length: It has a maximum line length limit of 8,191 bytes when using piped or redirected input.
- Regex Capabilities: While it supports regex, it is limited compared to standard grep and uses a unique, sometimes non-standard, syntax.
- Search String Length: The maximum length for a single search string is 511 bytes (254 for regex).
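The following PowerShell script is an added walkthrough, not part of the original note: it builds a scratch folder with constructed sample files (all names and contents are made up for the demo), runs each of the flags described above against them, and then shows the UTF-16 limitation in action, with Select-String as the built-in alternative that does read UTF-16. It assumes Windows PowerShell 5.1 or later with findstr.exe on the PATH.

```powershell
# Added demonstration (not from the original note). All paths, file names and
# file contents below are constructed for the demo.
$root = Join-Path $env:TEMP "findstr-demo"
New-Item -ItemType Directory -Path (Join-Path $root "sub") -Force | Out-Null

# ASCII sample files
Set-Content -Path (Join-Path $root "app.config") -Encoding Ascii -Value @(
    '<add key="DbUser" value="svc_app" />',
    '<add key="DbPassword" value="CHANGEME" />',
    '42 widgets shipped'
)
Set-Content -Path (Join-Path $root "sub\notes.txt") -Encoding Ascii -Value @(
    'Hello World from the sub folder',
    'password reset procedure: see wiki',
    'apple pie recipe'
)
# A UTF-16 LE file (PowerShell's "Unicode" encoding): findstr cannot search it
Set-Content -Path (Join-Path $root "sub\secret.ini") -Encoding Unicode -Value 'Password=CHANGEME'

Push-Location $root

"--- /s /i: recursive, case-insensitive match on 'password' ---"
# Hits appear in app.config and sub\notes.txt; sub\secret.ini is silently skipped
findstr /s /i "password" *.config *.txt *.ini

"--- /c: phrase with spaces, /n: prefix each hit with its line number ---"
findstr /n /c:"Hello World" sub\notes.txt

"--- /r: regex, lines starting with a digit ---"
findstr /r "^[0-9]" app.config

"--- /m: only the names of files that contain 'apple' ---"
findstr /s /m "apple" *.txt

"--- /v: lines that do NOT contain 'key' ---"
findstr /v "key" app.config

"--- Limitation: the UTF-16 file produces no match at all ---"
findstr /i "password" sub\secret.ini      # prints nothing

"--- Select-String honours the file's byte-order mark and finds it ---"
Select-String -Path sub\secret.ini -Pattern "password"

Pop-Location
Remove-Item $root -Recurse -Force
```

The UTF-16 case matters for anyone relying on findstr to audit a file tree: files written by PowerShell's default `Out-File` on Windows PowerShell 5.1, by regedit exports, or by many Windows GUI tools are UTF-16, so a findstr sweep that reports "no matches" has not actually proven the text is absent. Select-String (or find) covers those files.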
How to use findstr for Post-Exploitation
Here are the most common ways a tester uses findstr to escalate privileges or find “low-hanging fruit”:
- Searching for Passwords in Configuration Files:
  findstr /si password *.xml *.ini *.txt *.config
  (Flags: /s searches subdirectories; /i ignores case)
- Finding Staged Files or Sensitive Strings:
  type file.txt | findstr /i "user_password admin_token"
- Filtering Active Network Connections:
  netstat -ano | findstr :80
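From the defender's side, the three command shapes listed above are exactly what shows up in process-creation telemetry (Security event 4688 with command-line logging, or Sysmon event 1) when someone runs them on a host. The PowerShell function below is an added triage example, not part of the original note: it takes command-line strings and flags the patterns this section describes. The sample command lines are constructed, not real telemetry, and the function name Test-SuspiciousFindstr is this example's own.

```powershell
# Added example (not from the original note): flag findstr command lines that
# match the post-exploitation patterns listed above. Function name and sample
# data are constructed for this demo.
function Test-SuspiciousFindstr {
    param([Parameter(Mandatory)][string]$CommandLine)

    # Only findstr invocations are of interest here
    if ($CommandLine -notmatch '(?i)\bfindstr(\.exe)?\b') { return $null }

    $reasons = @()

    # Recursive flag (/s, or combined as /si) together with a credential keyword,
    # as in "findstr /si password *.xml *.ini *.txt *.config"
    if ($CommandLine -match '(?i)\s/s\w*' -and
        $CommandLine -match '(?i)\b(password|user_password|admin_token)\b') {
        $reasons += 'recursive credential keyword sweep'
    }

    # Wildcard over configuration file types, regardless of keyword
    if ($CommandLine -match '(?i)\*\.(xml|ini|txt|config)\b') {
        $reasons += 'wildcard search over configuration file types'
    }

    # netstat output piped into findstr, as in "netstat -ano | findstr :80"
    if ($CommandLine -match '(?i)netstat.*\|\s*findstr') {
        $reasons += 'netstat output filtered through findstr'
    }

    if ($reasons.Count -eq 0) { return $null }
    [pscustomobject]@{
        CommandLine = $CommandLine
        Reasons     = ($reasons -join '; ')
    }
}

# Constructed sample command lines standing in for 4688 / Sysmon 1 records
$samples = @(
    'findstr /si password *.xml *.ini *.txt *.config',
    'cmd.exe /c netstat -ano | findstr :80',
    'findstr /n /c:"Hello World" C:\Users\alice\notes.txt',
    'findstr.exe /s /i "admin_token" C:\inetpub\*.config',
    'ping 127.0.0.1'
)

$samples | ForEach-Object { Test-SuspiciousFindstr $_ } |
    Where-Object { $_ } |
    Format-Table -AutoSize
```

Of the five samples, the first, second and fourth are reported; the "Hello World" search and the ping are not. findstr is also used routinely by administrators, so in production this kind of match is a triage signal to be enriched with the parent process, the account, and whether the host is a workstation or a server, not an alert on its own.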
Comparison: findstr (Windows) vs. grep (Linux)
| Feature | findstr | grep |
|---|---|---|
| Recursive Search | /s | -r |
| Case Insensitive | /i | -i |
| Regex Support | Limited (/r) | Robust (-E) |
| Literal Search | /c:"string" | -F |

Tags: CLI tool, post-exploitation, enumeration, privilege escalation