Viewing & Editing Files
cat, less, head, tail, nano, and just-enough vim to survive on a target box.
Reading files efficiently is one of the most fundamental skills in security work - whether you're combing through a web app's source code, tailing a log file during an active incident, or carving a config file for hardcoded credentials.
Read-Only Is Still Access
Reading files on a system requires authorization just like any other action. Even if you're only viewing files, accessing a system without permission violates computer fraud laws. Every technique in this lesson should be practiced on your own systems or in authorized environments.
cat - Dump a File to Screen
cat (concatenate) reads one or more files and prints them to standard output. It's the quick-and-dirty way to read a file.
Useful cat flags:
- -n - number every output line
- -A - show non-printing characters (tabs as ^I, line endings as $) - helpful for debugging config files
- -s - squeeze consecutive blank lines into one
cat is bad for large files - it dumps everything at once. For anything over a few hundred lines, use less.
Concatenating multiple files:
cat file1.txt file2.txt > combined.txt # merge two files
cat >> log.txt # append stdin to a file (Ctrl+D to stop)
tac - Reverse cat
tac prints a file in reverse order (last line first). The name is cat backwards, which is exactly what it does.
tac is handy when you want the most recent log entries first without knowing the exact line numbers (tail, covered below, is the usual tool for that).
less and more - Paged Reading
For large files, you need a pager - a program that shows content one screen at a time.
less is the modern, feature-rich version. more is older and simpler. Always use less.
less /var/log/syslog
less /usr/share/wordlists/rockyou.txt
Essential less keybindings:
| Key | Action |
|---|---|
| Space or f | Forward one page |
| b | Back one page |
| j or ↓ | Forward one line |
| k or ↑ | Back one line |
| g | Jump to beginning |
| G | Jump to end |
| /pattern | Search forward for pattern |
| ?pattern | Search backward for pattern |
| n | Next search result |
| N | Previous search result |
| q | Quit |
| F | Follow mode (like tail -f) |
less Opens Almost Anything
less reads compressed files through its zless wrapper, and you can even pipe command output into it: ps aux | less or find / -perm -4000 2>/dev/null | less. This is essential when command output is long.
head and tail - Reading Specific Portions
head shows the beginning of a file; tail shows the end.
The default is 10 lines. Use -n NUMBER (or just -NUMBER) to change it:
head -50 bigfile.txt # first 50 lines
tail -100 /var/log/syslog # last 100 lines
tail -f - Live Log Monitoring
-f (follow) makes tail watch the file and print new lines as they're written. This is invaluable for real-time monitoring:
tail -f /var/log/apache2/access.log # watch web traffic in real time
tail -f /var/log/syslog # general system activity
tail -f /var/log/auth.log # authentication events
See three rapid-fire failures from the same IP in that stream? That's a brute-force attempt. tail -f /var/log/auth.log is one of the first commands an incident responder runs.
nano - Beginner-Friendly Editor
nano is the approachable terminal text editor. It shows keyboard shortcuts at the bottom of the screen - no memorization needed to get started.
nano /etc/hosts
nano newfile.txt
Key nano shortcuts (shown as ^ = Ctrl, M- = Alt/Esc):
| Shortcut | Action |
|---|---|
| ^O then Enter | Save (Write Out) |
| ^X | Exit |
| ^K | Cut entire line |
| ^U | Paste (Un-cut) |
| ^W | Search |
| ^G | Help |
| ^/ | Go to line number |
nano vs vim for Security Work
nano is perfect for quick edits - adding a line to /etc/hosts, editing a script, modifying a config. For serious editing, script writing, or when nano isn't available (minimal systems often only have vi/vim), you need to know enough vim to get out of it. We'll cover just-enough vim next.
vim - Just Enough to Survive
vim (Vi IMproved) is everywhere: minimal Docker containers, embedded systems, old servers. It will be the only editor available on many systems you encounter. The learning curve is steep, but you only need to know a handful of things:
The critical concept: vim has modes.
- Normal mode - default when you open vim. Keys execute commands, not type text. dd deletes a line, yy copies it, /pattern searches.
- Insert mode - type text like a normal editor. Press i to enter.
- Command mode - enter commands with :. Press Esc then : to enter.
- Visual mode - select text. Press v to enter.
Getting stuck in vim is a meme. Here's how to never be stuck:
Press Esc (always safe - returns to Normal mode)
Type :q! then Enter → Quit WITHOUT saving (the lifesaver)
Type :wq then Enter → Write (save) and Quit
Type :w then Enter → Save without quitting
The minimum vim workflow:
vim filename → open file in Normal mode
i → enter Insert mode (now you can type)
(type your changes)
Esc → return to Normal mode
:wq Enter → save and exit
Useful Normal mode commands:
| Command | Action |
|---|---|
| i | Insert before cursor |
| a | Insert after cursor |
| o | Open new line below, insert |
| dd | Delete current line |
| yy | Yank (copy) current line |
| p | Paste after cursor |
| u | Undo |
| Ctrl+r | Redo |
| /pattern | Search forward |
| n | Next search result |
| N | Previous search result |
| gg | Go to first line |
| G | Go to last line |
| :NUM Enter | Go to line number |
| :%s/old/new/g | Replace all occurrences |
vim on Minimal Systems
On very minimal systems (containers, appliances), only vi is available, not vim. The commands are mostly the same. If vi seems broken, you may need to use TERM=xterm vi filename to fix display issues.
file - What Type Is This?
file examines a file's content and reports its type, ignoring the filename extension entirely.
In security work, file is essential because attackers and malware often rename files to disguise them. An .exe disguised as a .jpg, a shell script with no extension, a binary dropped in /tmp with a misleading name - file looks at the actual magic bytes and tells you the truth.
stat - File Metadata
stat shows detailed metadata about a file: permissions, ownership, all three timestamps, inode number, and more.
The three timestamps matter for forensics:
- Access (atime) - last time the file was read
- Modify (mtime) - last time the file contents changed
- Change (ctime) - last time the file metadata changed (permissions, ownership, name)
Timestamps Can Be Faked
Attackers use touch -t to modify file timestamps and cover their tracks. touch -t 202401010000 malware.sh would set the access and modification times of malware.sh to January 1st, 2024, making it look like an old file rather than a recent drop. This is why forensic analysis looks at multiple corroborating sources (logs, filesystem journal, memory) rather than trusting timestamps alone.
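One check that follows directly from the three timestamps above, as an added example that is not the lesson's own code: touch -t rewrites atime and mtime, but the kernel sets ctime to the current time on any inode change, so a ctime far newer than mtime is one of the corroborating signals worth pulling. It assumes GNU or busybox stat with -c (Linux) and works on constructed scratch files.

```shell
#!/bin/sh
# Added example, not from the lesson. Flags files whose ctime is much newer than
# their mtime, which is what "touch -t" backdating leaves behind.
# Assumes GNU/busybox stat with -c (Linux); the scratch files are constructed.
set -e

WORK="$(mktemp -d)"                         # scratch dir for constructed files
printf 'echo hello\n' > "$WORK/script.sh"   # fresh file: mtime and ctime agree
printf 'echo hello\n' > "$WORK/backdated.sh"
touch -t 202401010000 "$WORK/backdated.sh"  # backdates mtime only; ctime becomes "now"

# mtime_ctime_gap FILE: seconds by which ctime is newer than mtime.
mtime_ctime_gap() {
    set -- "$(stat -c '%Y %Z' "$1")"        # "$1" is now "MTIME CTIME"
    echo $(( ${1#* } - ${1%% *} ))
}

# looks_timestomped FILE: succeed if ctime is more than a day newer than mtime.
# A legitimate chmod/chown on an old file trips this too, so treat a hit as a
# lead to corroborate against logs and the filesystem journal, not as proof.
looks_timestomped() {
    [ "$(mtime_ctime_gap "$1")" -gt 86400 ]
}

for f in "$WORK"/*.sh; do
    if looks_timestomped "$f"; then
        echo "SUSPECT  $f (ctime is $(mtime_ctime_gap "$f")s newer than mtime)"
    else
        echo "ok       $f"
    fi
done
```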
Searching Inside Files - grep
While not strictly a "viewing" tool, grep is inseparable from file viewing in practice. It filters lines matching a pattern:
grep "Failed password" /var/log/auth.log
grep -i "error" /var/log/syslog # case-insensitive
grep -r "password" /var/www/ # recursive through directory
grep -v "^#" /etc/ssh/sshd_config # exclude comment lines
grep -n "root" /etc/passwd # show line numbers
grep -E "admin|root|superuser" /etc/passwd # extended regex
A pipeline that greps for failed passwords, extracts the IPs, counts unique occurrences, and sorts by frequency is the kind of one-liner that turns a raw log file into an actionable threat intelligence report.
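The failed-password pipeline just described, run over a constructed auth.log excerpt of the kind the tail -f section walks through (three rapid failures from one IP). This is an added example, not the lesson's own code; the sample path and log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the lesson. Counts failed SSH logins per source IP over
# a constructed auth.log excerpt. For a live feed, swap the grep input for
# "tail -f /var/log/auth.log | grep --line-buffered 'Failed password'".
set -e

SAMPLE_LOG="${TMPDIR:-/tmp}/auth_sample.$$.log"   # constructed sample, not a real log

# Constructed excerpt: three rapid failures from one IP, one from another,
# and an unrelated successful key login that must not be counted.
cat > "$SAMPLE_LOG" <<'EOF'
Jan 14 10:02:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51522 ssh2
Jan 14 10:02:02 host sshd[1203]: Failed password for root from 203.0.113.5 port 51530 ssh2
Jan 14 10:02:03 host sshd[1205]: Failed password for root from 203.0.113.5 port 51531 ssh2
Jan 14 10:05:44 host sshd[1300]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
Jan 14 10:07:10 host sshd[1310]: Failed password for invalid user test from 198.51.100.9 port 4222 ssh2
EOF

# failed_by_ip FILE: print "COUNT IP" lines, most frequent first.
failed_by_ip() {
    grep 'Failed password' "$1" \
        | sed -n 's/.* from \([0-9.][0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# top_offender FILE: the single IP with the most failures.
top_offender() {
    failed_by_ip "$1" | head -n 1 | awk '{print $2}'
}

# flag_bruteforce FILE THRESHOLD: IPs with at least THRESHOLD failures.
flag_bruteforce() {
    failed_by_ip "$1" | awk -v t="$2" '$1 >= t {print $2}'
}

echo "Failed logins per IP:"
failed_by_ip "$SAMPLE_LOG"
echo "Flagged at threshold 3:"
flag_bruteforce "$SAMPLE_LOG" 3
```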
Key Takeaways
- cat dumps files to screen; use it for small files and piping.
- less is better for large files - it lets you scroll, search, and navigate.
- head and tail read beginnings and ends of files.
- tail -f follows a log file in real time - essential for incident monitoring.
- nano is beginner-friendly with on-screen shortcuts. Know it for quick edits.
- vim survival kit: Esc + :q! to quit without saving; i to enter insert mode; Esc + :wq to save and quit.
- file reveals a file's true type by reading magic bytes - don't trust extensions.
- stat shows detailed metadata including all three timestamps, which matter for forensic timelines.
- grep filters file contents by pattern and is the foundation of log analysis and credential hunting.