InfoSec Notes
(Very) Basic reverse

strings

The strings utility, available on Linux (GNU binutils) and on Windows as a Sysinternals tool, extracts the sequences of printable characters contained in a file, which is notably useful on non-text files such as compiled binaries.

By default, only the sequences that are at least 4 characters long are retrieved.

strings <BINARY>

objdump

The GNU objdump command line utility can be used to disassemble the executable sections of a binary:

objdump -d <BINARY>

radare2

The radare2 suite is an open source reverse engineering framework consisting of multiple tools and features.

The framework supports multiple architectures (i386, x86-64, ARM, etc.), file formats (PE, PE+, ELF, Mach-O, etc.) and operating systems (Windows, GNU/Linux, OS X, etc.).

The rabin2 utility can be used to retrieve general information about a binary, including its protection mechanisms (from the command line, or with the equivalent iI command inside radare2):

rabin2 -I <BINARY>

radare2 <BINARY>
[0xXXX] > iI

The strings in the binary can be printed with izz and filtered with the ~ grep operator:

[0xXXX] > izz
[0xXXX] > izz~<SEARCH_KEYWORD>
[0xXXX] > izz~password

The visual mode can be entered using the v command and left using the q command. In visual mode, the p command cycles through the display modes.

GDB

Binaries without debugging symbols

Debugging a binary compiled without debugging symbols ("no debugging symbols found") is possible, as GDB can directly handle assembly code.

By default, GDB uses the AT&T assembly syntax. The following command can be used to switch to the Intel syntax:

set disassembly-flavor intel

To set a breakpoint, the binary entry point can be retrieved using the GDB info command and then used as the breakpoint address:

(gdb) info file
Entry point: 0xXXXXXX

(gdb) b *0xXXXXXX
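The entry point printed by rabin2 -I and by GDB's info file is read straight from the ELF file header. The following Python script, added here as an example (not part of the original notes), decodes that header with the standard struct module and derives the b *<entry> command from it; the 64-byte header it parses is constructed inline, not taken from a real binary.

```python
"""Added example: read the ELF header fields behind `rabin2 -I` and GDB's
`info file` (class, endianness, type, machine, entry point) with plain struct."""
import struct
from typing import Any, Dict

ELF_MAGIC = b"\x7fELF"
E_TYPE = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
E_MACHINE = {3: "x86", 40: "ARM", 62: "x86-64", 183: "AArch64"}


def parse_elf_header(data: bytes) -> Dict[str, Any]:
    """Decode the ELF file header (52 bytes for ELF32, 64 bytes for ELF64)."""
    if len(data) < 16 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]  # 1/2 = 32/64-bit, 1/2 = little/big endian
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported ELF class or data encoding")
    endian = "<" if ei_data == 1 else ">"
    # Fields after e_ident: e_type, e_machine, e_version, e_entry, e_phoff, e_shoff,
    # e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx.
    # Only the address-sized fields (entry, phoff, shoff) differ between classes.
    fmt = endian + ("HHIQQQIHHHHHH" if ei_class == 2 else "HHIIIIIHHHHHH")
    if len(data) < 16 + struct.calcsize(fmt):
        raise ValueError("truncated ELF header")
    e_type, e_machine, _, e_entry = struct.unpack_from(fmt, data, 16)[:4]
    return {
        "class": 64 if ei_class == 2 else 32,
        "endian": "little" if ei_data == 1 else "big",
        "type": E_TYPE.get(e_type, hex(e_type)),
        "machine": E_MACHINE.get(e_machine, hex(e_machine)),
        "entry": e_entry,
        # An ET_DYN executable is position independent: its entry point is relative to
        # the load base, which is why the address GDB prints before the program starts
        # and the one it prints once the program is running can differ.
        "pie": e_type == 3,
    }


def gdb_entry_breakpoint(data: bytes) -> str:
    """Build the `b *<entry>` GDB command from the header's entry point."""
    return "b *0x%x" % parse_elf_header(data)["entry"]


# Constructed ELF64 little-endian x86-64 PIE header (e_entry = 0x1040), not a real binary.
SAMPLE_HEADER = (ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8
                 + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0x1040, 64, 0, 0,
                               64, 56, 0, 64, 0, 0))

if __name__ == "__main__":
    print(parse_elf_header(SAMPLE_HEADER))
    print(gdb_entry_breakpoint(SAMPLE_HEADER))
```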

The nexti (shortcut ni) and stepi (shortcut si) commands are the assembly-level counterparts of the source-level next and step commands.

The examine (shortcut x) command can be used to display the instructions at the current program counter once the breakpoint is hit:

# N = number of assembly lines to print
# $pc = GDB variable for the program counter register

(gdb) x/<N>i $pc
(gdb) x/5i $pc

OllyDbg

OllyDbg is a 32-bit assembler-level analysing debugger for Microsoft Windows with a graphical interface.

The Search for -> All referenced strings functionality lists all the printable strings referenced in the binary together with the address of each reference, which can be used to set breakpoints.

dnSpy

dnSpy is a GUI debugger and assembly editor which can be used to debug 32- or 64-bit .NET applications and edit assemblies in C# or Visual Basic.

The GUI can be launched using the dnSpy.exe (64-bit) or dnSpy-x86.exe (32-bit) programs.

