<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
	<id>https://wiki.brunnerne.dk/index.php?action=history&amp;feed=atom&amp;title=Binwalk</id>
	<title>Binwalk - Revision history</title>
	<link rel="self" type="application/atom+xml" href="https://wiki.brunnerne.dk/index.php?action=history&amp;feed=atom&amp;title=Binwalk"/>
	<link rel="alternate" type="text/html" href="https://wiki.brunnerne.dk/index.php?title=Binwalk&amp;action=history"/>
	<updated>2026-07-01T05:29:11Z</updated>
	<subtitle>Revision history for this page on the wiki</subtitle>
	<generator>MediaWiki 1.43.1</generator>
	<entry>
		<id>https://wiki.brunnerne.dk/index.php?title=Binwalk&amp;diff=52&amp;oldid=prev</id>
		<title>Brunn: Created page with &quot;== Binwalk CTF Quick Reference ==  === Introduction === Binwalk is a powerful tool primarily used for analyzing binary files to find embedded files and executable code within them. It scans for file signatures (magic bytes) that indicate the start of known file types.  In CTFs, Binwalk is essential for: * Finding hidden files packed inside other files (e.g., images hidden in documents, archives hidden in executables, firmware analysis). * Carving out embedded data struct...&quot;</title>
		<link rel="alternate" type="text/html" href="https://wiki.brunnerne.dk/index.php?title=Binwalk&amp;diff=52&amp;oldid=prev"/>
		<updated>2025-05-02T17:35:59Z</updated>

		<summary type="html">&lt;p&gt;Created page with &amp;quot;== Binwalk CTF Quick Reference ==  === Introduction === Binwalk is a powerful tool primarily used for analyzing binary files to find embedded files and executable code within them. It scans for file signatures (magic bytes) that indicate the start of known file types.  In CTFs, Binwalk is essential for: * Finding hidden files packed inside other files (e.g., images hidden in documents, archives hidden in executables, firmware analysis). * Carving out embedded data struct...&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;== Binwalk CTF Quick Reference ==&lt;br /&gt;
&lt;br /&gt;
=== Introduction ===&lt;br /&gt;
Binwalk is a powerful tool primarily used for analyzing binary files to find embedded files and executable code within them. It scans for file signatures (magic bytes) that indicate the start of known file types.&lt;br /&gt;
&lt;br /&gt;
In CTFs, Binwalk is essential for:&lt;br /&gt;
* Finding hidden files packed inside other files (e.g., images hidden in documents, archives hidden in executables, firmware analysis).&lt;br /&gt;
* Carving out embedded data structures.&lt;br /&gt;
* Identifying potential compression or encryption through entropy analysis.&lt;br /&gt;
&lt;br /&gt;
It&amp;#039;s a go-to tool in forensics challenges when you suspect a file contains more than meets the eye.&lt;br /&gt;
&lt;br /&gt;
=== Basic Signature Scan ===&lt;br /&gt;
&amp;#039;&amp;#039;&amp;#039;Goal:&amp;#039;&amp;#039;&amp;#039; Scan a file for known file signatures (magic bytes).&lt;br /&gt;
&amp;lt;syntaxhighlight lang=&amp;quot;bash&amp;quot;&amp;gt;&lt;br /&gt;
binwalk &amp;lt;filename&amp;gt;&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
* This is the most fundamental command.&lt;br /&gt;
* Output shows the decimal offset, hexadecimal offset, and description of found signatures.&lt;br /&gt;
&lt;br /&gt;
=== Extraction ===&lt;br /&gt;
&amp;#039;&amp;#039;&amp;#039;Goal:&amp;#039;&amp;#039;&amp;#039; Scan for signatures and automatically extract recognized file types.&lt;br /&gt;
&amp;lt;syntaxhighlight lang=&amp;quot;bash&amp;quot;&amp;gt;&lt;br /&gt;
# Scan and extract known file types&lt;br /&gt;
binwalk -e &amp;lt;filename&amp;gt;&lt;br /&gt;
# OR (same command)&lt;br /&gt;
binwalk --extract &amp;lt;filename&amp;gt;&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
* Creates a directory named &amp;lt;code&amp;gt;_&amp;amp;lt;filename&amp;amp;gt;.extracted&amp;lt;/code&amp;gt; containing the carved files.&lt;br /&gt;
* &amp;#039;&amp;#039;&amp;#039;Note:&amp;#039;&amp;#039;&amp;#039; Extraction isn&amp;#039;t perfect; it might miss files, create corrupted files, or extract overlapping data incorrectly. Always inspect results.&lt;br /&gt;
&lt;br /&gt;
&amp;#039;&amp;#039;&amp;#039;Goal:&amp;#039;&amp;#039;&amp;#039; Recursively scan and extract files found within extracted files.&lt;br /&gt;
&amp;lt;syntaxhighlight lang=&amp;quot;bash&amp;quot;&amp;gt;&lt;br /&gt;
# Scan, Extract, and Scan/Extract recursively within extracted files&lt;br /&gt;
binwalk -eM &amp;lt;filename&amp;gt;&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;-M&amp;lt;/code&amp;gt; : Recursively scan extracted files. Powerful but can take time and disk space.&lt;br /&gt;
* Use &amp;lt;code&amp;gt;-d &amp;amp;lt;int&amp;amp;gt;&amp;lt;/code&amp;gt; / &amp;lt;code&amp;gt;--depth=&amp;amp;lt;int&amp;amp;gt;&amp;lt;/code&amp;gt; to limit the recursion depth if needed.&lt;br /&gt;
&lt;br /&gt;
&amp;#039;&amp;#039;&amp;#039;Goal:&amp;#039;&amp;#039;&amp;#039; Extract specific signature types only.&lt;br /&gt;
&amp;lt;syntaxhighlight lang=&amp;quot;bash&amp;quot;&amp;gt;&lt;br /&gt;
# Extract only files matching &amp;#039;zip archive&amp;#039; description&lt;br /&gt;
binwalk -e --dd=&amp;#039;zip archive.*&amp;#039; &amp;lt;filename&amp;gt;&lt;br /&gt;
&lt;br /&gt;
# Extract only JPEGs&lt;br /&gt;
binwalk -e --dd=&amp;#039;jpeg image.*&amp;#039; &amp;lt;filename&amp;gt;&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;--dd=&amp;#039;&amp;amp;lt;type&amp;amp;gt;.*&amp;#039;&amp;lt;/code&amp;gt; : Dump (extract) only files whose description matches the regex pattern.&lt;br /&gt;
&lt;br /&gt;
=== Entropy Analysis ===&lt;br /&gt;
&amp;#039;&amp;#039;&amp;#039;Goal:&amp;#039;&amp;#039;&amp;#039; Analyze file entropy to identify potential compression, encryption, or obfuscated data.&lt;br /&gt;
&amp;lt;syntaxhighlight lang=&amp;quot;bash&amp;quot;&amp;gt;&lt;br /&gt;
# Perform entropy analysis&lt;br /&gt;
binwalk -E &amp;lt;filename&amp;gt;&lt;br /&gt;
&lt;br /&gt;
# Perform entropy analysis and save the plot as a PNG instead of displaying it (plotting requires the optional graphing libraries)&lt;br /&gt;
binwalk -E -J &amp;lt;filename&amp;gt;&lt;br /&gt;
&lt;br /&gt;
# Same option in its long form&lt;br /&gt;
binwalk -E --save &amp;lt;filename&amp;gt;&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
* High entropy regions often indicate compressed or encrypted data, which might warrant closer inspection.&lt;br /&gt;
* Low entropy often indicates null bytes, repetitive patterns, or uninitialized data.&lt;br /&gt;
&lt;br /&gt;
=== Searching for Specific Signatures ===&lt;br /&gt;
&amp;#039;&amp;#039;&amp;#039;Goal:&amp;#039;&amp;#039;&amp;#039; Fine-tune the signature scan.&lt;br /&gt;
&amp;lt;syntaxhighlight lang=&amp;quot;bash&amp;quot;&amp;gt;&lt;br /&gt;
# Only show signatures whose description matches &amp;#039;zlib&amp;#039; (case-insensitive)&lt;br /&gt;
binwalk -y zlib &amp;lt;filename&amp;gt;&lt;br /&gt;
# OR&lt;br /&gt;
binwalk --include=zlib &amp;lt;filename&amp;gt;&lt;br /&gt;
&lt;br /&gt;
# Exclude signatures whose description matches &amp;#039;png&amp;#039;&lt;br /&gt;
binwalk -x png &amp;lt;filename&amp;gt;&lt;br /&gt;
# OR&lt;br /&gt;
binwalk --exclude=png &amp;lt;filename&amp;gt;&lt;br /&gt;
&lt;br /&gt;
# Use a custom magic signature file&lt;br /&gt;
binwalk -m /path/to/custom.magic &amp;lt;filename&amp;gt;&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;-y / --include&amp;lt;/code&amp;gt; : Only display results whose description matches this string.&lt;br /&gt;
* &amp;lt;code&amp;gt;-x / --exclude&amp;lt;/code&amp;gt; : Exclude results whose description matches this string.&lt;br /&gt;
&lt;br /&gt;
=== Other Useful Options ===&lt;br /&gt;
* &amp;lt;code&amp;gt;-r&amp;lt;/code&amp;gt; / &amp;lt;code&amp;gt;--rm&amp;lt;/code&amp;gt; : Delete the intermediate carved files once their extractor has run, keeping only the extracted contents.&lt;br /&gt;
* &amp;lt;code&amp;gt;-l &amp;amp;lt;int&amp;amp;gt;&amp;lt;/code&amp;gt; : Limit the scan to the given number of bytes.&lt;br /&gt;
* &amp;lt;code&amp;gt;-o &amp;amp;lt;int&amp;amp;gt;&amp;lt;/code&amp;gt; : Start the scan at the given byte offset.&lt;br /&gt;
* &amp;lt;code&amp;gt;-A&amp;lt;/code&amp;gt; : Scan for common executable opcode signatures across several architectures (e.g., x86, ARM). Useful for finding embedded code.&lt;br /&gt;
* &amp;lt;code&amp;gt;-W&amp;lt;/code&amp;gt; / &amp;lt;code&amp;gt;--hexdump&amp;lt;/code&amp;gt; : Show hex dump around signature matches.&lt;br /&gt;
&lt;br /&gt;
=== CTF Tips ===&lt;br /&gt;
* Start with &amp;lt;code&amp;gt;binwalk &amp;amp;lt;filename&amp;amp;gt;&amp;lt;/code&amp;gt; to get an overview.&lt;br /&gt;
* Use &amp;lt;code&amp;gt;binwalk -e &amp;amp;lt;filename&amp;amp;gt;&amp;lt;/code&amp;gt; for quick extraction, but &amp;#039;&amp;#039;&amp;#039;always&amp;#039;&amp;#039;&amp;#039; examine the &amp;lt;code&amp;gt;_*.extracted&amp;lt;/code&amp;gt; directory carefully. Check file sizes and types.&lt;br /&gt;
* Use &amp;lt;code&amp;gt;binwalk -E &amp;amp;lt;filename&amp;amp;gt;&amp;lt;/code&amp;gt; to visually spot areas of high entropy (potential hidden data).&lt;br /&gt;
* If extraction fails or seems incomplete, manually carve data using tools like &amp;lt;code&amp;gt;dd&amp;lt;/code&amp;gt; based on the offsets reported by Binwalk.&lt;br /&gt;
* Combine with other forensics tools like &amp;lt;code&amp;gt;strings&amp;lt;/code&amp;gt;, &amp;lt;code&amp;gt;exiftool&amp;lt;/code&amp;gt;, &amp;lt;code&amp;gt;foremost&amp;lt;/code&amp;gt;, or &amp;lt;code&amp;gt;scalpel&amp;lt;/code&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
[[Category:Tools]]&lt;br /&gt;
[[Category:Forensics]]&lt;/div&gt;</summary>
		<author><name>Brunn</name></author>
	</entry>
</feed>