tool reference
CTF tools with one-liner usage.
pwntools · ghidra · john · volatility · wireshark · binwalk · sqlmap · and more
binary exploitation
pwntools
Python library for exploit scripting: connect to local processes or remote services, craft payloads, and handle binary encoding.
from pwn import *
r = remote("host", port)        # remote service
r = process("./binary")         # or a local process
r.sendline(b"input"); r.recvuntil(b"prompt:")
p64(0xdeadbeef)                 # pack to 8 bytes, little-endian
cyclic(200)                     # generate a pattern
cyclic_find(0x6161616b)         # find the offset of the pattern chunk that landed in a register
GDB + pwndbg
Dynamic debugger for Linux binaries. pwndbg plugin adds heap visualization, pattern generation, and better register display.
gdb ./binary
run $(python3 -c "print('A'*100)")    # inside gdb: run with a 100-byte argument
b *main; b *0x401234
stack 20                              # pwndbg
x/20gx $rsp                           # vanilla gdb equivalent
pattern create 200; pattern search $rip   # pwndbg
disassemble main; x/20i $rip
ROPgadget
Find ROP gadgets (instruction sequences ending in ret) within a binary or library.
ROPgadget --binary ./binary
ROPgadget --binary ./binary | grep "pop rdi ; ret"          # gadget listing is plain text; filter with grep
ROPgadget --binary /lib/x86_64-linux-gnu/libc.so.6 --only "pop|ret" | grep rdi
ROPgadget --binary ./binary --string "/bin/sh"              # --string searches data strings, not gadgets
checksec
Audit binary security protections: NX, PIE, stack canary, RELRO, FORTIFY.
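How those protections are read out of the file, as an added example that is neither checksec's nor pwntools' own code: a minimal Python audit that parses the ELF64 program headers and dynamic section for NX, PIE and RELRO. It runs here against a constructed ELF image (not a real program) built inline; stack canary and FORTIFY detection need the symbol table and are not covered.

```python
"""Added example: a minimal checksec-style audit of a little-endian ELF64 image.
Reads only the program headers and dynamic section; canary/FORTIFY are omitted."""
import struct

ET_DYN = 3                      # e_type of a position-independent executable
PT_LOAD, PT_DYNAMIC = 1, 2
PT_GNU_STACK = 0x6474E551       # stack permissions
PT_GNU_RELRO = 0x6474E552       # region made read-only after relocation
PF_X = 0x1
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def checksec_elf64(data: bytes) -> dict:
    """Return {'nx': bool, 'pie': bool, 'relro': 'none' | 'partial' | 'full'}."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    stack_flags, has_relro, bind_now = None, False, False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags, p_offset, _va, _pa, p_filesz = struct.unpack_from("<IIQQQQ", data, off)
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:
            # Dynamic section: 16-byte (d_tag, d_val) entries terminated by DT_NULL.
            for pos in range(p_offset, p_offset + p_filesz, 16):
                d_tag, d_val = struct.unpack_from("<qQ", data, pos)
                if d_tag == DT_NULL:
                    break
                if (d_tag == DT_FLAGS and d_val & DF_BIND_NOW) or \
                   (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW):
                    bind_now = True      # symbols bound at load, so the GOT can be made read-only

    # A missing PT_GNU_STACK is loaded with an executable stack, so it counts as NX off.
    nx = stack_flags is not None and not (stack_flags & PF_X)
    relro = "none" if not has_relro else ("full" if bind_now else "partial")
    return {"nx": nx, "pie": e_type == ET_DYN, "relro": relro}


def build_sample_elf(executable_stack: bool, pie: bool, relro: str) -> bytes:
    """Constructed ELF64 image (header + 3 program headers + tiny dynamic section).
    It is not a runnable program; only the fields the audit reads are meaningful."""
    phnum, dyn_off = 3, 64 + 3 * 56
    dyn = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW) if relro == "full" else b""
    dyn += struct.pack("<qQ", DT_NULL, 0)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS64, little-endian
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else 2, 0x3E, 1,
                               0, 64, 0, 0, 64, 56, phnum, 64, 0, 0)

    def phdr(p_type, p_flags, p_offset=0, p_filesz=0):
        return struct.pack("<IIQQQQQQ", p_type, p_flags, p_offset, 0, 0,
                           p_filesz, p_filesz, 8)

    phdrs = phdr(PT_GNU_STACK, 0x6 | (PF_X if executable_stack else 0))
    phdrs += phdr(PT_DYNAMIC, 0x6, dyn_off, len(dyn))
    # An empty PT_LOAD stands in for PT_GNU_RELRO when RELRO is absent, keeping phnum fixed.
    phdrs += phdr(PT_GNU_RELRO if relro != "none" else PT_LOAD, 0x4)
    return ehdr + phdrs + dyn


if __name__ == "__main__":
    for name, img in (("hardened", build_sample_elf(False, True, "full")),
                      ("weak", build_sample_elf(True, False, "none"))):
        print(name, checksec_elf64(img))
```

Pointing `checksec_elf64` at `open("./binary", "rb").read()` gives the same three verdicts as `checksec --file=./binary` for ordinary x86-64 Linux binaries; the constructed images exist only so the function can be exercised without one.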
checksec --file=./binary
from pwn import *; print(ELF("./binary").checksec())   # same report from Python
one_gadget
Find single gadgets in libc that execute execve("/bin/sh"). Faster than a full ROP chain when register constraints match.
one_gadget /lib/x86_64-linux-gnu/libc-2.31.so
one_gadget libc.so.6 --level 1     # higher level: more candidates, each with more constraints
reverse engineering
Ghidra
Free decompiler from the NSA. Turns disassembly into C-like pseudocode. Supports x86, ARM, MIPS, and more.
ghidra    # then File > Import, then Analyze
analyzeHeadless /project proj -import binary -postScript PrintTree.java
ltrace / strace
ltrace traces library calls (strcmp, memcmp, malloc). strace traces syscalls (read, write, open). Both reveal program behavior without a debugger.
ltrace ./binary
strace ./binary
strace -e trace=read,write ./binary    # only the listed syscalls
strings
Extract printable strings from any binary. Fast first step on any unknown file.
strings ./binary
strings ./binary | grep -i flag
strings -n 8 ./binary     # only strings of at least 8 characters
angr
Python binary analysis framework with symbolic execution. Finds inputs that reach a target state.
import angr
p = angr.Project("./binary")
sm = p.factory.simulation_manager()
sm.explore(find=0x401234)      # symbolically execute until the target address is reached
sm.found[0].posix.dumps(0)     # the stdin that gets there
forensics
Wireshark / tshark
PCAP analysis. Follow TCP/UDP streams, filter by protocol, export transferred objects.
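What "follow TCP stream" and a port display filter do underneath, as an added example that is not Wireshark or tshark code: a small Python parser for classic pcap files with Ethernet/IPv4 frames that groups TCP payloads by connection and filters by port. It runs on a constructed capture built inline (one HTTP exchange and one UDP datagram); pcapng, IPv6, VLAN tags and reassembly of out-of-order segments are out of scope.

```python
"""Added example: parse a classic pcap and follow TCP streams, the way
`tshark -z follow,tcp,ascii,0` and `-Y tcp.port == N` present a capture."""
import struct
from collections import OrderedDict

PCAP_MAGIC = 0xA1B2C3D4          # little-endian, microsecond timestamps
ETH_P_IP, IPPROTO_TCP, IPPROTO_UDP = 0x0800, 6, 17


def parse_pcap(data: bytes) -> list:
    """One dict per IPv4 TCP/UDP packet; other frames are skipped."""
    magic, _major, _minor, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype != 1:
        raise ValueError("expected a little-endian pcap with Ethernet frames")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_P_IP:
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack_from("!H", ip, 2)[0]
        proto = ip[9]
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        l4 = ip[ihl:total_len]
        sport, dport = struct.unpack_from("!HH", l4, 0)
        if proto == IPPROTO_TCP:
            payload = l4[(l4[12] >> 4) * 4:]      # data offset field, in 32-bit words
        elif proto == IPPROTO_UDP:
            payload = l4[8:]
        else:
            continue
        packets.append({"ts": ts_sec + ts_usec / 1e6, "proto": proto, "src": src,
                        "sport": sport, "dst": dst, "dport": dport, "payload": payload})
    return packets


def follow_tcp_streams(packets: list) -> dict:
    """Concatenate TCP payloads per connection, both directions in packet order.
    Key is the sorted (ip, port) endpoint pair."""
    streams = OrderedDict()
    for p in packets:
        if p["proto"] != IPPROTO_TCP or not p["payload"]:
            continue
        key = tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))
        streams[key] = streams.get(key, b"") + p["payload"]
    return streams


def display_filter(packets: list, port: int) -> list:
    """Rough equivalent of `-Y tcp.port == N or udp.port == N`."""
    return [p for p in packets if port in (p["sport"], p["dport"])]


def build_frame(src, sport, dst, dport, payload: bytes, proto=IPPROTO_TCP) -> bytes:
    """Constructed Ethernet/IPv4/TCP-or-UDP frame; checksums are left zero."""
    if proto == IPPROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ETH_P_IP) + ip + l4


def build_sample_pcap() -> bytes:
    """Constructed capture: one HTTP request/response pair plus one UDP datagram to port 53."""
    frames = [
        build_frame("10.0.0.2", 40000, "10.0.0.1", 80, b"GET /secret HTTP/1.1\r\nHost: lab\r\n\r\n"),
        build_frame("10.0.0.2", 50000, "10.0.0.53", 53, b"\x00\x01", proto=IPPROTO_UDP),
        build_frame("10.0.0.1", 80, "10.0.0.2", 40000, b"HTTP/1.1 200 OK\r\n\r\nhello"),
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    pkts = parse_pcap(build_sample_pcap())
    for key, stream in follow_tcp_streams(pkts).items():
        print(key, stream)
```

The same `parse_pcap` accepts `open("capture.pcap", "rb").read()` for any capture saved in the classic format with Ethernet link type; Wireshark's default pcapng output must be exported as pcap first.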
wireshark capture.pcap
tshark -r capture.pcap -Y http                              # display filter
tshark -r capture.pcap -q -z follow,tcp,ascii,0             # follow TCP stream 0
tshark -r capture.pcap --export-objects http,./output_dir   # save transferred files
Volatility
Memory forensics framework. Analyze Windows/Linux memory dumps to list processes, find network connections, recover files.
volatility -f mem.dmp imageinfo              # Volatility 2: identify the profile
python3 vol.py -f mem.dmp windows.pslist     # Volatility 3 from here on
python3 vol.py -f mem.dmp windows.netscan
python3 vol.py -f mem.dmp windows.malfind
python3 vol.py -f mem.dmp windows.dumpfiles --pid 1234
binwalk
Scan for embedded files and compression signatures. Extract everything found automatically.
binwalk file.bin
binwalk -e file.bin      # extract what was found
binwalk -Me file.bin     # extract recursively
exiftool
Extract metadata from images, documents, audio, and video. GPS, author, timestamps, comments.
exiftool image.jpg
exiftool -GPS* image.jpg
exiftool /dir/           # every file in a directory
zsteg
Detect and extract LSB steganography in PNG and BMP files.
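What zsteg's "b1,rgb,lsb,xy" payload name means in practice, as an added example that is not zsteg's code: read the lowest bit of each colour channel, pixel by pixel in row-major order, rebuild bytes from the bit stream, and rank channel orders by how text-like the result is. It works on a plain list of (r, g, b) tuples, so no image library is needed; the stego image is constructed inline, with the payload text being an assumption of the demo.

```python
"""Added example of LSB extraction and a zsteg-style channel-order sweep."""
import itertools
import random
import string

CHANNEL_INDEX = {"r": 0, "g": 1, "b": 2}


def lsb_extract(pixels, channels="rgb", bits=1) -> bytes:
    """Collect the `bits` low bits of each selected channel, pixel by pixel (zsteg 'xy'
    order), MSB-first within each byte. 'b1,rgb,lsb,xy' is bits=1, channels='rgb'."""
    stream = []
    for px in pixels:
        for ch in channels:
            value = px[CHANNEL_INDEX[ch]]
            for b in range(bits - 1, -1, -1):
                stream.append((value >> b) & 1)
    out = bytearray()
    for i in range(0, len(stream) - len(stream) % 8, 8):
        byte = 0
        for bit in stream[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII: the cheapest 'does this look like text' test."""
    if not data:
        return 0.0
    return sum(chr(b) in string.printable for b in data) / len(data)


def scan_channel_orders(pixels, window=32):
    """Try every channel order, as zsteg's default sweep does, and rank them by how
    text-like the first `window` bytes are. Returns [(order, ratio), ...], best first."""
    results = []
    for perm in itertools.permutations("rgb"):
        order = "".join(perm)
        results.append((order, printable_ratio(lsb_extract(pixels, order)[:window])))
    return sorted(results, key=lambda r: r[1], reverse=True)


def lsb_embed(pixels, payload: bytes, channels="rgb"):
    """Builds the constructed stego image: overwrite each channel's LSB with payload bits."""
    bits = [(byte >> i) & 1 for byte in payload for i in range(7, -1, -1)]
    out = [list(p) for p in pixels]
    k = 0
    for px in out:
        for ch in channels:
            if k < len(bits):
                idx = CHANNEL_INDEX[ch]
                px[idx] = (px[idx] & ~1) | bits[k]
                k += 1
    if k < len(bits):
        raise ValueError("payload does not fit in the image")
    return [tuple(p) for p in out]


def build_sample_image(seed=7, size=16 * 16):
    """Constructed 16x16 noise image as (r, g, b) tuples."""
    rng = random.Random(seed)
    return [(rng.randrange(256), rng.randrange(256), rng.randrange(256)) for _ in range(size)]


SAMPLE_PAYLOAD = b"zsteg demo payload, constructed for this example"   # assumed demo text

if __name__ == "__main__":
    stego = lsb_embed(build_sample_image(), SAMPLE_PAYLOAD)
    print(scan_channel_orders(stego))
    print(lsb_extract(stego)[:len(SAMPLE_PAYLOAD)])
```

Extracting with the wrong channel order permutes bits within every group of three, which is why the printable-ratio ranking separates "rgb" from the other five orders; zsteg applies the same idea with a much larger sweep (bit counts, channel subsets, column-major order) and richer output checks such as file signatures.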
zsteg image.png
zsteg -c rgb image.png                  # restrict to the RGB channels
zsteg -E "b1,rgb,lsb,xy" image.png      # extract one named payload (uppercase -E)
steghide
Embed or extract hidden data from JPEG, BMP, WAV, and AU files.
steghide extract -sf image.jpg
steghide extract -sf image.jpg -p "password"
steghide embed -cf image.jpg -ef secret.txt     # -cf cover file, -ef file to embed
foremost
Recover files from disk images or raw streams by file signature (file carving).
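How signature scanning (binwalk, above) and signature-based carving (foremost) fit together, as an added example that is neither tool's own code: scan an opaque blob for magic bytes, then walk each format's own structure to find where the embedded file really ends. The blob is constructed inline (padding, a 1x1 PNG, a gzip member, a trailer); the signature table is a tiny subset of what the real tools know.

```python
"""Added example of signature scanning and file carving on a constructed blob."""
import gzip
import struct
import zlib

# Magic bytes for a few common formats (a tiny subset of binwalk's signature set).
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip",
    b"\x1f\x8b\x08": "gzip",
}


def scan_signatures(blob: bytes):
    """Every (offset, format) where a known magic appears, sorted by offset."""
    hits = []
    for magic, name in SIGNATURES.items():
        start = blob.find(magic)
        while start != -1:
            hits.append((start, name))
            start = blob.find(magic, start + 1)
    return sorted(hits)


def carve_png(blob: bytes, offset: int):
    """PNG is a chain of length-prefixed chunks; the file ends after the IEND chunk."""
    pos = offset + 8
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack_from("!I4s", blob, pos)
        pos += 4 + 4 + length + 4             # length, type, data, CRC
        if ctype == b"IEND":
            return blob[offset:pos] if pos <= len(blob) else None
    return None                               # truncated: no complete IEND


def carve_gzip(blob: bytes, offset: int):
    """Inflate from the offset; zlib reports where the member ended via unused_data."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)   # 16+ selects gzip framing
    try:
        d.decompress(blob[offset:])
    except zlib.error:
        return None
    if not d.eof:
        return None                           # stream truncated
    return blob[offset:len(blob) - len(d.unused_data)]


CARVERS = {"png": carve_png, "gzip": carve_gzip}


def carve_all(blob: bytes):
    """Scan, then carve every hit that has a carver; returns [(offset, fmt, bytes)]."""
    out = []
    for offset, fmt in scan_signatures(blob):
        carver = CARVERS.get(fmt)
        if carver:
            data = carver(blob, offset)
            if data is not None:
                out.append((offset, fmt, data))
    return out


def _png_chunk(ctype: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack("!I", len(data)) + ctype + data + struct.pack("!I", crc)


def build_sample_png() -> bytes:
    """Constructed 1x1 RGB PNG (IHDR, IDAT, IEND)."""
    ihdr = struct.pack("!IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")       # filter byte + one red pixel
    return (b"\x89PNG\r\n\x1a\n" + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))


SAMPLE_TEXT = b"carved gzip member, constructed"


def build_sample_blob() -> bytes:
    """Constructed 'firmware' blob: padding, a PNG, more padding, a gzip member, a trailer."""
    pad = b"padding-bytes-" * 4
    return pad + build_sample_png() + pad + gzip.compress(SAMPLE_TEXT, mtime=0) + b"TRAILER"


if __name__ == "__main__":
    for offset, fmt, data in carve_all(build_sample_blob()):
        print(f"{offset:#x} {fmt} {len(data)} bytes")
```

The carvers are what separate `foremost` from a plain signature hit: a magic match gives only a start offset, and every format needs its own rule (chunk walk for PNG, end-of-stream for gzip, end-of-central-directory for ZIP) to decide how many bytes to copy out.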
foremost -i disk.img -o ./recovered
foremost -t jpg,png -i disk.img -o ./recovered    # only the listed types
web exploitation
sqlmap
Automated SQL injection detection and exploitation. Run after manually confirming the injection point.
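The defect sqlmap is looking for, beside its fix, as an added example that is not sqlmap's code: a login query built by string formatting against one built with parameter binding, exercised on an in-memory SQLite table constructed inline. The user names and passwords are constructed demo data.

```python
"""Added example: the SQL injection defect sqlmap probes for, next to the fix."""
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed demo table; real applications store password hashes, not plaintext."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct-horse"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Input is spliced into the SQL text, so quotes in it change the query's structure."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username: str, password: str):
    """Parameter binding keeps input as data: the same inputs match no row."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


# The two textbook probes sqlmap's boolean tests are built from: a comment that drops
# the rest of the WHERE clause, and a tautology OR'ed onto it.
PROBES = [("alice' --", "wrong"), ("nobody", "' OR '1'='1")]


def compare(conn):
    """Run each probe through both functions; returns {(user, pw): (vulnerable, safe)}."""
    return {probe: (login_vulnerable(conn, *probe), login_safe(conn, *probe))
            for probe in PROBES}


if __name__ == "__main__":
    for probe, (vuln, safe) in compare(setup_db()).items():
        print(probe, "-> vulnerable:", vuln, "| safe:", safe)
```

Manually confirming the injection point, as the description above says to do first, is exactly the `compare` step: a single quote that changes the response where the parameterised version does not. Binding is the fix; escaping quotes by hand is not.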
sqlmap -u "http://target/page?id=1" --dbs
sqlmap -u "http://target/login" --data "user=a&pass=b" -p user     # POST body, test parameter "user"
sqlmap -u "..." -D dbname -T tablename --dump
sqlmap -u "..." --cookie "session=abc123"
ffuf
Fast web fuzzer. Directory brute-forcing, parameter discovery, virtual host enumeration.
ffuf -u http://target/FUZZ -w /usr/share/wordlists/dirb/common.txt
ffuf -u "http://target/page?param=FUZZ" -w wordlist.txt
ffuf -u http://target/FUZZ -w wordlist.txt -fs 1234     # hide responses of size 1234
curl
Manual HTTP request crafting from the command line.
curl -H "Authorization: Bearer token" http://target/api
curl -X POST -H "Content-Type: application/json" -d '{"key":"val"}' http://target
curl -L http://target     # follow redirects
curl -i http://target     # include response headers
cryptography
John the Ripper
Password cracker. Supports hundreds of hash types and archive formats.
john hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt
zip2john file.zip > zip.hash; john zip.hash --wordlist=rockyou.txt
john hashes.txt --show                 # print cracked passwords
john --list=formats | grep sha256
hashcat
GPU-accelerated password cracker. Faster than John for large wordlists on supported hardware.
hashcat -m 0 hashes.txt rockyou.txt                         # -m 0: MD5
hashcat -m 1400 hashes.txt rockyou.txt                      # -m 1400: SHA-256
hashcat -m 0 hashes.txt rockyou.txt -r rules/best64.rule    # apply mangling rules
CyberChef
In-browser encoding/decoding/transformation tool. Magic mode auto-detects encoding. Chain operations for multi-layer puzzles.
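The idea behind Magic mode, as an added example that is not CyberChef's code and uses a far cruder scorer than CyberChef's: repeatedly try a few decoders and keep the one whose output looks most like text, until no decoder improves things. The three-layer puzzle it is run on (rot13, then hex, then base64) and the common-word list are constructed for the demo.

```python
"""Added example: peel encoding layers automatically, CyberChef Magic style."""
import base64
import binascii
import codecs
import re
import string

COMMON_WORDS = ("the", "and", "is", "flag", "key", "message", "secret", "text")


def english_score(data: bytes) -> int:
    """-1 if not printable text; otherwise a count of common-word hits (constructed heuristic)."""
    try:
        text = data.decode()
    except UnicodeDecodeError:
        return -1
    if not all(c in string.printable for c in text):
        return -1
    return sum(text.lower().count(w) for w in COMMON_WORDS)


def try_hex(data: bytes):
    s = data.strip()
    if len(s) % 2 or not re.fullmatch(rb"[0-9a-fA-F]+", s):
        return None
    return bytes.fromhex(s.decode())


def try_base64(data: bytes):
    s = data.strip()
    if len(s) % 4 or not re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", s):
        return None
    try:
        return base64.b64decode(s, validate=True)
    except binascii.Error:
        return None


def try_rot13(data: bytes):
    try:
        return codecs.encode(data.decode(), "rot_13").encode()
    except UnicodeDecodeError:
        return None


DECODERS = (("from_hex", try_hex), ("from_base64", try_base64), ("rot13", try_rot13))


def peel_layers(data: bytes, max_depth: int = 8):
    """Return (final bytes, list of decoder names applied in order)."""
    chain = []
    for _ in range(max_depth):
        before = english_score(data)
        for name, fn in DECODERS:
            out = fn(data)
            if out is None or out == data:
                continue
            # Structural decoders only need a printable result; rot13 always yields
            # printable text, so it must make the text score better than before.
            threshold = before + 1 if name == "rot13" else 0
            if english_score(out) >= threshold:
                chain.append(name)
                data = out
                break
        else:
            break                        # no decoder applied: stop
    return data, chain


def build_sample_input() -> bytes:
    """Constructed three-layer puzzle: rot13, then hex, then base64."""
    plain = "the flag is hidden in this text"
    rotated = codecs.encode(plain, "rot_13").encode()
    return base64.b64encode(rotated.hex().encode())


if __name__ == "__main__":
    print(peel_layers(build_sample_input()))
```

The ordering matters: a structural decoder that happens to succeed (hex on "cafe", base64 on "abcd") is rejected because its output is not printable, and rot13 is only kept when it makes the text score strictly better, which is what stops it from being applied a second time to already-plain text.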
https://gchq.github.io/CyberChef/
Input encoded text → Operations > Magic > Bake
SageMath
Mathematical software for crypto CTF challenges. RSA, elliptic curves, lattice attacks.
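The small-modulus RSA recovery that `factor(n)` and `pow(c, d, n)` are used for, carried through in plain Python as an added example (not SageMath code): factor n, derive the private exponent, decrypt. Fermat's method is used because the constructed key deliberately has two neighbouring primes; SageMath's `factor` would also handle moduli this method cannot.

```python
"""Added example: recover an RSA private key from a weak modulus and decrypt."""
from math import isqrt


def is_prime(n: int) -> bool:
    """Trial division; adequate for the ~10**6-sized primes constructed below."""
    if n < 2:
        return False
    for f in range(2, isqrt(n) + 1):
        if n % f == 0:
            return False
    return True


def next_prime(n: int) -> int:
    while not is_prime(n):
        n += 1
    return n


def fermat_factor(n: int, max_steps: int = 1_000_000):
    """Find p, q with n = p*q when they are close: n = a^2 - b^2 = (a-b)(a+b)."""
    a = isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(max_steps):
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:
            return a - b, a + b
        a += 1
    return None


def recover_private_exponent(n: int, e: int) -> int:
    """d = e^-1 mod phi(n) once p and q are known (pow with exponent -1 needs Python 3.8+)."""
    p, q = fermat_factor(n)
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)


def rsa_decrypt_to_bytes(c: int, d: int, n: int) -> bytes:
    """Equivalent of Sage's pow(c, d, n), then unpack the integer as big-endian bytes."""
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def build_sample_challenge():
    """Constructed weak key: two neighbouring primes just above 10**6, e = 65537."""
    p = next_prime(10**6)
    q = next_prime(p + 1)
    n, e = p * q, 65537
    m = int.from_bytes(b"hi", "big")
    return {"n": n, "e": e, "c": pow(m, e, n), "p": p, "q": q}


if __name__ == "__main__":
    ch = build_sample_challenge()
    d = recover_private_exponent(ch["n"], ch["e"])
    print(rsa_decrypt_to_bytes(ch["c"], d, ch["n"]))
```

Fermat's method finishes in one step here because (p+q)/2 is the integer just above sqrt(n); for primes far apart it never terminates in useful time, which is the situation where a lattice or ECM routine from SageMath, or a factor database, takes over.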
factor(n)        # factor the modulus
pow(c, d, n)     # modular exponentiation: decrypt c with private exponent d
sage script.sage
osint
Sherlock
Search for a username across 300+ social media platforms.
sherlock username
sherlock user1 user2 user3
sherlock username --csv
exiftool (OSINT)
Extract GPS and metadata from images to find location or author info.
exiftool -GPS* image.jpg
exiftool -v3 image.jpg     # verbose: every tag, including maker notes