What is PWN Reconnaissance?

A methodology for the reconnaissance phase of binary exploitation, focusing on architecture, protections, strings, symbols, libc, and seccomp.

Which tools are used?

Common tools include file, checksec, strings, nm/readelf, objdump, and pwntools to gather the reconnaissance data.

Why is this step important?

It reveals exploitation constraints and helps choose viable attack primitives before diving into exploitation.

PWN Reconnaissance

npx machina-cli add skill allsmog/pwn-claude-plugin/reconnaissance --openclaw

Files (1)

SKILL.md

5.1 KB

PWN Reconnaissance

Overview

The reconnaissance phase gathers critical information about a target binary before exploitation. This includes identifying architecture, protections, interesting strings, symbols, and potential libc version.

Reconnaissance Checklist

File type and architecture identification
Security protections (checksec)
Interesting strings extraction
Symbol table analysis
Libc identification (if applicable)
Seccomp filter detection

Step 1: File Identification

Identify the binary type and architecture:

file ./binary

Expected output interpretation:

Output Contains	Meaning
ELF 64-bit LSB executable	x86_64 architecture
ELF 32-bit LSB executable	x86 (i386) architecture
dynamically linked	Uses shared libraries (libc)
statically linked	Self-contained, no libc exploits
not stripped	Contains debug symbols
stripped	No debug symbols

Step 2: Security Protections

Run checksec to identify protections:

checksec --file=./binary

Or via pwntools:

from pwn import *
elf = ELF('./binary')
print(elf.checksec())

Protection Analysis

Protection	Enabled	Exploitation Impact
RELRO	Partial	GOT overwrite possible
RELRO	Full	No GOT overwrite, use other primitives
Stack Canary	Yes	Must leak or bypass canary
NX	Yes	No shellcode on stack, use ROP/ret2libc
PIE	Yes	Must leak binary base address
FORTIFY	Yes	Some unsafe functions hardened

Step 3: Strings Extraction

Find interesting strings:

strings -n 8 ./binary | grep -iE '(flag|password|secret|admin|shell|bin/sh|/bin)'

Look for:

Format string specifiers (%s, %x, %n)
Function names (system, execve)
File paths (/bin/sh, /flag)
Potential passwords or keys

Step 4: Symbol Analysis

Extract symbols if not stripped:

nm ./binary | grep -E ' [TtWw] ' | head -30

Or use readelf:

readelf -s ./binary | grep FUNC

Key symbols to note:

main - Entry point for analysis
win, flag, shell - Potential win functions
vuln, vulnerable - Obvious vulnerability hints
PLT entries for dangerous functions

Check for Win Functions

nm ./binary | grep -iE '(win|flag|shell|backdoor|secret)'

Step 5: PLT/GOT Analysis

Identify imported functions:

objdump -d ./binary | grep '@plt>:' | head -20

Or via pwntools:

from pwn import *
elf = ELF('./binary')
print("PLT entries:", list(elf.plt.keys()))
print("GOT entries:", list(elf.got.keys()))

Dangerous functions to note:

gets, scanf, strcpy, sprintf - Buffer overflow
printf, fprintf - Format string (if user-controlled)
system, execve - Code execution targets

Step 6: Libc Identification

If libc is provided:

strings libc.so.6 | grep -E "^GNU C Library"
file libc.so.6
md5sum libc.so.6

Query libc database with known offsets:

# Using libc-database
./libc-database/find printf <leaked_printf_offset>

# Or online: https://libc.blukat.me/

Step 7: Seccomp Detection

Check for seccomp filters:

seccomp-tools dump ./binary

If seccomp is present, analyze allowed syscalls to determine exploitation constraints (e.g., no execve means ORW - open/read/write approach).

Output Format

## Reconnaissance

### Findings
- Architecture: x86_64, dynamically linked, not stripped
- Protections: Partial RELRO, No Canary, NX enabled, No PIE
- Dangerous functions: gets@plt, printf@plt (potential format string)
- Interesting symbols: main, vuln, win (0x401234)
- Libc: Not provided (infer from remote)

### Commands Run
- file ./binary
- checksec --file=./binary
- strings -n 8 ./binary
- nm ./binary

### Implications
- No PIE: Fixed addresses, direct ROP possible
- NX enabled: Cannot execute shellcode on stack
- gets present: Likely buffer overflow vulnerability
- win function exists: ret2win exploitation possible

### Next Steps
1. Disassemble vuln() and win() functions
2. Identify buffer size in vuln()
3. Calculate offset to return address
4. Craft ret2win payload

Quick Reference Commands

# All-in-one recon
file ./binary && checksec --file=./binary && nm ./binary 2>/dev/null | head -20

# Find dangerous functions
objdump -d ./binary | grep -E '<(gets|strcpy|sprintf|scanf|printf)@plt>'

# Check for win function
nm ./binary 2>/dev/null | grep -iE 'win|flag|shell' || echo "No obvious win function"

Additional Resources

References

references/protection-bypass.md - Techniques for bypassing each protection
references/libc-database.md - Using libc-database for identification

Scripts

scripts/full-recon.sh - Run complete reconnaissance suite

Source

git clone https://github.com/allsmog/pwn-claude-plugin/blob/main/pwn-htb/skills/reconnaissance/SKILL.mdView on GitHub

Overview

The reconnaissance phase gathers critical information about a target binary before exploitation. It identifies architecture, protections, interesting strings, symbols, and potential libc version.

How This Skill Works

Start with file to identify type and architecture, then run checksec to catalog protections. Next, extract interesting strings, analyze the symbol table, and review the PLT/GOT for useful functions. If libc is present, attempt identification; finally check for seccomp filters to guide exploitation constraints.

When to Use It

You need to identify architecture and protections before exploitation
You want to extract interesting strings from a binary
You are analyzing the symbol table to surface potential win or vuln functions
You need to identify libc version or seccomp status
You want a baseline reconnaissance before exploitation planning

Quick Start

Step 1: Run file to identify architecture and linkage, then checksec for protections
Step 2: Extract strings and analyze symbols/PLT/GOT with nm/readelf or pwntools
Step 3: Identify libc version and seccomp status to finalize reconnaissance findings

Best Practices

Run file to confirm architecture and linkage (ELF vs others)
Always run checksec to catalog protections (RELRO, NX, PIE, Canary, FORTIFY)
Extract and inspect interesting strings with context (narrow to high-value keywords)
Review symbol tables and PLT/GOT for candidate gadgets and functions
Identify libc version and seccomp constraints early to guide exploitation strategy

Example Use Cases

Determine architecture and linking status (e.g., x86_64, dynamically linked, stripped) to set attack path
Run checksec to evaluate RELRO, NX, PIE, Canary, and FORTIFY for exploitation feasibility
Search symbols for potential win functions such as main, win, flag, or shell
Identify libc usage and offsets to plan libc-based exploits
Detect seccomp filters to tailor an exploit under syscall restrictions

Frequently Asked Questions

Add this skill to your agents