✅ What is binwalk?
binwalk is a tool for analyzing binary files to automatically detect:
- Embedded files (ZIP, PNG, ELF, etc.)
- Compressed data (gzip, LZMA, bzip2, etc.)
- Firmware structures
It’s widely used in CTF forensics, steganography, and reverse engineering challenges.
🛠️ Basic binwalk Commands
1. Scan a file
binwalk target.bin
→ Detects embedded files and compression within the binary.
2. Extract automatically
binwalk -e target.bin
→ Extracts detected regions into a folder _target.bin.extracted/.
3. Detailed signature scan
binwalk -B target.bin
→ Scans using binary signatures for more precise detection.
4. Recursive extraction of compressed data
binwalk -Me target.bin
-M: Recursive scan inside extracted folders
-e: Extract files
5. Search for custom byte patterns
binwalk -R "\xff\xd8\xff" target.bin
→ Finds a specific byte sequence given as an escaped byte string (example: the JPEG header FF D8 FF). -R takes the pattern as raw bytes, so "FF D8 FF" with spaces would be searched for as literal ASCII text, not as the three header bytes.
🎯 Common Use Cases in CTF
1. Files embedded in images
Images like PNG/JPG/GIF may contain ZIPs or 7z files.
$ binwalk image.png

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
15342         0x3BEF          Zip archive data, at least v2.0

→ The first two columns are the offset of the match in decimal and hex; here a ZIP archive starts 15342 bytes into the image.
→ Extract with:
binwalk -e image.png
2. Appended files at the end of images
Classic CTF trick: a ZIP or flag.txt appended after the PNG IEND or JPG FF D9.
binwalk -e suspicious.png
Or search manually using a hex editor for magic numbers.
3. Custom headers with hidden files
Sometimes a custom binary contains an embedded PNG or ELF.
binwalk -R "\x89PNG" file
4. Firmware extraction
binwalk -Me firmware.bin
→ Detects squashfs, cramfs, LZMA, etc.
→ The extracted filesystem lands in squashfs-root/ inside the extraction folder; search it (e.g. /etc/, home directories, web roots) for flags.
5. Embedded compressed data
binwalk can automatically decompress gzip, LZMA, bzip2, zlib to reveal hidden files.
$ binwalk suspect.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
6823          0x1AA7          gzip compressed data

→ binwalk -e suspect.bin decompresses the member found at offset 6823 into _suspect.bin.extracted/.
6. Partial/corrupted files
Sometimes headers are damaged and binwalk cannot extract automatically.
→ Manual recovery via hex editor may be needed before extraction.
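The following Python script is an added example, not part of this page and not binwalk's own code. It mimics, on constructed sample files, what use cases 2, 5 and 6 rely on: a mini signature scan over a table of magic bytes (what the default scan and -R do), a walk of the PNG chunk list to find where the image really ends so that data appended after IEND is carved at the right offset, and decompression of a gzip member that has padding before it and junk after it. The sample PNG, the appended ZIP holding flag.txt and the gzip blob are all built inside the script; none of them are real CTF files.

```python
import gzip
import io
import struct
import zipfile
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# A small subset of the magic signatures binwalk's database matches on.
SIGNATURES = {
    PNG_MAGIC: "PNG image",
    b"PK\x03\x04": "Zip archive data",
    b"\x1f\x8b\x08": "gzip compressed data",
    b"\xff\xd8\xff": "JPEG image data",
    b"\x7fELF": "ELF",
}


def scan(data):
    """Mini signature scan: every (offset, description) where a known magic occurs.

    `binwalk target.bin` does this for hundreds of signatures; `binwalk -R`
    does it for one user-supplied byte pattern.
    """
    hits = []
    for magic, desc in SIGNATURES.items():
        start = 0
        while (idx := data.find(magic, start)) != -1:
            hits.append((idx, desc))
            start = idx + 1
    return sorted(hits)


def png_end(data):
    """Walk the PNG chunk list and return the offset just past the IEND chunk.

    Returns None if the data is not a PNG or the chunk list is truncated, i.e.
    the damaged-file case where automatic extraction gives up.
    """
    if not data.startswith(PNG_MAGIC):
        return None
    pos = len(PNG_MAGIC)
    while pos + 12 <= len(data):          # length(4) + type(4) + crc(4)
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length
        if ctype == b"IEND":
            return pos if pos <= len(data) else None
    return None


def carve_trailing(data):
    """Bytes appended after the real end of the PNG, or None if there are none."""
    end = png_end(data)
    if end is None or end >= len(data):
        return None
    return data[end:]


def recover_appended_zip(data):
    """Carve a ZIP appended after IEND and return {member name: content}."""
    blob = carve_trailing(data)
    if blob is None or not blob.startswith(b"PK\x03\x04"):
        return None
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def extract_gzip_at(data, offset):
    """Decompress one gzip member at offset; return (payload, bytes consumed).

    zlib.decompressobj stops at the end of the member and leaves the rest in
    unused_data, so junk after the member does not break extraction.
    """
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)
    payload = d.decompress(data[offset:])
    consumed = len(data) - offset - len(d.unused_data)
    return payload, consumed


# --- constructed sample inputs (not real CTF files) ---

def _chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png():
    """A valid 1x1 red RGB PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")   # filter byte + one RGB pixel
    return PNG_MAGIC + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def build_sample_image_with_zip():
    """The classic trick: a ZIP holding flag.txt glued on after IEND."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("flag.txt", "flag{constructed_example}")
    return build_sample_png() + buf.getvalue()


def build_sample_blob_with_gzip():
    """16 bytes of padding, one gzip member, then 8 bytes of trailing junk."""
    return b"\x00" * 16 + gzip.compress(b"hidden gzip payload") + b"\xaa" * 8


if __name__ == "__main__":
    img = build_sample_image_with_zip()
    for off, desc in scan(img):
        print(f"{off:<10}{off:#010x}  {desc}")
    print("PNG really ends at byte", png_end(img), "of", len(img))
    print(recover_appended_zip(img))
    blob = build_sample_blob_with_gzip()
    gz_off = next(o for o, d in scan(blob) if d.startswith("gzip"))
    print(extract_gzip_at(blob, gz_off))
```

Running it prints the same offset/description table shape binwalk does, then shows the ZIP offset coinciding with the end of IEND and the decoded flag.txt. Walking the chunk list rather than trusting the first PK match is the point: a signature can also occur by chance inside IDAT data, which is why the tips below warn about PNG chunk false positives.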
🔍 Typical CTF Patterns
| Pattern | Description | binwalk usefulness |
|---|---|---|
| PNG/JPG with embedded ZIP | Appended or concatenated | ★★★★★ |
| Multiple compressed data blocks | gzip, bzip2, LZMA | ★★★★★ |
| Firmware analysis | squashfs → /etc/passwd → flag | ★★★★★ |
| Embedded secrets | RSA keys or binaries | ★★★☆☆ |
| Custom encryption / unknown format | No standard magic | ★☆☆☆☆ |
| Partial/corrupted files | Needs header/footer repair | ★★★☆☆ |
📌 Tips
- PNG chunk structure may cause false positives.
- Recursive extraction (-M) creates many folders; manage carefully.
- LSB steganography in images won’t be detected by binwalk → use zsteg, steghide, exiftool.
🧩 Other tools often used with binwalk in CTFs
| Category | Tool | Use |
|---|---|---|
| Steganography | zsteg / steghide / exiftool | LSB, EXIF hidden data |
| Hex editor | HxD / 010 Editor / bless | Manual header repair |
| Compression | 7z / unzip / binutils | Extract data |
| Firmware | unsquashfs / dd | Extract squashfs, etc. |