Hacknetics
r2

General Information

rabin2 -I filename
  • Output. Read the mitigation-related fields first: canary, nx, pic, relro and stripped tell you which exploit mitigations the binary was built with (here: no stack canary, no NX, not position independent, partial RELRO, symbols not stripped).

$ rabin2 -I megabeets_0x1
arch     x86
baddr    0x8048000
binsz    6220
bintype  elf
bits     32
canary   false
class    ELF32
compiler GCC: (Ubuntu 5.4.0-6ubuntu1~16.04.4) 5.4.0 20160609
crypto   false
endian   little
havecode true
intrp    /lib/ld-linux.so.2
laddr    0x0
lang     c
linenum  true
lsyms    true
machine  Intel 80386
maxopsz  16
minopsz  1
nx       false
os       linux
pcalign  0
pic      false
relocs   true
relro    partial
rpath    NONE
sanitiz  false
static   false
stripped false
subsys   linux
va       true
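
The mitigation fields above are what decide the exploitation strategy, so it is worth checking them mechanically. The following is an added example, not code from the original page or from the radare2 project: it parses the key/value text that rabin2 -I prints and reports the missing or weak mitigations. The embedded sample is the page's own output for megabeets_0x1; run_rabin2() shells out to the real rabin2 and assumes radare2 is installed and on PATH.

```python
"""Triage exploit mitigations from `rabin2 -I` output (added example)."""
import shutil
import subprocess

# Sample taken from the rabin2 -I output shown on this page (megabeets_0x1).
SAMPLE_RABIN2 = """\
arch     x86
baddr    0x8048000
binsz    6220
bintype  elf
bits     32
canary   false
class    ELF32
compiler GCC: (Ubuntu 5.4.0-6ubuntu1~16.04.4) 5.4.0 20160609
crypto   false
endian   little
havecode true
intrp    /lib/ld-linux.so.2
laddr    0x0
lang     c
linenum  true
lsyms    true
machine  Intel 80386
maxopsz  16
minopsz  1
nx       false
os       linux
pcalign  0
pic      false
relocs   true
relro    partial
rpath    NONE
sanitiz  false
static   false
stripped false
subsys   linux
va       true
"""


def parse_rabin2_info(text):
    """Turn 'key   value' lines into a dict; values keep their original text."""
    info = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            info[parts[0]] = parts[1].strip()
    return info


def mitigation_report(info):
    """Return (finding, why it matters) pairs for missing or weak mitigations.

    Each check is phrased from the attacker's side: what becomes easier when
    the mitigation is off. A key that rabin2 did not report counts as missing.
    """
    findings = []
    if info.get("canary") != "true":
        findings.append(("no stack canary", "a plain stack overflow can overwrite the saved return address"))
    if info.get("nx") != "true":
        findings.append(("stack/data executable (no NX)", "shellcode can run from the stack, no ROP needed"))
    if info.get("pic") != "true":
        findings.append(("not position independent", "code and GOT addresses are fixed, so no leak is needed"))
    relro = info.get("relro", "no")
    if relro != "full":
        findings.append((f"relro is {relro}", "GOT entries stay writable, so a GOT overwrite is a usable primitive"))
    if info.get("stripped") == "false":
        findings.append(("symbols present", "function names survive, which makes reversing much faster"))
    if info.get("static") == "true":
        findings.append(("statically linked", "libc is inside the binary: many gadgets, no libc ASLR"))
    return findings


def run_rabin2(path):
    """Run the real rabin2 -I on a file (assumes radare2 is installed)."""
    if shutil.which("rabin2") is None:
        raise RuntimeError("rabin2 not found in PATH")
    out = subprocess.run(["rabin2", "-I", path], capture_output=True, text=True, check=True)
    return parse_rabin2_info(out.stdout)


if __name__ == "__main__":
    for finding, why in mitigation_report(parse_rabin2_info(SAMPLE_RABIN2)):
        print(f"[!] {finding}: {why}")
```

Run it as-is to see the report for the page's sample; on a real target call mitigation_report(run_rabin2("./filename")). For megabeets_0x1 it flags five weaknesses, which is why a simple stack overflow with shellcode would be viable against that binary.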

Run Program with R2

r2 ./filename

Find Entrypoints

[0x08048370]> ie
[Entrypoints]
vaddr=0x08048370 paddr=0x00000370 haddr=0x00000018 hvaddr=0x08048018 type=program 1 entrypoints
  • ie stands for info entrypoints

Help

  • If you know the general command you want, e.g. i for info, append a ? to it:

i?
  • This lists every subcommand available under i.

Analysis

  • r2 does not analyze the file by default; you need to run one of the a (analysis) commands.

  • To have r2 analyze the file, issue aa (analyze all) or aaa (analyze all, plus function calls, references and type matching, as the output below shows).

[0x08048370]> aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for objc references
[x] Check for vtables
[x] Type matching analysis for all functions (aaft)
[x] Propagate noreturn information
[x] Use -AA or aaaa to perform additional experimental analysis.
  • Can also have r2 analyze the file at start up with

r2 -A filename

Flag Space

  • After analysis radare2 associates names with interesting offsets in the file, such as sections, functions, symbols and strings.

  • All of these are called flags, and related flags are grouped into flag spaces.

  • Choose a flag space using fs <flagspace> and print the flags it contains with f.

  • Multiple commands can be passed at once, separated by semicolons, i.e. cmd1;cmd2;cmd3

[0x08048370]> fs imports; f
0x00000000 16 loc.imp.__gmon_start
0x08048320 6 sym.imp.strcmp
0x08048330 6 sym.imp.strcpy
0x08048340 6 sym.imp.puts
0x08048350 6 sym.imp.__libc_start_main
  • Here we can see the imports strcmp, strcpy, puts and so on. An imported strcpy in a binary with no stack canary is worth a closer look.

  • We can also list the strings flagspace

[0x08048370]> fs strings
[0x08048370]> f
0x08048700 21 str..::_Megabeets_::.
0x08048715 23 str.Think_you_can_make_it
0x0804872c 10 str.Success
0x08048736 22 str.Nop__Wrong_argument.

Strings

  • Let's look at the strings

  • iz lists the strings in data sections

  • izz searches for strings in the whole binary

[0x08048370]> iz
[Strings]
nth paddr      vaddr      len size section type  string
―――――――――――――――――――――――――――――――――――――――――――――――――――――――
0   0x00000700 0x08048700 20  21   .rodata ascii \n  .:: Megabeets ::.
1   0x00000715 0x08048715 22  23   .rodata ascii Think you can make it?
2   0x0000072c 0x0804872c 9   10   .rodata ascii Success!\n
3   0x00000736 0x08048736 21  22   .rodata ascii Nop, Wrong argument.

axt Analyse X-refs to

  • axt stands for analyse x-refs to

  • It finds data or code references to a specific address

  • @@ is a for-each iterator: it repeats a command over a list of offsets

  • str.* is a wildcard for all flags that start with str. (our strings)

  • Select the strings flagspace first with fs strings (the default is fs *, i.e. all flagspaces), then run axt over every string flag:

fs strings; axt @@ str.*
  • For every string this lists the function it is used in, the address of the use and the referencing instruction, which is the fastest route from an interesting string (e.g. "Success!") to the code that decides whether to print it.

Seeking

  • The seek command s accepts an address or a math expression as its argument.

  • The expression can be a math operation, a flag or a memory access operation.

  • We want to seek to the main function, which we can do with s main.

  • First, let's see what else radare2 has flagged as a function:

[0x08048370]> afl
0x08048370    1 33           entry0
0x08048350    1 6            sym.imp.__libc_start_main
0x080483b0    4 43           sym.deregister_tm_clones
0x080483e0    4 53           sym.register_tm_clones
0x08048420    3 30           sym.__do_global_dtors_aux
0x08048440    4 43   -> 40   entry.init0
0x080486e0    1 2            sym.__libc_csu_fini
0x080483a0    1 4            sym.__x86.get_pc_thunk.bx
0x0804846b   19 282          sym.rot13
0x080486e4    1 20           sym._fini
0x08048585    1 112          sym.beet
0x08048330    1 6            sym.imp.strcpy
0x08048320    1 6            sym.imp.strcmp
0x08048680    4 93           sym.__libc_csu_init
0x080485f5    5 127          main
0x080482ec    3 35           sym._init
0x08048340    1 6            sym.imp.puts
  • afl stands for analyze functions list
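
The afl listing mixes the program's own functions (rot13, beet, main) with PLT import stubs and compiler runtime glue, and on a larger binary picking out the hand-written code by eye gets tedious. The following is an added example, not code from the original page or from radare2: parse_afl() reads the afl text and user_functions() filters out the glue and sorts by size so the biggest user function comes first. The embedded sample is the page's own afl output; run_afl() drives r2 non-interactively and assumes radare2 is installed and on PATH. The CRT_GLUE name set is my own list of the usual gcc/glibc startup symbols and may need extending for other toolchains.

```python
"""Rank the functions that `afl` lists so user-written code stands out (added example)."""
import shutil
import subprocess
from collections import namedtuple

Func = namedtuple("Func", "addr nbbs size name")

# Sample copied from the afl output shown on this page (megabeets_0x1).
SAMPLE_AFL = """\
0x08048370    1 33           entry0
0x08048350    1 6            sym.imp.__libc_start_main
0x080483b0    4 43           sym.deregister_tm_clones
0x080483e0    4 53           sym.register_tm_clones
0x08048420    3 30           sym.__do_global_dtors_aux
0x08048440    4 43   -> 40   entry.init0
0x080486e0    1 2            sym.__libc_csu_fini
0x080483a0    1 4            sym.__x86.get_pc_thunk.bx
0x0804846b   19 282          sym.rot13
0x080486e4    1 20           sym._fini
0x08048585    1 112          sym.beet
0x08048330    1 6            sym.imp.strcpy
0x08048320    1 6            sym.imp.strcmp
0x08048680    4 93           sym.__libc_csu_init
0x080485f5    5 127          main
0x080482ec    3 35           sym._init
0x08048340    1 6            sym.imp.puts
"""

# Compiler/runtime glue found in nearly every gcc-built ELF (assumed list).
CRT_GLUE = {
    "entry0", "entry.init0", "sym._init", "sym._fini",
    "sym.__libc_csu_init", "sym.__libc_csu_fini",
    "sym.deregister_tm_clones", "sym.register_tm_clones",
    "sym.__do_global_dtors_aux", "sym.frame_dummy",
}


def parse_afl(text):
    """Parse afl lines: address, basic-block count, size, [-> realsize,] name."""
    funcs = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or not tok[0].startswith("0x"):
            continue  # skip headers, blanks and anything that is not a function row
        funcs.append(Func(int(tok[0], 16), int(tok[1]), int(tok[2]), tok[-1]))
    return funcs


def is_glue(func):
    """True for PLT stubs, PC-thunks and the CRT startup/teardown symbols."""
    return (func.name in CRT_GLUE
            or func.name.startswith("sym.imp.")
            or func.name.startswith("sym.__x86.get_pc_thunk"))


def user_functions(funcs):
    """Non-glue functions, largest first (ties broken by address)."""
    return sorted((f for f in funcs if not is_glue(f)),
                  key=lambda f: (-f.size, f.addr))


def run_afl(path):
    """Run `r2 -q -A -c afl` on a binary (assumes radare2 is installed)."""
    if shutil.which("r2") is None:
        raise RuntimeError("r2 not found in PATH")
    out = subprocess.run(["r2", "-q", "-A", "-e", "scr.color=0", "-c", "afl", path],
                         capture_output=True, text=True, check=True)
    return parse_afl(out.stdout)


if __name__ == "__main__":
    for f in user_functions(parse_afl(SAMPLE_AFL)):
        print(f"{f.addr:#010x} {f.nbbs:3d} bbs {f.size:5d} bytes  {f.name}")
```

On the page's sample this leaves exactly three functions, rot13, main and beet, in that order, which is the reading order you would want anyway: the largest function with 19 basic blocks is where the interesting logic lives, and main is what calls it.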

Disassembling

  • Seek to the main function

s main
  • Now disassemble it with

pdf
  • pdf stands for Print Disassemble Function

  • Once you seek there, the prompt changes to the address of main.

Make the Output Prettier

e scr.utf8=true
e scr.utf8.curvy=true
  • Add these to ~/.radare2rc to make the changes permanent

Visual Mode and Graph Mode

  • Much more user-friendly

  • Pressing V brings us to the Visual Mode screen

  • Use p/P to cycle forward/backward between the visual modes

  • Navigate to the disassembly view using p

  • Press q to go back to the previous screen

Cross-Reference

  • Use x/X to list the references to and from (respectively) the current offset. Use the numbers to jump to a reference

radare2 Commands

  • Use :command to execute r2 commands from inside Visual Mode

Comment

  • You can add a comment using ;<comment> followed by Enter

  • Remove it using ;-

Mark Offsets

m<key>
  • Use this to mark the current offset with a key of your choice, then press '<key> to jump back to it.

  • This will allow you to mark important addresses you want to jump to quickly

Quit

  • Press q to return to r2 shell

Visual Graphs

  • radare2 has a Graph view

  • You can enter Graph mode from the shell by running VV

  • Move left, down, up and right with h, j, k, l, and jump to a function using g followed by the key shown next to the call

All Credit:

https://www.megabeets.net/a-journey-into-radare-2-part-1/

Last updated 2 years ago