
Strings Commands

The strings utility searches through files and displays printable character sequences. It’s useful for analyzing binary files, executables, and object files to find embedded text, debug symbols, and other human-readable content.

Installation

Linux/Ubuntu

# Refresh the package index, then install binutils, the package named here
# as the source of strings on Linux/Ubuntu
sudo apt update
sudo apt install binutils

macOS

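# strings is provided by the Xcode Command Line Tools; if the command is
# missing, install them with: xcode-select --install
# On macOS ls lives in /bin, not /usr/bin
strings /bin/ls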

Basic Usage

Extract Strings from Files

# Print every printable run of at least 4 characters (the default minimum)
strings /usr/bin/ls

# Extract from an executable in the current directory
strings ./program

# Extract from an object file
strings object.o

# Extract from a shared library
# NOTE(review): the libc path differs between distributions; confirm the
# location on your system before running
strings /usr/lib/libc.so.6

# strings works on any file, not only executables; /bin/bash is one more example
strings /bin/bash

Output Control

# Print the file offset before each string, in hexadecimal
strings -t x /usr/bin/ls

# Print the offset in decimal
strings -t d /usr/bin/ls

# Print the offset in octal
strings -t o /usr/bin/ls

# Same hex-offset output as "-t x" (radix attached to the option); head keeps
# only the first 10 lines. This form does not add a separator.
strings -tx /usr/bin/ls | head

# Count the extracted strings (one per output line)
strings /usr/bin/ls | wc -l

# Save the output to a file for later review
strings /usr/bin/ls > strings.txt

Filtering Strings

Length Filtering

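# Find strings of at least 4 characters (default is 4)
strings -n 4 /usr/bin/ls

# Find strings of at least 10 characters (less noise, fewer short identifiers)
strings -n 10 /usr/bin/ls

# Find very short strings (minimum 1 character); expect mostly noise
strings -n 1 /usr/bin/ls

# Find long strings (minimum 20 characters)
strings -n 20 /usr/bin/ls

# Histogram of string lengths; sort numerically so the lengths come out in
# order (a plain sort would place 10 before 4)
strings /usr/bin/ls | awk '{print length}' | sort -n | uniq -c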

Filtering by Content

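# Find specific strings (case-insensitive)
strings /usr/bin/ls | grep -i error

# Find paths (any string containing a slash)
strings /usr/bin/ls | grep '/'

# Find IPv4-looking values: four dot-separated groups of 1-3 digits.
# Four-part version numbers match too, so validate each hit.
strings /usr/bin/binary | grep -E '([0-9]{1,3}\.){3}[0-9]{1,3}'

# Find URLs; requiring the scheme separator avoids matching every string
# that merely contains "http"
strings /usr/bin/binary | grep -iE '(https?|ftp)://'

# Find error messages
strings /usr/bin/ls | grep -E 'Failed|Error|error'

# Find identifier-shaped strings (candidate function or symbol names).
# This is a heuristic: ordinary words match as well.
strings /usr/bin/ls | grep -E '^[a-zA-Z_][a-zA-Z0-9_]*$'

# Find strings naming process-execution functions. Most benign programs
# contain these too, so a hit is a lead to follow up, not a verdict.
strings /usr/bin/binary | grep -E 'system|exec|shell'

# Find version-like strings (digits.digits)
strings /usr/bin/ls | grep -E '[0-9]+\.[0-9]+'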

Binary File Analysis

Executable Analysis

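# Show the first 50 strings of an executable
strings /bin/bash | head -50

# Find shared-library names mentioned in the binary.
# This is a text match only; `readelf -d` lists the NEEDED entries the
# loader will actually use.
strings /bin/bash | grep '\.so'

# Find compiler information. Match case-insensitively: compiler identification
# strings are commonly written in upper case ("GCC: ...").
strings /bin/bash | grep -iE 'gcc|clang'

# Find build information
strings /bin/bash | grep -E 'built|Build|version'

# Find configuration paths
strings /usr/bin/mysql | grep '/etc'

# Find lines starting with a capital letter (rough heuristic for help text)
strings /usr/bin/grep | grep '^[A-Z]'

# Find source-file references such as "file.c:" left behind by assertions or
# debug output. The offset radix is given explicitly because a bare -o means
# octal in GNU strings and decimal in some other implementations.
strings -t d /usr/bin/ls | grep -E '\.[ch]:'

# Show the first 20 strings with their decimal file offsets
# (these are byte offsets into the file, not line numbers)
strings -t d /usr/bin/ls | head -20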

Shared Library Analysis

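# Extract strings from .so file
strings /usr/lib/libc.so.6 | head

# List identifier-shaped strings as candidate symbol names (heuristic only)
strings /usr/lib/libc.so.6 | grep -E '^[A-Za-z_][A-Za-z0-9_]*$' | head -20

# The dynamic symbol table is the authoritative list of exported functions
nm -D --defined-only /usr/lib/libc.so.6 | head -20

# Find library version info
strings /usr/lib/libc.so.6 | grep -i version

# Look for source-file names (.c / .h); their presence hints at leftover
# debug or assertion text, it does not prove debug symbols are present
strings /usr/lib/libc.so.6 | grep -E '\.[ch]$'

# Find hardcoded paths
strings /usr/lib/libc.so.6 | grep '/'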

Forensic Analysis

Finding Embedded Content

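# For evidence and untrusted samples always pass -a: it scans the whole file
# as raw bytes. Without it some strings builds read only selected sections of
# object files (older GNU builds also ran an object-file parser over the
# input), so data placed outside those sections would be missed.

# First 50 strings of a disk image, with decimal offsets (-t d) so each hit
# can be located again in the image
strings -a -t d disk.img | head -50

# Search for email addresses (a bare '@' matches far too much)
strings -a disk.img | grep -E '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}'

# Search for URLs in binary
strings -a malware.bin | grep -iE '(https?|ftp)://'

# Find hardcoded credentials. The output may contain live secrets:
# keep it out of shared logs and tickets.
strings -a application | grep -iE 'password|username|key'

# Count the ASCII strings in a binary
strings -a /path/to/binary | wc -l

# Count the 16-bit little-endian (UTF-16LE) strings as well; the default scan
# only finds single-byte text and misses the wide strings common in Windows files
strings -a -e l /path/to/binary | wc -l

# Find database connection strings
strings -a app.bin | grep -iE 'database|server|host'

# Extract ISO-style dates (YYYY-MM-DD)
strings -a dump.bin | grep -E '[0-9]{4}-[0-9]{2}-[0-9]{2}'

# Find log entries
strings -a dump.bin | grep -iE 'log|error|warning'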

File Type Analysis

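# Check for the ELF magic: the four bytes 7f 45 4c 46 at offset 0.
# strings cannot see it reliably (0x7f is not printable and "ELF" is shorter
# than the default minimum of 4 characters), so compare the raw bytes instead.
[ "$(head -c 4 /usr/bin/file | od -An -tx1 | tr -d ' \n')" = "7f454c46" ] && echo "ELF binary"

# Look for interpreter/runtime names embedded in the file (a hint only)
strings executable | grep -E 'python|ruby|java'

# Find interpreter paths
strings script.bin | grep '/usr/bin'

# Find .c / .h file names referenced in an object file
strings object.o | grep '\.[hc]'

# Find module-style names; this matches any string containing "::" or a dot,
# so expect many unrelated hits
strings library.so | grep -E '::|\.'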

Advanced Operations

Combining with Other Tools

# Count unique strings (sort -u collapses duplicates before counting)
strings /usr/bin/ls | sort -u | wc -l

# Show the ten most repeated strings, highest count first
strings /usr/bin/ls | sort | uniq -c | sort -rn | head

# Compare strings in two binaries in file order
# (the <( ) process substitution needs bash or a compatible shell)
diff <(strings bin1) <(strings bin2)

# Find strings common to both binaries (comm needs sorted input; -12 hides
# the lines unique to either side)
comm -12 <(strings bin1 | sort -u) <(strings bin2 | sort -u)

# Histogram of string lengths, ordered numerically
strings /usr/bin/ls | awk '{print length}' | sort -n | uniq -c

# Find the ten longest strings (each line is prefixed with its length)
strings /usr/bin/ls | awk '{print length, $0}' | sort -rn | head -10

# Show the twenty most repeated strings
strings /usr/bin/ls | sort | uniq -c | sort -rn | head -20

Batch Processing

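# Write the strings of every regular file in /usr/bin to <name>.strings in the
# current directory. The path is quoted inside basename, and "--" ends option
# parsing, so names with spaces or a leading dash are handled correctly.
for file in /usr/bin/*; do
  [ -f "$file" ] || continue
  strings "$file" > "$(basename -- "$file").strings"
done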

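# Print the path of every regular file in /bin whose strings contain "error".
# grep -q only reports match/no match; grep -l on a process substitution
# would print the /dev/fd name instead of the real path.
for file in /bin/*; do
  [ -f "$file" ] || continue
  if strings "$file" | grep -q "error"; then
    printf '%s\n' "$file"
  fi
done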

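# Print the "version" strings of every .bin file under a per-file header.
# The -f guard skips the literal "*.bin" left behind when nothing matches.
for file in *.bin; do
  [ -f "$file" ] || continue
  printf '=== %s ===\n' "$file"
  strings "$file" | grep "version"
done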

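# Prefix every extracted string with the file it came from.
# IFS= and read -r keep leading whitespace and backslashes intact, so the
# output matches the bytes found in the file.
# (GNU strings can do the same by itself with -f / --print-file-name.)
for file in *; do
  [ -f "$file" ] || continue
  strings "$file" | while IFS= read -r line; do
    printf '%s: %s\n' "$file" "$line"
  done
done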

Security Analysis

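# All patterns below are triage heuristics. Benign software contains most of
# these names, and packed or obfuscated samples may contain none of them.
# -a scans the whole file as raw bytes, which is what you want for samples
# you do not trust.

# Find process-execution function names (execve is a system call; system and
# popen are C library functions)
strings -a malware.bin | grep -E 'execve|system|popen'

# Find encryption-related functions
strings -a binary | grep -iE 'crypt|encrypt|decrypt'

# Find command execution strings
strings -a binary | grep -E '/bin/|/usr/bin/'

# Find network-related strings
strings -a binary | grep -iE 'socket|connect|send|recv'

# Find file operation strings
strings -a binary | grep -iE 'open|read|write|delete'

# Find process-related strings
strings -a binary | grep -iE 'fork|exec|kill|signal'

# Find registry keys (Windows binaries). Windows programs often store text as
# UTF-16LE, which the default scan misses, so add a second pass with -e l.
{ strings -a binary; strings -a -e l binary; } | grep -iE 'HKEY|registry'

# Find API calls
{ strings -a binary; strings -a -e l binary; } | grep -iE 'CreateProcess|LoadLibrary|GetProcAddress'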

Analysis Techniques

String Statistics

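# Distribution of words per string (NF = whitespace-separated fields)
strings /usr/bin/ls | awk '{print NF}' | sort -n | uniq -c

# Find strings with more than five words (likely messages or help text)
strings /usr/bin/ls | awk 'NF > 5 { print }' | head -20

# Get average string length; the guard avoids a division by zero when the
# file yields no strings at all
strings /usr/bin/ls | awk '{s+=length; c++} END {if (c) print s/c}'

# Find all-uppercase strings of two or more letters
strings /usr/bin/ls | grep -E '^[A-Z]{2,}$' | sort -u

# Extract version information (only the matching part of each line)
strings /usr/bin/ls | grep -oE '[0-9]+\.[0-9]+(\.[0-9]+)?'

# Find all absolute paths
strings /usr/bin/ls | grep '^/' | sort -u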

Comparison and Diff

# Compare strings before and after a patch; sorting first means the diff shows
# added and removed strings rather than strings that only moved
diff <(strings before.bin | sort) <(strings after.bin | sort)

# Find added strings: -23 keeps only lines unique to the first input (new.bin)
comm -23 <(strings new.bin | sort -u) <(strings old.bin | sort -u)

# Find removed strings: -13 keeps only lines unique to the second input (old.bin)
comm -13 <(strings new.bin | sort -u) <(strings old.bin | sort -u)

# Find common strings: -12 keeps only lines present in both inputs
comm -12 <(strings bin1 | sort -u) <(strings bin2 | sort -u)

# Same comparison through intermediate files, for shells without <( ):
# diff marks strings only in file1 with "<" and strings only in file2 with ">"
strings file1 | sort > strings1.txt
strings file2 | sort > strings2.txt
diff strings1.txt strings2.txt

Best Practices

  • Use appropriate minimum length (-n) for your analysis goals
  • Combine with grep for targeted searches
  • Use offsets (-t) to locate strings in binary files
  • Compare binaries to identify modifications
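  • Look for suspicious function names and paths, but treat each hit as a lead to verify: benign programs contain the same names, and packed or obfuscated binaries may expose almost no strings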
  • Check for hardcoded credentials and API endpoints
  • Analyze error messages for clues about functionality
  • Document findings with file offsets for reference
  • Use it during malware analysis to identify communication endpoints
  • Compare before/after samples for change detection

Last updated: 2026-03-30