checksec Cheat Sheet
Quick report of binary security mitigations (RELRO, stack canary, NX, PIE, Fortify).
Overview
checksec (from pwntools or standalone scripts) parses ELF/PE binaries and reports hardening flags. Run first on unknown binaries to choose exploit strategy (ret2libc vs ROP vs format string).
Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.
Install
Via pwntools (recommended)
```
pip install pwntools
pwn checksec ./binary
```
Standalone checksec.sh
```
wget https://raw.githubusercontent.com/slimm609/checksec.sh/master/checksec -O checksec
chmod +x checksec
sudo mv checksec /usr/local/bin/
```
Debian package
```
sudo apt install -y checksec
```
Essential commands
pwntools wrapper
```
checksec --file=./vuln
pwn checksec ./vuln
```
checksec.sh
```
checksec --file=./vuln
checksec --dir=/usr/bin/ | head
```
All files in folder
```
checksec --dir=./binaries/
```
Common workflows
Pre-exploit triage
```
checksec --file=./server_binary
```
Compare libc and binary
```
checksec --file=./vuln ./libc.so.6
ldd ./vuln
```
Kernel hardening (checksec.sh)
```
checksec --kernel
```
Batch during CTF
```
for f in *; do [ -f "$f" ] && [ -x "$f" ] && checksec --file="$f"; done
```
Flags reference
| Flag | Meaning |
|---|---|
| RELRO Full | GOT mostly read-only — harder GOT overwrite |
| RELRO Partial | GOT writable — classic GOT hijack |
| Canary | Stack cookie — need leak or bypass |
| NX | Stack not executable — use ROP / ret2libc |
| PIE | Base randomized — need code pointer leak |
| Fortify | _FORTIFY_SOURCE — harder overflows on libc calls |
| RPATH/RUNPATH | Library search path — hijack risk if writable dir |
Tips
- No PIE → static addresses from objdump/nm for gadgets and functions.
- NX + no Canary → straight ret2libc; ROP to mprotect is rarely needed.
- Confirm NX with `readelf -l ./binary | grep GNU_STACK`: the flags should read RW, not RWE (no E).
- Remote exploits: make sure the local binary you run checksec on is an exact copy of the remote one.
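What checksec actually reads for PIE, NX and RELRO, as an added example (not checksec's or pwntools' own code): a pure-Python ELF64 parser that derives the three flags from the ELF header, program headers and dynamic section, run on a constructed toy ELF. The names check_elf64 and build_sample are my own; Canary and Fortify need the symbol table and are left out.

```python
import struct

ET_DYN, PT_DYNAMIC = 3, 2
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 1, 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def _bind_now(data, off):
    """Walk PT_DYNAMIC entries (int64 tag, uint64 value) until DT_NULL, looking for BIND_NOW."""
    while off + 16 <= len(data):
        tag, val = struct.unpack_from("<qQ", data, off)
        if tag == DT_NULL:
            break
        if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                or (tag == DT_FLAGS_1 and val & DF_1_NOW):
            return True
        off += 16
    return False


def check_elf64(data):
    """Report PIE, NX and RELRO from the ELF header, program headers and dynamic section."""
    if data[:4] != b"\x7fELF" or data[4] != 2:  # EI_CLASS 2 == ELFCLASS64
        raise ValueError("not an ELF64 image")
    e_type, _, _, _, e_phoff = struct.unpack_from("<HHIQQ", data, 16)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    nx, relro, bind_now = False, "none", False  # no PT_GNU_STACK at all => executable stack
    for i in range(e_phnum):
        p_type, p_flags, p_offset = struct.unpack_from("<IIQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = "partial"
        elif p_type == PT_DYNAMIC:
            bind_now = _bind_now(data, p_offset)
    if relro == "partial" and bind_now:  # RELRO segment + BIND_NOW is what checksec calls "Full"
        relro = "full"
    return {"pie": e_type == ET_DYN, "nx": nx, "relro": relro}


def build_sample(pie=True, exec_stack=False, bind_now=True):
    """Constructed toy ELF64 (not a real binary): header, three program headers, dynamic section."""
    phoff, phnum, dyn_off = 64, 3, 64 + 3 * 56
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\0" * 9  # ELFCLASS64, little-endian, version 1
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else 2, 0x3E, 1, 0,
                              phoff, 0, 0, 64, 56, phnum, 0, 0, 0)
    ph = lambda t, f, off: struct.pack("<IIQQQQQQ", t, f, off, 0, 0, 0, 0, 0)
    phdrs = (ph(PT_GNU_STACK, 6 | (PF_X if exec_stack else 0), 0)
             + ph(PT_GNU_RELRO, 4, 0) + ph(PT_DYNAMIC, 6, dyn_off))
    dyn = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW if bind_now else 0) + struct.pack("<qQ", DT_NULL, 0)
    return hdr + phdrs + dyn
```

Run check_elf64 on a real file by passing open(path, "rb").read(); the hardened sample reports pie/nx/full RELRO, the weak one reports no PIE, an executable stack and only partial RELRO.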