strings Cheat Sheet
Extract printable strings from binaries and dumps to find URLs, flags, passwords, and error messages.
Overview
strings scans files for runs of printable characters: ASCII by default, UTF-16 with -e. Use it as first-pass recon on unknown binaries, memory dumps, and firmware without disassembling everything.
Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.
Install
binutils (standard on Linux)
```shell
sudo apt install -y binutils
strings --version
```
Essential commands
Default (min length 4)
```shell
strings binary
```
Longer minimum — less noise
```shell
strings -n 8 binary
```
All sections including .data
```shell
strings -a binary
```
Unicode (UTF-16LE common on Windows)
```shell
strings -el win.exe
```
Common workflows
Quick binary triage —
```shell
strings -n 6 ./vuln | grep -iE 'password|flag|/bin/|http|error'
strings -a ./vuln | less
```
Compare two binary versions —
```shell
strings old.bin > old.txt
strings new.bin > new.txt
diff -u old.txt new.txt
```
Firmware / disk image —
```shell
strings -n 10 firmware.bin | grep -i admin
strings -a -n 8 memory.dmp | grep -i '@' | head
```
Pipe to other tools —
```shell
strings libc.so.6 | grep '^/bin/'
objdump -d ./vuln | strings -n 4 - | head # wrong tool combo — use:
strings ./vuln | grep 'CTF{'
```
With file type check —
```shell
file unknown.blob
strings -n 8 unknown.blob | head -50
```
Flags reference
| Flag | Meaning |
|---|---|
| -n N | Minimum string length (default 4) |
| -a | Scan entire file, not just loadable sections |
| -t x | Print offset in hex before each string |
| -t d | Decimal offset |
| -e l | UTF-16LE encoding |
| -e b | UTF-16BE encoding |
| -o | Alias for -t o octal offset |
| -w | Include whitespace-only “strings” |
Tips
- Use -n 8 or higher on large dumps to reduce garbage.
- Hidden flags may be wide strings — try strings -el on Windows PE.
- Combine with grep -E for IPs, emails, and paths.
- rabin2 -zz binary (radare2) finds strings with virtual addresses for PIE.
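
The triage workflow and the tips above (wide strings with -el, grep -E for IPs, emails, and paths, offsets with -t x) combined into one script, as an added example that is not part of the original cheat sheet. The function names, categories, and regexes are illustrative assumptions, the sample blob is constructed, and GNU strings from binutils is assumed.

```shell
#!/bin/sh
# Added example (not from the original page): tag indicator-like strings
# with their encoding and hex offset so hits can be located in a hex editor.

classify() {
    # stdin: "offset string" lines from `strings -t x`; $1: encoding label
    awk -v enc="$1" '
    {
        off = $1; s = $0
        sub(/^[ \t]*[0-9a-f]+ /, "", s)      # drop the offset column
        cat = ""
        if      (s ~ /https?:\/\//)                                 cat = "url"
        else if (s ~ /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]+/) cat = "email"
        else if (s ~ /(^|[^0-9.])[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+($|[^0-9.])/) cat = "ipv4"
        else if (s ~ /^\/(bin|etc|usr|tmp|var|home)\//)             cat = "path"
        else if (tolower(s) ~ /passw|secret|token/)                 cat = "keyword"
        if (cat != "") printf "%s\t0x%s\t%s\t%s\n", enc, off, cat, s
    }'
}

triage_strings() {
    # usage: triage_strings FILE [MINLEN]; scans narrow and UTF-16LE strings
    file=$1
    min=${2:-6}
    [ -r "$file" ] || { echo "cannot read: $file" >&2; return 1; }
    strings -a -n "$min" -t x "$file"      | classify ascii
    strings -a -n "$min" -t x -e l "$file" | classify utf16le
}

make_sample() {
    # Constructed blob: short junk, an ASCII URL at offset 6, then a
    # UTF-16LE e-mail address that a plain `strings` pass does not show.
    printf 'junk\001\002http://example.test/update\000\377' > "$1"
    printf 'a\000d\000m\000i\000n\000@\000e\000x\000a\000m\000p\000l\000e\000' >> "$1"
    printf '.\000t\000e\000s\000t\000\000\000' >> "$1"
}

if [ "$#" -gt 0 ]; then
    triage_strings "$@"
fi
```

Run it as `sh triage.sh unknown.blob 8`; each output line is encoding, offset, category, and the string, separated by tabs.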