Steganography

What is steganography?

Steganography is the art of hiding data inside images, videos, and other carrier files. Its advantage over cryptography is that the hidden data does not attract serious attention. When someone sees encrypted data, they immediately recognize that it is encrypted. Although extracting the hidden message is difficult in cryptography, steganographic data looks less malicious.

Why is steganography used?

Suppose a person "A" is sending something secret to person "B", and the agent who is going to transfer this secret is "C". If "A" uses a cryptographic technique, "C" will definitely notice that some sort of secret message is being transferred and will try every possible way to decrypt it. So "A" has to use a technique that gives "C" no reason to examine the hidden message. This is why steganography is used: the message being transferred looks less malicious.

Some known tools for steganography

Exiftool

It is a tool that is used mainly to read metadata in files.

To install exiftool

```sh
$ sudo apt install exiftool
```

Exiftool gives the metadata of a file as its output. This data can be used for further analysis of the file type and its contents. From a CTF point of view, the metadata may contain clues, hints, or information that turns out to be crucial for finding the flag.

Tip

strings is a command-line tool that shows all the ASCII strings in the file that is passed to it. In CTFs, clues or even the flag itself can often be found as an ASCII string inside the given challenge file. Usage:

```sh
$ strings <file-name>
```

Ghex

Ghex is a tool which helps us to view the hex data or hex dump of an image.

To install Ghex

```sh
$ sudo apt install ghex
```

To use Ghex

```sh
$ ghex image.jpg
```

Using Ghex we can see the headers, footers, and data chunks of an image. Note that Ghex can be used on all types of files, not only images.

Binwalk

It is a tool used mainly for searching embedded files and executable code within another data file.

To install binwalk

```sh
$ sudo apt install binwalk
```

[Image: binwalk output]

In the image above, we see a 'jpg image' that has compressed 'images' embedded within it. To extract the embedded data we can use the carving tool dd. It carves out data starting at a specific offset, which is passed as an argument along with the file to read. Run the following command:

```sh
$ dd if=deeper.jpg of=image1.jpg bs=1 skip=202
```

Here if= is the file from which data is to be extracted and of= is the name given to the extracted file. bs= is the block size in bytes, and skip= is the number of blocks to skip from the start of the input before reading, so with bs=1 it is the byte offset at which the embedded data begins.
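The scan-then-carve workflow above, as an added example in Python (not part of the original page): it generalizes the binwalk and dd steps into a small signature scanner and offset carver over an in-memory file. The sample input is constructed so that an embedded ZIP starts at offset 202, mirroring the skip=202 used above; all function names are assumptions of this example.

```python
from __future__ import annotations
import io
import zipfile

# Well-known magic numbers for a few common file formats.
SIGNATURES = {
    b"\xff\xd8\xff": "JPEG image",
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"PK\x03\x04": "ZIP archive",
    b"\x1f\x8b\x08": "gzip data",
}

def scan(data: bytes) -> list[tuple[int, str]]:
    """Return (offset, description) for every signature hit, sorted by offset."""
    hits = []
    for magic, name in SIGNATURES.items():
        pos = data.find(magic)
        while pos != -1:
            hits.append((pos, name))
            pos = data.find(magic, pos + 1)
    return sorted(hits)

def carve(data: bytes, skip: int, count: int | None = None) -> bytes:
    """In-memory equivalent of `dd bs=1 skip=<skip> [count=<count>]`."""
    if not 0 <= skip <= len(data):
        raise ValueError("offset outside file")
    return data[skip:] if count is None else data[skip:skip + count]

def build_sample() -> bytes:
    """Constructed input: a 202-byte fake JPEG followed by a ZIP archive."""
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 196 + b"\xff\xd9"  # 4 + 196 + 2 bytes
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("hidden.txt", date_time=(2020, 1, 1, 0, 0, 0))
        zf.writestr(info, b"constructed sample payload")
    return jpeg + buf.getvalue()

def extract_embedded_zip(data: bytes) -> dict[str, bytes]:
    """Carve from the first ZIP signature and read the archive's members."""
    offset = next(off for off, name in scan(data) if name == "ZIP archive")
    with zipfile.ZipFile(io.BytesIO(carve(data, offset))) as zf:
        return {n: zf.read(n) for n in zf.namelist()}

if __name__ == "__main__":
    sample = build_sample()
    for off, name in scan(sample):
        print(f"{off:<8} {name}")
    print(extract_embedded_zip(sample))
```

Short signatures can match by chance inside compressed data, so a hit is a candidate offset to verify by actually parsing the carved bytes, as extract_embedded_zip does.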

Steghide

It is used to embed and extract secret messages in images. It supports all the general formats of images like .png, .jpg etc.

To install steghide

```sh
$ sudo apt install steghide
```

To embed a secret message into an image

```sh
$ steghide embed -cf image.jpg -ef secret_message.txt
Enter passphrase : ********
Re-Enter passphrase : ********
embedding "secret_message.txt" in "image.jpg"... done
```

To extract the secret message from the image

```sh
$ steghide extract -sf image.jpg
Enter passphrase : ********
wrote extracted data to "secret_message.txt".
```

For any help with the commands type

```sh
$ steghide --help
```

It is important to note that the password may not always be given as a plain-text sentence. Sometimes it may be hashed. Examples of hashes include MD5 and SHA-1. There is no specific way to reverse a hash, but there are websites which store the hashes of certain commonly used strings.

Some of such websites are:

a. HashKiller
b. MD5Decrypt

Stegsolve

It is used to analyze images in different planes by taking off bits of the image.

To install stegsolve

```sh
$ wget http://www.caesum.com/handbook/Stegsolve.jar -O stegsolve.jar
$ chmod +x stegsolve.jar
$ mkdir bin
$ mv stegsolve.jar bin/
```

Stegsolve can be invoked by placing the image in the bin folder created above and running stegsolve.

```sh
$ java -jar stegsolve.jar
```

There are over 10 different planes supported by stegsolve like Alpha, Blue, Green, Red, XOR etc.