Basic Tools Contd.

Peepdf

Peepdf is a Python-based tool for exploring PDF files in order to find out whether a file can be harmful. The aim of the tool is to provide everything a security researcher needs for a PDF analysis without juggling three or four separate tools. With peepdf it is possible to list all the objects in the document while highlighting the suspicious elements; it supports the most common filters and encodings, and it can parse incremental updates (different versions of a file), object streams and encrypted files.

```
$ ./peepdf.py -i pdffile.pdf
```

Example

We will now see how to extract an embedded file from a PDF. When the file is viewed normally in a PDF viewer there is nothing suspicious about it. So now let's load the PDF in peepdf's interactive mode:

```
$ ./peepdf.py -i nothing.pdf
File: nothing.pdf
MD5: 56572d46b09ef2b3de1faa4c9d5e1cb0
SHA1: 99b73b7d87815f669d54bb1c430b703d4ae827a4
SHA256: 98d1aa64f417da1a331b18c3b57d8d25e642c8f23a661e5298730c01d0a04ad2
Size: 925647 bytes
Version: 1.1
Binary: True
Linearized: False
Encrypted: False
Updates: 0
Objects: 8
Streams: 2
URIs: 0
Comments: 0
Errors: 0

Version 0:
    Catalog: 1
    Info: No
    Objects (8): [1, 2, 3, 4, 5, 6, 7, 8]
    Streams (2): [5, 8]
        Encoded (1): [8]
    Suspicious elements:
        /Names (1): [1]
        /EmbeddedFiles: [1]
        /EmbeddedFile: [8]
```

As we can see, there is an embedded file in the PDF: object 8 is the /EmbeddedFile stream (the only encoded stream), and it is reachable through the /EmbeddedFiles name tree in the catalog, object 1.

So now we extract the embedded file with the stream command. stream prints the decoded content of the stream (filters such as /FlateDecode already applied; rawstream would give the bytes as stored in the file), and the console's > redirection writes that output to a file:

```
PPDF> stream 8 > embedfile
```

```
$ file embedfile
embedfile: PNG image data, 960 x 640, 8-bit/color RGB, non-interlaced
$ xdg-open embedfile
```

We can see that there is an image embedded in the PDF. Checking the extracted stream with file before opening it is a good habit: an embedded "image" may just as well be an executable or another PDF.
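The steps above (load the file, read the object summary, pick out the /EmbeddedFile stream, decode it and identify the result) can be reproduced with a few dozen lines of Python. The following is an added example, not peepdf's code: it builds a constructed minimal PDF (no xref table) with one Flate-compressed embedded file, walks the "N G obj" objects with a small balanced-dictionary parser, reports the same kind of suspicious-key summary peepdf prints, and extracts and identifies the embedded file the way `stream 8 > embedfile` followed by `file` did above. The list of suspicious keys, the helper names and the sample file are assumptions made for the example; only direct /Length values and /FlateDecode are handled.

```python
"""peepdf-style triage and `stream N > file` for a PDF's embedded files.
Added example with a constructed PDF, not peepdf's own code; it only handles
direct /Length values and /FlateDecode, which is enough for the sample."""
import re
import zlib

# Keys peepdf reports under "Suspicious elements"; this subset is an assumption.
SUSPICIOUS_KEYS = (b"/JS", b"/JavaScript", b"/OpenAction", b"/AA", b"/Launch",
                   b"/EmbeddedFile", b"/EmbeddedFiles", b"/RichMedia", b"/XFA")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\d|\s+\d+\s+R)")  # direct /Length only


def read_dict(data: bytes, start: int):
    """Return (dict_bytes, end) for the balanced << ... >> that begins at `start`."""
    depth, i = 0, start
    while i < len(data):
        if data.startswith(b"<<", i):
            depth, i = depth + 1, i + 2
        elif data.startswith(b">>", i):
            depth, i = depth - 1, i + 2
            if depth == 0:
                return data[start:i], i
        else:
            i += 1
    raise ValueError("unbalanced dictionary")


def iter_objects(pdf: bytes):
    """Yield (number, dict_bytes, raw_stream_or_None) for every 'N G obj' in the file."""
    for m in OBJ_RE.finditer(pdf):
        num, pos = int(m.group(1)), m.end()
        if not pdf.startswith(b"<<", pos):
            yield num, b"", None          # scalar or array object: no dictionary, no stream
            continue
        d, end = read_dict(pdf, pos)
        raw = None
        sm = re.match(rb"\s*stream\r?\n", pdf[end:end + 16])
        if sm:
            start = end + sm.end()
            lm = LENGTH_RE.search(d)
            length = int(lm.group(1)) if lm else pdf.index(b"endstream", start) - start
            raw = pdf[start:start + length]
        yield num, d, raw


def decode_stream(d: bytes, raw: bytes) -> bytes:
    """Apply /FlateDecode: the difference between peepdf's `stream` and `rawstream`."""
    return zlib.decompress(raw) if b"/FlateDecode" in d else raw


def triage(pdf: bytes) -> dict:
    """Counts and suspicious-key hits, like the summary peepdf prints on load."""
    objs = list(iter_objects(pdf))
    hits = {}
    for num, d, _ in objs:
        for key in SUSPICIOUS_KEYS:
            if re.search(re.escape(key) + rb"(?![A-Za-z])", d):
                hits.setdefault(key.decode(), []).append(num)
    return {"objects": len(objs), "streams": sum(1 for _, _, r in objs if r is not None),
            "suspicious": hits}


def extract_embedded_files(pdf: bytes) -> dict:
    """{object number: (declared file name or None, decoded bytes)} per /EmbeddedFile stream."""
    names = {}
    for _, d, _ in iter_objects(pdf):
        if re.search(rb"/Type\s*/Filespec", d):
            ef = re.search(rb"/EF\s*<<\s*/F\s+(\d+)\s+\d+\s+R", d)
            fn = re.search(rb"/F\s*\(([^)]*)\)", d)
            if ef and fn:
                names[int(ef.group(1))] = fn.group(1).decode("latin-1")
    return {num: (names.get(num), decode_stream(d, raw))
            for num, d, raw in iter_objects(pdf)
            if raw is not None and re.search(rb"/Type\s*/EmbeddedFile(?!s)", d)}


def identify(data: bytes) -> str:
    """Tiny stand-in for `file`: a few magic numbers."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "PNG image data"
    if data.startswith(b"%PDF-"):
        return "PDF document"
    if data.startswith(b"PK\x03\x04"):
        return "Zip archive data"
    return "data"


def build_sample_pdf(payload: bytes, name: bytes = b"hidden.png", with_js: bool = False) -> bytes:
    """Constructed minimal PDF (no xref table) carrying one Flate-compressed embedded file."""
    comp = zlib.compress(payload)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles << /Names [(" + name + b") 3 0 R] >> >>"
        + (b" /OpenAction 5 0 R" if with_js else b"") + b" >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /Type /Filespec /F (" + name + b") /EF << /F 4 0 R >> >>",
        b"<< /Type /EmbeddedFile /Filter /FlateDecode /Length " + str(len(comp)).encode()
        + b" >>\nstream\n" + comp + b"\nendstream",
    ]
    if with_js:
        objs.append(b"<< /S /JavaScript /JS (app.alert(1)) >>")   # constructed, harmless action
    out = b"%PDF-1.4\n"
    for i, body in enumerate(objs, 1):
        out += str(i).encode() + b" 0 obj\n" + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    sample = build_sample_pdf(b"\x89PNG\r\n\x1a\n" + b"constructed, not a real image")
    print(triage(sample))
    for num, (fname, data) in extract_embedded_files(sample).items():
        print(f"object {num}: {fname}: {identify(data)}")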

Pngcheck

A tool to test PNG image files for corruption and to display their size, type and compression info.

pngcheck is the official PNG tester and debugger. Originally designed simply to test the CRCs within a PNG image file (e.g., to check for ASCII rather than binary transfer), it has been extended to check and optionally print almost all the information about a PNG image and to verify that it conforms to the PNG specification. It also includes partial support for MNG animations.

It can dump the chunk-level information in the image in human-readable form. For example, it can be used to print the basic stats about an image (dimensions, bit depth, etc.); to list the color and transparency info in its palette; or to extract the embedded text annotations. All PNG and JNG chunks are supported, plus almost all MNG chunks (everything but PAST, DISC, tERm, DROP, DBYK, and ORDR). This is a command-line program with batch capabilities.
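The chunk-level checks pngcheck performs are simple enough to reproduce, and doing so shows exactly what a CRC failure or data after IEND looks like. The following is an added example, not pngcheck's code: it constructs a small RGB PNG with a tEXt annotation and some bytes appended after IEND, walks the chunks verifying each CRC-32 (computed over the chunk type and data, not the length), reports the IHDR geometry and text annotations, and flags trailing data. The sample image, helper names and report layout are assumptions made for the example.

```python
"""Chunk-level PNG check in the spirit of pngcheck: walk the chunks, verify each
CRC-32, report IHDR geometry and tEXt annotations, flag data after IEND.
Added example with a constructed image; not pngcheck's code."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
COLOR_TYPES = {0: "grayscale", 2: "RGB", 3: "palette", 4: "grayscale+alpha", 6: "RGB+alpha"}


def chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one chunk: length, type, data, CRC-32 over type+data (the length is not covered)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png(width=4, height=2, text=(), trailing=b"") -> bytes:
    """Constructed 8-bit RGB image (filter type 0 on every row), optional tEXt chunks,
    and optional bytes appended after IEND, the classic place to hide a flag."""
    raw = b"".join(b"\x00" + bytes(range(y * 3, y * 3 + 3 * width)) for y in range(height))
    png = PNG_SIG + chunk(b"IHDR", struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0))
    for key, val in text:
        png += chunk(b"tEXt", key + b"\x00" + val)
    png += chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")
    return png + trailing


def corrupt_byte(png: bytes, offset: int) -> bytes:
    """Flip the low bit of one byte, e.g. what a mangled transfer does to a file."""
    return png[:offset] + bytes([png[offset] ^ 0x01]) + png[offset + 1:]


def check_png(png: bytes) -> dict:
    """Walk the chunks and collect roughly what pngcheck -v prints."""
    report = {"chunks": [], "errors": [], "text": {}, "trailing": 0}
    if not png.startswith(PNG_SIG):
        report["errors"].append("bad signature")
        return report
    pos = len(PNG_SIG)
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        crc_bytes = png[pos + 8 + length:pos + 12 + length]
        name = ctype.decode("latin-1")
        if len(data) < length or len(crc_bytes) < 4:
            report["errors"].append(f"{name}: truncated chunk")
            return report
        expected = zlib.crc32(ctype + data) & 0xFFFFFFFF
        got = struct.unpack(">I", crc_bytes)[0]
        entry = {"type": name, "length": length, "crc_ok": got == expected}
        if not entry["crc_ok"]:
            report["errors"].append(f"{name}: CRC 0x{got:08x}, expected 0x{expected:08x}")
        if ctype == b"IHDR":
            w, h, depth, ctyp = struct.unpack(">IIBB", data[:10])
            report["ihdr"] = {"width": w, "height": h, "bit_depth": depth,
                              "color": COLOR_TYPES.get(ctyp, "?")}
        elif ctype == b"tEXt":
            key, _, val = data.partition(b"\x00")
            report["text"][key.decode("latin-1")] = val.decode("latin-1")
        report["chunks"].append(entry)
        pos += 12 + length
        if ctype == b"IEND":
            report["trailing"] = len(png) - pos   # anything here is not part of the image
            break
    else:
        report["errors"].append("no IEND chunk")
    return report


if __name__ == "__main__":
    sample = build_sample_png(text=[(b"Comment", b"flag{constructed}")], trailing=b"secret")
    print(check_png(sample))
    print(check_png(corrupt_byte(sample, 19)))   # byte 19 is the low byte of the IHDR width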

Zip2john

zip2john (shipped with John the Ripper) converts the encryption metadata of a zip archive into a hash line that john can crack:

```
$ zip2john file.zip
```

Example

Example file:

```
$ zip2john flag.zip
flag.zip:$zip2$*0*1*0*47690c81c096c3c8*4d21*1f*7b9718219de608c6c2d860c4cf5566471d3d4bb5c73b5449ab75ac357c185c*6114d207125db9159c6a*$/zip2$:::::flag.zip
```
```
$ zip2john flag.zip >> hash.txt
```

```
$ john hash.txt
Warning: detected hash type "ZIP", but the string is also recognized as "zip-opencl"
Use the "--format=zip-opencl" option to force loading these as that type instead
Loaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 8x SSE2])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
123321           (flag.zip)
1g 0:00:00:02 DONE 2/3 (2019-04-26 17:31) 0.4651g/s 16946p/s 16946c/s 16946C/s 123456..MATT
Use the "--show" option to display all of the cracked passwords reliably
Session completed
```

So the password found is 123321 ("1g" means one hash was cracked, and "DONE 2/3" that it fell during the second of john's three default passes, the wordlist pass). The "ZIP, WinZip" format tells us the archive uses WinZip AES encryption, where john derives a key with PBKDF2-HMAC-SHA1 from the salt in the hash and checks the password verifier. Other archive formats such as 7z and RAR are cracked the same way with the corresponding helpers (7z2john, rar2john) feeding john.
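What john does for this "$zip2$" line is small enough to write out, and doing so makes the hash fields meaningful. The following is an added example, not John the Ripper's code: it parses the zip2john line format seen above (type, AES mode, inline-data flag, salt, 2-byte password verifier, hex data length, ciphertext, 10-byte authentication code), derives the WinZip AES key material with PBKDF2-HMAC-SHA1 (1000 iterations, as the WinZip AE specification fixes), filters candidates on the 16-bit verifier and confirms survivors with the HMAC-SHA1 authentication code over the ciphertext, because a 16-bit verifier alone passes one wrong password in 65536. The hash it cracks is a constructed one with a random salt and random ciphertext; only the inline-data form (third field 0) seen on this page is handled.

```python
"""Dictionary attack on a zip2john "$zip2$" line, doing what John's ZIP (WinZip AES)
format does: PBKDF2-HMAC-SHA1 over the salt, compare the 2-byte password verifier,
then confirm with the HMAC-SHA1 authentication code.  Added example, not John's code;
it only handles the inline-data form seen above (third field 0)."""
import hashlib
import hmac
import os
from typing import Optional

AES_MODES = {1: (16, 8), 2: (24, 12), 3: (32, 16)}   # mode -> (key bytes, salt bytes)
PBKDF2_ITERATIONS = 1000                              # fixed by the WinZip AE-1/AE-2 spec


def parse_zip2(line: str) -> dict:
    """Split "name:$zip2$*ty*mode*mag*salt*verifier*len*data*auth*$/zip2$:::::name"; len is hex."""
    body = line.split("$zip2$*", 1)[1].split("*$/zip2$", 1)[0]
    ty, mode, mag, salt, verifier, length, data, auth = body.split("*")
    if mag != "0":
        raise ValueError("only inline ciphertext (mag 0) is handled here")
    return {"mode": int(mode), "salt": bytes.fromhex(salt), "verifier": bytes.fromhex(verifier),
            "data_len": int(length, 16), "data": bytes.fromhex(data), "auth": bytes.fromhex(auth)}


def derive(password: bytes, salt: bytes, mode: int):
    """WinZip AES key material: encryption key | authentication key | 2-byte verifier."""
    key_len, salt_len = AES_MODES[mode]
    if len(salt) != salt_len:
        raise ValueError("salt length does not match AES mode")
    km = hashlib.pbkdf2_hmac("sha1", password, salt, PBKDF2_ITERATIONS, 2 * key_len + 2)
    return km[:key_len], km[key_len:2 * key_len], km[2 * key_len:]


def check_password(fields: dict, password: bytes) -> bool:
    _, auth_key, pv = derive(password, fields["salt"], fields["mode"])
    if pv != fields["verifier"]:
        return False           # cheap 16-bit filter: 1 in 65536 wrong passwords slips through
    mac = hmac.new(auth_key, fields["data"], hashlib.sha1).digest()[:10]
    return mac == fields["auth"]   # authentication code over the ciphertext removes false positives


def crack(line: str, wordlist) -> Optional[str]:
    """Return the first word of the wordlist that verifies, or None."""
    fields = parse_zip2(line)
    for word in wordlist:
        pw = word.rstrip("\r\n").encode()
        if check_password(fields, pw):
            return pw.decode()
    return None


def make_zip2_line(name: str, password: bytes, mode: int = 1,
                   ciphertext: Optional[bytes] = None) -> str:
    """Constructed hash line for testing: random salt and ciphertext, verifier and auth derived properly."""
    key_len, salt_len = AES_MODES[mode]
    salt = os.urandom(salt_len)
    ciphertext = ciphertext if ciphertext is not None else os.urandom(31)
    _, auth_key, pv = derive(password, salt, mode)
    auth = hmac.new(auth_key, ciphertext, hashlib.sha1).digest()[:10]
    return (f"{name}:$zip2$*0*{mode}*0*{salt.hex()}*{pv.hex()}*{len(ciphertext):x}*"
            f"{ciphertext.hex()}*{auth.hex()}*$/zip2$:::::{name}")


if __name__ == "__main__":
    line = make_zip2_line("flag.zip", b"123321")   # stands in for the zip2john output above
    print(line)
    print("password:", crack(line, ["password", "123456", "letmein", "123321"]))
```

A real hash line from zip2john can be passed to crack() unchanged together with a wordlist file object; the AES mode (second field) decides the salt and key lengths, so the page's "1" means AES-128 with the 8-byte salt shown.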

Fcrackzip

Usage

The general usage of fcrackzip for brute-forcing a password is as follows.

```
$ fcrackzip -v -b -u -p <initial-password> <file.zip>
```

• -v: verbose, shows what is going on in the background.
• -b: brute-force mode.
• -u: use unzip to weed out wrong passwords. Without it fcrackzip relies on the weak check built into the zip encryption header and reports false positives.
• -p: the initial (starting) password for brute forcing, or, in dictionary mode, the file to read passwords from.
• -D: dictionary mode; reads passwords from the wordlist in order.

The general usage for a dictionary attack is as follows.

```
$ fcrackzip -v -u -D -p <wordlist> <file.zip>
```

The most commonly used public wordlist is rockyou.txt (on Kali it ships compressed as /usr/share/wordlists/rockyou.txt.gz and must be gunzipped first).

Example

Here is an example using a dictionary attack. On opening the zip file, we found that it was password protected.

We used a dictionary attack to find the password.

In this way a zip can be cracked when you don't know the password; for more options see the manual:

```
$ man fcrackzip
```

Audacity

Audacity is a GUI-based tool: an open-source audio editor and recording application.

Installation

Audacity is available for Windows, macOS and Linux. You can download Audacity from its official site, or on Ubuntu from the Ubuntu software store.

Usage

Audacity can be started from the command line or by clicking its icon in Applications.

```
$ audacity
```
On opening a file in Audacity you will see something similar to this.

Audacity displays audio as a waveform. You can switch a track from waveform to spectrogram view by clicking the arrow next to the track name and choosing Spectrogram.

A spectrogram is a visual representation of the signal strength, or "loudness", of a signal over time at the various frequencies present in the waveform.

There are many effects, such as changing speed, pitch and tempo. Clicking the Effect option in the menu bar lists them, and an effect can be applied to a selected region only or to the entire track.

Example

In CTFs we come across quite a few audio challenges. Mostly they are about switching the track view to a spectrogram, or about data embedded as Morse code.

Morse code represents text as sequences of dots and dashes. If the audio consists of beeps of two distinct lengths separated by silence, it is very likely Morse; an online Morse decoder can turn the recording, or your transcription of it, into text. In CTFs the Morse may be audible directly, or it may only become visible after switching the view to a spectrogram.

An example of switching the view to a spectrogram:

An example of switching the view and reading off the Morse code: you can see extra marks above the boundary between the two tracks; that is the Morse. Long marks are dashes and short marks are dots, and the gaps between groups separate the letters. The standard timing is a dot of one unit, a dash of three, one unit of silence between the symbols of a letter, three between letters and seven between words. When transcribing, write a space between letters and a / or | between words so that each letter is unambiguous.

The Morse code for letters and digits is the standard International Morse table (see the Wikipedia reference below).
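Both halves of the procedure described above, transcribing the marks and looking them up, can be automated. The following is an added example, not Audacity's code: it carries the International Morse table, decodes a hand-transcribed string in which spaces separate letters and / or | separate words, and also decodes a constructed audio signal end to end by measuring per-window RMS energy (the brightness you would read off a spectrogram row), thresholding it into tone/silence runs, classifying runs against the shortest tone (dot) using the one/three/seven-unit timing rule, and looking the symbols up. The 8 kHz sample rate, 700 Hz tone, 60 ms dot and the threshold are assumptions for the constructed signal; real recordings need the threshold tuned to their noise floor.

```python
"""Morse from a spectrogram or beeps: a decoder for the dot/dash text you read
off the track, plus an end-to-end audio decoder (tone detection -> timing ->
letters).  Added example with a constructed signal; not Audacity code."""
import math
import random
import re

SAMPLE_RATE = 8000      # Hz, assumed for the constructed audio
UNIT_MS = 60            # dot length used when synthesising the sample

MORSE = {
    "A": ".-", "B": "-...", "C": "-.-.", "D": "-..", "E": ".", "F": "..-.", "G": "--.",
    "H": "....", "I": "..", "J": ".---", "K": "-.-", "L": ".-..", "M": "--", "N": "-.",
    "O": "---", "P": ".--.", "Q": "--.-", "R": ".-.", "S": "...", "T": "-", "U": "..-",
    "V": "...-", "W": ".--", "X": "-..-", "Y": "-.--", "Z": "--..",
    "0": "-----", "1": ".----", "2": "..---", "3": "...--", "4": "....-",
    "5": ".....", "6": "-....", "7": "--...", "8": "---..", "9": "----.",
}
REVERSE = {v: k for k, v in MORSE.items()}


def decode_morse(code: str) -> str:
    """Decode hand-transcribed Morse: spaces separate letters, '/' or '|' separate words."""
    words = re.split(r"\s*[/|]\s*", code.strip())
    return " ".join("".join(REVERSE.get(sym, "?") for sym in w.split()) for w in words)


def text_to_runs(text: str):
    """ITU timing in dot units: dot 1, dash 3, gap 1 inside a letter, 3 between letters, 7 between words."""
    runs = []
    for wi, word in enumerate(text.upper().split()):
        if wi:
            runs.append((False, 7))
        for li, letter in enumerate(word):
            if li:
                runs.append((False, 3))
            for si, sym in enumerate(MORSE[letter]):
                if si:
                    runs.append((False, 1))
                runs.append((True, 1 if sym == "." else 3))
    return runs


def synthesise(text: str, freq=700.0, noise=0.02, seed=0):
    """Constructed mono audio: a sine burst per tone, low-level noise everywhere. Floats in [-1, 1]."""
    rng = random.Random(seed)
    per_unit = SAMPLE_RATE * UNIT_MS // 1000
    samples = []
    for on, units in text_to_runs(text):
        for i in range(units * per_unit):
            tone = 0.8 * math.sin(2 * math.pi * freq * i / SAMPLE_RATE) if on else 0.0
            samples.append(tone + rng.uniform(-noise, noise))
    return samples


def tone_runs(samples, window_ms=10, threshold=0.1):
    """RMS per window, thresholded and run-length encoded into [(tone_on, windows), ...]."""
    n = SAMPLE_RATE * window_ms // 1000
    runs = []
    for i in range(0, len(samples) - n + 1, n):
        rms = math.sqrt(sum(s * s for s in samples[i:i + n]) / n)
        on = rms > threshold
        if runs and runs[-1][0] == on:
            runs[-1][1] += 1
        else:
            runs.append([on, 1])
    return [(on, count) for on, count in runs]


def runs_to_text(runs) -> str:
    """Shortest tone = dot.  Tones >= 2 dots are dashes; gaps >= 2 dots end a letter, >= 5 dots end a word."""
    unit = min(count for on, count in runs if on)
    out, symbol = [], ""
    for on, count in runs:
        if on:
            symbol += "." if count < 2 * unit else "-"
        elif count >= 2 * unit:
            if symbol:
                out.append(REVERSE.get(symbol, "?"))
            symbol = ""
            if count >= 5 * unit and out and out[-1] != " ":
                out.append(" ")
    if symbol:
        out.append(REVERSE.get(symbol, "?"))
    return "".join(out).strip()


def decode_audio(samples) -> str:
    return runs_to_text(tone_runs(samples))


if __name__ == "__main__":
    print(decode_morse(".... . .-.. .-.. --- / .-- --- .-. .-.. -.."))
    print(decode_audio(synthesise("SOS FLAG 2019")))
```

Using the shortest detected tone as the dot length makes the decoder independent of the sender's speed, which is what you do by eye when you decide which marks on the spectrogram are "long".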

References

Visit Wikipedia for detailed information on Morse code, and the Audacity documentation for usage of Audacity.

Sonic Visualiser

Sonic Visualiser is also a GUI-based tool. It is similar to Audacity but somewhat more powerful for analysis: it is an application for viewing and analysing the contents of audio files.

Installation

Sonic Visualiser is available for Linux, macOS and Windows. You can download it from its official site, or on Ubuntu from the Ubuntu software store.

Usage

Sonic Visualiser can be started from the command line or by clicking its icon in Applications.

Pdfcrack

Usage

The general usage of pdfcrack for brute-forcing is,

```
$ pdfcrack -f <file.pdf>
```

The general usage of pdfcrack when a wordlist is provided is,

```
$ pdfcrack -f <file.pdf> -w <wordlist>
```

Example

Here is an example using a wordlist. On opening the PDF, we found that it was password protected.

We used a dictionary attack (a wordlist) to find the password.

This is how the password of a PDF is recovered when you don't know it or have forgotten it.

If you press Ctrl+C, pdfcrack saves its progress to a file called savedstate.sav in the current directory; resume later with pdfcrack -f <file.pdf> -l savedstate.sav.

For further reference visit,

```
$ man pdfcrack
```

Deep Sound

DeepSound is a steganography tool and audio converter that hides information inside audio files or audio CD tracks. It is a Windows tool. It can also extract secret data hidden in audio files or CD tracks. DeepSound supports encrypting the hidden files with AES-256 (Advanced Encryption Standard) to protect the data.

Installation

This tool can be installed from its official site.

Usage

On opening DeepSound after downloading it on Windows, you will see something similar to this. There you can see the Open carrier files option; click on it and choose an audio file (wav, mp3, etc.) in which you want to embed the secret files. Then click the Add secret files option next to it and choose the file to embed. Then click the Encode secret files option and a window something like this appears. You can also protect the secret file with a password: tick the checkbox and the password field appears; choose the password with which the file is to be encrypted. After clicking Encode secret files at the bottom, the encoded file is saved in the output directory you specified.

Example

Here is an example of encoding a secret file into an audio file. Choose the audio file in which to embed the file. Choose the file to embed. Click Encode secret files and choose the output format (a lossless one, since lossy re-encoding would destroy the hidden bits). It then produces another file in the format you specified.

Here is an example of decoding the secret file from the audio file. In the picture above you can see a file (1(1).wav) under Carrier audio files, and under Secret file name you can see the embedded file. Click Extract secret files, and the file hidden in the audio is written out as a separate file. Go to the directory shown in the Information window to find the extracted file.
Reference

For further information, visit the documentation.

Jsteg

Jsteg is a package for hiding data inside JPEG files with a technique known as steganography. This is accomplished by copying each bit of the data into the least-significant bits of the image: since a JPEG stores no raw pixels, these are the LSBs of the quantised DCT coefficients, which survive the file being saved but not re-encoding. The amount of data that can be hidden depends on the size of the JPEG; it takes about 10 to 14 bytes of JPEG to store each byte of hidden data.

Installation

```
$ sudo wget -O /usr/bin/jsteg https://github.com/lukechampine/jsteg/releases/download/v0.1.0/jsteg-linux-amd64
$ sudo chmod +x /usr/bin/jsteg
$ sudo wget -O /usr/bin/slink https://github.com/lukechampine/jsteg/releases/download/v0.2.0/slink-linux-amd64
$ sudo chmod +x /usr/bin/slink
```

Usage

Running jsteg without arguments prints its usage.

```
$ jsteg
```

Hiding data

Now let's hide some data using jsteg. Consider this image of Itachi.

Let the name of the file to be embedded be 'jsteg.txt'.

The file to be embedded contains the following data.

The commands to embed a file in the JPEG image, and to recover it again, are jsteg's hide and reveal subcommands:

```
$ jsteg hide <cover.jpg> jsteg.txt <output.jpg>
$ jsteg reveal <output.jpg> recovered.txt
```

Zsteg

Zsteg is a tool like jsteg, but it detects LSB steganography only in PNG and BMP images. It enumerates the combinations of colour channel, bit order and pixel order in which bits may have been hidden, and reports any extraction that looks like text or a known file type.

Installation

```
$ sudo apt install ruby
$ sudo gem install zsteg
```

Usage

Running zsteg with just the image checks the common LSB combinations; -a tries all of them, and -E extracts one payload by the name zsteg reports for it.

```
$ zsteg <file.png>
$ zsteg -a <file.png>
$ zsteg -E "b1,rgb,lsb,xy" <file.png> > payload
```

Now, let's see a challenge from Securinets CTF Quals 2019 in which the following PNG image is given. Let's run zsteg on this image and see what happens. The syntax is as follows.

```
$ zsteg <file.png>
```

The result can be seen below.

In the above result we can find meaningful data embedded in the LSBs of the PNG image; the name in the first column (for example b1,rgb,lsb,xy: one bit per channel, channels in r,g,b order, least-significant bit, pixels scanned row by row) says exactly where it was found, and this data helped solve the challenge.
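What zsteg does with each "b1,rgb,lsb,xy"-style combination is a short loop over the decoded pixels. The following is an added example, not zsteg's code: it works on already-decoded RGB pixel rows (what zsteg has after inflating and unfiltering IDAT), hides a constructed message in the LSBs, then extracts with any channel order, bit depth, bit order and scan order, and finally enumerates the combinations zsteg would try and keeps the ones that yield a printable run, like zsteg -a. The 24x8 random cover image, the message and the function names are assumptions made for the example; bits are packed most-significant-bit first, zsteg's default.

```python
"""zsteg-style LSB embedding, extraction and enumeration on decoded RGB pixel rows.
Added example with a constructed cover image; not zsteg's code."""
import random
import string

CHANNEL = {"r": 0, "g": 1, "b": 2}


def make_image(width=24, height=8, seed=1):
    """Constructed RGB pixel rows, rows[y][x] == (r, g, b)."""
    rng = random.Random(seed)
    return [[(rng.randrange(256), rng.randrange(256), rng.randrange(256))
             for _ in range(width)] for _ in range(height)]


def _pixel_order(width, height, scan):
    """'xy': row by row, x fastest (zsteg's default); 'yx': column by column."""
    if scan == "xy":
        return [(x, y) for y in range(height) for x in range(width)]
    return [(x, y) for x in range(width) for y in range(height)]


def embed_lsb(rows, data: bytes, channels="rgb", scan="xy"):
    """Write data bit by bit (MSB first) into bit 0 of the chosen channels; returns new rows."""
    bits = [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]
    width, height = len(rows[0]), len(rows)
    slots = [(x, y, CHANNEL[c]) for x, y in _pixel_order(width, height, scan) for c in channels]
    if len(bits) > len(slots):
        raise ValueError("payload too large for this cover")
    out = [list(row) for row in rows]
    for (x, y, ch), bit in zip(slots, bits):
        px = list(out[y][x])
        px[ch] = (px[ch] & ~1) | bit
        out[y][x] = tuple(px)
    return out


def extract_lsb(rows, channels="rgb", bits=1, order="lsb", scan="xy") -> bytes:
    """zsteg-style "b<bits>,<channels>,<order>,<scan>" extraction, packed MSB-first into bytes."""
    width, height = len(rows[0]), len(rows)
    bit_idx = range(bits) if order == "lsb" else range(bits - 1, -1, -1)
    stream = []
    for x, y in _pixel_order(width, height, scan):
        for c in channels:
            value = rows[y][x][CHANNEL[c]]
            stream.extend((value >> i) & 1 for i in bit_idx)
    out = bytearray()
    for i in range(0, len(stream) - len(stream) % 8, 8):
        out.append(sum(b << (7 - j) for j, b in enumerate(stream[i:i + 8])))
    return bytes(out)


def scan_all(rows, min_len=8):
    """Try channel orders, bit depths, bit orders and scan orders (like zsteg -a) and keep
    every extraction that starts with a printable run of at least min_len bytes."""
    printable = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
    found = []
    for bits in (1, 2):
        for chans in ("r", "g", "b", "rgb", "rbg", "grb", "gbr", "brg", "bgr"):
            for order in ("lsb", "msb"):
                for scan in ("xy", "yx"):
                    data = extract_lsb(rows, chans, bits, order, scan)
                    run = bytearray()
                    for byte in data:
                        if byte not in printable:
                            break
                        run.append(byte)
                    if len(run) >= min_len:
                        found.append((f"b{bits},{chans},{order},{scan}", run.decode()))
    return found


if __name__ == "__main__":
    stego = embed_lsb(make_image(), b"flag{constructed_lsb}")
    for name, text in scan_all(stego):
        print(name, text)
```

The enumeration is why zsteg output lists the same payload under several names when only one bit is used per channel (lsb and msb coincide for b1), and why a payload hidden in a non-default channel order only shows up with -a.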

Tweak PNG

TweakPNG is a low-level utility for examining and modifying PNG image files. It supports Windows XP and later. To make much use of it you have to be at least familiar with the internal format of PNG files. Since it is a Windows tool, we need Wine to run TweakPNG on Linux.

Installation

Wine can be installed by executing the following command.

```
$ sudo apt install wine-stable
```

The TweakPNG executable can be downloaded from here.

Usage

Let's open this PNG image in TweakPNG and examine it. Run the 64-bit build of TweakPNG with Wine as follows.

```
$ wine tweakpng.exe
```

Then the following window is displayed.

Now, if the cat image above is opened in TweakPNG, the following window is displayed.