Steganography

There are many ways to embed data in common file formats, and attackers use them because a file that looks like an ordinary image or audio clip draws less attention than raw data. Exfiltrating this way is usually slower, but it is stealthier.

Identification

Before attempting anything, identify the real file format from its content; the extension proves nothing. file reads the magic bytes, and strings gives a quick look at any readable text inside (comments, tool banners, appended files).

$ file file.ext
$ strings file.ext
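The same identification done by hand, as an added example that is not code from the original page or from file/strings: it recognises a handful of formats by their magic bytes and then walks the container to its own end marker, so anything appended after the image (the crudest and still most common hiding spot) is reported. The sample files are constructed inline and are structurally valid but not viewable images.

```python
"""Identify a file by its magic bytes (what `file` does) and report bytes
appended after the container's own end marker.  Added example, not from the
original page or any of the tools it names; the samples are constructed."""
import struct
import zlib

MAGIC = [  # (signature, offset, format)
    (b"\xff\xd8\xff", 0, "jpeg"),
    (b"\x89PNG\r\n\x1a\n", 0, "png"),
    (b"GIF87a", 0, "gif"),
    (b"GIF89a", 0, "gif"),
    (b"BM", 0, "bmp"),
    (b"WAVE", 8, "wav"),        # RIFF....WAVE
    (b"II*\x00", 0, "tiff"),
    (b"MM\x00*", 0, "tiff"),
]

def identify(data: bytes) -> str:
    """Format by signature, ignoring whatever extension the file carries."""
    for sig, off, fmt in MAGIC:
        if data[off:off + len(sig)] == sig:
            return fmt
    return "unknown"

def jpeg_end(data: bytes):
    """Walk JPEG marker segments to the EOI (FFD9) that closes the image.
    Scan data byte-stuffs FF as FF00, so a bare FFxx inside a scan is a real
    marker; a naive rfind(b'\\xff\\xd9') would be fooled by an appended payload
    that itself contains FFD9."""
    i, n = 2, len(data)
    while i + 1 < n:
        if data[i] != 0xFF:
            return None                      # lost sync: corrupt or not JPEG
        m = data[i + 1]
        if m == 0xFF:                        # fill byte before a marker
            i += 1
            continue
        if m == 0xD9:
            return i + 2                     # offset just past EOI
        if m in (0xD8, 0x01) or 0xD0 <= m <= 0xD7:
            i += 2                           # standalone markers carry no length
            continue
        if i + 4 > n:
            return None
        i += 2 + struct.unpack_from(">H", data, i + 2)[0]
        if m == 0xDA:                        # SOS: skip entropy-coded data
            while i + 1 < n and not (data[i] == 0xFF and data[i + 1] != 0x00
                                     and not 0xD0 <= data[i + 1] <= 0xD7):
                i += 1
    return None

def png_end(data: bytes):
    """Walk PNG chunks (length, type, payload, CRC) until IEND."""
    i = 8
    while i + 8 <= len(data):
        length = struct.unpack_from(">I", data, i)[0]
        ctype = data[i + 4:i + 8]
        i += 12 + length
        if ctype == b"IEND":
            return i
    return None

def declared_end(data: bytes, fmt: str):
    """BMP and WAV headers declare their own size; trust, then verify."""
    if fmt == "bmp":
        return struct.unpack_from("<I", data, 2)[0]
    if fmt == "wav":
        return struct.unpack_from("<I", data, 4)[0] + 8
    return None

def trailing_data(data: bytes):
    """(format, end_offset, appended_bytes); end_offset is None if unknown."""
    fmt = identify(data)
    walker = {"jpeg": jpeg_end, "png": png_end}.get(fmt, lambda d: declared_end(d, fmt))
    end = walker(data)
    return fmt, end, (data[end:] if end is not None else b"")

# --- constructed samples: minimal, structurally valid, not viewable images ---
def _png_chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload)
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

JPEG_SAMPLE = (b"\xff\xd8"                     # SOI
               + b"\xff\xe0\x00\x04\x00\x00"   # APP0, length 4
               + b"\xff\xda\x00\x02"           # SOS, empty header
               + b"\x12\x34\xff\x00\x56"       # scan data with a stuffed FF00
               + b"\xff\xd9"                   # EOI
               + b"PK\x03\x04")                # appended zip header
PNG_SAMPLE = (b"\x89PNG\r\n\x1a\n" + _png_chunk(b"IHDR", b"\x00" * 13)
              + _png_chunk(b"IEND", b"") + b"hidden")
BMP_SAMPLE = b"BM" + struct.pack("<I", 14) + b"\x00" * 8 + b"XYZ"

if __name__ == "__main__":
    for sample in (JPEG_SAMPLE, PNG_SAMPLE, BMP_SAMPLE):
        print(trailing_data(sample))
```

On a real file, read it in binary and pass the bytes to trailing_data; a non-empty third element is the appended payload, which is then identified again with the same function (a zip, another image, plain text).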

Extract & Embed data - JPG, PNG, GIF, TIFF, BMP

StegoVeritas is a fantastic tool for pulling image files apart and is worth the detour. I personally like the GIF steg. Install it with pip3, then run its dependency installation script once.

$ pip3 install stegoveritas
$ stegoveritas_install_deps
$ stegoveritas file.ext

Extract & Embed data - JPEG, BMP, WAV, AU

Steghide is one of the most famous steganography tools. It supports JPEG, BMP, WAV and AU files as cover files; there is no restriction on the format of the secret data. Features include compression of the embedded data, encryption of the embedded data (Rijndael-128 in CBC mode by default) and automatic integrity checking with a CRC32 checksum.

Extract:

$ steghide extract -sf image.jpeg
$ steghide extract -sf image.jpeg -p PASSWORD_TO_DECRYPT

Embed:

$ steghide embed -cf image.jpeg -ef secret.txt 

NOTE: steghide will ask you for a passphrase. It is optional (press Enter for an empty one), but it is rare for anyone to take the time to hide data and then leave it unencrypted, especially when embedding and encrypting are a single step. Also note that embed without -sf writes the result into the cover file itself, so keep a copy of the original if you still need it.

Extract data - PNG, BMP

Zsteg is a Ruby gem that detects and extracts LSB-style payloads from PNG and BMP files, the raw-pixel formats steghide does not cover. It is analysis-only: it cannot embed, and it does not read steghide's own format.

Extract:

$ zsteg image.png
$ zsteg image.png -v -a
$ zsteg image.png -v --lsb #Least significant bit first
$ zsteg image.png -v --msb #Most significant bit first
$ zsteg image.png -v -c rgb #Specific channel set: r, g, b, a or a combination such as bgr
$ zsteg image.png -v -b 1,3,5 #Specific bits
$ zsteg image.png -v -b 1-6 #Specific bits range

Embed:

zsteg has no embed mode. To plant a payload in a PNG or BMP for testing, use a dedicated LSB embedding tool (or a few lines of your own code), then confirm that zsteg finds it with the channel, bit and order settings you used.
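What the zsteg switches above actually select, as an added example that is not code from the original page, zsteg or steghide: a minimal LSB embedder and extractor over raw RGB pixel bytes with the same three knobs (channel set, bits per sample, bit order), plus a crude imitation of zsteg -a that tries every combination and keeps the ones that decode to printable text. The cover "image" is constructed inline from seeded pseudo-random bytes so it runs without an image library; on a real file you would feed it the decoded pixel buffer.

```python
"""Minimal LSB steganography on raw RGB pixel bytes, exposing the three knobs
zsteg iterates over (channel set, bits per sample, bit order) and a crude
version of its `-a` scan.  Added example: not code from the original page,
zsteg or steghide; the cover is constructed from seeded pseudo-random bytes."""
import random

CHANNEL_OFFSET = {"r": 0, "g": 1, "b": 2}

def _carriers(pixels, channels):
    """Byte indices that may hold payload bits, walked pixel by pixel."""
    offs = [CHANNEL_OFFSET[c] for c in channels]
    return [p + o for p in range(0, len(pixels), 3) for o in offs]

def _to_bits(payload, order):
    """Serialise bytes; 'lsb' emits bit 0 of each byte first, 'msb' bit 7."""
    shifts = range(8) if order == "lsb" else range(7, -1, -1)
    return [(byte >> s) & 1 for byte in payload for s in shifts]

def _from_bits(bits, order):
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        chunk = bits[i:i + 8]
        if order == "lsb":
            chunk = chunk[::-1]
        out.append(int("".join(map(str, chunk)), 2))
    return bytes(out)

def embed(pixels, payload, channels="rgb", bits=1, order="lsb"):
    """Overwrite the low `bits` bits of each carrier sample with payload bits."""
    stream = _to_bits(payload, order)
    carriers = _carriers(pixels, channels)
    if len(stream) > len(carriers) * bits:
        raise ValueError("payload does not fit in the chosen channels/bits")
    out = bytearray(pixels)
    mask = (1 << bits) - 1
    for k, idx in enumerate(carriers):
        chunk = stream[k * bits:(k + 1) * bits]
        if not chunk:
            break
        value = 0
        for b in chunk:
            value = (value << 1) | b
        value <<= bits - len(chunk)           # zero-pad a short final chunk
        out[idx] = (out[idx] & ~mask) | value
    return bytes(out)

def extract(pixels, nbytes, channels="rgb", bits=1, order="lsb"):
    """Read back nbytes using the same channel/bits/order choice."""
    carriers = _carriers(pixels, channels)
    mask = (1 << bits) - 1
    stream = []
    for idx in carriers:
        v = pixels[idx] & mask
        stream.extend((v >> s) & 1 for s in range(bits - 1, -1, -1))
        if len(stream) >= nbytes * 8:
            break
    return _from_bits(stream[:nbytes * 8], order)

def scan(pixels, nbytes=32, threshold=0.9):
    """Crude `zsteg -a`: try every combination and keep those whose first
    nbytes decode to mostly printable ASCII.  Real zsteg also looks for zlib
    streams, file signatures and the headers of known embedding tools."""
    hits = []
    for order in ("lsb", "msb"):
        for channels in ("r", "g", "b", "rgb", "bgr"):
            for bits in (1, 2, 4):
                data = extract(pixels, nbytes, channels, bits, order)
                printable = sum(32 <= c < 127 for c in data) / len(data)
                if printable >= threshold:
                    hits.append((f"b{bits},{channels},{order}", data))
    return hits

# constructed 32x32 RGB cover: seeded noise, so every run is identical
_rng = random.Random(1337)
COVER = bytes(_rng.randrange(256) for _ in range(32 * 32 * 3))
PAYLOAD = b"flag{lsb-in-blue-channel-demo-1234567890}"
STEGO = embed(COVER, PAYLOAD, channels="b", bits=1, order="lsb")

if __name__ == "__main__":
    print(extract(STEGO, len(PAYLOAD), "b", 1, "lsb"))
    for key, data in scan(STEGO):
        print(key, data)
```

The hit key mirrors zsteg's own labels (b1,b,lsb means one bit, blue channel, LSB first), which makes it obvious why reading the same pixels with the wrong order or channel set yields garbage: the payload is only recoverable with the exact parameters used to embed it.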

StegSeek - Steganography passphrase cracking

Stegseek is a steghide passphrase cracker that crunches through a wordlist far faster than any other steghide cracker I know of (its README quotes the whole rockyou.txt list in seconds). It also bundles nearly all of steghide's functionality, so it can embed and extract as normal; the only catch is that the action is given as a long option (--extract, --embed) instead of steghide's subcommand. Its seed-cracking mode (--seed) tells you whether a file contains steghide data at all, even when the passphrase is not in your wordlist. Compile from source or install the released binaries: https://github.com/RickdeJager/stegseek/releases

Crack:

$ stegseek image.jpeg wordlist.lst -t 16 >> cracked #-t sets the thread count; the redirect only keeps the console output, the recovered file is written next to the stego file (image.jpeg.out unless -xf names another file)

Unicode - Homoglyphs & Homographs

Sometimes the data is encoded in an unusual way. Homoglyphs (characters from different scripts that look alike, such as Latin a and Cyrillic а) are good for phishing, for bypassing filters and, of course, for hiding data in plain sight. Homoglyph domains usually fool people better than typosquatting (dropping, swapping or adding characters). Two quick checks when you suspect one: the punycode form (xn--...) that browsers fall back to for suspicious labels, and the Unicode script of each character, since a legitimate label rarely mixes scripts. Generator: https://www.irongeek.com/homoglyph-attack-generator.php
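Those two checks in code, as an added example that is not code from the original page or the irongeek generator: each label is split into the Unicode scripts it uses, normalised with NFKC to catch compatibility forms (fullwidth letters, ligatures), compared against a small hand-picked subset of confusable characters (not the full Unicode confusables.txt), and converted to its IDNA/punycode form with the standard library's idna codec. The sample domains are constructed.

```python
"""Flag domain labels that mix scripts or use look-alike code points, and show
the punycode (xn--) form that browsers and DNS actually use.  Added example,
not from the original page; CONFUSABLE is a small hand-picked subset of
Unicode's confusables table, not the complete list."""
import unicodedata

# Constructed subset: Cyrillic and Greek letters that render like Latin ones.
CONFUSABLE = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u03bf": "o", "\u03b1": "a", "\u0391": "A", "\u0392": "B", "\u0395": "E",
}

def script_of(ch):
    """First word of the Unicode name: LATIN, CYRILLIC, GREEK, CJK, ..."""
    if ch.isdigit() or ch in "-_":
        return None                         # script-neutral characters
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]

def skeleton(text):
    """Map look-alikes to their Latin twins so the spoof compares equal to
    the brand it imitates."""
    return "".join(CONFUSABLE.get(c, c) for c in text)

def analyze(domain):
    """Per-label script mix, NFKC changes, confusable use, plus the IDNA form."""
    labels = []
    for label in domain.split("."):
        scripts = {s for s in map(script_of, label) if s}
        labels.append({
            "label": label,
            "scripts": scripts,
            "mixed": len(scripts) > 1,
            "nfkc_changed": unicodedata.normalize("NFKC", label) != label,
            "confusable": any(c in CONFUSABLE for c in label),
        })
    try:
        ascii_form = domain.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_form = None                   # label rejected by IDNA/nameprep
    return {
        "domain": domain,
        "labels": labels,
        "ascii": ascii_form,
        "skeleton": skeleton(domain),
        "suspicious": any(l["mixed"] or l["confusable"] or l["nfkc_changed"]
                          for l in labels),
    }

# constructed samples
LEGIT = "paypal.com"
SPOOF = "p\u0430ypal.com"            # Cyrillic U+0430 in place of Latin 'a'
FULLWIDTH = "\uff50aypal.com"        # fullwidth 'p' (U+FF50); NFKC folds it to 'p'

if __name__ == "__main__":
    for d in (LEGIT, SPOOF, FULLWIDTH):
        r = analyze(d)
        print(r["domain"], r["ascii"], r["skeleton"], r["suspicious"])
```

The skeleton is what to compare against your own brand and partner names in mail and proxy logs; the ascii form is what actually goes over the wire, so a sender or link whose punycode label does not match its displayed text is the thing to alert on.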

Exiftool - Metadata

Nothing fancy here: a simple tool that reads (and writes) a file's metadata. Comments, XMP blocks, embedded thumbnails and oversized or unexpected tags are the usual places to look.

$ exiftool file.foo

Audio - Spectrograph analysis

Some audio analysis tools:

  • Audacity

  • Sonic Visualiser

  • WavSteg <- can extract/embed data

  • DeepSound

You can check for hidden messages in audio files with any audio analysis software (the spectrogram view is where text or images drawn into the audio show up), or run the file through filters to isolate a single component. I personally use Audacity, but Sonic Visualiser is also good, and any DAW works too (FL Studio, Ableton, Pro Tools, etc.).
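The filtering approach done programmatically, as an added example that is not code from the original page or any of the tools listed: a WAV is synthesised inline (seeded noise with a 1 kHz tone present only between 0.4 s and 0.6 s), then the power in one frequency bin is measured per frame with the Goertzel algorithm, which is what a single row of a spectrogram amounts to. Frames whose power at the target frequency stands far above the median are reported as spans, locating a hidden carrier without opening a GUI.

```python
"""Find where a tone is present in a WAV file, the thing a spectrogram view in
Audacity or Sonic Visualiser shows visually.  Added example, not from the
original page or any of the listed tools; the WAV is synthesised inline."""
import io
import math
import random
import struct
import wave

RATE = 8000  # sample rate of the constructed file

def make_wav(seconds=1.0, tone_hz=1000.0, window=(0.4, 0.6)):
    """Constructed sample: 16-bit mono, seeded low-level noise everywhere and
    a loud tone only inside `window` (seconds)."""
    rng = random.Random(7)
    frames = bytearray()
    for n in range(int(seconds * RATE)):
        t = n / RATE
        sample = rng.randint(-1000, 1000)
        if window[0] <= t < window[1]:
            sample += int(8000 * math.sin(2 * math.pi * tone_hz * t))
        frames += struct.pack("<h", sample)
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(RATE)
        w.writeframes(bytes(frames))
    return buf.getvalue()

def read_samples(wav_bytes):
    """Return (rate, samples) for a 16-bit mono WAV."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        assert w.getsampwidth() == 2 and w.getnchannels() == 1
        raw = w.readframes(w.getnframes())
        rate = w.getframerate()
    return rate, struct.unpack("<%dh" % (len(raw) // 2), raw)

def goertzel_power(block, rate, target_hz):
    """Power in one frequency bin (Goertzel): cheaper than a full FFT when
    you are hunting for a specific carrier."""
    n = len(block)
    k = int(0.5 + n * target_hz / rate)
    coeff = 2 * math.cos(2 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in block:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def tone_spans(wav_bytes, target_hz, frame=400, ratio=20.0):
    """Time spans (start_s, end_s) where the power at target_hz exceeds
    `ratio` times the median frame power: a thresholded one-bin spectrogram."""
    rate, samples = read_samples(wav_bytes)
    powers = [goertzel_power(samples[i:i + frame], rate, target_hz)
              for i in range(0, len(samples) - frame + 1, frame)]
    median = sorted(powers)[len(powers) // 2]
    spans, start = [], None
    for i, p in enumerate(powers + [0.0]):   # sentinel closes a trailing span
        hot = p > ratio * median
        if hot and start is None:
            start = i
        elif not hot and start is not None:
            spans.append((start * frame / rate, i * frame / rate))
            start = None
    return spans

WAV = make_wav()

if __name__ == "__main__":
    print(tone_spans(WAV, 1000.0))   # where the hidden carrier lives
```

Sweeping target_hz over a range and printing the spans per frequency gives a text-mode spectrogram; a message encoded as tones (Morse, DTMF-style pairs, or an image painted into the spectrum) shows up as a structured pattern where the noise floor is flat.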
