# Steganography

## Identification

Before attempting anything, identifying the file format is a *must.*

```
$ file file.ext
$ strings file.ext
```

## Extract & Embed data - JPG, PNG, GIF, TIFF, BMP

[**StegoVeritas**](https://github.com/bannsec/stegoVeritas) is a fantastic tool to manipulate files with. It is worth the detour. I personally like the GIF steg. It can be installed with **pip3**; then run its dependency installation script.

```
$ pip3 install stegoveritas
$ stegoveritas_install_deps
$ stegoveritas file.ext
```

## Extract & Embed data - JPEG, BMP, WAV, AU

[**Steghide**](https://github.com/StefanoDeVuono/steghide) is one of the most famous steganography tools.\
The **JPEG**, **BMP**, **WAV** and **AU** file formats are **supported for use as cover file**.\
There are **no restrictions** on the **format of the secret data**.\
Features include the **compression** of the embedded data, **encryption** of the embedded data and automatic **integrity** checking using a checksum.

**Extract:**

```
$ steghide extract -sf image.jpeg
$ steghide extract -sf image.jpeg -p PASSWORD_TO_DECRYPT
```

**Embed:**

```
$ steghide embed -cf image.jpeg -ef secret.txt 
```

***NOTE:** steghide will ask you for a passphrase, but it is **optional**. That said, it is rare for someone to take the time to obfuscate data and then leave it unencrypted, especially when embedding and encrypting together is this easy.*

## Extract & Embed data - PNG, BMP

**Zsteg** is a **Ruby GEM** and will do the same thing as steghide but with **PNG** and **BMP** files.

**Extract:**

```
$ zsteg image.png
$ zsteg image.png -v -a
$ zsteg image.png -v --lsb #Least significant bit first
$ zsteg image.png -v --msb #Most significant bit first
$ zsteg image.png -v -c (R/G/B/A) #Specific color channel
$ zsteg image.png -v -b 1,3,5 #Specific bits
$ zsteg image.png -v -b 1-6 #Specific bits range
```
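What zsteg's `--lsb`/`--msb`, `-c` and `-b` options iterate over, as an added illustration (not zsteg's code and not from the original page): a toy Python extractor over raw RGB pixel tuples, plus an embed helper used only to build the sample. The pixel tuples, the 8x8 cover and the payload are constructed; a real run would take the pixels from the decoded PNG.

```python
from typing import Dict, Sequence, Tuple

Pixel = Tuple[int, int, int]        # one RGB pixel, 8 bits per channel (constructed format)
CHANNEL = {"r": 0, "g": 1, "b": 2}  # like zsteg -c (alpha left out)


def extract_bits(pixels: Sequence[Pixel], channels: str = "rgb",
                 bits: Sequence[int] = (0,), msb_first: bool = False) -> bytes:
    """Read the chosen bit planes (0 = LSB, like zsteg -b) from the chosen
    channels pixel by pixel and pack each 8 bits into a byte; msb_first
    mirrors zsteg --msb (first bit read becomes bit 7 of the byte)."""
    stream = [(px[CHANNEL[c]] >> b) & 1
              for px in pixels for c in channels for b in bits]
    out = bytearray()
    for i in range(0, len(stream) - len(stream) % 8, 8):
        chunk = stream[i:i + 8] if msb_first else stream[i:i + 8][::-1]
        byte = 0
        for bit in chunk:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


def embed_bits(pixels: Sequence[Pixel], payload: bytes, channels: str = "rgb",
               bits: Sequence[int] = (0,), msb_first: bool = False) -> list:
    """Inverse of extract_bits, used only to build the test input: overwrite
    the selected planes of a copy of the cover with the payload bits."""
    order = range(7, -1, -1) if msb_first else range(8)
    stream = [(byte >> k) & 1 for byte in payload for k in order]
    out = [list(px) for px in pixels]
    pos = 0
    for px in out:
        for c in channels:
            for b in bits:
                if pos < len(stream):
                    px[CHANNEL[c]] = (px[CHANNEL[c]] & ~(1 << b)) | (stream[pos] << b)
                    pos += 1
    if pos < len(stream):
        raise ValueError("payload does not fit in the selected bit planes")
    return [tuple(px) for px in out]


def demo() -> Dict[str, bytes]:
    """Constructed 8x8 cover; the 8-byte payload fills the blue LSB plane exactly."""
    cover = [((x * 37) % 256, (y * 59) % 256, (x * y) % 256)
             for y in range(8) for x in range(8)]
    stego = embed_bits(cover, b"flag{b0}", channels="b", bits=(0,))
    return {"blue_lsb": extract_bits(stego, "b", (0,)),                  # payload back
            "blue_msb": extract_bits(stego, "b", (0,), msb_first=True),  # wrong bit order
            "red_lsb": extract_bits(stego, "r", (0,))}                   # untouched plane
```

Reading the right plane with the wrong bit order yields every byte bit-reversed, which is why zsteg tries both orders; reading an untouched channel returns only cover noise.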

## StegSeek - Steganography passphrase cracking

**Stegseek** is a neat piece of code that will crunch through any wordlist faster than any steganography cracker available (to my knowledge). Compile it from source or install the released binaries.\
It also includes nearly all of steghide's functionality, so it can also be used to embed or extract data as normal. The only catch is that commands must use the `--command` format.\
<https://github.com/RickdeJager/stegseek/releases>

**Crack:**

```
$ stegseek image.jpeg wordlist.lst -t 16 >> cracked
```

## Unicode - Homoglyphs & Homographs

Sometimes the data will be encoded using an unusual encoding. This can be good for phishing, bypassing filters, and of course hiding data in plain sight. Using homoglyphs in domains is common and is usually more effective for phishing than typosquatting, character subtraction, etc.\
<https://www.irongeek.com/homoglyph-attack-generator.php>

## Exiftool - Metadata

Nothing fancy here, a simple tool to read a file's metadata.

```
$ exiftool file.foo
```

## Audio - Spectrograph analysis

Several audio analysis tools are available, such as:

* Audacity
* Sonic Visualiser
* **WavSteg <- can extract/embed data**
* DeepSound

You can always check for hidden messages in audio files using any audio analysis software, or pass the file through one or more filters to isolate a hidden signal.\
I personally use Audacity, but Sonic Visualiser is also good, and any DAW works as well (FL Studio, Ableton, Pro Tools, etc.).

![Waveform view of an audio file](/files/-MkIR9zCSnJRiJLAyr2E)

![Spectrograph view of the same audio file](/files/-MkIQXeRhhee1m3PPQRB)
