Steganography

Last modified: 2023-07-06

Steganography is the practice of representing information within another message or physical object, in such a manner that the presence of the information is not evident to human inspection.

Basic Analysis

open example.jpg
file example.jpg

strings example.jpg
# Display the first N lines (default: 10 lines)
strings example.jpg | head
strings example.jpg | head -n 50
# Display the last N lines (default: 10 lines)
strings example.jpg | tail
strings example.jpg | tail -n 50

xxd example.jpg
xxd example.jpg | head

Extract the Data inside the Image File

# -e: extract data inside image
binwalk -e example.jpg

# PPM
outguess-extract example.ppm out.ppm

Read Meta Information

exiftool example.jpg

If the output includes GPS Latitude/Longitude, you can find the location by searching on Google Maps. For example, given GPS Latitude: 54 deg 17' 41.27" N and GPS Longitude: 2 deg 15' 1.33" W, enter "54 17' 41.27" N 2 15' 1.33" W" in the Google Maps search form.
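To turn those coordinates into the signed decimal degrees most mapping tools accept, the following added example (not part of the original page) parses exiftool-style text output. The function names and the sample report are constructed for illustration, and the "Tag : value" layout is assumed to match exiftool's default output.

```shell
#!/bin/sh
# Added example: convert exiftool-style DMS GPS values to signed decimal degrees.

# dms_to_decimal "54 deg 17' 41.27\" N" -> 54.294797 (non-zero status on bad input)
dms_to_decimal() {
    printf '%s\n' "$1" | awk -v q="'" '
    {
        # Strip the unit markers, leaving: degrees minutes seconds hemisphere
        gsub("deg|" q "|\"", " ")
        if (NF != 4 || $4 !~ /^[NSEW]$/) exit 1
        if ($1 !~ /^[0-9]+$/ || $2 !~ /^[0-9]+$/) exit 1
        if ($3 !~ /^[0-9]+(\.[0-9]+)?$/) exit 1
        if ($2 >= 60 || $3 >= 60) exit 1            # minutes/seconds out of range
        dec = $1 + $2 / 60 + $3 / 3600
        limit = ($4 ~ /[NS]/) ? 90 : 180            # latitude vs longitude bound
        if (dec > limit) exit 1
        if ($4 ~ /[SW]/) dec = -dec                 # south and west are negative
        printf "%.6f\n", dec
    }'
}

# Reads exiftool text output on stdin and prints "lat,lon" in decimal degrees.
exif_gps_to_decimal() {
    gps_report=$(cat)
    # Anchor on the exact tag name so "GPS Latitude Ref" and "GPS Position" are skipped
    gps_lat=$(printf '%s\n' "$gps_report" | sed -n 's/^GPS Latitude *: *//p' | head -n 1)
    gps_lon=$(printf '%s\n' "$gps_report" | sed -n 's/^GPS Longitude *: *//p' | head -n 1)
    [ -n "$gps_lat" ] && [ -n "$gps_lon" ] || return 1
    gps_lat=$(dms_to_decimal "$gps_lat") || return 1
    gps_lon=$(dms_to_decimal "$gps_lon") || return 1
    printf '%s,%s\n' "$gps_lat" "$gps_lon"
}

# Constructed sample input using the coordinates quoted above.
sample_report() {
    cat <<'EOF'
File Name                       : example.jpg
GPS Latitude Ref                : North
GPS Longitude Ref               : West
GPS Latitude                    : 54 deg 17' 41.27" N
GPS Longitude                   : 2 deg 15' 1.33" W
GPS Position                    : 54 deg 17' 41.27" N, 2 deg 15' 1.33" W
EOF
}

sample_report | exif_gps_to_decimal
```

With a real file, pipe the tool's output in the same way: `exiftool example.jpg | exif_gps_to_decimal`.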

Get Hidden Data

# JPG only
steghide info sample.jpg
steghide extract -sf sample.jpg

# PNG & BMP only - https://github.com/zed-0xff/zsteg
zsteg -a sample.png

# PDF
sudo apt install poppler-utils
pdfinfo sample.pdf

# QR code scan
zbarimg QR.png

  • Crack Steg Passphrases

    Use Stegseek.

    # Crack using wordlists
    stegseek --crack sample.jpg /usr/share/wordlists/rockyou.txt
    
    # Crack by attempting all embedding patterns
    stegseek --seed sample.jpg
    
  • Crack PDF password

    # 1. Convert
    pdf2john example.pdf > hash.txt
    # or
    /usr/share/john/pdf2john.pl example.pdf > hash.txt
    
    # 2. Crack
    john --format=pdf --wordlist=wordlist.txt hash.txt
    

GUI Analyzer

stegsolve is a GUI image analysis tool.

java -jar stegsolve.jar

Embed Hidden Data

Exiftool

exiftool -Key="value" sample.jpg

Steghide

# -cf: cover file that will carry the data, -ef: file to embed
steghide embed -cf sample.jpg -ef hidden.txt

Outguess

Outguess is a steganography tool for JPG, PPM and PNM.

outguess -k "passphrase" -d hidden.txt example.jpg out.jpg

OSINT

Search the image information using search engines.


npiet

npiet is an interpreter for the Piet programming language.
It takes PPM (portable pixmap), PNG and GIF images as input.

  1. Download and Compile

    First, download npiet and extract it.

    wget https://www.bertnase.de/npiet/npiet-1.3f.tar.gz
    tar -xf npiet-1.3f.tar.gz
    

    Then compile npiet.c.

    cd npiet-1.3f
    gcc npiet.c -o npiet
    
  2. Decode

    After compiling, decode the image files.

    ./npiet example.png
    ./npiet example.ppm
    ./npiet example.gif