Steghide: An introduction

JOLT is a hacking CTF located in Little Rock, Arkansas, and JOLT 2022 was where I was first introduced to steghide. Steghide is a tool for steganography, which according to Wikipedia is "the practice of representing information within another message or physical object, in such a manner that the presence of the information is not evident to human inspection". So basically, hiding information within a picture. And of course if you can hide information in there, you can extract information, and you can hide information that is dangerous.

On the Kali Linux steghide page it says: "Steghide is a steganography program which hides bits of a data file in some of the least significant bits of another file in such a way that the existence of the data file is not visible and cannot be proven.

Steghide is designed to be portable and configurable and features hiding data in bmp, jpeg, wav and au files, blowfish encryption, MD5 hashing of passphrases to blowfish keys, and pseudo-random distribution of hidden bits in the container data.

Steghide is useful in digital forensics investigations."

You can protect your files with passphrases, and do a lot more. Steghide is a really useful tool for extracting information from pictures that have had data embedded in them with steghide.

I am going to demonstrate this by taking a picture, embedding information in it with a passphrase, and then basically reversing that: seeing if we can recover the passphrase with stegseek and get back the information we put in. I encourage you to follow along! :)

Let's begin! 

First, we need to install steghide. On Kali you can do this by running the "sudo apt-get install steghide" command.

After that let's pick a photo for our example. I love cute kittens so let's find a photo of a cute kitten. :)

Photo for our example

Now that we have a picture, let's see what we can do with steghide by running the "steghide --help" command. This gives us a list of commands that we can use with steghide. First, let's use the info command to get some info about our photo. We can just run "steghide info cute-kitten.jpg" to get some info.

This gives us very little information: the format, which is jpeg, and the capacity, which is 6.4 KB. The thing about steghide is that it is used mainly to interact with "stego" files, which are files that have already been manipulated by steghide. Therefore, a normal photo won't have a whole lot of use with steghide.

But what if we wanted to add a passphrase to a photo, and embed a file into the photo? We can do that!

I created a txt file called "cute-kitten.txt" with the word "meow" in it. Now that we have done that, we can embed this file into our jpeg with the command "steghide --embed -cf cute-kitten.jpg -ef cute-kitten.txt". This will prompt you for a passphrase; you don't have to set one, but I encourage you to do so. If you don't, anyone will be able to view the contents, which defeats the purpose of steghide, so for this example we will use a passphrase. My super secret passphrase is meow! Once we enter our passphrase twice, the embedding succeeds!

So what happens if we try to extract data from this picture with steghide? Well, when we run "steghide --extract -sf cute-kitten.jpg" we are prompted for a passphrase. What happens if we enter it wrong? We get a message telling us we couldn't extract any data.
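To make the mechanism in the Kali description concrete, and to show why a wrong passphrase in the extract step above recovers nothing, here is a small toy model written for this post (it is not steghide's own code or file format): payload bits are written into the least significant bits of a cover, at positions chosen by a PRNG seeded from the passphrase. The constructed cover bytes, the SHA-256 seeding and the 4-byte length header are my assumptions.

```python
import hashlib
import random
import zlib

# Constructed stand-in for a cover image's pixel bytes (no real image needed).
COVER = bytes(random.Random(7).randrange(256) for _ in range(4096))

def capacity_bytes(cover: bytes) -> int:
    """Payload bytes that fit: one LSB per cover byte, minus a 4-byte length header."""
    return len(cover) // 8 - 4

def _order(passphrase: str, n_cover: int) -> list:
    # Passphrase -> hash -> PRNG seed; the seed decides which cover bytes carry bits
    # (steghide derives its key/seed differently; this is a toy model).
    seed = int.from_bytes(hashlib.sha256(passphrase.encode()).digest()[:8], "big")
    order = list(range(n_cover))
    random.Random(seed).shuffle(order)
    return order

def embed(cover: bytes, payload: bytes, passphrase: str) -> bytes:
    """Write a length header plus the compressed payload into the cover's LSBs."""
    body = zlib.compress(payload)
    frame = len(body).to_bytes(4, "big") + body
    bits = [(b >> i) & 1 for b in frame for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("payload exceeds cover capacity")
    out = bytearray(cover)
    for pos, bit in zip(_order(passphrase, len(cover)), bits):
        out[pos] = (out[pos] & 0xFE) | bit            # touch only the LSB
    return bytes(out)

def extract(stego: bytes, passphrase: str):
    """Return the payload, or None when the passphrase gives the wrong bit order."""
    order = _order(passphrase, len(stego))
    def read(nbytes: int, start: int) -> bytes:
        vals = []
        for i in range(nbytes):
            bits = [stego[order[start + i * 8 + j]] & 1 for j in range(8)]
            vals.append(sum(b << j for j, b in enumerate(bits)))
        return bytes(vals)
    length = int.from_bytes(read(4, 0), "big")
    if 32 + length * 8 > len(stego):
        return None                                   # header read as noise
    try:
        return zlib.decompress(read(length, 32))
    except zlib.error:
        return None                                   # body decodes as noise
```

Calling extract(embed(COVER, b"meow\n", "meow"), "meow") returns the payload, while any other passphrase (or a cover that never had anything embedded) returns None, which is the toy equivalent of steghide's "could not extract any data" message.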

So, I obviously know the passphrase. But what if you don't, say at a CTF? Well, there's another fantastic tool! Enter stegseek! https://github.com/RickdeJager/stegseek
Stegseek is a super fast cracker and a super easy tool to use. It's similar to hashcat, but it's used specifically for cracking steghide passphrases!

(Note: You might have heard about or used stegcracker. Last time I used stegcracker it did not work very well, and in a previous article I mentioned that others using it on a CTF challenge I developed had trouble. I recommend replacing it with stegseek; running stegcracker will give you a similar message telling you to use stegseek!)

So first let's install stegseek using "sudo apt-get install stegseek -y". After that let's run "stegseek --help".

We can either attempt to crack the passphrase, or run the seed mode on the file to see whether a file has been embedded in it by steghide.

I am going to first run the seed command "stegseek --seed cute-kitten.jpg output.txt". This takes about 5 minutes.

The result gives us several things:

Possible seed: "dfb2b9b5"
Plain size: 42.- Bytes (compressed)
Encryption Alg: rijndael-128
Encryption mode: cbc

This gives us a pretty good idea that this is a steghide photo. Finding a seed, the data being compressed, and the use of rijndael and cbc lets us know that the file has most likely been modified by steghide.

Next, let's try and crack the password!

Remember our password is "meow"! Let's see if we can get it with rockyou.txt.

"stegseek --crack -sf cute-kitten.jpg -xf -wl /usr/share/wordlists/rockyou.txt output2.txt". Using that command it takes... literally seconds! One of the results is "Found passphrase: "meow"".

So let's enter that passphrase now with steghide.

"steghide --extract -sf cute-kitten.jpg"

When we enter meow we get the option to overwrite cute-kitten.txt with the extracted data. This doesn't matter that much for our demonstration.

And there we go! 

That's a small and simple example of how to use steghide. It's a great tool to use at CTFs, either for building a steganography challenge or for cracking a steghide challenge!

Thanks for taking the time to read and I hope you have a great week! Don't forget to hack the planet!!

-BlackCatt
