Skip to main content

Steganography ctf tools and using techniques.....

 Steganography ctf tools by Avi.....

Disclaimer: I have collected the following information from different sites, some youtube channels just to done things quickly during steg ctf challenges. 



@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

file command

eog command

strings <imagename> | grep -i flag



exiftool <image_name>

apt-get install exif

















Now decode the hex using the cyber chef tool or you can use the built-in python tool as described below image. 


******************************************************************

exiv2 command

******************************************************************

Binwalk command:

binwalk <image_name>

 

binwalk -e <image_name>

-e for extract

Using this tool, you can check whether there is a hidden archive data on that image or not.

How to extract archive data using binwalk.

binwalk -dd=”.*” <image_name>

binwalk -M -dd=”.*” <image_name>

 

after extraction, it saves under _StegPuzzle3.jpg.extracted directory.


******************************************************************

foremost <imagename>

******************************************************************

7z e something.7z

******************************************************************

gzip -d rockyou.txt.gz

 -d is for decompressing or uncompressed

******************************************************************

tar xvzf file.tar.gz

******************************************************************

unzip <file_name.zip>

******************************************************************

apt-get install unar

 unar <.rar file name>

 unrar -e <.rar file name>

******************************************************************

gem install zsteg

zsteg <png_image_name>

zsteg -a <png_image_name>

-a for everything

 zsteg -E b1,bgr,lsb,xy image.bmp

 Png files can be run in this tool.

 Png file can be run on, zsteg, eog, stegsolve.jar

 jpg file can also be open using eog


******************************************************************

Steghide

apt-get install steghide

steghide embed -ef secure.txt -cf <image_name>

-ef is embedfile

-cf is coverfile

steghide extract -sf <image_name> (it will then ask for password: if no password then just simply press enter)

-sf is stegfile

 Work for jpg and jpeg images. 

******************************************************************

Stegosuite

Apt-get install stegosuite

******************************************************************

dd command:

dd if=sourceimage.jpg bs=1 skip=1972141 of=example.zip

if is input file name from where you want to extract zip information.

Bs= block size

of is output file

skip is a decimal value. using binwalk command we know where is our zip file is located inside an image. binwalk command will help you to find out the hex value and its corresponding decimal value. dd command doesn’t understand hex value, so we need to put here decimal value. 



Outguess:

apt-get install outguess

 outguess -d something.txt steg_image.jpg output_steg_image.jpg

-d is texts that we want to embed with an image.

Steg_image.jpg is, we will embed the something.txt using this image.

Output_steg_image.jpg is, will be our final output image.

outguess -k password -d something.txt steg_image.jpg output_steg_image.jpg

-k is for password

 

outguess -r output_steg_image.jpg output.txt

-r means retrieve

Whatever the text the image contains, that will be redirected to output.txt files. 

******************************************************************

Hex editor command:

xxd for linux

xxd <image_name>

hexeditor <imagename>

hexdump <image_name>

HxD for windows


stegcracker:

apt-get install stegcracker

stegcracker ncd2020.jpg /usr/share/wordlists/rockyou.txt


Stegseek cracker:

Stegseek <image_name> <dictionary file path>


******************************************************************

Stegsolve.jar


******************************************************************

jstego:

Download from here:

https://sourceforge.net/projects/jstego/

To run:

java -jar jstego-0.3.jar

When you have large jpg files (most probably two images to compare) then you can use this tool to extract information's from those images. 

******************************************************************

ImgStegano

To run:

java -jar ImgStegano.jar

******************************************************************

JPG FFD9 (FF D9)


The terminating byte of a jpg image in hex is FFD9. If you see after that something start with PK-phill catz all the way to the end, then it might be a .zip file hiding inside that image. that .zip file contains the flag. Copy those highlighted text on a new window in HxD and save it as .zip

Extract it. You might get the flag.

 

Now let’s see, how you can do the same in kali linux. 


We can leverage binwalk and dd command. First use binwalk command to see where your zip archive data is. Mark that hex value (offset) 0x1E17AD. Now, note that corresponding decimal value of that hex value that is 1972141

Now use dd command.

dd if=example.jpg bs=1 skip=1972141 of=secret.zip


******************************************************************

Magic number of a .png image file:

89 50 4E 47 0D 0A 1A 0A

Use hex editor to edit it.

If a .png file starts with PK-Phill Katz, then it will tell you it’s a zip archive file when you check it via file command. But, actually its not.

If you see, the magic hex numbers are not there, put those there and then try to open the png file.

******************************************************************

Tesseract-ocr

Optical character recognition. If this is a high-resolution image then my methodology is, convert the image in more bigger format so that we can extract the image text more efficiently.

Command in kali:

convert ocr_cool.png -scale 300% output.png

A good tool that read the text from an image file is called tesseract.

Apt-get install tesseract-ocr

 

Tesseract <image file from that we want to read text> <out>

Here out is output text file…

******************************************************************

Pngsum tool:


Pngcsum is our file after extracting it from pngcsum-v01.tar.gz

./pngcsum <corrupted_file> <newly_correct_generated_file>

if pngsum unable to run then check its file permission. 

chmod +x pngsum

******************************************************************

tweakpng:

download the tool from the below link. 

http://entropymine.com/jason/tweakpng


******************************************************************

Stegoveritas:

https://github.com/bannsec/stegoVeritas

how to install in kali:

pip3 install stegoveritas

stegoveritas_install_deps

******************************************************************














Online steg tools:

https://www.mcafee.com/enterprise/en-us/downloads/free-tools/steganography.html

https://aperisolve.fr

https://futureboy.us/stegano/decinput.html

https://lukeslytalker.pythonanywhere.com/?fbclid=IwAR0NCOlUkkcujmSsqxw8t_b10a_wdfpm5Iw79RqkRdvQAlrMlsCVAW9yLRs


Online barcode reader:

https://online-barcode-reader.inliteresearch.com/

https://zxing.org/w/decode.jspx 



Unicode text steganography:

npiet online:

both the above tool you will get from this link, https://0xrick.github.io/lists/stego/



 

Resources:

https://0xrick.github.io/lists/stego/

https://resources.infosecinstitute.com/topic/steganography-and-tools-to-perform-steganography/

https://ctfs.github.io/resources/topics/steganography/file-in-image/README.html


Virtual punch card reader:

https://www.masswerk.at/cardreader/


Whitespace steganography:

https://neatnik.net/steganographr


Zero width white space steganography

https://neatnik.net/steganographr/

 

Installing sonic visualizer:

Download .deb package of sonic visualizer from their website.

sudo dpkg -i <.deb file> 

-i for install

or sudo apt install sonic-visualizer




Wavsteg:

github below link is explained how to install.

https://github.com/ragibson/Steganographt#WavSteg




http://fotoforensics.com/

Which can detect digital modification.


Grep command feature for hash or string finding from heystack file:

Main command:

cat grep_practice.txt | grep -e "[0-9a-f]\{32\}" -w  -o | sort -u

Only 32-bit hash will display as output from the below txt file. 

 


root@kali:~/Desktop# cat grep_practice.txt | grep -e "[0-9a-f]\{32\}"

it will display all the strings that has character count 32 and 32+

632e1c9b593b0faf778e6de166448d93 (32)

632e1c9b593b0faf778e6de166448d945487343 (32+)


root@kali:~/Desktop# cat grep_practice.txt | grep -e "[0-9a-f]\{32\}" -w 

it will display only string that has exact character count equal to 32

632e1c9b593b0faf778e6de166448d93




cat haystack.txt | grep -o “flag{[a-z_]\{,16\}}” > output.txt

-o for an exact match

\{,16\} we don’t know the minimum length that is why, (comma given); and the maximum length is 16 as said on the hints.

\{ \} means this is not in the part of the regular expression.

Now it is better to save the output in a text file. That will help you to find the text quickly.


#############################################################################

Deep sound software is windows based software. Using this software you can extract something from an audio (.wav) file. And using sonic visualizer, you can find out if something is written into that audio file by analyzing that audio file's spectrogram. 

#############################################################################


binary to hex to ascii:



decode hex using python:





base64 decode:

echo "base 64 code" | base64 -d 


url decode:


if found something like %D, %7D etc, then url decoder will help. 

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

 
qr code reader via shell:

zbarimg:

sudo apt install zbar-tools

To use:
 
zbarimg qrcode.png

Now you should get whatever the qrcode image is hiding in its mechanism on your shell. 


@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

cut command:



@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Gimp install:

sudo apt install gimp (in kali or ubuntu machine)

 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 
MPlayer:
 
mplayer something.exe (here exe is assume mpeg file) 
 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@


Solving Animated QR code with different color:


https://ezgif.com/split   (you can try with this site)

convert challenge.gif %d.png

Now you will get 0-119 total 120 png files. 

Now you need to arrange the files in order for example, 0 10 20 30 40 50 60 70 80 90 100 110
then 1 11 21 31 41 51 61 71 81 91 101 111

for this one:
0 10 20 30 40 50 60 70 80 90 100 110   (assume all of them has extension as .png)

convert -append *0.png output.png

Now you should get a valid QR code. Like this find other QR codes as well. 


or you can try this one.

convert challenge.gif  %04d.png

Now you shall get 0000.png 0001.png ----------0119.png

for 0000.png 0010.png 0020.png 0030.png ----up to 0110.png

convert -append *0.png output.png    (as all the files ends with 0 so we can write *0.png)


We can run a for loop to do this very quickly.

for i in {0..9}; do convert -append *${i}.png ${i}out.png; done

Now you need to read the QR codes to see what is in it.

zbarimg *out.png

###########################################################

 
 
 
###########################################################
 
.apng images:
 
sudo apt-cache search apng  (to see what are the tools available to deal with apng image)
 
sudo apt-get install apngdis
 
apngdis ugo.apng  (it will extract 61 images along with some text files) 
 
pngcheck ugo.apng
 
composite *.png -compose difference difference.png  (composite all the differences from those png images into a single file. sometimes flag come out by doing this)
 
 
phase 2 challenge hacky holidays space race ctf 2021
 
if you see decimal values in a text file along with some other values then try to decode decimal values. It will give you the flag. 
 
########################################################### 

Comments

Post a Comment

Popular posts from this blog

Install Nessus from docker

The below two commands you need to run first one by one:  docker run -itd --name=ramisec_nessus -p 8834:8834 ramisec/nessus docker exec -it ramisec_nessus /bin/bash /nessus/update.sh Username: admin And you need to change the password: #Enter the command line of the docker container docker exec -it ramisec_nessus bash #Execute the following commands in sequence # Enter this directory cd /opt/nessus/sbin # List logged in users ./nessuscli lsuser # Modify the password of the specified user (take admin as an example) ./nessuscli chpasswd admin After access to the nessus, make sure you turn off the automatic updates otherwise crack will not work after some time. Before any scan you need to run the update.sh command (shown above) to have the latest plugins. Now everytime your system reboots, your docker instance will be shutdown. You need to up it again manually. Here are the commands.  1. docker ps -a    Now note down the container id. 2. docker start <container id> C
Post a Comment
Read more

net command cheat sheet

  To see what users present in the system: net user To see local groups in the system: net localgroup To see domain groups. This should be run on a domain controller: net group To see the details of a user along with his/her group membership: net user mahim To see who are the members of a particular group (local machine): net localgroup "administrators"    (These are not case sensitive. You can use administrators or Administrators. Both will give you same result. To see who are the members of a particular group (domain machine): net group "domain admins" Create a local user: net user localuser1 MyP@ssw0rd /add Create a domain user: net user domainuser1 MyP@ssw0rd /add /domain Add the local user to local admin group: net localgroup Administrators localuser1 /add Add the user to domain admin group: net group "Domain Admins" domainuser1 /add /domain Avi
Post a Comment
Read more