Stego-Toolkit – Collection Of Steganography Tools (Helps With CTF Challenges)


This project is a Docker image useful for solving Steganography challenges such as those you can find on CTF platforms like hackthebox.eu. The image comes preinstalled with many popular tools (see list below) and several screening scripts you can use to check simple things (for instance, run check_jpg.sh image.jpg to get a report for this JPG file).

Usage

First make sure you have Docker installed (how to). Then you can use the shell scripts bin/build.sh and bin/run.sh in this repo to build the image and run the container. You will be dropped into a bash shell inside the container. It will have the data folder mounted, into which you can put the files to analyze.

If you do not use the scripts, follow these steps:

  1. Build the image (docker build -t <image_name> .) or pull it from Docker Hub (docker pull dominicbreuker/stego-toolkit)
  2. Start a container with your data mounted to the folder /data (docker run -it -v /local/folder/with/data:/data <image_name> /bin/bash; note that -v must come before the image name)
  3. Use CLI tools and screening scripts on your data: e.g., run check_jpg.sh image.jpg to create a quick report, or run brute_jpg.sh image.jpg wordlist.txt to try extracting hidden data with various tools and passwords
  4. If you want to run GUI tools, use one of these two methods:
  • Run start_ssh.sh and connect to your container with X11 forwarding
  • Run start_vnc.sh and connect to the container's desktop through your browser

Check out the following sections for more information:

  • What tools are installed? Go here
  • What scripts can I run to quickly screen files automatically or brute force them? Go here
  • How can I play with different Steganography examples to see if I can break them? Go here
  • How can I run GUI tools inside the container? Go here

Demo
Start with docker run -it --rm -v $(pwd)/data:/data dominicbreuker/stego-toolkit /bin/bash. You will be dropped into a container shell in the working directory /data. Your host folder $(pwd)/data will be mounted and the images inside will be accessible.

Tools
Many different Linux and Windows tools are installed. Windows tools are supported with Wine. Some tools can be used on the command line while others require GUI support!

Command line interface tools
These tools can be used on the command line. All you have to do is start a container and mount the steganography files you want to check.

General screening tools
Tools to run at the beginning. They help you get a broad idea of what you are dealing with.

  • file: Check out what kind of file you have. Usage: file stego.jpg
  • exiftool: Check out the metadata of media files. Usage: exiftool stego.jpg
  • binwalk: Check out if other files are embedded/appended. Usage: binwalk stego.jpg
  • strings: Check out if there are interesting readable characters in the file. Usage: strings stego.jpg
  • foremost: Carve out embedded/appended files. Usage: foremost stego.jpg
  • pngcheck: Get details on a PNG file (or find out if it is actually something else). Usage: pngcheck stego.png
  • identify: GraphicsMagick tool to check what kind of image a file is. Also checks if the image is corrupted. Usage: identify -verbose stego.jpg
  • ffmpeg: ffmpeg can be used to check the integrity of audio files and let it report infos and errors. Usage: ffmpeg -v info -i stego.mp3 -f null - to recode the file and throw away the result

Tools detecting steganography
Tools designed to detect steganography in files. They mostly perform statistical tests and will reveal hidden messages only in simple cases. However, they may provide hints what to look for if they find interesting irregularities.

  • stegoVeritas (Images: JPG, PNG, GIF, TIFF, BMP): All kinds of simple and advanced checks. Check out stegoveritas.py -h. Checks metadata, creates many transformed images and saves them to a directory, brute forces LSB, ... Usage: stegoveritas.py stego.jpg to run all checks
  • zsteg (Images: PNG, BMP): Detects various LSB stego, also openstego and the Camouflage tool. Usage: zsteg -a stego.png to run all checks
  • stegdetect (Images: JPG): Performs statistical tests to find out if a stego tool was used (jsteg, outguess, jphide, ...). Check out man stegdetect for details. Usage: stegdetect stego.jpg
  • stegbreak (Images: JPG): Brute force cracker for JPG images. Claims it can crack outguess, jphide and jsteg. Usage: stegbreak -t o -f wordlist.txt stego.jpg; use -t o for outguess, -t p for jphide or -t j for jsteg

Tools actually doing steganography
Tools you can use to hide messages and reveal them afterwards. Some encrypt the messages before hiding them. If they do, they require a password. If you have a hint what kind of tool was used or what password might be right, try these tools. Some tools are supported by the brute force scripts available in this Docker image.

  • AudioStego (Audio: MP3 / WAV): Details on how it works are in this blog post. Hide: hideme cover.mp3 secret.txt && mv ./output.mp3 stego.mp3. Recover: hideme stego.mp3 -f && cat output.txt
  • jphide/jpseek (Image: JPG): Pretty old tool from here. Here, the version from here is installed since the original one crashed all the time. It prompts for a passphrase interactively! Hide: jphide cover.jpg stego.jpg secret.txt. Recover: jpseek stego.jpg output.txt
  • jsteg (Image: JPG): LSB stego tool. Does not encrypt the message. Hide: jsteg hide cover.jpg secret.txt stego.jpg. Recover: jsteg reveal stego.jpg output.txt
  • mp3stego (Audio: MP3): Old program. Encrypts and then hides a message (3DES encryption!). Windows tool running in Wine. Requires WAV input (may throw errors for certain WAV files; what works for me is e.g.: ffmpeg -i audio.mp3 -flags bitexact audio.wav). Important: use absolute paths only! Hide: mp3stego-encode -E secret.txt -P password /path/to/cover.wav /path/to/stego.mp3. Recover: mp3stego-decode -X -P password /path/to/stego.mp3 /path/to/out.pcm /path/to/out.txt
  • openstego (Images: PNG): Various LSB stego algorithms (check out this blog). Still maintained. Hide: openstego embed -mf secret.txt -cf cover.png -p password -sf stego.png. Recover: openstego extract -sf stego.png -p password -xf output.txt (omit -xf to create a file with the original name!)
  • outguess (Images: JPG): Uses "redundant bits" to hide data. Comes in two versions: old=outguess-0.13 taken from here and new=outguess from the package repos. To recover, you must use the one that was used for hiding. Hide: outguess -k password -d secret.txt cover.jpg stego.jpg. Recover: outguess -r -k password stego.jpg output.txt
  • spectrology (Audio: WAV): Encodes an image in the spectrogram of an audio file. Hide: TODO. Recover: use the GUI tool sonic-visualiser
  • stegano (Images: PNG): Hides data with various (LSB-based) methods. Also provides some screening tools. Hide: stegano-lsb hide --input cover.jpg -f secret.txt -e UTF-8 --output stego.png, or stegano-red hide --input cover.png -m "secret msg" --output stego.png, or stegano-lsb-set hide --input cover.png -f secret.txt -e UTF-8 -g $GENERATOR --output stego.png for various generators (stegano-lsb-set list-generators). Recover: stegano-lsb reveal -i stego.png -e UTF-8 -o output.txt, or stegano-red reveal -i stego.png, or stegano-lsb-set reveal -i stego.png -e UTF-8 -g $GENERATOR -o output.txt
  • Steghide (Images: JPG, BMP; Audio: WAV, AU): Versatile and mature tool to encrypt and hide data. Hide: steghide embed -f -ef secret.txt -cf cover.jpg -p password -sf stego.jpg. Recover: steghide extract -sf stego.jpg -p password -xf output.txt
  • cloackedpixel (Images: PNG): LSB stego tool for images. Hide: cloackedpixel hide cover.jpg secret.txt password creates cover.jpg-stego.png. Recover: cloackedpixel extract cover.jpg-stego.png output.txt password
  • LSBSteg (Images: PNG, BMP, ... in uncompressed formats): Simple LSB tools with very nice and readable Python code. Hide: LSBSteg encode -i cover.png -o stego.png -f secret.txt. Recover: LSBSteg decode -i stego.png -o output.txt

Steganography GUI tools
All tools below have graphical user interfaces and cannot be used from the command line. To run them, you must make an X11 server available inside the container. Two methods are supported:

  • run start_ssh.sh to fire up an SSH server. Connect afterwards with X11 forwarding. Requires an X11 server on your host!
  • run start_vnc.sh to fire up a VNC server + client. Connect afterwards with your browser to port 6901 and you get an Xfce desktop. No host dependencies!

Alternatively, find other ways to make X11 available inside the container. Many different ways are possible (e.g., mounting UNIX sockets).

  • Steg (Images: JPG, TIFF, PNG, BMP): Handles many file types and implements different methods. Start: steg
  • Steganabara (the original link is broken) (Images: ???): Interactively transform images until you find something. Start: steganabara
  • Stegsolve (Images: ???): Interactively transform images, view color planes separately, ... Start: stegsolve
  • SonicVisualiser (Audio: ???): Visualize audio files as waveforms, show spectrograms, ... Start: sonic-visualiser
  • Stegosuite (Images: JPG, GIF, BMP): Can encrypt and hide data in images. Actively developed. Start: stegosuite
  • OpenPuff (Images, Audio, Video: many formats): Sophisticated tool with a long history. Still maintained. Windows tool running in Wine. Start: openpuff
  • DeepSound (Audio: MP3, WAV): Audio stego tool trusted by Mr. Robot himself. Windows tool running in Wine (very hacky, requires VNC and runs in a virtual desktop, MP3 broken due to a missing DLL!). Start: deepsound, only in a VNC session
  • cloackedpixel-analyse (Images: PNG): LSB stego visualization for PNGs; use it to detect suspiciously random LSB values in images (values close to 0.5 may indicate encrypted data is embedded). Start: cloackedpixel-analyse image.png
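To make the LSB idea behind tools like jsteg/LSBSteg (listed above) and the cloackedpixel-analyse ratio check concrete, here is an added example that is not part of the toolkit: it embeds and extracts a payload in the least significant bits of pixel bytes and computes the fraction of LSBs set to 1. The cover image is a constructed 64x64 grayscale gradient standing in for decoded PNG pixel data, so it runs without an image library; the length prefix and the 0.5 heuristic are my own simplifications of what the real tools do.

```python
import random

# Constructed cover "image": 64x64 grayscale pixel bytes forming a smooth gradient.
# It stands in for the decoded pixel data of a cover PNG; no image library needed.
WIDTH, HEIGHT = 64, 64
COVER = bytes(((x + y) * 2) & 0xFF for y in range(HEIGHT) for x in range(WIDTH))


def lsb_hide(pixels: bytes, payload: bytes) -> bytes:
    """Embed payload in the least significant bit of consecutive pixels, the way
    jsteg/LSBSteg-style tools do. A 32-bit big-endian length prefix comes first."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]
    if len(bits) > len(pixels):
        raise ValueError("payload does not fit into the cover")
    stego = bytearray(pixels)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & 0xFE) | bit
    return bytes(stego)


def lsb_reveal(pixels: bytes) -> bytes:
    """Read the length prefix from the LSB plane, then that many payload bytes."""
    def read_bytes(count: int, bit_offset: int) -> bytes:
        value = 0
        for i in range(count * 8):
            value = (value << 1) | (pixels[bit_offset + i] & 1)
        return value.to_bytes(count, "big")
    length = int.from_bytes(read_bytes(4, 0), "big")
    return read_bytes(length, 32)


def lsb_one_ratio(pixels: bytes) -> float:
    """Fraction of pixels whose LSB is 1: the statistic cloackedpixel-analyse
    visualises. Values near 0.5 suggest random-looking (e.g. encrypted) data."""
    return sum(p & 1 for p in pixels) / len(pixels)


def demo() -> dict:
    """Compare the LSB statistic for the clean cover, a short text message and
    a random payload filling most of the image (stands in for encrypted data)."""
    text = b"This is a very secret message!"
    rng = random.Random(1234)  # fixed seed so the numbers are reproducible
    noise = bytes(rng.getrandbits(8) for _ in range(480))
    return {
        "cover": lsb_one_ratio(COVER),
        "text": lsb_one_ratio(lsb_hide(COVER, text)),
        "random": lsb_one_ratio(lsb_hide(COVER, noise)),
    }
```

The constructed gradient has a ratio of exactly 0, a short plaintext message barely moves it, and the random payload pushes it toward 0.5; on real photos the clean baseline is itself noisy, which is why the page calls the 0.5 value a hint rather than proof.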

Screening scripts
Many tools above do not require interaction with a GUI. Therefore, you can easily automate some workflows to do basic screening of files potentially containing hidden messages. Since the applicable tools differ by file type, each file type has different scripts.
For each file type, there are two kinds of scripts:

  • XXX_check.sh <stego-file>: runs basic screening tools and creates a report (+ possibly a directory with reports in files)
  • XXX_brute.sh <stego-file> <wordlist>: tries to extract a hidden message from a stego file with various tools using a wordlist (cewl, john and crunch are installed to generate lists; keep them small).

The following file types are supported:

  • JPG: check_jpg.sh and brute_jpg.sh (brute running steghide, outguess, outguess-0.13, stegbreak, stegoveritas.py -bruteLSB)
  • PNG: check_png.sh and brute_png.sh (brute running openstego and stegoveritas.py -bruteLSB)
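A minimal check script of the kind described above, written in Python as an added example (it is not the toolkit's own check_jpg.sh): it runs whichever of the general screening tools listed earlier are installed, skips missing ones instead of aborting, and collects everything into one report. The tool names and flags are the standard ones; the report layout and the list of tools tried are my own choices.

```python
import shutil
import subprocess
from pathlib import Path

# Screening tools in the order a check script would try them; each entry is
# (report section name, command template). "{f}" is replaced with the target path.
TOOLS = [
    ("file", ["file", "{f}"]),
    ("exiftool", ["exiftool", "{f}"]),
    ("binwalk", ["binwalk", "{f}"]),
    ("strings", ["strings", "-n", "8", "{f}"]),
    ("pngcheck", ["pngcheck", "-v", "{f}"]),
    ("identify", ["identify", "-verbose", "{f}"]),
]


def run_tool(argv, target, timeout=60):
    """Run one tool with the target substituted in. Returns its combined output,
    or None if the tool is not installed, so a missing tool never aborts screening."""
    argv = [arg.replace("{f}", str(target)) for arg in argv]
    if shutil.which(argv[0]) is None:
        return None
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return proc.stdout + proc.stderr  # keep stderr: tools report corruption there


def screen_file(target, report_path):
    """Run every available screening tool on target and write a plain-text report.
    Returns the names of the tools that actually ran."""
    target, report_path = Path(target), Path(report_path)
    ran = []
    with report_path.open("w") as report:
        report.write(f"Screening report for {target.name}\n")
        for name, argv in TOOLS:
            output = run_tool(argv, target)
            if output is None:
                report.write(f"\n== {name}: not installed, skipped ==\n")
                continue
            ran.append(name)
            report.write(f"\n== {name} ==\n{output}")
    return ran
```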

Wordlist generation
The brute forcing scripts above need wordlists. Imho it will very likely not help to use huge standard wordlists like rockyou. The scripts are too slow for that and stego challenges seem not to be designed for this. A more likely scenario is that you have a hunch what the password could be but you do not know exactly.
For these cases, several tools to generate wordlists are included:

  • john: the community enhanced version of John the Ripper can expand your wordlists. Create a base wordlist with a few candidate passwords and use john to create many variants of them. Use john -wordlist:/path/to/your/wordlist -rules:Single -stdout > /path/to/expanded/wordlist to apply extensive rules (~x1000) or john -wordlist:/path/to/your/wordlist -rules:Wordlist -stdout > /path/to/expanded/wordlist for a reduced ruleset (~x50).
  • crunch: can generate small wordlists if you have a pattern in mind. For instance, if the password ends with 1984 and is 6 characters long, crunch 6 6 abcdefghijklmnopqrstuvwxyz -t @@1984 will generate the 26 * 26 = 676 passwords aa1984, ab1984, ... up to zz1984. The format is crunch <min-length> <max-length> <charset> <options> and we used the templating option. Check out less /usr/share/crunch/charset.lst to see the charsets crunch ships with.
  • CeWL: can generate wordlists if a website is related to a password. For instance, run cewl -d 0 -m 8 https://en.wikipedia.org/wiki/Donald_Trump if you suspect a picture of Donald Trump contains an encrypted hidden message. The command scrapes the site and extracts strings at least 8 characters long.

Steganography examples
The image contains a sample image and a sample audio file, each in several formats:

  • /examples/ORIGINAL.jpg
  • /examples/ORIGINAL.png
  • /examples/ORIGINAL.mp3
  • /examples/ORIGINAL.wav

It also contains a script /examples/create_examples.sh which you can run to embed a hidden message ("This is a very secret message!") into these files with many different methods. After running this script, you will find the results in /examples/stego-files with their names indicating which tool was used to embed the message. You can run the screening scripts to see if they find anything on them, or try to break them otherwise.

GUI and Containers
By default, no GUI tools can be run in a Docker container as no X11 server is available. To run them, you must change that. What is required to do so depends on your host machine. If you:

  • run on Linux, you probably have X11
  • run on Mac OS, you need XQuartz (brew install Xquartz)
  • run on Windows, you have a problem

Use X11 forwarding via SSH if you want to go this way. Run start_ssh.sh inside the container to start the server, make sure you expose port 22 when starting the container (docker run -p 127.0.0.1:22:22 ...), then use ssh -X ... when connecting (the script prints the password).
To not depend on X11, the image comes with a TigerVNC server and a noVNC client. You can use it to open an HTML5 VNC session with your browser to connect to the container's Xfce desktop. To do that, run start_vnc.sh inside the container to start server and client, make sure you expose port 6901 when starting the container (docker run -p 127.0.0.1:6901:6901 ...) and go to localhost:6901/?password=<the_password> (the script prints the password).

Using SSH with X11 forwarding

Commands in the GIF for copy & paste:

# in 1st host shell
docker run -it --rm -p 127.0.0.1:22:22 dominicbreuker/stego-toolkit /bin/bash

# inside container shell
start_ssh.sh

# in 2nd host shell (use it to launch GUI apps afterwards)
ssh -X -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no root@localhost

Using Browser and VNC

Commands in the GIF for copy & paste:

# in 1st host shell
docker run -it --rm -p 127.0.0.1:6901:6901 dominicbreuker/stego-toolkit /bin/bash

# inside container shell
start_vnc.sh

# in browser, connect with: http://localhost:6901/?password=<password_from_start_vnc>

Link collection
This is a collection of useful Steganography links:

  • You should be able to spot codes. Check out this cheat sheet from Eric Harshbarger, which contains many different codes.
  • Cheatsheet describing workflows, things to look for and common tools: click
  • Forensics CTF guide with several ideas for stego challenges: click
  • File format descriptions as beautiful posters: click

References
The following example media files are included in this repository:
