Steganography
Hack Responsibly.
Always ensure you have explicit permission to access any computer system before using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
Steganography Checklist
TODO: clean up steganography CTF checklist (issue #17)
Properly link all tools and attributions
Add description for what the checklist is for
Make sure all tools still exist
Check author's site for updates
Add "Resources" section at bottom
Find link for "feature for randomizing the color palette" (section 10.ii) on author's site
Credit to Ge0rg3 for this great checklist. His site also has custom examples for each situation below.
File
1. Just to be sure what filetype you are facing, check with
file <filename>
2. If something seems strange, the next step would be to open the file with GHex and check the file's "magic bytes". Sometimes they are missing, or have been corrupted or obscured.
Strings
View all strings in the file with
strings -n 6 -t x <filename>
I typically use -n 6 to find strings of length 6+, and -t x to view their position in the file.
Alternatively, you can view strings on this site once an image has been uploaded.
Exif
Check all image metadata. I would recommend Jeffrey's Image Metadata Viewer for in-depth analysis.
Exiftool is another common one.
Binwalk
Next you can use binwalk to check images for hidden embedded files. My preferred syntax is
binwalk -Me <filename>
-Me is used to recursively extract any files.
pngcheck
We can use pngcheck to inspect optional chunks and spot broken ones. This is vital if the image appears corrupt. Run
pngcheck -vtp7f <filename>
to view all info. -v is for verbose, -t and -7 display tEXt chunks, -p displays the contents of some other optional chunks, and -f forces continuation if major errors are encountered.
Related write-ups: PlaidCTF 2015, SECCON Quals 2015
Explore Color & Bit Planes
Images can be hidden inside of the color/bit planes. Upload your image to this site, then on the image menu page explore all options in the top panel (e.g. Full Red, Inverse, LSB, etc.).
Go to "Browse Bit Planes", and browse through all available planes.
If there appears to be some static at the top of any planes, try extracting the data from them in the "Extract Files/Data" menu.
Related write-ups: MicroCTF 2017, CSAW Quals 2016, ASIS Cyber Security Contest Quals 2014, Cybersocks Regional 2016
Extract Least Significant Bit (LSB) Data
As mentioned in the Explore Color & Bit Planes section, there could be some static in the bit planes. If so, navigate to the "Extract Files/Data" page and select the relevant bits.
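As an added example (not from the checklist author's site or any of the tools linked here), a small pure-Python walker that does the pngcheck-style chunk and CRC check, decodes tEXt chunks, reports anything trailing after IEND, and packs the sample LSBs into bytes as in the bit-plane and LSB steps. Everything is constructed inside the block: the sample PNG is built by the block itself, and only scanline filter type 0 is handled (real images usually need unfiltering first).

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"  # the "magic bytes" checked in the File step

def walk_png(data):
    """Walk the chunk list the way pngcheck does: (chunks, bytes after IEND)."""
    if data[:8] != PNG_SIG:
        raise ValueError("missing PNG magic bytes")
    pos, chunks = 8, []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        stored = data[pos + 8 + length:pos + 12 + length]
        crc_ok = len(stored) == 4 and struct.unpack(">I", stored)[0] == zlib.crc32(ctype + body)
        chunks.append({"type": ctype.decode("latin-1"), "data": body, "crc_ok": crc_ok})
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, data[pos:]  # trailing data is what binwalk would flag

def text_chunks(chunks):
    """Decode tEXt chunks (keyword, NUL, text), i.e. what pngcheck -t prints."""
    pairs = [c["data"].partition(b"\x00") for c in chunks if c["type"] == "tEXt"]
    return [(k.decode("latin-1"), v.decode("latin-1")) for k, _, v in pairs]

def lsb_bytes(chunks, width, channels=3):
    """Pack the LSB of every 8-bit sample into bytes (LSB step); filter type 0 only."""
    raw = zlib.decompress(b"".join(c["data"] for c in chunks if c["type"] == "IDAT"))
    stride, bits = 1 + width * channels, []
    for row in range(len(raw) // stride):
        line = raw[row * stride:(row + 1) * stride]
        if line[0] != 0:
            raise ValueError("filtered scanline; unfilter it before reading LSBs")
        bits.extend(b & 1 for b in line[1:])
    return bytes(sum(bit << (7 - j) for j, bit in enumerate(bits[i:i + 8]))
                 for i in range(0, len(bits) - 7, 8))

def make_chunk(ctype, body, corrupt_crc=False):
    crc = zlib.crc32(ctype + body) ^ (1 if corrupt_crc else 0)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def build_sample_png():
    """Constructed 8x1 RGB PNG: 'Hi!' in the LSBs, a tEXt chunk with a bad CRC, junk after IEND."""
    bits = [(byte >> (7 - i)) & 1 for byte in b"Hi!" for i in range(8)]
    row = b"\x00" + bytes(200 + b for b in bits)  # filter byte + 24 samples
    ihdr = struct.pack(">IIBBBBB", 8, 1, 8, 2, 0, 0, 0)  # 8x1, 8-bit, colour type 2 (RGB)
    return (PNG_SIG + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"tEXt", b"Comment\x00flag{example}", corrupt_crc=True)
            + make_chunk(b"IDAT", zlib.compress(row)) + make_chunk(b"IEND", b"") + b"JUNK")
```

Running walk_png on the constructed image reports the bad tEXt CRC and the 4 trailing bytes, and lsb_bytes recovers the hidden text.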
Check RGB Values
ASCII Characters/other data can be hidden in the RGB(A) values of an image.
Upload your image here and preview the RGBA values. Try converting them to text, and see if any flag is found. It might be worth looking at just the R/G/B/A values on their own.
Related write-ups: MMA-CTF-2015
Steghide
Found a password? (Or not?)
If you've found a password, the go-to application to check should be steghide. Bear in mind that this can sometimes be used without a password, too. You can extract data by running
steghide extract -sf <filename>
Other stego tools (may need passwords to retrieve information):
OpenStego
Stegpy
Outguess
jphide
Associated write-ups: Pragyan CTF 2017, Xiomara 2019, CSAW Quals 2015, BlackAlps Y-NOT-CTF (JFK Challenge)
Browse Color Palette
If the PNG is colour type 3 (palette-based), you should look through the color palette.
This site (TODO: find site link) has a feature for randomizing the color palette, which may reveal the flag. You can also browse through each color in the palette, if the flag is the same color.
It may also be worth looking at the palette indexes themselves, as a string may be visible from there.
Related write-ups: PlaidCTF 2014
Pixel Value Differencing (PVD/MPVD)
This is a method where the differences between pixel pairs are measured and slightly adjusted in order to hide data.
It would be rare to have a case of PVD where you're not explicitly told (or perhaps hinted at) that this is the steganographic method, as it's very niche.
Related write-ups: TJCTF 2019, MMA-CTF 2015
Misc
StegCracker - https://pypi.org/project/stegcracker/ - brute-force tool for finding steghide passwords and extracting the data (works well; uses rockyou.txt as the default wordlist)
Extract files from stego'd files: binwalk -Me <filename>
http://bigwww.epfl.ch/demo/ip/demos/FFT/ - Fast Fourier Transform online tool. Check this to test stego images that can't be solved with other stuff
https://0xrick.github.io/lists/stego/
https://github.com/DominicBreuker/stego-toolkit/blob/master/README.md#tools
https://pequalsnp-team.github.io/cheatsheet/steganography-101
References