stego-toolkit
Steganography Toolkit
This project is a Docker image useful for solving Steganography challenges as those you can find at CTF platforms like hackthebox.eu.
The image comes pre-installed with many popular tools (see list below) and several screening scripts you can use check simple things (for instance, run check_jpg.sh image.jpg
to get a report for a JPG file).
Usage
First make sure you have Docker installed (how to).
Then you can use the shell scripts bin/build.sh
and bin/run.sh
in this repo to build the image and run the container.
You will be dropped into a bash shell inside the container.
It will have the data
folder mounted, into which you can put the files to analyze.
If you don’t use the scripts, follow these steps:
-
Build image (
docker build -t <image_name> .
) or pull from Docker hub (docker pull dominicbreuker/stego-toolkit
) -
Start a container with your files mounted to the folder
/data
(docker run -it <image_name> -v /local/folder/with/data:/data /bin/bash
) -
Use CLI tools and screening scripts on your files: e.g., run
check_jpg.sh image.jpg
to create a quick report, or runbrute_jpg.sh image.jpg wordlist.txt
to try extracting hidden data with various tools and passwords - If you want to run GUI tools use one of these two ways:
-
Run
start_ssh.sh
and connect to your container with X11 forwarding -
Run
start_vnc.sh
and connect to the container’s Desktop through your browser
Check out the following sections for more information:
- What tools are installed? Go here
- What scripts can I run to quickly screen files automatically or brute force them? Go here
- How can I play with different Steganography examples to see if I can break them? Go here
- How can I run GUI tools inside the container? go here
Demo
Start with docker run -it --rm -v $(pwd)/data:/data dominicbreuker/stego-toolkit /bin/bash
.
You will be dropped into a container shell in work dir /data
.
Your host folder $(pwd)/data
will be mounted and the images inside will be accessible.
Tools
Many different Linux and Windows tools are installed.
Windows tools are supported with Wine.
Some tools can be used on the command line while others require GUI support!
Command line interface tools
These tools can be used on the command line.
All you have to do is start a container and mount the steganography files you want to check.
General screening tools
Tools to run in the beginning.
Allow you to get a broad idea of what you are dealing with.
Tool
Description
How to use
file
Check out what kind of file you have
file stego.jpg
exiftool
Check out metadata of media files
exiftool stego.jpg
binwalk
Check out if other files are embedded/appended
binwalk stego.jpg
strings
Check out if there are interesting readable characters in the file
strings stego.jpg
foremost
Carve out embedded/appended files
foremost stego.jpg
pngcheck
Get details on a PNG file (or find out is is actually something else)
pngcheck stego.png
identify
GraphicMagick tool to check what kind of image a file is. Checks also if image is corrupted.
identify -verbose stego.jpg
ffmpeg
ffmpeg can be used to check integrity of audio files and let it report infos and errors
ffmpeg -v info -i stego.mp3 -f null -
to recode the file and throw away the result
Tools detecting steganography
Tools designed to detect steganography in files.
Mostly perform statistical tests.
They will reveal hidden messages only in simple cases.
However, they may provide hints what to look for if they find interesting irregularities.
Tool
File types
Description
How to use
stegoVeritas
Images (JPG, PNG, GIF, TIFF, BMP)
A wide variety of simple and advanced checks. Check out stegoveritas.py -h
. Checks metadata, creates many transformed images and saves them to a directory, Brute forces LSB, …
stegoveritas.py stego.jpg
to run all checks
zsteg
Images (PNG, BMP)
Detects various LSB stego, also openstego and the Camouflage tool
zsteg -a stego.jpg
to run all checks
stegdetect
Images (JPG)
Performs statistical tests to find if a stego tool was used (jsteg, outguess, jphide, …). Check out man stegdetect
for details.
stegdetect stego.jpg
stegbreak
Images (JPG)
Brute force cracker for JPG images. Claims it can crack outguess
, jphide
and jsteg
.
stegbreak -t o -f wordlist.txt stego.jpg
, use -t o
for outguess, -t p
for jphide or -t j
for jsteg
Tools actually doing steganography
Tools you can use to hide messages and reveal them afterwards.
Some encrypt the messages before hiding them.
If they do, they require a password.
If you have a hint what kind of tool was used or what password might be right, try these tools.
Some tools are supported by the brute force scripts available in this Docker image.
Tool
File types
Description
How to hide
How to recover
AudioStego
Audio (MP3 / WAV)
Details on how it works are in this blog post
hideme cover.mp3 secret.txt && mv ./output.mp3 stego.mp3
hideme stego.mp3 -f && cat output.txt
jphide/jpseek
Image (JPG)
Pretty old tool from here. Here, the version from here is installed since the original one crashed all the time. It prompts for a passphrase interactively!
jphide cover.jpg stego.jpg secret.txt
jpseek stego.jpg output.txt
jsteg
Image (JPG)
LSB stego tool. Does not encrypt the message.
jsteg hide cover.jpg secret.txt stego.jpg
jsteg reveal cover.jpg output.txt
mp3stego
Audio (MP3)
Old program. Encrypts and then hides a message (3DES encryption!). Windows tool running in Wine. Requires WAV input (may throw errors for certain WAV files. what works for me is e.g.: ffmpeg -i audio.mp3 -flags bitexact audio.wav
). Important: use absolute path only!
mp3stego-encode -E secret.txt -P password /path/to/cover.wav /path/to/stego.mp3
mp3stego-decode -X -P password /path/to/stego.mp3 /path/to/out.pcm /path/to/out.txt
openstego
Images (PNG)
Various LSB stego algorithms (check out this blog). Still maintained.
openstego embed -mf secret.txt -cf cover.png -p password -sf stego.png
openstego extract -sf openstego.png -p abcd -xf output.txt
(leave out -xf to create file with original name!)
outguess
Images (JPG)
Uses “redundant bits” to hide data. Comes in two versions: old=outguess-0.13
taken from here and new=outguess
from the package repos. To recover, you must use the one used for hiding.
outguess -k password -d secret.txt cover.jpg stego.jpg
outguess -r -k password stego.jpg output.txt
spectrology
Audio (WAV)
Encodes an image in the spectrogram of an audio file.
TODO
Use GUI tool sonic-visualiser
stegano
Images (PNG)
Hides data with various (LSB-based) methods. Provides also some screening tools.
stegano-lsb hide --input cover.jpg -f secret.txt -e UTF-8 --output stego.png
or stegano-red hide --input cover.png -m "secret msg" --output stego.png
or stegano-lsb-set hide --input cover.png -f secret.txt -e UTF-8 -g $GENERATOR --output stego.png
for various generators (stegano-lsb-set list-generators
)
stegano-lsb reveal -i stego.png -e UTF-8 -o output.txt
or stegano-red reveal -i stego.png
or stegano-lsb-set reveal -i stego.png -e UTF-8 -g $GENERATOR -o output.txt
Steghide
Images (JPG, BMP) and Audio (WAV, AU)
Versatile and mature tool to encrypt and hide data.
steghide embed -f -ef secret.txt -cf cover.jpg -p password -sf stego.jpg
steghide extract -sf stego.jpg -p password -xf output.txt
cloackedpixel
Images (PNG)
LSB stego tool for images
cloackedpixel hide cover.jpg secret.txt password
creates cover.jpg-stego.png
cloackedpixel extract cover.jpg-stego.png output.txt password
LSBSteg
Images (PNG, BMP, …) in uncompressed formats
Simple LSB tools with very nice and readable Python code
LSBSteg encode -i cover.png -o stego.png -f secret.txt
LSBSteg decode -i stego.png -o output.txt
f5
Images (JPG)
F5 Steganographic Algorithm with detailed info on the process
f5 -t e -i cover.jpg -o stego.jpg -d 'secret message'
f5 -t x -i stego.jpg 1> output.txt
stegpy
Images (PNG, GIF, BMP, WebP) and Audio (WAV)
Simple steganography program based on the LSB method
stegpy...