Remote Exploit Forums

#1
prowl3r, 10-29-2009, 03:31 PM
Steganography on the fly

My brother just asked me to send him some sensitive information. I decided to hide the info in a mail attachment. So I'll be sharing this with you.

First I installed steghide from the repositories.

Code:
root@wireless-service:~/secrets# cat /etc/issue
BackTrack 4 PwnSauce \n \l

root@wireless-service:~/secrets# uname -a
Linux wireless-service 2.6.30.5 #1 SMP Wed Aug 26 16:47:02 EDT 2009 i686 GNU/Linux
root@wireless-service:~/secrets# aptitude install steghide
Reading package lists... Done
Building dependency tree
Reading state information... Done
Reading extended state information
Initializing package states... Done
The following NEW packages will be installed:
  libmcrypt4{a} libmhash2{a} steghide
0 packages upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 384kB of archives. After unpacking 1176kB will be used.
Do you want to continue? [Y/n/?] y
Writing extended state information... Done
Get:1 http://archive.offensive-security.com pwnsauce/universe libmcrypt4 2.5.7-5ubuntu1 [81.2kB]
Get:2 http://archive.offensive-security.com pwnsauce/main libmhash2 0.9.9-1 [133kB]
Get:3 http://archive.offensive-security.com pwnsauce/universe steghide 0.5.1-9 [170kB]
Fetched 384kB in 2s (185kB/s)
Selecting previously deselected package libmcrypt4.
(Reading database ... 205446 files and directories currently installed.)
Unpacking libmcrypt4 (from .../libmcrypt4_2.5.7-5ubuntu1_i386.deb) ...
Selecting previously deselected package libmhash2.
Unpacking libmhash2 (from .../libmhash2_0.9.9-1_i386.deb) ...
Selecting previously deselected package steghide.
Unpacking steghide (from .../steghide_0.5.1-9_i386.deb) ...
Processing triggers for man-db ...
Setting up libmcrypt4 (2.5.7-5ubuntu1) ...

Setting up libmhash2 (0.9.9-1) ...

Setting up steghide (0.5.1-9) ...
Processing triggers for libc6 ...
ldconfig deferred processing now taking place
Reading package lists... Done
Building dependency tree
Reading state information... Done
Reading extended state information
Initializing package states... Done
Writing extended state information... Done
root@wireless-service:~/secrets#

Then I got a .jpg file and put the info inside a .txt file.

Code:
root@wireless-service:~/secrets# ls -l
total 72
-rw-r--r-- 1 root root 65140 Oct 29 13:35 pills.jpg
-rw-r--r-- 1 root root  1689 Oct 29 13:41 secret.txt
root@wireless-service:~/secrets#

I checked how much info I can insert for this particular image file. The bigger the file, the more info you can drop into it.

Code:
root@wireless-service:~/secrets# steghide info pills.jpg
"pills.jpg":
  format: jpeg
  capacity: 2.3 KB
Try to get information about embedded data ? (y/n) n
root@wireless-service:~/secrets#

Now, inject the data into the image.

Code:
root@wireless-service:~/secrets# steghide embed -cf pills.jpg -ef secret.txt
Enter passphrase:
Re-Enter passphrase:
embedding "secret.txt" in "pills.jpg"... done
root@wireless-service:~/secrets# ls -l
total 52
-rw-r--r-- 1 root root 46852 Oct 29 13:50 pills.jpg
-rw-r--r-- 1 root root  1689 Oct 29 13:41 secret.txt
root@wireless-service:~/secrets#

To decode and extract the file:

Code:
root@wireless-service:~/secrets# rm secret.txt
root@wireless-service:~/secrets# ls -l
total 48
-rw-r--r-- 1 root root 46852 Oct 29 13:50 pills.jpg
root@wireless-service:~/secrets# steghide extract -sf pills.jpg
Enter passphrase:
wrote extracted data to "secret.txt".
root@wireless-service:~/secrets# ls -l
total 52
-rw-r--r-- 1 root root 46852 Oct 29 13:50 pills.jpg
-rw-r--r-- 1 root root  1689 Oct 29 13:51 secret.txt
root@wireless-service:~/secrets#

"A picture is worth a thousand words"
__________________
Either you're part of the problem or you're part of the solution or you're just part of the landscape.

Last edited by prowl3r; 10-29-2009 at 04:56 PM.

#2
10-29-2009, 03:55 PM

Great tool, thank you.

By the way, it works with audio files too.

Quote:
$ steghide info received_file.wav
"received_file.wav":
format: wave audio, PCM encoding
capacity: 3.5 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
embedded file "secret.txt":
size: 1.6 KB
encrypted: rijndael-128, cbc
compressed: yes

#3
Isohump, 10-29-2009, 04:07 PM

Great tutorial
__________________
One day your life will flash before your eyes. Make sure it's worth watching.

Last edited by Isohump; 11-02-2009 at 01:35 PM.

#4
vvpalin, 10-29-2009, 04:42 PM

Quote:
Originally Posted by Isohump
Nice tut. I have a question: can u embed it with a payload like Social Engineering Toolkit?

It's not self-extracting for 1, and 2, if there is nothing to exploit they would need to execute it. You will probably want to look into either the new GDI flaw "pics", Metasploit or origami for PDFs .. or any slew of the various DivX flaws.

Also never underestimate a good social engineering attack. I could load up a Linux or Windows binary right now with an msf payload, post it as a patch or a game depending on what the person likes, and as they're happily enjoying their media I'm happily enjoying their box.

#####################################################################

@prowl3r
<nitpick>
highlight the relevant commands
</nitpick>

Also for everyone else this might come in handy .. before wrapping your text file up give it this quick command with a nice big pass.

openssl des3 -salt -in "$IN_NAME" -out "$OUT_NAME"
__________________
Using backtrack for the first time is like being 10 years old again with the keys to a Ferrari.
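
The thread's steps (capacity check, embed, extract) together with the pre-encryption suggested in the last post, combined into one script that also verifies the recovered file. This is an added example, not code from any poster: the function names and the `STEG_PASS` environment variable are hypothetical, it assumes the `capacity:` line format shown above, steghide 0.5.1 and OpenSSL 1.1.1 or later, and it swaps AES-256-CBC with PBKDF2 in for `des3`.

```shell
#!/bin/sh
# Added example; function names and STEG_PASS are hypothetical.
set -eu

# Read `steghide info` output on stdin and print the cover capacity in bytes.
# Assumes the "capacity: <n> <unit>" line format shown in the thread.
capacity_bytes() {
  awk '$1 == "capacity:" {
         m = 1
         if ($3 == "KB") m = 1024
         if ($3 == "MB") m = 1048576
         printf "%d\n", $2 * m
         found = 1
         exit
       }
       END { exit !found }'
}

# Size of `openssl enc` output for an n-byte input and a 16-byte block cipher:
# 16-byte "Salted__" header, then PKCS#7 padding to the next full block.
encrypted_size() {
  echo $(( 16 + ($1 / 16 + 1) * 16 ))
}

# roundtrip COVER SECRET STEGO -- passphrase comes from exported $STEG_PASS.
roundtrip() (
  cover=$1 secret=$2 stego=$3
  tmp=$(mktemp -d)
  trap 'rm -rf "$tmp"' EXIT
  cap=$(steghide info "$cover" -p "$STEG_PASS" 2>/dev/null | capacity_bytes)
  need=$(encrypted_size "$(wc -c < "$secret")")
  # Necessary, not sufficient: steghide adds its own header and encryption.
  [ "$need" -le "$cap" ] || { echo "need $need B, capacity $cap B" >&2; exit 1; }
  # AES-256-CBC with PBKDF2 replaces the des3 one-liner from the last post.
  openssl enc -aes-256-cbc -pbkdf2 -salt -pass env:STEG_PASS \
    -in "$secret" -out "$tmp/enc"
  # -Z: ciphertext does not compress. -p exposes the passphrase in `ps` output.
  steghide embed -q -Z -cf "$cover" -ef "$tmp/enc" -sf "$stego" -p "$STEG_PASS"
  steghide extract -q -sf "$stego" -xf "$tmp/out" -p "$STEG_PASS"
  openssl enc -d -aes-256-cbc -pbkdf2 -pass env:STEG_PASS \
    -in "$tmp/out" -out "$tmp/plain"
  # The round trip only counts if the recovered file is byte-identical.
  cmp -s "$secret" "$tmp/plain" && echo "round trip OK: $stego"
)

if [ "$#" -eq 3 ]; then roundtrip "$@"; fi
```

Because the stego file is written to a separate path with `-sf`, the original cover stays untouched, unlike the in-place embed in the first post.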