Trying and Cracking Steganography


Once I read about how some spies were saving messages in pictures. Cool. So I thought I’d try it just for fun.

Steganography

It was a lot different from invisible ink we played with as kids. 🙂

First I looked at an article on StackOverflow.

In the article I found:

You can concatenate a gif and a zip (the information you want to hide) into one file. Gifs are read from the start of the file, while zips are read from the end of the file.

To create such a file in linux:

cat file1.gif >> outfile.gif
cat file2.zip >> outfile.gif

or in Windows:

copy /b "file1.gif"+"file2.zip" "outfile.gif"

Try it:

In cygwin:
$ zip Sometext.zip Sometext.txt
adding: Sometext.txt (stored 0%)

ls -1

DDR3.JPG
Sometext.txt
Sometext.zip

cat DDR3.JPG > DDR3_zip.jpg
cat Sometext.zip >> DDR3_zip.jpg

ls -l

35604 Jan 4 10:33 7zip_Cat.jpg
111118 Nov 1 14:51 DDR3.JPG
111295 Jan 4 10:35 DDR3_zip.jpg
21 Jan 4 10:34 Sometext.txt
177 Jan 4 10:35 Sometext.zip

Sure enough, if you use Windows Explorer, and open the file that’s been appended, you get the same image. Cool.

To extract the text, I found it with 7Zip.

Then, I did some analysis using a few commands in cygwin.

$ file *
7zip_Cat.jpg: JPEG image data, JFIF standard 1.01
DDR3.JPG: JPEG image data, JFIF standard 1.01
DDR3_zip.jpg: JPEG image data, JFIF standard 1.01
Sometext.txt: ASCII text, with CRLF line terminators
Sometext.zip: Zip archive data, at least v1.0 to extract

strings DDR3_zip.jpg | tail


(‘Yj7
bo=2\
[T$L
Sometext.txtUT
UNZUx
This is some text
[T$L
Sometext.txtUT
WNZUx

So, the fact that the file has been modified is easily found after all.
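
The same check without eyeballing `strings` output, as an added example (not part of the original post): walk the JPEG markers to the real end-of-image and report whatever follows it. The sample JPEG and ZIP bytes are constructed in the code so it runs offline, and the function names are made up for this example.

```python
import io
import zipfile

NOT_A_MARKER = {0x00, 0xFF, *range(0xD0, 0xD8)}   # after 0xFF in scan data: stuffing, fill, RSTn

def jpeg_end(data: bytes) -> int:
    """Walk the JPEG segments and return the offset just past the real EOI marker."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                        # EOI: the picture ends here
            return pos + 2
        if marker == 0xFF:                        # fill byte before a marker
            pos += 1
        elif marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 2                              # markers that carry no length field
        else:
            pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
            if marker == 0xDA:                    # SOS: skip the entropy-coded scan data
                while pos + 1 < len(data) and (data[pos] != 0xFF or data[pos + 1] in NOT_A_MARKER):
                    pos += 1
    raise ValueError("no EOI marker found")

def check_jpeg(data: bytes) -> dict:
    """Report bytes after EOI and list ZIP members if the trailer holds an archive."""
    trailer = data[jpeg_end(data):]
    report = {"image_bytes": len(data) - len(trailer), "trailing_bytes": len(trailer), "zip_members": []}
    if zipfile.is_zipfile(io.BytesIO(trailer)):
        with zipfile.ZipFile(io.BytesIO(trailer)) as zf:
            report["zip_members"] = zf.namelist()
    return report

def sample_jpeg() -> bytes:
    """Constructed marker stream (not a viewable picture); APP0 hides a decoy FF D9."""
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00" + bytes(7) + b"\xff\xd9"
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + bytes(6)
    return b"\xff\xd8" + app0 + sos + b"\x12\xff\x00\x34\xff\xd0\x56" + b"\xff\xd9"

def sample_zip() -> bytes:  # constructed archive standing in for Sometext.zip
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Sometext.txt", "This is some text\r\n")
    return buf.getvalue()

if __name__ == "__main__":
    print(check_jpeg(sample_jpeg() + sample_zip()))   # trailer holds Sometext.txt
```

Walking the segments instead of searching for the first FF D9 matters because thumbnails stored inside metadata segments carry their own end marker.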

———

Steganotool:

More from the Stackoverflow thread:

Here is an open-source steganography software called steganotool. This project is an open source steganography tool that can be used to hide and extract text to/from Bitmap images.

Downloaded it from
https://github.com/PanagiotisDrakatos/steganotool

Use the file: Steganography.exe

 

Use the Steganography tool to add to the file JackA.bmp:
This is some text.
And create the file: Jack_Steno.bmp

ls -l

3,728 JackA.bmp
4,814 Jack_Steno.bmp

The resulting file is 1086 bytes bigger.

file *
JackA.bmp: PC bitmap data, Windows 3.x format, 35 x 34 x 24

Jack_Steno.bmp: PC bitmap data, Windows 3.x format, 35 x 34 x 32

strings Jack_Steno.bmp
– nothing at all, very interesting.

However, the cat command shows some interesting differences:

cat JackA.bmp

cat Jack_Steno.bmp

It turns out that Steganography only works with BMP files. Not a common file format these days. If you hid some info in a BMP file, someone might be curious.

find /cygdrive/c -type f -iname "*.bmp" 2> /dev/null | wc
 610 2189 58228

find /cygdrive/c -type f -iname "*.jpg" 2> /dev/null | wc
 7855 17536 900006
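
The `file` output above already accounts for the size jump, which this added example (not from the original post or from steganotool) checks from the BMP headers: a 35 x 34 picture needs 54 + 140 x 34 = 4814 bytes at 32 bits per pixel. It assumes the usual 54 bytes of headers with no palette, and models the 2 extra bytes in JackA.bmp as trailing padding; both test images are constructed.

```python
import struct

def bmp_info(data: bytes) -> dict:
    """Parse the BMP file and info headers and compute the size they imply."""
    if len(data) < 54 or data[:2] != b"BM":
        raise ValueError("not a BMP with a 40-byte info header")
    _size, _r1, _r2, pix_off = struct.unpack_from("<IHHI", data, 2)
    _hdr, width, height, _planes, bpp = struct.unpack_from("<IiiHH", data, 14)
    stride = (width * bpp + 31) // 32 * 4       # rows are padded to 4 bytes
    expected = pix_off + stride * abs(height)
    return {"width": width, "height": abs(height), "bpp": bpp,
            "expected_size": expected, "slack": len(data) - expected}

def compare(original: bytes, suspect: bytes) -> list:
    """List header-level differences worth a closer look."""
    a, b = bmp_info(original), bmp_info(suspect)
    findings = []
    if (a["width"], a["height"]) == (b["width"], b["height"]) and a["bpp"] != b["bpp"]:
        findings.append(f"same {a['width']}x{a['height']} picture, "
                        f"depth changed {a['bpp']} -> {b['bpp']} bpp")
    for name, info in (("original", a), ("suspect", b)):
        if info["slack"]:
            findings.append(f"{name}: {info['slack']} bytes beyond what the headers describe")
    return findings

def make_bmp(width: int, height: int, bpp: int, extra: bytes = b"") -> bytes:
    """Constructed test image: valid headers, all-zero pixels, optional trailing bytes."""
    pixels = bytes((width * bpp + 31) // 32 * 4 * height)
    total = 54 + len(pixels) + len(extra)
    header = b"BM" + struct.pack("<IHHI", total, 0, 0, 54)
    header += struct.pack("<IiiHHIIiiII", 40, width, height, 1, bpp,
                          0, len(pixels), 2835, 2835, 0, 0)
    return header + pixels + extra

if __name__ == "__main__":
    jack_a = make_bmp(35, 34, 24, extra=bytes(2))   # 3728 bytes, as in ls -l (layout assumed)
    jack_steno = make_bmp(35, 34, 32)               # 4814 bytes, as in ls -l
    print(len(jack_a), len(jack_steno), len(jack_steno) - len(jack_a))
    for finding in compare(jack_a, jack_steno):
        print(finding)
```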

——

Clotho:

I tried Clotho, downloaded from here.

Using the most basic setting

$ file *
 DDR3.JPG: JPEG image data, JFIF standard 1.01
 DDR3_cloth1.JPG: JPEG image data, JFIF standard 1.01
 SomeText.txt: ASCII text, with CRLF line terminators
 clotho_basic.jpg: JPEG image data, JFIF standard 1.01

RL@AcerP633V /cygdrive/c/temp/Steganography2/clotho
 $ strings DDR3_cloth1.JPG | tail
 &`gi
 O|wX
 F4r
 ('Yj7
 bo=2\
 RQNX-CLOTHO:256: <------
 ga}.
 H/U*
 ``dg
 this is some text <------

So, the Linux strings command works again.

Try the obfuscation feature.

Again, the strings command can indicate something.

$ strings DDR3_cloth2.JPG | tail
 J}rNcerP633V /cygdrive/c/temp/Steganography2/clotho
 LOX(
 &`gi
 O|wX
 F4r
 ('Yj7
 bo=2\
 RQNX-CLOTHO:256: <------
 ga}.
 :|=c

And the strings command still works.

And, interestingly enough, I see something in Windows 7 explorer:

Every file touched by clotho has a little padlock in the icon. Hmm.

——————-

Try SteganoGifPaletteOrder:

Downloaded from:

http://users.skynet.be/glu/sgpo.htm

http://users.skynet.be/glu/sgpo.zip

Requires that you have and know java.

cd C:\Utils\SteganoGifPaletteOrder\
 java SteganoGifPaletteOrder

Only works with GIF files.

Does not have functionality to specify where to save resulting file.

In the same directory as the .class files, it just creates a file:
out.gif

No possibility to give it a particular file name, which is pretty fundamental.

Reject.

—-

Autopsy:

On this blog, I found a comment,

Dale Jackaman comments: Open source forensics tools such as Autopsy or commercial tools such as X-Ways Forensics will find all these hidden file types.

So I downloaded Autopsy

http://www.sleuthkit.org/autopsy/
http://www.sleuthkit.org/autopsy/download.php

487 MB!

And take it for a test drive. You have to make a case first.

It finds the zip files.

Looking at a file that I modified: DDR3_2_zip.jpg, nothing seems to be flagged.

But if you use the tab, Indexed Text, it gives the same results as the cygwin/linux strings command.

So, you can use Autopsy to find issues. But, in my case, you would need to know what you are looking for.

Looks like a big program, that does many things.

—–

Michael Raggo’s StegSpy 2.1:

I downloaded Michael Raggo’s StegSpy 2.1 from here.

Turns out that it says: Copyright 2003, 2004
Over 1 1/2 decades ago.

And, it’s a very simple program. Only one button!

Then, tried it on the file I modified, DDR3_2_zip.jpg, but it didn’t detect anything.

——

SSuite Picsel Security:

Eventually, I found SSuite Picsel Security

To encrypt:

Open original image. Here, use the supplied, Athena.bmp

Make a file with the message, link it to the Message button

Encrypt Image

Save image

$ ls -l

21 Jan 4 10:34 Sometext.txt
 11238 Jan 3 15:49 athena.bmp
 85186 Jan 4 13:41 athenaAfterEncrpt.bmp

Makes the resulting file size much bigger

Images look the same.

But cat command shows differences:

Original:

cat athena.bmp

Resulting Encrypted File

cat athenaAfterEncrpt.bmp

You can encrypt with a JPG file too.  However, the resulting file created is a BMP.

ls -l

111118 Nov 1 14:51 DDR3.JPG
 1920054 Jan 4 13:54 DDR3AfterEncrpt.bmp

ls -lh

109K Nov 1 14:51 DDR3.JPG
 1.9M Jan 4 13:54 DDR3AfterEncrpt.bmp

And the resulting BMP is much bigger than the original JPG.

To Decrypt

Open Original Image: DDR3.jpg

Hit Decrypt button.

Open Encrypted Image file:
DDR3AfterEncrpt.bmp

Decrypt image: Yes

—–

Closing Thoughts:

That’s enough exploring for a day or two.  It was a lot different from invisible ink we played with as kids. 🙂

Steganography looks like a big field. There are lots of other software packages out there. See the links below.

Some of the software I tried is quite old. Using the Linux commands, it was easy to detect a modification.

What bothers me, is how unsophisticated so many of them were.

SSuite Picsel Security was the best that I tried. I’ll be looking at more of their many free software packages.

Does anyone know of some really good Steganography software? If so, please comment, and send the links.

 

—-

Useful Links:

HACKER LEXICON: WHAT IS STEGANOGRAPHY?
https://www.wired.com/story/steganography-hacker-lexicon/

How can you hide information inside a jpg or gif photo?
https://stackoverflow.com/questions/1216156/how-can-you-hide-information-inside-a-jpg-or-gif-photo

5 ways to Secretly Hide a File or Message Inside Another File
https://www.raymond.cc/blog/hide-your-secret-files-by-embedding-it-to-another-safe-source/

35 Best Free Steganography Software For Windows
http://listoffreeware.com/list-of-best-free-steganography-software-for-windows/

Easily Breaking a very weak steganography software: Camouflage
http://www.guillermito2.net/stegano/camouflage/index.html

Analyzing steganography softwares (for the fun of learning about it)
http://www.guillermito2.net/stegano/index.html

Michael Raggo on steganography
http://www.spy-hunter.com/stegintro.htm

Michael Raggo’s StegSpy 2.1
http://www.spy-hunter.com/stegspydownload.htm

 

——

PS:  Hopefully the formatting looks ok.  WordPress always continues to surprise, and make the simple, complex and difficult.

 
