This article was entered in the “Newcomer Creation Ceremony” event and is the start of my content-creation journey on Juejin (掘金)

Prerequisites

  • file command: identifies a file's type from its header. If extra data precedes the header, the type cannot be identified

  • strings: prints the printable character sequences in a file

    Useful for finding hints or specially encoded messages

    Use with the -o option to print the offset (position) of every string

  • binwalk command

    Identifies embedded files by their headers

    -e extracts the embedded files

  • foremost command

    Carves embedded files out. It is recommended to try both carving commands (binwalk and foremost)

  • Common file headers

    Search locally for a file-header reference

Compressed packages

The basic approach

  1. Try opening it with WinRAR first and check whether it reports an error
  2. Check the file properties
  3. Pseudo-encryption
  4. Brute force
  5. Plaintext attack
  6. CRC32 collision
  7. Merge split archives: cat <file names, in the required order> > <output file name>

File structure

[local file header + file data + data descriptor] (repeated once per file) + central directory + end of central directory record

Brute-force password cracking

Practical only for passwords of six characters or fewer

Brute-force directly with ARCHPR

ZIP pseudo-encryption

Principle:

A two-byte general purpose bit flag appears in both the local file header and the central directory entry, and its bits have different meanings. Comparing the flag in the two places tells the three states apart:

    Unencrypted:       local file header (ushort frFlags) 00 00, central directory (ushort deFlags) 00 00
    Pseudo-encrypted:  local file header (ushort frFlags) 00 00, central directory (ushort deFlags) 09 00
    Truly encrypted:   local file header (ushort frFlags) 09 00, central directory (ushort deFlags) 09 00

Repair tools:

  • WinRAR repair (also fixes other kinds of damage): Tools -> Repair archive

  • binwalk / foremost ignore pseudo-encryption and extract the contents anyway

  • ZipCenOp.jar (Windows)

    Navigate to the folder, type cmd in the Explorer address bar, then run:

    java -jar ZipCenOp.jar r <file name>
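Worked example (added here; it is not part of the original notes and not ZipCenOp's code): a short Python script that reads frFlags/deFlags from a ZIP's local headers and central directory, classifies the archive by the table above, clears the bit the way ZipCenOp's r mode does, and shows that a standard unzipper refuses the pseudo-encrypted archive but reads the repaired one. The sample archive is constructed inside the script.

```python
import struct
import zipfile
from io import BytesIO

LOCAL_SIG = b"PK\x03\x04"    # local file header signature
CENTRAL_SIG = b"PK\x01\x02"  # central directory entry signature
ENC_BIT = 0x0001             # bit 0 of the general purpose bit flag: "encrypted"

def flag_offsets(buf: bytes, sig: bytes) -> list:
    """Offsets of the 2-byte flag: +6 in a local file header, +8 in a central directory entry."""
    delta = 6 if sig == LOCAL_SIG else 8
    offs, pos = [], buf.find(sig)   # plain signature scan, as the repair tools do
    while pos != -1:
        offs.append(pos + delta)
        pos = buf.find(sig, pos + len(sig))
    return offs

def classify(buf: bytes) -> str:  # compare frFlags (local headers) with deFlags (central directory)
    local = any(struct.unpack_from("<H", buf, o)[0] & ENC_BIT for o in flag_offsets(buf, LOCAL_SIG))
    central = any(struct.unpack_from("<H", buf, o)[0] & ENC_BIT for o in flag_offsets(buf, CENTRAL_SIG))
    if local and central:
        return "encrypted"         # 09 00 / 09 00
    if local != central:
        return "pseudo-encrypted"  # 00 00 / 09 00
    return "plain"                 # 00 00 / 00 00

def repair(buf: bytes) -> bytes:
    """Clear the encryption bit in every header, which is what `ZipCenOp r` does."""
    out = bytearray(buf)
    for o in flag_offsets(buf, LOCAL_SIG) + flag_offsets(buf, CENTRAL_SIG):
        struct.pack_into("<H", out, o, struct.unpack_from("<H", out, o)[0] & 0xFFFE)
    return bytes(out)

def make_pseudo_encrypted() -> bytes:
    """Constructed sample: a normal archive whose central directory flag is forced to 09 00."""
    bio = BytesIO()
    with zipfile.ZipFile(bio, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("flag.txt", "flag{constructed_sample}")
    buf = bytearray(bio.getvalue())
    for o in flag_offsets(buf, CENTRAL_SIG):
        struct.pack_into("<H", buf, o, 0x0009)
    return bytes(buf)

def readable(buf: bytes) -> bool:  # True if a standard unzipper reads the member without a password
    try:  # zipfile raises RuntimeError("... is encrypted, password required") on 09 00
        with zipfile.ZipFile(BytesIO(buf)) as zf:
            return zf.read(zf.namelist()[0]) == b"flag{constructed_sample}"
    except RuntimeError:
        return False
```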

CRC32 collision

Principle:

The CRC32 stored in the archive is computed over the unencrypted file content

If the file content is small (about 4 bytes) and the password is long, a CRC32 brute-force can recover the original file content directly

Script: F:\CTF\CTF tools collection\scripts\CRC32 collision\crc32-linux.py
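Worked example (added here; it is not the crc32-linux.py script from the tools collection): read the stored CRC32 from the central directory and search every 4-character string over a small alphabet for it, which is why a tiny file inside a password-protected archive is not confidential. The sample zip is constructed inline, and the [a-z0-9] alphabet is an assumption.

```python
import itertools
import string
import zipfile
import zlib
from io import BytesIO

def stored_crcs(zip_bytes: bytes) -> dict:
    """CRC32 and uncompressed size of every member, read from the central directory.
    The CRC is computed over the plaintext, so traditional ZIP password protection
    leaves it fully exposed."""
    with zipfile.ZipFile(BytesIO(zip_bytes)) as zf:
        return {i.filename: (i.CRC, i.file_size) for i in zf.infolist()}

def crc32_candidates(target: int, length: int, charset: str) -> list:
    """Every string of `length` characters over `charset` whose CRC32 equals `target`.
    The search is exhaustive (36**4 = 1,679,616 tries for 4 chars of [a-z0-9]) so that
    all collisions, not just the first, are reported."""
    hits = []
    for combo in itertools.product(charset.encode(), repeat=length):
        candidate = bytes(combo)
        if zlib.crc32(candidate) & 0xFFFFFFFF == target:
            hits.append(candidate.decode())
    return hits

def recover_small_member(zip_bytes: bytes, name: str,
                         charset: str = string.ascii_lowercase + string.digits) -> list:
    """Recover a tiny member's content from its CRC alone; only feasible for a few bytes."""
    crc, size = stored_crcs(zip_bytes)[name]
    if size > 4:
        raise ValueError("CRC32 collision is only practical for files of about 4 bytes")
    return crc32_candidates(crc, size, charset)

def make_sample() -> bytes:
    """Constructed sample: a 4-byte file in a zip. zipfile cannot write passwords, but a
    copy protected with traditional ZIP encryption carries exactly the same CRC."""
    bio = BytesIO()
    with zipfile.ZipFile(bio, "w") as zf:
        zf.writestr("key.txt", "f1ag")
    return bio.getvalue()
```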

Plaintext attack

Basic conditions

  • An encrypted archive
  • The compression tool used to create it is known, e.g. WinRAR, 7-Zip
  • The version of the compression tool is known
  • A contiguous portion of one file in the archive is known, at least 12 bytes (any file will do)

Method

  1. Compress the known plaintext file into an archive with the same tool
  2. Verify that the compression method matches, i.e. compare the CRC32 values after compression
  3. Run the plaintext attack in ARCHPR

Tips:

If characters appear in the key box during the attack, you can stop the attack and click the button on the right to decrypt with the known key

docx

A docx is a zip package containing XML files

Content may be hidden: the information is in the zip package but not visible in Word

Rename the .docx suffix to .zip and open it

Images

Image content, image analysis, image mosaics, image repair, EXIF, LSB

The basic approach

  1. View the property details with exiftool (Linux) or identify

  2. Open the file in 010 Editor, WinHex or Notepad++ and look for special information, then search for keywords such as ctf, CTF, flag and key

    strings and file commands (Kali)

    strings test | grep -i flag
    file 1.txt

  3. Check whether the image's header and trailer markers are correct. If they are wrong, fix them to restore the image, then open it and check for flag or CTF information. (For a GIF it is usually necessary to split the frames and examine the data obtained by combining each frame.)

  4. Separate embedded files with Stegsolve or binwalk/foremost

    Note: foremost and binwalk extract a PNG only up to its IEND chunk. Anything after the IEND chunk is ignored and is not extracted, so information can be hidden there

  5. Modify the height: for PNG in the IHDR chunk; for JPG, search for FFC2 in hex, the height is the data three bytes after it

  6. Use the steganography detection tool that matches the format

  7. Check the image for anomalies with blind watermarking, F5, LSB, GUESS, Stegpy, STEG, JPHide, Stegdetect
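Worked example (added here; not part of the original notes, and a minimal stand-in for pngcheck/TweakPNG rather than their code): a chunk walker that recomputes every chunk's CRC, reports bytes left after IEND (the data binwalk/foremost drop, step 4), and shows the difference between patching the IHDR height bytes alone, which TweakPNG reports as an IHDR CRC error, and updating the CRC along with them (step 5 and the PNG section below). The test image is constructed in the script.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialize one chunk: length, type, data, CRC32 over type + data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def make_png(width: int, height: int) -> bytes:
    """Constructed sample: a minimal 8-bit grayscale PNG with all pixels black."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = (b"\x00" + b"\x00" * width) * height  # each row: filter byte 0 + pixels
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")

def audit(data: bytes) -> dict:
    """Walk the chunks like pngcheck: IHDR size, chunks whose stored CRC does not match
    (a hand-edited height), and the number of bytes after IEND (what binwalk drops)."""
    assert data[:8] == PNG_SIG, "not a PNG"
    size, bad, end, pos = None, [], None, 8
    while pos + 12 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        body = data[pos + 8:pos + 8 + length]
        stored = struct.unpack_from(">I", data, pos + 8 + length)[0]
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != stored:
            bad.append(ctype.decode())
        if ctype == b"IHDR":
            size = struct.unpack_from(">II", body)
        pos += 12 + length
        if ctype == b"IEND":
            end = pos
            break
    return {"size": size, "bad_crc": bad, "trailing": len(data) - end if end else 0}

def raw_height_patch(data: bytes, new_height: int) -> bytes:
    """Overwrite only the IHDR height (bytes 20..24) and leave the CRC stale: the
    state TweakPNG reports as an IHDR CRC error."""
    out = bytearray(data)
    struct.pack_into(">I", out, 20, new_height)
    return bytes(out)

def set_height(data: bytes, new_height: int) -> bytes:
    """Change the height and recompute the IHDR CRC so viewers accept the file."""
    body = bytearray(data[16:29])  # 13-byte IHDR payload after sig(8) + len(4) + type(4)
    struct.pack_into(">I", body, 4, new_height)
    return data[:8] + chunk(b"IHDR", bytes(body)) + data[33:]
```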

JPG

  • Characteristics

    File header identifier (2 bytes): FF D8

    End of file identifier (2 bytes): FF D9

  • LSB

  • IDAT steganalysis

    1. Analyze with pngcheck: pngcheck.exe -v <file>
    2. Identify abnormal IDAT chunks and use a tool such as WinHex to write them into a new file
    3. Continue the analysis on the newly created file

  • Modify the height

    JPG: search for FFC2 in hex; the height is the data three bytes after it

  • stegdetect (Windows)

    Use this tool to detect steganography first, then use the tools below to extract

    (Checks a JPG for steganography. Stegdetect can detect messages hidden by tools such as JSteg, JPHide, OutGuess, Invisible Secrets, F5, appendX and Camouflage.) Copy the image into the folder containing stegdetect.exe, open cmd and enter:

    stegdetect.exe -tjopi -s 10.0 [stego_file]

    -s  sets the sensitivity of the detection algorithm. The default is 1. The reported match level is proportional to the sensitivity: the larger the value, the more likely a suspicious file is reported as containing hidden information
    -t  sets which steganography tools to test for (jopi is the default). The options are:
        j  test whether the image has data embedded with JSteg
        o  test whether the image has data embedded with OutGuess
        p  test whether the image has data embedded with JPHide
        i  test whether the image has data embedded with Invisible Secrets
  • jphide

    Used to extract information hidden in a JPG with JPHide

    Graphical operation: open the file with the tool, click the Seek button on the toolbar, enter the password, click OK and save as a TXT file

  • steghide (Windows)

    View information about the file embedded in the image:

    steghide info out.jpg

    Extract hidden content that is protected by a password:

    steghide extract -sf out.jpg -p 123456

    Extract hidden content that has no password:

    steghide extract -sf out.jpg

    steghide brute-force

    Some challenges embed a file with steghide but do not give the password, so it has to be brute-forced. steghide itself does not support this, so another tool is needed: github.com/Va5c0/Stegh…

    steg_brute.py -b -d [dictionary] -f [jpg_file]

    Library to install: progressbar

    pip install progressbar2
  • F5 (matrix encoding)

    (F5 steganography, password required)

    On Kali, switch to the F5-Steganography directory and run the Extract class with Java:

    java Extract <absolute path of 123456.jpg> -p 123456

  • OutGuess (based on a frequency-domain transform)

    (Kali, steganography + password)

    outguess -k 12345 -r 2.jpg out.txt    (out.txt is the text file that receives the information; -k is followed by the password, -r by the stego image and the output file)

    On Windows

    F:\CTF\CTF tools Collection\Steganography\F5\f5-steganography\tests

    java -jar f5.jar e -e msg.txt -p mypasswd -q 70 in.jpg out.jpg

    No password required: java -jar f5.jar x -e out.txt pic.jpg

PNG

  • Characteristics

    File header identifier (8 bytes): 89 50 4E 47 0D 0A 1A 0A

    End (IEND chunk): 00 00 00 00 49 45 4E 44 AE 42 60 82

  • Format

    1. IHDR: header chunk

      The first chunk in a PNG data stream

      There can be only one header chunk in a PNG stream

    2. A PNG contains many IDAT data chunks, each compressed in zlib format. The first IDAT chunk carries the zlib header, such as 78 9C

      A new IDAT chunk is started only when the previous one is full, and an image has only one 78 9C marker

  • Modify the height

    010 Editor

    TweakPNG: if an "IHDR CRC error" is shown when opening the image, the size was modified but the CRC was not updated

  • LSB steganography

    Hides data in the lowest bit of each channel

    Suitable for PNG (lossless compression) and BMP (no compression) files

    Tools: Stegsolve and zsteg

    Extracting LSB data with Stegsolve

    Select Extract Preview, Bit Plane Order and the other options as required

  • XOR

    1. Analyze the two images with binwalk

    2. Open them in Stegsolve, select Image Combiner and choose XOR

    3. Continue the analysis based on the XOR result

  • zsteg (Kali)

    zsteg detects steganographic data (LSB steganography, zlib, OpenStego, etc.) in PNG and BMP images. Files decoded with zsteg are generally BMP files

    zsteg <image>

    If it reports hidden data found at extradata:0:

    zsteg -e "extradata:0" /home/volcano/Desktop/misc17.png > 1.txt

    Then run binwalk -e on 1.txt to separate the data and get the flag

  • BlindWaterMark (Kali)

    1. Plain BWM

    • Open a terminal in the folder containing bwm.py (project address)
    # 1.png is the original image without the watermark
    # 2.png is the image with the blind watermark
    # flag.png is the extracted watermark image
    > python bwm.py decode 1.png 2.png flag.png

    2. Frequency-domain blind watermark

    import os
    import random
    from argparse import ArgumentParser

    import cv2
    import numpy as np

    ALPHA = 5


    def build_parser():
        parser = ArgumentParser()
        parser.add_argument('--original', dest='ori', required=True)
        parser.add_argument('--image', dest='img', required=True)
        parser.add_argument('--result', dest='res', required=True)
        parser.add_argument('--alpha', dest='alpha', default=ALPHA, type=float)
        return parser


    def main():
        parser = build_parser()
        options = parser.parse_args()
        ori = options.ori
        img = options.img
        res = options.res
        alpha = options.alpha
        if not os.path.isfile(ori):
            parser.error("original image %s does not exist." % ori)
        if not os.path.isfile(img):
            parser.error("image %s does not exist." % img)
        decode(ori, img, res, alpha)


    def decode(ori_path, img_path, res_path, alpha):
        # The watermark is the difference of the two spectra, scaled back by alpha
        ori = cv2.imread(ori_path)
        img = cv2.imread(img_path)
        ori_f = np.fft.fft2(ori)
        img_f = np.fft.fft2(img)
        height, width = ori.shape[0], ori.shape[1]
        watermark = (ori_f - img_f) / alpha
        watermark = np.real(watermark)
        res = np.zeros(watermark.shape)
        # Undo the pseudo-random pixel shuffle used at encode time (seeded by image size)
        random.seed(height + width)
        x = list(range(height // 2))
        y = list(range(width))
        random.shuffle(x)
        random.shuffle(y)
        for i in range(height // 2):
            for j in range(width):
                res[x[i]][y[j]] = watermark[i][j]
        cv2.imwrite(res_path, res, [int(cv2.IMWRITE_JPEG_QUALITY), 100])


    if __name__ == '__main__':
        main()

    Usage

    python pinyubwm.py --original 1.png --image 2.png --result out.png

    out.png is the result. If you cannot get a normal image, swap 1.png and 2.png and try again

  • LSB Python script decoding (LSB steganography with a password)

    F:\CTF\CTF tools collection\scripts\Cloacked-Pixel-master

    Usage

    python lsb.py extract [stego_file] [out_file] [password]

  • pngcheck (check IDAT chunks, Windows)

    Open cmd in the folder containing pngcheck.exe

    pngcheck.exe -v 123.png

    Checks whether the PNG's IDAT chunks have problems. Related challenge write-up: blog.csdn.net/u010391191/…

    Reference solving script from FzWjScJ's blog: www.fzwjscj.xyz/index.php/a…

  • Java blind watermarking

    Extract with the tool in F:\CTF\CTF tools collection\steganography\image steganography

    java -jar .\BlindWatermark.jar decode -c .\flag.png output.png

  • APNG images

    Essentially an animated image like a GIF; split the frames with apngdis.exe

  • If TweakPNG reports many errors on opening, use pngdebugger to check whether the errors hide something

GIF

  • Characteristics

    Header identifier (6 bytes): 47 49 46 38 39(37) 61, i.e. GIF89a (GIF87a)

  • A GIF consists of multiple images, each with its own metadata (attribute information)

  • Timeline steganography: the time intervals between frames are used to hide information (mostly binary 0/1)

BMP

  • Characteristics

    Lossless, uncompressed format

  • LSB steganography

  • Frequency-domain blind watermark steganography

    Using MATLAB

WebP

Install (Kali): apt install webp, confirm with Y if prompted

Usage

cwebp, encoder tool: converts PNG to WebP

cwebp 1.png -o 2.webp

dwebp, decoder tool: converts WebP to PNG

dwebp 1.webp -o 2.png

vwebp, viewer tool: views WebP images directly

vwebp 1.webp

webpinfo, format inspection tool: prints the chunk-level structure of a WebP file and performs a basic integrity check

webpinfo 1.webp

Others (gif2webp, img2webp, etc.: see the official documentation)

  • exiftool (view image EXIF information)

    exiftool 1.jpg                                          # Display all information about the image
    exiftool 1.jpg | grep flag                              # Check the image for information containing 'flag'
    exiftool *                                              # View all images in this folder
    exiftool -b -ThumbnailImage attachment.jpg > flag.jpg   # Extract the embedded thumbnail

BPG

File header: 42 50 47 FB

View online: webencoder.libbpg.org/show.html

Tool script usage

Pillow

An upgraded version of PIL; basic usage below

from PIL import Image

# Open a PNG image file (path relative to the current working directory):
im = Image.open("file.png")
# Get the image size:
w, h = im.size
im.show()
# Save the image in PNG format:
im.save("another.png")
# Image processing: resize (returns a new image)
im.resize((32, 32))
# Image processing: rotate (returns a new image)
im.rotate(90)

# Pixel processing: read the whole image as a flat sequence of pixels
pixels = list(im.getdata())
# Pixel processing: fill the whole image from a flat sequence of pixels
im.putdata(pixels)
# Pixel processing: read the RGB value of a single pixel
x, y = 0, 0
im.getpixel((x, y))
# Pixel processing: write the RGB value of a single pixel
im.putpixel((x, y), (0, 0, 0))

im.copy()
# Create a new blank RGB image and fill it with pixel data
im = Image.new("RGB", (w, h))
im.putdata(pixels)

Generate a QR code from binary data

The side length of the image is the square root of the length of the binary string

from PIL import Image

s = ""  # paste the binary string here, e.g. 625 bits for a 25x25 image
side = int(len(s) ** 0.5)  # 25 for a 625-character string
im = Image.new("RGB", (side, side))
im.putdata([(255, 255, 255) if i == "1" else (0, 0, 0) for i in s])
im.resize((100, 100)).show()

identify

Has the same functions as exiftool and displays more information

identify -verbose pic.png

Get a specific field

identify -format "%[EXIF:copyright] %c\n" pic.png
# copyright can be replaced with another EXIF tag