This article is part of the “Newcomer Creation Ceremony” activity, starting the road of creating on Juejin together.
Prerequisite knowledge
- file command: identifies the file type from the file header. If there is extra data in front of the header, the type cannot be identified.
- strings: prints the printable character sequences in a file. Useful for finding hints or specially encoded messages. Use it with the -o argument to print the offset (position) of every string.
- binwalk command: identifies embedded files by their headers; -e extracts them.
- foremost command: carves embedded files out. It is recommended to try binwalk and foremost separately, since each may find what the other misses.
- Various file headers: keep a local table of file headers (magic numbers) to search.
Compressed packages
Basic ideas
- Try opening the archive with WinRAR first and see whether it reports an error
- Check the archive properties (comments)
- Pseudo-encryption
- Brute force
- Known-plaintext attack
- CRC32 collision
- Split archives: merge the parts in order with cat part1 part2 ... > merged.zip, then extract
File structure
[local file header + file data + data descriptor] (this group can repeat many times) + central directory + end of central directory record
Brute-force password cracking
Only practical for passwords of six characters or fewer.
Brute force directly with ARCHPR (Advanced Archive Password Recovery).
ZIP pseudo-encryption
Principle:
The general purpose bit flag is a two-byte field that appears twice: in the local file header (frFlags) and in the central directory header (deFlags). Its bits have different meanings, and bit 0 marks the entry as encrypted. Comparing the two copies tells the cases apart:
- Unencrypted: local frFlags 00 00, central deFlags 00 00
- Pseudo-encrypted: local frFlags 00 00, central deFlags 09 00
- Truly encrypted: local frFlags 09 00, central deFlags 09 00
Extraction tools read the central directory flag, so a pseudo-encrypted archive prompts for a password although the data itself was never encrypted.
Repair tools:
- WinRAR repair (also fixes other damage): Tools -> Repair archive
- binwalk and foremost ignore pseudo-encryption and extract the contents directly
- ZipCenOp.jar (Windows): open the folder containing it, type cmd in the address bar, then run:
```bash
java -jar ZipCenOp.jar r <zip file>
```
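As an added example (not from the original article), the following Python script applies the principle above by hand: it walks the central directory of a ZIP, compares bit 0 of both flag copies for every entry, and clears the central-directory bit wherever the local header shows the data is not really encrypted, which is the same repair the tools listed above perform. The archive is constructed in memory with the standard library, so it runs offline.

```python
import io, struct, zipfile

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"

def central_entries(data):
    # Walk the central directory from the EOCD record: yields (central_off, local_off).
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count = struct.unpack_from("<H", data, eocd + 10)[0]
    pos = struct.unpack_from("<I", data, eocd + 16)[0]
    for _ in range(count):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("central directory corrupt at offset %d" % pos)
        nlen, xlen, clen = struct.unpack_from("<HHH", data, pos + 28)
        yield pos, struct.unpack_from("<I", data, pos + 42)[0]
        pos += 46 + nlen + xlen + clen  # fixed 46-byte header + name/extra/comment

def classify(data):
    # Bit 0 of the general purpose flag: local header at +6, central directory at +8.
    names = {(0, 0): "unencrypted", (0, 1): "pseudo-encrypted", (1, 1): "encrypted"}
    out = []
    for ce, lo in central_entries(data):
        lbit = struct.unpack_from("<H", data, lo + 6)[0] & 1
        cbit = struct.unpack_from("<H", data, ce + 8)[0] & 1
        out.append(names.get((lbit, cbit), "malformed"))
    return out

def fix_pseudo(data):
    # Clear the central-directory bit wherever the local header says "not encrypted".
    buf = bytearray(data)
    for ce, lo in central_entries(data):
        if not struct.unpack_from("<H", buf, lo + 6)[0] & 1:
            cflag = struct.unpack_from("<H", buf, ce + 8)[0]
            struct.pack_into("<H", buf, ce + 8, cflag & 0xFFFE)
    return bytes(buf)

def make_sample(pseudo):
    # Constructed one-member archive; pseudo=True sets only the central directory bit.
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("flag.txt", "flag{constructed_sample}")
    buf = bytearray(bio.getvalue())
    for ce, _ in (central_entries(bytes(buf)) if pseudo else []):
        struct.pack_into("<H", buf, ce + 8, struct.unpack_from("<H", buf, ce + 8)[0] | 1)
    return bytes(buf)

def read_member(data, name):
    # zipfile refuses (pseudo-)encrypted members without a password, so this is the check.
    return zipfile.ZipFile(io.BytesIO(data)).read(name)
```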
CRC32 collision
Principle:
The CRC32 value stored in the archive is computed over the unencrypted file content.
If the file content is very short (about 4 bytes) and the password is long, the original content can be recovered by brute-forcing the CRC32 instead of the password.
Script: F:\CTF\CTF tools collection\script\CRC32 collision\crc32-linux.py
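Added example, not part of the original article and independent of the crc32-linux.py script it refers to: CRC-32 is a linear checksum, not a hash, so for content of exactly 4 bytes the bytes can be computed directly from the CRC by running the table update backwards, and shorter content is recovered by exhaustive search over a chosen alphabet. Both routines use their own table for the standard reflected CRC-32 (polynomial 0xEDB88320, the variant ZIP stores).

```python
import itertools

POLY = 0xEDB88320
TABLE = []
for i in range(256):
    c = i
    for _ in range(8):
        c = (c >> 1) ^ POLY if c & 1 else c >> 1
    TABLE.append(c)
# The high byte of the 256 table entries is a permutation of 0..255, so the
# top byte of a CRC state identifies the table index used in the last update.
TOP = {t >> 24: i for i, t in enumerate(TABLE)}
assert len(TOP) == 256

def crc32(data):
    # Standard CRC-32: init 0xFFFFFFFF, table update per byte, final xor.
    c = 0xFFFFFFFF
    for b in data:
        c = TABLE[(c ^ b) & 0xFF] ^ (c >> 8)
    return c ^ 0xFFFFFFFF

def invert_crc32_4(crc):
    # Recover the unique 4-byte input whose CRC-32 equals `crc`.
    c = crc ^ 0xFFFFFFFF                 # state after the 4th byte
    idxs = []
    for _ in range(4):                   # walk the update backwards
        idx = TOP[c >> 24]
        idxs.append(idx)
        c = ((c ^ TABLE[idx]) << 8) & 0xFFFFFFFF   # low byte unknown, not needed
    out, c = bytearray(), 0xFFFFFFFF
    for idx in reversed(idxs):           # replay forwards from the initial state
        out.append(idx ^ (c & 0xFF))
        c = TABLE[idx] ^ (c >> 8)
    return bytes(out)

def brute_force(crc, length, alphabet=b"0123456789abcdefghijklmnopqrstuvwxyz"):
    # Exhaustive search for content shorter than 4 bytes (or with a known charset).
    for combo in itertools.product(alphabet, repeat=length):
        cand = bytes(combo)
        if crc32(cand) == crc:
            return cand
    return None
```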
Known-plaintext attack
Basic conditions
- An encrypted archive
- The compression tool that produced it is known, e.g. WinRAR or 7-Zip
- The version of the compression tool is known
- Part of a compressed file's content is known: at least 12 contiguous bytes of any file in the archive
Method
- Compress the known plaintext file into an archive with the same tool
- Verify that the compression is identical, i.e. that the CRC32 values of the compressed files match
- Run a plaintext attack in ARCHPR
Tip:
If characters appear in the key box during the attack, you can stop the attack and click the button on the right to decrypt with the known key.
docx
A docx is a zip package containing XML files.
A file may be hidden inside the package: information that is in the zip package but not visible in Word.
Change the .docx suffix to .zip and extract it.
Images
Image content, image analysis, image mosaic, image repair, EXIF, LSB
Basic ideas
- View the property details with exiftool (Linux) or identify
- Open the file in 010 Editor, WinHex or Notepad++ to look for special information, then search for keywords such as CTF, ctf, flag and key
- strings and file commands (Kali):
```bash
strings test | grep -i flag
file 1.txt
```
- Check whether the beginning and end markers of the image are correct. If they are not, modify them to restore the image, then open it to check for flag or CTF information. (For a GIF it is usually necessary to view the frames separately and combine the data obtained from each frame.)
- Separate embedded files with Stegsolve or binwalk/foremost.
  Note: foremost and binwalk extract a PNG up to its IEND chunk; anything after IEND is ignored and will not be extracted, so information can be hidden there.
- Modify the height: in PNG it is stored in the IHDR chunk; in JPG search (hexadecimal) for FFC2 and change the data three bytes after it
- Use the steganography detection tool that corresponds to the file format
- Check whether the image carries a blind watermark, or F5, LSB, Guess, Stegpy, Steg, jphide or Stegdetect steganography
JPG
- Characteristics
  File header identifier (2 bytes): FF D8
  End of file identifier (2 bytes): FF D9
- LSB
- IDAT steganalysis
  - Use pngcheck to analyze: pngcheck.exe -v file
  - Identify abnormal IDAT chunks and use a tool such as WinHex to create a new file from them
  - Continue the analysis on the newly created file
- Modify the height
  JPG: search (hexadecimal) for FFC2; the height is in the data three bytes after it
- stegdetect (Windows)
  Use this tool to detect steganography first, then use the tools below to extract.
  (Checks JPG images for steganography. Stegdetect can detect messages hidden by tools such as JSteg, JPHide, OutGuess, Invisible Secrets, F5, appendX and Camouflage.) Copy the image into the folder where stegdetect.exe is located, open cmd and enter:
```bash
stegdetect.exe -tjopi -s 10.0 [stego_file]
```
  -s changes the sensitivity of the detection algorithm. The default value is 1. The match score of the results is proportional to the sensitivity: the greater the sensitivity value, the more likely the files flagged as suspicious contain hidden information.
  -t sets which steganography tools to detect (jopi is the default). The options are:
    j: detect whether information is embedded in the image with JSteg
    o: detect whether information is embedded in the image with OutGuess
    p: detect whether information is embedded in the image with JPHide
    i: detect whether information is embedded in the image with Invisible Secrets
- jphide
  Used to extract JPG steganography information. Graphical operation: open the file with the tool, click the Seek button on the toolbar, enter the password, click OK and save as a TXT file.
- steghide (Windows)
  View the information about the file embedded in the image:
```bash
steghide info out.jpg
```
  Extract hidden content protected by a password:
```bash
steghide extract -sf out.jpg -p 123456
```
  Extract hidden content without a password:
```bash
steghide extract -sf out.jpg
```
  Steghide brute force
  Some challenges embed a file with steghide but do not give the password, so it must be brute-forced. steghide itself does not support this, so another tool is needed: github.com/Va5c0/Stegh…
```bash
python steg_brute.py -b -d [dictionary] -f [jpg_file]
```
  Library to install: progressbar
```bash
pip install progressbar2
```
- F5 (matrix encoding)
  (F5 steganography, password required)
  Switch to the F5-steganography directory under Kali and run the Extract class with Java:
```bash
java Extract <absolute path of 123456.jpg> -p 123456
```
- OutGuess (based on frequency-domain transform)
  (Kali steganography + password)
```bash
outguess -k 12345 -r 2.jpg out.txt
```
  -k is followed by the password, -r by the stego image and then the output file (out.txt receives the extracted text)
  Under Windows (F5 jar):
  F:\CTF\CTF tools collection\Steganography\F5\f5-steganography\tests
```bash
java -jar f5.jar e -e msg.txt -p mypasswd -q 70 in.jpg out.jpg
java -jar f5.jar x -e out.txt pic.jpg    # no password required
```
PNG
- Characteristics
  File header identifier (8 bytes): 89 50 4E 47 0D 0A 1A 0A
  End: 00 00 00 49 45 4E 44 AE 42 60 82
- Format
  - IHDR: header chunk. The first chunk in a PNG data stream; a PNG stream can contain only one header chunk.
  - A PNG contains many IDAT chunks, each holding zlib-compressed data. The first IDAT chunk carries the zlib header, such as 78 9C. Data only moves on to a new IDAT chunk when the previous one is full, so an image has only one 78 9C marker.
- Modify the height
  010 Editor
  TweakPNG: when the picture is opened, an IHDR CRC error is displayed, indicating that the dimensions were modified but the CRC value was not.
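Added example, not from the original article: a small PNG chunk parser that performs the checks this section describes. It recomputes the IHDR CRC (the mismatch TweakPNG reports), works out the real height from the length of the inflated IDAT data, and rewrites the height with a correct CRC. It assumes a non-interlaced 8- or 16-bit image and builds its own constructed sample file, so it runs without any image library.

```python
import struct
import zlib

SIG = b"\x89PNG\r\n\x1a\n"
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # colour type -> samples per pixel

def chunks(png):
    # Yield (type, data, stored_crc) for each chunk after the 8-byte signature.
    if png[:8] != SIG:
        raise ValueError("not a PNG")
    pos = 8
    while pos + 12 <= len(png):
        length, ctype = struct.unpack_from(">I4s", png, pos)
        data = png[pos + 8:pos + 8 + length]
        yield ctype, data, struct.unpack_from(">I", png, pos + 8 + length)[0]
        pos += 12 + length

def inspect_ihdr(png):
    # A stored CRC that differs from CRC-32(type + data) is the tell-tale sign
    # of a hand-edited IHDR (the "IHDR CRC error" TweakPNG reports).
    ctype, data, crc = next(chunks(png))
    if ctype != b"IHDR":
        raise ValueError("first chunk is not IHDR")
    width, height = struct.unpack_from(">II", data)
    return {"width": width, "height": height, "crc_ok": zlib.crc32(b"IHDR" + data) == crc}

def true_height(png):
    # Non-interlaced 8/16-bit PNG: the inflated IDAT stream is exactly height
    # rows of (1 filter byte + width * bytes per pixel), so its length gives
    # the real height no matter what IHDR claims.
    data = next(chunks(png))[1]
    width, _, depth, colour = struct.unpack_from(">IIBB", data)
    raw = zlib.decompress(b"".join(d for t, d, _ in chunks(png) if t == b"IDAT"))
    return len(raw) // (1 + width * CHANNELS[colour] * depth // 8)

def set_height(png, height, fix_crc=True):
    # Rewrite the IHDR height; with fix_crc=False the old CRC is kept, which
    # reproduces the broken state seen in challenge files.
    data = bytearray(next(chunks(png))[1])
    struct.pack_into(">I", data, 4, height)
    crc = zlib.crc32(b"IHDR" + bytes(data)) if fix_crc else next(chunks(png))[2]
    return png[:8] + struct.pack(">I", 13) + b"IHDR" + bytes(data) + struct.pack(">I", crc) + png[33:]

def make_sample(width, height):
    # Constructed solid-colour 8-bit RGB PNG, not a file from the page.
    def chunk(t, d):
        return struct.pack(">I", len(d)) + t + d + struct.pack(">I", zlib.crc32(t + d))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    rows = (b"\x00" + b"\x10\x20\x30" * width) * height
    return SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b"")
```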
- LSB steganography
  Hides data in the lowest bit of each channel. Suitable for PNG files (lossless compression) and BMP files (no compression).
  Tools: Stegsolve and zsteg
  Extracting LSB data with Stegsolve: select Extract Preview, then Bit Plane Order and the other options as needed
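Added example (not from the page): a pure-Python LSB extractor that works on the flat pixel sequence Pillow's im.getdata() returns, so it needs no image library to run. The channel order, the bit plane and the MSB-first packing are the same choices Stegsolve's Extract Preview dialog exposes; embed_lsb and sample_cover only build a constructed test image.

```python
import random

def extract_lsb(pixels, channels=(0, 1, 2), bit=0):
    # pixels: flat row-major sequence of (R, G, B) tuples, as Pillow's
    # im.getdata() returns. Read `bit` of each selected channel, pixel by
    # pixel, and pack 8 bits per byte MSB-first into a byte stream.
    bits = [(px[ch] >> bit) & 1 for px in pixels for ch in channels]
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)

def recover_message(pixels, marker=b"flag{"):
    # Typical CTF workflow: dump the LSB stream, then look for a readable flag.
    stream = extract_lsb(pixels)
    start = stream.find(marker)
    end = stream.find(b"}", start) if start >= 0 else -1
    return stream[start:end + 1] if end >= 0 else None

def embed_lsb(pixels, payload, channels=(0, 1, 2)):
    # Test fixture only: write payload bits (MSB-first) into the LSBs so the
    # extractor has a realistic constructed stego image to work on.
    bits = [(byte >> (7 - k)) & 1 for byte in payload for k in range(8)]
    if len(bits) > len(pixels) * len(channels):
        raise ValueError("image too small for payload")
    out, n = [], 0
    for px in pixels:
        px = list(px)
        for ch in channels:
            if n < len(bits):
                px[ch] = (px[ch] & 0xFE) | bits[n]
                n += 1
        out.append(tuple(px))
    return out

def sample_cover(width, height, seed=7):
    # Constructed cover image: deterministic pseudo-random RGB noise.
    rng = random.Random(seed)
    return [(rng.randrange(256), rng.randrange(256), rng.randrange(256))
            for _ in range(width * height)]
```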
- XOR
  1. Analyze the two images with binwalk
  2. Open them in Stegsolve, select Image Combiner and choose XOR
  3. Continue the analysis according to the result after XOR
- zsteg (Kali)
  zsteg can detect steganographic data (LSB steganography, zlib, OpenStego, etc.) in PNG and BMP images. Generally, the files zsteg decrypts are BMP files.
```bash
zsteg <image>
```
  Example output: Hidden data found at extradata:0
```bash
zsteg -e "extradata:0" /home/volcano/Desktop/misc17.png > 1.txt
```
  Then run binwalk -e on 1.txt to separate the data and get the flag
- BlindWaterMark (Kali)
  The first kind: normal BWM
  - Open the folder containing bwm.py (project address) and open a terminal
```bash
# 1.png is the original image without the watermark
# 2.png is the image with the blind watermark
# flag.png is the output image
python bwm.py decode 1.png 2.png flag.png
```
  The second kind: frequency-domain blind watermark
```python
import cv2
import numpy as np
import random
import os
from argparse import ArgumentParser

ALPHA = 5


def build_parser():
    parser = ArgumentParser()
    parser.add_argument('--original', dest='ori', required=True)
    parser.add_argument('--image', dest='img', required=True)
    parser.add_argument('--result', dest='res', required=True)
    # type=float: the value arrives as a string and is used as a divisor below
    parser.add_argument('--alpha', dest='alpha', default=ALPHA, type=float)
    return parser


def main():
    parser = build_parser()
    options = parser.parse_args()
    ori = options.ori
    img = options.img
    res = options.res
    alpha = options.alpha
    if not os.path.isfile(ori):
        parser.error("original image %s does not exist." % ori)
    if not os.path.isfile(img):
        parser.error("image %s does not exist." % img)
    decode(ori, img, res, alpha)


def decode(ori_path, img_path, res_path, alpha):
    ori = cv2.imread(ori_path)
    img = cv2.imread(img_path)
    # The watermark was added in the frequency domain, so the difference of the
    # two spectra divided by alpha gives it back (scrambled).
    ori_f = np.fft.fft2(ori)
    img_f = np.fft.fft2(img)
    height, width = ori.shape[0], ori.shape[1]
    watermark = (ori_f - img_f) / alpha
    watermark = np.real(watermark)
    res = np.zeros(watermark.shape)
    # The encoder shuffled positions with this seed; replay it to undo the shuffle.
    # shuffle() draws differently on Python 2 and 3, so decode with the same
    # major version the encoder used. Python 3 needs lists and integer division.
    random.seed(height + width)
    x = list(range(height // 2))
    y = list(range(width))
    random.shuffle(x)
    random.shuffle(y)
    for i in range(height // 2):
        for j in range(width):
            res[x[i]][y[j]] = watermark[i][j]
    cv2.imwrite(res_path, res, [int(cv2.IMWRITE_JPEG_QUALITY), 100])


if __name__ == '__main__':
    main()
```
  Usage
```bash
python pinyubwm.py --original 1.png --image 2.png --result out.png
```
  If you cannot get a normal image, swap 1.png and 2.png and try again.
- LSB Python script decryption (LSB steganography + password required)
  F:\CTF\CTF tools collection\script\Cloacked-Pixel-master
  Usage
```bash
python lsb.py extract [stego_file] [out_file] [password]
```
- pngcheck (checks IDAT chunks, Windows)
  Open cmd in the folder containing pngcheck.exe
```bash
pngcheck.exe -v 123.png
```
  Checks whether there is a problem with the PNG IDAT chunks. Related write-up: blog.csdn.net/u010391191/…
  For a solving script, see FzWjScJ's blog: www.fzwjscj.xyz/index.php/a…
- Java blind watermark
  Extract with the tool in F:\CTF\CTF tools collection\Steganography\Image steganography
```bash
java -jar .\BlindWatermark.jar decode -c .\flag.png output.png
```
- APNG pictures
  Effectively an animated image like a GIF; split it into frames with apngdis.exe
- If TweakPNG reports many errors when opening the file, use pngDebugger to see whether the errors hide information
GIF
- Characteristics
  Header identifier (6 bytes): 47 49 46 38 39(37) 61, i.e. GIF89a (or GIF87a)
- A GIF consists of multiple images (frames), each with its own metadata (attribute information)
- Timeline steganography: the time intervals between frames are used to hide information (mostly binary 0/1)
BMP
- Characteristics: lossless, uncompressed format
- LSB steganography
- Frequency-domain blind watermark steganography, using MATLAB
WebP
Install (Kali): apt install webp, press Y if prompted
Usage
cwebp, encoder tool: converts PNG to WebP
```bash
cwebp 1.png -o 2.webp
```
dwebp, decoder tool: converts WebP to PNG
```bash
dwebp 1.webp -o 2.png
```
vwebp, viewer tool: views WebP images directly
```bash
vwebp 1.webp
```
webpinfo, format viewer tool: prints the chunk-level structure of a WebP file and performs a basic integrity check
```bash
webpinfo 1.webp
```
Others (gif2webp, img2webp and so on; see the official documentation)
- exiftool (view image EXIF information)
```bash
exiftool 1.jpg                                          # display all information about the picture
exiftool 1.jpg | grep flag                              # check whether the picture's information mentions 'flag'
exiftool *                                              # view all images in this folder
exiftool -b -ThumbnailImage attachment.jpg > flag.jpg   # extract the embedded thumbnail
```
BPG
File header: 42 50 47 FB
Can be viewed online: webencoder.libbpg.org/show.html
Tool script usage
Pillow
An upgraded version of PIL; simple usage below:
```python
from PIL import Image

# Open a PNG image file (note the current working directory)
im = Image.open("file.png")
# Get the image size
w, h = im.size
im.show()
# Save the image in PNG format
im.save("another.png")
# Image processing - resize (returns a new image; the original is unchanged)
small = im.resize((32, 32))
# Image processing - rotate
rotated = im.rotate(90)
# Pixel processing - read the whole image as a flat sequence of pixels
data = list(im.getdata())
# Pixel processing - rebuild the image from a pixel sequence
im.putdata(data)
# Pixel processing - read the RGB value of a single pixel
x, y = 0, 0
im.getpixel((x, y))
# Pixel processing - set the RGB value of a single pixel
im.putpixel((x, y), (0, 0, 0))
copy = im.copy()
# Create a new image of the same size and fill it from a pixel sequence
im = Image.new("RGB", (w, h))
im.putdata(data)
```
Generating a QR code from binary data
The side length of the image is the square root of the length of the binary string
```python
from PIL import Image

s = ""  # the binary string of 0 and 1 characters goes here
# side length = square root of the string length, e.g. 625 bits -> 25 x 25
side = int(len(s) ** 0.5)
im = Image.new("RGB", (side, side))
im.putdata([(255, 255, 255) if i == "1" else (0, 0, 0) for i in s])
im.resize((100, 100)).show()
```
identify
Has the same function as exiftool and displays more information
```bash
identify -verbose pic.png
```
Get specified information:
```bash
identify -format "%[EXIF:copyright] %c\n" pic.png
# copyright can be replaced by another tag
```