Data Hiding Technical Notes

                               Steganographic Notes

Summary: http://blog.sina.com.cn/s/blog_16edef0190102xkf1.html

Data hiding falls into two categories: replacement and insertion.

Appended insertion: a normal JPEG file ends with the End Of Image (EOI) marker, the two bytes 0xFF 0xD9.

     Image viewers ignore everything after the EOI marker, so data can be appended there.

     Insertion between segments:

The file is divided into regions by file identifiers (markers) that describe the layout and other details of the file; data can be inserted between those regions.

The principle of image hiding: LSB stands for Least Significant Bit. Each pixel of an image is generally composed of three primary colors (red, green and blue), which combine to form every other color. In a PNG image, for example, each color channel is stored in 8 bits. LSB steganography modifies the lowest bit of each channel value; the change is indistinguishable to the human eye, and the information is hidden in those bits.

Data is hidden by changing the last bit (the least significant bit) of each byte. The specific implementation process is shown in the figure.

(Wbstego4open tool)
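The LSB principle above, as an added example that is not part of the original notes: it embeds and extracts a message in the lowest bit of a sequence of 8-bit channel values (decoding a real PNG to its raw RGB bytes first, e.g. with Pillow, is assumed), and checks that no channel value moves by more than 1.

```python
# Added example (not from the original notes): the LSB principle on a raw
# sequence of 8-bit colour channel values. Decoding a real PNG to its RGB
# bytes (e.g. with Pillow) is assumed to happen before calling this.

def _bits(data: bytes):
    """Yield the bits of data, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1

def lsb_embed(channels: bytes, message: bytes) -> bytes:
    """Hide message in the least significant bit of successive channel values.

    A 32-bit big-endian length prefix is written first so the extractor
    knows where the message ends.
    """
    payload = len(message).to_bytes(4, "big") + message
    if len(payload) * 8 > len(channels):
        raise ValueError("cover too small for payload")
    out = bytearray(channels)
    for i, bit in enumerate(_bits(payload)):
        out[i] = (out[i] & 0xFE) | bit   # clear the LSB, then set it to bit
    return bytes(out)

def lsb_extract(channels: bytes) -> bytes:
    """Recover a message written by lsb_embed."""
    def read_int(n_bytes: int, offset: int) -> int:
        value = 0
        for i in range(offset, offset + n_bytes * 8):
            value = (value << 1) | (channels[i] & 1)
        return value
    if len(channels) < 32:
        raise ValueError("cover too small for a length prefix")
    length = read_int(4, 0)
    if 32 + length * 8 > len(channels):
        raise ValueError("length prefix exceeds cover size: not an LSB payload")
    return read_int(length, 32).to_bytes(length, "big")

def max_change(cover: bytes, stego: bytes) -> int:
    """Largest per-channel difference; LSB embedding never exceeds 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))

if __name__ == "__main__":
    # Constructed cover: 64 pixels x 3 channels of synthetic colour values.
    cover = bytes((i * 37 + 11) % 256 for i in range(64 * 3))
    stego = lsb_embed(cover, b"hi")
    print(lsb_extract(stego), max_change(cover, stego))
```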

Audio hiding principle:

 

Hiding an archive inside a picture (appended insertion): copy /b <picture> + <archive> <picture with the archive hidden>

Hiding information in an HTML file (snow tool):

Hide: snow.exe -C -m "hidden content" -p "password" <input file> <output file>

View: snow -C -p "password" <output file>

Hiding data on Android mobile devices:

Stegdroid tool (download from the Android market):

Ogg: the full name is Ogg Vorbis, an audio compression format similar to MP3 and other music formats. Ogg is completely free, open and patent-free. Ogg Vorbis files have the extension ".ogg". The Ogg file format can be continually improved in file size and sound quality without affecting legacy encoders or players.

Data hiding on Windows:

Alternate data streams:

https://blog.csdn.net/xiaoxuetu_/article/details/77318670

NTFS data streams (ADS):

This is a feature of the NTFS file system. Under NTFS, each file can have multiple data streams: in addition to the main (unnamed) stream, a file can carry many additional named streams attached to it. They hold file-related information in the manner of resource forks; although we cannot see them in the normal file listing, they really exist.

1. Use NTFS to hide a text file:

  1. Create a text document: notepad filename.txt

     Create an alternate data stream attached to the original file: notepad filename.txt:datastreamfilename.txt

     View the data stream file just created: notepad filename.txt:datastreamfilename.txt

  2. echo hidden content >> filename.txt:datastreamfilename.txt

     View the data stream file just created: notepad filename.txt:datastreamfilename.txt

  3. Attach an existing file to another file or folder as a data stream:

     type parasitefile.txt >> hostfile.txt:parasitefile.txt

     View it the same way as in step 2.

Hide a picture using an NTFS data stream:

  A picture can be hidden on any kind of file: a text document (.txt), an executable (.exe) or a folder.

  Run from the root directory:

  type imagename.jpg >> hostfile:imagename.jpg

  View: (using the system's own paint program, mspaint) mspaint hostfile:imagename.jpg

Detect hidden streams:

   Put lads.exe in the directory to be checked and run: lads.exe <root directory>

   Check the root directory and all of its subdirectories: lads.exe <root directory> /S

Remove hidden data streams:

   Remove the data streams in the root directory: streams.exe -d <root directory>

   Remove all data streams under the root directory, recursively: streams.exe -s -d <root directory>

2. Hiding in shadow copies: shadow copies can be kept for at least six months.

Use the vssadmin command to manage shadow copies.

Copy the cmd.exe file and create a new system restore point for it: My Computer -> Properties -> System Protection -> Create

Use vssadmin list shadows to view the list of all shadow copies.

Use del cmd.exe to delete the file.

Create a directory symbolic link to the shadow copy with the mklink command: mklink /D <link directory> <shadow copy volume path>\ (the trailing backslash is required)

The cmd.exe kept in the shadow copy is not visible, but it can still be executed:

wmic process call create \\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\cmd.exe

Hiding information in VMware images:

Hide: place the picture to be hidden and the *.vmdk file in the dsfok directory, then run

      dsfi *.vmdk - <picture size> <picture size> <picture to hide>

View: dsfo *.vmdk - <picture size> <picture size> <output picture name>

Steghide tool (in JPEG it hides one byte in every 17 bytes; BMP, WAV and AU are also supported):

Embed: steghide embed -cf picture.jpg -ef secret.txt    (embed the file secret.txt into picture.jpg)

Inspect: steghide info picture.jpg    (detect whether a .txt file is embedded in the picture)

Extract: steghide extract -sf picture.jpg    (recover the .txt file hidden in the picture; the passphrase used when embedding must be entered)

  MP3Stego tools

 Example 1: http://www.shiyanbar.com/ctf/1928

          Open the link to get a QR code; the scan result is:

\u7f8a\u7531\u5927\u4e95\u592b\u5927\u4eba\u738b\u4e2d\u5de5

        Decode the Unicode escapes.

        The result turns out to be a pawnshop cipher; decoding it gives the key 9158753624.

        Save the original QR code image locally and add the .rar suffix.

        Use the MP3Stego command Decode -X -P <key> <audio file name> to get a txt file.

        Decode the string with base64 to get the CTF flag.

Example 2: http://www.shiyanbar.com/ctf/2010

1. Restore the missing file header: FF D8 FF

2. Use Cool Edit to decode the Morse code: letusgo

3. Use that password to open the second layer ("hell"), and follow the prompt to find the word steganography (image steganography).

4. Use the web tool http://www.atool.org/steganography.php to solve it: key{you are in finally hell now}

5. Use this password to open the last layer of text documents:

   converting to ASCII gives ruokouling;

6. Try weak passwords and find that the password is Password; after opening, the content is VTJGc2RHVmtYMTlwRG9yWjJoVFArNXcwelNBOWJYaFZlekp5MnVtRlRTcDZQZE42elBLQ01BPT0=

7. Decode with base64 to get:

U2FsdGVkX19pDorZ2hTP+5w0zSA9bXhVezJy2umFTSp6PdN6zPKCMA==

Rabbit decryption gives: fxbqrwrvnwmngrjxsrnsrnhx

Caesar decryption (http://www.zjslove.com/3.decode/kaisa/index.html):

 Flag: woshinimendexiaojiejieyo

Several common image formats:

PNG: an image file (or data stream) consists of an 8-byte PNG file signature (the file header) followed by three or more data blocks (chunks) organized according to a specific structure.

PNG defines two types of chunk: critical chunks (required) and ancillary chunks (optional):

Critical chunks:

Ancillary chunks:

Detailed introduction: https://baike.baidu.com/item/png/174154?fr=aladdin
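The PNG layout just described, as an added example that is not part of the original notes: a small parser that checks the 8-byte signature, walks the chunks, verifies each chunk's CRC, classifies it as critical or ancillary from the case of its type name, and reports any bytes appended after IEND. The image it parses is a constructed 1x1 PNG built inline.

```python
# Added example (not from the original notes): parse the PNG layout described
# above (8-byte signature followed by chunks), check each chunk's CRC, classify
# it as critical or ancillary, and report any bytes after IEND. The image is a
# constructed 1x1 PNG built inline, not a file from the notes.
import struct
import zlib

SIGNATURE = b"\x89PNG\r\n\x1a\n"

def make_chunk(ctype: bytes, body: bytes) -> bytes:
    """Chunk layout: 4-byte length, 4-byte type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def parse_png(data: bytes):
    """Return ([(type, length, is_critical, crc_ok), ...], bytes_after_iend)."""
    if data[:8] != SIGNATURE:
        raise ValueError("missing PNG signature")
    chunks, pos = [], 8
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        if pos + 12 + length > len(data):
            raise ValueError(f"truncated chunk at offset {pos}")
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        crc_ok = crc == (zlib.crc32(ctype + body) & 0xFFFFFFFF)
        # Case of the first type letter: upper case = critical, lower = ancillary
        critical = not (ctype[0] & 0x20)
        chunks.append((ctype.decode("ascii"), length, critical, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            return chunks, data[pos:]
    raise ValueError("no IEND chunk")

def build_sample(appended: bytes = b"") -> bytes:
    """Constructed 1x1 RGB PNG with one ancillary tEXt chunk."""
    ihdr = make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
    text = make_chunk(b"tEXt", b"Comment\x00constructed sample")
    # One scanline: filter byte 0 followed by a single RGB pixel
    idat = make_chunk(b"IDAT", zlib.compress(b"\x00\x10\x20\x30"))
    return SIGNATURE + ihdr + text + idat + make_chunk(b"IEND", b"") + appended

if __name__ == "__main__":
    chunks, trailing = parse_png(build_sample(b"PK\x03\x04 constructed payload"))
    print(chunks, trailing)
```

A chunk whose CRC fails, or bytes after IEND, are the first things to look at when a PNG is suspected of carrying inserted data.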

JPG: its basic data structure has two kinds of element: "segments" and the compressed-encoded image data.

       There are 30 segment types, but only 10 must be recognized by all programs; the other types can be ignored.

       Detailed introduction: https://blog.csdn.net/STN_LCD/article/details/78629029
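The JPEG segment structure just described, together with the "append after EOI" and copy /b methods from the start of these notes, as an added example that is not part of the original notes: a walker that follows each segment by its declared length, skips the entropy-coded scan data, and returns whatever bytes follow the real EOI marker. The sample JPEG is constructed by hand; its APP1 segment carries a fake EXIF thumbnail with its own FF D9, which is why a plain byte search for the EOI marker is not enough.

```python
# Added example (not from the original notes): walk a JPEG's marker segments
# and report the bytes left after the EOI marker (FF D9), where the
# "append after EOI" and "copy /b picture + archive" methods put a payload.
# The constructed sample carries an EXIF-style thumbnail with its own EOI.
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
RST = set(range(0xD0, 0xD8))        # restart markers carry no length field
SCAN_SKIP = RST | {0x00}            # ...and FF 00 is a stuffed data byte

def jpeg_segments(data: bytes):
    """Return ([(marker, offset, size), ...], bytes_after_eoi)."""
    if data[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG: missing SOI")
    segs, pos = [(SOI, 0, 2)], 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                # fill byte before a marker
            pos += 1
            continue
        if marker == EOI:
            segs.append((EOI, pos, 2))
            return segs, data[pos + 2:]
        if marker in RST or marker == 0x01:   # standalone: RSTn, TEM
            segs.append((marker, pos, 2))
            pos += 2
            continue
        if pos + 4 > len(data):
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        segs.append((marker, pos, length + 2))
        pos += length + 2
        if marker == SOS:
            # Entropy-coded data follows; stop at the first real marker.
            while pos + 1 < len(data) and not (
                    data[pos] == 0xFF and data[pos + 1] not in SCAN_SKIP):
                pos += 1
    raise ValueError("no EOI marker found")

def build_sample(appended: bytes = b"") -> bytes:
    """Constructed minimal JPEG: APP0, APP1 with a fake thumbnail, SOS, EOI."""
    app0 = b"\xFF\xE0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    thumb = b"Exif\x00\x00" + b"\xFF\xD8\xFF\xD9"   # embedded EOI inside APP1
    app1 = b"\xFF\xE1" + struct.pack(">H", len(thumb) + 2) + thumb
    sos = b"\xFF\xDA" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3F\x00"
    scan = b"\x12\xFF\x00\x34\xFF\xD0\x56"           # stuffed FF and RST0
    return b"\xFF\xD8" + app0 + app1 + sos + scan + b"\xFF\xD9" + appended
```

Any non-empty second return value is data a viewer never renders, which is exactly the appended-insertion case; a file that ends with an archive signature such as PK after EOI is the copy /b trick.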

BMP:

The data of a BMP file is divided into four parts, in order from the file header:

https://blog.csdn.net/u012877472/article/details/50272771
