Summary of common MISC tools in CTF

1. Steganography

(1) Image steganography

  1. Subtle color differences (the three primary colors RGB of each pixel). Tool: stegsolve

  2. GIF multi-frame hiding. Tools: stegsolve, Photoshop, Fireworks

    (1) Color channel hiding

    (2) Hiding information in different frames

    (3) Hiding revealed by comparing different frames

  3. Exif information hiding. Tool: on Windows, right-click the image and open its properties

  4. Image repair. Tool: winhex

    (1) File header repair

    (2) File tail repair

    (3) CRC check repair

    (4) Width and height repair

  5. Least significant bit (LSB) steganography. Tools: stegsolve, zsteg, wbstego4

  6. Image steganography detection and embedding tools: Stegdetect, OutGuess, JPHide, F5

(1) file command

Use it when a file has no suffix, or when the file cannot be opened even though it has one. Identify the real file type with file, change the suffix to match the recognized type, and the file will open normally.

file  myheart
file  filejpj

(2) winhex

Inspect the first bytes of the file to identify its type, then check the header and the file tail against the known signatures for that type.

File type          File header    End of file    Feature
JPEG (jpg)         FF D8 FF       FF D9          ÿØÿà
PNG (png)          89 50 4E 47    AE 42 60 82    .PNG...
GIF (gif)          47 49 46 38    00 3B          GIF89a
ZIP Archive (zip)  50 4B 03 04    50 4B          PK..

(3) zsteg analysis

zsteg pic -a                                   # list every available channel/bit combination
zsteg -E <combination> oldpicname newpicname   # extract the payload of the named combination

(4) stegsolve

(1) When two jpg images have essentially the same appearance, size and pixels, consider combined analysis, that is, performing XOR, ADD and SUM operations on the two images.

Stegsolve menu: Analyse > Image Combiner

(2) Image LSB steganography

Stegsolve menu: Analyse > Data Extract

(5) Python script

LSB.py
import PIL.Image

def foo(path):
    # Open the image and work on a grayscale copy so that each pixel is a single
    # integer rather than an RGB tuple (the bitwise AND below needs an int)
    im = PIL.Image.open(path).convert("L")
    im2 = im.copy()
    pix = im2.load()
    width, height = im2.size
    for x in range(0, width):
        for y in range(0, height):
            # Keep only the least significant bit: LSB 1 -> black, LSB 0 -> white
            if pix[x, y] & 0x1 == 1:
                pix[x, y] = 0
            else:
                pix[x, y] = 255
    im2.show()

if __name__ == '__main__':
    foo("image path")   # replace with the path of the image to analyse
    print('ok')

(6) TweakPNG

A PNG viewing and chunk-editing tool. When the file header is intact but the image still cannot be opened, the cause may be a CRC check error; try opening the file with TweakPNG, which reports the chunk whose CRC does not match.
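The CRC check and width/height repair items above can be reproduced without a GUI. The following is an added example (not code from the original post): it builds a small constructed PNG, verifies the IHDR chunk CRC exactly as TweakPNG does, and, when the CRC does not match, searches for the height value that reproduces the stored CRC, which is the usual fix when an image's dimensions have been shrunk to hide its bottom rows. All function names are this example's own.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"  # 89 50 4E 47 0D 0A 1A 0A: the PNG header from the table above

def chunk(ctype, body):
    """Encode one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def make_png(width, height):
    """Constructed test input: a minimal valid 8-bit grayscale PNG of zero pixels."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    rows = b"".join(b"\x00" + bytes(width) for _ in range(height))  # filter byte + pixels
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b"")

def check_ihdr(data):
    """Return (width, height, stored_crc, computed_crc) for the IHDR chunk (fixed 13-byte body)."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG, header is " + data[:8].hex())
    body = data[16:29]                            # IHDR body: width, height, depth, color type, ...
    stored = struct.unpack(">I", data[29:33])[0]   # CRC written in the file
    computed = zlib.crc32(b"IHDR" + body) & 0xFFFFFFFF
    width, height = struct.unpack(">II", body[:8])
    return width, height, stored, computed

def repair_height(data, max_height=5000):
    """If the IHDR CRC mismatches, search for the height that makes it match and patch it in."""
    _, height, stored, computed = check_ihdr(data)
    if stored == computed:
        return data, height                       # nothing to repair
    body = bytearray(data[16:29])
    for h in range(1, max_height + 1):
        body[4:8] = struct.pack(">I", h)          # height field is bytes 4..7 of the IHDR body
        if zlib.crc32(b"IHDR" + bytes(body)) & 0xFFFFFFFF == stored:
            return data[:16] + bytes(body) + data[29:], h
    raise ValueError("no height up to %d reproduces the stored CRC" % max_height)

def demo():
    """Shrink the height of a good PNG but keep its CRC, then recover the real height."""
    good = make_png(4, 30)
    tampered = good[:20] + struct.pack(">I", 10) + good[24:]   # height field sits at file bytes 20..23
    _, _, stored, computed = check_ihdr(tampered)
    fixed, real_height = repair_height(tampered)
    return stored != computed, real_height, fixed == good
```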

(2) Audio steganography

  1. Information is hidden in the sound itself or in the file data

  2. Tools: MP3stego, Audition, Matlab

(3) Video steganography

  1. The file is hidden in one or more frames of the video

  2. Tools: Premiere, VideoStudio

(4) File separation

  1. Tools: binwalk, dd, foremost, winhex

chmod 777 picture.png grants full read, write and execute permission on the image file

Tool usage

(1) binwalk tool

Binwalk is a Linux tool for analyzing and separating files. It quickly identifies whether a file is composed of multiple files and extracts them.

binwalk  filename      # analyze the file
binwalk  -e  filename  # extract the embedded files

(2) foremost tool

If binwalk cannot separate the file, use foremost: copy the target file to Kali and run foremost on it. After it finishes, the output directory we specified is created next to the target file, and the separated files are sorted by file type inside it.

foremost  filename  -o  <output directory>   # name of the output directory

(3) dd separation

When automatic separation fails, or cannot be used for some other reason, use dd to separate the files manually.

dd  if=<source file>  of=<target file>  bs=1  skip=<number of bytes before the hidden file>

if=file     # input file name

of=file     # output file name

bs=bytes    # set both the read and write block size to bytes (replaces ibs and obs)

skip=blocks # skip blocks blocks from the beginning of the input file before copying starts
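As an added example (not from the original post) tying the header table above to the binwalk and dd steps: a small signature scanner that finds the JPEG, PNG, GIF and ZIP headers from the table inside a constructed container, carves each embedded file out up to its trailer (or the next header), and prints the equivalent manual dd command with bs=1. SIGNATURES, scan, carve and dd_command are names chosen for this example.

```python
import re

# Header and trailer signatures from the table above, as raw bytes
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),   # FF D8 FF ... FF D9
    "png": (b"\x89PNG", b"\xaeB`\x82"),      # 89 50 4E 47 ... AE 42 60 82 (CRC of the IEND chunk)
    "gif": (b"GIF8", b"\x00\x3b"),           # 47 49 46 38 ... 00 3B
    "zip": (b"PK\x03\x04", None),            # 50 4B 03 04; no fixed trailer, runs to the next header or EOF
}

def scan(data):
    """All (offset, type) header hits in the blob, sorted by offset, like a plain `binwalk file`."""
    hits = []
    for ftype, (head, _) in SIGNATURES.items():
        for m in re.finditer(re.escape(head), data):
            hits.append((m.start(), ftype))
    return sorted(hits)

def carve(data):
    """Cut the blob into embedded files as (type, offset, length, bytes), like `binwalk -e`."""
    hits = scan(data)
    pieces = []
    for i, (start, ftype) in enumerate(hits):
        limit = hits[i + 1][0] if i + 1 < len(hits) else len(data)  # never run into the next header
        head, tail = SIGNATURES[ftype]
        end = limit
        if tail is not None:
            pos = data.find(tail, start + len(head), limit)
            if pos != -1:
                end = pos + len(tail)                                 # stop right after the trailer
        pieces.append((ftype, start, end - start, data[start:end]))
    return pieces

def dd_command(src, dst, offset, length):
    """The manual dd equivalent of one carve (bs=1, so skip and count are byte counts)."""
    return f"dd if={src} of={dst} bs=1 skip={offset} count={length}"

# Constructed sample container: junk, a JPEG-like blob, padding, a PNG-like blob, then a ZIP local header
SAMPLE = (b"junk-junk"
          + b"\xff\xd8\xff\xe0JFIF-bytes\xff\xd9"
          + b"\x00\x00"
          + b"\x89PNG\r\n\x1a\nIHDR-and-IDAT...IEND\xaeB`\x82"
          + b"PK\x03\x04zip-local-header-and-data")

if __name__ == "__main__":
    for ftype, offset, length, _ in carve(SAMPLE):
        print(ftype, offset, length, dd_command("container.bin", "carved." + ftype, offset, length))
```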

(5) File merge

Tool usage

(1) cat merge (Linux)

cat  <files to merge>  >  <output file>
cat chap1 chap2 chap3 chap4  > 1.txt

(2) copy merge (Windows)

copy  /B   <files to merge>  <output file>
copy  /B   chap1+chap2+chap3+chap4  <output file name>

Integrity check

certutil   -hashfile  <image name>.png  md5

(6) Compressed file analysis

1. Encryption and brute force cracking

ARCHPR (zip)

If the first three characters are known to be abc, enter the mask abc??? for the brute force attack.

Pseudo-encryption:

(1) Zip pseudo-encryption

For zip pseudo-encryption, open the archive with winhex, find the ninth and tenth characters in the file header, and change them to 0000.
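An added example (not from the original post) that does the winhex edit programmatically: it builds a constructed one-entry zip, sets the encryption bit (bit 0 of the general-purpose flag, at offset 6 of each local file header and offset 8 of each central directory header) without touching the data, shows that the standard zipfile module then demands a password, checks that the deflate stream still inflates (the sign of pseudo-encryption), and clears the bit again. Function names are this example's own.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"    # 50 4B 03 04: local file header (general-purpose flag at +6)
CENTRAL_SIG = b"PK\x01\x02"  # 50 4B 01 02: central directory header (flag at +8)
ENCRYPTED = 0x0001           # bit 0 of the flag field: "entry is encrypted"

def make_zip(name, payload):  # constructed test input: one deflated entry, no password
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()

def flag_offsets(data):  # offsets of every flag field, local headers and central directory
    offs = []
    for sig, delta in ((LOCAL_SIG, 6), (CENTRAL_SIG, 8)):
        pos = data.find(sig)
        while pos != -1:
            offs.append(pos + delta)
            pos = data.find(sig, pos + 4)
    return offs

def patch_encryption_flag(data, enable):
    """Set bit 0 in every flag field (enable=True, the pseudo-encryption trick) or clear it."""
    out = bytearray(data)
    for off in flag_offsets(data):
        flag = struct.unpack_from("<H", out, off)[0]
        struct.pack_into("<H", out, off, flag | ENCRYPTED if enable else flag & ~ENCRYPTED)
    return bytes(out)

def is_pseudo_encrypted(data):
    """True when a flag claims encryption but the first entry's deflate stream still inflates."""
    if not any(struct.unpack_from("<H", data, off)[0] & ENCRYPTED for off in flag_offsets(data)):
        return False
    pos = data.find(LOCAL_SIG)
    _, _, _, method, _, _, _, csize, _, nlen, elen = struct.unpack_from("<4sHHHHHIIIHH", data, pos)
    body = data[pos + 30 + nlen + elen:][:csize]
    try:
        if method == 8:
            zlib.decompress(body, -15)  # raw deflate; a truly encrypted entry fails here
        return True
    except zlib.error:
        return False

def opens_with_zipfile(data):  # what an ordinary unzipper sees: entry bytes, or None if a password is demanded
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.read(zf.namelist()[0])
    except (RuntimeError, zipfile.BadZipFile):
        return None
```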

(2) RAR pseudo-encryption

Because a RAR file has header verification, an error appears when a pseudo-encrypted archive is opened. If the error disappears and the file decompresses normally after the flag is changed with winhex, the archive was pseudo-encrypted. Open the RAR file with winhex and find the 24th byte: a last hex digit of 4 means encrypted and 0 means not encrypted. Change that digit to 0 to break the pseudo-encryption.

2. Traffic analysis

Mainly includes traffic packet repair, protocol analysis, and data extraction

Wireshark network analyzer

Wireshark's powerful display filters let us pick out exactly the packets we want.

Commonly used filter expressions

1. Filter IP

ip.src eq x.x.x.x or ip.dst eq x.x.x.x
ip.addr eq x.x.x.x

2. Filter port

tcp.port eq 80 or udp.port eq 80
tcp.dstport == 80  # show only TCP packets whose destination port is 80
tcp.srcport == 80  # show only TCP packets whose source port is 80
tcp.port >= 1  and tcp.port <=80

3. Filtering protocol

tcp/udp/arp/icmp/http/ftp/dns/ip...

4. Filter MAC

eth.dst == A0:00:00:04:C5:84  # filter by destination MAC address

5. Packet length filtering

udp.length == 26  # UDP length: the fixed 8-byte UDP header plus the UDP payload
tcp.len >= 7      # TCP payload length (the data below TCP), not counting the TCP header itself
ip.len == 94      # everything except the fixed 14-byte Ethernet header, i.e. from the IP header to the end
frame.len == 119  # the whole frame length, from the Ethernet header to the end

6. HTTP filtering

http.request.method == "GET"
http.request.method == "POST"
http.request.uri == "/img/logo-edu.gif"
http contains "GET"
http contains "HTTP/1."
http contains "flag"
http contains "key"
tcp contains "flag"

SMTP protocol

SMTP is a protocol for reliable and efficient email transmission. SMTP is an email service built on the FTP file transfer service; it is mainly used to transfer email between systems and to provide notifications of incoming mail. SMTP is independent of any particular transmission subsystem and only requires a reliable, ordered data stream channel. One of its important features is the ability to relay mail across networks ("SMTP mail relay"): with SMTP, mail can be transferred between processes on the same network, and between a process and other networks through a relay or gateway.


Origin blog.csdn.net/m0_64118193/article/details/125264900