Advanced Network Security Learning, Lesson 20: CTF File Operations and Steganography


1. File type identification

1. File command

------ When a file has no extension, or has one but still cannot be opened, identify its real type first and then rename it with the matching extension so that it opens normally.

Usage scenario: the file has a missing or unknown suffix and cannot be opened.
Format: file myheart
In the screenshot the command reports that myheart is a PCAP capture file. The file command decides from the magic bytes at the start of the file, not from the extension.

2. WinHex

------ WinHex shows the raw bytes of a file. The first few bytes (the file header, or magic number) identify the format, for example 89 50 4E 47 for PNG, FF D8 FF for JPEG and 50 4B 03 04 for ZIP, so the type can be read off directly.

Usage scenario: determine the file type from the header bytes under Windows.

3. The file header is incomplete/wrong

------ When a file of a known type will not open, there are usually two causes: the file header is missing (incomplete), or one of the header fields has been altered.

------ If the header is missing, open the file in WinHex and insert the correct header bytes for that format at the start. If a header field is wrong, open a known-good file of the same type, compare the two headers byte by byte, and copy the correct bytes over the damaged ones.

Usage scenario: the header is incomplete or a header field is wrong and the file will not open.
Format: file filename (run it again after the repair to confirm the type is now recognized)
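The signature check that file and WinHex perform, together with the header repair described in step 3, as an added Python example that is not part of the original lesson. The signature table, the body markers and the sample damaged PNG are constructed here; a real challenge file would be read with open(path, "rb").

```python
import struct

# Magic-number table: (signature bytes, offset at which it must appear,
# description, suffix). The formats that turn up most often in CTF tasks.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", 0, "PNG image", "png"),
    (b"\xff\xd8\xff", 0, "JPEG image", "jpg"),
    (b"GIF87a", 0, "GIF image", "gif"),
    (b"GIF89a", 0, "GIF image", "gif"),
    (b"BM", 0, "BMP image", "bmp"),
    (b"PK\x03\x04", 0, "ZIP archive", "zip"),
    (b"Rar!\x1a\x07", 0, "RAR archive", "rar"),
    (b"7z\xbc\xaf\x27\x1c", 0, "7-Zip archive", "7z"),
    (b"%PDF", 0, "PDF document", "pdf"),
    (b"\xd4\xc3\xb2\xa1", 0, "pcap capture (little-endian)", "pcap"),
    (b"\xa1\xb2\xc3\xd4", 0, "pcap capture (big-endian)", "pcap"),
    (b"\x0a\x0d\x0d\x0a", 0, "pcapng capture", "pcapng"),
]

# Markers deeper in the file that survive when only the leading bytes were
# damaged: (marker, offset of the marker, header bytes to restore, description).
BODY_MARKERS = [
    (b"IHDR", 12, b"\x89PNG\r\n\x1a\n", "PNG image"),  # PNG: IHDR chunk type at 12..15
    (b"JFIF", 6, b"\xff\xd8\xff\xe0", "JPEG image"),   # JPEG: APP0 identifier at 6..9
    (b"Exif", 6, b"\xff\xd8\xff\xe1", "JPEG image"),   # JPEG: APP1 identifier at 6..9
]


def identify(data):
    """Return (description, suffix) for the first signature that matches, or None.
    Like the file command, this looks at the bytes, not the extension."""
    for sig, off, desc, suffix in SIGNATURES:
        if data[off:off + len(sig)] == sig:
            return desc, suffix
    return None


def repair_header(data):
    """If the magic bytes are damaged but a later marker still identifies the
    format, return a copy with the correct header written back; otherwise None."""
    if identify(data) is not None:
        return None  # header already intact, nothing to repair
    for marker, off, header, _desc in BODY_MARKERS:
        if data[off:off + len(marker)] == marker:
            return header + data[len(header):]
    return None


def sample_damaged_png():
    """Constructed test input: a PNG whose 8 signature bytes were zeroed, the way
    a challenge file often arrives. Returns (damaged, original)."""
    ihdr = struct.pack(">I", 13) + b"IHDR" + b"\x00" * 13 + b"\x00" * 4
    good = b"\x89PNG\r\n\x1a\n" + ihdr
    return b"\x00" * 8 + good[8:], good


if __name__ == "__main__":
    damaged, good = sample_damaged_png()
    print("damaged :", identify(damaged))               # None
    fixed = repair_header(damaged)
    print("repaired:", identify(fixed), fixed == good)  # ('PNG image', 'png') True
```

When identify() returns None, repair_header() is the programmatic form of the WinHex fix: it only rewrites the leading bytes and leaves everything after the header untouched.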


2. File separation operation

------ If you suspect a file is actually several files joined together, open it in WinHex and search for signature strings such as PK (the start of a ZIP local file header, 50 4B 03 04) or for file names that do not belong to the visible file. In the screenshot the second file's signature appears in the middle of the data.

1. Binwalk tool

------ Binwalk is a Linux tool for analyzing and separating files. It scans for embedded file signatures, so it can quickly tell whether a file is made of several files, and it can carve them out. When extraction succeeds, a folder named _filename.extracted is created in the directory of the target file and contains the separated files.

------ Binwalk also unpacks any archive it finds while extracting. If the archive is password-protected, the unpacking fails and only an empty file is left behind, so check the contents of the extracted folder rather than trusting the output.

  • As an ordinary user:
    Analyze the file: binwalk filename
    Separate (extract) the file: binwalk -e filename

  • As the root user:
    Analyze the file: binwalk filename --run-as=root
    Separate the file: binwalk -e filename --run-as=root
    Binwalk refuses to extract while running as root unless this option is given, because extraction runs third-party unpackers on untrusted input and doing that as root is considered dangerous on a Linux system.

2. Foremost

------ If binwalk cannot separate the file correctly, copy the target file to Kali and run foremost on it. After it finishes, the output directory you named is created next to the target file; the carved files are sorted into subdirectories by type (jpg, png, zip, ...) and audit.txt lists what was found.

  • Usage:
    foremost filename -o output_directory

3. dd

------ When the automatic tools cannot separate a file, you can cut it apart by hand with the dd command.
------ Binwalk and foremost can only separate hidden files whose blocks are stored contiguously and in order; they cannot reassemble a file whose blocks have been scattered.

  • Example:
    ------ Two files are hidden inside one container, file 1 and file 2. Each is split into two blocks: 1a and 1b, 2a and 2b.
    ------ If the blocks are stored in the order 1a, 1b, 2a, 2b, binwalk and foremost can separate them. If the order is 1a, 2a, 1b, 2b, the pieces of each file are no longer contiguous and binwalk and foremost fail; dd can copy out each block by offset so the files can be put back together.

  • Format:
    dd if=source_file of=target_file bs=bytes_per_block count=number_of_blocks skip=blocks_to_skip

    • Parameter description:
      if=file #input file; defaults to standard input
      of=file #output file; defaults to standard output
      bs=bytes #block size used for both reading and writing (sets ibs and obs together); skip and count are measured in these blocks
      count=blocks #number of blocks to copy
      skip=blocks #number of blocks to skip at the start of the input before copying begins
  • Usage demonstration:
    Create a file named 123 with some known content, then enter the command:
    dd if=123 of=aa bs=5 count=1
    A new file aa appears in the current directory; opening it shows the first 5 bytes of 123. To take the next 5 bytes instead, add skip=1; the starting byte offset is always bs multiplied by skip.

4. WinHex

------ Besides dd, you can separate files by hand with WinHex. Drag the target file into WinHex, select the byte range that needs to be separated, and copy it.

Usage scenario: manually separate files under Windows with WinHex.
------ Select the required range (mark the block start and end), copy it, create a new file, paste the copied bytes into it, and save it with the extension that matches its header.
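An added Python example, not from the original lesson, of the separation workflow in this section: find an embedded ZIP by its PK signature the way WinHex or binwalk would, carve it out at that byte offset with dd's bs/skip/count semantics, and rebuild a file whose blocks were stored in the 1a, 2a, 1b, 2b order described under dd. The container and the scattered blocks are constructed inside the script; function names are this example's own.

```python
import io
import zipfile


def dd_copy(data, bs, skip=0, count=None):
    """Mirror `dd if=... bs=BS skip=SKIP count=COUNT` on an in-memory buffer:
    start at byte bs*skip and copy bs*count bytes (to the end when count is None)."""
    start = bs * skip
    end = None if count is None else start + bs * count
    return data[start:end]


def find_all(data, signature):
    """Offsets of every occurrence of a signature, e.g. b'PK\\x03\\x04' for ZIP."""
    offsets, pos = [], data.find(signature)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(signature, pos + 1)
    return offsets


def reassemble(data, bs, block_indices):
    """Rebuild a file whose blocks were scattered: copy each listed block with dd
    semantics (skip=index, count=1) and join them in the order given."""
    return b"".join(dd_copy(data, bs, skip=i, count=1) for i in block_indices)


def constructed_container():
    """Constructed sample: a 64-byte PNG-like stub followed by a ZIP holding flag.txt."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("flag.txt", b"flag{carved_with_dd}")
    stub = b"\x89PNG\r\n\x1a\n" + b"\x00" * 56
    return stub + buf.getvalue()


def carve_zip_flag(container):
    """Locate the embedded ZIP by its local file header signature and carve it out
    from that offset, exactly like `dd if=container of=out.zip bs=1 skip=<offset>`."""
    offsets = find_all(container, b"PK\x03\x04")
    if not offsets:
        return None
    carved = dd_copy(container, bs=1, skip=offsets[0])
    with zipfile.ZipFile(io.BytesIO(carved)) as zf:
        return zf.read("flag.txt")


def constructed_scattered():
    """Constructed sample of the 1a, 2a, 1b, 2b layout from the text: four 8-byte blocks."""
    return b"file1-aa" + b"file2-aa" + b"file1-bb" + b"file2-bb"


if __name__ == "__main__":
    container = constructed_container()
    print(find_all(container, b"PK\x03\x04"))   # [64]
    print(carve_zip_flag(container))            # b'flag{carved_with_dd}'
    scattered = constructed_scattered()
    print(reassemble(scattered, 8, [0, 2]))     # file 1 = blocks 0 and 2
    print(reassemble(scattered, 8, [1, 3]))     # file 2 = blocks 1 and 3
```

The scattered case is the one binwalk and foremost cannot handle: each file is two non-adjacent blocks, so the only way back is to know (or guess) the block size and the order, which reassemble() expresses as a list of block indices.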


3. File merging operation

1. File merging under Linux

Usage scenario: under Linux, merge a set of parts with similar names (file.001, file.002, ...) back into one file.
Format: cat part1 part2 ... > output_file (with a glob such as cat file.* > out the parts are joined in the shell's sort order, so make sure the numbering sorts correctly)

------ Integrity check: compute the MD5 of the merged file under Linux and compare it with the value given in the challenge:
md5sum filename

2. File merging under Windows

Usage scenario: under Windows, merge a set of parts with similar names back into one file.
Format: copy /B part1+part2+... output_file (/B forces binary mode; when files are joined with +, copy otherwise treats them as text and stops at a Ctrl-Z byte)
------ Integrity check: compute the MD5 of the merged file under Windows:
certutil -hashfile filename MD5


4. Steganography of file content

------ File content steganography means the KEY is written directly into the file as bytes, usually at the very beginning or the very end, so analysis should concentrate on the head and tail of the file first. If it sits in the middle of the file, search for keywords such as KEY or flag to locate the hidden content.

Usage scenario: search for hidden content in a file's bytes under Windows.

WinHex

------ Drag the file into WinHex and look for readable text or anything that does not fit the rest of the data: check the beginning and the end first, then search for keywords such as flag or key, and finally scroll through the remainder of the file.


5. Image file steganography

1. Picture mixing

------ Picture mixing means two images are laid over one another so that, because of color overlap or other factors, only one of them is visible. Producing this effect is equivalent to hiding the second picture.

Recommended tool: Stegsolve.jar (steps through the color channels and bit planes of the image, which separates the two pictures)
Original picture and the picture after adjustment in Stegsolve: screenshots omitted.

2. LSB (Least Significant Bit)

------ LSB steganography hides data in the least significant bit of each pixel's color value. Changing that bit moves the color by at most 1 out of 255, which the eye cannot see, so the hidden bits only show up when the image is examined with tools that isolate individual bit planes or push the grayscale, threshold, exposure or color curves.

Recommended tool: Stegsolve.jar

steganographic steps

  1. Suppose we want to hide the character f in a picture. First convert f to its ASCII code, then to binary:
    f: 102, binary 01100110

  2. Pick 8 consecutive pixel bytes in the picture (8 hex values in WinHex) and convert each one to binary.

  3. Replace the last bit of each of those 8 binary values, in order, with the bits of f: 0 1 1 0 0 1 1 0. Convert the modified values back to hexadecimal and write them over the 8 original bytes in the picture. The picture looks unchanged, but the bit-0 plane now carries the letter f.

Tools for finding hidden information

The image used is a PNG with a message embedded in the bit-0 plane (screenshot omitted).

  1. Open the image in Stegsolve.jar and step through the planes with the arrow buttons. In the Red 0, Green 0 and Blue 0 planes (the least significant bit of each channel) there is an obviously artificial band at the top of the image.

  2. Open Analyse > Data Extract.

  3. Tick bit 0 for Red, Green and Blue, keep the default MSB-first bit order, and use Save Bin to write the extracted bits to a file with the .png extension.

  4. The saved flag.png is a QR code; scan it to get the flag.
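The embedding steps and the Stegsolve Data Extract recovery above, as an added Python example that is not part of the original lesson. Pixels are handled as (r, g, b) tuples, the form Pillow's list(img.getdata()) returns for an RGB image; the cover pixels here are constructed so the script needs no image file or library, and the function names are this example's own.

```python
# Pixels are (r, g, b) tuples. With a real image: pixels = list(Image.open(p).convert("RGB").getdata())


def embed_bit_plane(pixels, message, channels=(0, 1, 2), bit=0):
    """Write the bits of `message` (MSB first) into the chosen bit of the chosen
    channels, pixel by pixel and channel by channel. With the defaults this is
    classic RGB LSB embedding: one message bit per color byte."""
    bits = [(byte >> (7 - i)) & 1 for byte in message for i in range(8)]
    if len(bits) > len(pixels) * len(channels):
        raise ValueError("carrier too small for message")
    mask = 0xFF ^ (1 << bit)
    out, k = [], 0
    for px in pixels:
        px = list(px)
        for c in channels:
            if k < len(bits):
                px[c] = (px[c] & mask) | (bits[k] << bit)
                k += 1
        out.append(tuple(px))
    return out


def extract_bit_plane(pixels, channels=(0, 1, 2), bit=0):
    """Stegsolve 'Data Extract' equivalent: collect the selected bit of each selected
    channel in pixel order and pack the bits MSB first into bytes (partial byte dropped)."""
    bits = [(px[c] >> bit) & 1 for px in pixels for c in channels]
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)


def embed_f_example():
    """The walk-through from the text: f = 0x66 = 01100110 written into the least
    significant bit of 8 consecutive red bytes (constructed pixels, red = 10 = 00001010)."""
    carrier = [(10, 0, 0)] * 8
    stego = embed_bit_plane(carrier, b"f", channels=(0,))
    return [px[0] for px in stego]   # [10, 11, 11, 10, 10, 11, 11, 10]


def constructed_image():
    """Constructed 64-pixel RGB gradient used as the cover image (192 bits of capacity)."""
    return [(i * 4 % 256, i * 7 % 256, i * 13 % 256) for i in range(64)]


if __name__ == "__main__":
    print(embed_f_example())
    stego = embed_bit_plane(constructed_image(), b"flag{lsb_demo}")
    print(extract_bit_plane(stego)[:14])   # b'flag{lsb_demo}'
```

extract_bit_plane() returns every byte the plane holds, so on a real image the message is followed by noise from the untouched cover pixels; that is why a length prefix or a terminator is normally embedded with the data, and why Stegsolve's preview pane is worth a look before saving.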

3. Steganography in image attributes (view the image's properties)

------ Text can also be hidden in the metadata rather than the pixels. Right-click the file and open Properties > Details, then check fields such as Title, Subject, Comments and Author; on Linux, exiftool prints the same EXIF/XMP fields.

4. Steganographic image size (image size modification)

------ Normally a picture carries its true dimensions and displays completely; a corrupted file may not open at all. If instead only the width or height field in the header has been changed, the picture still opens but only part of it is shown. Shrinking the declared height is therefore a way of hiding the bottom part of an image.

  • Example: in the picture below the height has been reduced so that the full content is not visible.
  1. Use WinHex to modify the image size
    ------ Correct the dimensions in WinHex. For a PNG the width is the 4-byte big-endian value at offsets 16-19 and the height is at offsets 20-23, directly after the IHDR chunk name; for ordinary sizes only the last two bytes of each are non-zero, which is why the bytes at offsets 18-19 (width) and 22-23 (height) are the ones to edit. The IHDR data is followed by a 4-byte CRC over the bytes "IHDR" plus the 13 data bytes; some viewers tolerate a stale CRC and others refuse the file, so recompute it after editing.

  2. Check the size in the image properties, then convert the value to hexadecimal
    ------ If you are not sure which bytes hold the size, read the width and height from the file's Properties > Details, convert them to hexadecimal, and search for those bytes in WinHex. The height is usually the value to enlarge.

  3. After correcting the dimensions in WinHex, the picture displays completely.
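An added Python example, not from the original lesson, for the PNG case described above: read the width and height from IHDR, patch the height and recompute the chunk CRC as a WinHex edit would need, and recover the true height from the IDAT pixel data when the declared one has been shrunk. The test image is constructed in the script; names such as constructed_png and true_height are this example's own.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}   # colour type -> samples per pixel


def chunks(png):
    """Yield (type, data) for each chunk; layout is length(4) type(4) data crc(4)."""
    pos = 8
    while pos + 8 <= len(png):
        length, = struct.unpack(">I", png[pos:pos + 4])
        yield png[pos + 4:pos + 8], png[pos + 8:pos + 8 + length]
        pos += 12 + length


def read_ihdr(png):
    """Width and height as stored: big-endian 32-bit values at offsets 16..19 and 20..23."""
    if png[:8] != PNG_SIG or png[12:16] != b"IHDR":
        raise ValueError("not a PNG")
    return struct.unpack(">II", png[16:24])


def ihdr_crc_ok(png):
    """The CRC at 29..32 covers 'IHDR' plus the 13 data bytes; strict viewers check it."""
    stored, = struct.unpack(">I", png[29:33])
    return stored == zlib.crc32(png[12:29]) & 0xFFFFFFFF


def set_dimensions(png, width=None, height=None):
    """Patch width/height in IHDR and recompute the chunk CRC."""
    w, h = read_ihdr(png)
    w = w if width is None else width
    h = h if height is None else height
    ihdr = b"IHDR" + struct.pack(">II", w, h) + png[24:29]
    crc = struct.pack(">I", zlib.crc32(ihdr) & 0xFFFFFFFF)
    return png[:12] + ihdr + crc + png[33:]


def true_height(png):
    """Recover the real height from the pixel data: after inflating the IDAT stream,
    each scanline is 1 filter byte + ceil(width * channels * bitdepth / 8) bytes, so
    height = len(raw) // scanline_bytes, whatever IHDR claims."""
    width, _ = read_ihdr(png)
    bit_depth, colour_type = png[24], png[25]
    raw = zlib.decompress(b"".join(d for t, d in chunks(png) if t == b"IDAT"))
    scanline = 1 + (width * CHANNELS[colour_type] * bit_depth + 7) // 8
    return len(raw) // scanline


def constructed_png(width=4, height=3):
    """Constructed 8-bit RGB PNG (no image library needed) with a simple gradient."""
    def chunk(ctype, data):
        crc = struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF)
        return struct.pack(">I", len(data)) + ctype + data + crc
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    rows = b"".join(b"\x00" + bytes(v % 256 for v in range(y * 50, y * 50 + width * 3))
                    for y in range(height))
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b"")


if __name__ == "__main__":
    png = constructed_png(4, 3)
    hidden = set_dimensions(png, height=1)           # what a challenge author does
    print(read_ihdr(hidden), ihdr_crc_ok(hidden), true_height(hidden))   # (4, 1) True 3
    print(set_dimensions(hidden, height=true_height(hidden)) == png)      # True
```

true_height() is the check to run before guessing: if it disagrees with read_ihdr(), the height field was edited, and set_dimensions() with the recovered value restores the picture with a valid CRC.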

5. GIF animation information hiding

Use tool: Stegsolve.jar
Open the GIF in Stegsolve.jar and use Analyse > Frame Browser to step through the animation frame by frame. A frame that flashes past too quickly to read, or one that differs from the others, usually carries the hidden content.


6. Compressed file analysis

1. Pseudo encryption

------ If a compressed file asks for a password, or the header looks normal but decompression fails, first check whether it is only pseudo-encrypted. A ZIP records whether an entry is encrypted in a flag, not in the data: each entry's header carries a 16-bit general purpose bit flag, and bit 0 of that flag marks the entry as encrypted. If the bit is set but the data was never actually encrypted, the archive is pseudo-encrypted and clearing the bit makes it decompress normally. If decompression still fails after clearing the bit (typically with a CRC error), the data really is encrypted.
Usage scenario: pseudo-encrypted ZIP files

  • How to operate:
  1. Open the file in WinHex and search for the hexadecimal bytes 50 4B 01 02, the central directory header that exists for every entry.

  2. Counting from the 50, the ninth and tenth bytes are the general purpose bit flag (for example 09 00 or 01 00 when the encryption bit is set). Change them to 00 00 to mark the entry as unencrypted. The same flag also appears in the local file header (50 4B 03 04) at the seventh and eighth bytes; clear it there too, since some tools read one header and some the other.
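An added Python example, not from the original lesson, that performs the same edit as the WinHex steps: locate every central directory (50 4B 01 02) and local file (50 4B 03 04) header, read the general purpose bit flag, set or clear its encryption bit, and show that Python's zipfile refuses the pseudo-encrypted file but reads it once the bit is cleared. The archive is constructed in the script.

```python
import io
import zipfile

# Both headers of a ZIP entry carry the 16-bit general purpose bit flag;
# bit 0 of that flag is the "encrypted" bit. Values are offsets from the signature.
HEADERS = {
    b"PK\x01\x02": 8,  # central directory header: flag at +8 (9th and 10th bytes)
    b"PK\x03\x04": 6,  # local file header: flag at +6 (7th and 8th bytes)
}


def header_offsets(data, signature):
    pos = data.find(signature)
    while pos != -1:
        yield pos
        pos = data.find(signature, pos + 1)


def encryption_flags(data):
    """(header offset, flag value) for every header, the values WinHex would show."""
    result = []
    for sig, off in HEADERS.items():
        for pos in header_offsets(data, sig):
            result.append((pos, int.from_bytes(data[pos + off:pos + off + 2], "little")))
    return sorted(result)


def set_encryption_bit(data, value):
    """Set (value=True) or clear (value=False) bit 0 of the flag in every header.
    Clearing is the WinHex edit above; setting it produces a pseudo-encrypted file."""
    buf = bytearray(data)
    for sig, off in HEADERS.items():
        for pos in header_offsets(buf, sig):
            buf[pos + off] = (buf[pos + off] | 0x01) if value else (buf[pos + off] & 0xFE)
    return bytes(buf)


def try_extract(data, name):
    """Return the entry's bytes, or None when the archive demands a password."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.read(name)
    except RuntimeError:  # zipfile: "File ... is encrypted, password required for extraction"
        return None


def constructed_zip():
    """Constructed sample archive with one plaintext entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("flag.txt", b"flag{pseudo_encryption}")
    return buf.getvalue()


if __name__ == "__main__":
    plain = constructed_zip()
    pseudo = set_encryption_bit(plain, True)          # flag bytes become 01 00
    print(encryption_flags(pseudo))
    print(try_extract(pseudo, "flag.txt"))            # None: password required
    print(try_extract(set_encryption_bit(pseudo, False), "flag.txt"))   # b'flag{pseudo_encryption}'
```

The decisive test is the last call: a truly encrypted archive still fails after the bit is cleared, because the stored bytes are ciphertext and the CRC no longer matches, while a pseudo-encrypted one reads cleanly.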

2. Brute force cracking

------ ARCHPR.exe (Advanced Archive Password Recovery) is the usual tool for cracking ZIP and RAR passwords.
Usage scenario: encrypted RAR or ZIP files under Windows

  1. Set the attack type to Brute-force, choose the character sets to try in the Range tab, and set the minimum and maximum length in the Length tab; if nothing is defined, the full range is used. Click Open to choose the archive, then Start. A sensible first attempt is digits only with a length of 1 to 9, followed by a dictionary attack using the English word list that ships with the program.

  2. Set the attack type to Mask for a targeted attack when part of the password is known. For example, if the first three characters are known to be abc and the last three are digits, select Mask, enter abc??? as the mask, and tick only digits in the Range tab. Open the archive and click Start; each ? is then replaced by characters from the chosen range.


7. Traffic packet file analysis

Wireshark filter

------ Wireshark's display filter narrows the capture down to the packets you want.

  • Commonly used filter expressions:
1) Filter by IP, for example source or destination x.x.x.x:
ip.src eq x.x.x.x or ip.dst eq x.x.x.x, or simply ip.addr eq x.x.x.x (matches either direction)

2) Filter by port:
tcp.port eq 80 or udp.port eq 80
tcp.dstport == 80   only TCP segments whose destination port is 80
tcp.srcport == 80   only TCP segments whose source port is 80
tcp.port >= 1 and tcp.port <= 80

3) Filter by protocol:
tcp / udp / arp / icmp / http / ftp / dns / ip ...

4) Filter by MAC address:
eth.dst == A0:00:00:04:c5:84   filter on the destination MAC

5) Filter by length:
udp.length == 26   the UDP length field: the fixed 8-byte UDP header plus the UDP payload
tcp.len >= 7   the TCP payload length only, not including the TCP header
ip.len == 94   the IP total length: everything after the 14-byte Ethernet header, from the IP header to the end
frame.len == 119   the whole frame, from the Ethernet header to the end

6) HTTP filters:
http.request.method == "GET"
http.request.method == "POST"
http.request.uri == "/img/logo-edu.gif"
http contains "GET"
http contains "HTTP/1."
http.request.method == "GET" && http contains "User-Agent:"
http contains "flag"
http contains "key"
tcp contains "flag"

------ During a competition, search the capture for the flag with filters like these.
------ Besides filtering, right-click a packet and choose Follow > TCP Stream to read the whole conversation directly; the flag often shows up there in context.
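An added Python example, not part of the original lesson, that shows what the filters above compute: a minimal classic-pcap reader that dissects Ethernet/IPv4/TCP/UDP, produces the frame.len, ip.len, tcp.len and udp.length fields with the meanings listed in 5), and applies tcp.port, ip.addr, tcp contains and a flag search over the payloads. The capture is constructed inside the script with IP and TCP checksums left at zero, so this is a parsing exercise, not a replacement for Wireshark or scapy; all function names are this example's own.

```python
import re
import struct

FLAG_RE = re.compile(rb"(?:flag|key)\{[^}]*\}", re.IGNORECASE)


def dissect(frame):
    """Extract the fields the filters refer to from one Ethernet frame."""
    f = {"frame.len": len(frame), "eth.dst": frame[:6].hex(":"), "eth.src": frame[6:12].hex(":")}
    if frame[12:14] != b"\x08\x00":                     # not IPv4
        return f
    ihl = (frame[14] & 0x0F) * 4
    f["ip.len"] = struct.unpack("!H", frame[16:18])[0]  # IP header through end of payload
    f["ip.proto"] = frame[23]
    f["ip.src"] = ".".join(map(str, frame[26:30]))
    f["ip.dst"] = ".".join(map(str, frame[30:34]))
    l4 = frame[14 + ihl:14 + f["ip.len"]]
    if f["ip.proto"] == 6:                               # TCP: tcp.len excludes the header
        sport, dport = struct.unpack("!HH", l4[:4])
        doff = (l4[12] >> 4) * 4
        f.update({"tcp.srcport": sport, "tcp.dstport": dport, "tcp.len": len(l4) - doff, "tcp.payload": l4[doff:]})
    elif f["ip.proto"] == 17:                            # UDP: udp.length includes the 8-byte header
        sport, dport, ulen = struct.unpack("!HHH", l4[:6])
        f.update({"udp.srcport": sport, "udp.dstport": dport, "udp.length": ulen, "udp.payload": l4[8:]})
    return f


def parse_pcap(data):
    """Classic pcap only: 24-byte global header, then 16-byte record headers."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap (pcapng starts with 0a 0d 0d 0a)")
    pos, packets = 24, []
    while pos + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[pos:pos + 16])
        packets.append(dissect(data[pos + 16:pos + 16 + incl_len]))
        pos += 16 + incl_len
    return packets


def tcp_port(p, port):                    # tcp.port eq <port>
    return port in (p.get("tcp.srcport"), p.get("tcp.dstport"))

def ip_addr(p, addr):                     # ip.addr eq <addr>
    return addr in (p.get("ip.src"), p.get("ip.dst"))

def contains(p, needle, layer="tcp"):     # tcp contains "..." / udp contains "..."
    return needle in p.get(layer + ".payload", b"")

def find_flags(packets):
    """Like tcp contains "flag" / "key", but returns the matched strings."""
    return [m.decode() for p in packets for layer in ("tcp", "udp")
            for m in FLAG_RE.findall(p.get(layer + ".payload", b""))]


# Constructed capture so the example runs offline (checksums left at 0).
def _ipv4(src, dst, proto, l4):
    eth = bytes.fromhex("a0000004c584") + bytes.fromhex("000c29112233") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + l4

def tcp_frame(src, dst, sport, dport, payload):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return _ipv4(src, dst, 6, tcp + payload)

def udp_frame(src, dst, sport, dport, payload):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return _ipv4(src, dst, 17, udp + payload)

def constructed_pcap():
    frames = [
        tcp_frame("10.0.0.5", "10.0.0.80", 40000, 80, b"GET /secret HTTP/1.1\r\nHost: ctf\r\n\r\n"),
        tcp_frame("10.0.0.80", "10.0.0.5", 80, 40000, b"HTTP/1.1 200 OK\r\n\r\nflag{pcap_filter_demo}"),
        udp_frame("10.0.0.5", "10.0.0.53", 5353, 53, b"\x00" * 18),   # udp.length == 26
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)    # link type 1 = Ethernet
    for n, fr in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + n, 0, len(fr), len(fr)) + fr
    return out


if __name__ == "__main__":
    pkts = parse_pcap(constructed_pcap())
    print([(p["frame.len"], p.get("ip.len"), p.get("tcp.len", p.get("udp.length"))) for p in pkts])
    print(sum(tcp_port(p, 80) for p in pkts), find_flags(pkts))   # 2 ['flag{pcap_filter_demo}']
```

The length relations from 5) fall out of the dissection: ip.len is frame.len minus the 14-byte Ethernet header, tcp.len is the payload after the TCP header, and udp.length counts the header as well. A flag split across two segments would not match a single-packet contains filter, which is when Follow TCP Stream (or reassembling the payloads in order) is the better tool.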



Origin blog.csdn.net/p36273/article/details/132918911