From 8d167abe76341f79d723b704fda1c6f010dbcb86 Mon Sep 17 00:00:00 2001 From: Zesc Date: Wed, 25 Sep 2024 19:26:40 +0200 Subject: [PATCH] pre-release tidying --- opsec/steganography/index.html | 4 +- opsec/steghide/index.html | 90 ++++++++++++++++------------------ 2 files changed, 44 insertions(+), 50 deletions(-) diff --git a/opsec/steganography/index.html b/opsec/steganography/index.html index 500c0e3..04d2fb9 100644 --- a/opsec/steganography/index.html +++ b/opsec/steganography/index.html @@ -106,8 +106,8 @@
-

About nihilist

-

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nowhere.moe (PGP)

+

About Zesc

+

TBD

diff --git a/opsec/steghide/index.html b/opsec/steghide/index.html index 08fbbce..d8ba67f 100644 --- a/opsec/steghide/index.html +++ b/opsec/steghide/index.html @@ -56,24 +56,33 @@ -
+

Hiding files in images with steghide

Previous Page

Zesc - 2024-08-30

+

steghide is a mature GPL-licensed CLI tool for hiding arbitrary data inside of of image files (and some archaic audio formats). Its official web presence is located at https://steghide.sourceforge.net/. it conceals data inside a larger coverfile in a way that is indistinguishable to first-order statistical analysis. This means there is are anomalies in the file histogram, making most pictures innocuous without an original to compare to.

+
+
+
+
+ +
+
+
+
+

Basic Use

-

steghide is a mature GPL-licensed CLI tool for hiding arbitrary data inside of of image files (and some archaic audio formats). Its official web presence is located at https://steghide.sourceforge.net/, but it is ubiquitously mirrored in various repositories and package managers (. If you use APT, simply install it with

+

steghide is ubiquitously mirrored in various repositories and package managers. You can also find a clone of the sourceforge repository on GitHub. If you use APT, simply install it with

# apt install steghide
- - -

steghide uses subcommands, and the three most important ones are info, embed and extract which will be explained in sequence. For this tutorial, we are going to use the Astronomy Picture of the Day of 2024-09-08, a beautiful image of the Andromeda galaxy:

-
+

steghide uses subcommands, and the three most important ones are info, embed and extract which will be explained in sequence. For this tutorial, we are going to use the Astronomy Picture of the Day of 2024-08-24, a beautiful image of the anti-twilight arch:

+

Our example file to hide is going to be Bitcoin: A Peer-to-Peer Electronic Cash System, the original paper by Satoshi Nakamoto.

-

As mentioned above, the cover image must be larger than the file you wish to embed, as a rule of thumb your coverfile should be 20 times larger. We can check how many bytes steghide can embed by using steghide info file. In our case, it tells us that it can embed 232 KB and asks whether an attempt should be made at reading embed data without extracting. As there is nothing embedded yet, we decline with n.

+

As mentioned above, the cover image must be larger than the file you wish to embed, as a rule of thumb your coverfile should be 20 times larger. (Hint: you can split larger files with tools like tar or 7z into smaller fragments to embed into a whole collection of cover files.) We can check how many bytes steghide can embed by using steghide info file. In our case, it tells us that it can embed 232 KB and asks whether an attempt should be made at reading embed data without extracting. As there is nothing embedded yet, we decline with n.

"apod20240824.jpg":
   format: jpeg
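Review bot: the new intro paragraph (the "+" line beginning "steghide is a mature GPL-licensed CLI tool") has "inside of of image files", a lowercase "it conceals" opening a sentence, and "This means there is are anomalies in the file histogram", which contradicts the preceding claim that the output is indistinguishable to first-order statistical analysis; the intended wording is presumably "This means there are no anomalies in the file histogram". Removing the duplicated tool description from the Basic Use section and correcting the APOD date to 2024-08-24 (matching apod20240824.jpg) both look right.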
@@ -82,11 +91,11 @@ Try to get information about embedded data ? (y/n)
 

The PDF is only 180 KB, so it fits. Next, we use steghide embed -cf coverfile -ef embedfile -sf destination and get asked for a passphrase (make sure to remember it or safe it in a password manager). After re-entering the passphrase (you can set it beforehand with the -p option) it will write the processed file to the specified destination. You can also leave out the -sf option, in which case it defaults to overwriting the coverfile. Look at it and try to find a visual difference to the original:

-
+

It's completely lost in the visual noise. As an experiment, let's try taking the difference of both images with a program like GIMP. This is what it looks like:

-
+
-

A difference of zero means a fully black pixel. Try zooming in and you'll see that only a few pixels are slightly lighter than black. These are the pixels that contain parts of your embedded file in their least significant bits..

+

A difference of zero means a fully black pixel. Try zooming in and you'll see that only a few pixels are slightly lighter than black. These are the pixels that contain parts of your embedded file in their least significant bits.

WARNING: changing the output file in anyway will make the embedded file irretrievable. This is especially important for every form of lossy compression!
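Review bot: this hunk only drops the stray double period at the end of the least-significant-bits sentence, while two similar slips sit in its unchanged context lines and could be folded into the same fix: "safe it in a password manager" should read "save it", and "changing the output file in anyway" should read "in any way".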
@@ -103,54 +112,39 @@ d56d71ecadf2137be09d8b1d35c6c042 output.pdf
-
-
-
-
-

Advanced Use

-

Changing the encryption

-

As you've seen, steghide needs a passphrase to embed and extract data. (Note: using an empty passphrase can lead to issues extracting.) This passphrase is used to both encrypt your file before embedding and to seed the PRNG by which it selects pixel positions for embedding data. By default, it uses AES-128. You should not rely on steghide for securing your data cryptographically (see the introduction to steganography), and when in doubt you can separately encrypt the file before embedding, but you may still want to change the used algorithm. For this, simply use -e algorithm mode

. You can list all available modes with steghide encinfo. So as example, to embed our previous picture using AES-256 in cipher feedback mode, you would use this: - -
$ steghide embed -cf apod20240824.jpg -ef bitcoin.pdf -e rijandael-256 cfb 
- -

Use steghide recursively

-

Since steghide works on arbitrary binary data, you can embed steghide's output into another picture, provided the size is sufficient. The 4.8 MB picture below contains a 260 KB waveform audio file which in turns contains 2.7 KB UTF-8 encoded text file. (The passphrase is moon for both.)

-
-

-

-

-
-
-
-
- - -
-

Setup



-

-

-	
-
+

Advanced Use

+

Common Pitfalls

+

There are a couple of things you shouldn't do with steghide. Here a quick overview:

+
    +
  1. Use strong passwords: Always a given. The password to steghide can be brute-forced like every other password. stegseek can brute force 14 million passwords in under 2 seconds.

  2. +
  3. Use original images: Known images can be easily double-checked against your cover files. If for example the Monero icon on your website is different to that included in the official press kit, that's suspicious, defeating the purpose of steganography. Make sure to only use this with originals only you are in possession of - in a pinch, adding an in-picture caption, resizing it, etc. offers plausible deniability, as different image editing programs are notoriously variant in handling pixel-level details.

  4. +
  5. Avoid images with little detail: Images without pixel-level visual noise (e.g. diagrams, images of text, etc.) will have less hiding space, and become visible deteriorated when files are embedded. For demonstration purposes, compare this map with its original, then look at their difference. The embedded file was a mere 4286 B in size, yet these two files differ by 6693 B in size! (The password is left as a brute-forcing exercise for the reader.)

  6. +
  7. Avoid format conversions: Even "lossless" conversions from one image format to another tend to be non-reversible, making it impossible to retrieve the hidden data. Remember that many popular websites compress all images uploaded to them to save on bandwidth, making them unsuitable for our purposes.

  8. +
+ +

Changing the encryption

+

As you've seen, steghide needs a passphrase to embed and extract data. (Note: using an empty passphrase can lead to issues extracting.) This passphrase is used to both encrypt your file before embedding and to seed the PRNG by which it selects pixel positions for embedding data. By default, it uses AES-128. You should not rely on steghide for securing your data cryptographically (see the introduction to steganography), and when in doubt you can separately encrypt the file before embedding, but you may still want to change the used algorithm. For this, simply use -e algorithm mode. You can list all available modes with steghide encinfo. So as example, to embed our previous picture using AES-256 in cipher feedback mode, you would use this:

+ +
$ steghide embed -cf apod20240824.jpg -ef bitcoin.pdf -e rijandael-256 cfb 
+ +

Using steghide recursively

+

Since steghide works on arbitrary binary data, you can embed steghide's output into another picture, provided the size is sufficient. The 4.8 MB picture below contains a 260 KB waveform audio file which in turns contains 2.7 KB UTF-8 encoded text file. (The passphrase is moon for both.)

+
+

-

-	
-
-

-

-	
-
-
+ +
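Review bot: the example command moved into the rewritten "Changing the encryption" section still reads "-e rijandael-256 cfb" on both the removed and the added line; steghide encinfo lists that cipher as rijndael-256, so the command as printed will be rejected, and the move is the natural place to correct it. Smaller points in the added text: "Here a quick overview" is missing "is", and "which in turns contains" should be "in turn". The Common Pitfalls lead sentence announces "things you shouldn't do", but the first two items are phrased as things to do (use strong passwords, use original images), so either reword the lead sentence or phrase each item as the pitfall it warns about.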
@@ -174,8 +168,8 @@ d56d71ecadf2137be09d8b1d35c6c042 output.pdf
-

About nihilist

-

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nowhere.moe (PGP)

+

About Zesc

+

TBD
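Review bot: this footer hunk repeats the change from opsec/steganography/index.html, replacing the nihilist contact block with "About Zesc" and a "TBD" placeholder, so the same missing-contact-details problem applies here; since both pages carry identical About blocks, consider keeping that block in one shared fragment so it only has to be updated once when the details are ready.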