Steganography

intermediate | 35 min | Writeup

Finding hidden data in images and files

Learning Objectives

  • Detect steganography
  • Use stego tools
  • Extract hidden data
  • Handle password-protected stego

Steganography is the art of hiding messages in plain sight - inside images, audio, or other files. Unlike encryption, which makes data unreadable, stego makes data invisible. The best hiding place is one nobody knows to look in!

"Stego" challenges are CTF favorites. An innocent-looking image might hide the flag in its least significant bits, in data appended to the file, or in its metadata. Trust nothing!

Detecting Steganography

bash
# Visual inspection
# - Compare to original (if available)
# - Look for visual artifacts
# - Check file size (larger than expected?)

# Statistical analysis
# - Entropy analysis (hidden data increases randomness)
# - Chi-square test (detects LSB manipulation)

# Quick checks
file image.jpg
exiftool image.jpg
strings image.jpg | grep -i flag
binwalk image.jpg

# File size vs dimensions
# JPEG shouldn't be huge for small dimensions
# PNG shouldn't be enormous for simple graphics

Multiple Techniques

CTF images often use multiple stego techniques. After finding one piece of data, keep looking - there might be more!

Steghide (JPEG/BMP)

bash
# steghide - Popular tool for JPEG and BMP

# Check for hidden data
steghide info image.jpg
# May ask for password (try empty first)

# Extract hidden data
steghide extract -sf image.jpg
# Prompts for password

# Try without password
steghide extract -sf image.jpg -p ""

# Crack steghide password
# Use stegcracker
pip install stegcracker
stegcracker image.jpg wordlist.txt

# Or stegseek (faster!)
stegseek image.jpg wordlist.txt

# Embed data (for understanding)
steghide embed -cf image.jpg -ef secret.txt

PNG Analysis Tools

bash
# zsteg - PNG/BMP stego detector
gem install zsteg

# Run all checks
zsteg image.png

# Common findings:
# - LSB (Least Significant Bit) hidden data
# - Text in specific color channels
# - Data in alpha channel

# Specific checks
zsteg -a image.png                 # All methods
zsteg -E "b1,rgb,lsb" image.png    # Extract specific

# pngcheck - PNG structure analysis
pngcheck -v image.png

# PNG chunks
# IHDR: Image header
# IDAT: Image data
# IEND: Image end
# tEXt: Text metadata
# zTXt: Compressed text
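
The chunk layout listed above can be walked by hand to read tEXt/zTXt metadata, verify each CRC, and catch bytes appended after IEND. This is an added example, not code from the original page; `walk_png`, `chunk` and the `SAMPLE` file are names and data constructed here for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def chunk(ctype, data):
    """Build one chunk: 4-byte length, type, data, CRC-32 over type + data."""
    return (struct.pack(">I", len(data)) + ctype + data
            + struct.pack(">I", zlib.crc32(ctype + data)))

def walk_png(blob):
    """Return (chunks, trailing): chunk records in file order, bytes after IEND."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("bad PNG signature")
    pos, chunks = len(PNG_SIG), []
    while pos + 12 <= len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        ctype = blob[pos + 4:pos + 8]
        end = pos + 12 + length
        if end > len(blob):
            raise ValueError(f"chunk at offset {pos} runs past end of file")
        data = blob[pos + 8:end - 4]
        (crc,) = struct.unpack(">I", blob[end - 4:end])
        text = None
        if ctype == b"tEXt":      # keyword, NUL, Latin-1 text
            text = data.replace(b"\x00", b"=", 1).decode("latin-1")
        elif ctype == b"zTXt":    # keyword, NUL, method byte, zlib stream
            key, _, rest = data.partition(b"\x00")
            text = key.decode("latin-1") + "=" + zlib.decompress(rest[1:]).decode("latin-1")
        chunks.append({"type": ctype.decode("latin-1"), "offset": pos, "length": length,
                       "crc_ok": crc == zlib.crc32(ctype + data), "text": text})
        pos = end
        if ctype == b"IEND":
            break
    return chunks, blob[pos:]

# Constructed 1x1 RGB PNG with two text chunks and bytes appended after IEND.
SAMPLE = (PNG_SIG
          + chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
          + chunk(b"tEXt", b"Comment\x00constructed note")
          + chunk(b"zTXt", b"Hint\x00\x00" + zlib.compress(b"constructed hint"))
          + chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00"))
          + chunk(b"IEND", b"")
          + b"constructed trailing bytes")

if __name__ == "__main__":
    chunks, trailing = walk_png(SAMPLE)
    for c in chunks:
        print(c)
    print("bytes after IEND:", len(trailing), trailing[:16])
```

For a real file, pass `open("image.png", "rb").read()`; a non-empty second return value or a chunk with `crc_ok` set to False is worth a closer look.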

StegSolve

bash
# StegSolve - Visual stego analysis (Java GUI)
# Download: http://www.caesum.com/handbook/Stegsolve.jar

java -jar Stegsolve.jar

# Features:
# - View individual color planes (R, G, B)
# - View bit planes (LSB to MSB)
# - Extract data from specific planes
# - Frame browser for animated images
# - Image combiner (XOR, AND, OR images)

# What to look for:
# - Hidden images in color channels
# - Text visible in single bit plane
# - Patterns in LSB
# - Differences between channels

StegSolve is essential! Often the flag is visible only in a specific color channel or bit plane that looks like random noise otherwise.

LSB (Least Significant Bit)

python
# LSB steganography hides data in the least significant bits
# of pixel values. Changing the LSB has minimal visual impact.

# Manual LSB extraction in Python (requires Pillow)
from PIL import Image

def extract_lsb(image_path):
    img = Image.open(image_path)
    pixels = img.load()
    width, height = img.size

    # Collect one bit per channel, scanning row by row
    bits = ""
    for y in range(height):
        for x in range(width):
            pixel = pixels[x, y]
            if isinstance(pixel, int):  # Grayscale/palette: one value per pixel
                pixel = (pixel,)
            for value in pixel[:3]:  # R, G, B
                bits += str(value & 1)  # Get LSB

    # Convert bits to bytes (most significant bit first)
    message = ""
    for i in range(0, len(bits), 8):
        byte = bits[i:i+8]
        if len(byte) == 8:
            char = chr(int(byte, 2))
            if char == '\x00':  # Null terminator
                break
            message += char

    return message

print(extract_lsb("image.png"))
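
The chi-square test listed under Detecting Steganography looks at the same bits from the detection side: LSB replacement evens out the counts of each value pair (2k, 2k+1). The following is an added example, not code from the original page; the function names, the constructed sample values and the "score near 1.0 per pair" reading are assumptions made here for illustration.

```python
import random
from collections import Counter

def chi_square_pairs(values):
    """Pairs-of-values chi-square statistic over 8-bit samples.

    Returns (statistic, pairs_used). LSB replacement with random-looking
    payload bits evens out the counts of each pair (2k, 2k+1), so embedded
    data scores near pairs_used; untouched data usually scores far higher.
    """
    hist = Counter(values)
    stat, used = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2
        if expected < 5:          # skip sparse pairs (usual chi-square rule)
            continue
        stat += (even - expected) ** 2 / expected
        used += 1
    return stat, used

def embed_lsb(values, bits):
    """Overwrite the LSB of the first len(bits) samples (sequential embedding)."""
    return [(v & ~1) | b for v, b in zip(values, bits)] + values[len(bits):]

def prefix_scores(values, step):
    """Statistic per pair for growing prefixes; ~1.0 means 'looks embedded'."""
    scores = []
    for n in range(step, len(values) + 1, step):
        stat, used = chi_square_pairs(values[:n])
        scores.append((n, stat / used if used else float("nan")))
    return scores

# Constructed sample data, not taken from a real image: 20,000 channel values
# in which even values are three times as common as odd ones.
_rng = random.Random(1337)
COVER = [2 * _rng.randrange(128) + (_rng.random() < 0.25) for _ in range(20000)]
# Random payload bits written sequentially into the first half only.
STEGO = embed_lsb(COVER, [_rng.getrandbits(1) for _ in range(10000)])

if __name__ == "__main__":
    print("cover:", chi_square_pairs(COVER))
    for n, score in prefix_scores(STEGO, 5000):
        print(f"first {n:>6} samples: {score:.2f} per pair")
```

To score a real image with Pillow, pass one channel's values, for example `list(img.getchannel("R").tobytes())` for an RGB image.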

Audio Steganography

bash
# Audio files can hide data too!

# Spectrogram analysis (visual representation of audio)
# Use Audacity: View → Spectrogram
# Or Sonic Visualiser

# Common findings:
# - Text/images visible in spectrogram
# - Morse code
# - Hidden audio track

# LSB in audio
# Similar to image LSB but in audio samples

# SSTV (Slow Scan Television)
# Images transmitted via audio
# Use QSSTV or online decoders

# Tools:
# - Audacity (spectrogram, reverse audio)
# - Sonic Visualiser
# - mp3stego (for MP3 files)
# - DeepSound (Windows)

# Check audio metadata
exiftool audio.mp3
ffprobe audio.wav

Online Stego Tools

# aperisolve.com - All-in-one stego analyzer
# Runs: zsteg, steghide, binwalk, strings, exiftool
# Shows color channels, bit planes
# HIGHLY RECOMMENDED for quick analysis!

# futureboy.us/stegano/decinput.html
# Online stego decoder

# stylesuxx.github.io/steganography/
# LSB encoder/decoder

# manytools.org/hacker-tools/steganography-encode-text-into-image/
# Simple stego tools

# Workflow:
# 1. Upload to aperisolve.com first
# 2. If that fails, try specific tools
# 3. Manual analysis with StegSolve
# 4. Python scripts for custom extraction

aperisolve.com automates many stego checks. Always try it first - it might instantly solve the challenge!

Stego Checklist

□ Basic forensics (file, strings, exiftool, binwalk)
□ Upload to aperisolve.com
□ Try steghide with empty password
□ Try steghide with common passwords (stegseek)
□ Run zsteg on PNG/BMP
□ Open in StegSolve, check all planes
□ Check for appended data after EOF
□ If audio: check spectrogram in Audacity
□ Look for hints in filename or challenge description
□ Google the image (might be modified version of known image)

Knowledge Check

What does LSB steganography modify?

Key Takeaways

  • aperisolve.com automates many stego checks - use it first
  • steghide is most common for JPEG stego (try empty password)
  • zsteg detects LSB and other PNG stego techniques
  • StegSolve reveals data hidden in specific color/bit planes
  • Audio stego often appears in spectrograms (use Audacity)
  • Always check for data appended after the file's end marker