Steghide (Linux)



In this blog:

  • What is steghide?
  • Installation.
  • Embedding.
  • Extracting.
  • Clearing tracks.

What is Steghide?


Steghide is a steganography tool: it hides a file inside a cover file (JPEG, BMP, WAV or AU) so that the cover still looks or sounds normal. It is not a disk or file encryption tool; the only thing it encrypts is the payload it embeds.

 

Before embedding, the payload is compressed, encrypted with a passphrase (Rijndael-128 in CBC mode by default) and given a CRC32 checksum. The same passphrase seeds a pseudo-random number generator that selects which samples of the cover (pixel bytes in a BMP, DCT coefficients in a JPEG, audio samples in a WAV) will carry the data, so without the passphrase neither the positions nor the contents can be recovered.

 

The selected samples change by tiny amounts that the eye cannot perceive. Steghide also exchanges sample values rather than overwriting them, which preserves the cover's first-order statistics (for example the colour histogram) and defeats simple histogram tests; it does not make the file immune to every steganalysis tool.




Installation

  

In the terminal, type sudo apt install steghide -y, then enter your password when prompted. The -y flag answers yes to the confirmation prompt so the install runs unattended.

I already have steghide installed so this is my output. 


Steghide installation command.



I have created a directory called steg to work out of.

The cURL command below downloads an image that I want to hide information in; the -o option writes the response to a file with a name of my choosing, which I can then open to view it.

Steghide only accepts JPEG, BMP, WAV and AU covers, so check that the downloaded file is one of those formats; a PNG, for instance, is rejected at embed time.


Using cURL to pull the image from the internet to our workspace.

The downloaded image ➡️


Image showing black hole.
Random image downloaded using the cURL command.



Type nano secretmessage.txt to open a text editor and type in a secret message that you want to hide within the image. 


Secret message typed into nano.


Here it is ➡️


The saved secretmessage.txt file.


Embedding secret message


To embed the secret message into the image, type ➡️

steghide embed -cf <name_of_image_file> -ef <name_of_secret_message_file>

-cf names the cover file and -ef the file to embed. Steghide then prompts for a passphrase (twice); whoever extracts the message will need it. Without a -sf <output_file> option the cover image is rewritten in place, so keep a copy if you want to compare the two afterwards.



Embedding text into image using Steghide.


We can now delete the secret message file, as a copy is stored inside the image (steghide also records the original file name, so extraction recreates secretmessage.txt by name). Note that rm only unlinks the file: its bytes stay on disk until overwritten, so an examiner may still carve it from free space. shred -u overwrites before deleting, with the usual caveats on SSDs and journaling filesystems.


Deleting the secret message file to hide our tracks.


We can send this image to anyone. To read the message they need steghide and the passphrase chosen at embed time, not the name of the image file.

Once they have the image, they run steghide extract on it to pull the message back out.

This is the image after the message was stored inside it: virtually no difference to the original.

Side-by-side comparison: original image (left) and image with text embedded (right).

Comparison of the two images' file properties: original image (left) and image with text embedded (right).


On the surface the images look identical; however, the sizes differ slightly, with the original image taking up 3,023 bytes less than the altered one. The difference is not the length of the message: steghide decodes the JPEG and writes it back out, so the file size can shift by an amount unrelated to the payload.

Once the altered image has been sent to someone else and deleted from the desktop system, there is no original left to compare sizes against.

File size is also affected by resolution changes, re-saving and editing, so size on its own cannot be used to diagnose steganography. Steganalysis tools look instead at the statistics of the pixel or coefficient values.



Extracting secret message

To reveal the secret text, use the command ➡️

steghide extract -sf <name_of_image_file>

Here -sf names the stego file, i.e. the image carrying the message. Steghide prompts for the passphrase and writes the embedded file under its original name into the current directory (use -xf <file> to choose a different name). If the passphrase is wrong, steghide reports that it could not extract any data and writes nothing. steghide info <name_of_image_file> reports the cover's format and capacity and, given the passphrase, what is embedded in it.


Extracting the secret text using Steghide.


Now typing ls, we can see that the text file has been returned. 


The text file has been extracted and returned to our workspace.


We can use nano to reveal the secret message.


Secret text retrieved.
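The whole embed-and-extract procedure above, as an added, scripted example that is not part of the original post. It builds its own cover file rather than downloading one: a 64x64 24-bit BMP filled with random pixels (steghide accepts BMP as well as JPEG, and a BMP is easy to synthesise offline). It assumes steghide is on PATH; the secret text and the passphrases are made up. The flags used (-cf, -ef, -sf, -xf, -p, -q, -f) are steghide's own.

```shell
#!/bin/sh
# Added example: synthesise a BMP cover, embed a secret with steghide, extract
# it again and check the round trip, then confirm a wrong passphrase yields nothing.
# Not from the original post. Assumes steghide is installed; nothing is downloaded.

# Write integer $1 as $2 little-endian bytes. The inner printf builds a string of
# octal escapes (\ooo per byte); the outer printf turns them into raw bytes.
le_bytes() {
    le_n=$1; le_count=$2; le_fmt=""; le_i=0
    while [ "$le_i" -lt "$le_count" ]; do
        le_fmt="$le_fmt$(printf '\\%03o' $(( (le_n >> (8 * le_i)) & 255 )))"
        le_i=$((le_i + 1))
    done
    printf "$le_fmt"
}

# Write a 64x64 24-bit uncompressed BMP of random pixels to $1. The row stride
# (64 * 3 = 192 bytes) is already a multiple of 4, so no row padding is needed.
make_cover_bmp() {
    bmp_w=64; bmp_h=64
    bmp_pix=$(( bmp_w * bmp_h * 3 ))
    {
        printf 'BM'
        le_bytes $(( 54 + bmp_pix )) 4   # total file size (54-byte headers + pixels)
        le_bytes 0 4                     # reserved
        le_bytes 54 4                    # offset of pixel data
        le_bytes 40 4                    # BITMAPINFOHEADER size
        le_bytes "$bmp_w" 4              # width
        le_bytes "$bmp_h" 4              # height
        le_bytes 1 2                     # colour planes
        le_bytes 24 2                    # bits per pixel
        le_bytes 0 4                     # BI_RGB, no compression
        le_bytes "$bmp_pix" 4            # pixel data size
        le_bytes 2835 4                  # horizontal resolution, pixels per metre
        le_bytes 2835 4                  # vertical resolution, pixels per metre
        le_bytes 0 4                     # colours in palette (none)
        le_bytes 0 4                     # important colours (all)
        head -c "$bmp_pix" /dev/urandom  # the picture itself: noise is fine for a test cover
    } > "$1"
}

# cover secret passphrase stego_out: -sf writes a new file instead of rewriting the cover
stego_embed() {
    steghide embed -q -f -cf "$1" -ef "$2" -p "$3" -sf "$4"
}

# stego passphrase out: -xf picks the output name instead of the embedded one
stego_extract() {
    steghide extract -q -f -sf "$1" -p "$2" -xf "$3"
}

# cover secret passphrase: returns 0 when the extracted bytes match the original
stego_roundtrip() {
    rt_work=$(mktemp -d) || return 1
    stego_embed "$1" "$2" "$3" "$rt_work/stego.bmp" &&
        stego_extract "$rt_work/stego.bmp" "$3" "$rt_work/out" &&
        cmp -s "$2" "$rt_work/out"
    rt_rc=$?
    rm -rf "$rt_work"
    return $rt_rc
}

# cover secret passphrase: returns 0 when extraction with a different passphrase fails,
# which is the behaviour the recipient relies on (steghide exits non-zero, writes nothing)
wrong_pass_rejected() {
    wp_work=$(mktemp -d) || return 1
    stego_embed "$1" "$2" "$3" "$wp_work/stego.bmp" || { rm -rf "$wp_work"; return 1; }
    if stego_extract "$wp_work/stego.bmp" "not-$3" "$wp_work/out" 2>/dev/null; then
        wp_rc=1   # extraction succeeded with the wrong passphrase: something is wrong
    else
        wp_rc=0
    fi
    rm -rf "$wp_work"
    return $wp_rc
}

if command -v steghide >/dev/null 2>&1; then
    demo=$(mktemp -d)
    make_cover_bmp "$demo/cover.bmp"
    printf 'meet at the usual place at nine\n' > "$demo/secret.txt"   # constructed secret
    stego_roundtrip "$demo/cover.bmp" "$demo/secret.txt" 'correct horse' && echo "round trip OK"
    wrong_pass_rejected "$demo/cover.bmp" "$demo/secret.txt" 'correct horse' && echo "wrong passphrase rejected"
    rm -rf "$demo"
else
    echo "steghide not installed; functions defined but demo skipped" >&2
fi
```

Run it as sh steghide_roundtrip.sh. Because the stego file is written with -sf, the cover stays untouched and can be compared byte for byte with the stego copy (cmp cover.bmp stego.bmp) to see how little changes; the same functions work unchanged on a JPEG cover downloaded as in the post.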


Clearing tracks

To remove the traces left by installing steghide, the post blanks the package log that Linux keeps by default, by redirecting an empty output into it.

The log is owned by root, so switch to root with sudo su (or sudo -i) and enter your password.

Navigate to the log directory by typing cd /var/log.

The dpkg.log file records package install, upgrade and remove events. Using cat, we can see whether the steghide install has been logged.


Viewing install logs.
          
        
We can now truncate the file by redirecting an empty output into it, so the file remains but is zero bytes long.

This blanks one record only. The package is still listed in the dpkg status database (dpkg -l steghide shows it installed), the apt history and terminal logs under /var/log/apt still name it, the shell history records the commands typed, and the sudo call is in auth.log or the systemd journal. An empty dpkg.log with a fresh modification time is itself a red flag to an examiner, and a file-integrity monitor such as Tripwire will report the change. Uninstalling with apt purge steghide removes the tool itself, though that action is logged too.


Image showing Linux command.
Using null value to clear all install logs.
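To see what the truncation step above does and does not hide, here is an added example (not from the original post) that reproduces it on a constructed miniature of the relevant files instead of the real /var/log. Every log line, path under the temporary root, and the package version string are made up for the demonstration.

```shell
#!/bin/sh
# Added example: replay the post's "blank dpkg.log" step against a constructed copy
# of the records a package install leaves behind, then list what still names the
# package and which logs now look wiped. Not from the original post; all data is made up.

# Build a miniature filesystem under $1: dpkg.log, apt history, the dpkg status
# database and the user's shell history (constructed contents).
make_sample_system() {
    mkdir -p "$1/var/log/apt" "$1/var/lib/dpkg" "$1/home/user"
    cat > "$1/var/log/dpkg.log" <<'EOF'
2024-05-01 10:15:03 install steghide:amd64 <none> 0.5.1-15
2024-05-01 10:15:04 status installed steghide:amd64 0.5.1-15
EOF
    cat > "$1/var/log/apt/history.log" <<'EOF'
Start-Date: 2024-05-01  10:15:01
Commandline: apt install steghide -y
Install: steghide:amd64 (0.5.1-15), libmhash2:amd64 (0.9.9.9-9)
End-Date: 2024-05-01  10:15:05
EOF
    cat > "$1/var/lib/dpkg/status" <<'EOF'
Package: steghide
Status: install ok installed
Version: 0.5.1-15
EOF
    cat > "$1/home/user/.bash_history" <<'EOF'
sudo apt install steghide -y
steghide embed -cf blackhole.jpg -ef secretmessage.txt
rm secretmessage.txt
EOF
}

# The post's step: truncate dpkg.log to zero bytes by redirecting nothing into it.
wipe_dpkg_log() {
    : > "$1/var/log/dpkg.log"
}

# List every file under the usual locations beneath root $1 that still mentions $2.
package_traces() {
    grep -rl -- "$2" "$1/var/log" "$1/var/lib/dpkg" "$1/home" 2>/dev/null | sort
}

# Zero-length files under var/log are what a truncation leaves behind; an empty log
# whose modification time is newer than its neighbours is exactly what an examiner
# (or a file-integrity monitor such as Tripwire) looks for.
wiped_logs() {
    find "$1/var/log" -type f -size 0 | sort
}

root=$(mktemp -d)
make_sample_system "$root"
echo "files naming steghide before the wipe:"; package_traces "$root" steghide
wipe_dpkg_log "$root"
echo "files naming steghide after the wipe:";  package_traces "$root" steghide
echo "logs that are now empty:";               wiped_logs "$root"
rm -rf "$root"
```

Before the wipe, four files name the package; afterwards three still do, and dpkg.log shows up in the list of empty logs. Run the same two search functions with / as the root on a real machine (as root, since some of those paths are not world-readable) to get the actual list of places an install is recorded.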

