Learn with Us: Image Steganography

Steganography

 the practice of concealing messages or information within other non-secret text or data.

While you may have written a letter to your friend in invisible ink and thought you alone had achieved peak secrecy, steganography is something that people like you and me would not notice, even though it happens all around us every so often. That’s the point of steganography, you see.

Even recently – just this month – Magecart Hackers have encoded stolen credit card data into visual and innocuous-looking images hosted on servers, which they later retrieve using the usual GET requests before extracting the stolen details from the images. The methods and media in which information can be hidden are simply endless.

With that being said, you may have encountered steganography challenges in Capture-The-Flag (CTF) competitions before as well! Capture-The-Flag competitions are events that usually involve challenges related to information security. The objective of a CTF challenge is usually to find and submit a short string that commonly looks like “SOMECTFNAME{…}”.

Steganography – usually found under the forensics category – is just one of the more common/beginner-level CTF challenges that may kickstart your interest in CTFs. However, they can evolve to become even more complex and obfuscated depending on the creative methods of the challenge creator.

Still, the most common types of steganography challenges can include:

  • Image Steganography
  • Audio Steganography
  • Text Steganography
  • and even Video Steganography

In this week’s Learn with Us, you can have a taste of image steganography through the challenges we have created. Don’t hesitate to leave a comment in case something is unclear or you would like to know more about how the challenges were created 😀

NOTE: For some of the tools used, I recommend that you have a Linux Virtual Machine (VM) available to download and try them out (Ubuntu or Kali are recommended).


Level 1: Exif Metadata

The metadata of an image tell you details about the image, such as the date it was taken, its author, and even the camera model of the camera it was taken with.

Usually, you can find all these by right-clicking the image file and selecting “Properties” before clicking on the “Details” tab, but sometimes not all the metadata is shown through that method. Instead, you might find more interesting details through online tools made for checking metadata ✨

Download the following image and try looking through its properties first. Then, compare it with the results you get from uploading the image to this website (Click the “Choose File” button and upload this image, before clicking “I’m not a robot”, and then “View Image Data”):

http://exif.regex.info/exif.cgi (you can use any other online metadata viewer if you’d like as well)

Do you see the flag?


Level 2: Extracting Embedded Strings

There are various ways to solve this challenge, but in essence, a string containing the message is hidden among the raw data of the simple-looking image that you can download from here:

To view the raw data of a photo, a Hex Editor can be used.

First, you could use a Hex Editor software to find something resembling the flag by going to Search,

entering the likely value (since we know the flag starts with “CWCX{“, we will put that under Text-String)

and then searching! You’ll see your flag 😀

If you do not have Hex Editor software, you could use the one provided online at hexed.it too as seen here ✨

However, apart from Hex Editors, there are also tools used specifically to find strings among all the unfamiliar characters in the raw data of a file.

There is a well-known tool that you can use in Linux Virtual Machines (such as Kali in this example) called strings.

Just change your directory to the location where your image is stored, and then enter “strings <image name>”.

This will give you a lot of false-positive strings, so you can pipe (using the “|” operator) that long output into another command called “grep <string you want to find>” to filter out the line containing the flag that you want!
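As an added example (not part of the original challenge material), here is what `strings <image name> | grep CWCX` does, written out in Python. It goes one step beyond the text by also checking UTF-16LE text, which plain `strings` skips unless you pass `-e l`; the sample bytes and both flag values are constructed for illustration.

```python
import re

def extract_strings(data, min_len=4):
    """Yield (offset, encoding, text) for printable runs, as `strings` would."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)   # UTF-16LE text
    for m in ascii_run.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in wide_run.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")

def find_flags(data, prefix="CWCX{"):
    """Return (byte offset, encoding, flag) for each prefix...} token found."""
    token = re.compile(re.escape(prefix) + r"[^}]*\}")
    hits = []
    for start, encoding, text in extract_strings(data):
        width = 2 if encoding == "utf-16le" else 1   # bytes per character
        for m in token.finditer(text):
            hits.append((start + m.start() * width, encoding, m.group()))
    return hits

# Constructed sample: JPEG-like bytes with one ASCII and one UTF-16LE flag.
SAMPLE = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x02\x9c\x11"
    + b"CWCX{constructed_ascii}"
    + b"\x03\xfe\x80\x07"
    + "CWCX{constructed_wide}".encode("utf-16-le")
    + b"\x05\xff\xd9"
)

if __name__ == "__main__":
    for offset, encoding, flag in find_flags(SAMPLE):
        print(f"0x{offset:04X} {encoding:8} {flag}")
```

The offsets it prints are the same positions a hex editor search for the flag prefix would land on.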


Level 3: Unnoticeable Colour Differences

Each pixel of an image is a colour that can be identified using a hex code (e.g. the hex code of this heading’s colour is #2b7c74).

A slight change in the colour (#2b7c75) is not distinguishable to the naked eye, so this can be used to hide messages as well!

Download these two files and compare them using this online tool (remember to change the Fuzz value to 1!):

https://online-image-comparison.com/


Level 4: Finding Embedded Images Using File Signatures

For every extension (e.g. .jpg, .png, etc.), there is something called a file signature (also known as a ‘magic number’) found at the start of the raw data that helps the operating system and programmes identify the file type.

(Again, you may also use an online hex editor with any jpg or png file to see the following)

For example, the magic number of .jpeg and .jpg files is FFD8 (in hex values), also seen as ÿØ (as text-string).

As for .png files, the magic number is 89 50 4E 47 (in hex values), also seen as ‰PNG.

A full list of magic numbers exists online for your reference in case you are looking for other file types (e.g. .zip files):

https://en.wikipedia.org/wiki/List_of_file_signatures

For certain file types, there are also common hex values that mark the ending of the file as well. Using both the magic number and this ending, you can then manually extract a hidden file in an image.

.jpg files usually end in FFD9 (hex value), so anything after that should likely not be part of the image.

Similarly for .png files, you would usually see an IEND®B`‚ at the end of the image, and that is where the png file ends.

Therefore, if there really was, say, a jpg image within another jpg image, you would find something like an FFD8 and an FFD9 between the FFD8 at the start of the file and the FFD9 at the end of the file. The same logic can be applied to png files, and either type can be hidden in either type.

Just copy the contents of the nested image (e.g. everything between the inner FFD8 and FFD9 inclusively), and paste it into a new blank file, then save it. Remember to change the extension of the new file to the correct extension!
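The manual carving steps above can be scripted. This added example (not from the original article, and not how binwalk itself works) searches a file's bytes for JPEG and PNG signatures after offset 0 and cuts out each embedded image. PNG ends are found by walking chunks and checking CRCs up to IEND, while the JPEG end is simply the first FFD9 after the start, a heuristic that real photos with thumbnails can defeat. The sample data is constructed and is not a viewable image.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"   # full 8-byte PNG signature
JPG_SOI = b"\xff\xd8\xff"        # FFD8 plus the 0xFF that starts the next marker
JPG_EOI = b"\xff\xd9"

def png_end(data, start):
    """Walk PNG chunks from `start`; return the offset just past IEND, or None."""
    pos = start + len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length                    # length + type + data + CRC
        stored = int.from_bytes(data[end - 4:end], "big")
        if end > len(data) or zlib.crc32(data[pos + 4:end - 4]) != stored:
            return None       # truncated or bad CRC: signature was a false positive
        if ctype == b"IEND":
            return end
        pos = end
    return None

def find_embedded(data):
    """Return sorted (offset, kind, blob) for image signatures found after offset 0."""
    found = []
    for kind, sig in (("png", PNG_SIG), ("jpg", JPG_SOI)):
        pos = data.find(sig, 1)                    # skip the host file's own header
        while pos != -1:
            if kind == "png":
                end = png_end(data, pos)
            else:                                  # heuristic: first FFD9 after the start
                eoi = data.find(JPG_EOI, pos + 2)
                end = eoi + 2 if eoi != -1 else None
            if end:
                found.append((pos, kind, data[pos:end]))
            pos = data.find(sig, pos + 1)
    return sorted(found)

def build_sample():
    """Constructed test data: a PNG inside a JPEG-like blob inside another one."""
    def chunk(ctype, body):
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))
    png = PNG_SIG + chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)) + chunk(b"IEND", b"")
    inner = JPG_SOI + b"\xe0inner" + png + JPG_EOI
    outer = JPG_SOI + b"\xe0outer" + inner + JPG_EOI
    return outer, inner, png

if __name__ == "__main__":
    print([(hex(o), k, len(b)) for o, k, b in find_embedded(build_sample()[0])])
```

To use it on a real file, pass `open(path, "rb").read()` to `find_embedded` and write each returned blob to a new file with the matching extension.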

An alternative method is to use the binwalk tool that will help you find embedded files automatically.

Just go to the location of the file and enter ‘binwalk <filename>’, and as you can see in the example, there is a png file in there at 0x383A.

When you add the `--dd='.*'` option to the binwalk command, you are telling it to extract all files of every type (hence the ‘.*’) embedded in the specified file. This will return the _<filename>.extracted folder that we also see in this image, containing the embedded secret files.

Now you can try one example for yourself 😀 Within this .jpg image, there are two images hidden: one is a .jpg image, and the other is a .png image. Can you find both?

(Clue: an image is embedded in another image embedded in the original image, so if you only got the final image, it may be because you used binwalk ;D )


When it comes to CTFs, it all boils down to google searching and researching for articles, previous CTF writeups, and learning as you try the challenges. 

The image steganography challenges in this article only cover the most basic of ways people can hide information in images, and they can even do so in other unsuspecting resources as well such as audio, other forms of text, and also videos.

Tune in the following week for more of these challenges, but next time we will be covering audio steganography instead. Get ready to see how images can be hidden through things that you would assume are just sounds or normal music.

Thank you~
