Steganography with Linux

What is Steganography?
Steganography is the concept of “secretly” embedding the contents of a file into a “carrier” file, like a JPEG image or a .wav file. Using special software, you can carefully insert the payload file into the carrier file without affecting the original contents. Without that software, the carrier file will look and act normally, except that it will be larger in size, because the payload file is now hidden within it.

Why is steganography used?
Would a regular person want to do this? Probably not, although I guess it depends on who your enemies/attackers are, and how sneaky you want to be!

However, from a computer forensics perspective (if you are an IT security professional), it makes sense to understand this technology, how it works, and how to detect it. If you are examining a computer suspected of being used in a crime, this might be a way the attacker hid data. It can also be a way for two parties to transmit messages or files securely, and in plain sight.

How would steganography be useful?
A common use-case would be to encrypt valuable data using gpg, then embed that encrypted file into an innocuous image or sound file. That way, one can hide the data in “plain sight”. To the average, and even the informed, person it will look just like a regular image or sound file; you’d need to actually scan it to see if it has a hidden payload.

This technique could be used to store data at rest so that it’s not so obvious. It could also be used to send data to another person via e-mail or a website, in plain sight, where again it’s not obvious that there is encrypted data within. The only potentially obvious indicator is that the file will be larger. However, as we’ll see below, with compression the file can be only a tiny bit larger, meaning it would not be obvious at all that it was carrying a payload.

How to embed a payload into a carrier file:
On Linux, one of the main apps for this is “steghide”. It supports .au, .bmp, .jpg, and .wav files. Remember, this program needs to be intimately familiar with the file format, because it needs to inject the payload without corrupting the rest of the file. The whole point is that the file should look/act/feel exactly the same afterwards, except for being slightly larger in size!

If you have a Debian-based distribution of Linux like Ubuntu, Linux Mint, or Raspbian for Raspberry Pi, you can install steghide like this:

$ sudo apt-get install steghide

Then, to embed a file:

$ steghide embed -cf file.jpg -ef data.txt.gpg

Steghide detects the carrier format from the file contents (regardless of extension) and supports ONLY .au, .bmp, .jpg, or .wav.

How to extract the payload from a carrier file:
To extract the contents, run:

$ steghide extract -sf file.jpg

To get details about the embedded file using the following command, you must know the passphrase (or write a script to guess it):

$ steghide info file.jpg

It will then prompt you for a passphrase. If the passphrase is right and there is something embedded, it shows you statistics.

An example:
Let’s say we have a typical cat picture from the internet:

[Image: kitten]

This will be our carrier file. Now, we have a text file that has valuable information in it, called private.txt. It’s really just 4K of Lorem Ipsum text. The idea is, I would first encrypt that file using gpg, then embed the resulting .gpg file into the kitten picture.

Encrypt the file:

$ gpg -c --cipher-algo aes256 private.txt

This creates the private.txt.gpg file, which is the encrypted version of the clear-text file. Next, embed the encrypted file into the kitten picture:

$ steghide embed -cf kitten_post.jpg -ef private.txt.gpg

And it might help to look at what we have left in the directory:

[Image: StegFiles (directory listing)]

Notice how the payload (private.txt.gpg) is 1,662 bytes, yet the difference between the original cat picture and the one carrying the payload (the _post.jpg) is only 235 bytes. That is because steghide also compresses the payload before embedding it.

Now, the user can freely display, store, or send this cat picture in plain sight, and someone else could later extract and decrypt the payload. On the receiving end, I can now do this:

$ steghide extract -sf ./kitten_post.jpg

It prompts me for the steghide passphrase, and I see:

Enter passphrase: 
wrote extracted data to "private.txt.gpg".

Then, I decrypt the original payload with:

$ gpg ./private.txt.gpg

which shows me this:

gpg: keyring `/home/rcs/.gnupg/secring.gpg' created
gpg: AES256 encrypted data
gpg: encrypted with 1 passphrase

And I now have a private.txt file in the current directory, which I can read, so we’ve come full circle.

Detecting if a file is carrying a payload:
This is a much trickier problem. In the case of steghide, if you know the passphrase, you can pull the statistics. If you don’t know it, the tool tells you nothing. Ideally, you’d need a tool that could somehow tell whether there appears to be a payload, and then you could use a password cracker (like crunch) to see if you can break in.

As for tools, everyone seems to point to “stegdetect”, although it’s not packaged, so you’d need to pull the source and compile it locally. Aside from that, there doesn’t seem to be a popular tool. If you know of a good one, please leave a comment below!

UPDATE: I found that I could point apt at the Debian sources, do a “sudo apt-get update”, and then install stegdetect with “sudo apt-get install stegdetect”. However, it’s not what I hoped for. It supports these steg programs/algorithms: jsteg, outguess, jphide, invisible secrets, F5, camouflage, and appendX. In other words, it does not support steghide, and did NOT detect our encoded file! For example, when I ran:

$ stegdetect ./*.jpg

it returned:

./kitten.jpg : negative
./kitten_post.jpg : negative

So, it may be a good place to start, but it’s not a good countermeasure for steghide, the most popular tool on Linux for this!

Bottom line:
Again, I don’t think this will be of a lot of interest to the average user. I doubt many people would store their tax returns or finances.xls this way. However, for IT security professionals, I think this is a valuable thing to understand, along with the tooling that is used. If you work in computer forensics, it might make sense to have a script that scans all the known file types in which steganography is used. This particular tool, steghide, only supports a couple of file formats, but other tools support other file types.
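A starting point for the scanning script mentioned above, written here as an added example (not the post’s own code and not part of steghide): it identifies the four steghide carrier formats by their magic bytes rather than by file extension, and compares each file against a known-good copy by hash, since a compressed payload changes the size only slightly. The file names, baseline set and sample bytes are constructed for the demonstration.

```python
import hashlib
import os
# Extensions that legitimately go with each carrier format steghide accepts.
CARRIER_EXTENSIONS = {"jpg": ("jpg", "jpeg"), "bmp": ("bmp",), "wav": ("wav",), "au": ("au",)}

def carrier_type(data: bytes):
    """Identify a steghide-supported carrier by its magic bytes, ignoring the name."""
    if data[:3] == b"\xff\xd8\xff":
        return "jpg"
    if data[:2] == b"BM":
        return "bmp"
    if data[:4] == b"RIFF" and data[8:12] == b"WAVE":
        return "wav"
    if data[:4] == b".snd":
        return "au"
    return None

def triage(files, baselines):
    """files/baselines: {name: bytes}; baselines are known-good originals (e.g. a backup)."""
    findings = []
    for name, data in files.items():
        fmt = carrier_type(data)
        if fmt is None:
            continue  # not a format steghide can use as a carrier
        ext = os.path.splitext(name)[1].lower().lstrip(".")
        finding = {"name": name, "format": fmt,
                   # steghide ignores extensions, so a "text" file that is
                   # really a JPEG is still a usable carrier: flag it
                   "extension_mismatch": ext not in CARRIER_EXTENSIONS[fmt],
                   "size_delta": None, "modified": None}
        base = baselines.get(name)
        if base is not None:
            finding["size_delta"] = len(data) - len(base)
            # compare content, not size: growth can be tiny (235 bytes for a 1,662-byte payload)
            finding["modified"] = hashlib.sha256(data).digest() != hashlib.sha256(base).digest()
        findings.append(finding)
    return findings

# Constructed sample bytes (not real images): a JPEG header plus padding, and a
# copy whose body differs and has grown by 8 bytes, standing in for a carrier.
ORIGINAL_JPG = b"\xff\xd8\xff\xe0" + b"\x00" * 60 + b"\xff\xd9"
CARRIER_JPG = b"\xff\xd8\xff\xe0" + b"\x01" * 60 + b"\x00" * 8 + b"\xff\xd9"
SAMPLE_FILES = {"kitten.jpg": CARRIER_JPG,          # replaced by the carrier copy
                "notes.txt": CARRIER_JPG,           # a JPEG renamed to look like text
                "readme.txt": b"plain text, not a carrier\n"}
SAMPLE_BASELINES = {"kitten.jpg": ORIGINAL_JPG}

if __name__ == "__main__":
    for finding in triage(SAMPLE_FILES, SAMPLE_BASELINES):
        print(finding)
```

The script does not detect a payload by itself; it narrows a disk image down to the files worth handing to steghide info or stegdetect.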
