Commit 497403ab authored by TheOuterLinux

...

parent bbc06cf1
......@@ -70,6 +70,7 @@ mv - move (rename) files
number - convert Arabic numerals to English
octave - a high-level interactive language for numerical computations
openssl - OpenSSL command line tool
outguess - universal steganographic tool
p7zip - wrapper on 7-Zip file archiver with high compression ratio
parted - a partition manipulation program
paste - merge lines of files
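Review bot: the outguess entry copies the man page NAME line, but the man page further down limits the tool to PPM, PNM and JPEG carriers; in a command reference that sits between openssl and p7zip a hint such as "outguess - universal steganographic tool (JPEG/PNM carriers)" would save readers a trip to the man page and matches the wording style of the neighbouring entries.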
......@@ -91,6 +92,8 @@ sed - stream editor for filtering and transforming text
shred - overwrite a file to hide its contents, and optionally delete it
shuf - outputs randomly shuffled line-by-line file content or list of files/folders
stat - display file or file system status
stegbreak - launches brute-force dictionary attacks on JPG image
stegdetect - finds image files with steganographic content
steghide - a steganography program
stegsnow - whitespace steganography program
synclient - commandline utility to query and modify Synaptics driver options
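Review bot: stegbreak and stegdetect are added without any caveat, yet the retrieved blog post in this same commit reports that stegbreak aborted with a missing /usr/local/share/stegbreak/rules.ini and then a segmentation fault, and that stegdetect flagged jphide in the unmodified original image as well as the stego copy. Either leave the two entries out until the tools are confirmed to work on this system, or qualify them, e.g. "stegdetect - finds image files with steganographic content (JPEG only; prone to false positives)", so the list does not recommend tools the rest of the commit shows failing.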
......
Retrieved from: http://theevilbit.blogspot.com/2013/01/backtrack-forensics-steganoghraphy.html
The Evil Bit Blog
Forensics, Pentesting, Networking and Security
Sunday, January 20, 2013
Backtrack Forensics: Steganography
Menu: Forensics -> Forensic Analysis Tools
Directory: /usr/local/bin/
stegbreak
stegcompare
stegdeimage
stegdetect
stegdetect is a tool for detecting steganography in JPEG image files; it
supports several of the methods used to hide content. Currently the detectable
schemes are: jsteg, jphide (Unix and Windows), Invisible Secrets, OutGuess
0.13b, F5 (header analysis), appendX and Camouflage. stegbreak is used to
launch dictionary attacks against JSteg-Shell, JPHide and OutGuess 0.13b.
Before we start using the tools we need an image that has some hidden
content, so let's review a few hiding apps before using stegdetect. As I didn't
find any preinstalled in BT, I installed steghide first, which can hide
content in JPEG, BMP, WAV and AU files.
Using steghide:
apt-get install steghide - installation
steghide --info IMG_4422.JPG - get info from the image (including how much data
can be hidden in it)
steghide --embed -ef mysecret.txt -cf IMG_4422.JPG -sf steg.jpg -p mypass -Z -
hide mysecret.txt with the password "mypass", writing the result to the new
file steg.jpg (-sf) and leaving the cover file IMG_4422.JPG untouched; -Z
disables compression of the embedded data
steghide --embed -ef mysecret.txt -cf IMG_4422.JPG -sf steg.jpg -p mypass -
same as the previous command but with compression (the default)
steghide --extract -xf mysecret2.txt -sf steg2.jpg -p mypass - extract the
hidden file from steg2.jpg and write it as mysecret2.txt
[steghide]
The bad news is that stegdetect does not detect steghide's algorithm. Despite
that, I tried it to see what happens.
Using stegdetect:
stegdetect -t [list of tests] steg.jpg - where the tests can be (by default
jopifa is enabled):
• j - Tests if information has been embedded with jsteg.
• o - Tests if information has been embedded with outguess.
• p - Tests if information has been embedded with jphide.
• i - Tests if information has been hidden with invisible secrets.
• f - Tests if information has been hidden with F5.
• F - Tests if information has been hidden with F5 using a more sophisticated
but fairly slow detection algorithm.
• a - Tests if information has been added at the end of file, for example by
camouflage or appendX.
stegdetect -s <float> steg.jpg - set the sensitivity (the detection results are
multiplied by this number; the default is 1)
Actually stegdetect reported jphide for the original and the created image as
well, so it's clearly a false positive.
[stegdetect]
I tried to see what stegbreak can do, and created a password list with only
one line, the correct password.
stegbreak -f passlist.txt steg.jpg
I got the following error: "stegbreak: fopen: /usr/local/share/stegbreak/
rules.ini: No such file or directory"
I downloaded the source and placed the ini file in the said location, but you
can also download it from here.
After that I got a "Segmentation fault" error. I couldn't find a working
solution for this problem; however, it's a known bug.
Second, I tried outguess, which can hide info in JPEG files.
apt-get install outguess
outguess -k "mypass" -d index.html IMG_4422.JPG out2.jpg - hides index.html in
IMG_4422.JPG using the key "mypass" and writes the result to out2.jpg
[outguess]
Unfortunately stegdetect doesn't detect the hidden file (probably because I
used outguess v2), even when increasing the sensitivity, as you can see:
[stegdetect]
My last try was with jphide; I used the Windows version, as I had no luck
installing the one for Linux. It can be downloaded from here.
[jphs]
As you can see, stegdetect can detect it when increasing the sensitivity, but
it claims the same thing for the original image, so...
[stegdetect]
stegcompare can compare the original image with the one that stores the
information, but I couldn't figure out what the output means.
[stegcompar]
stegdeimage - I'm not sure what it should do; it also gives the following error:
"/home/stego_analysis/compress/dscf0033.jpg : error: No such file or directory"
Looking at the source code:
    if (jpg_open("/home/stego_analysis/compress/dscf0033.jpg") == -1)
        return;
it is clear that it will never run unless you have an image at exactly that
hard-coded path.
[stegdeimag]
Overall I'm not really convinced by the stegdetect toolset; it's buggy and
doesn't really find steganography correctly.
Official website for steghide: http://steghide.sourceforge.net/
Official website for stegdetect and outguess: http://www.outguess.org/
Official website for jphide: http://linux01.gwdg.de/~alatham/stego.html
OUTGUESS(1) General Commands Manual OUTGUESS(1)
NAME
outguess - universal steganographic tool
SYNOPSIS
outguess [ -emt ] [ -r ] [ -k key ] [ -F [+-] ] [ -d datafile ] [ -s seed ] [ -i limit ] [
-x maxkeys ] [ -p param ] [ inputfile [ outputfile ]]
DESCRIPTION
Outguess is a universal steganographic tool that allows the insertion of hidden
information into the redundant bits of data sources. The nature of the data
source is irrelevant to the core of outguess. The program relies on data
specific handlers that will extract redundant bits and write them back after
modification. Currently only the PPM, PNM, and JPEG image formats are supported,
although outguess could use any kind of data, as long as a handler were
provided.
Outguess uses a generic iterator object to select which bits in the data should
be modified. A seed can be used to modify the behavior of the iterator. It is
embedded in the data along with the rest of the message. By altering the seed,
outguess tries to find a sequence of bits that minimizes the number of changes
in the data that have to be made. A bias is introduced that favors the
modification of bits that were extracted from a high value, and tries to avoid
the modification of bits that were extracted from a low value.
Additionally, Outguess allows for the hiding of two distinct messages in the
data, thus providing plausible deniability. It keeps track of the bits that have
been modified previously and locks them. A (23,12,7) Golay code is used for
error correction to tolerate collisions on locked bits. Artificial errors are
introduced to avoid modifying bits that have a high bias.
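The two paragraphs above describe the core of the embedding: a key-driven iterator selects which redundant bits carry the message, and the seed is varied until the embedding that flips the fewest bits is found, with the chosen seed stored alongside the message so the extractor can rebuild the same iterator. The following Python is an added example, not OutGuess's code or file format, that shows exactly that search over the least significant bits of a constructed sample carrier. It stores the seed in a small header region selected by the key alone, and leaves out the bias, the second message and the Golay code. HEADER_BITS, the SHA-256 derived generator, the length prefix and the sample carrier are this example's own assumptions.

```python
"""Toy OutGuess-style seed search over carrier LSBs.

Added example, not OutGuess code.  Embedding picks the iterator seed that
needs the fewest LSB changes, stores it in a key-only header, then writes a
length-prefixed message at that seed's positions; extraction reverses it.
"""
import hashlib
import random

HEADER_BITS = 16   # assumption: seed stored as 16 bits (outguess -i caps it at 65535)


def _rng(key, seed):
    """Deterministic generator from key and seed (assumption: SHA-256 of both)."""
    digest = hashlib.sha256(key.encode() + seed.to_bytes(2, "big")).digest()
    return random.Random(int.from_bytes(digest, "big"))


def _order(key, seed, total, locked):
    """Key+seed dependent visiting order over the carrier indices not locked.
    A full shuffle (rather than random.sample) keeps prefixes consistent, so the
    extractor can read the length first and then exactly that many bits."""
    pool = [i for i in range(total) if i not in locked]
    _rng(key, seed).shuffle(pool)
    return pool


def to_bits(data):
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def from_bits(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits) - 7, 8))


def changes_for_seed(carrier, key, message, seed):
    """LSB flips this seed's iterator would need to embed the message."""
    bits = to_bits(len(message).to_bytes(2, "big") + message)
    locked = set(_order(key, 0, len(carrier), set())[:HEADER_BITS])
    pos = _order(key, seed, len(carrier), locked)[:len(bits)]
    return sum((carrier[p] & 1) != b for p, b in zip(pos, bits))


def embed(carrier, key, message, limit=64):
    """Return (stego_carrier, seed, changes) using the cheapest of `limit` seeds."""
    bits = to_bits(len(message).to_bytes(2, "big") + message)
    if HEADER_BITS + len(bits) > len(carrier):
        raise ValueError("carrier too small for message")
    limit = min(limit, 65536)                                   # seed must fit 16 bits
    header_pos = _order(key, 0, len(carrier), set())[:HEADER_BITS]   # key-only positions
    locked = set(header_pos)                                    # never reused for payload
    changes, seed = min((changes_for_seed(carrier, key, message, s), s) for s in range(limit))
    out = list(carrier)
    for p, b in zip(header_pos, to_bits(seed.to_bytes(2, "big"))):
        out[p] = (out[p] & ~1) | b
    for p, b in zip(_order(key, seed, len(carrier), locked), bits):
        out[p] = (out[p] & ~1) | b
    return out, seed, changes


def extract(carrier, key):
    """Read the seed from the key-only header, rebuild the iterator, read the message."""
    header_pos = _order(key, 0, len(carrier), set())[:HEADER_BITS]
    seed = int.from_bytes(from_bits([carrier[p] & 1 for p in header_pos]), "big")
    order = _order(key, seed, len(carrier), set(header_pos))
    length = int.from_bytes(from_bits([carrier[p] & 1 for p in order[:16]]), "big")
    return from_bits([carrier[p] & 1 for p in order[16:16 + 8 * length]])


# Constructed sample carrier: 4096 pseudo-random sample values, seeded for
# reproducibility.  A real carrier would be DCT coefficients or pixel bytes.
SAMPLE_CARRIER = random.Random(1234).choices(range(256), k=4096)

if __name__ == "__main__":
    stego, seed, changes = embed(SAMPLE_CARRIER, "my secret pass phrase", b"attack at dawn")
    print("seed", seed, "flips", changes, "vs seed 0:",
          changes_for_seed(SAMPLE_CARRIER, "my secret pass phrase", b"attack at dawn", 0))
    print(extract(stego, "my secret pass phrase"))
```

The search only ever lowers the number of modified carrier values, never the message's detectability on its own; that is why the man page pairs it with the bias and the -F statistics-preserving option, neither of which this toy implements.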
OPTIONS
The following command line options, when specified as capital letters, indicate options
for the second message.
-F [+-]
Specifies that OutGuess should preserve statistics based on frequency counts. As a
result, no statistical test that is based on frequency counts will be able to
detect steganographic content. This option is on by default.
-kK key
Specify the secret key used to encrypt and hide the message in the provided data.
-dD datafile
Specify the filename containing a message to be hidden in the data.
-sS seed
Specify the initial seed the iterator object uses for selecting bits in the
redundant data. If no upper limit is specified, the iterator will use this seed
without searching for a more optimal embedding.
-iI limit
Specify the upper limit for finding an optimal iterator seed. The maximum value for
the limit is 65535.
-eE Use error correction for data encoding and decoding.
Other options that apply to the general execution of outguess:
-r Retrieve a message from a data object. If this option is not specified, outguess
will embed messages.
-x maxkeys
If the second key does not create an iterator object that is successful in
embedding the data, the program will derive up to the specified number of new keys.
-p param
Passes a string as parameter to the destination data handler. For the JPEG image
format, this is the compression quality, it can take values between 75 and 100.
The higher the quality the more bits to hide a message in the data are available.
-m Mark pixels that have been modified.
-t Collect statistics about redundant bit usage. Repeated use increases output level.
For embedding messages, you need to specify a source and a destination filename.
Outguess determines the data format by the filename extension. If no filenames
are specified outguess operates as a filter and assumes the PPM data format.
EXAMPLES
To embed the message hidden.txt into the monkey.jpg image:
outguess -k "my secret pass phrase" -d hidden.txt monkey.jpg out.jpg
And in the other direction:
outguess -k "my secret pass phrase" -r out.jpg message.txt
will retrieve the hidden message from the image.
If you want to embed a second message, use:
outguess -k "secret1" -d hide1.txt -E -K "secret2" -D hide2.txt monkey.jpg out.jpg
Outguess will first embed hide1.txt and then hide2.txt on top of it, using error
correcting codes. The second message hide2.txt can be retrieved with
outguess -k "secret2" -e -r out.jpg message.txt
SEE ALSO
cjpeg(1), djpeg(1), pnm(5), stirmark(1)
AUTHOR
Niels Provos <provos@citi.umich.edu>
1 May 2000 OUTGUESS(1)
OutGuess 0.2 Universal Stego (c) 1999-2001 Niels Provos
outguess [options] [<input file> [<output file>]]
-[sS] <n> iteration start, capital letter for 2nd dataset
-[iI] <n> iteration limit
-[kK] <key> key
-[dD] <name> filename of dataset
-[eE] use error correcting encoding
-p <param> parameter passed to destination data handler
-r retrieve message from data
-x <n> number of key derivations to be tried
-m mark pixels that have been modified
-t collect statistic information
-F[+-] turns statistical steganalysis foiling on/off.
The default is on.
STEGBREAK(1) BSD General Commands Manual STEGBREAK(1)
NAME
stegbreak — launches brute-force dictionary attacks on JPG image
SYNOPSIS
stegbreak [-qV] [-r rules] [-f wordlist] [-t tests] [-c] [file ...]
DESCRIPTION
The stegbreak utility launches a brute-force dictionary attack against the specified JPG images.
The options are as follows:
-q Only reports images for which the dictionary attack succeeded.
-V Displays the version number of the software.
-r rules Contains rules with transformations that will be applied to the words in the
wordlist. The rules follow the same syntax as in Solar Designer's password
cracking program John the Ripper. The default is rules.ini.
-f wordlist Specifies the file that contains the words for the dictionary attack. The
default is /usr/share/dict/words.
-t tests Sets the tests that are being run on the image. The following characters are
understood:
o The dictionary attack follows the embedding used by outguess.
p The dictionary attack follows the embedding used by jphide.
j The dictionary attack follows the embedding used by jsteg-shell.
The default value is p.
-c Specifies that the JPG images should be converted to a small sized object that
contains all the information necessary for the dictionary attack. This can be
used to reduce the size of the data set in distributed computing applications.
The stegbreak utility prints the filename, the embedding system and the password when
the attack succeeded for an image. For jsteg-shell and outguess, it also prints analysis
results from the built in file utility.
Pressing Ctrl-C causes a status line to be displayed, pressing Ctrl-C a second time within
one second aborts the program.
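The attack the man page describes has two parts worth seeing in code: candidates are generated by applying John the Ripper style rules to each wordlist entry, and a hit is confirmed not by any checksum in the image but by whether the extracted bytes look like a file to the built-in file magic. The following Python is an added example, not stegbreak's code, and does not reproduce the blog's failed run. The "embedding" it attacks is a constructed toy (payload XORed with a SHA-256 keystream so the example is self-contained and offline; it is not JPHide, JSteg-Shell or OutGuess), the rules engine covers only a handful of rule characters, and the wordlist, rules and magic table are this example's own.

```python
"""Rules-driven dictionary attack with file-magic verification, in the style
of stegbreak (added example; not stegbreak's code).  The scheme attacked is a
constructed toy so the example runs stand-alone.
"""
import hashlib
import itertools


def apply_rule(word, rule):
    """Apply a subset of John the Ripper rule characters to one word:
    ':' no-op, 'l' lowercase, 'u' uppercase, 'c' capitalise, 'r' reverse,
    'd' duplicate, '$X' append X, '^X' prepend X.  (Assumption: subset only.)"""
    w, i = word, 0
    while i < len(rule):
        c = rule[i]
        if c == ":":
            pass
        elif c == "l":
            w = w.lower()
        elif c == "u":
            w = w.upper()
        elif c == "c":
            w = w[:1].upper() + w[1:].lower()
        elif c == "r":
            w = w[::-1]
        elif c == "d":
            w = w + w
        elif c in "$^":
            i += 1
            if i >= len(rule):
                raise ValueError(f"rule {rule!r}: {c} needs a character")
            w = w + rule[i] if c == "$" else rule[i] + w
        else:
            raise ValueError(f"unsupported rule character {c!r} in {rule!r}")
        i += 1
    return w


def keystream(key, length):
    """SHA-256 counter-mode keystream (assumption: this toy's own derivation)."""
    out = bytearray()
    for ctr in itertools.count():
        out += hashlib.sha256(key.encode() + ctr.to_bytes(4, "big")).digest()
        if len(out) >= length:
            return bytes(out[:length])


def toy_embed(payload, key):
    """Constructed toy embedding: XOR with the keystream.  Not a real scheme; it
    only gives extraction the property stegbreak relies on: the right key yields
    a recognisable file, a wrong key yields noise."""
    return bytes(a ^ b for a, b in zip(payload, keystream(key, len(payload))))


toy_extract = toy_embed          # XOR is its own inverse


# Stand-in for file(1) magic (assumption: this example's own short table).
MAGIC = {
    b"PK\x03\x04": "Zip archive data",
    b"%PDF-": "PDF document",
    b"\x1f\x8b\x08": "gzip compressed data",
    b"GIF8": "GIF image data",
}


def identify(data):
    """Return a description if the bytes start with a known magic, else None."""
    return next((name for magic, name in MAGIC.items() if data.startswith(magic)), None)


def stegbreak(blob, wordlist, rules):
    """Try every word under every rule; return (key, file_type, attempts) for the
    first candidate whose extraction looks like a file, else None."""
    attempts = 0
    for word in wordlist:
        for rule in rules:
            candidate = apply_rule(word, rule)
            attempts += 1
            kind = identify(toy_extract(blob, candidate))
            if kind:
                return candidate, kind, attempts
    return None


# Constructed sample: a zip header hidden under "Monkey1", i.e. the wordlist
# entry "monkey" after the rule "c$1" (capitalise, append '1').
SAMPLE_WORDS = ["dragon", "monkey", "letmein", "autumn"]
SAMPLE_RULES = [":", "l", "c", "u", "$1", "c$1", "r", "$!"]
SAMPLE_BLOB = toy_embed(b"PK\x03\x04\x14\x00\x00\x00 constructed archive body", "Monkey1")

if __name__ == "__main__":
    print(stegbreak(SAMPLE_BLOB, SAMPLE_WORDS, SAMPLE_RULES))
```

Magic-based verification is also why stegbreak prints the file utility's analysis for jsteg-shell and outguess hits: a short magic can match by accident under a wrong key, so the human reads the description before trusting the password.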
EXAMPLES
stegbreak -t p auto.jpg
Launches a brute-force dictionary attack against auto.jpg assuming that information has been
embedded with jphide.
FILES
/usr/share/dict/words default wordfile for the dictionary attack.
/usr/local/share/stegbreak/rules.ini rules on how to manipulate words for the dictionary
attack, from John the Ripper.
SEE ALSO
stegdetect(1)
ACKNOWLEDGEMENTS
This program contains source code from Solar Designer's John the Ripper. It has been placed
under a BSD-license with his permission.
This product includes software developed by Ian F. Darwin and others. The stegbreak utility
uses Darwin's file magic to verify results from OutGuess key guessing.
Korejwa provided information on the data format used by JSteg Shell.
AUTHORS
The stegbreak utility has been developed by Niels Provos.
BSD July 05, 2001 BSD
STEGDETECT(1) BSD General Commands Manual STEGDETECT(1)
NAME
stegdetect — finds image files with steganographic content
SYNOPSIS
stegdetect [-qhnV] [-s float] [-C num,tfname] [-c file ... name] [-D file] [-d num]
[-t tests] [file ...]
DESCRIPTION
The stegdetect utility analyses image files for steganographic content. It runs statistical
tests to determine if steganographic content is present, and also tries to find the system
that has been used to embed the hidden information.
The options are as follows:
-q Only reports images that are likely to have steganographic content.
-h Only calculates the DCT histogram. Use the -d option to display the values.
-n Enables checking of JPEG header information to suppress false positives. If
enabled, all JPEG images that contain comment fields will be treated as negatives.
OutGuess checking will be disabled if the JFIF marker does not match version 1.1.
-V Displays the version number of the software.
-s float Changes the sensitivity of the detection algorithms. Their results are multiplied
by the specified number. The higher the number the more sensitive the test will
become. The default is 1.
-C num,tfname
Feature vectors are extracted from the images. The argument num can either
be zero or one. A zero indicates that the provided images do not contain
steganographic content, a one indicates that they do. The argument tfname is
the name of the transform used for feature extraction. The feature vectors are
printed to stdout.
-c file Reads the data created by the -C option and computes the necessary values to
detect steganographic content in yet unknown images. The option can be used
multiple times. It expects the name of the scheme to be provided as an
additional argument. The result is a decision object that can be used with the
-D option. The decision object contains the parameters for a linear discriminant
function based on the Neyman-Pearson theorem.
-D file Reads a decision object that contains detection information about a new
steganographic scheme.
-d num Prints debug information.
-t tests Sets the tests that are being run on the image. The following characters are
understood:
j Tests if information has been embedded with jsteg.
o Tests if information has been embedded with outguess.
p Tests if information has been embedded with jphide.
i Tests if information has been hidden with invisible secrets.
f Tests if information has been hidden with F5.
F Tests if information has been hidden with F5 using a more sophisticated
but fairly slow detection algorithm.
a Tests if information has been added at the end of file, for example by
camouflage or appendX.
The default value is jopifa.
The stegdetect utility indicates the accuracy of the detection with a number of
stars behind the detected system. If no filenames have been specified, stegdetect
will read the filenames from stdin.
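Both the blog's list of stegdetect tests and the -t option above include the "a" test, which looks for data glued onto the end of a JPEG by tools such as Camouflage or appendX, and -n describes a JFIF version check. Unlike the statistical tests, these two are purely structural, so they can be shown in full. The following Python is an added example, not stegdetect's code: a JPEG marker walker that finds where the image really ends (skipping stuffed 0xFF 0x00 bytes and restart markers inside the scan data, which a naive search for FF D9 would trip over), reports any trailing bytes with a file-magic guess, and reads the JFIF version. The sample JPEG it builds is a constructed skeleton with valid marker structure, not a decodable photo, and the MAGIC table is this example's own short list.

```python
"""Detect data appended after a JPEG's End-Of-Image marker (what stegdetect's
"a" test looks for) and read the JFIF version (what -n checks).

Added example; not stegdetect's code.  Sample input below is constructed.
"""
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"

# Short stand-in for file(1)'s magic database (assumption: this example's own list).
MAGIC = {
    b"PK\x03\x04": "zip archive",
    b"%PDF-": "PDF document",
    b"\x1f\x8b\x08": "gzip data",
    b"\x89PNG": "PNG image",
}


def find_eoi(data):
    """Return the offset just past the EOI marker that ends the JPEG stream, or
    None if the bytes are not a well-formed JPEG.

    Entropy-coded scan data may contain 0xFF, but only as 0xFF 0x00 (byte
    stuffing) or 0xFF 0xD0..0xD7 (restart markers); any other byte after 0xFF
    is the next real marker."""
    if not data.startswith(SOI):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None                                # lost marker sync
        marker = data[pos + 1]
        if marker == 0xFF:                             # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                             # EOI
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                                   # standalone markers, no length
            continue
        if pos + 4 > len(data):
            return None
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker == 0xDA:                             # SOS: skip entropy-coded bytes
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return None


def jfif_version(data):
    """Return (major, minor) from the APP0/JFIF segment, or None if absent.
    stegdetect -n turns its OutGuess test off unless this is (1, 1)."""
    pos = 2
    while data[:2] == SOI and pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xDA:                             # reached the scan: no more headers
            break
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xE0 and data[pos + 4:pos + 9] == b"JFIF\x00" and len(data) > pos + 10:
            return data[pos + 9], data[pos + 10]
        pos += 2 + seg_len
    return None


def appended_data(data):
    """Return (trailer_bytes, description) when bytes follow EOI, else None."""
    end = find_eoi(data)
    if end is None or end == len(data):
        return None
    trailer = data[end:]
    kind = next((n for m, n in MAGIC.items() if trailer.startswith(m)), "unknown data")
    return trailer, kind


def build_sample_jpeg():
    """Constructed minimal JPEG skeleton: SOI, APP0 (JFIF 1.1), SOF0, SOS, a few
    scan bytes containing a stuffed 0xFF 0x00 and an RST0 marker, then EOI.
    Not a decodable photo; it exercises the marker parsing only."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + bytes([1, 1, 0, 0, 1, 0, 1, 0, 0])
    sof0 = b"\xff\xc0" + struct.pack(">H", 11) + b"\x08\x00\x08\x00\x08\x01\x01\x11\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"
    return SOI + app0 + sof0 + sos + scan + EOI


if __name__ == "__main__":
    clean = build_sample_jpeg()
    stego = clean + b"PK\x03\x04" + b"constructed archive body"
    for name, blob in (("clean", clean), ("stego", stego)):
        print(name, "JFIF", jfif_version(blob), "trailer:", appended_data(blob))
```

Run on real files, feed each one's bytes to appended_data(); anything reported is worth a look, but a trailer is not by itself proof of steganography, since some cameras and editors also leave data after EOI.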
EXAMPLES
stegdetect -t p auto.jpg
Tries to detect the presence of jphide embedded information in auto.jpg.
ERRORS
stegdetect works only for JPEG images.
Currently, there is no support for parameter training. The only exported knob is
the sensitivity level. Future versions will export all detection parameters via a
configuration file.
SEE ALSO
stegbreak(1)
ACKNOWLEDGEMENTS
This product includes software developed by Ian F. Darwin and others. The
stegdetect utility uses Darwin's file magic to identify data appended at the end
of an image.
AUTHORS
The stegdetect utility has been developed by Niels Provos.
BSD April 01, 2001 BSD
......@@ -212,6 +212,7 @@ nslookup - query Internet name servers interactively
number - convert Arabic numerals to English
octave - a high-level interactive language for numerical computations
openssl - OpenSSL command line tool
outguess - universal steganographic tool
p7zip - wrapper on 7-Zip file archiver with high compression ratio
pacman4console - ncurses-based pacman game
pacmd - reconfigure a PulseAudio sound server during runtime
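Review bot: this is the same "outguess - universal steganographic tool" line added in the first hunk, hand-copied into a second command list (this one also carries pacman4console and pacmd), and the next hunk repeats the stegbreak/stegdetect entries the same way. Two lists of the same commands maintained by hand will drift; if both files are needed, generate one from the other or keep a single source and include it, rather than adding every new entry twice.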
......@@ -273,6 +274,8 @@ ss - another utility to investigate sockets
ssh - OpenSSH SSH client (remote login program)
startx - initialize an X session
stat - display file or file system status
stegbreak - launches brute-force dictionary attacks on JPG image
stegdetect - finds image files with steganographic content
steghide - a steganography program
stegsnow - whitespace steganography program
strace - trace system calls and signals
......
......@@ -241,3 +241,43 @@ number of allowed processes to run at any given time. However, be warned
that GNOME and KDE systems may use a lot or processes and you should run
htop every so often to get an idea as to how large to set your limits.
The file itself has some notes to help you.
#####[Bluetooth]#####
If you dont normally use Bluetooth but don't seem to have a client for it,
that still doesn't mean that the module for it isn't loaded and working.
To prevent Bluetooth from loading:
1. Add 'blacklist btusb' to:
sudoedit /etc/modprobe.d/blacklist.conf
2. Add the following to /etc/rc.local:
rfkill block bluetooth
echo disable > /proc/acpi/ibm/bluetooth
/etc/init.d/bluetooth stop
#####[Possible Backdoor ports]#####
According to rkhunter, a scanner for rootkits, possible TCP/UDP ports used
for backdoors are as follows:
1524
1984
2001
2006
2128
6666
6667
6668
6669
7000
13000
14856
25000
29812
31337
32982
33369
47107
47018
60922
62883
65535
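Review bot: the Bluetooth recipe in this hunk will not fully do what it promises, and two of its three rc.local lines are host-specific. "echo disable > /proc/acpi/ibm/bluetooth" only exists when the thinkpad_acpi driver is loaded, so on other hardware it fails with "No such file or directory" and should be guarded by a test for the path or dropped; "/etc/init.d/bluetooth stop" and /etc/rc.local assume a SysV init, and on a systemd host "systemctl disable --now bluetooth" is the equivalent; and "blacklist btusb" only stops automatic loading by alias, so if the goal is that the module never loads, "install btusb /bin/true" is the line to add. Also fix the typo "If you dont" to "If you don't" on the first line of the section. For the port list, say what a reader is meant to do with it (compare it against the listeners shown by "ss -tuln", which the list in this same commit already documents) and note that 6666-6669 and 7000 are ordinary IRC server ports, so a listener there is a lead to investigate, not proof of a backdoor.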