Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Whether this is about ha.ckers.org, sla.ckers.org or some other project you are interested in or want to talk about, throw it in here to get feedback. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
Steganography
Posted by: xpcer
Date: March 21, 2007 08:15PM

hi friends, can you tell me what about steganography? can it implemented using JPG image? how it works?

thanks..

Options: ReplyQuote
Re: Steganography
Posted by: Mephisto
Date: March 21, 2007 08:50PM

steganography is basically the "art" of being able to hide data within other files. Yes, images are excellent file types for steganography.

Wikipedia.org gives a pretty good overview of what it is...

Other (hacker) sites provide more intimate details on how it's done and the tools that can be used to both hide data and reveal it.

Options: ReplyQuote
Re: Steganography
Posted by: rsnake
Date: March 21, 2007 08:56PM

Steganography depends on the attacker not knowing it's there. So by virtue of you telling us you just used it in an image pretty much negates it's usefulness in a lot of ways. ;) It's sort of security through obscurity. However, if you add encryption on top of that it can be pretty powerful as you are adding obscurity on top of actual security.

- RSnake
Gotta love it. http://ha.ckers.org

Options: ReplyQuote
Re: Steganography
Posted by: Kyran
Date: March 21, 2007 11:55PM

I personally like making a silly long password on a RAR file and embedding it in a jpeg.

- Kyran

Options: ReplyQuote
Re: Steganography
Date: March 22, 2007 04:12PM

Is there a definitive list of files that can be combined? I know JPG, GIF, PNG, and WAV files can be combined with RAR, ZIP, and MP3 files because they ignore preceeding headers, but is there a more extensive list?


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Options: ReplyQuote
Re: Steganography
Posted by: psifertex
Date: March 22, 2007 08:48PM

@Andrew: I'm not sure what you mean by ignoring the preceding headers -- the primary concern is one of size, usually. You can hold /any/ sort of data in jpg, gif, and png (non-compressed formats like gif and bmp tend to be easier) files. In those cases, you usually zero out the least significant bits of the color information (since typically the color depth is a lot higher than the human eye can differentiate anyway) and store your information there. Because of that you're obviously limited in storing a much smaller file inside of the bigger file. There's lots of other techniques and variants, but that's usually how it's done for images.

Adding encryption as RSnake already pointed out is one of the better ideas because it will hopefully randomize (good crypto is like good compression -- relatively random distribution hard to pick out from noise and thus has higher entropy) those least-significant bits so that they become harder to perform distribution analysis to determine whether something's hidden in those bits. You usually perform stego based on either distribution analyis, or fingerprinting of specific tools that have a particular header information or other mechanisms that allow the tools to detect their own encodings, and thus allow steg detection. Niels Provos has done some good work that you should check out at http://www.outguess.org/detection.php

Options: ReplyQuote
Re: Steganography
Posted by: hackathology
Date: March 27, 2007 11:49AM

At the Windows prompt use this command:

copy /B source.gif+source.zip target.gif

Or in Linux/Mac:

cat somefile.zip >> somefile.gif

not all zip programs can extract the resulting file. 7-Zip and Windows build in extraction failed, however Winrar works :)

http://hackathology.blogspot.com

Options: ReplyQuote
Re: Steganography
Date: March 27, 2007 08:17PM

That's what I was refering to. But is there a greater list of file types that can be combined?


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Options: ReplyQuote
Re: Steganography
Posted by: hackathology
Date: March 28, 2007 01:11AM

Awesome AnDrEw, i had not tried other file types, but yep, you can experiment with it.

http://hackathology.blogspot.com

Options: ReplyQuote
Re: Steganography
Posted by: psifertex
Date: March 30, 2007 11:08PM

Gotcha--I'm not sure I'd call that stego, really, though I guess it kinda is. That's more like, well, cat'ing two files together and hoping the parser of the first ignores the gibberish at the end, and that your zip tool can ignore the gibberish at the beginning and still hit the zip.

Check out foremost, the forensics file carving tool for doing automated-analysis of any files like this to detect a zip file stuck on the end.

Andrew, my guess is that any file format that explicitly lists the length of the original file in the file header might be potentially susceptible, like the ANI file format that's in the news now since specifying the section sizes is exactly where the current 0day vuln is in. It would still depend on the rendering code though, exactly what it does with the junk.

Options: ReplyQuote
Re: Steganography
Posted by: fyoung
Date: April 24, 2007 09:02PM

Andrew, most compression formats can have infomration inbedded into them and you can imbed whatever you want into them as its only 1's and 0's. The problem is that if your receiver does not know what file format to expect, you may encounter problems(ie is it a .wav file, a .jpg a word document etc), although since you probably share a password with them (to seed the random number generator), you can probably transmit a filetype or include the filetype inside of the image you embedded the file into.


Writing your own Stego tool for something like say gif or png is vastly easier to write than say jpg due to the differences in the way they are encoded.If I remember, gifs and PNG's are hardly encoded at all where as jpgs are compressed. Jpgs are split up into blocks of 8x8 then put through huffman encoding to reduce their size. The actual process is somewhat complex and it makes encoding the least significant bit fairly hard (but still possible).

There are also easy ways to encode files into the header of gif, jpg and png files (basically count the entire thing as a comment). This does not distort the image at all and has no file size limitations (at least I never found one), but is probably the easiest to detect.

In regards to using crypto with the stego and randomly picking bits to replace, in my experience this has its ups and downs. Most modern day automated stego detectors look for things that are statistically too "random." So distributing a large file randomly throughout the source will most likely pick up automated flags more than if the bits of the enbedded file were strewn in the first few pixels of the image sequentially. Of course the downside to this is that if someone knows that an image contains a hidden file, it makes it alot easier for someone to recover the file in question.

Another thing to keep in mind is that most forms of stego do not withstand compression very well, so keep in mind the medium you are sending it through. Some image hosting companies will compress the image when you upload it which will mess up the embedded file. Other modes of file transfer are also prone to this, but I had the most trouble with image hosting companies (especially free ones).



Edited 1 time(s). Last edit at 04/24/2007 09:10PM by fyoung.

Options: ReplyQuote
Re: Steganography
Posted by: xpcer
Date: April 25, 2007 01:33AM

hackathology Wrote:
-------------------------------------------------------
> At the Windows prompt use this command:
>
> copy /B source.gif+source.zip target.gif
>
> Or in Linux/Mac:
>
> cat somefile.zip >> somefile.gif
>
> not all zip programs can extract the resulting
> file. 7-Zip and Windows build in extraction
> failed, however Winrar works :)


it can work, but how to separate the original files if they have to be combined?

Options: ReplyQuote
Steganography Program, Please Try It
Posted by: xpcer
Date: April 26, 2007 10:47PM

thanks for all friends on sla.ckers.org.
i have create an stegano program.
you can download it at

htt p://files-upload.com/193067/setup.zip.html
(don't forget to delete the space)

first, you can install it on windows (it just run on windows), after that, is better if you restart your computer to make sure that the all ocx file using by this program are registered on windows.

the media file you can use to hide data is any file. but i suggest you to use the binary file, not text file because text file is not secure. you can read the manual program for details.

i need your opinion about this program, your suggestions.

you may give me your opinion what kind of media file is the better file for use as media file. thanks for all....

Options: ReplyQuote
Steganography Program, Please Try It
Posted by: xpcer
Date: April 26, 2007 10:49PM

oh, i was forgot, please email me your opinion an suggestion to xpcer@yahoo.com
thanks...

Options: ReplyQuote
Re: Steganography
Posted by: himself
Date: May 05, 2007 07:05AM

u may want to try ID Image Protector from http://www.idsecuritysuite.com/products/id-image-protector.htm
"is one of the most efficient protection programs for your personal data that insures reliable encryption of files with perfect decoding to original content."

Options: ReplyQuote


Sorry, only registered users may post in this forum.