Having sophisticated abnormal-activity detection devices would mitigate infiltration attempts from outside the organization. But what if the threat is already inside your organization and holds access privileges to certain data? Disgruntled employees are your own people and often a greater threat than outsiders. They are harder to detect because they are well blended in, and their reconnaissance period is shorter: at the moment they decide to damage the organization, they already have more access than outside attackers, who would need to plan for months. So when these angry minds and steganography are combined, the result can be data leakage or industrial espionage. Steganography is the practice of concealing a file, message, image, or video within another file, message, image, or video. In this post, we will demonstrate how to conceal a Word document (*.docx) in a JPEG file using a Kali Linux tool called ‘steghide’.
The demonstration has three major steps: Installation, Encryption, Extraction.
1. Installation of ‘steghide’
According to the author of the tool, “Steghide is a steganography program that is able to hide data in various kinds of image- and audio-files. The color- respectively sample-frequencies are not changed thus making the embedding resistant against first-order statistical tests.” (source: http://steghide.sourceforge.net/)
‘steghide’ does not come with Kali Linux by default, but it is available in the Kali Linux repositories.
To download ‘steghide’, open a terminal and type:
“apt-get install steghide”
Well, the command returned an “Unable to locate package” error. It looks like we need to update the repository information of Kali Linux, so let’s update the ‘sources.list’ file. The file is located in the “root/etc/apt” folder as shown below.
Updating the Kali Linux repository file can be done in three steps:
Step 1. Copy the repository information from here: https://docs.kali.org/general-use/kali-linux-sources-list-repositories
Step 2. Open ‘sources.list’ with your favorite text editor and paste the addresses you just copied in Step 1.
Step 3. Go back to the terminal window and execute “apt update”.
Now that we have updated the repository information, let’s try installing ‘steghide’ again.
Obviously, the installation will not complete until you say ‘yes’.
Now ‘steghide’ has been installed successfully.
To learn the parameters, use ‘steghide --help’.
2. Encryption
The tool is now installed, so let’s do some fun stuff.
In this step we have two files: a picture named ‘original.jpg’ and a Word file named ‘supersecrets.doc’. When the ‘steghide’ command succeeds, the Word file will be hidden inside the picture file.
The size of the picture is 4,422,054 bytes (4.4 MB) and the Word file is 184,832 bytes (184 KB, approx. 30 pages).
The ‘steghide’ command for embedding the *.doc into the *.jpg in this step is:
‘steghide embed -cf <path of the *.jpg> -ef <path of the *.doc>’
An interesting part of this step is that it does not seem to matter where the parameters are positioned within the command, as long as the ‘-ef’ and ‘-cf’ parameters are each followed by the correct file path. In other words, the command seemed to work equally well this way:
‘steghide embed -ef <path of the *.doc> -cf <path of the *.jpg>’
Once the command is executed, ‘steghide’ will ask you to set a password for encryption. Type the same password twice and it is done.
Now let’s see how well ‘supersecrets.doc’ has been fitted into the picture.
The original size of the picture was 4,422,054 bytes and the Word file was 184,832 bytes,
so theoretically the expected outcome is 4,606,886 bytes.
According to the screenshot above, the outcome has a size of 4,436,107 bytes,
and since the original had a size of 4,422,054 bytes, we now know the Word file has shrunk to 14,053 bytes from 184,832 bytes (‘steghide’ compresses the embedded data with zlib before hiding it, which is why the footprint is so much smaller than the file).
Now the disgruntled employee can send this encrypted picture to the competitor organization as an email attachment without raising any alerts.
3. Extraction
Now, when the competitor organization receives the email, it downloads the attachment and decrypts ‘original.jpg’ with ‘steghide’ to extract ‘supersecrets.doc’. Using the following command and the given password, the Word file is successfully extracted:
‘steghide extract -sf <path of the picture>’
3.1 Lowkey reminded me..
I was wondering how big or what type of documents are supported by ‘steghide’. So I tried to embed a big PDF file (the famous ‘NIST SP 800-53 rev.4’), 5.5 MB in size and 462 pages long. However, it appears ‘steghide’ doesn’t support the PDF format at the moment.
I also converted the ‘NIST SP 800-53 rev.4.pdf’ file to ‘NIST SP 800-53 rev.4.docx’, which shrank it to 726,777 bytes, but it was still too big to be embedded into the picture we used earlier. Then I cut the Word file down to about half that size (approx. 350 KB) by removing some contents, but it was still too big to process.
(‘steghide‘ says ‘nuh-uh’ when the document is too big to be embedded into a picture)
So, if a secret document is encrypted and transferred to a competitor right under the victim organization’s nose, how will the victim organization find proof, other than the fact that some unusual picture of horses was attached?
According to a SANS report, there are various forensic tools that detect such hidden information. It seems those tools require licenses, but many of them provide demo versions.
The SANS report mentioned above can be found here:
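As an added defender-side example (not from the original post or the steghide project), here is a Python triage routine for JPEG attachments that parses the container's marker structure and flags bytes appended after the EOI marker; `jpeg_triage` and `SAMPLE_JPEG` are names I made up, and the sample bytes are constructed rather than taken from the horse picture. It cannot confirm steghide's DCT-coefficient embedding, which is exactly why the forensic tools the SANS report lists are still needed.

```python
import struct
# Markers with no 2-byte length field: TEM, RST0-7, SOI, EOI.
_STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))

def jpeg_triage(data: bytes) -> dict:
    """Walk a JPEG's marker structure: segment list, image size, bytes after EOI.
    Data appended behind EOI (the crude hiding method) shows up here; a payload
    steghide writes into DCT coefficients does not, so a clean report only rules
    out container-level tricks, not steghide itself."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    segments, width, height, pos = [], None, None, 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"corrupt marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                  # fill byte ahead of a marker
            pos += 1
            continue
        if marker == 0xD9:                  # EOI: everything behind it is trailing data
            trailing = len(data) - (pos + 2)
            segments.append(("EOI", 0))
            return {"segments": segments, "width": width, "height": height,
                    "trailing_bytes": trailing, "suspicious": trailing > 0}
        if marker in _STANDALONE:
            segments.append((f"0x{marker:02X}", 0))
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if marker in (0xC0, 0xC1, 0xC2):    # SOFn: precision(1), height(2), width(2) after length
            height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
        segments.append((f"0x{marker:02X}", length))
        pos += 2 + length
        if marker == 0xDA:                  # SOS: skip entropy-coded data to the next real marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                   # 0xFF00 is byte stuffing; RSTn belong to the scan
                pos += 1
    raise ValueError("truncated JPEG: no EOI marker found")

# Constructed sample, not a real photo: minimal JFIF headers for a 640x480 image,
# a tiny scan containing one stuffed 0xFF, and a zip-like blob appended after EOI.
SAMPLE_JPEG = (
    b"\xff\xd8" + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # SOI, APP0
    + b"\xff\xc0\x00\x0b\x08\x01\xe0\x02\x80\x01\x01\x11\x00"          # SOF0: 480 rows x 640 cols
    + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"                      # SOS header
    + b"\x12\xff\x00\x34"                                              # entropy-coded data
    + b"\xff\xd9" + b"PK\x03\x04 appended payload"                     # EOI, then 21 trailing bytes
)
```

Run it over every image attachment a mail gateway quarantines and treat `suspicious` as a reason for a second look, not as proof of steghide use.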