What is Steganography ?

Steganography is the practice of hiding information within a non-secret information. Early examples are writing secret messages on letters with invisible ink.

A more modern usage of Steganography in the information era is hiding data in images or audio files. For a proper communication to work, the sender and recipient need to know how to write and extract the secret message. The media used to hide the information, including PNG image, audio or other file that acts as a covert channel.

Usage

Steganography could be used by hackers or individuals to exchange secret information in public forums or social media.

Stegware (Steganography malware) is a type of malware that use steganography to save its data in non-executable files to avoid detection.

Steganography is also used as a tracking mechanism by printing companies such as HP, CANON, EPSON where small yellow dots are printed every time a user prints a page saving the brand of the printer on the page.

In this guide, you will be using standard Linux commands to perform Steganography on audio and image files.

Hands-on

Without further ado, let’s jump on the hands-on. You will need a Linux distribution to proceed. WSL will work just fine if you don’t have access to a Linux machine.

We will be using Ubuntu and will need the following packages:

$ sudo apt install zip unzip

We will also be using strings, file and cat commands which should come pre-installed in most Linux distributions.

Inserting Plain Text in Media Files

Let’s download the good old Tux PNG image, the file we’ll be using to hide our secret message:

$ wget https://upload.wikimedia.org/wikipedia/commons/a/af/Tux.png

Let us now analyzes the image for non-binary information, for that we will use the strings command:

$ strings Tux.png | tail

Output:

28[1
@9C{
ot)h
'Oss
CM70805F7
Z)J1
EM+&!
h$ |
H,^,
IEND

As you will notice, nothing very interesting here. How about if we try to append the file with some text content ?

Let’s create a file with our secret message, putting a newline before and after the text to ease reading text when extracting it:

$ echo -e '\nSteganography is great!\n' > secret.txt

We will now append the Tux.png image with our file content creating a new file named secret.png:

$ cat Tux.png secret.txt > secret.png

Checking whether the file is still recognized as a valid PNG image file:

$ file secret.png

Output:

secret.png: PNG image data, 265 x 314, 8-bit colormap, non-interlaced

Perfect, now let’s check if we can extract back our secret message:

$ strings secret.png | tail

Output:

@9C{
ot)h
'Oss
CM70805F7
Z)J1
EM+&!
h$ |
H,^,
IEND
Steganography is great!

Our message is here, and we still have a valid PNG image that will open and display as a normal image. Note that this method works perfectly with an audio file like a WAV too, let’s try it out!

Downloading a sample WAV file:

$ wget https://upload.wikimedia.org/wikipedia/commons/b/b4/Fugue_c_minor_bwv_847.wav

Applying the same process as for the image:

$ cat Fugue_c_minor_bwv_847.wav secret.txt > secret.wav

The message is present and the WAV opens perfectly in a media playing the music:

$ strings secret.wav | tail

Output:

.`/W/n0G.
.C+},
-M'|7`,3@
70+j-
2b$44
'5R6({P
4J)F8
 i(V"
        s       I
Steganography is great!

Inserting a ZIP File in Media Files

The above method is great of hiding simple text, but it still needs some improvement to be able to hide more complex information like files and folders.

Simply zipping our secret.txt file will do the trick:

$ zip secret.zip secret.txt
updating: secret.txt (stored 0%)

Hiding the ZIP in the WAV file:

$ cat Fugue_c_minor_bwv_847.wav secret.zip > secret.wav

We can now analyze the WAV file with the unzip command:

$ unzip -t secret.wav
Archive:  secret.wav
warning [secret.wav]:  1146924 extra bytes at beginning or within zipfile
  (attempting to process anyway)
    testing: secret.txt               OK
No errors detected in compressed data of secret.wav.

We’ve tested whether we can unzip the WAV file using the -t parameter, and it clearly shows that no errors were detected, unzipping the WAV file:

$ unzip secret.wav
Archive:  secret.wav
warning [secret.wav]:  1146924 extra bytes at beginning or within zipfile
  (attempting to process anyway)
replace secret.txt? [y]es, [n]o, [A]ll, [N]one, [r]ename: y
 extracting: secret.txt

Printing our hidden file again:

$ cat secret.txt

Steganography is great!

You will notice that the unzip command identifies well the compressed file secret.txt. Pay attention to the warning message: warning [secret.wav]: 1146924 extra bytes at beginning or within zipfile. The extra bytes at the beginning are the audio data.

Here is a quick explanation about how and why this method works preserving the original data while appending our hidden data:

  • Most media viewers will display or play content if the files have a valid non-corrupted header, explaining why the pictures or WAV file still work in the OS.
  • The ZIP file can still be extracted as the unzip command scans the WAV file to detect zipped content.

Learn also: Enabling & Disabling IP Forwarding in Linux

Conclusion

We are just scratching the possibilities of Steganography here. The best part of this tutorial is that we did not use any specific tools or software to hide information in media files.

For more reliable Steganography tools, consider checking 0XRICK’s Github for a list of useful Steganography tools and resources.

Have fun exploring Steganography on Linux!