Zsteg

From aldeid

Description

Detects steganographically hidden data in PNG and BMP files:

  • LSB steganography in PNG & BMP
  • zlib-compressed data
  • OpenStego
  • Camouflage 1.2.1
  • LSB with the Eratosthenes set (only prime-indexed bytes/pixels, see the -P option)

Installation

$ sudo gem install zsteg
Fetching: rainbow-2.0.0.gem (100%)
Fetching: zpng-0.2.5.gem (100%)
Fetching: zsteg-0.1.2.gem (100%)
Successfully installed rainbow-2.0.0
Successfully installed zpng-0.2.5
Successfully installed zsteg-0.1.2
3 gems installed
Installing ri documentation for rainbow-2.0.0...
Installing ri documentation for zpng-0.2.5...
Installing ri documentation for zsteg-0.1.2...
Installing RDoc documentation for rainbow-2.0.0...
Installing RDoc documentation for zpng-0.2.5...
Installing RDoc documentation for zsteg-0.1.2...

Usage

Syntax

Usage: zsteg [options] filename.png [param_string]

Options

-c, --channels X
channels (R/G/B/A) or any combination, comma separated; valid values: r,g,b,a,rg,bgr,rgba,r3g2b3,...
-l, --limit N
limit bytes checked, 0 = no limit (default: 256)
-b, --bits N
number of bits, single int value or '1,3,5' or range '1-8'; advanced: specify individual bits like '00001110' or '0x88'
--lsb
least significant BIT comes first
--msb
most significant BIT comes first
-P, --prime
analyze/extract only prime bytes/pixels
--invert
invert bits (XOR 0xff)
-a, --all
try all known methods
-o, --order X
pixel iteration order (default: 'auto'); valid values: ALL,xy,yx,XY,YX,xY,Xy,bY,...
-E, --extract NAME
extract specified payload, NAME is like '1b,rgb,lsb'
--[no-]file
use 'file' command to detect data type (default: YES)
--no-strings
disable ASCII strings finding (default: enabled)
-s, --strings X
ASCII strings find mode: first, all, longest, none (default: first)
-n, --min-str-len X
minimum string length (default: 8)
--shift N
prepend N zero bits
-v, --verbose
Run verbosely (can be used multiple times)
-q, --quiet
Silence any warnings (can be used multiple times)
-C, --[no-]color
Force (or disable) color output (default: auto)

Examples

Identification

$ zsteg file.png
imagedata           .. text: "\r\t(%%*,&"
b1,r,msb,xy         .. file: Applesoft BASIC program data, first line number 64
b1,rgb,msb,xy       .. file: PE32 executable (Unknown subsystem 0x1814) Intel 80386, for MS Windows
b1,bgr,lsb,xy       .. file: GLS_BINARY_LSB_FIRST
b2,rgb,msb,xy       .. text: "UDDADPAE"
b2,bgr,msb,xy       .. text: "|IAEQ@DDD"
b4,r,msb,xy         .. text: "Ab@pT&we-b e"
b4,g,msb,xy         .. text: "%`$Q\"wTf@"
b4,b,msb,xy         .. text: "C$qFqgf#0wpq"
b4,rgb,msb,xy       .. text: "BcrpAPpv#"
b4,bgr,msb,xy       .. text: "@CrbqP@v s"

Extraction

$ zsteg -E "b1,rgb,msb,xy" file.png > extracted.exe
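The payload name passed to -E is built from the same parameters as the options above: bits per channel (b1), channel order (rgb), bit order inside each output byte (lsb or msb, as the --lsb/--msb options describe), and pixel iteration order (xy). The following Ruby script is an added example written for this page, not zsteg's own code: it implements a minimal extractor for 1-bit descriptors over a constructed pixel array and a first-printable-run finder in the spirit of the -s/-n options. The array-of-rows image representation, the function names, the reading of 'xy' as row-by-row left-to-right scanning, and the sample message are all assumptions of this example; zsteg's real implementation decodes PNG/BMP itself and handles many more variants.

```ruby
# Added example, not zsteg's own code: a minimal LSB extractor that reads a
# payload descriptor of the form "b1,rgb,lsb,xy" with the meaning the option
# list gives its parts: 1 low bit per channel, channels in the listed order,
# bit order inside each output byte (lsb = least significant bit first,
# msb = most significant bit first), and 'xy' pixel order, assumed here to
# mean scanning rows top to bottom, left to right.
#
# Image representation (constructed, not a real PNG decoder): an array of
# rows, each row an array of [r, g, b, a] integer pixels.

CHANNEL_INDEX = { 'r' => 0, 'g' => 1, 'b' => 2, 'a' => 3 }.freeze

# Parse "b1,rgb,lsb,xy" into its parts. Only 1-bit-per-channel descriptors
# are handled; multi-bit variants order bits within a channel in ways this
# example does not model.
def parse_descriptor(desc)
  bits, channels, bit_order, pixel_order = desc.split(',')
  raise ArgumentError, "only b1 descriptors supported: #{desc}" unless bits == 'b1'
  raise ArgumentError, "bad channel spec: #{channels}" unless channels =~ /\A[rgba]+\z/
  raise ArgumentError, 'bit order must be lsb or msb' unless %w[lsb msb].include?(bit_order)
  raise ArgumentError, 'only xy pixel order supported' unless pixel_order == 'xy'
  { channels: channels.chars, bit_order: bit_order }
end

# Visit every pixel in 'xy' order (row by row, left to right).
def each_pixel_xy(width, height)
  height.times { |y| width.times { |x| yield x, y } }
end

# Collect the LSB of each selected channel of every pixel, then pack the bit
# stream into bytes using the requested bit order. Trailing bits that do not
# fill a whole byte are dropped.
def extract_lsb(image, desc)
  d = parse_descriptor(desc)
  height = image.length
  width = image.first.length
  bitstream = []
  each_pixel_xy(width, height) do |x, y|
    pixel = image[y][x]
    d[:channels].each { |c| bitstream << (pixel[CHANNEL_INDEX.fetch(c)] & 1) }
  end
  bytes = []
  bitstream.each_slice(8) do |chunk|
    next if chunk.length < 8
    byte = 0
    chunk.each_with_index do |bit, i|
      shift = d[:bit_order] == 'lsb' ? i : 7 - i
      byte |= bit << shift
    end
    bytes << byte
  end
  bytes.pack('C*')
end

# Mimic the ASCII strings pass (-s first with -n min-str-len): return the
# first run of printable ASCII at least min_len characters long, or nil.
def first_printable_run(data, min_len = 8)
  data.b.scan(/[\x20-\x7e]{#{min_len},}/n).first
end

# Build sample input: a flat grey cover image with `message` written into the
# LSB of r, g and b in xy order. Exists only to feed the extractor.
def embed_lsb(message, width, height, bit_order: 'lsb')
  bits = message.bytes.flat_map do |b|
    (0..7).map { |i| bit_order == 'lsb' ? (b >> i) & 1 : (b >> (7 - i)) & 1 }
  end
  raise ArgumentError, 'message does not fit in cover' if bits.length > 3 * width * height
  image = Array.new(height) { Array.new(width) { [128, 128, 128, 255] } }
  idx = 0
  each_pixel_xy(width, height) do |x, y|
    3.times do |c|
      break if idx >= bits.length
      image[y][x][c] = (image[y][x][c] & ~1) | bits[idx]
      idx += 1
    end
  end
  image
end

if __FILE__ == $PROGRAM_NAME
  cover = embed_lsb('hidden message here', 16, 8)   # constructed sample
  %w[b1,rgb,lsb,xy b1,rgb,msb,xy b1,r,lsb,xy].each do |desc|
    run = first_printable_run(extract_lsb(cover, desc))
    puts format('%-20s .. text: %s', desc, run.inspect)
  end
end
```

Running the script shows why the descriptor matters: the same cover yields readable text only under the descriptor that matches how the bits were written, while the msb variant returns the bit-reversed bytes and the single-channel variant returns every third bit, which is exactly the ambiguity zsteg's scan over many descriptors resolves.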

CTF

$ zsteg husky.png
b1,r,lsb,xy         .. text: "^5>c[rvyzrf@"
b1,rgb,lsb,xy       .. text: "picoCTF{r34d1ng_b37w33n_7h3_by73s}"
b1,abgr,msb,xy      .. file: PGP Secret Sub-key -
b2,g,msb,xy         .. text: "ADTU@PEPA"
b3,abgr,msb,xy      .. text: "t@Wv!Wt\tGtA"
b4,r,msb,xy         .. text: "0Tt7F3Saf"
b4,g,msb,xy         .. text: "2g'uV `3"
b4,b,lsb,xy         .. text: "##3\"TC%\"2f"
b4,b,msb,xy         .. text: " uvb&b@f!"
b4,rgb,lsb,xy       .. text: "1C5\"RdWD"
b4,rgb,msb,xy       .. text: "T E2d##B#VuQ`"
b4,bgr,lsb,xy       .. text: "A%2RTdGG"
b4,bgr,msb,xy       .. text: "EPD%4\"c\"#CUVqa "
b4,rgba,lsb,xy      .. text: "?5/%/d_tO"
b4,abgr,msb,xy      .. text: "EO%O#/c/2/C_e_q"