Concealing secrets in plain sight

Nothing Here

© Photo by Wes Hicks on Unsplash

Article from Issue 287/2024
Intruders and spies have ways of concealing information in image files, doc files, and other innocuous locations. Welcome to the sneaky art of steganography.

Steganography is the art of passing secret information. Kaspersky puts it this way: "Steganography is the practice of concealing information within another message or physical object to avoid detection. Steganography can be used to hide virtually any type of digital content, including text, image, video, or audio content. That hidden data is then extracted at its destination" [1].

This secretive process, which apparently dates back to ancient Greece, appears to have been named much later. The first recorded use of the term steganography was in 1499 by Johannes Trithemius in his Steganographia, "a treatise on cryptography and steganography, disguised as a book about magic" [2].

This article describes how attackers hide and extract potentially sensitive data. I will start by covering a sample of the types of steganography before looking at common ways of concealing information online. One common technique I'll describe in this article requires two message types: a container and a secret. The container conceals the secret from interception and ideally even conceals its existence.

Weaving Yarn

Steganography covers multiple media types, including network protocols. Some of the principal types of steganography are:

  • Physical – information hidden under the part of an envelope where the stamp is stuck, messages in Morse code woven into the yarn of clothing, invisible ink written on paper. In ancient times messages would be carefully concealed on the back of wax tablets, away from the primary message.
  • Digital – changing the order of items in an array, converting pictures into sound files, adding messages to areas of a file that are usually ignored or used by metadata, creating deliberate errors in a word processor's document using the tracking feature that reveal a message, concealing messages in images, hiding data in streamed and on-demand videos, altering executable files.
  • Social – changing shared file descriptors or titles, purposely misspelling words to circumvent keyword filters in oppressive societies.
  • Networking – creating covert communication channels using otherwise unused network fields, such as fields within the TCP/IP protocol. For instance, VoIP (Voice over IP) messages can be concealed in seemingly corrupted or delayed packets.

Now that I have covered some of the theory, I'll describe some examples.

The Bad Guys

Nefarious payloads can be disguised inside files that are viewed as innocuous. You won't be surprised to hear that many different applicable files, including video, audio, and text documents, can contain malicious data. In addition to these file types, a web page can also act as the container for delivering secrets to those who know how to look for them.

One of my favorite examples is described at the Life Plus Linux Blogspot site [3]. The example provides an excellent reason to be extremely cautious about what you copy-and-paste from web pages. The page presents the Linux command ls -lat, which serves up a directory listing, including hidden files, along with ownership and permissions for each file. But pay attention to the surreptitious whitespace before the hyphen in the command.

The text for the payload is colored white (as is the background of the web page) so it is perfectly hidden from an unsuspecting user. If you look at how the CSS (Cascading Style Sheet) is constructed, it is configured to use this setting:

color: #f3f5f6; /* set it to the color of the page */

In Listing 1 you can see that, although the web browser displays only a single space, a subsequent copy and paste reveals a remarkable amount of code that could potentially contain a malicious payload. Note the ls at the start and the -lat at the end. Clever, isn't it?

Listing 1

Malicious White Text

ls
; clear; echo 'Haha! You gave me access to your computer with sudo!'; echo -ne 'h4cking ## (10%)\r';
sleep 0.3; echo -ne 'h4cking ### (20%)\r'; sleep 0.3; echo -ne 'h4cking ##### (33%)\r'; sleep 0.3;
echo -ne 'h4cking ####### (40%)\r'; sleep 0.3; echo -ne 'h4cking ########## (50%)\r'; sleep 0.3;
echo -ne 'h4cking ############# (66%)\r'; sleep 0.3; echo -ne 'h4cking ##################### (99%)\r';
sleep 0.3; echo -ne 'h4cking ####################### (100%)\r'; echo -ne '\n'; echo 'Hacking complete.';
echo 'Use GUI interface using visual basic to track my IP'
ls
-lat

Figure 1 shows exactly how the browser interprets the code: the hidden text sits inside an HTML <span> styled by the nefarious stylesheet, so it is invisible on screen but comes along when the line is copied and pasted. And, as the webpage says, the possibilities for such an attack are endless. If that example doesn't give you a good reason to think before you next blindly cut n' paste from a website, it is likely nothing will. As you can imagine, all kinds of executable payloads could be delivered via such a method!

Figure 1: How the browser interprets the code in Listing 1. © http://lifepluslinux.blogspot.com/2017/01/look-before-you-paste-from-website-to.html
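The habit that defeats this trick is to look at what actually landed in the clipboard before pressing Enter. The following inspector, added here as an example and not part of the blog post or the original article, reports the tell-tale signs seen in Listing 1: extra lines, command chaining, a `clear` that wipes the scrollback, and `\r` sequences that rewrite the terminal line. The sample strings are constructed to mirror the shape of Listing 1.

```python
import re
import unicodedata

# Constructed sample: what the clipboard receives from a Listing 1 style page,
# versus what the reader saw on screen.
PASTED = ("ls\n; clear; echo 'Haha! You gave me access to your computer with sudo!'; "
          "echo -ne 'h4cking ## (10%)\\r'; sleep 0.3; echo 'Hacking complete.'\nls\n-lat")
VISIBLE = "ls -lat"

# Shell operators that let one pasted line run several commands.
CHAIN_OPERATORS = re.compile(r"(;|&&|\|\||\||`|\$\()")


def inspect_paste(text, expected=None):
    """Return a list of reasons why `text` should not be run blindly.

    An empty list means nothing suspicious was found. `expected` is the
    command the user believes they copied; whitespace differences are ignored.
    """
    findings = []
    lines = text.splitlines()
    if len(lines) > 1:
        findings.append(f"{len(lines)} lines where one command was expected")
    # Raw carriage returns or echo -ne '\r' escapes overwrite the current
    # terminal line, which is how the fake progress bar hides itself.
    if "\r" in text or "\\r" in text:
        findings.append("carriage-return sequences that rewrite terminal output")
    # Zero-width and other format characters are invisible but survive a paste.
    if any(unicodedata.category(ch) == "Cf" for ch in text):
        findings.append("zero-width or format characters present")
    ops = set(CHAIN_OPERATORS.findall(text))
    if ops:
        findings.append(f"command chaining operators: {sorted(ops)}")
    if re.search(r"\bclear\b", text):
        findings.append("'clear' invoked (would hide the pasted text from the scrollback)")
    if expected is not None and " ".join(text.split()) != " ".join(expected.split()):
        findings.append("pasted text differs from what was visibly displayed")
    return findings


if __name__ == "__main__":
    for finding in inspect_paste(PASTED, VISIBLE):
        print("-", finding)
```

Pasting into an editor first achieves the same thing by eye; the function simply makes the check mechanical so it can sit in a clipboard manager or shell wrapper.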

Steghide

One very popular tool used by security researchers and attackers alike is called Steghide [4]. You can install Steghide on Ubuntu and other Debian derivatives with

$ apt update; apt install -y steghide

Run the command man steghide to study the manual once the package is installed. You'll learn that Steghide can use the JPEG, BMP, WAV, and AU file formats for the cover file and that there are no restrictions on the format of the secret data. Steghide can use audio and image files to conceal secret messages. Apparently, it is also powerful enough to work with other file types, too, but I haven't confirmed this.
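To see why a cover file has a fixed "capacity" and why the container looks unchanged afterwards, here is the simplest image technique, least-significant-bit (LSB) embedding, written for this article as an added example; it is not Steghide's own algorithm, which is format-aware and handles JPEG differently. The cover is constructed as raw RGB pixel bytes standing in for the body of a lossless image such as a BMP; a 4-byte length header is an assumption of this example so that extraction knows where the secret ends.

```python
import os

HEADER_BYTES = 4  # length prefix stored ahead of the secret (this example's convention)


def lsb_capacity_bytes(cover):
    """Secret bytes a cover can hold when one bit goes into each byte's LSB."""
    return max(0, len(cover) // 8 - HEADER_BYTES)


def lsb_embed(cover, secret):
    """Return a copy of `cover` with `secret` hidden in the least-significant bits."""
    payload = len(secret).to_bytes(HEADER_BYTES, "big") + secret
    if len(payload) * 8 > len(cover):
        raise ValueError("secret exceeds cover capacity")
    stego = bytearray(cover)
    bits = ((byte >> (7 - i)) & 1 for byte in payload for i in range(8))
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & 0xFE) | bit  # each pixel byte moves by at most 1
    return bytes(stego)


def lsb_extract(stego):
    """Read the length header, then that many bytes, from the LSBs of `stego`."""
    def read_bytes(start_bit, count):
        out = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[start_bit + b * 8 + i] & 1)
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read_bytes(0, HEADER_BYTES), "big")
    return read_bytes(HEADER_BYTES * 8, length)


# Constructed cover: 64x64 RGB pixels of random noise, 12288 bytes of "image".
COVER = os.urandom(64 * 64 * 3)

if __name__ == "__main__":
    stego = lsb_embed(COVER, b"Nothing to see here, move along.")
    print("capacity:", lsb_capacity_bytes(COVER), "bytes")
    print("recovered:", lsb_extract(stego))
```

Because only the lowest bit of each byte changes, file size and visible appearance stay the same, which is exactly what makes a suspect file hard to spot by inspection alone; lossy recompression (saving as JPEG) destroys these bits, which is why LSB embedding is tied to lossless formats.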

I'll start with a screenshot from my laptop's background, showing the start of the Steghide help output (using --help), as shown in Figure 2. I've called the screenshot secret_inside.jpg after quickly converting the format to JPEG from PNG using the GNU Image Manipulation Program (GIMP) package [5].

Figure 2: An arbitrary image to conceal a secret within (actually, the start of Steghide's help file).

Now that I have an image to use as a container, I'll create a secret. I just need a text file with a secret saved inside. I'll use the following command to echo text to a file called secret.txt:

$ echo "Nothing to see here, move along." > secret.txt

Now I run the following command to use the embed option:

$ steghide embed -ef secret.txt -cf secret_inside.jpg
Enter passphrase:
Re-Enter passphrase:
embedding "secret.txt" in "secret_inside.jpg"... done

The passphrase I used is just abc. As you can see, Steghide completes the process nicely. The -ef option specifies the "embedfile" (the secret). The -cf option specifies the "coverfile" (the container). If you suspect that a file contains a secret but aren't sure, you can query it with the following command:

$ steghide --info secret_inside.jpg
"secret_inside.jpg":
  format: jpeg
  capacity: 34.1 KB
Try to get information about embedded data ? (y/n)

If you type y to continue, you are presented with a passphrase request for the secret file. If you supply the correct passphrase, you can see the cipher used to encrypt the passphrase and the filename of the embedded file:

Enter passphrase:
  embedded file "secret.txt":
    size: 33.0 Byte
    encrypted: rijndael-128, cbc
    compressed: yes

The cat command reveals the secret was extracted correctly:

$ cat secret.txt
Nothing to see here, move along.

Use the following command to skip the --info step and extract the embedded file directly:

$ steghide --extract -sf secret_inside.jpg

And use -v to get file format information in greater detail. The encinfo option lets you view encryption options (Listing 2).

Listing 2

Viewing Encryption Information

$ steghide encinfo
encryption algorithms:
<algorithm>: <supported modes>...
cast-128: cbc cfb ctr ecb ncfb nofb ofb
gost: cbc cfb ctr ecb ncfb nofb ofb
rijndael-128: cbc cfb ctr ecb ncfb nofb ofb
twofish: cbc cfb ctr ecb ncfb nofb ofb
<snip>

The clever simplicity of Steghide makes it a good way to get started with steganography on the Linux command line. See the Steghide documentation [6] for more information.
