From aldeid
Jump to navigation Jump to search


detect stegano-hidden data in PNG & BMP:

  • LSB steganography in PNG & BMP
  • zlib-compressed data
  • OpenStego
  • Camouflage 1.2.1
  • LSB with The Eratosthenes set


$ sudo gem install zsteg
Fetching: rainbow-2.0.0.gem (100%)
Fetching: zpng-0.2.5.gem (100%)
Fetching: zsteg-0.1.2.gem (100%)
Successfully installed rainbow-2.0.0
Successfully installed zpng-0.2.5
Successfully installed zsteg-0.1.2
3 gems installed
Installing ri documentation for rainbow-2.0.0...
Installing ri documentation for zpng-0.2.5...
Installing ri documentation for zsteg-0.1.2...
Installing RDoc documentation for rainbow-2.0.0...
Installing RDoc documentation for zpng-0.2.5...
Installing RDoc documentation for zsteg-0.1.2...



Usage: zsteg [options] filename.png [param_string]


-c, --channels X
channels (R/G/B/A) or any combination, comma separated valid values: r,g,b,a,rg,bgr,rgba,r3g2b3,...
-l, --limit N
limit bytes checked, 0 = no limit (default: 256)
-b, --bits N
number of bits, single int value or '1,3,5' or range '1-8' advanced: specify individual bits like '00001110' or '0x88'
least significant BIT comes first
most significant BIT comes first
-P, --prime
analyze/extract only prime bytes/pixels
invert bits (XOR 0xff)
-a, --all
try all known methods
-o, --order X
pixel iteration order (default: 'auto') valid values: ALL,xy,yx,XY,YX,xY,Xy,bY,...
-E, --extract NAME
extract specified payload, NAME is like '1b,rgb,lsb'
use 'file' command to detect data type (default: YES)
disable ASCII strings finding (default: enabled)
-s, --strings X
ASCII strings find mode: first, all, longest, none (default: first)
-n, --min-str-len X
minimum string length (default: 8)
--shift N
prepend N zero bits
-v, --verbose
Run verbosely (can be used multiple times)
-q, --quiet
Silent any warnings (can be used multiple times)
-C, --[no-]color
Force (or disable) color output (default: auto)



$ zsteg file.png 
imagedata           .. text: "\r\t(%%*,&"
b1,r,msb,xy         .. file: Applesoft BASIC program data, first line number 64
b1,rgb,msb,xy       .. file: PE32 executable (Unknown subsystem 0x1814) Intel 80386, for MS Windows
b1,bgr,lsb,xy       .. file: GLS_BINARY_LSB_FIRST
b2,rgb,msb,xy       .. text: "UDDADPAE"
b2,bgr,msb,xy       .. text: "|[email protected]"
b4,r,msb,xy         .. text: "[email protected]&we-b e"
b4,g,msb,xy         .. text: "%`$Q\"[email protected]"
b4,b,msb,xy         .. text: "C$qFqgf#0wpq"
b4,rgb,msb,xy       .. text: "BcrpAPpv#"
b4,bgr,msb,xy       .. text: "@[email protected] s"


$ zsteg -E "b1,rgb,msb,xy" file.png > extracted.exe


$ zsteg husky.png 
b1,r,lsb,xy         .. text: "^5>c[[email protected]"
b1,rgb,lsb,xy       .. text: "picoCTF{r34d1ng_b37w33n_7h3_by73s}"
b1,abgr,msb,xy      .. file: PGP Secret Sub-key -
b2,g,msb,xy         .. text: "[email protected]"
b3,abgr,msb,xy      .. text: "[email protected]!Wt\tGtA"
b4,r,msb,xy         .. text: "0Tt7F3Saf"
b4,g,msb,xy         .. text: "2g'uV `3"
b4,b,lsb,xy         .. text: "##3\"TC%\"2f"
b4,b,msb,xy         .. text: " uvb&[email protected]!"
b4,rgb,lsb,xy       .. text: "1C5\"RdWD"
b4,rgb,msb,xy       .. text: "T E2d##B#VuQ`"
b4,bgr,lsb,xy       .. text: "A%2RTdGG"
b4,bgr,msb,xy       .. text: "EPD%4\"c\"#CUVqa "
b4,rgba,lsb,xy      .. text: "?5/%/d_tO"
b4,abgr,msb,xy      .. text: "EO%O#/c/2/C_e_q"