Stegseek
Stegseek is a lightning-fast steghide cracker that can be used to extract hidden data from files. It is built as a fork of the original steghide project and, as a result, it is thousands of times faster than other crackers and can run through the entirety of rockyou.txt* in under 2 seconds.
Installation
Download the newest release from GitHub.
sudo dpkg -i stegseek*
Usage
stegseek [stegofile.jpg] [wordlist.txt]
Flags
Commands:
--crack Crack a stego file using a wordlist. This is the default mode.
--seed Crack a stego file by attempting all embedding patterns.
This mode can be used to detect a file encoded by steghide.
In case the file was encoded without encryption, this mode will
even recover the embedded file.
Positional arguments:
--crack [stegofile.jpg] [wordlist.txt] [output.txt]
--seed [stegofile.jpg] [output.txt]
Keyword arguments:
-sf, --stegofile select stego file
-wl, --wordlist select the wordlist file
-xf, --extractfile select file name for extracted data
-t, --threads set the number of threads. Defaults to the number of cores.
-f, --force overwrite existing files
-v, --verbose display detailed information
-q, --quiet hide performance metrics (can improve performance)
-s, --skipdefault don't add guesses to the wordlist (empty password, filename, ...)
-n, --nocolor disable colors in output
-c, --continue continue cracking after a result has been found.
(A stego file might contain multiple embedded files)
-a, --accessible simplify the output to be more screen reader friendly
Use "stegseek --help -v" to include steghide's help.
Examples
Cracking
The most important feature of stegseek is wordlist cracking:
stegseek [stegofile.jpg] [wordlist.txt]
This mode will simply try all passwords in the provided wordlist against the provided stegofile.
Detection and passwordless extraction (CVE-2021-27211)
Stegseek can also be used to detect and extract any unencrypted (meta)data from a steghide image. This exploits the fact that the random number generator used in steghide only has 2^32 possible seeds, which can be brute-forced in a matter of minutes.
stegseek --seed [stegofile.jpg]
This command will tell you:
- Whether this file actually contains steghide content.
- How much hidden content the file contains.
- How the content was encrypted.
If you’re (very) lucky and the file was encoded without encryption, this mode will even recover the encoded file for you!
The demo below features a challenge from X-MAS CTF 2020. A flag was hidden using a secure random password, but without encryption enabled. Within a few minutes, Stegseek recovers the embedded file without needing to guess the correct password.
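A batch triage wrapper around the --seed mode, added here as an example and not code from the Stegseek project: it assumes stegseek is on PATH (or named in $STEGSEEK) and that the candidate cover files use the extensions steghide accepts (.jpg, .jpeg, .bmp, .wav, .au). It runs --seed on every file in a directory, keeps each run's full output as a log and records the exit status per file in summary.tsv, so a reviewer can see which files actually carry steghide content without running the tool by hand on each one.

```shell
#!/bin/sh
# Batch steghide detection with "stegseek --seed" (added example, not part of stegseek).
# Assumption: stegseek is on PATH; set STEGSEEK=/path/to/stegseek to override.
STEGSEEK=${STEGSEEK:-stegseek}

# Run --seed on one file. The positional form "--seed <stegofile> <output>" is from
# the usage text; -q -n -f are quiet, no colour and overwrite-existing-output.
# The full stegseek output is kept as <name>.seed.log; the exit status is returned.
run_seed() {
    img=$1; outdir=$2
    name=$(basename "$img")
    if "$STEGSEEK" --seed -q -n -f "$img" "$outdir/$name.extracted" \
        >"$outdir/$name.seed.log" 2>&1; then
        return 0
    else
        return $?
    fi
}

# Examine every candidate cover file in DIR (extensions assumed from steghide's
# supported formats), write "file<TAB>exit status<TAB>log" lines to
# OUTDIR/summary.tsv and print the number of files examined.
triage_dir() {
    dir=$1; outdir=$2
    mkdir -p "$outdir"
    : >"$outdir/summary.tsv"
    for f in "$dir"/*.jpg "$dir"/*.jpeg "$dir"/*.bmp "$dir"/*.wav "$dir"/*.au; do
        [ -e "$f" ] || continue          # unmatched glob stays literal; skip it
        if run_seed "$f" "$outdir"; then rc=0; else rc=$?; fi
        printf '%s\t%s\t%s\n' "$(basename "$f")" "$rc" \
            "$outdir/$(basename "$f").seed.log" >>"$outdir/summary.tsv"
    done
    wc -l <"$outdir/summary.tsv" | tr -d ' '
}
```

Files with a non-zero exit status in summary.tsv are the ones to read the log for; the logs of the others report the embedded size and encryption mode that --seed prints.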