EXIF Steganography and image injection with go

Totally_Not_A_Haxxer
Published in The Hacker Outpost
17 min read · Aug 23, 2022

A lot of people in my server and on my pages, like the Fortran page, have been asking me for a while now to do a lesson segment on steganography: how it works in general, and how you can use tools like ExifTool to embed base64-encoded payloads into images, filter them out of the certificate and have the payload execute on someone else's machine.

What will this page / lesson teach?

How steganography works

steganography with JPG/JPEG/PNG image formats

How to hide files / ZIP files inside of JPEG / JPG formats with go

How to base64 encode a payload

How to hide a base64 encoded payload into a JPG file

How to filter out and execute the payload in the image from a post forum

How to inject data into images with EXIF-Hunter

How to find the binary offsets and chunk types using EXIF hunter

How to find chunk offsets in PNG images by yourself

How to Geo locate and understand geo location tags in JPG/JPEG image formats

How to extract metadata out of image files using EXIFTOOL

How to EXTRACT ZIP files using EXIF-Hunter

How to build your own GO script to extract ZIP files in JPG/JPEG image formats

Wow, a lot, right? That's alright, it should not take that long. By the end of this reading you should understand how steganography works and how to build your own scripts in Go to automate the skills you learn here, just like the Fortran 95 lesson on math (see https://github.com/ArkAngeL43/fortran-notes, which teaches applying common mathematics to Fortran 95 under the 2003 standard).

Starting out with the basics

What is steganography?

Steganography is a process hackers, or in some cases organizations, use to hide data inside of images. This can be something as small as an encrypted or base64-encoded message to someone, or something as big as a data leak or a ZIP file that can execute remote code or holds very important data. In most cases hackers or digital forensics experts will use steganography to encode and inject malicious payloads, like a Rubber Ducky payload, into images to gain remote access to a computer.

How can this aid hackers in attacks and how is this better than normal malware?

This can aid hackers when it comes to malware, because there are ways to encode and hide the data, and a lot more options than just hiding an EXE. This next part will be hard to understand, so bear with me; if you don't get it that's fine, contact me and I can explain it a bit better XD.

Say a hacker wants to hack into a corporation, and there are no current vulnerabilities that the hacker (or the developers) knows about; this time he wants to, say, delete the server's operating system. The last option the hacker has is to send a malicious file, and he can choose an EXE or a JPG. Which one would he go with, and why? Say he goes with the EXE and sends it over to the admin: the admin runs it, it is seen as a malicious file and is terminated by the AVP (Anti-Virus Program), and his attack or chance is over. Now say he goes with the malware-infested JPG file, where the malware is a base64-encoded payload that decodes to sudo rm -rf /*. This will work on the server because the admin has root privileges: when the image is sent, opened by the server and filtered out, the command is executed, which has now essentially deleted the entire operating system of the server.

While it sounds that easy, it is a dreadfully long process, and we won't necessarily be doing that today since it requires making your own programs and payloads. If you could not tell the difference, it is essentially social engineering: most people won't click a random EXE file from a random person they don't know or who is not verified (if they are smart), but almost 99% of people would download and open an image on their computers. Image formats are not only reliable because of the social engineering behind them, they can also easily go undetected as malicious by anti-virus software.

The basics of PNG images

In this repo I will be teaching you how to use or make your own tools to inject data into JPG formats, but something to understand first is the basics of steganography. To do this I will give you a basic understanding of how PNG files can be injected, and how you can find the chunk types and offsets in PNG images manually as well as with my own tools.

Understanding, injecting, and finding chunks in png image formats

Locating offsets, and chunks

There is a long process of understanding behind steganography with images; it is not super long, but it can go deep, especially given how many different forms of steganography and image formats there are. To start this topic off we will talk about the metadata / recon part of steganography, which is fairly easy: all you need is a PNG image and a hex dumping utility. Hex dumping is amazing for this kind of stuff because it lets you find certain data and filter it out, as well as find chunk type offsets.

Building your own command line interface hex dumping utility

For this project and term we will be using a set of my own tools, tools like EXIF tool, and our own set that we make in a programming language called Go. I won't go into the basics of Go or how it works, since it's not needed.

PROGRAM IN GO

This script is easy to work with: simply save the file as main.go and run it as go run main.go yourimage.png

For this example I will be using the image below.

We will run the script as follows: go run main.go battlecat.png. When we run the tool we get a large hex dump; an example is shown below, taken from the very top of the dump.

Example hex dump using the utility

Hmmm, what do you see? It should be easy to spot: .PNG is our first clue. To verify that the image is a PNG, the image type is read from what is called the header of the file, the very top / start of the file. This is also why you cannot just change a .png extension to .jpg: the image format type is embedded in the binary of the file. Now look at the very first line, which holds the first 8 bytes; mine is

89 50 4e 47 0d 0a 1a 0a

This is how we identify the header of the file.

Now the second, third and fourth bytes are the same in every PNG: converted to ASCII they literally read PNG. The header sequence in this file also consists of two kinds of arbitrary trailing bytes, a DOS and a UNIX carriage return / line feed (CRLF) (often referred to as the file's magic bytes).

chunk sequence

If you look further along the hex dump you can see some odd tags like IDAT and IHDR, which are tags that define the type and size of the image along with the header (also why they sit at the top of the dump).

IHDR is another tag to look at: for tools to read the binary data of the image and convert it to metadata, they look for tags like IHDR, which defines the image's metadata. What we will mostly be looking for as a location to inject is known as the IEND chunk, which is the PNG's EOF (end of file). Before I go on, along with this technique of image injection there are many, many other techniques to inject payloads into images; in this section we focus on writing data to a certain byte offset (the IEND offset). The reason we inject our data at the IEND chunk is that image formats like PNG define chunks and classify them as critical or ancillary, to define which data in the image is important and which is not. The IEND chunk is an ideal injection point because, while it is used a lot and is needed for the image to load, it is not as critical as the metadata of the image.

To locate this offset, let's scroll all the way down to the bottom of the hex dump.

I'm sure by now you spotted the IEND chunk; for us this chunk is located at offset 0x85258. If you cannot find the offset on your own, no need to worry, I have a decent tool for you: on my GitHub I have a tool called EXIF-Hunter, which injects JPEG, JPG and PNG image formats and finds metadata on the image. Install it with

git clone https://github.com/ArkAngeL43/EXIF-Hunter-V1.0.git ; cd EXIF-Hunter-V1.0 ; chmod +x ./install.sh ; ./install.sh

then run it as follows

go run main.go -i your_image.png --meta

Once run you will get a large table and be asked Would you like to locate just the IEND chunk and injectable offset? <y/n>. Once you say yes or y you will get the offset.

Now that we have the offset and enough knowledge to grab it ourselves, we can inject our data into the image.

Injecting data into PNG images

I'm going to start this section off by saying sorry XD, the last section was very disorganized, so to continue into this one I'm going to explain some things I missed. The most important is EXIF-Hunter: if you don't know, EXIF-Hunter is an image injection tool, payload encoder, metadata miner, geolocation and ZIP extraction utility for the JPG/JPEG and PNG image formats. It can help with lessons like this by extracting metadata like chunks and chunk offsets, encoding payloads, and retrieving ZIP files embedded in images.

Now let's start this section properly instead of sub-starting it, by explaining what exactly image injection is and why it is built around specific image formats. Put it in an example: say you wanted to use EXIF-Hunter to inject a payload, a command or malicious code block, into an image that is a JPG. You will simply get the error this is not a valid PNG image format, because the script is built specifically to look for certain bytes that only PNG image formats have. Remember when I said each image format has its own way of representing data and its own magic bytes? EXIF-Hunter was built specifically to read the data inside PNG image formats only, as in the code below:

It is built to read specific data in the image format, as seen in bArr[1:4], which seeks out the header of the PNG dump. When it finds it, it can verify that the image is a PNG, and then we can move on to the injection and the data can be processed and written at a certain offset in the image.

In order to inject our PNG we need the original image, the offset, the chunk type, and the payload. Let's start by making the data to inject. For us to read it back and for it to be injected cleanly we base64-encode it, using the following command

printf 'echo "hello world"' | base64 | tr -d '\n'

When we encode the payload we get ZWNobyAiaGVsbG8gd29ybGQi. This is our payload to inject. For this part I will be using EXIF-Hunter; you can use the tool of your choice, since this section is just about injecting PNGs rather than injecting JPG images with ZIP files or malicious code.

If you use EXIF-Hunter, use the following command to inject

go run main.go -i battlecat.png -o injected.png --inject --offset 0x85258 --payload "ZWNobyAiaGVsbG8gd29ybGQi"

-i specifies the input image, -o specifies the output image, --inject starts the injection, --offset is the location we will inject at, and --payload is the payload we will inject.

Once we enter the command and everything is correct we get the following output:

2 giant white EXIF tables (ignore those)

and two messages which, thrown together, say the following:

We get general information: that the file exists, that it is opening the file, whether that failed, whether the header came back valid as PNG, the payload's byte code, and whether dumping was successful.

When we use the other option in EXIF-Hunter to check whether our data is injected, we look at the end and see

If you look at the hex dump and the hash table in the metadata, we can see our offset has now changed

and that our encoded string is now in there:

00000060  5a 57 4e 6f 62 79 41 69  61 47 56 73 62 47 38 67  |ZWNobyAiaGVsbG8g|
00000070  64 32 39 79 62 47 51 69  2b c1 67 2d 00 00 00 00  |d29ybGQi+.g-....|
00000080  49 45 4e 44 ae 42 60 82  1f a7 b3 4f 35 ba e3 a5  |IEND.B`....O5...|
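A chunk walker in Go, added here as an example (not EXIF-Hunter's or the post's own code), that does by program what the hex-dump inspection above does by eye: it checks the 8-byte signature, lists every chunk with its offset and whether its CRC checks out, and reports the IEND offset plus any bytes that follow it. The PNG spec lists IEND among the critical chunks as the end of the datastream, so decoders stop reading there, which is both why appended data survives and why "bytes after IEND" is the first thing a defender should check on a suspicious image. SamplePNG is a constructed stand-in for the injected.png from the walkthrough.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"hash/crc32"
)

var pngMagic = []byte{0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'} // 89 50 4e 47 0d 0a 1a 0a

// Chunk is one parsed chunk: its file offset, type, and whether the stored CRC (over type+data) matches.
type Chunk struct {
	Offset int
	Type   string
	CRCOK  bool
}

// WalkPNG verifies the signature and walks the chunk list up to IEND. It returns the chunks,
// the IEND offset and every byte after the IEND chunk, a region decoders never read.
func WalkPNG(b []byte) (chunks []Chunk, iend int, trailing []byte, err error) {
	if len(b) < 8 || !bytes.Equal(b[:8], pngMagic) {
		return nil, -1, nil, fmt.Errorf("not a PNG: bad 8-byte signature")
	}
	for pos := 8; pos+12 <= len(b); {
		end := pos + 12 + int(binary.BigEndian.Uint32(b[pos:])) // 4 length + 4 type + data + 4 CRC
		if end > len(b) {
			return nil, -1, nil, fmt.Errorf("chunk at 0x%x runs past end of file", pos)
		}
		typ := string(b[pos+4 : pos+8])
		crcOK := binary.BigEndian.Uint32(b[end-4:]) == crc32.ChecksumIEEE(b[pos+4:end-4])
		chunks = append(chunks, Chunk{Offset: pos, Type: typ, CRCOK: crcOK})
		if typ == "IEND" {
			return chunks, pos, b[end:], nil
		}
		pos = end
	}
	return nil, -1, nil, fmt.Errorf("no IEND chunk found")
}

// chunk serialises one PNG chunk: length, type, data, CRC32(type+data).
func chunk(typ string, data []byte) []byte {
	var out bytes.Buffer
	binary.Write(&out, binary.BigEndian, uint32(len(data)))
	out.WriteString(typ)
	out.Write(data)
	binary.Write(&out, binary.BigEndian, crc32.ChecksumIEEE(append([]byte(typ), data...)))
	return out.Bytes()
}

// SamplePNG is a constructed minimal PNG (IHDR + IEND, no pixel data) with the post's
// base64 string appended after IEND, standing in for injected.png.
func SamplePNG() []byte {
	var f bytes.Buffer
	f.Write(pngMagic)
	f.Write(chunk("IHDR", []byte{0, 0, 0, 1, 0, 0, 0, 1, 8, 0, 0, 0, 0})) // 1x1, 8-bit grey
	f.Write(chunk("IEND", nil))
	f.WriteString("ZWNobyAiaGVsbG8gd29ybGQi")
	return f.Bytes()
}

func main() {
	chunks, iend, trailing, err := WalkPNG(SamplePNG())
	fmt.Printf("%d chunks, IEND at 0x%x, %d byte(s) after it: %q (err=%v)\n", len(chunks), iend, len(trailing), trailing, err)
}
```

On the sample this reports IEND at offset 33 and 24 trailing bytes, the appended base64 string; a clean PNG reports zero.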

Now that we can easily inject images and understand the basics of steganography, let's move to the more advanced side.

injecting, understanding, and extracting data out of JPEG/JPG image formats

I believe I am still not through the basics yet, so before we get to the final part of this lesson I will teach you how to look for and extract ZIP files from, and inject ZIP files into, JPG image formats. This can be a bit easier to understand, since it is just hiding data in the image with the OS and extracting it by finding the very specific header of that file type. Now, when it comes to JPEG, let's all admit they are the most dangerous images to have. They are dangerous because of a few things I'm going to list off:

JPEG/JPG images have what's called geolocation tags inside of them, which can tell a hacker or stalker the exact location where the photo was taken based on its coordinates (I made a function in EXIF-Tool to trace the location and write a map for it, which we will discuss later).

They are easy to inject data into and to have people execute payloads from; with the way JPEG certificates work, it is easy for someone to install a backdoor, virus or malicious payload into the image and execute it upon filtering that data out of the certificate.

They are easy to manipulate into viruses.

They give out MUCH more information about the device used and the person who took the photo.

They give hackers a stronger structure to manipulate into trackers, which can act as links upon opening the image.

Why would this be better than sending someone, or making someone execute, malicious EXE files, or ELF files if they are on Linux?

1: WAF evasion. With commercial software like Fortinet's FortiGate firewall, each packet can be thoroughly dissected for analysis. These kinds of firewalls make it difficult for an attacker using simple TCP connections established with Netcat to persist on the compromised device or covertly map the network. Using images, along with tools to inject and hide payloads in them, makes it difficult for system administrators to monitor the traffic and classify it as malicious.

2: Packet sniffing evasion. In most corporate environments, operating systems or servers are configured to use custom certificates, which makes it quite possible for a network admin to decrypt the data coming in and out of devices on the network.

3: AV evasion. Anti-virus systems are built to read the data of the binary, executable or file; if they spot something dangerous, such as a form of shellcode in a binary or ASCII dump, they trigger, which on systems like Windows stops the download until the user accepts the risk, hits OK and lets the program continue. Certain stagers give your program more protection to bypass AV software.

Now, to start off with this whole ZIP file injection: as said above, I am going to teach you the simple part, injecting data like ZIP files into, and extracting ZIP files from, JPG/JPEG images with the power of Go, to really get you familiar with hiding data in images.

Locating and extracting ZIP files from JPG images

This will be quite simple to understand because the process, line by line, is quite easy. Below this text is an example of a script written by an anonymous poster in my old, old Discord server, which is no longer alive; it proves the concept that you can search for ZIP files in images via their hex and extract them.

This is 103 lines of code; it's not too much to chop down once you have the core. Let me explain this a bit better for you: the top function is the main function, which takes image formats, or image paths anyway, as its arguments; it then checks whether the argument contains JPG and if it does it continues. After that, the notes say

Zip signature is "\x50\x4b\x03\x04". Remember how I talked about verifying an image is an image by reading its header bytes? ZIP files are structured the same way, with headers: a certain part of the file, the header, declares that the ZIP is, well, a ZIP file. Let's look at the main function of this script:

This is the one we want to pay attention to. The script uses Go's pointers and the standard file stat to read each byte of the file; if the byte is equal to \x50 there is a possibility of it being a ZIP file, but just to be sure it reads the next 3 bytes after that to verify this is a ZIP header, hence the

If the bytes are equal to the slice in the byte array, it returns as follows; once done, it will ask the user whether to use 7z to unpack the archive.

I am going to walk through the input and output for this script. In the file path zip_utils you will find two things: a file passwords.txt and an image named image.jpg. This is what I will be using for input: the image will be image.jpg and the file we will be extracting will be passwords.txt. The image below is the one I will be using.

When we run the script we will run it as follows

go run main.go stego_image.jpg

and we will get the following output

2022/02/27 08:20:43 Found zip signature at byte 135275.

Well, since we found the byte, let's see if we can hex dump it to preview the files inside of that ZIP file.

When we hex dump it and scroll to the very, very end of the long hex dump we can see the passwords.txt file and some other odd symbols. In case we do not want to extract it, we can always look at the dump to see what is in the file; this can help the blue team see what is in there, in case that ZIP file is a zip bomb or an implant.

Injecting ZIP files

Now that we understand the basics of how the file is found and the basics of bytes in steganography, I will teach you the basics of injecting a file or ZIP file into a JPG file.

To do this we will need another script like the following:

Now in this case this is actually more like copying or hiding an archive in, or behind, an image than injection, but the concept is the same. In its simplest form this code takes two OS argument vectors: the image you want to implant the file into, and the ZIP file. For this case I will be using the same image we used to find the ZIP file. When we run the program we get a silent output. It first opens and reads the image, then opens the ZIP file, to make sure both the image and the ZIP file are there and real. Then it creates the output image file, which we get to name (in EXIF-Hunter I added the option to change the output name with the -o flag). Then it uses Go's base ioutil library to merge the files together, basically melting them and mixing the data, which is why when you hex dump it the result looks very wacky and there isn't as organized an output as we saw in the PNG image format.

If you really want to test whether the ZIP file was truly injected, you can take the ZIP scan script and run your new output file through it; if everything is okay, with no error or warning output, then the file should be in there.
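As an added example covering both the scan script and the copy-behind-the-image script above (written for this page, not the anonymous poster's code or EXIF-Hunter's), this Go program scans a file for every "PK\x03\x04" local file header, reads the entry name straight out of the header, and then extracts the archive by slicing the file from the found offset, since the offsets in a zip's central directory count from the archive's own start. SampleStegoJPEG and its passwords.txt content are constructed stand-ins for stego_image.jpg.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/binary"
	"io"
)

var zipLocalHeader = []byte{0x50, 0x4b, 0x03, 0x04} // "PK\x03\x04": starts every zip entry
// ScanZipHeaders generalises the script's check (0x50, then the next three bytes) to every
// match in the file and returns offset -> entry name, read from the 30-byte local header.
func ScanZipHeaders(b []byte) map[int]string {
	hits := map[int]string{}
	for i := 0; ; i += 4 {
		j := bytes.Index(b[i:], zipLocalHeader)
		if j < 0 {
			return hits
		}
		i += j
		hits[i] = "" // keep the offset even when the header is truncated
		if i+30 <= len(b) {
			if n := int(binary.LittleEndian.Uint16(b[i+26:])); i+30+n <= len(b) {
				hits[i] = string(b[i+30 : i+30+n]) // name length at +26, name at +30
			}
		}
	}
}

// ExtractAt reads the archive starting at off (sliced out so its internal offsets line up) and returns name -> content.
func ExtractAt(b []byte, off int) (map[string]string, error) {
	if off < 0 || off > len(b) {
		return nil, zip.ErrFormat
	}
	tail := b[off:]
	zr, err := zip.NewReader(bytes.NewReader(tail), int64(len(tail)))
	if err != nil {
		return nil, err
	}
	out := map[string]string{}
	for _, f := range zr.File {
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		out[f.Name] = string(data)
	}
	return out, nil
}

// SampleStegoJPEG is a constructed stand-in for stego_image.jpg: a JPEG-shaped prefix (SOI, APP0, EOI) with a zip copied behind it.
func SampleStegoJPEG() []byte {
	var z bytes.Buffer
	zw := zip.NewWriter(&z)
	w, _ := zw.CreateHeader(&zip.FileHeader{Name: "passwords.txt", Method: zip.Store})
	w.Write([]byte("admin:hunter2\n")) // constructed sample content
	zw.Close()
	img := []byte{0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 'J', 'F', 'I', 'F', 0x00, 0xff, 0xd9}
	return append(img, z.Bytes()...)
}
```

Call ScanZipHeaders and ExtractAt from a main or a test: on the sample the scan reports offset 13 with name passwords.txt, and ExtractAt does what the script hands off to 7z.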

Summary

Steganography can be used in so many ways, for so many different things, and built, run and executed in multiple ways with different functions and forms. This article was made to shine a massive light on how steganography can be used in cyber security on both sides, offensive and defensive, such as in digital forensics or exploitation processes. I hope this article helped clear up how steganography works, and if it did, be sure to leave a like and maybe even a follow; it helps me a lot. There was a section I chose to leave out of this, at the very bottom, which uses a tool I developed on top of someone else's library to do everything we talked about here. To view that please click here.
