<< All versions
Skill v1.0.0
currentAutomated scan100/100yaklang/hack-skills/steganography-techniques
──Details
PublishedApril 28, 2026 at 07:23 PM
Content Hashsha256:6a12e4aa790c50ad...
Git SHAa3ab667b8d66
──Files
Files (1 file, 10.8 KB)
SKILL.md10.8 KBactive
SKILL.md · 350 lines · 10.8 KB
version: "1.0.0" name: steganography-techniques description: >- Steganography detection and extraction playbook. Use when analyzing images (LSB, PNG chunks, JPEG DCT, EXIF), audio (spectrogram, DTMF), files (polyglots, appended data, ADS), and text (whitespace, zero-width, homoglyphs) for hidden data.
SKILL: Steganography Techniques — Expert Analysis Playbook
AI LOAD INSTRUCTION: Expert steganography detection and extraction techniques. Covers image steganography (LSB, PNG chunk hiding, JPEG DCT, EXIF metadata, dimension tricks, palette manipulation), audio steganography (spectrogram, LSB, DTMF, morse), file steganography (polyglots, binwalk, NTFS ADS, steghide), and text steganography (whitespace, zero-width Unicode, homoglyphs). Base models miss the systematic file-type-based analysis approach and tool-specific extraction workflows.
0. RELATED ROUTING
Before going deep, consider loading:
- traffic-analysis-pcap for extracting files from network captures before stego analysis
- memory-forensics-volatility for extracting files from memory dumps
- classical-cipher-analysis if extracted hidden data is further encrypted/encoded
Tool Reference
Also load STEGO_TOOLS_GUIDE.md when you need:
- Tool installation instructions and dependencies
- Detailed command reference for each stego tool
- Workflow patterns for specific file types
1. IMAGE STEGANOGRAPHY
LSB (Least Significant Bit)
LSB embeds data in the least significant bits of pixel color channels.
bash
# zsteg — LSB analysis for PNG/BMPzsteg image.png # auto-detect all LSB patternszsteg image.png -a # try all known methodszsteg image.png -b 1 # extract bit plane 1zsteg image.png -E "b1,rgb,lsb,xy" # specific extraction pattern# StegSolve (Java GUI)java -jar StegSolve.jar# Navigate color planes: Red 0, Green 0, Blue 0 → look for hidden image/text# Data Extractor: specify bit planes + byte order# stegoveritas — comprehensive automated analysisstegoveritas image.png# Runs: exiftool, binwalk, zsteg, foremost, color plane extraction
PNG Specific
bash
# pngcheck — validate structure, find hidden chunkspngcheck -v image.png# Hidden chunks: tEXt, zTXt (compressed text), iTXt (international text)# Custom/private chunks may contain hidden data# CRC vs dimensions trick# If CRC doesn't match declared dimensions → image was cropped# Fix: brute-force correct width/height → reveals hidden rows/columnspython3 -c "import struct, zlibwith open('image.png','rb') as f:data = f.read()# Check IHDR CRC at offset 29ihdr = data[12:29]for h in range(1,2000):for w in range(1,2000):new_ihdr = struct.pack('>II',w,h) + ihdr[8:]if zlib.crc32(b'IHDR'+new_ihdr) & 0xffffffff == struct.unpack('>I',data[29:33])[0]:print(f'Width: {w}, Height: {h}')"# APNG (animated PNG) — hidden frames# Use apngdis to extract all frames: apngdis image.png
JPEG Specific
bash
# steghide — embed/extract from JPEG (DCT coefficient modification)steghide extract -sf image.jpg # extract (no passphrase)steghide extract -sf image.jpg -p PASSWORD # extract with passphrasesteghide info image.jpg # check if data is embedded# stegcracker — brute force steghide passphrasestegcracker image.jpg wordlist.txt# jsteg — JPEG LSB steganographyjsteg reveal image.jpg output.txt# JPEG structure analysisexiftool -v3 image.jpg # verbose metadata + structurejpegdump image.jpg # raw JPEG marker analysis
EXIF Metadata
bash
# exiftool — comprehensive metadata extractionexiftool image.jpgexiftool -b -ThumbnailImage image.jpg > thumb.jpg # extract thumbnailexiftool -all= image.jpg # strip all metadata# Hidden data in EXIF fields (comment, artist, copyright, etc.)exiftool -Comment image.jpgexiftool -UserComment image.jpgstrings image.jpg | grep -i "flag\|key\|secret"
Palette-Based (GIF)
bash
# GIF color table manipulation — data in color palette ordergifsicle -I image.gif # infogifsicle --color-info image.gif # palette details# Check for animation frames: convert -coalesce image.gif frame_%d.png
2. AUDIO STEGANOGRAPHY
Spectrogram Analysis
bash
# Sonic Visualiser — best for spectrogram viewing# Layer → Add Spectrogram → look for visual patterns (text/images)# Audacity# Analyze → Plot Spectrum# Select audio → change view to Spectrogram# sox for command-line spectrogram generationsox audio.wav -n spectrogram -o spectro.png
Audio LSB
bash
# DeepSound — hide/extract files in audio (Windows)# GUI tool: open audio file → extract hidden files# WavSteg — LSB in WAV filespython3 WavSteg.py -r -i audio.wav -o output.txt -n 1 # extract 1 LSBpython3 WavSteg.py -r -i audio.wav -o output.txt -n 2 # extract 2 LSBs
DTMF / Morse Code
bash
# DTMF decoder (phone tones)multimon-ng -t wav -a DTMF audio.wav# Morse code# Audacity → visual inspection of on/off pattern# Online decoder or manual: .- = A, -... = B, etc.# SSTV (Slow-Scan Television) — image in audioqsstv # GUI decoder# Or: RX-SSTV (Windows)
WAV Header Manipulation
bash
# Check for data appended after WAV audio data# WAV data chunk size vs actual file sizepython3 -c "import wavew = wave.open('audio.wav','rb')print(f'Frames: {w.getnframes()}, Channels: {w.getnchannels()}, Width: {w.getsampwidth()}')expected = w.getnframes() * w.getnchannels() * w.getsampwidth() + 44 # 44 = WAV headerimport osactual = os.path.getsize('audio.wav')if actual > expected:print(f'Extra data: {actual - expected} bytes appended')"
3. FILE STEGANOGRAPHY
Polyglot Files
A single file that is valid in two or more formats simultaneously.
bash
# Detection: check file with multiple toolsfile suspicious_filexxd suspicious_file | head # check magic bytesbinwalk suspicious_file # find embedded files# Common polyglots: PDF+ZIP, JPEG+ZIP, JPEG+RAR, PNG+ZIP# Try unzip on image files:unzip image.jpg -d extracted/7z x image.jpg -oextracted/
Appended / Embedded Data
bash
# binwalk — scan for embedded files and databinwalk image.png # scanbinwalk -e image.png # extract embedded filesbinwalk --dd='.*' image.png # extract everything# foremost — file carvingforemost -i suspicious_file -o output_dir/# dd — manual extraction# If binwalk shows embedded ZIP at offset 0x1234:dd if=suspicious_file bs=1 skip=$((0x1234)) of=extracted.zip
NTFS Alternate Data Streams (ADS)
cmd
:: List ADS (Windows)dir /r file.txtGet-Item file.txt -Stream *:: Read hidden streammore < file.txt:hidden_streamGet-Content file.txt -Stream hidden_stream:: Create ADS (for testing)echo "hidden data" > file.txt:secret
Steghide Brute Force
bash
# stegcracker — wordlist attack on steghide passphrasestegcracker image.jpg /usr/share/wordlists/rockyou.txt# stegseek — faster alternativestegseek image.jpg /usr/share/wordlists/rockyou.txt# stegseek is ~10000x faster than stegcracker
4. TEXT STEGANOGRAPHY
Whitespace Encoding
bash
# Tabs and spaces encode binary (tab=1, space=0 or vice versa)# stegsnow — whitespace steganographystegsnow -C message.txt # extract hidden messagestegsnow -C -p PASSWORD message.txt # extract with password# Manual detection:cat -A file.txt | head # show tabs (^I) and line endings ($)xxd file.txt | grep "09 20\|20 09" # look for tab/space patterns
Zero-Width Characters
bash
# Unicode invisible characters used for encoding:# U+200B (Zero-Width Space), U+200C (ZWNJ), U+200D (ZWJ), U+FEFF (BOM)# Detection:python3 -c "text = open('message.txt','r').read()hidden = [c for c in text if ord(c) in [0x200b, 0x200c, 0x200d, 0xfeff]]print(f'Found {len(hidden)} zero-width characters')binary = ''.join('0' if ord(c)==0x200b else '1' for c in hidden)# Convert binary to ASCII"# Online tools: holloway.nz/steg, Unicode Steganography decoders
Homoglyph Substitution
bash
# Visually identical characters from different Unicode blocks# e.g., Latin 'a' (U+0061) vs Cyrillic 'а' (U+0430)# Detection:python3 -c "text = open('message.txt','r').read()for i, c in enumerate(text):if ord(c) > 127:print(f'Position {i}: char={c} ord={ord(c)} name={__import__(\"unicodedata\").name(c,\"?\")}')"
5. DECISION TREE
Suspect hidden data — what file type?│├── Image (PNG/BMP)?│ ├── Check metadata: exiftool (§1 EXIF)│ ├── Check structure: pngcheck, binwalk (§1 PNG)│ ├── LSB analysis: zsteg, StegSolve (§1 LSB)│ ├── Check dimensions vs CRC: height/width brute force (§1 PNG)│ ├── Check for appended data: binwalk -e (§3)│ └── Try as polyglot: unzip/7z (§3)│├── Image (JPEG)?│ ├── Check metadata: exiftool (§1 EXIF)│ ├── Try steghide: steghide extract (§1 JPEG)│ │ └── Password protected? → stegseek brute force (§3)│ ├── Try jsteg: jsteg reveal (§1 JPEG)│ ├── Check for appended data: binwalk -e (§3)│ └── Check thumbnail: exiftool -b -ThumbnailImage (§1 EXIF)│├── Image (GIF)?│ ├── Check frames: extract all animation frames (§1 Palette)│ ├── Check palette: gifsicle --color-info (§1 Palette)│ └── Check for appended data: binwalk -e (§3)│├── Audio (WAV/MP3/FLAC)?│ ├── Spectrogram: Sonic Visualiser / Audacity (§2)│ ├── LSB: WavSteg (§2)│ ├── DTMF tones: multimon-ng (§2)│ ├── Morse code: manual or decoder (§2)│ ├── SSTV: qsstv (§2)│ └── Check file size vs expected: header analysis (§2)│├── Text file?│ ├── Check whitespace: cat -A, stegsnow (§4)│ ├── Check zero-width chars: Unicode analysis (§4)│ ├── Check homoglyphs: non-ASCII detection (§4)│ └── Check encoding: multiple base decodings│├── Any file type?│ ├── strings: strings -n 8 file | grep -i "flag\|key\|pass"│ ├── binwalk: binwalk -e file (embedded files) (§3)│ ├── file: file suspicious_file (true type)│ ├── xxd: check magic bytes, compare headers│ └── NTFS? → check ADS: dir /r (§3)│└── Password/passphrase needed?├── steghide → stegseek / stegcracker (§3)├── Check challenge description for hints└── Try common passwords: password, file name, challenge name