Saturday 5 January 2013

Data Obfuscation

Security through Obscurity
========================

Methods of hiding information without it appearing that there is any information, is an interesting topic and I recently got thinking on it following a few image challenges which were posted on various security sites a while ago.
I failed miserably at the challenges, but at least picked a few things up on the way to my epic fail..

Although security through obscurity is not truly secure, it is an interesting method of getting information to someone whilst being hidden to the un-informed.

This post is about the simple methods possible to use to hide info from the un-informed, the methods described are not supposed to be terribly secure, but rather, interesting.

The below done on VMWare Image of BackTrack5 R3 and on a Windows 7 PC.

The first stage is to have a look at the file information and see what information is revealed.

LOOKING AT THE BASIC INFORMATION OF AN IMAGE  FILE
====================================================

Exif Data
-------------
Image files often contain Exif data which can be read in the hex of a file, but using a tool such as Exiftool greatly simplifies this.

exiftool will also give you information on the file type.

exiftool can be run from the command line, and there is also a Windows GUI for exiftool available.
run 'exiftool file.jpg' from the command line and you will be presented with information available in the file which can include things like GPS positions camera make/model, software, comments, etc etc.

General usage on command line ;
exiftool matrix.jpg




























There are a huge amount of options possible with exiftool, and it is a fantastic tool to manipulate information in image files.
Check out the links at the bottom of this post for further information.

Hex Data
--------------
Nearly all files have a so-called 'header' and 'trailer', some files types only have a 'header'.
The header and trailer of files are sections of the file which identify the file type so Operating Systems understand what fileformat they are dealing with.
These headers and trailers are typically unique for the file type and a good resource for checking the file signatures is ; http://www.garykessler.net/library/file_sigs.html

So when we have a file to examine, for instance a JPG file, open it with a Hex Editor (I am using Windows based HxD Hex Editor) and have a look at the file headers and trailers.

Image file matrix.jpg;

















You will see that the file starts with 'FF D8 FF' and ends with 'FF D9'.

Image file header;







Image file trailer;














If there is extra data after the trailer FF D9, then it is possible that there is some sort of extra data to be found.
The information after the FF D9 trailer can give you an idea of what the extra information could be. In the below example the information after file trailer FF D9 starts with a known file header '50 4B 03 04' (PK.. in ACSII format), so it would appear that there is a zip file appended to the JPG.













So by checking the information in a Hex editor you can quickly see whether the file appears to be what it is supposed to be, or whether something looks out of the ordinary.



ATTACHING INFORMATION TO A FILE
=================================
With many file formats it is possible to attach file information which can later be retrieved based on the above principal of files having headers and trailers.

kitty-hack1.jpg;












kitty-hack2.jpg;














For instance in Windows with 'Command Prompt';
copy /b kitty-hack1.jpg + kitty-hack2.jpg kitty.jpg



In Linux with 'cat' (lolz, no pun intended ;) ) ;
cat kitty-hack1.jpg kitty-hack2.jpg > kitty.jpg

The above commands will copy/append the data from kitty-hack2.jpg to kitty-hack1.jpg and name
the output file to kitty.jpg.

When checking the kitty.jpg in a Hex Editor you will see that there is a JPG trailer 'FF D9' followed by a JPG header 'FF D8 FF' of the second file.
So although it looks like 1 file, there are in fact 2 files which can be confirmed by this check in a Hex editor.














I cant post the kitty.jpg here as the photo sharing site I use (Photobucket) removes any extraneous information after the first found trailer on jpeg files.
This 'limitation' could be bypassed though by converting the 1st image to .bmp format (which has no trailer) and copying the 2nd image to the bmp file ;
Result after the conversion of the 1st image to .bmp format and then appending kitty-hack2.jpg with the above mentioned copy /b method ;
copy /b kitty-hack1.bmp + kitty-hack2.jpg kitty.jpg




Just by looking at the hex you would see something is up, and with a search for the JPG header 'FF D8 FF' in the above image you will find that the 2nd file is appended.














This method of hiding files/data by copying/appending to files can be done with many filetypes.
You can also for instance place files in a zip archive and copy this archive to an image in the
same way (zip secret files, append to image file, image file can then also be opened with Archive tool);
copy /b image.jpg + info.zip hidden.jpg

Of course it should be noted that this is not at all a secure way of hiding information, but for those not in the know, there is no indication that extra information is even there.

For instance I found this one online a while ago, cant remember where, but in any case if anyone objects to it being posted here, just say the word and I'll take it down.(image/content not made by me)
Below is a .png file and contains a .rar file with content.





STEGANOGRAPHY
================
Stegonography is the method of hiding information in a file in a way that only the recipient
of the file should know or be able to extract.
There are quite a few programs out there that can do this, but none are really maintained.
Steghide is a popular one which can hide information in various filetypes (JPG/BMP/WAV/AU)
and is installed on most PenTest distros.

If for instance you have a file 'passwords.txt' and want to hide it in an image 'forest.jpg'
you would run steghide as follows ;
steghide embed -cf forest.jpg -ef passwords.txt
You can also specify a different filename for the output using -sf ;
steghide embed -cf forest.jpg -ef passwords.txt -sf forest1.jpg
You will be prompted to enter a password which you can do or else leave blank for no password.

To later retrieve this information you would run steghide as follows ;
steghide extract -sf forest1.jpg
You will be prompted for a password, if there is none, simply hit enter to leave blank
and steghide will attempt to extract the hidden data.
























forest.jpg;














forest1.jpg















Another interesting one is 'stepic' which is not installed on stock BT5R3 but can easily be done by ;
apt-get install python-stepic

stepic uses LSB (least significant bit) methods to hide any data in an existing png file. It does not include a password / encryption option and so is not a secure method, but works fine to hide data.

stepic -h

























FILE CARVING
=============
File Carving is the process of extracting files from data based on headers and trailers.
This is usually done on whole disc images, mainly for data recovery purposes on for instance damaged or unmounted drives requiring data extraction.
Some programs used for such operations on linux and available on most PenTest distros are for instance 'foremost' & ' scalpel'

The same principal however can be used on a single file if it appears that extra information is available within the file.

So if you find a JPG file (file1.jpg) with extra information after the expected trailer,
you could cut the first part of the file from the header 'DD F8 FF' (start of JPG file)
until the end of JPG file (denominated with FF D9).

In your Hex editor select and cut the data away from (the first if there are more than one) 'FF D8 FF'
upto and including 'FF D9' and save the file.
(you could then paste the cut section to a new file in HxD and save as file2.jpg to see
whether it matches what you saw in initial JPG file for verification)

You should then have a stripped file which you can then check again for file properties.
This file may have different properties, and so again you may have to look for headers and trailers.
(is it a different filetype ? check headers and trailers with the aforementioned file signatures link)

The above sequence is just a simple example. Possibly data you have will require different methods,
however for this example it is to simply show how you can 'carve' one file away from another
when dealing with simple appended files.




BASIC ENCODING/ENCRYPTION
----------------------------------------
Some basic encoding and/or encryption can also be used to further obfuscate the hidden data.
The below examples are very weak methods of doing such, however it is simply to show how
data can further be made difficult to retrieve if you are not aware of the methods used to hide it.

BASE64
base64 is a method to convert binary data to ASCII characters.
This could be used to for instance append data to an image file in ASCII form even further obfuscating the data.

base64 is installed on most linux distros, to use simply ;
base64 inputfile > outputfile
to decode ;
base64 -d filein > fileout
On windows you could download the bas64.exe from www.fourmilab.ch
base64.exe -e inputfile outputfile
to decode
base64.exe -d filein fileout

ROT13
ROT13 is an 'encryption' that basically moves all letters of the alphabet up 13 letters, a variant of the Caeser shift cipher.
ROT5 is the same method based on moving numeric values up 5 numbers.
Using them together is sometimes referred to as ROT18.

So it is easy to identify and encode or decode, even more so if you have a reference of some kind and is
NOT a secure encryption method, but fun to play with.

If you were to see a line of text like ; uggc://jjj.paa.pbz
You can see that there are similarities with a normal web address, but the wording/letters don't appear to match up to what you would expect.
Run a ROT13 script over the line uggc://jjj.paa.pbz ;
echo uggc://jjj.paa.pbz | tr a-zA-Z n-za-mN-ZA-M
and you will find outcome ; http://www.cnn.com

If there are digits there you could also include a ROT5 script and make it a ROT18.

So a quick and dirty ROT18 one-liner could look like the below ;
encoding with ROT18
echo "My birthday is 01-01-1900" | tr a-zA-Z0-45-9 n-za-mN-ZA-M5-90-4
Zl oveguqnl vf 56-56-6455

Decoding with ROT18
echo "Zl oveguqnl vf 56-56-6455" | tr a-zA-Z0-45-9 n-za-mN-ZA-M5-90-4
My birthday is 01-01-1900


I made a quick and dirty rot18 encoding/decoding script for shits and giggles should it be of interest
which can be run on either input or on a file.
Download;
http://www.mediafire.com/file/qvfr0p0006oqzyp/rot18.sh























A similar, but more elaborate variation is the rot47 encryption.

Same as the above, a simple script on rot47 encoding / decoding ;
http://www.mediafire.com/file/83pag27jmfvqgqa/rot47.sh


























Very basic, but does the job.


Consider this scenario of keeping/sharing your passwords ;
------------------------------------------------------------------------------
-> Create your passwords.txt
-> Zip passwords.txt and password protect it to pass.zip.
zip pass.zip -e passwords.txt 
-> Encode passwords.zip with base64 to pass.base
base64 -w 0 pass.zip > pass.base
(the '-w 0' to prevent linewraps that make it easer to add to an image comment.)

You could even ROT18 the file to further obfuscate the data ;
ROT18 encode the base64 file
cat pass.base | tr a-zA-Z0-45-9 n-za-mN-ZA-M5-90-4 > pass.rot
-> Find or create a nice image that would not arouse suspicion.
As the amount of data is so small, it can be included in the image comment, which is probably safer as if you are using image hosting websites they may strip off superfluous info from the jpg.
-> Add the data to the image comment using exiftool.
info=$(cat pass.rot) ; exiftool performance.jpg -comment=$info


-> Upload image file to photo or file sharing site and send yourself the link or whatever is appropriate.

Performance.jpg ;
















Retrieval ;
exiftool performance.jpg -b -comment > out.put
ROT18 decode the file
cat out.put | tr a-zA-Z0-45-9 n-za-mN-ZA-M5-90-4 > rot.out
Decode the base64
base64 -d rot.out > pass.zip
Unzip the created .zip file.
unzip pass.zip



















(password hint; worst 500 passwords)
fcrackzip -Dp worst_500_passwords.txt -uv pass.zip



















A highly cumbersome and not terribly secure method of doing something simple, but still food for thought on what is possible on hiding information in 'plain sight'.



Team THS Challenge 
================
I made the below file for the Top Hat Security team for an article on this same subject in our members magazine, based on the above possibilities.
See what you can discover and post the outcome here or on the THS forums !

Download the challenge (challenge.jpg) here ;
http://www.mediafire.com/?4sgybntg3qy60ov


Edit dd 04-02-2013
No takers / results on the above THS challenge.jpg file  ?!

Some hints then..
The file challenge.jpg contains a password protected zip file, contents of which can be
extracted with a password which can be found in the challenge.jpg image data..

The challenge.jpg actually has 4 images (including challenge.jpg) and the final outcome
of the challenge should be a text file starting with ;

Well done ! 

Challenge complete, hope it was enjoyable !


All required processes are described in the above post, but if you're stuck, leave a comment
with what you have done / tried and I will see if it merrits a response ;)



CREDITS/LINKAGE ;
==================
Top Hat Security
http://top-hat-sec.com/main/
Exiftool
http://www.sno.phy.queensu.ca/~phil/exiftool/
Exiftool GUI
http://freeweb.siol.net/hrastni3/foto/exif/exiftoolgui.htm
Exiftool forums
http://u88.n24.queensu.ca/exiftool/forum/index.php
HxD Hex Editor
http://mh-nexus.de/en/hxd/
Steghide
http://steghide.sourceforge.net/download.php
Stegdetect - Outguess
http://www.outguess.org/detection.php
Stepic
http://domnit.org/blog/2007/02/stepic-explanation.html
File Signatures
http://www.garykessler.net/library/file_sigs.html

Some incredibly annoying challenges can be found here ;
http://www.wixxerd.com/challenges/



 
Google Analytics Alternative