Basic Tools Contd.

Peepdf

Peepdf is a Python-based tool for exploring PDF files in order to find out whether a file may be harmful. Its aim is to give a security researcher every component needed for a PDF analysis in one place, instead of running three or four separate tools. With peepdf it is possible to list all the objects in the document with the suspicious elements highlighted; it supports the most commonly used filters and encodings, and it can parse the different versions (updates) of a file, object streams and encrypted files.

Installation

Download the tool from the official GitHub repository.

Usage

$ ./peepdf.py -i pdffile.pdf

Example

We will now see how to extract an embedded file from a PDF.


Viewed normally in a PDF viewer, the file shows nothing suspicious.

So now let's load the PDF file in peepdf:

$ ./peepdf.py -i nothing.pdf
File: nothing.pdf
MD5: 56572d46b09ef2b3de1faa4c9d5e1cb0
SHA1: 99b73b7d87815f669d54bb1c430b703d4ae827a4
SHA256: 98d1aa64f417da1a331b18c3b57d8d25e642c8f23a661e5298730c01d0a04ad2
Size: 925647 bytes
Version: 1.1
Binary: True
Linearized: False
Encrypted: False
Updates: 0
Objects: 8
Streams: 2
URIs: 0
Comments: 0
Errors: 0

Version 0:
    Catalog: 1
    Info: No
    Objects (8): [1, 2, 3, 4, 5, 6, 7, 8]
    Streams (2): [5, 8]
        Encoded (1): [8]
    Suspicious elements:
        /Names (1): [1]
        /EmbeddedFiles: [1]
        /EmbeddedFile: [8]

As we can see, there is an embedded file in the PDF.

Now we extract the embedded file (object 8) using the stream command as follows:

PPDF> stream 8 > embedfile

$ file embedfile
embedfile: PNG image data, 960 x 640, 8-bit/color RGB, non-interlaced
$ xdg-open embedfile

We can see that a PNG image is embedded in the PDF.

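To show what peepdf is doing in the session above, here is an added example (my own code, not part of peepdf or of the original page) that scans a PDF for the same "suspicious elements", extracts every /EmbeddedFile stream the way `stream 8 > embedfile` does, and sniffs the result like the `file` command. The PDF it analyses is constructed inline (it is not the page's nothing.pdf), and the parser is deliberately a toy: it scans for `N G obj ... endobj` pairs and only understands the /FlateDecode filter, whereas peepdf also handles the xref table, object streams, encryption and the other filters.

```python
import re
import zlib

# Keywords that peepdf listed under "Suspicious elements" in the session above.
SUSPICIOUS_KEYWORDS = (b"/Names", b"/EmbeddedFiles", b"/EmbeddedFile")
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

OBJECT_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
STREAM_RE = re.compile(rb"\bstream\r?\n")


def build_sample_pdf(payload: bytes) -> bytes:
    """Constructed sample (hypothetical, not the page's nothing.pdf): a minimal PDF whose
    catalog has an /EmbeddedFiles name tree pointing at a Flate-compressed /EmbeddedFile
    stream in object 3. It has no xref table, which is enough for this toy parser."""
    compressed = zlib.compress(payload)
    objects = [
        b"<< /Type /Catalog /Names << /EmbeddedFiles << /Names [(secret.png) 2 0 R] >> >> >>",
        b"<< /Type /Filespec /F (secret.png) /EF << /F 3 0 R >> >>",
        b"<< /Type /EmbeddedFile /Filter /FlateDecode /Length %d >>\nstream\n" % len(compressed)
        + compressed + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for number, body in enumerate(objects, start=1):
        out += b"%d 0 obj\n" % number + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def iter_objects(pdf: bytes):
    """Yield (object number, body) for every 'N G obj ... endobj' in the file.
    Toy scanner: ignores the xref table, object streams and incremental updates."""
    for match in OBJECT_RE.finditer(pdf):
        yield int(match.group(1)), match.group(3)


def object_dictionary(body: bytes) -> bytes:
    """The object's dictionary, i.e. everything before its stream data (if any)."""
    stream = STREAM_RE.search(body)
    return body[:stream.start()] if stream else body


def find_suspicious(pdf: bytes) -> dict:
    """Map each suspicious keyword to the objects whose dictionary contains it,
    the way peepdf's 'Suspicious elements' listing does."""
    hits = {}
    for number, body in iter_objects(pdf):
        dictionary = object_dictionary(body)
        for keyword in SUSPICIOUS_KEYWORDS:
            # the trailing \b keeps /EmbeddedFile from also matching /EmbeddedFiles
            if re.search(re.escape(keyword) + rb"\b", dictionary):
                hits.setdefault(keyword.decode(), []).append(number)
    return hits


def extract_stream(body: bytes):
    """Return the decoded stream data of one object, or None if it has no stream."""
    stream = STREAM_RE.search(body)
    length = re.search(rb"/Length\s+(\d+)", object_dictionary(body))
    if stream is None or length is None:
        return None
    raw = body[stream.end():stream.end() + int(length.group(1))]
    if b"/FlateDecode" in object_dictionary(body):
        raw = zlib.decompress(raw)          # the only filter this toy handles
    return raw


def extract_embedded_files(pdf: bytes) -> dict:
    """Equivalent of running 'stream N > file' in peepdf for every /EmbeddedFile object."""
    files = {}
    for number, body in iter_objects(pdf):
        if re.search(rb"/EmbeddedFile\b", object_dictionary(body)):
            data = extract_stream(body)
            if data is not None:
                files[number] = data
    return files


def sniff(data: bytes) -> str:
    """Tiny stand-in for the 'file' command used on the page."""
    if data.startswith(PNG_SIGNATURE):
        return "PNG image data"
    if data.startswith(b"%PDF-"):
        return "PDF document"
    return "data"


if __name__ == "__main__":
    sample = build_sample_pdf(PNG_SIGNATURE + b"constructed payload, not a real image")
    print("Suspicious elements:", find_suspicious(sample))
    for number, data in extract_embedded_files(sample).items():
        print(f"object {number}: {len(data)} bytes, {sniff(data)}")
```

The keyword check uses a word boundary so that `/EmbeddedFile` in object 3 is reported separately from `/EmbeddedFiles` in the catalog, which is exactly the distinction peepdf draws in its output: the catalog (object 1) only points at the attachment, while the stream object (here 3, on the page 8) is the one whose bytes you redirect to disk and hand to `file`.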

Pngcheck

A tool to test PNG image files for corruption and to display their size, type and compression info.

pngcheck is the official PNG tester and debugger. Originally designed simply to test the CRCs within a PNG image file (e.g., to check for ASCII rather than binary transfer), it has been extended to check and optionally print almost all the information about a PNG image and to verify that it conforms to the PNG specification. It also includes partial support for MNG animations.

It can dump the chunk-level information in the image in human-readable form. For example, it can be used to print the basic stats about an image (dimensions, bit depth, etc.); to list the color and transparency info in its palette; or to extract the embedded text annotations. All PNG and JNG chunks are supported, plus almost all MNG chunks (everything but PAST, DISC, tERm, DROP, DBYK, and ORDR). This is a command-line program with batch capabilities.

Installation

$ sudo apt install pngcheck

We will now use pngcheck on the following image, image.png.

Usage

$ pngcheck -v image.png
File: image.png (40711 bytes)
  chunk IHDR at offset 0x0000c, length 13
    2560 x 1440 image, 32-bit RGB+alpha, non-interlaced
  chunk bKGD at offset 0x00025, length 6
    red = 0x00ee, green = 0x00ee, blue = 0x00ee
  chunk pHYs at offset 0x00037, length 9: 2835x2835 pixels/meter (72 dpi)
  chunk IDAT at offset 0x0004c, length 8192
    zlib: deflated, 32K window, maximum compression
  chunk IDAT at offset 0x02058, length 8192
  chunk IDAT at offset 0x04064, length 8192
  chunk IDAT at offset 0x06070, length 8192
  chunk IDAT at offset 0x0807c, length 7799
  chunk IEND at offset 0x09eff, length 0
No errors detected in image.png (9 chunks, 99.7% compression).
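The chunk walk that pngcheck performs above is simple enough to reproduce. The following is an added example (my own code, not pngcheck's and not from the original page): it builds a small PNG inline, walks its chunks reporting type, offset and length the way `pngcheck -v` does, verifies each chunk's CRC-32 (pngcheck's original purpose, catching damage such as an ASCII-mode transfer), and decompresses the IDAT data to check that its size matches the IHDR dimensions. The sample image and the `flip_byte` corruption are constructed for the demonstration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
BYTES_PER_PIXEL = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}   # per colour type, at 8 bits per sample


def make_chunk(chunk_type: bytes, data: bytes) -> bytes:
    """Length, type, data, then CRC-32 over type+data, as the PNG spec lays a chunk out."""
    crc = zlib.crc32(chunk_type + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + chunk_type + data + struct.pack(">I", crc)


def build_sample_png(width: int, height: int) -> bytes:
    """Constructed sample: an 8-bit RGB image with every pixel mid-grey."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # each scanline starts with filter type 0 (None) followed by the raw RGB bytes
    scanlines = b"".join(b"\x00" + b"\x80\x80\x80" * width for _ in range(height))
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", zlib.compress(scanlines)) + make_chunk(b"IEND", b""))


def flip_byte(data: bytes, offset: int) -> bytes:
    """Constructed corruption: flip the low bit of one byte, as a damaged transfer might."""
    out = bytearray(data)
    out[offset] ^= 0x01
    return bytes(out)


def check_png(data: bytes):
    """Walk the chunk list like 'pngcheck -v'. Returns (chunk reports, error messages);
    an empty error list corresponds to pngcheck's 'No errors detected'."""
    reports, errors = [], []
    if not data.startswith(PNG_SIGNATURE):
        return reports, ["bad PNG signature"]
    pos, idat, ihdr = len(PNG_SIGNATURE), b"", None
    while pos + 8 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        chunk_type = data[pos + 4:pos + 8]
        chunk_data = data[pos + 8:pos + 8 + length]
        crc_field = data[pos + 8 + length:pos + 12 + length]
        name = chunk_type.decode("latin-1")
        if len(chunk_data) != length or len(crc_field) != 4:
            errors.append(f"chunk {name} at offset {pos + 4:#07x} is truncated")
            break
        expected = zlib.crc32(chunk_type + chunk_data) & 0xFFFFFFFF
        (stored,) = struct.unpack(">I", crc_field)
        # pngcheck's offset is that of the 4-byte type field, hence pos + 4
        report = {"type": name, "offset": pos + 4, "length": length, "crc_ok": stored == expected}
        if stored != expected:
            errors.append(f"CRC error in chunk {name} at offset {pos + 4:#07x} "
                          f"(computed {expected:#010x}, stored {stored:#010x})")
        if chunk_type == b"IHDR" and length == 13:
            ihdr = struct.unpack(">IIBBBBB", chunk_data)   # width, height, depth, colour type, ...
            report["ihdr"] = ihdr
        if chunk_type == b"IDAT":
            idat += chunk_data
        reports.append(report)
        pos += 12 + length
        if chunk_type == b"IEND":
            break
    if not reports or reports[-1]["type"] != "IEND":
        errors.append("missing IEND chunk")
    if ihdr is not None and idat:
        width, height, depth, colour = ihdr[:4]
        try:
            raw = zlib.decompress(idat)
        except zlib.error as exc:
            errors.append(f"zlib: {exc}")
        else:
            if depth == 8 and colour in BYTES_PER_PIXEL:
                expected_len = height * (1 + width * BYTES_PER_PIXEL[colour])
                if len(raw) != expected_len:
                    errors.append(f"image data is {len(raw)} bytes, expected {expected_len}")
    return reports, errors


if __name__ == "__main__":
    for label, png in (("good", build_sample_png(4, 2)), ("bad", flip_byte(build_sample_png(4, 2), 29))):
        reports, errors = check_png(png)
        print(f"{label}:")
        for r in reports:
            print(f"  chunk {r['type']} at offset {r['offset']:#07x}, length {r['length']}")
        print("  " + ("No errors detected" if not errors else "; ".join(errors)))
```

Offset 29 in the sample is the first byte of IHDR's stored CRC (8-byte signature, 4-byte length, 4-byte type, 13 data bytes), so flipping it produces the same kind of CRC error pngcheck reports, while the IHDR fields themselves still parse.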

References

For more information about the tool,

$ man pngcheck

John The Ripper

John the Ripper is a fast password cracker, currently available for many flavors of Unix, Windows, DOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix systems, supported out of the box are Windows LM hashes, plus lots of other hashes and ciphers in the community-enhanced version. John can crack almost all password-protected archives.

Installation

$ sudo snap install john-the-ripper

Usage

$ zip2john file.zip

Example

Example file:

$ zip2john flag.zip
flag.zip:$zip2$*0*1*0*47690c81c096c3c8*4d21*1f*7b9718219de608c6c2d860c4cf5566471d3d4bb5c73b5449ab75ac357c185c*6114d207125db9159c6a*$/zip2$:::::flag.zip

$ zip2john flag.zip >> hash.txt

$ john hash.txt

Warning: detected hash type "ZIP", but the string is also recognized as "zip-opencl"
Use the "--format=zip-opencl" option to force loading these as that type instead
Loaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 8x SSE2])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
123321           (flag.zip)
1g 0:00:00:02 DONE 2/3 (2019-04-26 17:31) 0.4651g/s 16946p/s 16946c/s 16946C/s 123456..MATT
Use the "--show" option to display all of the cracked passwords reliably
Session completed

So the password found is 123321. Similarly, we can crack other archive formats such as 7z and RAR.

References

For more information about the tool,

$ man john

Fcrackzip

Fcrackzip is a password cracking tool for ZIP files. It cracks the password either by a brute-force attack or by a dictionary attack.

In a brute-force attack, every possible password combination is tried until the correct password is found.

A dictionary attack involves supplying a wordlist containing a set of commonly used passwords.

Installation

$ sudo apt install fcrackzip

Usage

The general usage of fcrackzip for brute forcing the password is as follows.

$ fcrackzip -v -b -u -p <file_name.zip>
  • -v: verbose, shows what is going on in the background.
  • -b: brute-force mode.
  • -u: use unzip to verify each candidate password, weeding out false positives.
  • -p: the initial password string for brute forcing, or (with -D) the wordlist file for a dictionary attack.
  • -D: dictionary mode; reads passwords from a wordlist, one per line, ideally sorted alphabetically.

The general usage for the dictionary attack is as follows.

$ fcrackzip -v -u -D -p <path_to_wordlist_file> <file_name.zip>

A commonly used, publicly available wordlist is rockyou.

Example

Here is an example using a dictionary attack. On opening the zip file, we found that it was password-protected.

We used a dictionary attack to find the password.

In this way, the zip can be cracked when you don't know the password.

References

For more information about the tool,

$ man fcrackzip

Audacity

Audacity is a GUI-based tool: an open-source audio editor and recording application.

Installation

Audacity is available for Windows, macOS and Linux. You can download it from its official site, or on Ubuntu from the Ubuntu software store.

Usage

Audacity can be used from the command line or by directly clicking the icon in applications.

$ audacity <file_name>

On opening a file in Audacity you will see its audio track.

Audacity displays audio files as a waveform. You can switch the view to a spectrogram by clicking the arrow next to the track name and choosing Spectrogram instead of Waveform.

A spectrogram is a visual representation of the signal strength, or "loudness", of a signal over time at the various frequencies present in the waveform.

There are many effects, such as changing the speed, pitch or tempo. Clicking the Effect option in the menu bar lists them, and an effect can be applied to the selected region only or to the entire track.

Example

In CTFs we come across quite a few audio challenges. Mostly these involve switching the view to a spectrogram, or data embedded in the audio as Morse code.

Morse code represents text as sequences of dots and dashes. You can use an online decoder for Morse code. If you hear beeps in the audio, that is a sign the file contains Morse code; you can upload it directly to such a decoder and get the message. In CTFs we get challenges where the Morse code is audible, or where it becomes visible after switching the view to a spectrogram.

An example of switching the view to a spectrogram:

An example of switching the view and reading off the Morse code: you can see some extra data above the separation between the two tracks, which is Morse. Long lines represent dashes and short lines represent dots; the gaps between groups separate the letters. To keep track of each letter when writing it down, you can separate the groups with / or |.

The Morse code for letters and numbers is as follows:
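The same letter and digit mapping in code, together with a decoder for the pattern described above (long tone = dash, short tone = dot, the length of the silence deciding whether it separates symbols, letters or words), as an added example that is not part of the original page. It works on a constructed on/off signal (1 = tone, 0 = silence) of the kind you would obtain by thresholding the track, not on a real audio file; the timing ratios 1:3:7 are the standard Morse ones, and the "shortest tone is one dot" estimate is a simplification that assumes the transmission contains at least one dot.

```python
import re

MORSE_TABLE = {
    "A": ".-", "B": "-...", "C": "-.-.", "D": "-..", "E": ".", "F": "..-.",
    "G": "--.", "H": "....", "I": "..", "J": ".---", "K": "-.-", "L": ".-..",
    "M": "--", "N": "-.", "O": "---", "P": ".--.", "Q": "--.-", "R": ".-.",
    "S": "...", "T": "-", "U": "..-", "V": "...-", "W": ".--", "X": "-..-",
    "Y": "-.--", "Z": "--..",
    "0": "-----", "1": ".----", "2": "..---", "3": "...--", "4": "....-",
    "5": ".....", "6": "-....", "7": "--...", "8": "---..", "9": "----.",
}
CODE_TO_CHAR = {code: char for char, code in MORSE_TABLE.items()}


def decode_text(morse: str) -> str:
    """Decode written-down Morse: letters separated by spaces, words by '/' or '|'."""
    words = []
    for word in re.split(r"\s*[/|]\s*", morse.strip()):
        words.append("".join(CODE_TO_CHAR.get(code, "?") for code in word.split()))
    return " ".join(words)


def encode_signal(text: str, unit: int = 1) -> list:
    """Constructed test signal: 1 = tone on, 0 = silence, using the standard timings
    (dot 1 unit, dash 3, gap inside a letter 1, between letters 3, between words 7)."""
    samples = []
    for w, word in enumerate(text.upper().split()):
        if w:
            samples += [0] * (7 * unit)
        for l, char in enumerate(word):
            if l:
                samples += [0] * (3 * unit)
            for s, symbol in enumerate(MORSE_TABLE[char]):
                if s:
                    samples += [0] * unit
                samples += [1] * (unit if symbol == "." else 3 * unit)
    return samples


def run_lengths(samples):
    """Run-length encode a 0/1 sequence into (value, length) pairs."""
    runs = []
    for value in samples:
        if runs and runs[-1][0] == value:
            runs[-1][1] += 1
        else:
            runs.append([value, 1])
    return [(v, n) for v, n in runs]


def decode_signal(samples) -> str:
    """Turn an on/off signal into text: long tones are dashes, short tones are dots, and
    the length of each silence decides whether it separates symbols, letters or words."""
    runs = run_lengths(samples)
    tones = [n for value, n in runs if value == 1]
    if not tones:
        return ""
    unit = min(tones)                 # the shortest tone is taken as one dot
    words, letters, symbols = [], [], []

    def flush_letter():
        if symbols:
            letters.append(CODE_TO_CHAR.get("".join(symbols), "?"))
            symbols.clear()

    for value, n in runs:
        if value == 1:
            symbols.append("." if n < 2 * unit else "-")
        elif n >= 5 * unit:           # word gap (nominally 7 units)
            flush_letter()
            if letters:
                words.append("".join(letters))
                letters.clear()
        elif n >= 2 * unit:           # letter gap (nominally 3 units)
            flush_letter()
        # shorter silences are the gaps between symbols inside one letter
    flush_letter()
    if letters:
        words.append("".join(letters))
    return " ".join(words)


if __name__ == "__main__":
    signal = encode_signal("SOS CTF 2019", unit=4)
    print(len(signal), "samples ->", decode_signal(signal))
    print(decode_text("... --- ... / -.-. - ..-."))
```

The thresholds sit halfway between the nominal durations (a dash is three dots, a letter gap three units, a word gap seven), so modest timing jitter in a hand-keyed or resampled signal still classifies correctly; a symbol that decodes to nothing in the table is emitted as "?" rather than dropped, so a mis-read letter stays visible.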

References

For more information about Morse code and the usage of Audacity,

visit Wikipedia for detailed information on Morse code and the Audacity documentation for its usage.

Sonic Visualiser

Sonic Visualiser is also a GUI-based tool. It is similar to Audacity but somewhat more powerful: an application for viewing and analysing the contents of audio files.

Installation

Sonic Visualiser is available for Linux, OS X and Windows. You can download it from its official site, or on Ubuntu from the Ubuntu software store.

Usage

Sonic Visualiser can be used from the command line or by clicking its icon in the applications menu.

$ sonic-visualiser <file_name>

On opening a file in Sonic Visualiser you will see its audio track.

Like Audacity, Sonic Visualiser can add layers such as a spectrogram: go to the Layer menu and add the layer you want. Other features, such as changing the playback speed of the audio, are under the Playback menu. The Morse code can be viewed in the same way.

Comparing the two, Sonic Visualiser gives more flexibility in revealing the data hidden in audio files.

Example

Sonic Visualiser can reveal information that Audacity cannot show. Look at this example:

When a file was opened in Audacity in spectrogram view:

When the same file was opened in Sonic Visualiser in spectrogram view:

In this way, Sonic Visualiser reveals the information present in audio files.

References

Visit its Documentation.

PDF Crack

PDF Crack is a tool for recovering the password of encrypted PDF files. Encrypted here means the contents of the file are protected with a password.

It has some special features:
  • Cracks both the owner password and the user password.
  • Brute-forces the password over a given character set, within the minimum and maximum password lengths you provide.
  • Searches for the password in a wordlist.
  • Optimised search for the owner password when the user password is known.

Installation

To install PDF Crack,

$ sudo apt-get install pdfcrack

Usage

The general usage of pdfcrack for brute-forcing is,

$ pdfcrack -f <file_name>

The general usage of pdfcrack with a wordlist is:

$ pdfcrack -f <file_name> -w <location_of_wordlist_file>

Example

Here is an example using a wordlist. On opening the PDF, we found that the file was password-protected.

We used a dictionary attack (using a wordlist) to find the password.

In this way, the password of a PDF file can be recovered when you don't know it or have forgotten it.

If you press Ctrl+C during a run, pdfcrack saves its progress to a file called savedstate.sav in the current directory, so the job can be resumed later.

For further reference visit,

$ man pdfcrack

Deep Sound

DeepSound is a steganography tool and audio converter that hides information in audio files or audio CD tracks. It is a Windows tool. It can also extract the hidden data from audio files or CD tracks. DeepSound additionally supports encrypting the secret files with AES-256 (Advanced Encryption Standard) to improve data protection.

Installation

This tool can be installed from its official site.

Usage

On opening DeepSound on Windows after downloading it, it looks something like this:

There you can see the Open carrier files option; click on it and choose a music file (of any type, such as wav or mp3) in which you want to embed the secret files. Then click the Add secret files option next to it and choose the file to embed. Then click the Encode secret files option; you will see a window similar to this:

You can also protect the secret file with a password: tick the checkbox and the password option appears; enter the password with which the file is to be encrypted. After clicking the Encode secret files button at the bottom, the encoded file is saved in the output directory you specified.

Example

Here's an example of encoding a secret file into an audio file:

Choose the audio file in which you want to embed a file.

Choose the file you want to embed in the audio file.

Click on the Encode secret files option and choose the output format.

It will then produce another file in the format you specified.

Here's an example of decoding the secret file from the audio file:

In the above picture you can see a file (1(1).wav) under Carrier audio files, and under Secret file name you can see the embedded file. Click the Extract secret files option, and it will decode the file present in that audio into a separate file.

By going to the directory mentioned in the Information window you will find the file that was embedded in the audio.

Reference

For further information, visit the documentation.

Jsteg

Jsteg is a package for hiding data inside JPEG files with a technique known as steganography. This is accomplished by copying each bit of the data into the least-significant bits (LSB) of the image. The amount of data that can be hidden depends on the file size of the JPEG; it takes about 10 to 14 bytes of JPEG to store each byte of hidden data.

Installation

$ sudo wget -O /usr/bin/jsteg https://github.com/lukechampine/jsteg/releases/download/v0.1.0/jsteg-linux-amd64
$ sudo chmod +x /usr/bin/jsteg
$ sudo wget -O /usr/bin/slink https://github.com/lukechampine/jsteg/releases/download/v0.2.0/slink-linux-amd64
$ sudo chmod +x /usr/bin/slink

Usage

The usage of the jsteg tool can be shown by typing the following command.

$ jsteg

Try typing the above command to see its usage output.

Hiding data

Now, let's hide some data using jsteg. Consider this image of Itachi.


Let the name of the file to be embedded be 'jsteg.txt'.

The file to be embedded contains the following data.

Jsteg is used for JPEG steganography.

The command to embed a file in the JPEG image is as follows.

$ jsteg hide <in.jpg> <secret file name> <out.jpg>


The output image looks the same as the original; the hidden data is not visible.

Revealing data

The syntax for revealing data is as follows.

$ jsteg reveal <in.jpg> <output file name>


References

For further reference, see the jsteg GitHub repository (github.com/lukechampine/jsteg).

Zsteg

Zsteg is a tool similar to jsteg, but it is used to detect LSB steganography in PNG and BMP images only.

Installation

$ sudo apt install ruby
$ sudo gem install zsteg

Usage

The usage of the zsteg tool can be shown by typing the following command.

$ zsteg

Now, let's see a challenge from Securinets CTF Quals 2019 in which a PNG image is given.


Let's use zsteg on this image and see what happens. The syntax is as follows.

$ zsteg <filename>

The result lists the data zsteg found.

In that result, zsteg finds meaningful data embedded in the LSBs of the PNG image, which helped in solving the challenge.
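What zsteg does on a PNG or BMP, once the pixels are decoded, is collect the least-significant bit of each colour sample in various channel and bit orders and look for anything that reads as text. The following added example (my own code, not zsteg's and not from the original page) does the same on a constructed raw RGB pixel buffer: `embed_lsb` plants a NUL-terminated message in the LSBs so there is something to find, `extract_lsb` reads the bit plane back in a chosen channel order, and `scan` tries several orders and reports the printable runs, which is how zsteg's output lines such as "b1,rgb,lsb" come about. The cover image is random noise generated inline; with a real file you would decode the PNG to raw pixels first.

```python
import random

CHANNEL_INDEX = {"r": 0, "g": 1, "b": 2}


def make_cover(width: int, height: int, seed: int = 1) -> bytearray:
    """Constructed cover: raw 8-bit RGB pixels (what a PNG decodes to), filled with noise."""
    rng = random.Random(seed)
    return bytearray(rng.randrange(256) for _ in range(width * height * 3))


def sample_positions(width: int, height: int, order: str):
    """Byte offsets visited pixel by pixel, in the given channel order (e.g. 'rgb' or 'b')."""
    return [pixel * 3 + CHANNEL_INDEX[c] for pixel in range(width * height) for c in order]


def embed_lsb(pixels, width, height, message: bytes, order: str = "rgb") -> bytearray:
    """Write the message bits (MSB first, NUL-terminated) into the LSB of the chosen samples."""
    bits = [(byte >> (7 - i)) & 1 for byte in message + b"\x00" for i in range(8)]
    positions = sample_positions(width, height, order)
    if len(bits) > len(positions):
        raise ValueError("message does not fit in the cover image")
    out = bytearray(pixels)
    for bit, pos in zip(bits, positions):
        out[pos] = (out[pos] & 0xFE) | bit       # keep the top 7 bits, replace the LSB
    return out


def extract_lsb(pixels, width, height, order: str = "rgb", msb_first: bool = True) -> bytes:
    """Collect the LSB of every visited sample and pack them eight at a time into bytes."""
    bits = [pixels[pos] & 1 for pos in sample_positions(width, height, order)]
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        chunk = bits[i:i + 8] if msb_first else bits[i:i + 8][::-1]
        out.append(int("".join(map(str, chunk)), 2))
    return bytes(out)


def printable_runs(data: bytes, min_len: int = 8):
    """Runs of printable ASCII of at least min_len bytes, the 'text' a scanner reports."""
    runs, current = [], bytearray()
    for byte in data + b"\x00":               # the sentinel flushes the final run
        if 32 <= byte < 127:
            current.append(byte)
        else:
            if len(current) >= min_len:
                runs.append(current.decode("ascii"))
            current = bytearray()
    return runs


def scan(pixels, width, height) -> dict:
    """Try the channel and bit orders zsteg-style; map each order that yields text to it."""
    findings = {}
    for order in ("r", "g", "b", "rgb", "bgr"):
        for msb_first in (True, False):
            texts = printable_runs(extract_lsb(pixels, width, height, order, msb_first))
            if texts:
                findings[(order, "msb" if msb_first else "lsb")] = texts
    return findings


if __name__ == "__main__":
    width, height = 16, 8
    cover = make_cover(width, height)
    stego = embed_lsb(cover, width, height, b"flag{constructed_lsb}")
    for (order, bit_order), texts in scan(stego, width, height).items():
        print(f"b1,{order},{bit_order}: {texts}")
```

Note that a random cover can produce a short printable run by chance, which is why zsteg's output needs a human eye: the message planted in "rgb" order is found as one clean run, while other orders mostly yield nothing or noise.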

References

For further reference on this tool, see the zsteg project page.

Tweak PNG

TweakPNG is a low-level utility for examining and modifying PNG image files. It supports Windows XP and higher. To make much use of it, you have to be at least familiar with the internal format of PNG files. This is a Windows-based tool, so we need to install Wine to run TweakPNG on Linux.

Installation

Wine can be installed by executing the following command.

$ sudo apt install wine-stable

The TweakPNG executable can be downloaded from its website.

Usage


Let's open a PNG image in TweakPNG and examine it. Run the 64-bit version of TweakPNG using Wine as follows.

$ wine tweakpng.exe

TweakPNG's main window will then be displayed.

Now, if the PNG image is opened in TweakPNG, it lists the chunks that make up the file.

References

For an in-depth understanding of the PNG file structure, refer to the PNG specification.