Basic Tools Contd.
Peepdf is a Python-based tool for exploring PDF files to find out whether a file can be harmful. The aim of the tool is to provide every component a security researcher needs for PDF analysis without juggling three or four separate tools. With peepdf it is possible to list all the objects in a document, with suspicious elements highlighted; it supports the most commonly used filters and encodings, and it can parse different versions of a file, object streams and encrypted files.
Download the tool from the official Github Repo
$ ./peepdf.py -i pdffile.pdf
We will now see how to extract an embedded file from a PDF.
As we can see, there is nothing suspicious about the PDF when it is viewed normally in a PDF viewer.
So now let's load the PDF in peepdf.
```
$ ./peepdf.py -i nothing.pdf
File: nothing.pdf
MD5: 56572d46b09ef2b3de1faa4c9d5e1cb0
SHA1: 99b73b7d87815f669d54bb1c430b703d4ae827a4
SHA256: 98d1aa64f417da1a331b18c3b57d8d25e642c8f23a661e5298730c01d0a04ad2
Size: 925647 bytes
Version: 1.1
Binary: True
Linearized: False
Encrypted: False
Updates: 0
Objects: 8
Streams: 2
URIs: 0
Comments: 0
Errors: 0

Version 0:
    Catalog: 1
    Info: No
    Objects (8): [1, 2, 3, 4, 5, 6, 7, 8]
    Streams (2): [5, 8]
    Encoded (1):
    Suspicious elements:
        /Names (1):
        /EmbeddedFiles:
        /EmbeddedFile:
```
As we can see, the PDF carries an embedded file.
So now we need to extract the embedded file using the stream command, redirecting the decoded stream to a file as follows:
PPDF> stream 8 > embedfile
```
$ file embedfile
embedfile: PNG image data, 960 x 640, 8-bit/color RGB, non-interlaced
$ xdg-open embedfile
```
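To make the peepdf steps above concrete, here is an added Python example (not part of the page or of the peepdf project) that does by hand what the summary and `stream 8 > embedfile` did: it walks the objects of a PDF, flags objects carrying names an analyst looks at first, and decodes any `/EmbeddedFile` stream. The sample PDF, its object numbers and the file name `secret.txt` are constructed for the example; only FlateDecode and unfiltered streams are decoded.

```python
import re
import zlib


def build_sample_pdf(payload: bytes, name: bytes = b"secret.txt") -> bytes:
    """Constructed sample: a minimal PDF with one embedded file, shaped like the
    nothing.pdf case (a /Names -> /EmbeddedFiles tree pointing at an
    /EmbeddedFile stream). Object numbers and the file name are made up."""
    compressed = zlib.compress(payload)
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles << /Names [("
        + name + b") 3 0 R] >> >> >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /Type /Filespec /F (" + name + b") /EF << /F 4 0 R >> >>",
        b"<< /Type /EmbeddedFile /Filter /FlateDecode /Length "
        + str(len(compressed)).encode() + b" >>\nstream\n" + compressed + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objects) + 1, xref_pos)
    return out


# "N 0 obj ... endobj" for every object in the file (uncompressed object syntax only)
OBJ_RE = re.compile(rb"(\d+)\s+0\s+obj\s*(.*?)\s*endobj", re.S)
# Names that make an object worth a closer look, as in peepdf's "Suspicious elements"
SUSPICIOUS = [b"/JS", b"/JavaScript", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile", b"/URI"]


def summarize(pdf: bytes) -> dict:
    """peepdf-style overview: object ids, which objects hold streams, and which
    objects contain suspicious names (exact-name match, so /EmbeddedFiles in the
    catalog does not count as /EmbeddedFile)."""
    info = {"objects": [], "streams": [], "suspicious": {}}
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(2)
        info["objects"].append(num)
        if re.search(rb"[^A-Za-z]stream[\r\n]", body):
            info["streams"].append(num)
        for key in SUSPICIOUS:
            if re.search(re.escape(key) + rb"(?![A-Za-z])", body):
                info["suspicious"].setdefault(key.decode(), []).append(num)
    return info


def extract_embedded_files(pdf: bytes) -> dict:
    """Equivalent of `stream N > file` for every /EmbeddedFile object:
    returns {object number: decoded bytes}."""
    found = {}
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(2)
        if not re.search(rb"/Type\s*/EmbeddedFile(?![A-Za-z])", body):
            continue
        head, sep, rest = body.partition(b"stream")
        if not sep:
            continue
        # stream data begins after the end-of-line that follows the 'stream' keyword
        rest = rest[2:] if rest.startswith(b"\r\n") else rest[1:]
        length = re.search(rb"/Length\s+(\d+)", head)
        raw = rest[:int(length.group(1))] if length else rest.rsplit(b"endstream", 1)[0].rstrip(b"\r\n")
        if re.search(rb"/Filter\s*/FlateDecode", head):
            raw = zlib.decompress(raw)
        found[num] = raw
    return found


if __name__ == "__main__":
    sample = build_sample_pdf(b"flag{constructed_example}")
    print(summarize(sample))
    for num, data in extract_embedded_files(sample).items():
        print(f"object {num}: {data!r}")
```

Against a real file the same two functions show the analyst the same things the peepdf summary did: which object numbers hold streams, which carry names worth inspecting, and the decoded content of the embedded file that a viewer never displays.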
A tool to test PNG image files for corruption, display size, type, compression info.
pngcheck is the official PNG tester and debugger. Originally designed simply to test the CRCs within a PNG image file (e.g., to check for ASCII rather than binary transfer), it has been extended to check and optionally print almost all the information about a PNG image and to verify that it conforms to the PNG specification. It also includes partial support for MNG animations.
It can dump the chunk-level information in the image in human-readable form. For example, it can be used to print the basic stats about an image (dimensions, bit depth, etc.); to list the color and transparency info in its palette; or to extract the embedded text annotations. All PNG and JNG chunks are supported, plus almost all MNG chunks (everything but PAST, DISC, tERm, DROP, DBYK, and ORDR). This is a command-line program with batch capabilities.
$ sudo apt install pngcheck
We will now use pngcheck on the following image.
```
$ pngcheck -v image.png
File: image.png (40711 bytes)
  chunk IHDR at offset 0x0000c, length 13
    2560 x 1440 image, 32-bit RGB+alpha, non-interlaced
  chunk bKGD at offset 0x00025, length 6
    red = 0x00ee, green = 0x00ee, blue = 0x00ee
  chunk pHYs at offset 0x00037, length 9: 2835x2835 pixels/meter (72 dpi)
  chunk IDAT at offset 0x0004c, length 8192
    zlib: deflated, 32K window, maximum compression
  chunk IDAT at offset 0x02058, length 8192
  chunk IDAT at offset 0x04064, length 8192
  chunk IDAT at offset 0x06070, length 8192
  chunk IDAT at offset 0x0807c, length 7799
  chunk IEND at offset 0x09eff, length 0
No errors detected in image.png (9 chunks, 99.7% compression).
```
For more information about the tool,
$ man pngcheck
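The `pngcheck -v` listing above is just a walk over the PNG chunk layout (4-byte length, 4-byte type, data, CRC32 over type and data). The following Python example is added here to show that walk and the checks behind "No errors detected"; it is not code from the page or from pngcheck. The 2x2 sample image is constructed inline (the page's image.png is not read), and the report offsets follow pngcheck's convention of pointing at the chunk type field, so IHDR is at 0x0000c.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """length | type | data | CRC32 over type+data, the PNG chunk layout."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png(width: int = 2, height: int = 2) -> bytes:
    """Constructed sample: a tiny solid-red 8-bit RGB PNG (not the page's image.png)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # each scanline starts with filter type 0 (None) followed by RGB triples
    scanlines = b"".join(b"\x00" + b"\xff\x00\x00" * width for _ in range(height))
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", zlib.compress(scanlines)) + make_chunk(b"IEND", b""))


def check_png(png: bytes) -> dict:
    """Walk the chunks the way `pngcheck -v` does and report layout plus errors."""
    report = {"chunks": [], "errors": []}
    if not png.startswith(PNG_SIGNATURE):
        report["errors"].append("bad PNG signature")
        return report
    pos = 8
    while pos < len(png):
        if pos + 8 > len(png):
            report["errors"].append(f"truncated chunk header at 0x{pos:05x}")
            break
        length, = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8].decode("latin-1")
        end = pos + 12 + length
        if end > len(png):
            report["errors"].append(f"chunk {ctype} at 0x{pos + 4:05x} runs past end of file")
            break
        data = png[pos + 8:pos + 8 + length]
        stored_crc, = struct.unpack(">I", png[pos + 8 + length:end])
        crc_ok = (zlib.crc32(png[pos + 4:pos + 8 + length]) & 0xFFFFFFFF) == stored_crc
        report["chunks"].append({"type": ctype, "offset": pos + 4, "length": length, "crc_ok": crc_ok})
        if not crc_ok:
            report["errors"].append(f"CRC error in chunk {ctype} at 0x{pos + 4:05x}")
        if ctype == "IHDR" and length == 13:
            w, h, depth, color = struct.unpack(">IIBB", data[:10])
            report.update(width=w, height=h, bit_depth=depth, color_type=color)
        pos = end
        if ctype == "IEND":
            # anything after IEND is ignored by viewers, so it is a common hiding place
            if end < len(png):
                report["errors"].append(f"{len(png) - end} bytes of trailing data after IEND")
            break
    types = [c["type"] for c in report["chunks"]]
    if not types or types[0] != "IHDR":
        report["errors"].append("first chunk is not IHDR")
    if "IDAT" not in types:
        report["errors"].append("no IDAT chunk")
    if "IEND" not in types:
        report["errors"].append("missing IEND chunk")
    return report


if __name__ == "__main__":
    sample = build_sample_png()
    for chunk in check_png(sample)["chunks"]:
        print(f"chunk {chunk['type']} at offset 0x{chunk['offset']:05x}, length {chunk['length']}")
    damaged = bytearray(sample)
    damaged[23] ^= 1          # flip a bit in the IHDR height field without fixing the CRC
    print(check_png(bytes(damaged))["errors"])
```

The CRC mismatch and the trailing-data case are the two findings worth acting on in a CTF or forensic triage: the first means a header field was edited by hand (see the TweakPNG section below), the second means there is content after the image that no viewer will render.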
John The Ripper
John the Ripper is a fast password cracker, currently available for many flavors of Unix, Windows, DOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix systems, Windows LM hashes are supported out of the box, plus lots of other hashes and ciphers in the community-enhanced version. John can crack almost all password-protected archives.
$ sudo snap install john-the-ripper
$ zip2john file.zip
```
$ zip2john flag.zip
flag.zip:$zip2$*0*1*0*47690c81c096c3c8*4d21*1f*7b9718219de608c6c2d860c4cf5566471d3d4bb5c73b5449ab75ac357c185c*6114d207125db9159c6a*$/zip2$:::::flag.zip
```
$ zip2john flag.zip >> hash.txt
```
$ john hash.txt
Warning: detected hash type "ZIP", but the string is also recognized as "zip-opencl"
Use the "--format=zip-opencl" option to force loading these as that type instead
Loaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 8x SSE2])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
123321           (flag.zip)
1g 0:00:00:02 DONE 2/3 (2019-04-26 17:31) 0.4651g/s 16946p/s 16946c/s 16946C/s 123456..MATT
Use the "--show" option to display all of the cracked passwords reliably
Session completed
```
So the password found is 123321. In the same way we can crack other archive formats such as 7z and RAR.
For more information about the tool,
$ man john
Fcrackzip is a password cracking tool for ZIP files. It recovers the password either by a brute-force attack or by a dictionary attack.
In a brute-force attack, every possible combination of characters is tried until the correct password is found.
A dictionary attack instead takes a wordlist containing a set of commonly used passwords and tries each one.
$ sudo apt install fcrackzip
The general usage of fcrackzip for brute forcing the password is as follows.
$ fcrackzip -v -b -u -p <file_name.zip>
- -v for reporting what is going on in the background, commonly known as verbose.
- -b for brute-forcing.
- -u for unzip.
- -p for setting the initial password for brute-forcing, or the file to read passwords from in a dictionary attack.
- -D sets dictionary mode and reads passwords from a wordlist in order.
The general usage for the dictionary attack is as follows.
$ fcrackzip -v -u -D -p <path_to_wordlist_file> <file_name.zip>
A commonly used, publicly available wordlist is rockyou.
Here is an example using a dictionary attack. On opening the zip file, we found that it was password-protected.
We used a dictionary attack to find the password.
In this way, cracking the zip is possible when you don't know the password.
For more information about the tool,
$ man fcrackzip
Audacity is a GUI-based tool. It is an open-source audio editor and recording application.
Audacity is available for Windows, macOS and Linux. You can download Audacity from its official site, or on Ubuntu you can install it from the Ubuntu store.
Audacity can be launched from the command line or by clicking its icon in the applications menu.
$ audacity <file_name>
Audacity displays audio files as a waveform. You can switch the view from waveform to spectrogram by changing the track's layer: click the arrow next to the track name and select spectrogram.
A spectrogram is a visual representation of the signal strength, or "loudness", of a signal over time at the various frequencies present in the waveform.
There are so many effects like changing speed, pitch, tempo etc. By clicking the effects option in the menu bar, you can see many options, and users can apply the effect only in the selected area or the entire track.
In CTFs we come across quite a few audio challenges. Mostly, these challenges are about switching the layer to spectrogram, or about data embedded in the audio as Morse code.
Morse code represents text in a dot-dash format. You can use this link to decode Morse code. If the audio contains beeps, it is a good sign that the file carries Morse code; you can upload it directly to that link and get the hidden message. In CTFs we get challenges where the Morse code is audible, or where it becomes visible after switching the layer to spectrogram.
An example for changing the layer to spectrogram,
An example of changing the layer and reading off the Morse code: you can see some extra data above the separation between the two tracks, and that is nothing but Morse. Long lines represent a dash and short lines represent a dot; the space between groups separates each letter. If you want a clear view of every letter, you can write the letters out separated by / or |.
The Morse code for the alphabet and the digits is as follows,
For more information about morse code and usage of Audacity,
Sonic-Visualiser is also a GUI-based tool. It is similar to Audacity but a bit more powerful. It is an application for viewing and analysing the contents of audio files.
Sonic Visualiser is available for Linux, OS/X, and Windows. You can download Sonic-Visualiser from its official site, or on Ubuntu you can install it from the Ubuntu store.
Sonic-Visualiser can be launched from the command line or by clicking its icon in the applications menu.
$ sonic-visualiser <file_name>
Similar to Audacity, Sonic-Visualiser can also add layers such as a spectrogram. To do that, go to the Layer option in the menu bar. Under the Playback option in the menu bar you will find further features, such as changing the playback speed of the audio. With these, Morse code and similar embedded data can be viewed.
Finally, after analysing both Audacity and Sonic-Visualiser, Sonic-Visualiser has more flexibility in revealing the data hidden in audio files.
Sonic Visualiser reveals information that Audacity cannot show. Look at this example,
When a file was opened in Audacity under spectrogram,
When the same file was opened using sonic visualiser under spectrogram,
In this way, sonic visualiser reveals the information present in the audio files.
Visit its Documentation.
PDF Crack is a tool for recovering the password of encrypted PDF files, i.e. files whose content has been encrypted under a user or owner password.
It has some special features:
- Checks against both the owner (system) password and the user password.
- Cracks the password by brute force, restricted to a given character set and to a given minimum and maximum password length.
- Searches for the password in a wordlist.
- Optimised search for the owner password when the user password is known.
To install PDF Crack,
$ sudo apt-get install pdfcrack
The general usage of pdfcrack for brute-forcing is,
$ pdfcrack -f <file_name>
The general usage of pdfcrack with a wordlist is,
$ pdfcrack -f <file_name> -w <location_of_wordlist_file>
Here is an example using a wordlist. On opening the PDF, we found that the file was password-protected.
We used a dictionary attack (using a wordlist) to find the password.
In this way, cracking the password of a PDF file is done when you don't know or have forgotten the password.
If you press Ctrl+C, pdfcrack saves its progress up to that point in a file called savedstate.sav, in the directory where the PDF is present or in the current directory, so the run can be resumed later.
For further reference visit,
$ man pdfcrack
Deep Sound is a steganography tool and audio converter that hides information in audio files or audio CD tracks. It is a Windows tool. It also lets us extract the secretly hidden data from audio files or CD tracks. DeepSound supports encrypting the secret files with AES-256 (Advanced Encryption Standard) to improve data protection.
This tool can be installed from its official site.
On opening Deep Sound after downloading it on Windows, it looks something like this,
There you can see the Open Carrier Files option; click on it and choose a music file (of any type, such as wav or mp3) in which you want to embed secret files. Then click on the Add Secret Files option next to it and choose the file to embed. Then click the Encode Secret Files option, and you will see a window something like this,
You can also protect the secret file with a password: ticking the checkbox reveals the password option,
where you choose the password with which the file will be encrypted. After clicking the Encode Secret Files option at the bottom, the encoded file is saved in the output directory you specified.
Here's an example of encoding a secret file into an audio file,
Choose an audio file which you needed to embed a file.
Choose the embedding file which you needed to embed it in the audio file.
Click on the Encode secret files option and choose the output format.
Then it will give an another file in the format you specified.
Here's an example of decoding the secret file from the audio file,
In the picture above you can see a file (1(1).wav) under Carrier audio files and the embedded file under Secret file name. Click the Extract secret files option, and the file hidden in that audio is decoded into a separate file.
By going to the directory mentioned in the Information window you will get the embedded file in the audio.
For further information, visit the documentation.
Jsteg is a package for hiding data inside JPEG files with a technique known as steganography. This is accomplished by copying each bit of the data into the least-significant bits (LSB) of the image. The amount of data that can be hidden depends on the file size of the jpeg; it takes about 10-14 bytes of jpeg to store each byte of the hidden data.
```
$ sudo wget -O /usr/bin/jsteg https://github.com/lukechampine/jsteg/releases/download/v0.1.0/jsteg-linux-amd64
$ sudo chmod +x /usr/bin/jsteg
$ sudo wget -O /usr/bin/slink https://github.com/lukechampine/jsteg/releases/download/v0.2.0/slink-linux-amd64
$ sudo chmod +x /usr/bin/slink
```
Jsteg tool can be initialised by typing the following command.
Now, let's hide some data using jsteg. Consider this image of Itachi.
Let the name of the file to be embedded be 'jsteg.txt'.
The file to be embedded contains the following data.
The command to embed a file in the JPEG image is as follows.
$ jsteg hide <in.jpg> <secret file name> <out.jpg>
Now, the image looks like this.
The syntax for revealing data is as follows.
$ jsteg reveal <in.jpg> <output file name>
For further reference, click here.
Zsteg is also a tool like Jsteg but it is used to detect LSB steganography only in the case of PNG and BMP images.
```
$ sudo apt install ruby
$ sudo gem install zsteg
```
Zsteg tool can be initialised by typing the following command.
Now, let's see a challenge from Securinets CTF Quals 2019 in which the following PNG image is given.
Let's use zsteg on this image and see what happens. The syntax is as follows.
$ zsteg <filename>
Then the result can be seen below.
In the above result, we can find some meaningful data embedded in the LSBs of the PNG image. This meaningful data helped in solving the challenge.
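The Jsteg and Zsteg sections both rest on least-significant-bit embedding: each payload bit replaces the lowest bit of a sample, so the carrier changes by at most one unit per byte and looks unchanged. The Python example below is added to show that mechanism end to end and is not code from the page, from jsteg or from zsteg. It works on raw pixel bytes of the kind zsteg examines in PNG/BMP files (jsteg itself writes into JPEG DCT coefficients rather than pixels, which this example does not model), embeds a length-prefixed payload, extracts it again, and runs the zsteg-style heuristic that flags runs of printable ASCII in the LSB plane. The cover "image" is constructed from seeded random bytes; no image file is read.

```python
import random
import re
import struct


def make_cover(width: int = 16, height: int = 16, seed: int = 1234) -> bytes:
    """Constructed sample: raw 8-bit RGB pixel bytes from a fixed seed, standing in
    for the decoded pixel data of a PNG/BMP. Random data is a fair model of the
    LSB plane of a photo, which normally looks like noise."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(width * height * 3))


def embed_lsb(pixels: bytes, payload: bytes) -> bytes:
    """Write a 4-byte big-endian length header plus the payload into the LSB of
    successive bytes, most significant bit first (a simplified layout, not the
    exact channel/bit order jsteg or zsteg use)."""
    message = struct.pack(">I", len(payload)) + payload
    if len(message) * 8 > len(pixels):
        raise ValueError(f"payload too large: cover holds {len(pixels) // 8 - 4} bytes")
    out = bytearray(pixels)
    for i, byte in enumerate(message):
        for bit in range(8):
            pos = i * 8 + bit
            out[pos] = (out[pos] & 0xFE) | ((byte >> (7 - bit)) & 1)
    return bytes(out)


def lsb_plane(pixels: bytes) -> bytes:
    """Collect every byte's lowest bit into bytes (zsteg's 'b1' plane)."""
    out = bytearray()
    for i in range(0, len(pixels) - 7, 8):
        value = 0
        for bit in range(8):
            value = (value << 1) | (pixels[i + bit] & 1)
        out.append(value)
    return bytes(out)


def extract_lsb(pixels: bytes) -> bytes:
    """Reverse of embed_lsb: read the length header, then that many bytes."""
    plane = lsb_plane(pixels)
    length, = struct.unpack(">I", plane[:4])
    if length > len(plane) - 4:
        raise ValueError("length header does not fit the cover: probably no payload")
    return plane[4:4 + length]


def find_printable_runs(pixels: bytes, min_len: int = 6):
    """zsteg-style detection: the LSB plane of an untouched image is noise, so a
    run of printable ASCII in it is worth reporting even without a known header."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, lsb_plane(pixels))


if __name__ == "__main__":
    cover = make_cover()
    stego = embed_lsb(cover, b"flag{constructed_example}")
    print("changed bytes:", sum(1 for a, b in zip(cover, stego) if a != b), "of", len(cover))
    print("extracted:", extract_lsb(stego))
    print("printable runs in LSB plane:", find_printable_runs(stego))
```

Two observations carry over to the real tools: the carrier and the stego file have identical size and differ by at most one intensity level per byte, which is why the Itachi image "looks like this" both before and after; and the printable-run heuristic is exactly why zsteg produced readable text for the Securinets image, since ASCII in a bit plane stands out against the noise of an unmodified photo.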
For further reference of this tool, click here.
TweakPNG is a low-level utility for examining and modifying PNG image files. It supports Windows XP and higher. To make much use of it, you have to be at least familiar with the internal format of PNG files. Since it is a Windows-based tool, we need to install wine to run TweakPNG on Linux.
Installation for wine can be done by executing the following command.
$ sudo apt install wine-stable
TweakPNG executable can be downloaded from here.
Let's open this PNG image in TweakPNG and examine it. Open 64-bit version of TweakPNG using wine. The syntax is as follows.
$ wine tweakpng.exe
Then the following window will be displayed.
Now, if the above cat image is opened in TweakPNG, the following window will be displayed.
For an in-depth understanding of the PNG file structure, click here.
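The edit TweakPNG is most often used for in CTFs is changing a header field, typically the IHDR height, and recomputing the chunk CRC so viewers accept the file again. The Python example below is added to show that edit on bytes (it is not code from the page or from TweakPNG): it patches the height in place, either leaving the CRC stale the way a raw hex edit would or fixing it the way TweakPNG does, and reports whether the stored CRC matches. The 2x4 sample image is constructed inline; the IHDR data offset of 16 follows from the PNG layout (8-byte signature, 4-byte length, 4-byte type).

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
IHDR_DATA_OFFSET = 16   # 8-byte signature + 4-byte length + b"IHDR"; IHDR is always first


def make_chunk(ctype: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png(width: int = 2, height: int = 4) -> bytes:
    """Constructed sample: small 8-bit RGB PNG where each row has a different red level."""
    rows = [b"\x00" + bytes([r * 60, 0, 0]) * width for r in range(height)]
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", zlib.compress(b"".join(rows))) + make_chunk(b"IEND", b""))


def _require_ihdr(png: bytes) -> None:
    if png[:8] != PNG_SIGNATURE or png[12:16] != b"IHDR":
        raise ValueError("not a PNG with IHDR as first chunk")


def ihdr_info(png: bytes) -> dict:
    """Read width/height from IHDR and say whether its stored CRC matches the data."""
    _require_ihdr(png)
    data = png[IHDR_DATA_OFFSET:IHDR_DATA_OFFSET + 13]
    width, height = struct.unpack(">II", data[:8])
    stored, = struct.unpack(">I", png[IHDR_DATA_OFFSET + 13:IHDR_DATA_OFFSET + 17])
    return {"width": width, "height": height,
            "crc_ok": stored == (zlib.crc32(b"IHDR" + data) & 0xFFFFFFFF)}


def set_ihdr_height(png: bytes, height: int, fix_crc: bool = True) -> bytes:
    """Rewrite the IHDR height field. With fix_crc=False the result is what a raw
    hex edit produces (pngcheck reports a CRC error); with fix_crc=True the CRC
    is recomputed over type+data, which is what TweakPNG does for you."""
    _require_ihdr(png)
    out = bytearray(png)
    struct.pack_into(">I", out, IHDR_DATA_OFFSET + 4, height)
    if fix_crc:
        crc = zlib.crc32(b"IHDR" + bytes(out[IHDR_DATA_OFFSET:IHDR_DATA_OFFSET + 13])) & 0xFFFFFFFF
        struct.pack_into(">I", out, IHDR_DATA_OFFSET + 13, crc)
    return bytes(out)


if __name__ == "__main__":
    original = build_sample_png()
    cropped = set_ihdr_height(original, 2)              # bottom two rows are still in IDAT, just not shown
    print("original:", ihdr_info(original))
    print("cropped, CRC fixed:", ihdr_info(cropped))
    print("cropped, CRC stale:", ihdr_info(set_ihdr_height(original, 2, fix_crc=False)))
    print("restored:", ihdr_info(set_ihdr_height(cropped, 4)))
```

The cropped file still carries the full pixel data in IDAT; only the declared height changed, which is why restoring the height (and the CRC) brings the hidden rows back. A stale CRC is the tell-tale sign pngcheck reports when someone has done this edit without a tool like TweakPNG.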