Steghide & Steganography Quick Reference
=========================================

STEGHIDE
  # Embed data in image
  steghide embed -cf image.jpg -ef secret.txt
  steghide embed -cf image.jpg -ef secret.txt -p "password"

  # Extract hidden data
  steghide extract -sf image.jpg
  steghide extract -sf image.jpg -p "password"

  # Get info about embedded data
  steghide info image.jpg

  # Supported formats: JPEG, BMP, WAV, AU

ZSTEG (PNG/BMP)
  zsteg image.png                All checks
  zsteg -a image.png             Try all combinations
  zsteg image.png -b 1           Check LSB
  zsteg image.png -E "b1,r,lsb" Extract specific channel

STEGSOLVE (GUI)
  java -jar stegsolve.jar
  # Cycle through bit planes
  # XOR / AND / OR images

OTHER TOOLS
  # strings — find readable text
  strings file
  strings -n 10 file             Min length 10
  strings -e l file              Little-endian

  # exiftool — metadata
  exiftool image.jpg
  exiftool -all= image.jpg       Remove all metadata

  # pngcheck — PNG structure
  pngcheck -v image.png

  # foremost — file carving
  foremost -i image.png -o ./output/

  # outguess
  outguess -r image.jpg output.txt
  outguess -k "password" -r image.jpg output.txt

LSB STEGANOGRAPHY (Python)
  from PIL import Image

  img = Image.open("steg.png")
  px = img.load()
  bits = ""
  for y in range(img.height):
      for x in range(img.width):
          r, g, b = px[x, y][:3]
          bits += str(r & 1)
          bits += str(g & 1)
          bits += str(b & 1)

  msg = bytes(int(bits[i:i+8], 2) for i in range(0, len(bits), 8))
  print(msg)

COMMON CTF WORKFLOW
  1. strings file           Look for readable text
  2. exiftool file           Check metadata / comments
  3. binwalk file            Check for embedded files
  4. steghide info file      Check for steghide data
  5. zsteg file (if PNG)     Check LSB channels
  6. Compare with original   Visual / binary diff
