CTF steganography

#ctf Some personal summaries of steganography

One 、 File separation

1.binwalk binwalk -e sim.jpg Separate files

2.foremost foremost file name -o Output directory name

3.dd dd if= Source file of= Destination filename bs=1 count= A few pieces skip= Number of bytes to begin separation Parameter description ： if=file Output file name of=file Output file name bs=bytes At the same time, set the read-write block size to bytes, May replace ibs and obs skip-blocks Skip from the beginning of the input file blocks Start copying after blocks

4. File merge ： cat gif01 gif02 gif03 > 1.gif md5sum 1.gif see 1.gif Of MD5 Check value

Two 、 Picture steganography

1.zsteg xxx.png testing lsb Steganography

2.wbstego encryption bmp

3.TwwakPNG testing crc Check value

4.bftools stay Windows Of cmd Next , Decrypt the encrypted picture file

 Format ：
bftools.exe  decode  braincopter   The name of the picture to decrypt  -output  Output file name 

5.stegdetect The tool detects the encryption method Mainly used to analyze peg file

stegdetect  xxx.jpg

stegdetect -s Sensitivity xxx.jpgex

6.<img src="https://img-blog.csdnimg.cn/20200828231104472.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3RhbnN0eV96aA==,size_16,color_FFFFFF,t_70#pic_center" alt=" Insert picture description here "> 7.<img src="https://img-blog.csdnimg.cn/20200828231122421.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3RhbnN0eV96aA==,size_16,color_FFFFFF,t_70#pic_center" alt=" Insert picture description here ">

3、 ... and 、 Pseudo encryption of compressed files

I won't say the principle , Just use the simplest way Use ZipCenOp.jar Directly crack the pseudo encryption

1. java -jar ZipCenOp.jar e xxx.zip  encryption 
2. java -jar ZipCenOp.jar r xxx.zip  Decrypt 
3. java -jar ZipCenOp.jar r LOL.zip

rar File pseudo encryption ： The first 24 individual 16 The mantissa of the hexadecimal number is changed to 0

Four 、 Traffic Forensics

wireshark Filter command ：

1. Filter IP, Ruyuan IP Or the goal x.x.x.x
ip.src  eq  x.x.x.x  or  ip.dst eq x.x.x.x

2. Filter port 
tcp.port eq 80 or udp.port eq 80
tcp.dstport ==80   Display only tcp The target port of the protocol is 80‘
tcp.srcport ==80  Display only tcp The source port of the protocol is 80
tcp.port  >=1  and  tvp.port <=80


3.http Mode filtering 

<img src="https://img-blog.csdnimg.cn/20200828231341468.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3RhbnN0eV96aA==,size_16,color_FFFFFF,t_70#pic_center" alt=" Insert picture description here "> Tracking flow

common HTTP Stream key content ： 1、HTML Contains important information directly 2、 Upload or download file content , Usually contains the file name 、hash Value and other key information , Commonly used POST Request upload 3、 In a word, Trojans ,POST request , It contains eval, Content to use base64 encryption

wireshark Data Extraction file – Export object

Wireless traffic packet ：

1.aircrack-ng Check cap package ：
aircrack-ng  xxx.cap

2. use aircrack-ng Run the dictionary to crack the handshake package 
aircrack-ng  xxx.cap  -w  pass.txt