What is Steghide?

Steghide is an open-source steganography tool that allows you to hide secret files inside image (JPEG, BMP) or audio (WAV, AU) files. The main concept is to hide information so that the existence of the secret message is not noticeable.

Concept Behind Steganography

Steganography differs from cryptography because:

  • Encryption: Makes the message unreadable, but obvious (anyone can see that there is a coded message)
  • Steganography: Hides the existence of the message (the secret message "walks" disguised in a regular file)

Steghide works by modifying the least significant bits (LSB) of the data in the cover file; these changes are imperceptible to the human senses.
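The following is an added illustration of the LSB idea, not steghide's own code (steghide's real embedding scheme is more elaborate). It spreads a constructed secret one bit per byte over a constructed stand-in for pixel or sample data, then shows the two properties that make the change hard to notice: no byte moves by more than 1, and bytes beyond the payload are untouched. The extractor also refuses a carrier that holds no payload instead of over-reading it. All names and sample data are assumptions made for this example.

```python
# Added illustration of the LSB idea (not steghide's own code, which uses a more
# elaborate embedding scheme): one secret bit replaces the lowest bit of each
# cover byte, so no byte moves by more than 1.

# Constructed stand-in for raw pixel or audio sample data (4096 bytes).
COVER = bytes(range(256)) * 16
SECRET = b"meet at dawn"


def embed_lsb(cover: bytes, secret: bytes) -> bytes:
    """Return a copy of cover whose LSBs carry a 4-byte length prefix plus secret."""
    payload = len(secret).to_bytes(4, "big") + secret
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError(f"cover too small: need {len(bits)} bytes, have {len(cover)}")
    out = bytearray(cover)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit  # clear the LSB, then write the secret bit
    return bytes(out)


def extract_lsb(stego: bytes) -> bytes:
    """Read the length prefix, then that many bytes, back out of the LSBs."""
    def read_bytes(start_bit: int, count: int) -> bytes:
        result = bytearray()
        for byte_i in range(count):
            value = 0
            for bit_i in range(8):
                value = (value << 1) | (stego[start_bit + byte_i * 8 + bit_i] & 1)
            result.append(value)
        return bytes(result)

    if len(stego) < 32:
        raise ValueError("carrier too small to hold a length prefix")
    length = int.from_bytes(read_bytes(0, 4), "big")
    if 32 + length * 8 > len(stego):
        # A carrier with no payload yields a garbage length here; refuse rather than over-read.
        raise ValueError("length prefix exceeds carrier size; no valid payload")
    return read_bytes(32, length)


def max_byte_change(cover: bytes, stego: bytes) -> int:
    """Largest per-byte difference the embedding introduced (1 for pure LSB)."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def untouched_tail_is_identical(cover: bytes, stego: bytes, secret: bytes) -> bool:
    """Bytes beyond the payload region are never modified."""
    used = (4 + len(secret)) * 8
    return cover[used:] == stego[used:]


if __name__ == "__main__":
    stego = embed_lsb(COVER, SECRET)
    print("recovered:", extract_lsb(stego))
    print("max change per byte:", max_byte_change(COVER, stego))
```

The same property that makes the change invisible to a viewer is what a detector has to work with: a statistical test on the LSB plane, not a visual inspection, is what reveals this kind of embedding.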

Usage Details with Examples

1. Hide a File (Embed)

steghide embed -cf photo.jpg -ef secret_file.txt
  • -cf: Cover file
  • -ef: File to be hidden (embedded file)
  • You will be prompted for a password to encrypt the data

2. Extract a File (Extract)

steghide extract -sf photo.jpg
  • -sf: Steganographic file (stego file)
  • Steghide will attempt to extract hidden data, asking for the password.

3. Check for Hidden Data

steghide info suspicious_file.jpg
  • Shows information about embedded files (format, encryption algorithm)

4. Specify a Password Directly

steghide embed -cf photo.jpg -ef secret.txt -p "mypassword"
steghide extract -sf photo.jpg -p "mypassword"

Practical Use

Step 1: Extracting the Hidden File

└─ $ steghide extract -sf HackerAccessGranted.jpg
Enter passphrase:
wrote extracted data to "id_rsa"
  • An RSA private key (id_rsa) was extracted from the image

Step 2: RSA Key Contents

The extracted key is encrypted with AES-128-CBC, as indicated by the headers:

Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,7265FC656C429769E4C1EEFC618E660C

Step 3: Cracking the RSA Key Password

└─ $ ssh2john id_rsa > id_rsa.john

└─ $ john id_rsa.john --wordlist=/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
  • ssh2john: Converts the SSH key to a John the Ripper-compatible format
  • john: Brute-force/dictionary password cracking tool
  • Password found: superpassword
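Step 2 shows a key in the legacy PEM format, and Step 3 shows why that matters: legacy PEM derives the encryption key from the passphrase with a single MD5 round, so an offline wordlist run is cheap. The following added example (not steghide's, John's or OpenSSH's code) is an audit helper that classifies how a private key file is protected, so keys found in backups, images or home directories can be flagged before anyone extracts them. The samples are constructed to mirror the headers in Step 2 with the key material omitted; the OpenSSH-v1 sample only builds the header fields the inspector reads. All function names are assumptions made for this example.

```python
# Added example (not steghide's, John's or OpenSSH's code): classify how a private
# key file is protected. Defender use: audit keys found in backups, images or home
# directories for missing or legacy passphrase protection.
import base64
import re
import struct

# Constructed sample mirroring the headers shown in Step 2 (key material omitted).
LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,7265FC656C429769E4C1EEFC618E660C

<base64 key material omitted>
-----END RSA PRIVATE KEY-----
"""

# Constructed sample of a legacy key saved without any passphrase.
LEGACY_PLAIN = """-----BEGIN RSA PRIVATE KEY-----
<base64 key material omitted>
-----END RSA PRIVATE KEY-----
"""


def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def make_openssh_sample(cipher: bytes, kdf: bytes, rounds: int) -> str:
    """Constructed OpenSSH-v1 header: only the fields the inspector reads (a real
    file continues with the public key and the private section)."""
    kdfopts = _ssh_string(b"\x00" * 16) + struct.pack(">I", rounds) if kdf == b"bcrypt" else b""
    blob = (b"openssh-key-v1\x00" + _ssh_string(cipher) + _ssh_string(kdf)
            + _ssh_string(kdfopts) + struct.pack(">I", 1))
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


def inspect_private_key(pem: str) -> dict:
    """Report format, whether a passphrase protects the key, and the cipher/KDF used."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group(1), m.group(2)
    if label == "OPENSSH PRIVATE KEY":
        blob = base64.b64decode("".join(body.split()))
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_string(blob, len(magic))
        kdf, off = _read_string(blob, off)
        kdfopts, off = _read_string(blob, off)
        rounds = None
        if kdf == b"bcrypt":
            _salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack_from(">I", kdfopts, o)
        return {"format": "openssh-v1", "encrypted": cipher != b"none",
                "cipher": cipher.decode(), "kdf": kdf.decode(), "kdf_rounds": rounds}
    # Legacy PEM: protection is declared in RFC 1421-style headers before the blank line.
    headers = {}
    for line in body.strip().splitlines():
        if ":" not in line:
            break
        key, value = line.split(":", 1)
        headers[key.strip()] = value.strip()
    encrypted = headers.get("Proc-Type") == "4,ENCRYPTED"
    cipher = headers["DEK-Info"].split(",")[0] if encrypted and "DEK-Info" in headers else None
    return {"format": "legacy-pem", "encrypted": encrypted, "cipher": cipher,
            "kdf": "EVP_BytesToKey(MD5, 1 iteration)" if encrypted else None,
            "kdf_rounds": 1 if encrypted else None}


def assess(info: dict) -> str:
    """One-line verdict used to rank findings."""
    if not info["encrypted"]:
        return "UNPROTECTED: anyone holding the file can use the key"
    if info["format"] == "legacy-pem":
        return "WEAK: legacy PEM derives the key with one MD5 round, cheap to guess offline"
    return f"OK: {info['kdf']} with {info['kdf_rounds']} rounds slows every offline guess"


if __name__ == "__main__":
    for name, pem in [("legacy", LEGACY_ENCRYPTED), ("plain", LEGACY_PLAIN),
                      ("modern", make_openssh_sample(b"aes256-ctr", b"bcrypt", 16))]:
        print(name, assess(inspect_private_key(pem)))
```

The fix for a key flagged WEAK is to re-encrypt it in the OpenSSH format with a bcrypt work factor, for example `ssh-keygen -p -o -a 100 -f id_rsa`, and to treat any key that has been exposed (as in this walkthrough) as compromised regardless of passphrase strength.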

Commands that would follow to use the key with SSH:

# Restrict permissions so ssh accepts the key (ssh refuses private keys readable by others)
chmod 600 id_rsa

# Connect to an SSH server using the key
ssh -i id_rsa user@target-server.com