| Step | Command | Finds |
|---|---|---|
| 1. Identify | `file image.jpg` | Real format (may differ from extension) |
| 2. Metadata | `exiftool image.jpg` | Comments, GPS, author, embedded thumb |
| 3. Strings | `strings image.jpg \| grep -i flag` | Plaintext data appended to file |
| 4. Binwalk | `binwalk -e image.jpg` | Embedded files (zip, png inside jpg...) |
| 5. Steghide | `steghide extract -sf image.jpg -p ""` | Data embedded with steghide (JPEG/BMP) |
| 6. zsteg | `zsteg -a image.png` | LSB steg in PNG/BMP |
| 7. stegoveritas | `stegoveritas image.png` | Runs many tools at once |
| 8. Hex dump | `xxd image.jpg \| tail -20` | Data appended after EOF marker (FFD9) |
| 9. Diff | `compare original.png suspect.png diff.png` | Visual pixel differences |

```bash
# Supported: JPEG, BMP, WAV, AU

# Check if data is embedded
steghide info image.jpg
steghide info image.jpg -p ""            # empty password

# Extract with empty password
steghide extract -sf image.jpg
steghide extract -sf image.jpg -p ""
steghide extract -sf image.jpg -p "password"

# Extract to specific file
steghide extract -sf image.jpg -of output.txt

# Embed data
steghide embed -cf image.jpg -ef secret.txt
steghide embed -cf image.jpg -ef secret.txt -p "pass"
```
```bash
# stegseek: fast steghide cracker
# Install: https://github.com/RickdeJager/stegseek

# Crack with rockyou
stegseek image.jpg /usr/share/wordlists/rockyou.txt

# Crack with custom wordlist
stegseek image.jpg mywordlist.txt

# Just check if any steghide data (no password)
stegseek --seed image.jpg

# steghide brute via bash (slow fallback)
while IFS= read -r pass; do
  steghide extract -sf image.jpg -p "$pass" -f 2>/dev/null \
    && echo "PASSWORD: $pass" && break
done < rockyou.txt
```
```bash
# Supports PNG, BMP only
# Install: gem install zsteg

# Try all channels
zsteg image.png
zsteg -a image.png                       # exhaustive (all methods)

# Specific channel
zsteg -e b1,r,lsb,xy image.png           # red channel, bit1, LSB, L-R T-B
zsteg -e b1,rgb,lsb,xy image.png
zsteg -e b1,bgr,lsb,xy image.png
zsteg -e b2,rgb,lsb,xy image.png         # bit 2
zsteg -e b1,rgba,lsb,xy image.png        # with alpha

# Save extracted data to file
zsteg -e b1,rgb,lsb,xy image.png > extracted.bin
file extracted.bin                       # check what it is

# Verbose output
zsteg -v image.png
```
```bash
python3 -c "
from PIL import Image
img = Image.open('image.png').convert('RGB')
pixels = list(img.getdata())
# Extract LSB of red channel, left-to-right top-to-bottom
bits = [px[0] & 1 for px in pixels]
# Group into bytes (len(bits)-7 so the final complete byte is not dropped)
chars = []
for i in range(0, len(bits)-7, 8):
    byte = int(''.join(map(str, bits[i:i+8])), 2)
    chars.append(chr(byte))
    if byte == 0: break
result = ''.join(filter(lambda c: 32<=ord(c)<127, chars))
print(result[:200])
"

# Try all channel combinations
python3 -c "
from PIL import Image
img = Image.open('image.png').convert('RGBA')
pixels = list(img.getdata())
for ch in range(4):  # R G B A
    bits = [px[ch] & 1 for px in pixels]
    data = bytes(int(''.join(map(str,bits[i:i+8])),2)
                 for i in range(0,len(bits)-7,8))
    if b'picoCTF' in data or b'flag' in data.lower():
        print(f'Channel {ch}:', data[:100])
"
```
```bash
# Download: https://github.com/eugenekolo/sec-tools/tree/master/stego/stegsolve
java -jar stegsolve.jar

# Load image → use arrow buttons to cycle views:
#   Red plane 0 (LSB of red)
#   Red plane 1
#   ...through all bit planes of R,G,B,A
#   Grey bits, Random colour, Colour inversion

# Analyse menu:
#   Data Extract → manually set: bit, channel, order
#                → save extracted bytes
#   File Format  → check file header / trailer anomalies

# Combine (XOR/AND/OR two images)
#   Analyse → Image Combiner
#   Useful for: two images XOR = hidden message

# Stereo (magic eye / depth illusion)
#   Check if two similar images differ in specific rows
```
```bash
# Runs many steg tools automatically
# pip install stegoveritas
# stegoveritas_install_deps   (first time)
stegoveritas image.png
stegoveritas image.jpg

# Output in ./results/ directory
# Check each file in results/

# stegoveritas checks:
# - all bit planes
# - color channel histograms
# - EXIF data
# - appended data after EOF
# - LSB extraction attempts
# - string extraction
ls ./results/
strings ./results/* | grep -i "flag\|picoCTF"
```
```bash
# Open in Audacity → View → Spectrogram
# OR change track to spectrogram view:
#   Click track name → Spectrogram
#   Zoom in vertically to see hidden text/image

# Sonic Visualiser (better for CTF)
sonic-visualiser audio.wav
# Add Layer → Colour Spectrogram
# Adjust frequency range + colour map

# Generate spectrogram image (CLI)
sox audio.wav -n spectrogram -o spec.png
convert spec.png -resize 200% spec_big.png   # zoom in

# Python spectrogram
python3 -c "
import matplotlib.pyplot as plt
import scipy.io.wavfile as wav
import numpy as np
rate, data = wav.read('audio.wav')
if data.ndim > 1: data = data[:,0]
plt.specgram(data, Fs=rate, cmap='hot')
plt.savefig('spec.png', dpi=200)
"
```
```bash
# WAV LSB extraction
python3 -c "
import wave, struct
w = wave.open('audio.wav', 'rb')
frames = w.readframes(w.getnframes())
# 16-bit samples: unpack as shorts (count from the byte length so
# multi-channel files are unpacked in full, channels interleaved)
count = len(frames) // 2
samples = struct.unpack(f'<{count}h', frames[:count*2])
bits = [s & 1 for s in samples]
chars = [chr(int(''.join(map(str,bits[i:i+8])),2))
         for i in range(0,len(bits)-7,8)]
result = ''.join(filter(lambda c:32<=ord(c)<127, chars))
print(result[:200])
"

# DTMF tones (phone key presses)
multimon-ng -t wav -a DTMF audio.wav

# Morse code in audio
morse2ascii audio.wav   # if installed
# Or: listen manually / Audacity visual inspection

# steghide with WAV
steghide extract -sf audio.wav -p ""
```
```bash
# Show all metadata
exiftool image.jpg

# Key fields to check in CTF:
exiftool -Comment image.jpg              # comment field
exiftool -Artist -Author -Copyright image.jpg
exiftool -Description image.jpg
exiftool -UserComment image.jpg
exiftool -XMPToolkit image.jpg           # XMP data (often abused)
exiftool -GPSLatitude -GPSLongitude image.jpg   # coordinates

# All fields batch across directory
exiftool -r ./images/ | grep -i "flag\|comment\|note"

# Check thumbnail (embedded JPEG in JPEG)
exiftool -b -ThumbnailImage image.jpg > thumb.jpg
file thumb.jpg && steghide info thumb.jpg
```

① exiftool → Comment/Artist/GPS
② strings | grep -i flag
③ binwalk -e → embedded files
④ steghide extract -sf img -p "" + stegseek to crack the passphrase
⑤ zsteg -a image.png for PNG LSB
⑥ stegsolve bit planes + Data Extract
⑦ xxd img | tail → data after EOF marker (FFD9 for JPEG)
⑧ Audio: spectrogram in Audacity / sonic-visualiser
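
The hex-dump check (step 8 / ⑦) finds data after the JPEG EOF marker by eye; the added example below, which is not part of the original cheat sheet, does it by walking the JPEG segments so that an `FFD9` inside an embedded EXIF thumbnail or a stuffed `FF00` byte in the scan data is not mistaken for the end of the image. The function names and the sample bytes are constructed for this example.

```python
import struct
import sys

def jpeg_trailer(data: bytes) -> bytes:
    """Return the bytes that follow the real EOI (FFD9) marker, b'' if none."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker (FFD8)")
    i = 2
    while i + 1 < len(data):
        if data[i] != 0xFF:
            raise ValueError(f"expected a marker at offset {i}")
        marker = data[i + 1]
        if marker == 0xFF:                  # fill byte in front of a marker
            i += 1
            continue
        i += 2
        if marker == 0xD9:                  # EOI: everything after it is a trailer
            return data[i:]
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:
            continue                        # standalone markers carry no length
        if i + 2 > len(data):
            break
        (length,) = struct.unpack(">H", data[i:i + 2])
        i += length                         # length counts its own two bytes
        if marker == 0xDA:                  # SOS: entropy-coded scan data follows
            while i + 1 < len(data):
                nxt = data[i + 1]
                # FF00 is a stuffed byte and FFD0..FFD7 are restart markers
                if data[i] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                i += 1
    raise ValueError("truncated JPEG: no EOI marker found")

def build_sample(trailer: bytes) -> bytes:
    """Constructed test input: a JPEG skeleton (not a decodable picture)."""
    app1_body = b"Exif\x00\x00" + b"\xff\xd8thumb\xff\xd9"   # fake thumbnail
    app1 = b"\xff\xe1" + struct.pack(">H", len(app1_body) + 2) + app1_body
    sos_hdr = b"\x01\x01\x00\x00\x3f\x00"
    sos = b"\xff\xda" + struct.pack(">H", len(sos_hdr) + 2) + sos_hdr
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"                  # stuffed FF + RST0
    return b"\xff\xd8" + app1 + sos + scan + b"\xff\xd9" + trailer

if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 \
        else build_sample(b"PK\x03\x04 constructed trailer")
    extra = jpeg_trailer(raw)
    print(f"{len(extra)} byte(s) after EOI; first bytes: {extra[:16]!r}")
```

Run it with a file path to check a real image; a non-empty result is worth passing to `file` or `binwalk`.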