CSCI 530 Lab

Steganography

This lab covers two forms of steganography.

1) hiding a text message within a media file that serves as cover text, using S-Tools in Windows

2) covert channel creation through network packet headers, using the proof-of-concept demo covert_tcp under Linux.


S-Tools: embedding a text message in a photo as covertext

Hiding a file
 a. Obtain the program S-Tools, either from the CSCI 530 Shared Folder on the Instructor drive, or from the CSCI530 Lab website.
 b. Open up S-Tools, after extracting the zip file.
 c. Open up the folder My Documents / My Pictures / Sample Pictures
 d. Double Click on the file Sunset.jpg to open the file using Microsoft Photo Editor
 e. In Microsoft Photo Editor, go to File / Save As… Under Save as Type, select Windows Bitmap (.bmp), and select Save.
 f. Back to the folder, drag Sunset.bmp over to the S-Tools window. You will now see the picture in the S-Tools window.
 g. Go to Start / Run, and type in notepad in the run line
 h. Type in any text that you want into notepad, for example, “This is a test of the steganography tool”
 i. Select Save, select the desktop on the left, and give the text file a name, such as test.txt
 j. Go to the Desktop, where the file test.txt is saved. Drag the file test.txt over the picture displayed in S-Tools.
 k. You will see a window saying “Hiding X Bytes”, where X is the size of the file. You will be asked for a passphrase, to verify the passphrase, and an encryption algorithm. Type “Password” for the passphrase, and select Triple DES for the algorithm.
 l. Another picture of the Sunset will appear, but with a title of “hidden data”. Right click on the image, and select save.
 m. Save the image as hidden_sunset.bmp
 n. You have now hidden a text file within a bitmap

Revealing the hidden text
 a. Open S-Tools
 b. Drag the picture with the hidden text message into the S-Tools window. Using the previous example, the file was hidden_sunset.bmp
 c. Right-Click on the picture, and select Reveal
 d. It will ask for a passphrase, and an encryption algorithm. You must use the exact passphrase and encryption algorithm used above, or you will not be able to see the hidden message.
 e. It might take some time to reveal the hidden file, but once it does, you will see a window that says “Revealed Archive”, with the file name and the size. Right-click on the file name, and select Save as…
 f. Save the file. When you open the saved file, you will see your exact text. 

Limitations of steganography
 a. Using the hidden file above (hidden_sunset.bmp), right click on the file, select open with, and select Microsoft Photo Editor
 b. Go to File / Save As…, and select JPEG as the file type
 c. Close Microsoft Photo Editor.
 d. Double Click on the file hidden_sunset.jpg, which should re-open Microsoft Photo Editor
 e. Go to File / Save As…, and save the file as a bitmap (.bmp). Save the file with the name hidden_sunset2.bmp
 f. Now drag the file hidden_sunset2.bmp, and try to reveal the hidden text using the instructions above.


covert_tcp: hitching a ride in a packet header

In VMware, boot your fedora7 virtual machine. In it, you will want 3 separate virtual terminals (independent command sessions). You will run covert_tcp as a server in one, as a client in another, and in the third you will run tcpdump to record what happens between them. There are several virtual terminals provided and you can switch among them with the key combinations <ctrl>-<alt>-<Fn> where Fn is a function key and n represents its number.

Login as root. You are in virtual terminal 1. Switch to virtual terminal 2:

<ctrl>-<alt>-<F2>

Login as root again, there.

Switch to virtual terminal 3:

<ctrl>-<alt>-<F3>

Login as root again, there. Now switch back to virtual terminal 2:

<ctrl>-<alt>-<F2>

Obtain the demo program's source code:

wget http://www-scf.usc.edu/~csci530l/downloads/covert_tcp.c

Compile it:

gcc covert_tcp.c -o covert_tcp

We're now ready to 1) run the receiver/server in terminal 2, 2) run a listening packet sniffer in terminal 3, and 3) run the sender/client in terminal 1. The client will send something to the server while the sniffer detects it. In your current terminal (2), launch the server:

./covert_tcp -server -source 127.0.0.1 -file captured.txt

Now switch to terminal 3:

<ctrl>-<alt>-<F3>

and launch the "listener:"

tcpdump -nntvi lo

Now switch to terminal 1. Then prepare something to send, specifically the first 3 letters of your last name in uppercase. As an example I'll use the last name "Smith" (you use yours please). After preparing it, send it. The whole sequence is:

<ctrl>-<alt>-<F1>
echo -n SMI > stufftosend.txt
./covert_tcp -dest 127.0.0.1 -source 127.0.0.1 -file stufftosend.txt
 

Switch briefly to terminal 2.

<ctrl>-<alt>-<F2>

Note that the server printed your 3 letters as it received them. Then switch to terminal 3.

<ctrl>-<alt>-<F3>

Terminate the capture:

<ctrl>-<C>

and study the results on the screen. Locate the content of the IP identification field in the 3 packets that carried your letters from client to server. Verify that each one is the ASCII value of its letter times 256.

Repeat, but this time to produce a file that records the exchange. Relaunch tcpdump, with different syntax:

tcpdump -i lo -w captured.cap

Return to terminal 1 and re-send:

<ctrl>-<alt>-<F1>
./covert_tcp -dest 127.0.0.1 -source 127.0.0.1 -file stufftosend.txt
 

Return to terminal 3 and terminate the capture (which doesn't show up on the screen this time, because it is diverted into a file instead). The file captured.cap can be "replayed" by tcpdump. Please replay it. The whole sequence is:

<ctrl>-<alt>-<F3>
<ctrl>-<C>
tcpdump -vXr captured.cap


Do it again, saving the output to a file you will incorporate in your lab report:

tcpdump -vXr captured.cap > captured.textdump

Retain a copy of this file for use in your lab write-up. You could for example write it onto a floppy with:

mcopy captured.textdump a:

Alternatives are to put it on a USB flash drive (probably requires a mounting step, floppy is easier) or, if you have an ftp account somewhere, to send it there using the character-based "ftp" command. (You might, just might, even manage to email it to yourself with something like " cat captured.txt | mail -s assignment <your email address> " though I would never guarantee it.)


For reference

For each letter of the alphabet, here's the encoding you'll find representing it in the IP Identification field when you use covert_tcp in ipid mode (the default). If you use seq mode, where covert_tcp places its covert payload characters in the TCP sequence number field instead, they will appear there in their own right, printable, represented as usual by their ASCII value unmodified.

Letter Ascii x256
A 65 16640
B 66 16896
C 67 17152
D 68 17408
E 69 17664
F 70 17920
G 71 18176
H 72 18432
I 73 18688
J 74 18944
K 75 19200
L 76 19456
M 77 19712
N 78 19968
O 79 20224
P 80 20480
Q 81 20736
R 82 20992
S 83 21248
T 84 21504
U 85 21760
V 86 22016
W 87 22272
X 88 22528
Y 89 22784
Z 90 23040
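
The check described above (IP Identification = ASCII value times 256) can also be automated from the analyst's side. The following is an added example, not part of the original lab or of covert_tcp: it reads a classic pcap capture, pulls the Identification field from each IPv4 header, and keeps only the values that fit the table. It assumes Ethernet framing (link type 1); the function names and the sample capture built in build_pcap are constructed for illustration.

```python
import struct

def build_pcap(ip_ids):
    """Constructed sample capture: one Ethernet/IPv4/TCP SYN frame per IP ID."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1
    lo_addr = bytes([127, 0, 0, 1])
    for ip_id in ip_ids:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0, 64, 6, 0,
                         lo_addr, lo_addr)  # checksum left at 0 (sample only)
        tcp = struct.pack("!HHIIBBHHH", 1234, 80, 0, 0, 0x50, 0x02, 512, 0, 0)
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

def ip_ids_from_pcap(data):
    """Return the IPv4 Identification field of each Ethernet/IPv4 frame."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if order is None:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(order + "I", data[20:24])[0] != 1:
        raise ValueError("expected Ethernet link type (1)")
    ids, pos = [], 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack(order + "I", data[pos + 8:pos + 12])[0]
        frame = data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        # EtherType 0x0800 and IP version 4; the ID is bytes 4-5 of the IP header
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00" and frame[14] >> 4 == 4:
            ids.append(struct.unpack("!H", frame[18:20])[0])
    return ids

def decode_ipid_channel(ids):
    """Keep IDs shaped like ASCII * 256: low byte 0, high byte printable."""
    text = ""
    for ip_id in ids:
        high, low = divmod(ip_id, 256)
        if low == 0 and 32 <= high < 127:
            text += chr(high)
    return text

if __name__ == "__main__":
    # S, M, I from the lab's table, mixed with two constructed unrelated IDs
    sample = build_pcap([21248, 7238, 19712, 0, 18688])
    print(decode_ipid_channel(ip_ids_from_pcap(sample)))
```

To run it on the lab's own capture, pass the bytes of captured.cap to ip_ids_from_pcap instead of the constructed sample. An ordinary packet can have a zero low byte in its ID by chance, so a single match means little; a run of consecutive matches that spells readable text is the signal.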

 

Assignment

Perform all the steps above to demonstrate using steganography. In your lab report answer the following questions:

1. Why were you not able to reveal the hidden text after converting the file to a .jpg, and then back to a .bmp?
2. S-Tools uses a combination of Steganography and Cryptography (it encodes the file using an encryption algorithm). Are there cases where we want to use only one or the other?
3. Is it easy or difficult to detect Steganography? What techniques and/or tools are used to detect Steganography in a file?
4. Using Bacon’s cipher, state the plaintext that is masked in the covertext
"USc atHlETICS is SURpasSed BY ComPuTer ScIenCE"
5. At the end of your report insert the content of your "captured.textdump" file
