Categories: Kali Linux

StegCloak : Hide Secrets With Invisible Characters In Plain Text Securely Using Passwords

StegCloak is a pure JavaScript steganography module designed in functional programming style, to hide secrets inside text by compressing and encrypting the secret before cloaking it with special unicode invisible characters.

It can be used to safely watermark strings, invisible scripts on webpages, texts on social media or for any other covert communication. Completely invisible!. See how it works in-depth in this medium article or watch our demo to know what it does.

Features

  • Protect your invisible secret using passwords and HMAC integrity
  • Cryptographically secure by encrypting the invisible secret using AES-256-CTR.
  • Uses 6 Invisible characters in unicode characters that works everywhere in the web. Including the most important ones Tweets, Gmail, Whatsapp, Telegram, Instagram, Facebook etc.
  • Maximum Compression to reduce the payload (LZ, Huffman).
  • Completely invisible, uses Zero Width Characters instead of white spaces or tabs.
  • Super fast! Hides the Wikipedia page-source for steganography (800 lines and 205362 characters) within a covertext of 3 words in under one second.
  • Hiding files in strings can be achieved by uploading the file to cloud and stegcloaking the link in the string
  • Written in pure functional style.
  • Usage – Available as an API module, a CLI and also a Web Interface (optimized with web workers).

Installing

Using npm,

$ npm install -g stegcloak

Using npm (to use it locally in your program),

$ npm install stegcloak

How it works?

CLI Usage

  • Hide

$ stegcloak hide

  • Options:

hide [options] [secret] [cover]

-fc, –fcover Extract cover text from file
-fs, –fsecret Extract secret text from file
-n, –nocrypt If you don’t need encryption (default: false)
-i, –integrity If additional security of preventing tampering is needed (default: false)
-o, –output Stream the results to an output file
-c, –config Config file
-h, –help display help for command

  • Reveal

$ stegcloak reveal

  • Options:

reveal [message]

-f, –file Extract message from file
-cp, –clip Copy message directly from clipboard
-o, –output Stream the secret to an output file
-c, –config Config file
-h, –help display help for command

Additional Support

  • STEGCLOAK_PASSWORD environment variable if set will be used by default as password
  • Config file support to configure Stegcloak CLI and to avoid prompts. Read Config docs here

API Usage

const StegCloak = require('stegcloak');

const stegcloak = new StegCloak(true, false);  // Initializes with encryption true and hmac false for hiding

// These arguments are used only during hide

// Can be changed later by switching boolean flags for stegcloak.encrypt and stegcloak.integrity

What’s HMAC and do I need it?

HMAC is an additional fingerprint security step taken towards tampering of texts and to verify if the message received was actually sent by the intended sender. If the data is sent through WhatsApp, Messenger or any social media platform, this is already taken care of! However, if you are using StegCloak in your program to safely transmit and retrieve, this option can be enabled and StegCloak takes care of it.

Hide

stegcloak.hide(secret,password,cover) -> string

const magic = stegcloak.hide("Voldemort is back", "mischief managed", "The WiFi's not working here!");

// Uses stegcloak.encrypt and stegcloak.integrity booleans for obfuscation

console.log(magic);  // The WiFi's not working here!

Reveal

stegcloak.reveal(data, password) -> string

const secret = stegcloak.reveal(magic, "mischief managed");

// Automatically detects if encryption or integrity checks were done during hide and acts accordingly

console.log(secret); // Voldemort is back

Important

StegCloak doesn’t solve the Alice-Bob-Warden problem, it’s powerful only when people are not looking for it and it helps you achieve that really well, given its invisible properties around the web! It could be safely used for watermarking in forums, invisible tweets, social media etc. Please don’t use it when you know there’s someone who is actively sniffing your data – looking at the unicode characters through a data analysis tool. In that case, even though the secret encoded cannot be deciphered, the fact lies that the Warden (middle-man) knows some secret communication took place, because he would have noticed an unusual amount of special invisible characters.

Resources

The following papers were referred to for insight and understanding of using Zero Width Characters in steganography.

  • Milad Taleby Ahvanooey, Qianmu Li , Jun Hou, Ahmed Raza Rajput and Chen Yini

Modern Text Hiding, Text Steganalysis, and Applications: A Comparative Analysis

  • Taleby Ahvanooey, Milad & Li, Qianmu & Hou, Jun & Dana Mazraeh, Hassan & Zhang, Jing.

AITSteg: An Innovative Text Steganography Technique for Hidden Transmission of Text Message via Social Media. IEEE Access

R K

Recent Posts

Shadow-rs : Harnessing Rust’s Power For Kernel-Level Security Research

shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation…

1 week ago

ExecutePeFromPngViaLNK – Advanced Execution Of Embedded PE Files via PNG And LNK

Extract and execute a PE embedded within a PNG file using an LNK file. The…

2 weeks ago

Red Team Certification – A Comprehensive Guide To Advancing In Cybersecurity Operations

Embark on the journey of becoming a certified Red Team professional with our definitive guide.…

3 weeks ago

CVE-2024-5836 / CVE-2024-6778 : Chromium Sandbox Escape via Extension Exploits

This repository contains proof of concept exploits for CVE-2024-5836 and CVE-2024-6778, which are vulnerabilities within…

3 weeks ago

Rust BOFs – Unlocking New Potentials In Cobalt Strike

This took me like 4 days (+2 days for an update), but I got it…

3 weeks ago

MaLDAPtive – Pioneering LDAP SearchFilter Parsing And Security Framework

MaLDAPtive is a framework for LDAP SearchFilter parsing, obfuscation, deobfuscation and detection. Its foundation is…

3 weeks ago