Stegseek is a lightning fast steghide cracker that can be used to extract hidden data from files. It is built as a fork of the original steghide project and, as a result, it is thousands of times faster than other crackers and can run through the entirety of rockyou.txt
* in under 2 seconds.
Stegseek can also be used to extract steghide metadata without a password, which can be used to test whether a file contains steghide data.
Demo: random rockyou.txt password (in real time)
Installation
The following instructions walk you through the installation process. Alternatively, you can run Stegseek in a Docker container. Skip ahead to Docker for instructions.
Releases
Linux
On Ubuntu and other Debian-based systems, you can use the provided .deb
package for installation:
.deb
file using sudo apt install ./stegseek_0.4-1.deb
On other systems you will have to build Stegseek yourself. See BUILD.md for more information.
Windows
Building Stegseek as a native Windows app is sadly not supported. Instead you should run Stegseek using WSL. The Ubuntu WSL distribution is recommended for optimal compatibility.
Once you have configured WSL, Stegseek can be installed using the above Linux instructions.
By default, WSL mounts the C:\
drive at /mnt/c/
, which you can use to easily access your files.
Using Stegseek
Cracking
The most important feature of stegseek is wordlist cracking:
stegseek [stegofile.jpg] [wordlist.txt]
This mode will simply try all passwords in the provided wordlist against the provided stegofile.
Detection & Passwordless Extraction
Stegseek can also be used to detect and extract any unencrypted (meta) data from a steghide image. This exploits the fact that the random number generator used in steghide only has 2^32 possible seeds, which can be bruteforced in a matter of minutes.
stegseek –seed [stegofile.jpg]
This command will tell you:
If you’re (very) lucky and the file was encoded without encryption, this mode will even recover the encoded file for you!
In this demo I used a very secure random password to embed a file, but disabled encryption by passing the -e none
argument to steghide. Within a few minutes, Stegseek is able to recover the embedded file.
Available Arguments
Use stegseek --help
to get the full list of available options:
Stegseek version 0.4
=== Stegseek Help ===
To crack a stegofile:
stegseek [stegofile.jpg] [wordlist.txt]
Commands:
--crack Crack a stego file using a wordlist. This is the default mode.
--seed Crack a stego file by attempting all embedding patterns.
This mode can be used to detect a file encoded by steghide.
In case the file was encoded without encryption, this mode will
even recover the embedded file.
Positional arguments:
--crack [stegofile.jpg] [wordlist.txt] [output.txt]
--seed [stegofile.jpg] [output.txt]
Keyword arguments:
-sf, --stegofile select stego file
-wl, --wordlist select the wordlist file
-xf, --extractfile select file name for extracted data
-t, --threads set the number of threads. Defaults to the number of cores.
-f, --force overwrite existing files
-v, --verbose display detailed information
-q, --quiet hide performance metrics
Use "stegseek --help -v" to include steghide's help.
Steghide
Stegseek includes nearly all of steghide’s functionality, so it can also be used to embed or extract data as normal. The only catch is that commands must use the --command
format.
So steghide embed [...]
becomes stegseek --embed [...]
.
Docker
You can also run Stegseek as Docker container:
docker run –rm -it -v “$(pwd):/steg” rickdejager/stegseek [stegofile.jpg] [wordlist.txt]
This does require that the wordlist and stegofile are located in current working directory, as that folder is mounted to /steg
inside of the container.
Performance
rockyou.txt
in just 2 seconds” claim.RockYou.txt
rockyou.txt
without control characters: “␣␣␣␣␣␣␣1” (7 spaces followed by ‘1’).14344383
out of 14344391
time stegseek 7spaces1.jpg rockyou.txt
Stegseek version 0.4
[i] Read the entire wordlist (14344391 words), starting cracker
[ 14231679 / 14344391 ] (99,21%)
[i] --> Found passphrase: " 1"
[i] Original filename: "secret.txt"
[i] Extracting to "7spaces1.jpg.out"
real 0m1,912s
user 0m10,355s
sys 0m0,144s
And there it is, over 14 million passwords in less than 2 seconds 😍.
How does this compare to other tools?
To test the performance of of other tools, I created several stego files with different passwords, taken from rockyou.txt
. I ran each of the tools with their default settings, except Stegbrute where I increased threading for a fair comparison.
password | Line | Stegseek v0.4 | Stegcracker 2.0.9 | Stegbrute v0.1.1 (-t 8) |
---|---|---|---|---|
“cassandra” | 1 000 | 0.9s | 3.1s | 0.7s |
“kupal” | 10 000 | 0.9s | 14.4s | 7.1s |
“sagar” | 100 000 | 0.9s | 2m23.0s | 1m21.9s |
“budakid1” | 1 000 000 | 0.9s | [p] 23m50.0s | 13m45.7s |
“␣␣␣␣␣␣␣1” | 14 344 383 | 1.9s | [p] 5h41m52.5s | [p] 3h17m38.0s |
[p] = projected time based on previous results.
To compare the speed of each tool, let’s look at the last row of the table (otherwise Stegseek finishes before all threads have started).
At this scale Stegseek is over 10 000 times faster than Stegcracker and over 6000 times faster than Stegbrute.
Changelog
v0.4
2020-12-01
improvements:
rockyou.txt
in 2 secondsv0.3
2020-11-08
improvements:
-xf
argument to --crack
, used to specify the location of the extracted filerockyou.txt
in 4 secondsv0.2
2020-11-05
improvements:
rockyou.txt
in 5 seconds.v0.1
2020-11-04
Initial release, features:
rockyou.txt
in 41 seconds.Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…
This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…
GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…
Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…
The free and open-source security platform SecHub, provides a central API to test software with…
Don't worry if there are any bugs in the tool, we will try to fix…