Certainly many people recognized Lena in some earlier post on bindump or bin2file and asked themselves: "WTH? Why keep Lena in the article?". Now I can say that the real goal of bindump and bin2file is to hide information _into any file_ (knowing exactly what you are doing) or _on any part of a hard disk_ (knowing exactly what you are doing), having the opportunity to _manage every single bit_. As a PoC I wrote a message inside the boot loader. DON'T TRY THIS AT HOME!!! (if you don't know what you are doing) All these steps have been done on my Debian virtual machine (called elisabetha, in honor of Dracula's wife).

I extract the boot loader:

```
elisabetha:~# dd if=/dev/sda of=BOOT_LOADER.ORIG bs=466 count=1
1+0 records in
1+0 records out
466 bytes (466 B) copied, 0.00416124 s, 112 kB/s
```

Then I write the string "eddy22 was here" into the text file insert_in_boot_loader:

```
elisabetha:~# ./bindump insert_in_boot_loader
00000000 01100101 01100100 01100100 01111001 00110010 00110010 00100000 01110111 eddy22 w
00000008 01100001 01110011 00100000 01101000 01100101 01110010 01100101 00001010 as here.
elisabetha:~# ./bindump insert_in_boot_loader > insert_in_boot_loader.txt
```

Now I copy the bits from insert_in_boot_loader.txt to boot_loader.txt ...and I "reassemble" (with bin2file) the new boot loader with the message and overwrite the old one:

```
elisabetha:~# cat boot_loader.txt
[...]
00000416 00010000 10101100 00111100 00000000 01110101 11110100 11000011 00000000 ..<.u...
00000424 01100101 01100100 01100100 01111001 00110010 00110010 00100000 01110111 eddy22 w
00000432 01100001 01110011 00100000 01101000 01100101 01110010 01100101 00001010 as here.
00000440 01001101 10011111 00001011 00000000 00000000 00000000 10000000 00000001 M.......
[...]
```
```
elisabetha:~# cat boot_loader.txt | cut -c10-80 | xargs ./bin2file -w new_boot_loader
elisabetha:~# ls -l BOOT_LOADER.ORIG new_boot_loader
-rw-r--r-- 1 root root 466 9 apr 18:22 BOOT_LOADER.ORIG
-rw-r--r-- 1 root root 466 9 apr 18:25 new_boot_loader
elisabetha:~# dd if=new_boot_loader of=/dev/sda bs=466 count=1
1+0 records in
1+0 records out
466 bytes (466 B) copied, 0.00327222 s, 142 kB/s
```

Now I reboot and... it works! (-:

ATTENTION!!! If you have fuck*d your system, restore the original boot loader with this command:

```
# dd if=BOOT_LOADER.ORIG of=/dev/sda bs=466 count=1
```

Well, the first part is over. The next example will show you how to hide a "secret" file into another file; even better, we will use two files: has anybody said that we must use only one file to hide information? (-; The secret file (called "secret") is here.

First I use bindump to extract the bits from the secret file (and I cut off the first and last columns of the output):

```
eddy22@elisabetha:~/myprog/bindump$ ls -l secret
-rw-r--r-- 1 eddy22 eddy22 13277 9 apr 19:32 secret
eddy22@elisabetha:~/myprog/bindump$ ./bindump secret | cut -c10-80 > secret.txt
```

I count the lines of the new file and split it in half:

```
eddy22@elisabetha:~/myprog/bindump$ cat secret.txt | wc -l
1660
eddy22@elisabetha:~/myprog/bindump$ sed -n "1,830w secret1.txt" secret.txt
eddy22@elisabetha:~/myprog/bindump$ sed -n "831,\$w secret2.txt" secret.txt
eddy22@elisabetha:~/myprog/bindump$ ls -l secret*
-rw-r--r-- 1 eddy22 eddy22 13277 9 apr 19:32 secret
-rw-r--r-- 1 eddy22 eddy22 59760 9 apr 19:39 secret1.txt
-rw-r--r-- 1 eddy22 eddy22 59760 9 apr 19:39 secret2.txt
-rw-r--r-- 1 eddy22 eddy22 119520 9 apr 19:35 secret.txt
```

Now I choose two files as boxes: an mp3 file and a bitmap file.

```
eddy22@elisabetha:~/myprog/bindump$ ./bindump 04\ Fade\ To\ Black.mp3 > fade_to_black.txt
```
To include the first part of the secret I use a regular expression and a simple Perl script that inserts the bits one at a time into the least significant bit of the first byte of every line whose offset matches the regular expression:
```perl
# Core of stega.pl (fragment): @con holds the secret bits, $i indexes the next one.
# For each bindump line whose offset matches the regex, the character at position 16,
# the least significant bit of the line's first byte, is replaced by the next secret bit.
if (($i <= $#con) && /^.[19][258]/) {
    substr ($_, 16, 1, $con[$i++]);
}
```

```
eddy22@elisabetha:~/myprog/bindump$ ./stega.pl fade_to_black.txt secret1.txt fade_secret.txt
```
Now I "reassemble" the steganographed mp3 file (using bin2file) and repeat the same steps for the bitmap file (but with a different regular expression):
```
eddy22@elisabetha:~/myprog/bindump$ cat fade_secret.txt | cut -c10-80 | xargs ./bin2file -w fade_secret.mp3
eddy22@elisabetha:~/myprog/bindump$ ls -l *.mp3
-rw-r--r-- 1 eddy22 eddy22 10012025 18 mar 15:14 04 Fade To Black.mp3
-rw-r--r-- 1 eddy22 eddy22 10012025 9 apr 19:43 fade_secret.mp3
eddy22@elisabetha:~/myprog/bindump$ ./bindump lena.bmp > lena.txt
```
```perl
# Same step in stega.pl for the bitmap: only the regex on the offset changes.
if (($i <= $#con) && /^.....[4-9]/) {
    substr ($_, 16, 1, $con[$i++]);
}
```
```
eddy22@elisabetha:~/myprog/bindump$ ./stega.pl lena.txt secret2.txt lena_secret.txt
eddy22@elisabetha:~/myprog/bindump$ cat lena_secret.txt | cut -c10-80 | xargs ./bin2file -w lena_secret.bmp
```
Here we are at last: the secret file is split and hidden into fade_secret.mp3 and lena_secret.bmp!!! Now the reverse path, to get the secret back:

```
eddy22@elisabetha:~/myprog/bindump$ ./bindump fade_secret.mp3 | grep -m53120 "^.[19][258]" | cut -c17 | perl -nle 'undef $\; print $_' | sed -e 's/\(........\)/\1 /g' | xargs ./bin2file -w secret_destega
eddy22@elisabetha:~/myprog/bindump$ ./bindump lena_secret.bmp | grep -m53096 "^.....[4-9]" | cut -c17 | perl -nle 'undef $\; print $_' | sed -e 's/\(........\)/\1 /g' | xargs ./bin2file -w secret_destega
eddy22@elisabetha:~/myprog/bindump$ file secret_destega
secret_destega: JPEG image data, JFIF standard 1.02
eddy22@elisabetha:~/myprog/bindump$ cp secret_destega secret_destega.jpg
```

I should explain that -m53120 and -m53096 are the number of bits to extract for the first and second half of the secret file. One last thing, as I wrote in my last post: the file bin2file takes as its argument is opened in append mode, so that it can be used with multiple files. Here is the secret file:
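To make the embedding step (stega.pl) and the grep/cut extraction pipeline above checkable offline, here is an added Python re-implementation of the bindump line layout, the bin2file reassembly, the LSB substitution and the extraction; it is not the author's code. It assumes a constructed 4096-byte cover, uses the page's lena.bmp regex, and takes the column numbers (position 16 in the script, column 17 for cut) and the `cut -c10-80` range from the page's own commands.

```python
import re

# Added re-implementation of the page's tool chain, not the author's bindump/bin2file/
# stega.pl. Assumed line layout: "<8-digit offset> <8 space-separated 8-bit groups> <ascii>",
# so index 16 (column 17, 1-based) is the LSB of the row's first byte.

def bindump(data):
    lines = []
    for off in range(0, len(data), 8):
        row = data[off:off + 8]
        bits = " ".join(format(b, "08b") for b in row)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in row)
        lines.append(f"{off:08d} {bits} {text}")
    return lines

def bin2file(lines):
    # Same columns as `cut -c10-80`: only the binary groups, the ascii column is ignored.
    return bytes(int(tok, 2) for line in lines for tok in line[9:80].split())

def embed(cover_lines, secret, pattern):
    # stega.pl logic: on each line whose offset matches `pattern`, overwrite the LSB of
    # the first byte with the next secret bit (the ascii column goes stale; harmless).
    bits = "".join(format(b, "08b") for b in secret)
    i, out = 0, []
    for line in cover_lines:
        if i < len(bits) and re.match(pattern, line):
            line = line[:16] + bits[i] + line[17:]
            i += 1
        out.append(line)
    if i < len(bits):  # the page's script would silently drop the rest
        raise ValueError(f"cover too small: {len(bits) - i} bits not embedded")
    return out

def extract(stego_lines, nbits, pattern):
    # grep -m nbits "<pattern>" | cut -c17 | regroup into 8-bit groups | bin2file
    bits = [l[16] for l in stego_lines if re.match(pattern, l)][:nbits]
    return bytes(int("".join(bits[k:k + 8]), 2) for k in range(0, len(bits), 8))

# Constructed inputs: a 4096-byte pseudo-cover and the page's message as the secret.
COVER = bytes((i * 37 + 11) % 256 for i in range(4096))
SECRET = b"eddy22 was here\n"
PATTERN = r"^.....[4-9]"  # the page's lena.bmp regex: hundreds digit of the offset is 4-9

def stego_bytes():
    return bin2file(embed(bindump(COVER), SECRET, PATTERN))

def round_trip():
    # Re-dump the reassembled stego file, exactly as the extraction pipeline does.
    return extract(bindump(stego_bytes()), len(SECRET) * 8, PATTERN)
```

`round_trip()` returns the secret bytes unchanged, and comparing `stego_bytes()` with `COVER` shows that at most one cover byte per embedded bit differs, which is what makes the file size and format of the box survive.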