Transcript
This transcript was autogenerated. To make changes, submit a PR.
Hello everyone. Hope you all are doing well. So let's begin the session on steganography by first introducing myself. My name is Raid Asan and I am Pakistan's youngest cybersecurity expert, and I've also spoken at many conferences and events like Black Hat, JISEC, and cybersecurity summits held by government congresses as well. I'm also a threat researcher and a security researcher, along with being a certified purple teamer, which means that I can perform red team as well as blue team operations together towards protecting an enterprise cybersecurity infrastructure. And I'm also available on LinkedIn for connections. So feel free to ask me any questions or any doubts that you have in the session, or if you want to learn more about it. So yeah, feel free to connect and let's jump right into the session on steganography.

So in today's session we are going to have a look at a live demonstration of how adversaries are able to intercept your request of steganography. Basically, steganography is the art of embedding data behind media files, and why do people use it? Basically, it is to keep your confidential data safe from any unauthorized third-party access. Now suppose you are sending confidential data that contains some bank details or the username or password of some server that is pretty much confidential, and you don't want any unauthorized third party to gain access to it. So what you do is, this is just one of the methods of encryption, or not encryption; basically, it's just one of the ways of keeping your confidential data safe during transit or when it's in dynamic motion. So what you do is that you download any source, or you have any image, or any media file, or any audio file, and behind that image or media file you store your confidential data. In accurate terms, it means that you are embedding your data behind that media file. And what embedding does is that even if it's leaked to an unauthorized third party, they will open it and the data won't be seen; only the image will be seen. But if the adversary has both of the images, or both of the media files, the one that was original as well as the one that was embedded with the data, there will be a difference between file sizes. The one with the embedded data will have a larger file size, and the one without, which was originally downloaded or was from an original source, won't show that variation in size.
So let's see it in action, how adversaries do this. Here I have the Kali Linux machine, and on this side we have our target, which we are going to hack. Now what we are going to do is that we are going to access it; first of all we are going to scan it to see if it's working or not, and if it has a web server application running behind it. And as we can see it has port 80 open, that is the HTTP port. And by this we know that there is a web server running behind it. So we are going to access it in our browser. And this is for demonstration purposes, so I'm going to show you. This was a directory that a hacker is busting on the web server. For directory busting you can use Gobuster, OWASP DirBuster, or the normal, ordinary directory buster tool that is pre-installed on your Kali Linux machine. And here you can see I have the image.jpg and I have the secret.txt file as well. So for now we are interested in the image, and here you can see it's a normal image of a Lamborghini car. So we are going to save it in our directory of steganography hacking and we are going to verify if it's of the correct format. Yes, it shows that it's JPEG format image data, and it's not malformed; the headers are not misplaced and everything is accurate over here. So we are also going to have a look at the secret.txt over here, and it says: please don't share the credentials for my file. It's a secret, data.txt, and password 1234. Now we know that there wasn't any data.txt over here; the file wasn't listed, and nor was the password over here. Like, every credential was stored in the secret.txt. So this gives us a hint that it can be in either of the two files: it can be in the JPEG file or it can be in the web file.

So most people prefer keeping their data, or embedding their data, behind image files. So we are going to see if there is any embedded data behind this image. And the tool I'm going to use is steghide. Steghide is a tool that you can install on your Kali Linux machine or any hacking platform that you are using. And what it does is that it gives you some functions that you can perform. For example, you can extract data as well as embed data into images or any media file. You are focusing on embedding your data and sending it to your receiver or your colleague, et cetera. So we are going to use this tool called steghide. We have the image.jpg with us and we are going to extract it from the source file of image.jpg. And as we know from the secret.txt file which was posted on the web server, we know that there is a data.txt, or there can be this file, with this password that we need to track. Now I'm going to exfiltrate this data.txt from this source file, and it requires a passphrase. And here we have a passphrase over here, password 1234. We can test it out to see if it's working over here. And yes it did. Here it's showing that it wrote extracted data to data.txt. Now here you can see we have data.txt with us and we are going to see what content it has for us. It shows that the username is trunks and the password is user (hint: the s is a dollar symbol). Now what it does is that it has exfiltrated the data from that image file and given me access to the credentials that were stored in that particular file, by cracking that file's password, which was just hosted on the web server in clear text. So there were no complex methods of password cracking like John the Ripper or any password cracking tool that you might use. So it was just a simple task.
Now this username and password can be used to connect over SSH with the victim as well. But for clarity, I'm going to access it directly on the victim's machine over here so that you get a better understanding of how hackers do this. The username is trunks and the password we are going to use is user with the dollar symbol. And as you can see, I have successfully gained access to the user account. Now for verifying, I can show you the id, which is trunks. Now, a hacker doesn't want to stop here. What he aims for is that he needs to escalate his privileges. And from my perspective, my best practice is to see the bash history, or the command history, that the victim might have typed on his or her system or the server they are working on, because history might contain some juicy information. For example, you might have written your username or password, you might have logged in to some websites, or any other system you might have connected to using RDP, SSH, FTP, or any other protocol you're connecting with. And that can show the hacker, the adversary, what usernames and passwords you might have used. So we are going to access the bash history over here: cat .bash_history. Here we can see a Perl programming language command over here that shows the user has created a user called tom, which has been assigned root privileges and is stored in the /etc/passwd directory. And the password is password@973, which is again encrypted. So we are going to see if that user really exists which has been assigned root privileges. Now it's asking for the password of the user tom. So we are going to use the password password@973 in order to see if it really works. So I think I have written the password wrong. password@973. Yes, so we are successfully inside the root-privileged machine. Like, I have escalated my privileges from user to root, and I am able to perform any administrator task on this Linux system.
For example, I can verify whoami, and the id is zero, which means I'm the administrator, and we can cat the txt for where you got root. So we have successfully escalated our privileges and I have shown you a way, or the method, of how hackers use steghide-like tools in order to extract data that you might have embedded behind your media files for confidentiality purposes. And in this way the confidentiality and the integrity and the availability of the data have been broken; like, the complete CIA triad has been broken by the adversary by just using the steganography cracking technique. And you also know the tool that's called steghide. You can also learn more about it for educational purposes, about how hackers and adversaries use these tools in order to extract data and also store data in multiple formats of files. For example, in our case we had a JPEG file, but people can also store it in audio files, in video files, or any document, so that they like... the format of embedding data behind images is a traditional method. Every hacker, whoever sees these images, will surely go in depth on it, will scan it, will analyze it in depth. They'll use these kinds of tools like steghide to see if any embedded data is there behind the file, behind the image file. But if you're using documents or audio files or any video files, that might not be, like, the hacker might not go into in-depth analysis most of the time.

So this was it for today's session of mine, and I hope you have a great day ahead, and that you got to learn some new techniques and insights on how hackers use steganography techniques in order to exfiltrate your confidential data and gain access to your system. So once again, thank you very much for joining my session, and I hope you have a great day ahead.
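The privilege escalation in the talk hinged on a password left in .bash_history. The following is an added example (not from the talk or any project it names) that audits a shell history for commands which leave credentials on disk, so a defender can find and purge them first; the history lines are constructed and the pattern list is an assumed starting point, not an exhaustive one.

```python
"""Audit a shell history file for commands that leave credentials on disk.

Added example, not part of the talk. SAMPLE_HISTORY is constructed and RULES
is an assumed starting set of patterns, not a complete list.
"""
import re
from typing import List, Tuple

# Each rule: (name, regex). Group 1, when present, is the secret to redact.
RULES = [
    ("passwd-file-write", re.compile(r"/etc/(?:passwd|shadow)")),
    ("perl-crypt",        re.compile(r"crypt\(\s*['\"]([^'\"]+)['\"]")),
    ("useradd-p",         re.compile(r"useradd\b.*\s-p\s+(\S+)")),
    ("sshpass",           re.compile(r"sshpass\s+-p\s+(\S+)")),
    ("mysql-p",           re.compile(r"mysql\b.*\s-p(\S+)")),
    ("curl-u",            re.compile(r"curl\b.*\s-u\s+(\S+)")),
    ("kv-password",       re.compile(r"(?:pass(?:word|wd)?|token|secret)=(\S+)", re.I)),
]


def redact(secret: str) -> str:
    """Keep only the first character so a report can be shared safely."""
    return secret[:1] + "*" * (len(secret) - 1) if secret else ""


def scan_history(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, rule_name, redacted_secret) for every hit."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for name, rx in RULES:
            m = rx.search(line)
            if m:
                secret = m.group(1) if m.groups() else ""
                findings.append((n, name, redact(secret)))
    return findings


# Constructed history; line 2 mimics the kind of Perl one-liner seen in the talk.
SAMPLE_HISTORY = [
    "ls -la",
    "perl -e 'print crypt(\"Hunter2!\",\"sa\")'",
    "echo 'tom:$1$abc:0:0::/root:/bin/bash' >> /etc/passwd",
    "sshpass -p S3cret! ssh tom@10.0.0.5",
    "mysql -u root -pRootPw db",
    "curl -u admin:Adm1n https://example.invalid/api",
    "export API_TOKEN=abcd1234",
    "git status",
]

if __name__ == "__main__":
    for n, rule, redacted in scan_history(SAMPLE_HISTORY):
        print(f"history line {n}: {rule} {redacted}")
```

To audit a real account, read the lines of ~/.bash_history (or the shell's equivalent) into scan_history and then remove or rewrite the flagged entries and rotate the exposed credentials.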