StegCracker 2 Released

Luke Paris
Paradoxis
Mar 25, 2019


A long time ago, on an awesome pentesting platform far far away, I had a problem. A problem many people that play CTF challenges can probably relate to.

Down the rabbit hole

It’s 3 in the morning, you promised yourself you’d go to bed at 10, but you’re deep down the rabbit hole, stuck on this one machine you simply can’t break into. You’ve scanned every possible port, enumerated thousands of URLs, tried every possible password you could think of. But nothing seems to work.

You get frustrated and cave in, you start looking for hints online. To your surprise, you find out you’re not the only one. There have been lots of angry people posting on Reddit and the official forums that they can’t get anywhere. You keep reading and eventually stumble on a comment:

There’s a private key hidden inside the banner image on the homepage, you need to guess a password in order to gain access to it.

I don’t know about you, but this just rips me straight out of my immersion. It’s not realistic, or ‘clever’, it’s just annoying. You think you’re here to better your pentesting skills, yet you end up having wasted 6 hours on a cheap, unrealistic trick where someone was simply too lazy to put in the effort to make a realistic machine.

The solution

Out of pure frustration, I went online and searched for solutions, and to my surprise, there were very few scripts out there which could do this. Those that did were unintuitive to use, had tons of bugs and would often require you to edit the code for each file you wanted to crack.

So, I wrote it myself! I made a simple, easy-to-use shell script which would loop through the default RockYou wordlist included on every Kali Linux installation and try each password against the file. I published the project and went on with my day.

The project got quite a bit more attention than I expected

While the tool worked fine most of the time, it had some issues. The first and most obvious (as GitHub user pluggles pointed out), was that the tool was actually horribly inefficient.

It wrote every password it tried to the console and each attempt had to wait for the previous one to finish before it could start. Besides that, it had to work with the limitations of Bash (weird side effects include: not being able to handle spaces, skipping the last line when looping over a file if it doesn’t end with a newline and many more).

This is why I decided I’d take the shell script and my Python knowledge and re-write it from scratch.

Introducing, StegCracker 2

StegCracker 2 is a full rewrite of the original, but stays as close to it as possible. The main usage of the tool remains the same: simply call the program, pass a file as its first argument and watch the magic happen.

Upgrade Guide

To upgrade from your previous installation, make sure you have Python 3.6 installed, then remove the old shell script and install the new package from PyPI:

$ sudo rm --force $(which stegcracker)
$ pip3 install stegcracker

Your stegcracker should now be updated. To test this, simply run the program without any arguments and it should show some new options.

Threading

The most obvious change to the program is threading. Instead of waiting for each password attempt to finish before starting the next one, the program now runs many attempts in parallel (16 worker threads by default).

The performance went up almost 2960% based on a rough 60 second test

To specify the number of threads, use:

$ stegcracker file.jpg --threads <number of threads, default: 16>

For additional fine-tuning, you can also change the number of passwords loaded into memory between console updates:

$ stegcracker file.jpg --chunk-size <size, default: 256>

Verbose / Quiet Mode

Sometimes you simply want the password, and nothing else from the program (e.g. if you’re using it inside a script). For this I’ve added quiet mode. To enable it, simply use:

$ stegcracker file.jpg --quiet

This will make sure only the password will be printed to stdout when the script finds the password.

If you run into issues, however, you can also enable verbose mode, which prints the output of each steghide process (along with the thread number) to stderr:

$ stegcracker file.jpg --verbose
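To show how the pieces from the threading section and the quiet/verbose section above fit together, here is an added example of a chunked, threaded wordlist driver. It is not StegCracker’s own code: the `steghide extract -sf/-p/-xf/-f` invocation, the default wordlist path and the `--wordlist` option are assumptions, and everything else is independent of steghide and is exercised with a constructed oracle in `demo()`. It also deliberately handles the two bash pitfalls mentioned earlier (a password containing spaces, and a last line without a trailing newline).

```python
"""Chunked, threaded wordlist driver of the kind described above.

Added example, not StegCracker's own code. Assumed: a `steghide` binary
whose `extract` mode takes -sf/-p/-xf/-f (StegCracker's real invocation
may differ). Everything else is independent of steghide and is run
against a constructed oracle in demo().
"""
import argparse
import subprocess
import sys
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Iterable, Iterator, List, Optional

Attempt = Callable[[str], bool]   # True when the candidate passphrase is right


def read_chunks(lines: Iterable[bytes], chunk_size: int) -> Iterator[List[str]]:
    """Yield candidate passphrases, at most chunk_size per list.

    Works on bytes because RockYou is not valid UTF-8 throughout; bad
    bytes are replaced instead of aborting the run. Only the line ending
    is stripped, so passphrases with spaces survive, and a final line
    without a trailing newline is still yielded.
    """
    chunk: List[str] = []
    for raw in lines:
        chunk.append(raw.decode("utf-8", errors="replace").rstrip("\r\n"))
        if len(chunk) == chunk_size:
            yield chunk
            chunk = []
    if chunk:
        yield chunk


def crack(lines: Iterable[bytes], attempt: Attempt, threads: int = 16,
          chunk_size: int = 256, quiet: bool = False) -> Optional[str]:
    """Return the first passphrase for which attempt() succeeds, else None.

    One chunk is in flight at a time: the wordlist never has to fit in
    memory, the progress line is written once per chunk rather than once
    per password, and a hit stops the run after at most one chunk.
    """
    tried = 0
    with ThreadPoolExecutor(max_workers=threads) as pool:
        for chunk in read_chunks(lines, chunk_size):
            # pool.map keeps result order, so zip pairs each verdict with its candidate
            for candidate, hit in zip(chunk, pool.map(attempt, chunk)):
                if hit:
                    return candidate
            tried += len(chunk)
            if not quiet:
                print(f"Attempted {tried} passwords", file=sys.stderr)
    return None


def steghide_attempt(stego_file: str, passphrase: str, out_file: str,
                     verbose: bool = False) -> bool:
    """One extraction attempt; exit status 0 means the passphrase was right.

    With verbose set, steghide's own output is echoed to stderr together
    with the worker thread that ran it. steghide rejects a wrong passphrase
    before writing anything, so concurrent wrong guesses do not race on out_file.
    """
    proc = subprocess.run(
        ["steghide", "extract", "-sf", stego_file, "-p", passphrase,
         "-xf", out_file, "-f"],   # assumed flags, see module docstring
        stdout=subprocess.PIPE, stderr=subprocess.STDOUT, universal_newlines=True)
    if verbose:
        print(f"[{threading.current_thread().name}] {passphrase!r}: "
              f"{proc.stdout.strip()}", file=sys.stderr)
    return proc.returncode == 0


# Constructed sample wordlist (not RockYou): one entry contains spaces and
# the data has no trailing newline, the two cases the bash version mishandled.
SAMPLE_WORDLIST = b"123456\npassword\nlet me in\nqwerty"


def demo(secret: str = "qwerty") -> Optional[str]:
    """Run the driver against an oracle that stands in for steghide."""
    return crack(SAMPLE_WORDLIST.splitlines(keepends=True),
                 lambda candidate: candidate == secret,
                 threads=4, chunk_size=2, quiet=True)


def main(argv: List[str]) -> int:
    parser = argparse.ArgumentParser(description="threaded steghide cracker")
    parser.add_argument("file")
    parser.add_argument("--wordlist", default="/usr/share/wordlists/rockyou.txt")
    parser.add_argument("--threads", type=int, default=16)
    parser.add_argument("--chunk-size", type=int, default=256)
    parser.add_argument("--quiet", action="store_true",
                        help="print nothing but the passphrase on stdout")
    parser.add_argument("--verbose", action="store_true",
                        help="echo each steghide process's output to stderr")
    args = parser.parse_args(argv)
    out_file = args.file + ".out"
    with open(args.wordlist, "rb") as fp:
        found = crack(fp, lambda pw: steghide_attempt(args.file, pw, out_file, args.verbose),
                      args.threads, args.chunk_size, args.quiet)
    if found is None:
        return 1
    print(found)   # with --quiet this is the only line on stdout
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Because only one chunk is submitted to the pool at a time, `--chunk-size` bounds both memory use and how much work is wasted after a hit, while `--threads` sets how many steghide processes run concurrently; a script consuming the result can rely on stdout carrying the passphrase alone, since every progress and verbose line goes to stderr.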

Unit Tests

For additional stability, I’ve added unit tests to ensure that each change to the project won’t break any other functionality.

Breaking Changes

Because the Python module is named stegcracker, it’s no longer possible to use --update to update your current installation. The new way of updating (via pip) should be more stable and will most likely not change in the near future. For an upgrade guide, scroll up.

Thank You

I’d like to thank everyone for the continued support and nice words I’ve received for making the tool.


Dutch cyber security specialist with a passion for software & penetration testing, my weapons of choice are Python and Linux.