unforum

[sVz]

Yeah well, I'm not thinking of it as any solution, but out of the 580k+ words I've tried this one makes steghide respond differently, with stegbreak 'boime' is a definite negative.

[Paul_G]

Ok, the big dictionary attack just finished (nearly 2.5 hours to run). With 37.5 million individual attempts in just this attack (not counting the several others I've run), I'm officially conviced that brute force/dictionary attacks will not work.

I'm going to sit back and wait to see if I get anything from Dana. Depending on her response, I may write the stegdetect results off as coincidence and lay this whole angle to rest.

[CoffeeJedi]

just a quick question for all you Stegosauruses:

are you removing the Widow's tale text before you try to unsteg or do you leave it in there? how about trying it both ways?

edit: aw hell, i have to work late anyway, why don't i just download the program and try it while i wait for my servers to reboot!

[linuxfan]

On the wiki, there has been discussion on a possible password for the steg in the whitespcae of the source html hidden as snow. Having never used it before, I downloaded snow, and ran it against the source for honey.html, and seemed to get some kind of result.

[Paul_G]

I've already done a good bit of poking around with SNOW, I don't think it's looking for a password so much as just reporting an error with the compression. If you read the docs, you'll see that you can compress the data before SNOWing it. I remember getting a similar message about residual bits, but I'm pretty sure it's just saying that the bitcount is wrong for decompression to be possible, i.e. there's probably nothing there.

However, the strange spacing on some of the text makes me wonder if there's not some SNOWed text lurking somewhere in the site.

[Roc]

Even if there were snow'd data in the html source, we'd be back to looking for a passphrase for that too. Only I don't know of any mature tools for detecting or running dictionary attacks on snow.

and the passphrase for bee2 is almost certainly a literal phrase, probably with numeric components.

anyone know of a reference for the syntax of stegbreak's rules.ini?
I'm just hacking through it, guessing, but there has to be a reference somewhere.

[mmdoogie]

roc: The stegbreak rules.ini is taken verbatim from John the Ripper.
IIRC, there is a file called RULES in the JtR package describing the syntax.

all: I am currently running a brute-force on all possible passphrases
with length less than 20 characters on the bee2 image. Its been running
for over a day, but, even on my P4-3.0 GHz, it'll take somewhere near
1.3x10^25 millenia to finish. So, if we get anything this way,
it'll be through shear luck.

For anyone on linux wishing to attempt something like this,
get both stegbreak and John the Ripper,
take out all of the rules in the rules.ini except the first one, a single colon :,
then run these two commands:

[Roc]

I've got a rules.ini that contains the default rules, and I've found a few here and there through googling. I also saw where the rules are supposed to follow Solar Designer and John the Ripper syntax - I just can't find a breakdown of that syntax.
I've been mixing the rules and clips and phrases from the wiki, but had no success thus far. What I would like to do though, and why I was interested in the rules, is I'd like to be able to prepend Bungie-isms. Such as multiples of 7, powers of 7, that sort of thing.

Not that I'm working on it night and day, in any case.
I'm not even entirely convinced there's any steganography going on.

[Paul_G]

Experimenting with my own SNOWed files:

To detect possible SNOWed content, just run
>snow thefile.txt

If there is no output, there is definitely no SNOWed content.

If you get a clear message, obviously, you're done.

If you get garbage characters, there is a good possibility that there is SNOWed content that has been compressed and/or encrypted, although this could just be a false positive.

Next, try the following:
>snow -C thefile.txt

If you still get garbage characters, then the content (if it indeed exists) has definitely been encrypted, although not necesarily compressed. If you get here, you're stuck until you find the passphrase.

HTH.

[peeveen1]

Maybe the key is a number ... a big number?

Grasping at straws ... does anyone think there's any significance in the long string of "on"/"off"s that appear on one of the pages? Perhaps a binary number?

If anyone wants to try these:

In base-16 (hexadecimal): 1555552aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

In base-10 (decimal):
632379121302588084728864277240087529058135134281305400381082138940018316855126698

And just for kicks, in base-7:
320004212460141161445605432204420635114464445403034405642333145351455262630300046256352451464406

[quackquack]

Re: Corrupted images

[clamatius]

[Paul_G]

I have run stegdetect on most (not quite all) of the site's images, both original and corrupted. The only one that comes up with anything but "negative" is bee2_margaretphoto.jpg, which comes up with a 3 star possibility of having jphide steg in it.

Hence my interest. None of the other images have even the slightest indication, but this one pegs the meter. However, until I hear back from Dana, I've pretty much exhausted the cracks I can think of.

Steg is very difficult to break, especially when you don't have any hints (original file, passcode length, etc) to get you started, and especially when your knowledge of the entire concept is about two days old

[halofan]

I've got an idea on what might be the keywords.....just to say....but I have two questions first....
1) How do you find hidden info in the pictures? I'm using Mozila Firefox and I've tried readin the source code, but doesn't work for that...

2) How would I be able to access the data in these stegged files you are talking about, and how do I know if each one is stegged or not?

here's my guesses

Oley Oley Oxen Free (Seen it on something else, and, it's something said during Hide and Seek if I recall)... Not sure if that's the speeling though

and did you try using Aunt M's Cat's Name? That might work....or the names of the bees listed on the site?

Also, I've seen things where it's said....If a bee stings you, it dies... and the sort be refenced way too much to be a coincidence....I've seen it on at least 4 different pages, once when it wasn't even relevant....it pops up randomly though, and sparsly....

[halofan]

oh yeah, and maybe something with the pc commands might be a clue too....