{"id":13608911,"url":"https://github.com/RickdeJager/stegseek","last_synced_at":"2025-04-12T17:33:19.791Z","repository":{"id":47538129,"uuid":"308354794","full_name":"RickdeJager/stegseek","owner":"RickdeJager","description":":zap: Worlds fastest steghide cracker, chewing through millions of passwords per second :zap:","archived":false,"fork":false,"pushed_at":"2023-10-10T12:20:59.000Z","size":1604,"stargazers_count":1029,"open_issues_count":4,"forks_count":111,"subscribers_count":17,"default_branch":"master","last_synced_at":"2024-11-07T14:42:31.984Z","etag":null,"topics":["brute-force","cracking","ctf","ctf-tools","pentesting","security","steganography","stegcracker","steghide","stego"],"latest_commit_sha":null,"homepage":"","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/RickdeJager.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2020-10-29T14:33:10.000Z","updated_at":"2024-11-06T17:45:31.000Z","dependencies_parsed_at":"2024-01-29T09:19:22.932Z","dependency_job_id":"bb7cd68c-5fee-46a5-9c7b-5a6af8d67673","html_url":"https://github.com/RickdeJager/stegseek","commit_stats":null,"previous_names":[],"tags_count":7,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RickdeJager%2Fstegseek","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RickdeJager%2Fstegseek/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RickdeJager%2Fstegseek/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RickdeJager%2Fstegseek/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/RickdeJager","download_url":"https://codeload.github.com/RickdeJager/stegseek/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248605412,"owners_count":21132165,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["brute-force","cracking","ctf","ctf-tools","pentesting","security","steganography","stegcracker","steghide","stego"],"created_at":"2024-08-01T19:01:30.946Z","updated_at":"2025-04-12T17:33:14.783Z","avatar_url":"https://github.com/RickdeJager.png","language":"C++","funding_links":[],"categories":["C++","3. [↑](#-content) Cryptography","Steganography","Exfiltration"],"sub_categories":["[↑](#-content) 3.3 Steganalysis","Steganography"],"readme":"# :zap: Stegseek\n\nStegseek is a lightning fast steghide cracker that can be used to extract hidden data from files. It is built as a fork of the original steghide project and, as a result, it is _thousands of times_ faster than other crackers and can run through the entirety of **`rockyou.txt`\\* in under 2 seconds.**  \n  \nStegseek can also be used to extract steghide metadata without a password, which can be used to test whether a file contains steghide data.\n  \n\u003e\\* `rockyou.txt` is a well-known password list with over 14 million passwords.\n\n## Demo: random rockyou.txt password (in real time)\n\n![](./.demo/crack.gif \"PoC || GTFO\")\n\nSkip ahead to [Performance](#chart_with_upwards_trend-performance) for some raw numbers.\n\n# :wrench: Installation\n\nThe following instructions walk you through the installation process. Alternatively, you can run Stegseek in a Docker container. Skip ahead to [Docker](#whale-docker) for instructions.\n\n## Releases\n\n### Linux\n\nOn recent Ubuntu and other Debian-based systems, you can use the provided `.deb` package for installation:\n\n1. Download the latest [Stegseek release](https://github.com/RickdeJager/stegseek/releases)\n1. Install the `.deb` file using `sudo apt install ./stegseek_0.6-1.deb`  \n  \nOn other systems you will have to build Stegseek yourself. See [BUILD.md](BUILD.md) for more information.  \n\n### Windows\n\nBuilding Stegseek as a native Windows app is sadly not supported. Instead you should run Stegseek using [WSL](https://docs.microsoft.com/en-us/windows/wsl/about). The Ubuntu WSL distribution is recommended for optimal compatibility.  \nOnce you have configured WSL, Stegseek can be installed using the above Linux instructions.  \n\nBy default, WSL mounts the `C:\\` drive at `/mnt/c/`, which you can use to easily access your files.\n\n\n# :arrow_forward: Using Stegseek\n\n## Cracking\nThe most important feature of stegseek is wordlist cracking:\n```\nstegseek [stegofile.jpg] [wordlist.txt]\n```\n\nThis mode will simply try all passwords in the provided wordlist against the provided stegofile.\n\n## Detection and passwordless extraction (CVE-2021-27211)\nStegseek can also be used to detect and extract any **unencrypted** (meta) data from a steghide image. This exploits the fact that the random number generator used in steghide only has 2^32 possible seeds, which can be bruteforced in a matter of minutes.  \n\n```\nstegseek --seed [stegofile.jpg]\n```  \nThis command will tell you:\n* Whether this file actually contains steghide content.\n* How much hidden content the file contains.\n* How the content was encrypted  .\n  \nIf you're (very) lucky and the file was encoded without encryption, this mode will even recover the encoded file for you!  \n  \nThe below demo features [a challenge from X-MAS CTF 2020](https://ctftime.org/writeup/25391). A flag was hidden using a secure random password, but without encryption enabled.\nWithin a few minutes, Stegseek is able to recover the embedded file without needing to guess the correct password.\n\n![](./.demo/seed.gif \"Sped up by a factor of 3 for your viewing pleasure.\")\n\n## Available arguments\n\nUse `stegseek --help` to get the full list of available options:\n```\n=== StegSeek Help ===\nTo crack a stegofile:\nstegseek [stegofile.jpg] [wordlist.txt]\n\nCommands:\n --crack                 Crack a stego file using a wordlist. This is the default mode.\n --seed                  Crack a stego file by attempting all embedding patterns.\n                         This mode can be used to detect a file encoded by steghide.\n                         In case the file was encoded without encryption, this mode will\n                         even recover the embedded file.\nPositional arguments:\n --crack [stegofile.jpg] [wordlist.txt] [output.txt]\n --seed  [stegofile.jpg] [output.txt]\n\nKeyword arguments:\n -sf, --stegofile        select stego file\n -wl, --wordlist         select the wordlist file\n -xf, --extractfile      select file name for extracted data\n -t, --threads           set the number of threads. Defaults to the number of cores.\n -f, --force             overwrite existing files\n -v, --verbose           display detailed information\n -q, --quiet             hide performance metrics (can improve performance)\n -s, --skipdefault       don't add guesses to the wordlist (empty password, filename, ...)\n -n, --nocolor           disable colors in output\n -c, --continue          continue cracking after a result has been found.\n                         (A stego file might contain multiple embedded files)\n -a, --accessible        simplify the output to be more screen reader friendly\n\nUse \"stegseek --help -v\" to include steghide's help.\n```\n\n## Steghide\nStegseek includes nearly all of steghide's functionality, so it can also be used to embed or extract data as normal. The only catch is that commands must use the `--command` format.  \nFor example, `steghide embed [...]` becomes `stegseek --embed [...]` .  \n\n### Positional arguments\n* `stegseek --embed \u003cdata\u003e \u003ccoverfile\u003e [\u003cstegofile\u003e]`\n* `stegseek --extract \u003cstegofile\u003e [\u003coutput\u003e]`\n\n# :whale: Docker\nYou can also run Stegseek as Docker container:\n\n```\ndocker run --rm -it -v \"$(pwd):/steg\" rickdejager/stegseek [stegofile.jpg] [wordlist.txt]\n```\n\nThis does require that the wordlist and stegofile are located in current working directory, as that folder is mounted to `/steg` inside of the container.\n\n# :chart_with_upwards_trend: Performance\nThis is where Stegseek really shines. As promised, let's start with the \"`rockyou.txt` in just 2 seconds\" claim.  \nAll of these numbers are measured on a laptop with an Intel i7-7700HQ CPU @ 2.80GHz and 8 GB of RAM.  \n\n## RockYou.txt\nI picked the last password in `rockyou.txt` without control characters: \"␣␣␣␣␣␣␣1\" (7 spaces followed by '1').  \nThis password is on line `14344383` out of `14344391`  \n\n```\n\u003e StegSeek 0.6 - https://github.com/RickdeJager/StegSeek\n\n[i] Found passphrase: \"       1\"          \n[i] Original filename: \"secret.txt\".\n[i] Extracting to \"7spaces1.jpg.out\".\n\n\nreal\t0m1,211s\nuser\t0m9,488s\nsys\t0m0,084s\n```\n\nAnd there it is, over 14 million passwords in less than 2 seconds :heart_eyes:.\n\n## How does this compare to other tools?\n\nTo test the performance of of other tools, I created several stego files with different passwords, taken from `rockyou.txt`. I ran each of the tools with their default settings, except Stegbrute where I increased threading for a fair comparison.\n\n| password    | Line        | Stegseek v0.6  | Stegcracker 2.0.9 | Stegbrute v0.1.1 (-t 8) |\n|-------------|-------------|----------------|-------------------|-------------------------|\n| \"cassandra\" | 1 000       |          0.05s |              3.1s |                    0.7s |\n| \"kupal\"     | 10 000      |          0.05s |             14.4s |                    7.1s |\n| \"sagar\"     | 100 000     |          0.09s |           2m23.0s |                 1m21.9s |\n| \"budakid1\"  | 1 000 000   |          0.73s | [p]      23m50.0s |                13m45.7s |\n| \"␣␣␣␣␣␣␣1\"  | 14 344 383  |          1.21s | [p]    5h41m52.5s | [p]          3h17m38.0s |\n\n[p] = projected time based on previous results.  \n  \n  \n----\n  \n\nTo compare the speed of each tool, let's look at the last row of the table (otherwise Stegseek finishes before all threads have started).  \n\nAt this scale Stegseek is over **12 000** times faster than Stegcracker and over **7000** times faster than Stegbrute.\n\n# :notebook: Changelog\n\n## v0.6\n2021-04-18  \nimprovements:  \n* Fixed BMP cracking for files with a large palette.\n* Added a `--continue` flag to search for multiple hidden files.\n* Added an `--accessible` flag to make the CLI more screen reader friendly\n* Made the CLI more consistent, added colors.\n* `--crack` and `--seed` now throw proper exit codes for easier scripting.\n* Lower performance overhead for metrics.\n* fixed compiler flags for default build. \n\n## v0.5\n2020-12-28  \nimprovements:  \n* Uses way less memory (memory usage is no longer tied to Wordlist length)\n* Wordlist is loaded on the fly, so we can start cracking immediately.\n* Fixed high false positive rate on `--seed`  \n  \n## v0.4\n2020-12-01  \nimprovements:  \n* Added seed cracking to allow for passwordless data extraction\n* Overhauled parser to allow for positional arguments\n* cracks `rockyou.txt` in 2 seconds\n### v0.4.1\n2020-12-23  \nFixed a bug where stegseek would fail to find a password on rare occasions.\n\n## v0.3\n2020-11-08  \nimprovements:  \n* Made threading lock-free s.t. multiple threads are used more efficiently\n* Added `-xf` argument to `--crack`, used to specify the location of the extracted file\n* Made the .deb package compatible with Debian/Kali\n* cracks `rockyou.txt` in 4 seconds\n\n## v0.2\n2020-11-05  \nimprovements:  \n* Give up on a passphrase once a single bit of the magic fails to decode\n* Removed costly BitString / EmbData allocations\n* Improved performance of the selector\n* cracks `rockyou.txt` in 5 seconds.\n\n## v0.1\n2020-11-04  \nInitial release, features:  \n* Only loads the stego file once, unlike conventional crackers\n* Workpool based threading\n* Attempts to crack the first 3 bytes first, before attempting full decryption\n* Added .deb package and docker container\n* cracks `rockyou.txt` in 41 seconds.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FRickdeJager%2Fstegseek","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FRickdeJager%2Fstegseek","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FRickdeJager%2Fstegseek/lists"}