PGP
When transferring sensitive information, a security professional should take some
precautions. PGP has long been the de-facto standard for sharing sensitive information.
Phil Zimmermann created PGP; ownership recently passed from NAI to the newly formed
PGP Corporation. PGP uses a combination of conventional (symmetric) and public-key
cryptography to let users encrypt data, verify its integrity and origin, and communicate
securely with people they have never met.
PGP Details
• Name: PGP
• Operating system: most operating systems
• License: freeware for personal use
• Protocol used: N/A
• Category: encryption
• Description: a tool that can integrate within
mail clients and also be a stand-alone
application to encrypt and digitally sign files
• URL: http://www.pgp.com/
The following topics and action items are covered in this chapter:
• Installing PGP
• Running and Using PGP
• Exporting a Key
• Encrypting Files
• Fingerprint Verification
PGP Background
• PGP was written by Phil Zimmermann
• It was originally written to help people
protect their files from eavesdroppers
• PGP quickly became the de-facto
standard across the Internet
• There is a commercial version and a
free version for personal use
PGP’s Purpose
• PGP provides an easy way to integrate
encryption into existing applications
– For e-mail, it has plug-ins
– For other applications, you save the file
and then encrypt it
• Encryption uses someone’s public key
• Decryption uses your private key
PGP Architecture
• The following are the steps PGP takes when signing and encrypting a message:
– Runs the message through a hash function
– Signs the hash with your private key (often described as "encrypting the hash
with your private key")
– Encrypts the message and signature with a random one-time session key, using a
conventional (symmetric) cipher
– Encrypts that session key with the recipient's public key and attaches it to the message
• Note: Some steps can be skipped (sign only, encrypt only, or conventional
encryption with a passphrase instead of public keys)
PGP Installation
• Unzip the file
• Double-click the exe installation
program
• Import a key ring
• Select options
• Restart your computer
Installing PGP 8
Following are the steps for installing PGP 8:
1. To start the installation of PGP 8.0, unzip the PGP800-PF-W.zip file and
then double-click the PGP8.exe executable contained within it.
3. The License Agreement window appears. If you accept the terms of the
License Agreement, click Yes. Otherwise, click Cancel and move on to
the next chapter.
5. The User Type window appears. Select No, I’m a New User and click
Next.
6. The Install Directory window appears. Accept the default location and
click Next.
8. The Start Copying Files window appears. Click Next to start the
installation.
10. The PGP 8.0 install complete window appears. Because PGP uses a
number of device drivers to perform its duties, you must restart the system
before PGP can start. Click Finish to restart your system.
Running PGP
• First time: create a public/private key
pair
• Configure PGP using the options under
PGP tray
– Time to store pass phrase
– Types of encryption to use
• Use PGP tray to select the options you
want
• You can also use the plugins for various
mail clients
Security Essentials Cookbook © 2003 SANS 16-8
Creating PGP Key Pairs
The next step is the creation of a PGP key pair. Follow these steps:
2. The Name and E-mail Assignment window appears. Because you will
be sharing your public key with many people and possibly housing it on a
public-key server, enter the full name and e-mail address you want others
to know you by, and then click Next.
3. The Passphrase Assignment window appears. After you enter a full
name and e-mail address, the PGP Key Generation Wizard prompts you to
enter a passphrase. Select a strong one: The only thing protecting your
private key from a person with access to it is your passphrase. PGP
stresses the use of passphrases instead of passwords because they can be
stronger if chosen wisely. Enter and confirm your passphrase and then
click Next.
4. The Key Generation Progress window appears. This window shows the
status of the key generation process. When this process is done, click
Next.
You should notice a new item in your system tray. The padlock on the left is the PGP
tray.
1. Right-clicking the PGP tray opens a pop-up menu. From here, you can
access all components of the PGP tray. This section takes a look at some
of the PGP tray components.
2. While the PGP tray right-click menu is open, click PGPkeys. The
PGPkeys window appears. It displays the key you created earlier. As you
obtain the public keys of others, they are added to PGPkeys. You should
notice that the validity and trust columns are both set. Because you own
the key, you implicitly trust yourself. Click Edit, Options.
3. The PGP Options window appears. The default view is of the General
tab. Leave the Always encrypt to default key option checked. Because
the key you created earlier is set as the default key, anything you encrypt
will be encrypted for your key as well as any others you select, so you can
always decrypt your own outgoing data. With the Faster key generation
option checked, PGP does not calculate a new set of random prime numbers
when creating key pairs. There is not much of a security risk in leaving this
option checked, but unchecking it can make key creation take much longer.
The Number of passes option tells PGP how many times to overwrite a file
when securely wiping it.
4. Click on the Files tab. The Files options tab shows you the path to your
public and private key rings. Your public key ring contains all of the
public keys that you have collected, including your own. The private key
ring contains any private keys you have created or obtained and should
remain in a secure location because the only thing protecting it is that
super-secure passphrase you assigned to it.
5. Click on the E-mail tab. The E-mail options tab contains settings for your
e-mail software. Depending on your level of paranoia, you might want to
start signing your messages by default. Doing this allows anyone with
your public key to verify that a message in fact came from you. The
Secure Viewer option is for really paranoid people. Anything you encrypt
with the Secure Viewer must be read in the Secure Viewer application.
You cannot copy the text or "print screen" any of the contents within the
viewer.
6. Click on the HotKeys tab. The HotKeys options tab allows you to set up
shortcuts to commonly used operations, such as encrypting and decrypting
text within the current window.
7. Click on the Servers tab. The Servers option tab lists the default key
servers that can be used to store your public keys. You can add additional
servers to the list by clicking New.
8. Click on the Advanced tab. The Advanced options tab is used to
configure the algorithms and trust levels within PGP. Note the grayed-out
option, Warn when encrypting to keys with ADKs. The commercial
version of PGP gives you the ability to create preconfigured installations
for PGP. One of the options you can configure is the inclusion of an ADK,
or additional decryption key. If you assign an ADK to an installation of
PGP, the user cannot encrypt anything without the ADK being included as
a recipient. That way, if he forgets his passphrase, or if his key becomes
corrupt, you can decrypt any data with the ADK. The same property makes
an ADK an escrow key: whoever holds it can read everything encrypted by
those installations, so it must be protected at least as carefully as any
private key, and this warning option is what tells you that a recipient's
key carries one.
Exporting a Key
1. To send your public key to another person, you need to export it to an .asc
file. To accomplish this, right-click on the key in the PGPkeys window,
and then select Export.
2. The Export Key to File window appears. When saving your key, make sure that
you do not select Include Private Key(s) unless you intentionally want to send someone
your private key. Select or enter a filename and click OK.
Encrypting a File
One of the most common tasks that you will perform with PGP is the encryption of
documents. Following are the steps for encrypting a file:
1. Open WordPad and type a message that you would like to encrypt. Save
the file as Sensitive_Data.rtf.
2. Using Windows Explorer, locate your message file and right-click on it.
Select PGP, Encrypt & Sign. The Create SDA option allows you to
create a passphrase-protected, self-extracting executable that anyone can
open, even if they do not have PGP installed.
3. The PGPshell - Key Selection Dialog window appears. Because you do
not have any other keys on the public key ring, the only possible recipient
is your key. This is where you have the opportunity to do a number of
additional tasks, such as wipe the original file or encrypt the file using
conventional encryption, which uses passphrases instead of public keys.
Select your key and click OK.
5. In Windows Explorer, you should now see two files, the original file and
the PGP encrypted file.
6. Open the encrypted file using WordPad to ensure that all contents are in
fact encrypted.
7. Delete the unencrypted file, and rename the encrypted file from
Sensitive_Data.rtf.pgp to Public Data.rtf. Now it won't draw as much attention
from a casual look at the directory listing. Be aware that this is cosmetic only:
the file's contents still begin with PGP packet headers (or a
-----BEGIN PGP MESSAGE----- banner if it was ASCII-armored), so anyone who
inspects the file, or any tool that identifies files by content rather than by
extension, will still recognize it as PGP-encrypted data.
8. You just renamed a PGP encrypted file to a plain old .rtf file. Let's make
sure that the contents are still encrypted by opening the file with
WordPad.
9. Yep, still encrypted. To decrypt the file, right-click on it and select Open
With, PGP Encryption/Decryption Tool.
11. The PGPlog window appears. It details the information about the file that
was encrypted.
12. Looking back in the Windows Explorer window, you can see that a
new file was created with the name of the original file you encrypted.
13. When you are done with the file, you can securely wipe the file from the
file system. Right-click on the file, and select PGP, Wipe.
14. The Are you sure … window appears. Before PGP wipes the file, it
prompts you for confirmation because once the file is wiped, there is no
return. Click Yes and the file is securely deleted. Keep in mind what a wipe
can and cannot do: it overwrites the blocks the file currently occupies, but
copies that exist elsewhere (temporary files, backups, journaling or versioning
features of the file system, or flash media that remap writes to new cells)
are not touched, so a wipe is a defence-in-depth measure rather than a guarantee.
Fingerprint Verification
To ensure that the public key you have received is in fact the public key of the original
sender, PGP provides a unique fingerprint with each key: a hash of the key material that
cannot be altered without changing the fingerprint. You can find the fingerprint by
right-clicking your key in the PGPkeys window and selecting Key Properties. The
fingerprint appears as a list of words or as a hexadecimal string.
When you receive a public key, you can call the other party and ask her to read her
fingerprint to you. If the fingerprints match, you can be reasonably sure that the key was
not tampered with or substituted on its way to you. Compare the full fingerprint, not just
the short key ID shown in the key list: anyone can generate a key whose name and e-mail
address match yours, and a short key ID is easy to collide. This window also provides
you with an interface to change the passphrase for your private key (note the Change
Passphrase button).
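The sign-then-encrypt flow described under PGP Architecture, and the fingerprint comparison described here, as an added example that is not part of the original cookbook and is not PGP's code. It uses only the Python standard library: textbook RSA without padding stands in for PGP's RSA/DH key types, a SHA-256 counter-mode keystream with an HMAC tag stands in for the conventional cipher (CAST5, IDEA, AES) and PGP's integrity check, and the fingerprint is a SHA-256 hash of the public key rather than the OpenPGP v4 fingerprint. The key sizes, the packet layout and the `fingerprints_match` helper are this example's own choices, not PGP's format.

```python
"""Sign-then-encrypt in the shape of a PGP message, plus a fingerprint check.
Added teaching example: textbook RSA, a SHA-256 keystream and HMAC stand in
for PGP's real key formats, ciphers and integrity check."""
import hashlib, hmac, math, secrets
from dataclasses import dataclass

def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin with random witnesses."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # full size and odd
        if is_probable_prime(candidate):
            return candidate

@dataclass
class RsaKey:
    n: int
    e: int
    d: int = 0                     # 0 means "public key only"
    def public(self) -> "RsaKey":
        return RsaKey(self.n, self.e)

def generate_keypair(bits: int = 512) -> RsaKey:
    """Textbook RSA (no padding); 512 bits is for demo speed only."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return RsaKey(p * q, e, pow(e, -1, phi))

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Conventional-cipher stand-in: XOR with SHA-256(key||nonce||counter) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + (i // 32).to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def pgp_encrypt(message: bytes, sender: RsaKey, recipient_pub: RsaKey) -> dict:
    """Hash the message, sign the hash with the sender's private key, encrypt
    message+signature under a one-time session key, wrap that key for the recipient."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    signature = pow(digest, sender.d, sender.n)      # "encrypt the hash with your private key"
    sig_bytes = signature.to_bytes((sender.n.bit_length() + 7) // 8, "big")
    body = len(message).to_bytes(4, "big") + message + sig_bytes
    session_key, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    ciphertext = _keystream_xor(session_key, nonce, body)
    tag = hmac.new(session_key, nonce + ciphertext, "sha256").digest()    # integrity check
    wrapped = pow(int.from_bytes(session_key, "big"), recipient_pub.e, recipient_pub.n)
    return {"wrapped_key": wrapped, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}

def pgp_decrypt(packet: dict, recipient: RsaKey, sender_pub: RsaKey) -> bytes:
    """Unwrap the session key, check integrity, decrypt, then verify the signature."""
    sk = pow(packet["wrapped_key"], recipient.d, recipient.n)
    if sk >> 128:
        raise ValueError("session key does not unwrap: not encrypted to this key")
    session_key = sk.to_bytes(16, "big")
    expected = hmac.new(session_key, packet["nonce"] + packet["ciphertext"], "sha256").digest()
    if not hmac.compare_digest(expected, packet["tag"]):
        raise ValueError("integrity check failed: wrong key or modified ciphertext")
    body = _keystream_xor(session_key, packet["nonce"], packet["ciphertext"])
    mlen = int.from_bytes(body[:4], "big")
    message, sig_bytes = body[4:4 + mlen], body[4 + mlen:]
    recovered = pow(int.from_bytes(sig_bytes, "big"), sender_pub.e, sender_pub.n)
    if recovered != int.from_bytes(hashlib.sha256(message).digest(), "big"):
        raise ValueError("signature does not verify under the claimed sender's key")
    return message

def fingerprint(pub: RsaKey) -> str:
    """Hash of the public key material, grouped in fours for reading aloud."""
    material = pub.n.to_bytes((pub.n.bit_length() + 7) // 8, "big") + pub.e.to_bytes(4, "big")
    hexdigest = hashlib.sha256(material).hexdigest().upper()
    return " ".join(hexdigest[i:i + 4] for i in range(0, 64, 4))

def fingerprints_match(read_out_of_band: str, local: str) -> bool:
    """Compare the fingerprint read over the phone with the local one, ignoring case and spacing."""
    norm = lambda s: "".join(s.split()).upper()
    return hmac.compare_digest(norm(read_out_of_band), norm(local))

if __name__ == "__main__":
    alice, bob = generate_keypair(), generate_keypair()
    packet = pgp_encrypt(b"The wire transfer code is 4471.", alice, bob.public())
    print(pgp_decrypt(packet, bob, alice.public()), fingerprint(alice.public()))
```

The order of checks on the receiving side is the point worth noticing: the integrity tag is verified before anything is decrypted or parsed, and the signature is checked against the key of the person the message claims to come from, so a message encrypted to you by an impostor still fails. The fingerprint check normalizes spacing and case because a fingerprint read aloud never arrives formatted exactly as the key window shows it.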
PGP Summary
Cisco ConfigMaker
ConfigMaker allows
administrators to more
effectively design and maintain
their corporate infrastructure
Cisco ConfigMaker
So it is Monday morning on your first day of work when your new boss comes into your
cube with the following assignment: map out our Cisco environment and provide him
with a schematic of the company's topology. Because you are brilliant and worth every
cent you are paid, you browse on over to Cisco's website and download Cisco
ConfigMaker.
This is a wonderful utility provided by Cisco for Cisco environments (makes sense) that
not only maps out the network, much as Microsoft Visio or What's Up Gold do, but also
assists with configuring devices by generating the Cisco IOS configuration files. The
program is designed to get a network running during its initial roll-out. After installing
the devices and applying the generated settings, the administrator will still need to
fine-tune the configuration by hand.
ConfigMaker Details
• Name: ConfigMaker
• Operating system: Windows
• License: Shareware
• Protocol used: multiple
• Category: network design and configuration
• Description: ConfigMaker is a tool that allows
administrators to not only map out and design
their networks, but to also maintain the
environment through remote management
• URL: http://www.cisco.com
The following topics and action items are covered in this chapter:
Please note you can download Cisco ConfigMaker version 2.6, from now on simply
referred as ConfigMaker, from Cisco at:
http://www.cisco.com/univercd/cc/td/doc/clckstrt/cfgmkr/download.htm
ConfigMaker Background
• This tool was created to assist
administrators with the task of
designing their corporate networks
as well as having the ability to
centrally control not only the IOS
on the multiple devices, but also
the configurations
ConfigMaker’s Purpose
• To provide a central console to
design, test and maintain a Cisco
environment
• This tool also allows you to add
non-Cisco devices
Installing ConfigMaker
1. The easiest way to install this product is to locate the executable you
downloaded (or the copy on the CD) and double-click on the file.
The Welcome window appears. Click Next.
2. The Software Licensing Agreement window appears. After reading the
license agreement, if you accept it, click Yes. Otherwise, click No and go
on to the next chapter.
4. The Setup Complete window appears. Unselect I want to view the
README file and click Finish.
Running ConfigMaker
1. Let’s start the program and begin defining and documenting your network.
Click on Start, All Programs, Cisco ConfigMaker. The Getting
Started with Cisco ConfigMaker window appears. Click No to skip the
tutorial.
2. The main Cisco ConfigMaker window appears. Note that the window is
divided into several areas: the Network Diagram area in the middle
where the network diagram is created, the Devices area in the upper-left
which displays a list of available devices, the Connections area in the
lower-left which displays a list of network connection types, and the
Using Cisco ConfigMaker area on the right which provides helpful
information.
3a. Let's start mapping our network! Under Devices, click on Internet.
3b. Drag the Internet icon over to the Network Diagram workspace. Click
somewhere in the middle of the Network Diagram workspace. The
Internet Device Wizard – Finish window appears. Click Finish. An
Internet icon appears in the Network Diagram workspace.
4a. The next step is to place a router below the Internet connection. Under
Devices, expand Router, Cisco 1700 Series and click on Cisco 1720.
4b. Drag the Cisco 1720 icon over to the Network Diagram workspace.
Click on the Network Diagram workspace below the Internet icon. The
Cisco 1720 Device Wizard – Assign Name window appears. Leave the
device name of Cisco1720. Click Next.
4c. The Cisco 1720 Device Wizard - Assign Password window appears.
The administrator needs to assign two unique passwords for the router, the
Login password and the Enable password. For the purposes of this lab,
use something easy to remember. One suggestion, for the lab ONLY, is to
use password for the Login and passphrase for the Enable. On a production
router choose strong, distinct values, and check the generated configuration
afterwards: the privileged password should be stored as an enable secret
(which IOS stores hashed) rather than as a reversible enable password. After
entering the Login and Enable passwords, click Next.
4d. The Cisco 1720 Device Wizard - Select Network Protocols window
appears. Select only TCP/IP and click Next.
4e. The Cisco 1720 Device Wizard – Indicate Cards Installed window
appears. This screen identifies the different interface cards installed on the
router. Initially, the slots are empty. Continue to the next step.
4f. For WAN Slot 0, select 1 Ethernet. For WAN Slot 1, select 1 T1
CSU/DSU. Click Next.
4g. The Cisco 1720 Device Wizard – Finish window appears. Click Finish.
4h. The main Cisco ConfigMaker window reappears. A new icon for the
Cisco1720 router appears in the Network Diagram area.
5a. The next step is to connect the Internet to your Cisco1720 border router.
Under Connections, click on HDLC. Move to the Network Diagram
area and click on Internet. A dialog box appears and asks you to click on
the connecting device. Click on Cisco1720 to complete the connection.
5c. The HDLC Wizard – Cisco1720 – Specify IP address window appears.
You will enter the IP address for the external interface of the router.
5d. For this exercise, use an IP address of 207.59.192.1 and a subnet mask of
255.255.255.252. When done entering the information, click Next.
5e. The HDLC Wizard – Select Whether to Use NAT window appears.
Select NAT and then select Use WAN interface IP address for source
address translation. Click Next.
5g. The HDLC Wizard – Finish window appears. Click Finish.
5h. You should now see a completed network connection labeled with the IP
addresses and connection type in the Network Diagram area.
6a. Now begins the fun part: creating a screened subnet, aka a DMZ. Under
Devices, expand Switches, Cisco 1500 Series and click on Cisco 1548.
6b. Drag the Cisco 1548 icon over to the Network Diagram workspace.
Place it to the right of the Cisco1720 icon.
6c. The next step is to connect the Cisco1548 switch to your Cisco1720
border router. Under Connections, click on Ethernet. Move to the
Network Diagram area and click on Cisco1720. A dialog box appears
and asks you to click on the connecting device. Click on Cisco 1548 to
complete the connection.
6e. The Ethernet Wizard – Cisco1720 - Interface window appears. Leave
the default interface selected and click Next.
6g. The Ethernet Wizard – Finish window appears. Click Finish.
7a. Now that we have our screened subnet, aka a DMZ, we need to add
some hosts. Under Devices, click on Host.
7b. Drag the Host icon over to the Network Diagram workspace. Place it to
the right of the Cisco 1548 icon.
7c. Repeat steps 7a and 7b two more times so that there are three hosts on the
screened network. Rename each host by clicking on the icons and
renaming them DNS Server, Mail Server and Web Server.
7d. The next step is to connect the Cisco1548 switch to your three DMZ hosts.
Under Connections, click on Ethernet. Move to the Network Diagram
area and click on Cisco1548. A dialog box appears and asks you to click
on the connecting device. Click on DNS Server to complete the
connection.
7f. The Ethernet Wizard – Finish window appears. Click Finish.
7g. Repeat steps 7e thru 7f for the Mail Server and Web Server objects. Use
the IP address 207.54.160.3 for the Mail Server and 207.54.160.4 for the
Web Server.
8a. Now that we have an Internet connection, an external router and a DMZ
network with active hosts, we need to complete this network by adding
a trusted internal network. Under Devices, expand Switches, Cisco 1500
Series and click on Cisco 1548. Drag the Cisco 1548 icon over to the
Network Diagram workspace. Place it below the Cisco1720 icon. It will
be named Cisco1548_1.
8b. The next step is to connect the Cisco1548_1 switch to your Cisco1720
border router. Under Connections, click on Ethernet. Move to the
Network Diagram area and click on Cisco1720. A dialog box appears
and asks you to click on the connecting device. Click on Cisco1548_1 to
complete the connection.
8c. The Ethernet Wizard - Setup window appears. Click Next.
8e. The Ethernet Wizard – Cisco1720 – Specify IP Address window
appears. For this exercise, use an IP address of 192.168.0.1 and a subnet
mask of 255.255.255.0. When done entering the information, click Next.
9a. As we created three hosts in the DMZ network, we now need to create
three hosts on the internal network. Under Devices, click on Host.
9b. Drag the Host icon over to the Network Diagram workspace. Place it
below the Cisco1548_1 switch icon. Repeat steps 9a and 9b two more
times so that there are three host icons under the Cisco1548_1 switch icon.
9c. Next, connect the Cisco1548_1 switch to your three internal hosts. Under
Connections, click on Ethernet. Move to the Network Diagram area
and click on Cisco1548_1. A dialog box appears and asks you to click on
the connecting device. Click on Host to complete the connection. The
Ethernet Wizard – Setup window appears. Click Next.
9e. The Ethernet Wizard – Finish window appears. Click Finish.
9f. Repeat steps 9c thru 9e for HOST_1 and HOST_2. Use the IP address
192.168.0.3 for HOST_1 and 192.168.0.4 for HOST_2. We now have a
network diagram with a router, a DMZ and an internal network.
10a. We now need to configure the firewall to protect this network. The first
step is to start the Firewall wizard. Click on the Cisco1720 router in the
Network Diagram area. Click on Configuration, Firewall listed in the
Configuration menu. The Firewall Wizard window appears. Click
Next.
10b. The Firewall Wizard – Firewall window appears. Select Yes to indicate
that the router has the firewall IOS feature set. Click Next.
10c. The Firewall Wizard – DMZ window appears. Select I have a DMZ.
Select Cisco1548 as the DMZ LAN. Click Next.
10e. The Firewall Wizard – Cisco 1548 – Access Policy window appears.
This is where we implement rules about allowing access from specific
devices utilizing a specific application. In this case, we will begin with
setting some rules for the internal Cisco1548_1 switch. Left-click on the
ellipsis ….
10g. The following error message will appear when you double-click on
ICMP. Click OK to remove the message.
10h. Finish adding the specified services and then click OK.
10i. The Firewall Wizard – Cisco 1548 – Access Policy window reappears.
Click on the ellipsis … on the line with HOST.
10k. The Firewall Wizard – Cisco 1548 – Access Policy window reappears.
Repeat steps 10i and 10j for HOST_1 and HOST_2.
The Access Policy window should look like the following once the services have been
added for each of the hosts.
Now repeat the same steps for the Internet client. Click Next when you are done.
10l. Following the configuration of the Cisco1548 switch, the wizard now
begins to configure the access policies for the DNS Server. You can
always tell which device is being configured by looking on the left hand
side of the window. The device in bold is currently being configured,
whereas any devices with a checkmark have already been successfully
configured.
10m. Click on the ellipsis … on the row with Cisco1548_1. The Firewall
Policy – Cisco1548_1 accessing DNS Server window appears. Select
Access Selected Services from the Permission pulldown menu. Double-
click on each of the following services to be allowed: DNS and ICMP.
You will see the same error dialog on ICMP as before. Click OK to
dismiss the error dialog. Finish adding the specified services and then
click OK.
10n. The Firewall Wizard – DNS Server – Access Policy window reappears.
Repeat step 10m for HOST, HOST_1 and HOST_2.
10o. Repeat step 10m for Internet but only add DNS. When done, click
Next.
10p. The Firewall Wizard – Mail Server – Access Policy window appears.
Repeat step 10m for Cisco1548_1, HOST, HOST_1 and HOST_2.
Select the following services to be allowed: ICMP and SMTP.
10q. Repeat step 10m for Internet but only add SMTP. When done, click
Next.
10r. The Firewall Wizard – Web Server – Access Policy window appears.
Repeat step 10m for Cisco1548_1, HOST, HOST_1 and HOST_2.
Select the following services to be allowed: HTTP and ICMP.
10s. Repeat step 10m for Internet but only add HTTP. When done, click
Next.
10u. The Firewall Wizard – HOST – Access Policy window appears. As with
the Cisco1548_1 object, the policy should be left to deny all services.
Click Next.
10w. The Firewall Wizard – HOST_2 – Access Policy window appears. As
with the Cisco1548_1 object, the policy should be left to deny all services.
Click Next.
10y. The Firewall Wizard - Summary window appears. Click Finish.
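What the Firewall Wizard's policy (steps 10c through 10w) amounts to on the router, as an added example that is not part of the original cookbook and is not ConfigMaker's output: a small Python generator that turns the access policy into an inbound extended ACL for the Internet-facing interface, together with a review helper that lists which hosts the ACL exposes to arbitrary Internet sources. The addresses follow the exercise; the DNS server's address (207.54.160.2), the DMZ wildcard mask (0.0.0.255), the WAN interface name (Serial0) and the use of `established` for return traffic are this example's assumptions. A router running the firewall feature set would handle return traffic statefully with `ip inspect`; the explicit ACL is shown here so that every allow and deny decision is visible and can be reviewed.

```python
"""Compile the DMZ access policy into a Cisco IOS extended ACL and report what it
exposes.  Added example; values marked 'assumed' are not from the exercise."""
from typing import Dict, List, Set

# Wizard service names -> (protocol, IOS port keyword); ICMP is handled separately.
SERVICE_PORTS = {
    "DNS": [("udp", "domain"), ("tcp", "domain")],
    "SMTP": [("tcp", "smtp")],
    "HTTP": [("tcp", "www")],
}

INTERNAL_NET = ("192.168.0.0", "0.0.0.255")   # from the exercise (address, wildcard)
DMZ_NET = ("207.54.160.0", "0.0.0.255")       # wildcard assumed
WAN_IP = "207.59.192.1"                        # from the exercise

# "Internet -> DMZ host" rows of the wizard's access policy (DNS address assumed).
INTERNET_POLICY: Dict[str, List[str]] = {
    "207.54.160.2": ["DNS"],    # DNS Server
    "207.54.160.3": ["SMTP"],   # Mail Server
    "207.54.160.4": ["HTTP"],   # Web Server
}


def build_inbound_acl(name: str, policy: Dict[str, List[str]]) -> List[str]:
    """Inbound ACL for the WAN interface: anti-spoofing first, then the published
    services, then replies to inside-initiated sessions, then a logged deny
    (the implicit deny at the end of an ACL would not log)."""
    lines = [f"ip access-list extended {name}"]
    for net, wild in (INTERNAL_NET, DMZ_NET):
        lines.append(f" deny ip {net} {wild} any log")   # our own addresses never arrive from outside
    lines.append(f" deny ip host {WAN_IP} any log")
    for host, services in policy.items():
        for svc in services:
            if svc == "ICMP":
                lines.append(f" permit icmp any host {host} echo")
                continue
            for proto, port in SERVICE_PORTS[svc]:
                lines.append(f" permit {proto} any host {host} eq {port}")
    # Return traffic for NAT'd inside sessions (assumption; CBAC does this statefully).
    lines.append(f" permit tcp any host {WAN_IP} established")
    lines.append(" deny ip any any log")
    return lines


def apply_to_interface(acl_name: str, interface: str = "Serial0") -> List[str]:
    """Bind the ACL inbound on the WAN interface (interface name assumed)."""
    return [f"interface {interface}", f" ip access-group {acl_name} in"]


def exposed_hosts(acl_lines: List[str]) -> Set[str]:
    """Review helper: which hosts may arbitrary Internet sources open connections to?"""
    exposed = set()
    for line in acl_lines:
        parts = line.split()
        if parts[:1] == ["permit"] and parts[2:4] == ["any", "host"] and parts[-1] != "established":
            exposed.add(parts[4])
    return exposed


if __name__ == "__main__":
    acl = build_inbound_acl("FROM_INTERNET", INTERNET_POLICY)
    print("\n".join(acl + apply_to_interface("FROM_INTERNET")))
    print("exposed to the Internet:", sorted(exposed_hosts(acl)))
```

The review helper is the part to keep: after any change to the wizard's policy, the set it returns should contain exactly the three DMZ servers and never an address from the 192.168.0.0/24 network. The anti-spoofing denies sit at the top because ACL entries are evaluated in order and the first match wins.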
11. And here we are…only a few hours since your new boss on your first day
asked you to diagram the network and you have created this:
ConfigMaker Exercise
1. Can ConfigMaker be used to manage
Nortel switches?
2. What protocol is used to push and pull
configuration changes to remote
devices?
3. Do you need detailed knowledge of
the Cisco IOS to use ConfigMaker?
4. Can you add ingress and egress ACLs
to routers through ConfigMaker?
This section poses a set of questions (listed above) that are answered in the following
section.
ConfigMaker Exercise Solutions
1. No
2. TFTP
3. No. You can actually configure all of your
switches with little or no knowledge of the
actual Cisco IOS. The authors of this book
highly recommend that you do not use this tool
as a replacement for actually learning the IOS
4. Yes. Any configuration changes you can make
at the console of the device you can make with
this tool
1. No.
2. TFTP. Note that TFTP has no authentication and no encryption, so configuration files,
including the router passwords, cross the network in the clear; use it only on a trusted
management segment.
3. No. You can actually configure all of your switches with little to no knowledge
of the actual Cisco IOS. The authors of this book recommend strongly that you
do not use this tool as a replacement for actually learning the IOS.
4. Yes. Any configuration changes you can make at the console of the device you
can make with this tool.
Summary
When it comes to network design, tools are key. Diagramming a network is as difficult as
your tool makes it. Cisco has created an easy-to-use GUI network definition tool that
makes the initial design and implementation easier. Through the exercises in this chapter
you became familiar with its simple interface, which made our task easier. As is the case
with all software, the user must supply the analytical knowledge to define the data
properly; ConfigMaker streamlines the process.
Realize that ConfigMaker is one of many tools in the marketplace. Some, like Microsoft
Visio, are general diagramming applications rather than tools specifically for network
architecture. Regardless of the tool you use, a current network diagram is necessary and
is an important asset for good network security.
For additional information:
http://www.cisco.com/warp/public/779/smbiz/netguide/v_network_design.html
S-Tools
S-Tools can be used to hide messages inside of BMP, GIF, and WAV files. Depending on
the options that you choose, the output file that contains the hidden data may have
different properties than the original file.
S-Tools Details
• Name: S-Tools
• Operating system: Windows
• License: freeware
• Protocol used: NA
• Category: Steganography
• Description: S-Tools is a GUI tool used to
hide data in multiple file types
The following topics and action items are covered in this chapter:
• Installing S-Tools
• Running S-Tools
• Hiding files in images
• Hiding files in WAV files
S-Tools Background
S-Tools’ Purpose
• Like all steganography tools, the main
purpose of S-Tools is to hide data inside
other data of several types
• It lets the user encrypt data and then hide
it, so that the existence of the data is
concealed as well as its content
• Uses symmetric cryptography (a passphrase
shared by sender and receiver) for its
encryption
S-Tools Architecture
The file in which data is hidden is called the carrier file. After hiding a file within a
carrier file, you can send the carrier file to another person who knows to use S-Tools with
the appropriate password; he or she will be able to view the contents of the hidden file,
while unsuspecting others view a regular image file.
Installation
Installing S-Tools
S-Tools does not require installation. Simply extract the zip archive s-tools4.zip to
C:\tools\s-tools.
Running S-Tools
Start S-Tools by double-clicking S-Tools.exe, which is located in C:\tools\s-tools\. The
interface for S-Tools launches and you are presented with the following window.
Click Continue to get to the main screen. As you can tell, there are not many options in
the S-Tools interface.
Hiding Files in Images
This section explains how to hide files in images with S-Tools. Follow these steps:
1. Select File, Properties to view the compression level that S-Tools applies
to the file you are hiding. The higher the compression, the longer it takes to
hide a file; however, you will be able to hide larger files when the compression
is turned up, because the payload is compressed before it is embedded. Click
OK to close the Properties dialog box.
2. Start a Windows Explorer session and find one of several bmp files that
are on your system. For this example you could use c:\icons\icon.bmp or
any other bmp file. Copy this file to your s-tools directory and then drag
the bmp file onto the S-Tools window.
3. Create a document called Secret_data.txt by opening up WordPad and
typing in some text. Now drag Secret_data.txt on top of the bmp image
that is in the S-Tools window. You will then receive a passphrase prompt,
as shown in the following screen. Enter and confirm the passphrase that
you will use to secure the file. The dialog box also details the amount of
data that you are hiding; in this case, we are hiding 196 bytes of data
inside of the BMP file.
5. As shown in the following screen, the next prompt deals with the format
of the output file. If you choose to convert it to a 24-bit file, the output will
be larger than the original because each pixel is then stored as three bytes
instead of a single palette index; the hidden data itself adds nothing to the
size, since it replaces the low-order bits of samples that are already there.
The other option, Attempt color reduction, keeps the image palette-based: it
reduces the number of colours so that the palette can be padded with
near-identical entries whose indices differ only in the bit used for hiding,
which keeps the output size close to the original at some cost in image
quality. Accept the default value of Attempt color reduction and click OK.
6. The newly created .bmp file now appears in the S-Tools interface. Notice
that in the following screen, the newly created file appears to the human
eye to be the same as the original file. Looking the same is not the same as
being undetectable: statistical tests on the low-order bits can reveal LSB
embedding, which is why the hidden data is encrypted as well as hidden.
7. Right-click the picture that includes the hidden file, and then select
Properties. Notice the dimensions of the file as well as the memory usage.
8. Now right-click the original file and click Properties. The dimensions are
the same. Any difference in memory usage comes from how the output image
is stored (palette size or 24-bit conversion), not from the hidden bytes
themselves, which occupy bits that were already part of the image.
9. To save the newly created hidden file, right-click it and select Save as.
11. After you have saved the file, close out of S-Tools and then restart it. Drag
the newly created hidden.bmp file onto the S-Tools window. Then right-
click the picture and select Reveal.
12. You are now prompted for the passphrase in order to reveal any data
hidden in hidden.bmp. Enter and confirm the passphrase that you’ve
selected, and click OK.
13. The Revealed Archive window, listing our hidden file Secret_data.txt,
now appears.
14. Highlight Secret_data.txt. Then, right-click it and select Save as, as
demonstrated in the following screen. Save the file as
Secret_data_after_steg.txt so it will be easy to compare it to
Secret_data.txt.
15. You can now open the new text file to ensure that your message is still
intact.
Hiding Files in WAV Files
Images are not the only things that S-Tools can use for hiding files. This section describes
how you use the same steps in the previous section to hide files; however, this time, you
will use a WAV file as the carrier file. Follow these steps:
1. Using Windows Explorer, find a WAV file on your system and drag the file
onto the S-Tools window. For this example you could use
C:\WINDOWS\Media\Windows XP Startup.wav.
2. Once again, drag our Secret_data.txt onto the WAV file. Enter and
confirm the passphrase with which you wish to secure the hidden file, and
click OK.
The new file containing the hidden data is now present in the S-Tools
window.
3. Next, right-click within the hidden data window and click Save as. Accept
the default file name hidden.wav.
4. After saving the newly created file, you can reveal the information in the
same way that you did for the .bmp file.
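How the hide and reveal operations in this section and the previous one work underneath, as an added example that is not part of the original cookbook and is not S-Tools' code: least-significant-bit embedding into raw 8-bit carrier samples (the pixel bytes of a 24-bit BMP or the samples of an 8-bit PCM WAV; the same routine serves both), with the bit positions scattered by a passphrase-seeded generator and the payload encrypted and tagged under the passphrase so that a wrong passphrase is reported instead of returning garbage. The framing (4-byte length, SHA-256 keystream, 8-byte HMAC tag), the seeding and the constructed gradient carrier are this example's own choices; S-Tools' real format (its IDEA/DES/3DES options and its compression) is not reproduced. Two claims from the walkthrough can be checked directly with it: the output is exactly the size of the input, and no sample changes by more than one in value.

```python
"""Passphrase-scattered LSB steganography on raw 8-bit samples (pixel bytes or
PCM samples).  Added example; format and constants are this example's own."""
import hashlib
import hmac
import random
from typing import List, Tuple


def _key(passphrase: str, purpose: bytes) -> bytes:
    return hashlib.sha256(purpose + b":" + passphrase.encode()).digest()


def _slot_order(passphrase: str, n_slots: int) -> List[int]:
    """Permutation of sample indices derived from the passphrase: without it an
    observer does not even know which bits carry the payload."""
    rng = random.Random(int.from_bytes(_key(passphrase, b"order"), "big"))
    order = list(range(n_slots))
    rng.shuffle(order)
    return order


def _xor_stream(key: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def hide(carrier: bytes, payload: bytes, passphrase: str) -> bytes:
    """Encrypt the payload, frame it as length||body||tag and write its bits into
    the low-order bit of passphrase-selected carrier samples."""
    body = _xor_stream(_key(passphrase, b"enc"), payload)
    tag = hmac.new(_key(passphrase, b"mac"), body, "sha256").digest()[:8]
    frame = len(body).to_bytes(4, "big") + body + tag
    if len(frame) * 8 > len(carrier):
        raise ValueError(f"carrier holds {len(carrier) // 8} bytes, payload needs {len(frame)}")
    order = _slot_order(passphrase, len(carrier))
    out = bytearray(carrier)
    for i in range(len(frame) * 8):
        bit = (frame[i // 8] >> (7 - i % 8)) & 1
        out[order[i]] = (out[order[i]] & 0xFE) | bit      # only the LSB ever changes
    return bytes(out)


def reveal(stego: bytes, passphrase: str) -> bytes:
    """Read the frame back; a wrong passphrase fails the length check or the tag."""
    order = _slot_order(passphrase, len(stego))

    def read(start: int, nbits: int) -> int:
        value = 0
        for i in range(start, start + nbits):
            value = (value << 1) | (stego[order[i]] & 1)
        return value

    body_len = read(0, 32)
    if (4 + body_len + 8) * 8 > len(stego):
        raise ValueError("wrong passphrase or no hidden data")
    rest = read(32, (body_len + 8) * 8).to_bytes(body_len + 8, "big")
    body, tag = rest[:body_len], rest[body_len:]
    expected = hmac.new(_key(passphrase, b"mac"), body, "sha256").digest()[:8]
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong passphrase or corrupted carrier")
    return _xor_stream(_key(passphrase, b"enc"), body)


def sample_changes(original: bytes, stego: bytes) -> Tuple[int, int]:
    """(number of samples that changed, largest change in any single sample)."""
    diffs = [abs(a - b) for a, b in zip(original, stego)]
    return sum(1 for d in diffs if d), max(diffs)


# Constructed carrier: a 64x64 8-bit gradient standing in for image or audio samples.
CARRIER = bytes((x * 3 + y * 5) % 256 for y in range(64) for x in range(64))

if __name__ == "__main__":
    stego = hide(CARRIER, b"meet at noon", "correct horse")
    print(reveal(stego, "correct horse"), len(stego) == len(CARRIER), sample_changes(CARRIER, stego))
```

This operates on sample values directly, which is right for 24-bit images and PCM audio. In a 256-colour BMP the bytes are palette indices, and flipping the low bit of an index selects a different palette entry that may be any colour at all; that is the reason S-Tools offers to reduce the palette and pad it with near-duplicate colours, or to convert the image to 24-bit, before hiding.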
S-Tools Exercise
This section poses a set of questions that are answered in the following section.
Following are the questions:
S-Tools Exercise Solutions
Summary
S-Tools provides an easy way to disguise sensitive data within media files. Practice is the
best way to gain experience to know what compression setting works best for stealthily
hiding data and still appearing as the original file.
Invisible Secrets 2002
Carrier file types supported:
• JPEG
• PNG
• BMP
• HTML
• WAV
Invisible Secrets 2002 Details
• Name: Invisible Secrets 2002
• Operating system: Windows
• License: trial version
• Protocol used: NA
• Category: steganography
• Description: Invisible Secrets 2002 allows users to
hide encrypted information inside of pictures
• URL: http://www.neobytesolution.com/invsecre/
The following topics and action items are covered in this chapter:
Invisible Secrets 2002 Background
• Invisible Secrets is an application
created by Neobyte Solutions
• It is a full-featured stego tool that
provides multiple encryption methods
for protecting your hidden data
• Allows users to put sensitive data in
seemingly normal files such as pictures
of your latest vacation
Invisible Secrets 2002 Architecture
• It is a Windows-based GUI application
used to hide information inside of
multiple file types
• It can use multiple symmetric
encryption algorithms to secure hidden
data
• Incorporates a DOD 5220.22-M
compliant data shredder
In this chapter, you use Invisible Secrets 2002 as a steganographic tool. If you do not
need a covert method of disguising information but still need to store sensitive
information securely, Invisible Secrets 2002 allows you to encrypt and decrypt files using
a number of algorithms. Of course, these added features cost money. This chapter uses
the 30-day demo version of Invisible Secrets 2002.
Installation
• To install, make sure you are logged in
as an administrator
• Locate the invsecr.exe file on your
CD-ROM and copy it to your local drive
• Double click on invsecr.exe to begin
the installation
Installing and Running Invisible Secrets 2002
This section discusses how to install and run Invisible Secrets 2002.
2. The License Agreement window appears. If you agree to the 30-day
evaluation License Agreement, click Yes; otherwise, you cannot continue
with this chapter.
4. The Select Program Manger Group window appears. Accept the default
Program Manager group by clicking Next.
6. The Installation Complete window appears. After the installation is
finished, uncheck Yes, I would like to view the README file and click
Finish.
Running Invisible Secrets 2002
After you finish the install, Invisible Secrets 2002 launches. Follow these steps to run it:
2. The settings you access with the Options button let you perform a number
of tasks, including the following:
3. The Welcome window appears. You will be using the default settings for
the purposes of this book. Click Next to start the fun.
5. The Select the files … window appears. You are prompted to select the
files that you want to hide. Click Add files.
6. Select a file to hide. This chapter uses the Secret_data.txt file created in
the S-Tools exercise, but any text file will do. Select the file and click Open.
7. The Select the files … window reappears. Click Next to continue.
8. The Select Carrier File window appears. You are prompted to select the
carrier file that you will use to hide data in.
9. Click the open folder image to the right of the field, as shown in the next
figure. Select a JPG file from your system and click Open. If you do not have
one at hand, the sample pictures that ship with Windows (for example,
Blue Hills.jpg) will do.
10. The file Blue Hills.jpg is selected as the carrier file. You are given the
option to wipe the original carrier after the encryption and hide process
finishes. Do NOT select this option.
11. If you don't know where a good carrier file is located, click Search for
Carrier. Invisible Secrets provides you with an interface to search for a
carrier by file type. After you have selected a file, you can view it by
clicking View Carrier, and if you decide to use it, just click Use Carrier.
12. Click Close in the Search Carrier window and then click Next in the
Select Carrier File window.
The next window prompts you for the password and the algorithm to use
when encrypting the file. The algorithms that are natively supported
include:
• AES
• Twofish
• RC4
• CAST
• GOST
• Diamond 2
• Sapphire II
• Blowfish
13. The Encryption Settings window appears. If you want to hide a file but
do not want to assign a password to the file, you can check the box Skip
encryption/hide only at this time. Enter and confirm the password that
you want to use for the newly created file. When you are done click Next.
Note: The demo version of Invisible Secrets limits the password to five characters
due to U.S. export restrictions. A five-character password is within reach of a
brute-force search, so treat data protected by the demo as unprotected outside the lab.
14. The Select Target File window appears. Enter the name that you want to
use for this new file. To do this, click the open folder button located to the
right of the field.
15. The Select Target Carrier window appears. Enter test.jpg as the name
of the target carrier, save it to C:\ and click Save.
16. The Select Target File window reappears. After reviewing the location
and filename of your target file, click Hide.
17. The Encrypting / Hiding window appears. The file is encrypted and
Secret_data.txt is hidden within your new target carrier.
When this process is done, click Next.
Performing Actions on the Newly Created File
Invisible Secrets allows you to perform a number of actions on the newly created file,
including sending it via e-mail and FTP. Follow these steps to perform actions on the
newly created file:
2. When you are ready to reveal the information contained within c:\test.jpg,
start Invisible Secrets. After clicking on the Try button and Next, the
Select Action window appears. Select the Unhide and Decrypt file(s)
from a carrier file radio button and click Next.
3. The Select Carrier File window appears. To choose the carrier file, click
the open folder button to the right of the field.
4. Select c:\test.jpg and click Open.
6. You are prompted for the password that you entered during the
encrypt/hide phase. Remember that it is at most a five-character
password because of the demo restriction.
7. The Carrier Access/Decryption Settings window appears. Enter the
passphrase you selected and click Next.
9. The Unhiding / Decrypting window appears. After the process is
finished, you can explore the data by clicking the Explore Extracted
Data button, as shown in the next figure.
10. Invisible Secrets starts Windows Explorer and starts at the location that
you selected.
11. Invisible Secrets also adds a right-click option in Windows Explorer to
hide and encrypt files. Simply right-click a file that you want to hide or
encrypt, and select Invisible Secrets and then the option you want to
perform. If you select Hide, the Invisible Secrets Wizard automatically
starts at the prompt for the carrier file.
Invisible Secrets 2002 Exercise
This section poses a set of questions that are answered in the following section.
Following are the questions:
Invisible Secrets 2002 Exercise Solutions
1. No, the included program is a demo version. You must pay to access all of
the available features.
2. Yes. You can add new carrier file types and algorithms.
3. No, unless you choose to lower the default overwrite settings and spend
money to send your hard drive to a company that specializes in recovering
data. Even then, your chances may be slim.
4. Yes, you can assign a password that must be entered before Invisible
Secrets will start.
Summary
As corporate policies and monitoring become more stringent, employees may turn to
steganographic tools to hide the presence of restricted information. Invisible Secrets
provides a convenient method for transferring encrypted data between parties. As these
tools come into use, steganalysis, the art of discovering the use of steganography,
becomes more important.
Xsteg/Stegdetect
Xsteg/Stegdetect is a tool used to determine if there is information hidden in a
particular file.
Security Essentials Cookbook © 2003 SANS 20-1
Xsteg
You have learned how to hide a file within another file. You may also need to know how to
detect when a file has been altered with a steganographic tool. Stegdetect is a tool
designed for this purpose.
Xsteg/Stegdetect Details
• Name: Xsteg/Stegdetect
• Operating system: Windows
• License: Freeware
• Protocol used: NA
• Category: File alteration detection
• Description: XSteg is a GUI front-end for a
steganography detection tool called
Stegdetect
The following topics and action items are covered in this chapter:
• Installing Xsteg
• Running Xsteg
Xsteg Background
• Xsteg was created as a GUI front-end
for the command line application
stegdetect
• Used to determine whether
steganographic techniques were used
on a file via multiple means
• It is a freeware tool used to attempt to
counter Stego techniques, but still
requires manual scanning of each file
Xsteg’s Purpose
Xsteg Architecture
• Xsteg is a GUI front-end for Stegdetect
• Stegdetect has the capability to
determine if there is hidden information
inside of a file
• Stegdetect also can launch a dictionary
attack against the hidden information in
an attempt to crack the cryptography
used to protect it
• Stegdetect recognizes data embedded by the
following tools:
– Jsteg
– Outguess
– Jphide
– Invisible Secrets
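The dictionary attack Stegdetect offers, and the five-character password limit of the Invisible Secrets demo in the previous chapter, meet in one question: how does an attacker know a guessed password is right? The usual answer is that the decrypted payload starts with a recognisable header. The Python block below is an added example that is not Stegdetect's or Invisible Secrets' code and does not use either tool's real file format: it wraps a secret in a hypothetical container (an assumed `HIDE` marker plus length, encrypted with a toy SHA-256 counter-mode keystream), then recovers the password first from a constructed wordlist and then by exhausting every five-character password over an alphabet. The password, wordlist and container layout are all assumptions.

```python
import hashlib
import itertools
import string
import struct

MAGIC = b"HIDE"  # hypothetical container marker; real tools carry their own headers


def _keystream(password, n):
    """Toy stream cipher: SHA-256 in counter mode, keyed from the password.
    Stands in for whatever cipher a real tool uses; the attack only needs a
    cheap way to test one candidate password."""
    key = hashlib.sha256(password.encode()).digest()
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack(">I", counter)).digest()
        counter += 1
    return bytes(out[:n])


def seal(password, secret):
    """Encrypt MAGIC + length + secret: the blob a stego tool would embed in a carrier."""
    plain = MAGIC + struct.pack(">I", len(secret)) + secret
    return bytes(p ^ k for p, k in zip(plain, _keystream(password, len(plain))))


def try_open(password, blob):
    """Decrypt only the 8-byte header first; a sane header is what tells the
    attacker the password was right, which is exactly the check a dictionary
    attack needs. Returns the secret, or None for a wrong password."""
    if len(blob) < 8:
        return None
    head = bytes(c ^ k for c, k in zip(blob[:8], _keystream(password, 8)))
    if head[:4] != MAGIC:
        return None
    length = struct.unpack(">I", head[4:8])[0]
    if 8 + length != len(blob):
        return None
    body = bytes(c ^ k for c, k in zip(blob, _keystream(password, len(blob))))
    return body[8:]


def dictionary_attack(blob, wordlist):
    """Return (password, candidates tried), or (None, count) if the list is exhausted."""
    for tried, word in enumerate(wordlist, 1):
        if try_open(word, blob) is not None:
            return word, tried
    return None, len(wordlist)


def brute_force(blob, alphabet, length):
    """Exhaust every password of exactly `length` characters over `alphabet`."""
    for tried, chars in enumerate(itertools.product(alphabet, repeat=length), 1):
        word = "".join(chars)
        if try_open(word, blob) is not None:
            return word, tried
    return None, len(alphabet) ** length


def keyspace(alphabet, length):
    return len(alphabet) ** length


if __name__ == "__main__":
    # Constructed: a five-digit password, the length the demo version allows.
    blob = seal("48271", b"the memo")
    print("wordlist:", dictionary_attack(blob, ["password", "letmein", "48271"]))
    print("brute force over digits:", brute_force(blob, string.digits, 5))
    print("five lowercase letters:", keyspace(string.ascii_lowercase, 5), "candidates")
```

Five lowercase letters give under twelve million candidates, each costing two hash computations here, which is minutes of work on 2003 hardware; a real tool with a slow key-derivation step raises that cost, but not by enough to rescue a five-character password.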
Installation
• Neither Stegdetect nor Xsteg requires
installation
Running Xsteg/Stegdetect
Installing Xsteg
The only step required to install Xsteg is to extract the contents of the zip
archive to the appropriate folder. Extract stegdetect-0.4.zip to
C:\stegdetect\.
Running Xsteg
Xsteg is the graphical interface to Stegdetect. To run it, follow these steps:
1. First you will need to open a command prompt. Click Start, Run. Type
cmd and click OK.
2. A command prompt appears, as shown in the following screen.
3. Next, change the directory to the location from which the archive was
extracted by issuing the command cd c:\stegdetect.
4. To start Xsteg, simply type xsteg at the command prompt and press Enter.
The Xsteg window appears. The easy-to-use interface just needs to know
which tools to look for, as well as the sensitivity level to use. Adjusting
the sensitivity will help identify files that have been altered, but it may
also result in false positives.
5. Select File, Open.
6. You can now select a file or directory that you want to search for files that
have been subjected to steganographic changes. Select C:\test.jpg, which
is the file you created in the Invisible Secrets exercise, and click OK. If you
do not have this file, scan the C:\ drive instead.
As shown in the previous screen, Xsteg detected that the file test.jpg has
been altered using Invisible Secrets. The message window details the
options that were used during the test.
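Stegdetect's "multiple means" include tool-specific signatures, as in the Invisible Secrets detection above, and statistical tests. The following Python block is an added example, not Stegdetect's code, of the statistical side: the pairs-of-values chi-square test of Westfeld and Pfitzmann applied to 8-bit samples, which is the kind of carrier S-Tools produces when it writes BMP or WAV files. Replacing LSBs moves samples only between the two members of a value pair (2k, 2k+1), so after embedding random-looking data the two counts in every pair converge, and that evenness is what the test measures. The carrier here is constructed with a deliberately uneven histogram; the threshold, sample sizes and the 3-sigma band are assumptions chosen for this illustration.

```python
import random


def lsb_pairs_chi_square(values):
    """Pairs-of-values test over 8-bit samples (values 0..255).
    Returns (statistic, degrees of freedom)."""
    hist = [0] * 256
    for v in values:
        hist[v] += 1
    stat = 0.0
    dof = 0
    for k in range(0, 256, 2):
        a, b = hist[k], hist[k + 1]
        total = a + b
        if total == 0:
            continue
        expected = total / 2.0
        stat += (a - expected) ** 2 / expected + (b - expected) ** 2 / expected
        dof += 1
    return stat, dof


def looks_like_lsb_stego(values, sigmas=3.0):
    """True when the pairs are as balanced as full-capacity LSB embedding leaves them.
    Under that hypothesis the statistic is chi-square distributed with `dof`
    degrees of freedom (mean dof, standard deviation sqrt(2*dof)); a clean
    carrier with an uneven histogram scores far above that band."""
    stat, dof = lsb_pairs_chi_square(values)
    return stat <= dof + sigmas * (2.0 * dof) ** 0.5


def constructed_carrier(n=40000, seed=1):
    """Constructed clean carrier: even values are made more common than odd ones,
    a stand-in for real image or audio data, which is rarely balanced per pair."""
    rng = random.Random(seed)
    return [2 * rng.randrange(128) + (1 if rng.random() < 0.15 else 0) for _ in range(n)]


def embed_random_lsb(values, fraction=1.0, seed=2):
    """Overwrite the LSB of a random `fraction` of the samples with random bits,
    as scattered embedding of an encrypted payload would."""
    rng = random.Random(seed)
    out = list(values)
    for pos in rng.sample(range(len(out)), int(fraction * len(out))):
        out[pos] = (out[pos] & ~1) | rng.getrandbits(1)
    return out


if __name__ == "__main__":
    clean = constructed_carrier()
    for label, data in [("clean", clean),
                        ("100% embedded", embed_random_lsb(clean, 1.0)),
                        ("30% embedded", embed_random_lsb(clean, 0.3))]:
        stat, dof = lsb_pairs_chi_square(data)
        print("%-14s chi2=%9.1f dof=%d stego=%s"
              % (label, stat, dof, looks_like_lsb_stego(data)))
```

The third case is the caveat a practitioner should carry away: a payload that fills only part of the carrier, scattered rather than written sequentially, leaves a mixture of balanced and skewed pairs that this test does not flag. That is why Stegdetect combines several methods and why its sensitivity setting trades missed files against false positives.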
Xsteg/Stegdetect Exercise
This section poses a set of questions that are answered in the following section.
Following are the questions:
Xsteg/Stegdetect Exercise
Solutions
Summary
As new options and capabilities are added to Stegdetect, it will become more effective at
detecting the use of steganographic tools. Until then, a clean result means only that none
of the schemes it knows about was found in the files you scanned.