How to Hide Payload in Images using ExifTool?

Last Updated : 23 Jul, 2025

Hiding payloads in images is a well-known technique in cyber security for concealing malicious data within seemingly harmless files. It comes up in areas such as digital forensics, malware delivery, and penetration testing.

One of the most effective tools for this process is ExifTool. ExifTool is a powerful, open-source tool used for reading and editing metadata in image files. It allows users to embed and extract data from images, making it ideal for hiding payloads within the metadata without changing the image’s visible content.

Steps to Hide Payload in Images using ExifTool: 

All steps in this article are intended for Ubuntu or other Debian-based Linux distributions.

Step 1: Installation

Install ExifTool using your system's package manager.

$ sudo apt install exiftool

Step 2: Read the ExifTool Manual

To learn more about how ExifTool works and explore its full range of features, you can refer to its manual page. This will provide you with detailed information about the available options, commands, and usage examples. To access the manual, simply run the following command in your terminal:

$ man exiftool | more
ExifTool Manual Page

Step 3: Set Up the Image and Payload Files

Before we begin the process, it's important to set up the necessary files. We will be using an image file with a .png extension and a payload, which can be any type of file. For this example, we'll use a .php web shell as the payload. These files need to be organized in a specific folder. Make sure to set up the following files before proceeding.

  • Image File: Start by selecting an image file with a .png extension. This will be the cover file where the payload will be hidden.
  • Payload File: Your payload can be of any file type, but in this article, we will use a .php file. For the example, we will use a web shell named webshell.php.
  • Create Folder: Next, create a folder named hide. This folder will store both the image file and the payload file.
  • Add Files: Inside the hide folder, place your .png image file and the .php payload file (in this case, webshell.php).


Use the 'ls' command to check that the .png file and webshell.php are both in the hide folder.

You can view the code of the webshell.php file by using the nano command followed by the filename.

Viewing the PHP web shell using the nano text editor before embedding the payload

The nano command is a simple text editor for the terminal. To view or edit a file, type nano followed by the file name (e.g., nano webshell.php).

  • Press Ctrl + O to save changes.
  • Press Ctrl + X to exit.

It’s an easy tool for editing files directly from the command line.

Now that we have all the necessary files and components in place, we’re ready to proceed with hiding our payload.

Step 4: Inserting the Payload into the Image File

In this step, we will use the following command to add the payload to the image file. This hides the malicious payload within the image's metadata, so the file still looks and opens like a regular image while carrying the payload in its structure.

$ exiftool "-comment<=<filename>" <imagename>
Inserting the Payload into the Image File

"-comment<=<filename>": This part of the command tells ExifTool to add the contents of the file <filename> into the comment section of the image's metadata.

Step 5: Check if the Payload is Embedded Successfully

Once the payload has been hidden, you can verify its presence in the image file by using the command below:

$ strings <imagename> | grep system
Verifying if the payload is inserted successfully

The command strings <imagename> | grep system extracts all readable text from the image file and then searches it for the word "system."

  • strings finds human-readable text in a file.
  • grep filters and shows all lines containing "system."

This is useful for detecting specific commands or code in files, although it only finds text that is stored uncompressed.

Step 6: Extracting the Hidden Information from the Image

As the final step, we will extract the hidden payload from the image using a simple command. ExifTool prints all of the image's metadata, and the payload appears in the Comment field. This allows us to check that the payload is embedded in the image and can be accessed when needed, all while the image's appearance stays unchanged.

$ exiftool trees.png
Extracted Content from the Image
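
The check from Step 5, generalized as an added example (not part of the original article and not ExifTool's own code): it parses the PNG textual chunks (tEXt, zTXt, iTXt) where a comment written as in Step 4 is stored, flags script markers in them, and rebuilds a clean copy without those chunks. The marker list, function names and the sample image are assumptions constructed for illustration.

```python
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
TEXT_TYPES = (b"tEXt", b"zTXt", b"iTXt")
# Assumed marker list for script code in metadata; extend it for your environment.
SUSPICIOUS = re.compile(rb"<\?php|<\?=|\b(system|exec|passthru|shell_exec|eval)\s*\(", re.I)

def chunk(ctype, body):
    """Serialize one chunk: length, type, body, CRC-32 over type+body."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def iter_chunks(data):
    """Yield (type, body) per chunk; reject a bad signature, length or CRC."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length
        body, crc = data[pos + 8:end], data[end:end + 4]
        if len(crc) != 4 or struct.unpack(">I", crc)[0] != zlib.crc32(ctype + body):
            raise ValueError("truncated or corrupt chunk")
        yield ctype, body
        pos = end + 4

def text_of(ctype, body):
    """Return (keyword, text) of a textual chunk, inflating at most 1 MiB."""
    keyword, _, rest = body.partition(b"\x00")
    if ctype == b"zTXt":  # rest = compression-method byte + zlib stream
        return keyword, zlib.decompressobj().decompress(rest[1:], 1 << 20)
    if ctype == b"iTXt":
        compressed = rest[:1] == b"\x01"
        rest = rest[2:].split(b"\x00", 2)[-1]  # drop language tag, translated keyword
        return keyword, zlib.decompressobj().decompress(rest, 1 << 20) if compressed else rest
    return keyword, rest

def scan_png(data):
    """Return [(keyword, text)] for textual chunks that match SUSPICIOUS."""
    texts = (text_of(t, b) for t, b in iter_chunks(data) if t in TEXT_TYPES)
    return [(k.decode("latin-1"), v) for k, v in texts if SUSPICIOUS.search(v)]

# Constructed sample: 1x1 grayscale PNG with a harmless marker in a "Comment" tEXt chunk.
SAMPLE = (PNG_SIG + chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
          + chunk(b"tEXt", b'Comment\x00<?php echo "constructed sample"; ?>')
          + chunk(b"IDAT", zlib.compress(b"\x00\x00")) + chunk(b"IEND", b""))
# Mitigation side: the same image rebuilt without textual chunks; pixel data is untouched.
CLEAN = PNG_SIG + b"".join(chunk(t, b) for t, b in iter_chunks(SAMPLE) if t not in TEXT_TYPES)
```

To check a file on disk, pass its bytes to scan_png, for example scan_png(open(path, "rb").read()); an empty list means no textual chunk matched the marker list.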

Conclusion

In this article, we've learned how to hide payloads in images using ExifTool, a powerful tool for manipulating metadata. By following the steps, you were able to hide a payload within an image without changing its visible content, making it suitable for Security Testing and Digital Forensics.

Beyond hiding payloads, ExifTool offers a wide range of capabilities, including extracting and writing metadata from various file types such as images, videos, and audio files. It can be used to modify camera information, GPS coordinates, and even edit or remove EXIF data. Additionally, ExifTool allows for exporting metadata to different formats like HTML or text, making it a versatile tool for anyone working with file metadata.

With these skills, you can now explore further applications of ExifTool, such as managing metadata in media files, cleaning up sensitive data, or even performing detailed Forensic Analysis.

