Steganography Cheat Sheet

A field-tested toolkit of copy-ready commands for solving CTF steganography challenges, from first-pass triage through image and audio extraction to passphrase recovery. (28 payloads)

Try it interactively with the What Is This?

Triage & File Identification

(7)

file suspicious.jpg

Identify the true file type from magic bytes (not the extension). A '.jpg' that reports as PNG/Zip is a red flag worth chasing.Always the first command on any unknown artifact.

exiftool -a -u -g1 image.jpg

Dump all metadata including duplicate and unknown tags, grouped. Flags often hide in Comment, Artist, UserComment, or XMP fields.-a shows duplicates, -u shows unknown tags.

strings -n 8 -e l file.bin

Extract printable strings of length >=8; -e l/b also catches little/big-endian UTF-16 (Windows wide chars) that default ASCII scans miss.Pipe to grep -i flag or grep -E 'flag\{|CTF\{' to filter.

binwalk file.png

Scan for embedded/appended file signatures (Zip, gzip, JPEG, PDF, etc.) hidden inside another file.Detects polyglots and concatenated archives without extracting yet.

binwalk -e --dd='.*' file.png

Carve out every embedded file binwalk recognizes into _file.png.extracted/. The --dd='.*' overrides the default extraction allowlist.Use 'binwalk -Me' for recursive (matryoshka) extraction of nested layers.

foremost -i file.bin -o out_dir/

Header/footer-based file carver; recovers embedded JPEG/PNG/ZIP/PDF/etc. into out_dir/ when binwalk misses fragmented data.Good fallback carver. scalpel and photorec are alternatives.

xxd file.bin | head -n 40

Inspect the raw hex/ASCII header and trailer to confirm magic bytes (e.g. FFD8...FFD9 for JPEG, 504B for Zip) and spot trailing junk after EOF.Use 'xxd file | tail' to check for data appended past the file's end marker.

Image Stego (LSB & Embedded)

(7)

zsteg -a image.png

Run every detection method on PNG/BMP: LSB across bit planes and channels, plus common encodings. The go-to first tool for PNG/BMP stego.zsteg only handles PNG and BMP, not JPEG. -a = run all checks.

zsteg -E 'b1,rgb,lsb,xy' image.png > out.bin

Extract a specific payload using the channel/order spec that -a flagged (e.g. b1,rgb,lsb,xy), writing raw bytes to a file.Copy the exact spec string from zsteg -a's interesting hits.

steghide extract -sf image.jpg -p ''

Extract data steghide embedded in JPEG/BMP/WAV/AU. Try an empty passphrase first; many CTF challenges use no password.steghide is JPEG-capable (unlike zsteg). -p '' = empty passphrase.

steghide info image.jpg

Check whether a file even carries a steghide payload and see capacity/encryption details before attempting extraction.Prompts for a passphrase; confirms steghide is the right tool.

java -jar stegsolve.jar

GUI to step through individual bit planes and color channels, apply XOR/transforms, and use the Data Extract dialog for manual LSB recovery.Best for visual LSB and plane-toggling that automated tools miss.

convert image.png -separate channel_%d.png

Split an image into separate R/G/B/A channel images (ImageMagick) so you can inspect each plane individually for hidden patterns.Useful when a flag is visible only in one channel or the alpha layer.

stegoveritas image.png

Automated multi-technique runner: extracts metadata, applies color-plane transforms, runs LSB checks, and carves embedded files in one pass.Good broad-sweep tool when you don't yet know the technique.

Audio Stego

(4)

audacity hidden.wav

Open the audio, switch the track to Spectrogram view (track dropdown > Spectrogram) to reveal text/images drawn into the frequency domain.Classic CTF trick: the flag is 'painted' in the spectrogram.

sox input.wav -n spectrogram -o spectro.png

Generate a spectrogram image headlessly from the command line without opening a GUI.sox is scriptable; great for batch-checking many audio files.

steghide extract -sf audio.wav -p ''

steghide also embeds in WAV and AU audio; try empty/known passwords to pull the payload out.Same workflow as image steghide, just a WAV/AU carrier.

multimon-ng -t wav -a MORSE_CW -a DTMF audio.wav

Decode Morse (CW) tones, DTMF dial tones, and other modem/pager modes embedded in audio into text.Reach for this when the spectrogram or audio sounds like beeps/tones.

Appended Data, Archives & Polyglots

(5)

unzip image.jpg

A JPEG/PNG with a Zip concatenated to its end is still a valid Zip; unzip reads from the central directory at EOF and extracts the hidden files.Works because Zip is parsed from the end of the file.

cat cover.jpg secret.zip > polyglot.jpg

Reproduce the classic append trick: a valid image to viewers, a valid archive to unzip. Knowing how it's built tells you how to break it.Reverse with binwalk/unzip; offset shown by binwalk.

dd if=file.jpg of=hidden.zip bs=1 skip=$OFFSET

Carve the appended blob starting at the byte offset binwalk reported, when you need just the trailing archive isolated.$OFFSET = decimal offset from 'binwalk file.jpg'.

7z l file.png && 7z x file.png

List then extract any archive container 7-Zip recognizes inside the file; handles Zip/RAR/7z/tar and often succeeds where unzip fails.7z is more tolerant of odd offsets and container types.

pngcheck -v image.png

Validate PNG chunk structure and reveal extra, malformed, or hidden chunks (e.g. data after IEND) that legit viewers ignore.Data after the IEND chunk is a common hiding spot.

Brute Force & Passphrase Recovery

(5)

stegseek image.jpg /usr/share/wordlists/rockyou.txt

Vastly faster steghide cracker; brute-forces the passphrase against a wordlist and auto-extracts the payload on a hit.On authorized CTF artifacts only. rockyou.txt is the standard list.

stegseek --seed image.jpg

Recover steghide's empty-password / default-seed payloads without any wordlist by attacking the embedding seed directly.Try when a wordlist run fails but you suspect steghide was used.

for p in $(cat words.txt); do steghide extract -sf img.jpg -p "$p" -xf out_$p 2>/dev/null && echo "HIT: $p"; done

Plain-shell steghide passphrase loop when stegseek isn't available; prints the passphrase that successfully extracts.Slower than stegseek but dependency-free.

stegcracker image.jpg /path/to/wordlist.txt

Alternative steghide brute-forcer that wraps the steghide binary; usable when stegseek isn't installed.stegseek is much faster; prefer it when both are available.

fcrackzip -u -D -p rockyou.txt secret.zip

Dictionary-attack a password-protected Zip recovered from a stego carrier; -u verifies against actual decryption to drop false positives.Use zip2john + john/hashcat for stronger AES-encrypted Zips.

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Tools

What Is This?Cipher Decoder

Related Cheat Sheets

Hashcat Password Cracking Cheatsheet Cryptography Attacks Cheat Sheet

Frequently asked questions

What is the Steganography Cheat Sheet?+

It's a quick-reference collection of 28 Steganography payloads for testing Steganography vulnerabilities during authorized penetration testing, bug bounties, and CTFs. Every payload is copy-ready and grouped by attack context.

How do I use these Steganography payloads?+

Copy any payload straight into your authorized test, or use the What Is This? to apply them interactively. Only test systems you have explicit permission to assess.

Are these Steganography payloads free to use?+

Yes — this cheat sheet and all Steganography payloads are completely free, with no account required. Everything runs in your browser.

$loading...