An interesting data hiding technique.
keatron
Member Posts: 1,213 ■■■■■■□□□□
Hello TE community,
I decided to begin posting some training-like posts in order to help those of you coming into the security field get a dose of the real world. I'll start with something known as alternate data streams (or ADS). This is unique to NTFS volumes, and before anybody posts the question, don't even get me started on speculating why Microsoft included this with the NTFS file system. It's there, I'm going to explain it and show you how to take advantage of it (and how attackers take advantage of it), and pray that you only use the knowledge for good intentions. I recently did some forensics on a few workstations at a finance company. The suspected person used this technique for....errrr, let's just say the wrong reasons. So don't ever underestimate the resourcefulness and research skills of end users when they're trying to do something dirty. Remember, Google and relay rooms keep no secrets.
Since the earliest creation of NTFS, Microsoft has included support for HFS (an Apple file system). HFS consists of two different arms, a data arm and a resource arm. What does this mean for NTFS? Well, a file entry in the MFT (Master File Table) can have additional attributes, mainly additional data streams associated with the primary stream. I'm going to post instructions to demonstrate this to yourselves, and again, don't misuse this knowledge. You will not need to download any tools or special software; this is NTFS in its native default mode. So let's go. All commands should be typed exactly as they are displayed.
Go to your command prompt, cd .. all the way to your root (when the prompt reads C:\>), then type the following:
mkdir techexamstest
Then CD to that directory by typing cd techexamstest
Now type the following exactly as I type it
echo “What is Keatron up to?” >techexamstest.txt
For those of you not too familiar with the command prompt, we just instructed your machine to create a text document named techexamstest.txt in the current directory. The text file will contain the text "What is Keatron up to?". Go ahead and browse to the current directory via Explorer, find the file, and open it to verify that you got it right and the text is there.
No big deal right? Now type the following at your command prompt.
echo “Now I see how people hide data, and various files by using this technique. I promise not to get myself in trouble with this” >techexamstest.txt:ads.txt (there is a space between the last " and the > symbol)
Now browse to the same directory again and see if you see the file you just created. Not there? Do a dir command from the DOS prompt and see if the file shows up......not there again. Now, type the following at the command prompt:
notepad techexamstest.txt:ads.txt
The document should open in Notepad and have the text in it you typed previously. Where was the file? Why couldn't Explorer see it? Why couldn't you see it listed in DOS when you did the dir command? What could be some damaging results of someone maliciously using this functionality?
Needless to say, you need tools to detect and locate these kinds of files. We'll talk more about that later.
Keatron.
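The same walkthrough in PowerShell, as an added example that is not part of the original post, followed by the checks that actually reveal the hidden stream. It assumes PowerShell 3.0 or later (the -Stream parameter) and that %TEMP% sits on an NTFS volume; the directory and file names are the ones used above.

```powershell
# Added example, not from the original post. Requires an NTFS volume and PowerShell 3.0+.
$dir  = Join-Path $env:TEMP 'techexamstest'   # assumption: %TEMP% is on NTFS
$file = Join-Path $dir 'techexamstest.txt'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# The primary (unnamed) stream: this is all Explorer and a plain dir ever show.
Set-Content -Path $file -Value 'What is Keatron up to?'

# A named stream, ads.txt, attached to the very same MFT entry.
Set-Content -Path $file -Stream 'ads.txt' -Value 'Now I see how people hide data by using this technique.'

# 1. A directory listing shows one file, and Length counts only the primary stream.
Get-ChildItem -Path $dir | Select-Object Name, Length

# 2. Enumerating the file's streams shows both (the unnamed one is reported as ':$DATA').
Get-Item -Path $file -Stream * | Select-Object FileName, Stream, Length

# 3. The named stream can be read directly, exactly as notepad file.txt:ads.txt does.
Get-Content -Path $file -Stream 'ads.txt'

# 4. cmd.exe equivalent (Vista and later): dir /r lists streams as techexamstest.txt:ads.txt:$DATA
cmd /c dir /r "$dir"

# 5. Removing the stream keeps the host file; deleting the host file takes every stream with it.
Remove-Item -Path $file -Stream 'ads.txt'
Get-Item -Path $file -Stream * | Select-Object Stream
```

Step 1 is the practical lesson: the file size you see in a listing is the size of the primary stream only, so a 1 KB text file can carry megabytes in a named stream without looking any different.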
Comments
Slowhand Mod Posts: 5,161
Wow, that is actually very interesting. . . and useful. I'm going to be playing more with the ADS, and see what comes up. (I don't even want to think of what's hidden on our servers, at work.) Thanks a lot, keatron. Keep those training-like posts comin'.
Free Microsoft Training: Microsoft Learn
Free PowerShell Resources: Top PowerShell Blogs
Free DevOps/Azure Resources: Visual Studio Dev Essentials
Let it never be said that I didn't do the very least I could do.
keatron Member Posts: 1,213 ■■■■■■□□□□
Slowhand wrote:
Wow, that is actually very interesting. . . and useful. I'm going to be playing more with the ADS, and see what comes up. (I don't even want to think of what's hidden on our servers, at work.) Thanks a lot, keatron. Keep those training-like posts comin'.
I've actually had nightmares of some nasty perl scripts or shell code being hidden in files waiting for an attacker to come back and make use of.
eurotrash Member Posts: 817
With me the file shows up, it simply doesn't display any text (or at least not the text I put in with the ads thing) unless I open it as you said.
witty comment
keatron Member Posts: 1,213 ■■■■■■□□□□
1. Are you using an NTFS volume?
2. Are you sure you're seeing the right file? You should see techexamstest.txt, but you shouldn't see techexamstest.txt:ads.txt
eurotrash Member Posts: 817
keatron wrote:
1. Are you using an NTFS volume?
2. Are you sure you're seeing the right file? You should see techexamstest.txt, but you shouldn't see techexamstest.txt:ads.txt
2. I'll admit I thought it was supposed to be the same file. But how about this:
I created an empty folder, then did the echo "blah" >file.txt:ads.txt (without first creating a normal file) -- the "file.txt" appears, but when opened is empty. However, opening it with notepad file.txt:ads.txt produces the hidden text.
Now I know that the visible file is the one created with the :ads.txt, because not only does it appear when I do that command, but when I delete the file I am no longer able to open the :ads.txt file.
From your point 2, it seems you're saying that there should be two files: one visible (techexamstest.txt) and one invisible (techexamstest.txt:ads.txt).
However I just did it your way again and then deleted the visible file (.txt), after which I was no longer able to open the :ads.txt version.
So what am I missing?
Slowhand Mod Posts: 5,161
You're not missing anything, that's the way it's supposed to work. The ADS isn't a "separate file", per se. It's a separate data stream for the original, visible file.
Slowhand Mod Posts: 5,161
keatron wrote:
I've actually had nightmares of some nasty perl scripts or shell code being hidden in files waiting for an attacker to come back and make use of.
I think we've all had that dream. Of course, in mine, it's always a clown doing the scripting. . . can't sleep, or clown will hack me. (Yeah, I've been watching too much Simpsons.)
Non-Profit Techie Member Posts: 418 ■■□□□□□□□□
Thanks Keatron. That is pretty cool. I can hide stuff from my wife now, lol. JK
I can clearly see how stuff like this will make having a secure computer very difficult.
sprkymrk Member Posts: 4,884 ■■■□□□□□□□
One thing to keep in mind if you do use a tool that scans for ADSs is that there are some legitimate ones (okay, maybe legitimate is the wrong word) that Windows does create and use. Off the top of my head I think thumbnail image files are one example.
Keatron, can you confirm?
All things are possible, only believe.
Slowhand Mod Posts: 5,161
I think IE adds some info in the ADS about "transfers from zone 3", (which would be the internet.) Sound about right?
keatron Member Posts: 1,213 ■■■■■■□□□□
sprkymrk wrote:
One thing to keep in mind if you do use a tool that scans for ADSs is that there are some legitimate ones (okay, maybe legitimate is the wrong word) that Windows does create and use. Off the top of my head I think thumbnail image files are one example.
Keatron, can you confirm?
Yes Mark, you're correct, but it's just like scanning the system for ANY type of file to delete: you need to have an idea of what's required and what's extra. Your point simply illustrates the depth of knowledge you need to have as far as the Windows OS before doing a forensic investigation.
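A first-pass triage scan that puts the point above into practice, as an added example that is not part of the thread. It walks a tree, enumerates every named stream, and ignores the streams Windows writes itself: the unnamed data stream (reported as ':$DATA') and Zone.Identifier, the "mark of the web" that Internet Explorer and later Windows components attach to downloaded files (ZoneId=3 is the Internet zone, which is the "zone 3" mentioned above). Everything else is reported with its size and first bytes so a script or an executable header stands out. The $Root path and the $expected allowlist are assumptions; extend the allowlist as you learn what your own builds and applications create.

```powershell
# Added example, not from the thread. PowerShell 3.0+ on Windows, NTFS volume.
$Root = 'C:\Users'   # assumption: the tree to inspect

# Streams the OS itself creates and that a scan should not flag (extend for your environment).
$expected = @(':$DATA', 'Zone.Identifier')

function Get-StreamHead {
    # Return the first $Count bytes of a stream as hex. A PE dropped into a stream
    # shows up as "4D 5A" (MZ); a script shows up as readable text.
    param([string]$Path, [int]$Count = 16)
    $fs = [System.IO.File]::OpenRead($Path)   # .NET accepts file:stream paths on Windows
    try {
        $buf = New-Object byte[] $Count
        $n   = $fs.Read($buf, 0, $Count)
    } finally {
        $fs.Close()
    }
    if ($n -le 0) { return '' }
    return ($buf[0..($n - 1)] | ForEach-Object { '{0:X2}' -f $_ }) -join ' '
}

function Find-UnexpectedStreams {
    param([string]$Path, [string[]]$Allow)
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $Allow -notcontains $_.Stream } |
        ForEach-Object {
            [pscustomobject]@{
                File   = $_.FileName
                Stream = $_.Stream
                Bytes  = $_.Length
                Head   = Get-StreamHead -Path "$($_.FileName):$($_.Stream)"
            }
        }
}

Find-UnexpectedStreams -Path $Root -Allow $expected | Format-Table -AutoSize
```

Zone.Identifier is skipped here because it is expected, not because it is uninteresting: on a forensic image its ZoneId and, on newer Windows versions, its ReferrerUrl and HostUrl fields tell you where a file came from, so read it rather than delete it.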
KGhaleon Member Posts: 1,346 ■■■■□□□□□□
That's pretty nifty, but can you view the data with a hex editor?
KG
Present goals: MCAS, MCSA, 70-680