Alternative Data Streams within NTFS

Sie Member Posts: 1,195

Just been having a play again with the Alternative Data Streams in NTFS and it's quite interesting and a very real security problem, so I thought I would provide some information here for those not aware of this functionality of NTFS.

ADS Functionality was originally added to NTFS by Microsoft to help with compatibility with MHFS (Macintosh Hierarchical File System) and involves the process of forking file data into existing files.

This does not affect the functionality, size or display information of the original file so is a favourite with Hackers to hide various tools and files within a compromised system, which can later be run from a command line.

I will firstly explain the process and provide links to various files that can detect the ADS to enable people to detect this hidden threat.

The Process

The basic functionality includes the type command, the > (Redirection) command and the : character.

Fire off a command prompt and we will run through a basic example!

Firstly we pipe a string of text into a new text document:

C:\> echo Normal Text File > Text1.txt

Now we check the size of the Normal Text File we created:

C:\>dir
Volume in drive C is CSCESOE20
Volume Serial Number is B8C0-5565

Directory of C:\

23/06/2008 00:46 <DIR> .
23/06/2008 00:46 <DIR> ..
23/06/2008 00:46 19 Text1.txt
1 File(s) 19 bytes
2 Dir(s) 7,061,213,184 bytes free


At this point you can open the text document to check you can view the text “Normal Text File” if you wish.

Next we create a second file and fork the data into the first.

C:\>echo Hidden Text File > Text2.txt

C:\>type Text2.txt>Text1.txt:Text2.txt

C:\>del Text2.txt


You will notice I also deleted the second text file so we know it's no longer present. Running the directory command, we can see the following output:

C:\>dir
Volume in drive C is CSCESOE20
Volume Serial Number is B8C0-5565

Directory of C:\

23/06/2008 00:50 <DIR> .
23/06/2008 00:50 <DIR> ..
23/06/2008 00:50 19 Text1.txt
1 File(s) 19 bytes
2 Dir(s) 7,061,213,184 bytes free


As you can see the file size has not been altered.

Opening the file displays the original text “Normal Text File”. In order to view the ADS we need to specify the stream.

C:\>notepad Text1.txt:Text2.txt

As you can see this now displays the hidden string we attached to the file.

This is a simple example but the problem comes when you realise you can inject various files, audio, video, text or even exe files.
In the following example I have already copied the notepad.exe and calc.exe files to the folder I am using.

C:\>dir
Volume in drive C is CSCESOE20
Volume Serial Number is B8C0-5565

Directory of C:\

23/06/2008 01:02 <DIR> .
23/06/2008 01:02 <DIR> ..
23/06/2008 01:01 114,688 calc.exe
04/08/2004 05:56 69,120 notepad.exe
2 File(s) 183,808 bytes
2 Dir(s) 7,060,746,240 bytes free

C:\>type notepad.exe>calc.exe:test.exe

C:\>del notepad.exe

C:\>dir
Volume in drive C is CSCESOE20
Volume Serial Number is B8C0-5565

Directory of C:\

23/06/2008 01:00 <DIR> .
23/06/2008 01:00 <DIR> ..
23/06/2008 01:00 114,688 calc.exe
1 File(s) 114,688 bytes
2 Dir(s) 7,060,967,424 bytes free



Now when we run calc.exe the calculator starts.

C:\>start calc.exe

However when we specify the ADS notepad.exe starts.

C:\>start calc.exe:test.exe

At this point open up Task Manager and see what application is running...

That's right, it's calc.exe and not the program we have actually run.

As you can see from these simple examples, this process can be used to hide and run exe files from a compromised system without the owner knowing of their existence.

(Note: The files do not need to be injected into other files at all; they can be injected into a directory as well.)

In order to locate the ADS and injected files you need to use a third-party application: lads.exe by Frank Heyne (http://www.heysoft.de) and crucialADS by CrucialSecurity (http://www.crucialsecurity.com/index.php?option=com_content&task=view&id=95&Itemid=137) both display the additional stream and can highlight this issue.

So my final question, what is really lurking on your FTP/RRAS Server?

Disclaimer: This documentation is provided to highlight this security issue and is not provided to enable the reader to use the above for malicious use. By using the above information you agree that I accept no responsibility for its utilization.
Foolproof systems don't take into account the ingenuity of fools
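The detection tools named above are third-party; the same scan can be done with built-in PowerShell. The following is an added example, not code from the original post, and assumes Windows with PowerShell 3.0 or later (for the -Stream parameter) on an NTFS volume. It lists only named streams, skipping the unnamed ':$DATA' stream that every file has, so the output is not swamped with normal files.

```powershell
# Added example, not from the original post. Assumes Windows, PowerShell 3.0 or later
# (the -Stream parameter on Get-Item/Set-Content/Remove-Item) and an NTFS volume.

function Find-AlternateStreams {
    # Lists every named stream under $Path, skipping the unnamed ':$DATA' stream
    # that every file has. Directories are included because they can carry ADS too.
    param(
        [Parameter(Mandatory)] [string]$Path,
        [switch]$IncludeZoneIdentifier  # Zone.Identifier is the normal "downloaded from" marker
    )
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
                ForEach-Object {
                    [pscustomobject]@{
                        Path   = $item.FullName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                        # Reading a stream uses the file:stream syntax shown in the post
                        ReadWith = "Get-Content -LiteralPath '$($item.FullName)' -Stream '$($_.Stream)'"
                    }
                }
        }
}

# Constructed sample: recreate the Text1.txt / Text2.txt case from the post in a temp folder.
$demo = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -LiteralPath "$demo\Text1.txt" -Value 'Normal Text File'
Set-Content -LiteralPath "$demo\Text1.txt" -Stream 'Text2.txt' -Value 'Hidden Text File'

# A plain dir listing reports only the main stream's size; the scan reports the hidden one.
Find-AlternateStreams -Path $demo | Format-Table Path, Stream, Bytes -AutoSize

# Remediation once a stream is confirmed unwanted: remove just that stream, not the file.
# Remove-Item -LiteralPath "$demo\Text1.txt" -Stream 'Text2.txt'
```

Point the function at a whole volume to sweep it; the ReadWith column gives the exact command to inspect a suspicious stream before deciding whether to remove it.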

Comments

  • astorrs Member Posts: 3,139
    Good write up. The tool I've used in the past to work with them is streams.exe from Sysinternals. http://technet.microsoft.com/en-us/sysinternals/bb897440.aspx
  • Sie Member Posts: 1,195
    astorrs wrote:
    Good write up. The tool I've used in the past to work with them is streams.exe from Sysinternals. http://technet.microsoft.com/en-us/sysinternals/bb897440.aspx

    Cheers Astorrs, yeah have looked at streams as well but forgot to add it to the write up, doh!
  • tiersten Member Posts: 4,505
    dir /r on a recent version of Windows will show it and Microsoft have an extension that will show it in the properties dialog box.
  • Sie Member Posts: 1,195
    Thanks tiersten, I cannot find any documentation about these; do you have any links you can supply?

    Both XP SP2 and Win 2003 Enterprise SP2 don't seem to support the dir /r or dir /R switch - Invalid Switch - "r". Are we talking 2008 here?

    The only file I can find mentioned in MS documentation for displaying ADS is Streams as stated by astorrs
  • dynamik Banned Posts: 12,312
    Interesting post. Thanks :D
  • astorrs Member Posts: 3,139
    Sie wrote:
    Thanks tiersten, I cannot find any documentation about these; do you have any links you can supply?

    Both XP SP2 and Win 2003 Enterprise SP2 don't seem to support the dir /r or dir /R switch - Invalid Switch - "r". Are we talking 2008 here?

    The only file I can find mentioned in MS documentation for displaying ADS is Streams as stated by astorrs
    Server 2008 and Vista support the /r switch, but you can't really search the HDD for files with associated streams as it displays way too much information.

    Never heard of the extension. I'd like to have a look though...