Showing posts with label alternate data stream. Show all posts
Showing posts with label alternate data stream. Show all posts

Tuesday 20 March 2012

Some Fun With Alternate Data Streams

I have not been blogging for a while because of exams but now I'm free for few days so here comes another post back from my home village. This time, I'm going to share some basic funs with alternate data streams from theory to some practical stuffs.

What is Alternate Data Stream Alternate Data Stream(ADS) is a kind of file system fork which allows more than one data stream to be associated with a single filename. Alternate Data Stream was introduced by Microsoft as a part of its NTFS file system. Alternate Data Streams are not shown by Windows Explorer and even the dir command and size of ADS is also excluded from the file size. The dir command however allows us to view the alternate data streams using the dir /R command in Windows Vista and above.

One use of ADS could be hiding the information as alternate data streams in the file but beware that copying the file to non-NTFS file systems will make you loose the information in the ADS. ADS was originally introduced to store file information and properties however any user can hide any kind of information in the ADS. Some malwares have utilized the ADS to hide their code so most antiviruses today also scan the ADS of any file to find anything fishy.

Note that the format used to create(and access) ADS is filename:ADSname. A relatively simple guide I had written a while ago is HERE.

Now lets move on to some interesting stuffs and for that, I am creating a directory named "samar" in Desktop. We will first create a simple text file by using the command below:

echo An ordinary text file > ads.txt

Now lets add an alternate data stream by issuing the following command:

echo I am secret > ads.txt:private.txt

Lets issue the dir command to see what it lists:

Volume in drive C has no label.
 Volume Serial Number is 90E7-CBCA

 Directory of C:\Users\SINDHUS\Desktop\samar

03/20/2012  09:58 AM    <DIR>          .
03/20/2012  09:58 AM    <DIR>          ..
03/20/2012  09:56 AM                24 ads.txt
               3 File(s)             24 bytes
               3 Dir(s)  22,683,332,608 bytes free

We can see no information regarding the alternate data stream we just added to the file and lets see if the type command shows anything by just opening the file.

C:\Users\SINDHUS\Desktop\samar>type ads.txt
An ordinary text file

So where is the private stuff we've put as ADS in the file? Even viewing the file from windows explorer does not show the content in ADS and of course the size is also not included. The point here is the malicious user might add something bad in the alternate data stream and send to a normal PC user. The unsuspecting user will not know if there's anything other than just the text file. Now lets see how we can see the alternate data stream.

For a while, lets pretend that we don't know that the ADS is added in the file. So first we will use the commands to see if there's any ADS in the file. The simplest one is to use dir /R command as below:

C:\Users\SINDHU'S\Desktop\samar>dir /R
 Volume in drive C has no label.
 Volume Serial Number is 90E7-CBCA

 Directory of C:\Users\SINDHU'S\Desktop\samar

03/20/2012  09:58 AM    <DIR>          .
03/20/2012  09:58 AM    <DIR>          ..
03/20/2012  09:56 AM                24 ads.txt
                                    14 ads.txt:private.txt:$DATA
03/20/2012  09:58 AM               496 info.txt
               2 File(s)            520 bytes
               3 Dir(s)  22,881,669,120 bytes free

We can see that besides the ads.txt file, there is another entry ads.txt:private:$DATA. By examining this file, we come to know that the alternate data stream with the name private is present in the file ads.txt and the alternate data stream is nothing but just the data. However, as stated earlier, only Vista and above contain the dir command that lets us list the alternate data streams. In such case, you can download a small utility named streams from Microsoft Technet. The streams tool also allows us to delete the ADS easily which is possible but a bit obscure for normal PC user. Now to view the content of the alternate data stream, we will use notepad:

C:\Users\SINDHUS\Desktop\samar>notepad ads.txt:private.txt

Note that this time we didn't use type command since it does not support the use of colon in the command. We used the notepad but we could also use another command known as more as below:

C:\Users\SINDHU'S\Desktop\samar>more < ads.txt:private

I am secret

The fun with ADS just does not stop here. We could do much more than this but the basic idea is same. We can embed executables and codes within the ADS and run those executable whenever necessary. I'll leave this as homework for you guys since it won't be hard to figure it out once you've understood the basics I've discussed above.

The alternate data stream has already been exploited in IIS, the primary web server from Microsoft. Following is the example I've taken from OWASP on how it could be exploited in IIS.
Normal access: Show code bypass accessing the :$DATA alternate data stream:$DATA

Last thing I would like to discuss is how to delete the alternate data streams. The streamers tool provides a -d switch to delete the ADS and it also supports the wildcards for deleting the streams. Another way of deleting the alternate streams is to copy the file in non-NTFS drives such as to FAT32-formatted pendrives and then copying back. Of course, you could also save the content of main stream in another file and then delete the original file that consists of stream.

I hope this helps you. Please let me know if I should add something to it. :)