Posts

How To Hide All NTFS Alternate Data Streams

It’s possible to dump Alternate Data Streams (ADS) using the /r switch in the dir command.

Moreover, you can also use the streams.exe tool found within the Windows Sysinternals to dump the streams

On earlier Windows versions, ADS was hidden by concealing the reserved names as the base names.

Examples of such names include CON, NUL, COM1, COM2, LPT1, and others.

However, in Windows 10, this seems to be fixed; and doing the same may not be possible, but it still works.

The ADS on “…” was successfully created and listed by the tools.

Creating an ADS on COM1 results in an error, but does not have an effect on the system.

ADS can also be created on the drive using echo Sample123 > C:\:Sampleabc.txt that hides it from the dir/r command inside the C:\.

However, it will show the ADS inside subfolders of C:\ for the “..” directory, as shown below

The 12 NULL:Sample.txt:$DATA was created by the C:\:Sampleabc.txt ADS. This stream is also visible using the Sysinternals streams.exe tool, if it is called on directory C:\. You can use the “…” to hide it from both tools.

There is also another way of hiding it by using “<space>”at the end of the file, and Windows will automatically remove the space.

However, we can create such a file with ADS using tools that cannot open the file because of the file name. After truncation, it will be changed to a name without any space, which, in actual sense, does not exist.

Have a look at the screenshot below.

The ADS foobar.txt is not visible using the normal searching tools

NOTE: such files can be created using the echo test> . ..:$DATA

Also, note that Sampleabc.txt uses the same ADS that was used to create one on C:\:Sampleabc.txt.

Going by that reasoning, we can create a directory with the name “..”, as shown below.

If you try entering the folder or opening it, you’ll get the following error.

Other techniques such as cd ..\..\ also do not work. However, cd “..::$INDEX_ALLOCATION” works (the double quotes are part of the command).

Directories using the name “..” can be entered using the earlier mentioned technique.

NOTE 1: The folder named Test22 can be opened through the GUI by clicking it twice and all its contents will be displayed correctly. The only downside is that you cannot open its files because Windows will interpret it as a wrong path. Using PowerShell will lead to endless loops when searching such folders.

NOTE 2: An ADS can be created on a folder with names such as Sampleabc, and be renamed by including a number, because the name will not work. To access the folder, you must rename it to its original Sampleabc name.

File System Tricks vs. Antivirus Products and Forensic Software

We conducted a quick verification of the file system tricks against an antivirus software to see if some malware could go past the system vulnerabilities. The most notable discovery was that files or folders ending with “..” bypassed the system with ease.

Upon re-enabling the antivirus software and scanning the folder and file, the program identified its own files, the folder containing the copied files, and bypassed the virus in “Sample123..” or in any of the “foo..” folders.

When the folder and the file were opened, the antivirus program found them because the contents were loaded from the system to memory. Using the “remove” action from Windows Defender could not remove the files but the “remove” action from the antivirus software deleted them.

You can change this behavior in the file guard settings by setting the scan to “Thorough” so that it can scan through all the files. The Windows defender blocks the reading of some antivirus’ text files.

Furthermore, we conducted another test using forensic software (in this case Autopsy 4.6.0) by loading “logical files” into the tool within the running system, and not using an image. As a result, we could open the “..” folder but not the “foo. .” folder.

If we created another file called “Valid”, in addition to the “..” folder that contained a space at the end of its name, it was read by the system as “..” and could be opened by double clicking.

This is possible only on “logical files” mode, disk image mode, and when running Autopsy live mode (with everything configured correctly to access data using the API).

Protect yourself and discover all permissions owner on your Windows fileservers!

Pass your next security audit without worrying about security leaks!

Get your free trial of the easiest and fastest NTFS Permission Reporter now!



NTFS – How to Bypass Path Restrictions with Alternate Data Streams

Windows systems come with the Alternate Data Streams (ADS) feature that is supported by NTFS (Windows New Technology File System).

With ADS, you can fork data into an existing file without changing its size or functionality. You can use DOS commands, such as type to create ADS, alongside redirects [>] and colon [:] to fork one file into another.

Besides its benefits, hackers can compromise the ADS feature and penetrate into your system.

In this article, we’ll talk about how to use Alternate Data Streams to bypass path restrictions.

Storing NTFS files

Here is the format for storing NTFS files:

<filename>: <stream-name>:<type>

For example, by creating a file and naming it as Sample.txt, it will be stored as Sample.txt::$DATA because the stream name is empty and $DATA is the default type.

The loophole that exists in the creation of folders without permissions can enable this to be changed to INDEX_ALLOCATION, which may end up creating a directory.

You can also store data using Alternate Data Streams. For example, with Sample.txt you can use Sample.txt::$DATA even if the stream name is empty.

You can also do the same by changing it to Sample.txt:foo or Sample>txt:$DATA, which involves the same default type.

You can use a different name for file stream and store files depending on their origin. For example, if a file is downloaded from the Internet or email, Windows will add a Zone identifier to it via the stream name.

The zoning is what brings the popup dialog when you want to execute such a downloaded file.

For example, a file named Firefox.exe has an additional identifier as Firefox.exe:Zone.Identifier:$DATA, meaning that the stream names are visible using the /r switch alongside the dir command

The above command proves that you cannot read the Zone Identifier command via the command prompt.

It is recommended to omit the $DATA type when reading the file via notepad. What matters is that we can store data in ADS alongside their applications.

In our case, Firefox can be copied into an ADS and executed via the Windows Management Interface Command (WMIC).

NOTE: This vulnerability was reported to Microsoft and they made an update on WMIC process requests.

Bypassing path restrictions

ADS can be used to hide data when you use the dir command without the /r switch. ADS can also be used to create folders.

Creating folders is only possible if you own the “create folder” permission on the directory and that you will not use a number as the folder name.

The fact remains that an ADS on a folder is the same as a file from the parent folder.

When using Windows, any user cannot create files inside the C:\Windows, unless they are an administrator.

This scenario makes applications accessing drive C:\Windows to assume that files coming in are trusted; because of the assumptions that only admins can access this part of the system.

Normal users can use the C:\Windows\Tracing folder, which allows for the creation of both folders and files.

As an example, if a user writes to C:\Windows\Tracing:Sample.dll, this path passes to the Windows Application Programming Interface (API) that calculates the base folder, starting at the end of the path and going backwards until it finds the first \.

Then, it will read everything on the left of \ before being returned to the base folder. The result of C:\Windows|Tracing\:Sample.dll will be C:\Windows\ as base.

As already stated, a normal user cannot create files in this folder but use the trick shown here, which gives the impression that it has been stored in C:\Windows.

This behavior is applicable when bypassing some applications and whitelisting solutions that go through security checks.

For instance, if you have an application that allows the uploaded data to be stored in \uploadedData\, the application should start running scripts / application from the applicationFolder, and not the applicationFolder/ uploadedData.

A user who decides to upload a file by the name :foo.Sample can instruct the system to create an ADS in the applicationFolder\uploadedData:foo.Sample, and the file will look as if it’s stored in the application Folder\, which can enable the bypassing of security checks.

Another important aspect in ADS naming is the symbols used in filenames. Such symbols include and  *. This will force files to be created using the native Windows API because the cmd.exe filters the two symbols.

Filenames with symbols or those enclosed using the (quotation mark) may lead to several problems.

Dangers of ADS

If a website is running on Internet Information Services (IIS) and allows the uploading of files, it can be prone to Cross Site Request Forgery (CSRF) attacks.

Furthermore, if the process of uploading new files is not sanitized, the website may be susceptible to an injection attack, such as cross-site scripting attacks (XSS).

This scenario explains why file names should not have some symbols such as < or >. Since ADS can have the symbols, an attacker can send files and upload requests for filenames with ADS.

Prevent Unauthorized Access to Sensitive Windows Folders!

  • No more unauthorized access to sensitive data
  • No more unclear permission assignments
  • No more unsafe data
  • No more security leaks

Get your free trial of the easiest and fastest NTFS Permission Reporter now!

NTFS Alternate Data Streams: The Good and the Bad

Alternate Data Stream (shortened as ADS) is a feature of the Windows New Technology File System (NTFS) that, surprisingly, has both good and bad aspects.

In this article, we’ll uncover both its two sides so that you can be prepared at using it.

What are Alternate Data Streams?

An Alternate Data Stream is a little-known feature of the NTFS file system. It has the ability of forking data into an existing file without changing its file size or functionality.

Think of ADS as a ‘file inside another file’.

ADS exists in all versions of Microsoft’s NTFS file system, and it has been available since Windows NT was released.

It was originally intended to allow for compatibility with Macintosh’s Hierarchical File System (HFS).

Currently, all Windows Operating Systems, including the latest Windows 10 OS, supports the ADS feature.

So, what can you do with Alternate Data Streams?

ADS can allow you to store any type of file, such as texts, audios, videos, images, or even nefarious codes like viruses or trojans.

ADS contains metadata for identifying files according to various attributes, such as author, title, date modified, and more.

Furthermore, hackers can use Alternate Data Streams to launch Denial of Service Attacks (DOS).

Benefits of ADS

Before we look at how an attacker can hijack ADS for malicious reasons, let’s talk about some of its benefits, as described below.

  • Windows Resource Manager leverages ADS to identify high risk files that shouldn’t be accessed.
  • The Windows operating system uses ADS to encrypt and store files in a secure manner.
  • The Windows Attachment Manager uses ADS as a file scanner. This explains why sometimes you receive warnings when you open a file downloaded from the Internet.
  • The SQL Database server uses ADS to maintain database integrity.
  • Citrix’s virtual memory uses ADS to boost DLL loading speed.
  • Anti-virus applications, such as Kaspersky, uses ADS to enhance the scanning of files.

Creating an Alternate Data Stream

Creating an Alternate Data Stream is not rocket science; it’s extremely easy.

Basic DOS commands like type can be used, in conjunction with the [ > ] redirect symbol and [ : ] colon symbol, to fork a file into another file.

Let’s demonstrate the steps of using ADS to hide information in a file.

Step 1: Open the terminal and create a text file

C:> echo Today is going to be a great day > file1.txt

This command saves the given string to a text file called file1.txt

Step 2: Confirm the contents of the file 

Let’s now confirm the contents of the file by using the type command, as shown below.

C:> type file1.txt

Today is going to be a great day

Everything is working well, just as expected.

Then, let’s check the directory listing.

C:> dir file1.txt

Step 3: Append new content to the hidden file 

Let’s execute the following command:

C:> echo The sun is all up and the coast is clear > file1.txt:hidden

It appears that we have created a new file called file1.txt:hidden, which is not the case.

We have just created an Alternate Data Stream within the file1.txt file under the name ‘hidden’.

The filenamed file1.txt:hidden does not exist.

In fact, if we try to examine its contents, the Windows prompt will return an error, as illustrated below.

C:> type file1.txt:hidden

The filename, directory name or volume label syntax is incorrect

However, we can reveal the contents of the file, as shown below.

C:> more < file1.txt:hidden

The sun is all up and the coast is clear

Remember, the ‘original’ data stream is still there.

C:> type file1.txt

Today is going to be a great day

Yet, when we check the directory, there’s only one file, which is file1.txt.

C:> dir file1*

Here are three interesting points to note about the last directory listing.

  1. The timestamp has changed after adding the Alternate Data Stream file to the existing file. That is the only indication that a change has indeed happened.
  2. The file size remains unchanged as evidenced by the prefix 36 in file1.txt when checking the directory listing. This implies that you could have many ADS files within a file without your knowledge.
  3. Because of the subtle changes, it’s difficult to detect Alternate Data Stream files unless you use a third-party tool.

Risks Associated with Alternate Data Streams

Alternate Data Streams enables information to be hidden within other files. As such, it can be a security risk.

An attacker can easily store malicious codes or payloads and use them to cause damages to your system.

Let’s consider this example.

c:> type c:\windows\system32\calc.exe > file1.txt:calc.exe

The above command copies the Windows calculator program into an ADS file called calc.exe, which is linked to file1.txt.

To launch the hidden calc.exe copy from its ADS in file1.txt, an attacker can run the following command.

c:>start c:\file1.txt:calc.exe

Now, suppose that was not a calc.exe file but a destructive malware, it could lead to extensive damages to your system.

Conclusion

The greatest challenge with Alternate Data Streams is that, if used for nefarious purposes, they are extremely difficult to detect, unless you use third party applications.

Additionally, ADS cannot be turned off.

Therefore, it’s critical to institute robust measures to prevent its abuse.

Do you have any question or comment?

Please post them below.

Prevent Unauthorized Access to Sensitive Windows Folders!

  • No more unauthorized access to sensitive data
  • No more unclear permission assignments
  • No more unsafe data
  • No more security leaks

Get your free trial of the easiest and fastest NTFS Permission Reporter now!