Alternative Data Streams – bits and pieces.

Published 2012-05-13 at https://www.phillips321.co.uk/2012/05/13/nftf-alternative-data-streams-bits-and-pieces/

For those not familiar with the world of NTFS: it offers a feature known as Alternate Data Streams (http://en.wikipedia.org/wiki/NTFS#Alternate_data_streams_.28ADS.29) which allows a user to attach hidden content to a file.

They are typically generated using echo or type, so creating or viewing these streams normally requires a command prompt.

However, an alternative method on the XP and 2K/2K3 series of operating systems was to add data to the summary properties of a text document created in Notepad; as it turns out, this data was held within an ADS associated with the original text file.

What happens if, like me last week, you find yourself on a system with a tight group policy forbidding command line access and an execution arbiter that works from a whitelist of very, very few programs?

You get creative.

I know:

    type hideme.txt > public.txt:hideme.txt

will generate an ADS.

I also know that typing

    notepad c:\path\to\public.txt:hideme.txt

will let me edit the contents of hideme.txt, which would not ordinarily be accessible by any other means.

Unfortunately, opening a file in Notepad and entering public.txt:hideme.txt as the filename in the Save As box will not work, as Windows dislikes the colon.

But what else runs console commands?

Batch files – nope, not in this case; the execution arbiter stops batch files running.

What about shortcuts?

Bang on.

Right click, "Create New -> Shortcut".

Enter "notepad" (without quotes) as the target, and complete the wizard with the defaults.

Right click the created shortcut and change the target field to:

    %windir%/system32/notepad.exe "c:\path\to\public.txt:hideme.txt"

Save the changes and double click the shortcut.

Pow! You're now editing an ADS attached to the public.txt file you had available earlier. ADS created, and without additional tools you're free to hide data away from an administrator's prying eyes on a system that gave you no access to a command prompt, stopped you running batch files, and more...

What Next

So with that juicy thing done, what else could I do? What about exporting sensitive company data? Maybe a company's customer contact list, or medical records, or financial details?

Hmm, okay, so I'm going to have to get it off the system somehow, but the company is smart and doesn't allow the use of USB drives, so I can't use an NTFS-formatted USB drive to export data (on non-NTFS file systems the ADS is dropped, as it's not supported).

What about CD? Well, I did say that on non-NTFS file systems the ADS disappears. It's true for CDs: the ISO9660 and UDF formats don't support alternate data streams, so you're stuck again.

Except, what if you change the file?

What if you zip it? Then burn the zip?

Well, sad to say, using WinZip v14+ and the default Compressed Folders function in Windows, I believe you're out of luck; both tools appeared to just drop the ADS content on the floor.

Using WinRAR to create the zip, however... I've shown that it maintains the ADS across file systems. Now, my test used a local FAT32-formatted partition and an NTFS one; I didn't actually burn it to CD-ROM, so it may not be the case, but it's certainly looking promising.

If it is the case, having the ability to covertly export and import information using ADS suddenly becomes a big issue.

I plan on looking into it a bit more, as it could have just been a series of flukes that worked for me, but it was definitely promising.

My initial thoughts for this are: a uuencoded zip file (ASCII friendly, so it will play nice as ADS content) containing lots of juicy personal information that shouldn't be leaked. Add it to a benign text file expected to leave the building. WinRAR zip the lot, burn to CD... get home and do the reverse.

Ba doom boom! You've just circumvented the whole lot of data controls put in place to protect a company's data.