17. Alternate Data Streams Demonstration – B
Let’s try, how about Notepad? And I’m going to start this with a colon, and I’m just saying :udemy.txt. Okay. And I’m going to put in a whole bunch of junk in here, all right? And I’m going to go ahead and save it, get out of here. And of course, that’s going to show up at, where is it? :udemy.txt. Oh, there it is. Now, hold on a second, Tim. First off, you lied to us. You said it had to be anchored to a writable file. It is anchored to a writable file. Can anybody think of the writable file I’m anchored to? I’ll usually let this go by for a little time with several guesses, and a lot of the people will say, well, yeah, but let’s check to make sure what attributes you have on here, and I’ll do anything you want. Here’s all the attributes.
It’s only the archive attribute, nothing else needed. There’s nothing. No smoke and mirrors here. What happened? Well, in reality, it is anchored to a file. It’s anchored to the directory. The directory is a file. We typically don’t think of the directory as being a file, but it is a file. And usually about this time I get the question that says, how do we know if we have these? Well, until Vista, Microsoft gave you no tools to be able to detect alternate data streams, so you had to rely on things from the resource kit. One that Mark Russinovich created called Streams. Streams. There was another one called LADS, which stands for Locate Alternate Data Streams, that I like to use.
There are all my alternate data streams that I just created for you. Wow. Oh, it gets worse, folks. Just hang on for just a second. So let’s go back and do that same thing that I did with a type, but let’s change this to what? sol.exe, for Solitaire. And I’m going to put this into tim. Just do :prog2, and I’m going to say c:\tim:prog2. Okay. Now, if I type in dir right here, there doesn’t seem to be anything there, but if I type in start, one more time, I’m going to type in start c:\tim:prog2.exe and wow. Okay, so let me see if I understand this, Tim. What you’re saying is that I could have a file that I, let’s say, downloaded from the Internet. I can’t even see the file in my directory, and it could have malware attached to it.
Yeah, that’s what I’m telling you. That’s exactly what I’m telling you. When are they going to fix it? Remember, folks, this is a feature, and I’m going to explain exactly that. About this time I usually get from somebody in the class, how do we get rid of this? Well, the easiest way to get rid of it, if you wanted to do so, is to copy it to a file system that doesn’t support alternate data streams: a FAT or a FAT32, an ext3 or ext4. None of those support alternate data streams, and they would just simply be stripped off. So let’s demonstrate that. I’m going to go ahead and go out to the tim directory here, and I’ll open up another one where I’ve got, you can see that this is, back this up here.
You can see this is a FAT file system here. And I’m going to grab that file right there and drag it over here. It says immediately the file tim.txt, or the file tim, has extra information attached to it that might be lost. If you continue copying, the contents of the file won’t be affected. The information that might be lost includes, and it names both the data streams. If I click yes, this file right here, it’s like the old Poltergeist movie when you saw the little old lady who cleaned the house. She came up and said, this house is clean. Well, this file is clean right now. Now, of course, I’d have to copy it back over here and overwrite that file to complete the process, but you get the idea.
Well, what about the one that’s attached to the directory, Tim? Well, let’s just give this a shot. All right, if I click here, okay, here’s prog2 and udemy. Yes. Oh, and here come the other ones, because tim’s in there, too. Yes. Now the entire directory and the files are completely clean. And copying it back over here, of course, overwrites it. So you might be asking yourself at this point, okay, I can see that, but this just doesn’t seem like it’s a good idea. Well, let me show you how Microsoft has been using this for years. This is the utility right here that’s going to scan my entire C drive and look for files that may have alternate data streams attached to them. It’s already found some.
You can see CA Setup, Ethereal Setup. It looks like a lot of files that are setup files, or maybe files I downloaded from the Internet. Notice it says Zone.Identifier. That’s the name of the alternate data stream. And I’m going to wait for this to finish, and I may speed the video up while I’m editing this, but you will see those files that I created as well. In other words, you’ll see udemy and you’ll see the other ones that I created here after it gets done. There we go, right here. So there’s prog2, udemy, prog1, all of that kind of stuff. So you might be asking yourself, well, what are these things then? Have you ever double-clicked on a file and it said, excuse me, this file came from the Internet, and it could be malicious?
Are you sure you want to do this? Where do you think it’s getting that information? Microsoft’s attaching an alternate data stream to that file, and that’s how it knows. It knows that it came from a particular zone. Like I said, Microsoft has been using this for years. They just simply didn’t seem to think they needed to tell you about it. Let’s go even further. If you’ve ever seen the file Thumbs.db. Now, Thumbs.db, most people will tell you, is a database containing the thumbnail images for our files. And that’s partly true if we turn the thumbnails on. Doing just a little bit of calculation, a thumbnail is usually about 30 to 80K.
All right? And I also told you that we can only hold 256 alternate data streams attached to one file, right? If you look at Thumbs.db, you’ll typically see the size of it as about 100K. Just simply doing the math, it could not possibly contain those files. As a matter of fact, it doesn’t. Thumbs.db is the anchor file for the alternate data streams. Have you ever noticed as you’re scrolling through a bunch of, let’s say, family photos, and it pauses for just a second and, oh, here they come? Well, it has to shuttle the old ones out and the new ones in. It can only hold 256 at a time. Like I said, they didn’t seem to think they needed to tell you about it. And before you get all that upset, remember, I’m using air quotes here.
Feature. This is a feature. They’re not fixing this. Okay, what else could we do? And this one is, I have to admit, this one is a little bit upsetting. All right, so what I’m going to do is I’m going to type in notepad. Let’s try udemy.txt, and I’m just going to put in a bunch of junk in here, right? I’ll save the file. And we remember from our cryptography section that if I drag that particular file into this right here, it’s going to calculate the MD5 hash of that file, as we would expect it to do. All right? So here’s the tim directory. Let’s move this up out of the way a little bit, and let’s drag in udemy.
And you can see that it ends in what looks to me like 3355. All right, there we go. Okay, so now what we’re going to do is I’m going to do notepad again. I’m going to put in :secret. I guess you could name the alternate stream anything you want, okay? Put in just a whole bunch of junk, save the file, and naturally, I’m going to go back out here. I’m just going to do LADS. All right? And you can see that udemy has 41 bytes in the main stream, and it has 48 bytes in the alternate data stream. Okay, great. And we also know that just the main stream, it ended in 3355. So let’s go ahead and drag this in here. It didn’t change. Do it one more time. Oh, it didn’t change. Okay, Tim, now I’m really upset.
You’re telling me that I could copy a file off of the Internet, make sure that the hash matches what they have on the Internet, and it still comes back and whacks me. Yeah, that’s what I’m telling you. Now, I was a little bit hard on Windows just then, because in reality, most hashing algorithms do not hash alternate data streams. The only one that I have found that does is Tripwire. Now, I could write one that does, but your standard one does not. And unless it comes back and gives you several streams like Tripwire does, it’ll say, here’s the main stream, here’s the second one, here’s the third one, and so on. I would imagine they did this to avoid confusion, but I’m not quite sure. More than likely, if it had all that stuff on there, you would know what to trust, right?
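The hash demonstration above, as an added example that is not part of the course material: a PowerShell script that attaches an alternate stream to a scratch file, shows that the ordinary file hash does not move, and then hashes every stream the way the lecture says Tripwire does so that a change in any stream is caught. It assumes Windows on an NTFS volume with Windows PowerShell 5.1 or PowerShell 7; the function names `Get-StreamBytes`, `Get-StreamHashes` and `Get-CompositeHash`, the scratch directory under `$env:TEMP` and the sample contents are all constructed for this example.

```powershell
# Added example, not the course's code. Assumes Windows, NTFS, PowerShell 5.1 or 7.

function Get-StreamBytes {
    param([string]$Path, [string]$Stream)
    # Get-Content's byte switch was renamed between Windows PowerShell 5.1 and PowerShell 7
    $bytes = if ($PSVersionTable.PSVersion.Major -ge 6) {
        Get-Content -LiteralPath $Path -Stream $Stream -AsByteStream -Raw
    } else {
        Get-Content -LiteralPath $Path -Stream $Stream -Encoding Byte -Raw
    }
    if ($null -eq $bytes) { return [byte[]]@() }   # empty stream
    return [byte[]]$bytes
}

function Get-StreamHashes {
    # One SHA256 per NTFS $DATA stream of the file; ':$DATA' is the visible main stream
    param([Parameter(Mandatory)][string]$Path)
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    foreach ($s in Get-Item -LiteralPath $full -Stream *) {
        if ($s.Stream -eq ':$DATA') {
            $hash = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
        } else {
            $ms = [System.IO.MemoryStream]::new((Get-StreamBytes -Path $full -Stream $s.Stream))
            try { $hash = (Get-FileHash -InputStream $ms -Algorithm SHA256).Hash }
            finally { $ms.Dispose() }
        }
        [pscustomobject]@{ File = $full; Stream = $s.Stream; Length = $s.Length; SHA256 = $hash }
    }
}

function Get-CompositeHash {
    # Hash over all per-stream hashes in a fixed order: adding, removing or editing any ADS changes it
    param([Parameter(Mandatory)][string]$Path)
    $lines = Get-StreamHashes -Path $Path | Sort-Object Stream | ForEach-Object { "$($_.Stream)=$($_.SHA256)" }
    $ms = [System.IO.MemoryStream]::new([System.Text.Encoding]::UTF8.GetBytes(($lines -join "`n")))
    try { (Get-FileHash -InputStream $ms -Algorithm SHA256).Hash } finally { $ms.Dispose() }
}

# --- demonstration on constructed sample data in a scratch directory ---
$dir  = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'udemy.txt'
Set-Content -LiteralPath $file -Value 'this is the visible main stream'

$mainBefore      = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
$compositeBefore = Get-CompositeHash -Path $file

# Same effect as the lecture's notepad udemy.txt:secret, without the editor
Set-Content -LiteralPath $file -Stream 'secret' -Value 'constructed hidden content'

$mainAfter      = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
$compositeAfter = Get-CompositeHash -Path $file

"Main-stream hash unchanged: $($mainBefore -eq $mainAfter)"           # plain hashing misses the ADS
"Composite hash changed:     $($compositeBefore -ne $compositeAfter)" # per-stream hashing catches it
Get-StreamHashes -Path $file | Format-Table -AutoSize
Get-ChildItem -LiteralPath $dir | Format-Table Name, Length          # dir-style view shows the main stream size only
```

The composite hash is the property an integrity checker needs: it is stable while no stream changes and moves as soon as one does. Per-stream rows are still worth recording, because a stream named Zone.Identifier is expected on downloads while a stream named secret on a text file is not.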
18. Alternate Data Streams Demonstration – C
Typically the questions I get at this point are, well, what happens if I copy a file from a file share to another one? It will keep the alternate data stream as long as the source and the destination are on NTFS. Okay, Tim, then what happens when I email it? Well, now that’s a perplexing question. If you email it internally in your same corporation and your email server is an Exchange hosted on an NTFS file system, it will most likely keep it. But if it goes out onto the Internet, it’s almost guaranteed to lose it, because email is a store-and-forward system and virtually all of the email servers on the Internet are Linux. And Linux doesn’t support this. It’ll just simply strip it off.
Wow, man, how am I going to remember all this stuff? Well, I tell you what, let me show you a real quick, easy way to remember very quickly all the stuff I just showed you. Now in Google right here, I want you to type in these words: naughty linux women avi. It’s not dirty. I promise it’s not. And when you click on Google Search, the very first link is A Practical Guide to Alternate Data Streams. I don’t know why; I just remember naughty Linux women for some reason. That’s one of the examples he used in his examples. But every single thing that I showed you in the previous demonstration is right here. And I want to show you one more thing. I want you to take a look at this: hiding and running an executable.
And I want you to notice that we can do the same thing on IIS. Here we have echo the file and put it into the txt. Then I’m going to type the xx.php and put that into the txt:x.php. Now when we navigate out to the file txt, it just simply says the text file, just exactly as we’d expect. But when we navigate out all the way, putting in the colon and the x.php, it said, if I see this, I know it works. So you’re saying that Internet Explorer would be able to whack you with an alternate data stream from your browser? Yeah. So I guess look for the colons in the URL. I mean, I’m being facetious of course there, guys, but come on, this is just ridiculous. Let me tell you a couple of other things that we may need to be aware of, if any of you are developers.
It’s very easy for a developer to use what’s called a temporary file. We just take a temporary file, write something into it, we don’t really care about it, it doesn’t matter, and throw it down into the web root directory, and maybe we’ll clean it out later, maybe we won’t. If there is any writable file from the web in that directory, I can not only write to that file, but I can take your whole thing down, because I can just put in whatever I wanted to into the file, filling your file system up. And you’re going to have a very difficult time understanding what’s happening, because by doing just a dir, it’s going to look perfectly normal. There actually was a virus that came out back in 1999. You’ll get a kick out of this.
And what happened was it filled up the file system using an alternate data stream the very first day, and I’m holding my hands completely apart. It was completely full. The very next day, they deleted the alternate data stream. I’m holding my hands together again. It’s back down to normal. The very next day, it filled up the file system again, I’m holding my hands completely apart, and the next day, back down to normal by deleting the alternate data stream. And the part you’ll get a chuckle out of: they called this the Oprah Winfrey virus. Okay, guys, the jokes aren’t getting any better. You need to start laughing at them now. But here are all of the things that I showed you.
And I usually get a pretty good amount of applause on this because most people didn’t even know this was there. Another question before I take off. What I’m going to do is, first off, I want to type in winver to prove to you that this is a Windows 7 machine, okay? I was using a Windows XP machine. I want to make sure that you don’t think, well, they got rid of it later on, or it’s not as bad later on. Make a directory, call it tim, I guess. Change directory to tim. And then I’m going to just do notepad tim.txt. And here’s my Notepad here. I just put in some junk, save. All right. If I type in dir, you can see I do indeed have tim.txt. Now I’ll do notepad tim.txt again, and now I’ll put in :secret. Okay? It prompts about the file. I’ll just go ahead and put in save.
And dir still shows 22 bytes. There is secret, and there’s tim.txt. Now, one thing Microsoft did do for us on this, on Vista and above, there is an undocumented command that will reveal alternate data streams. It’s part of the dir command. So if you type in dir /R, it will show you where your alternate data streams are. So naturally, you could do cd and do dir /R, and I could even pipe that over to find. And I’m looking for a string that has $DATA in it, because that’s what all the alternate data streams will have, $DATA, here. And I think I put that over here. Yes, I do. And doing this, you can see, my gosh, look who else is using it, folks. Dropbox also uses that alternate data stream. Things that make you go, hmm. Okay, folks, I hope you enjoyed that.
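The dir /R | find "$DATA" sweep above, as an added example that is not from the course: a PowerShell audit that walks a directory tree, lists every stream other than the main one on files and on the directories themselves (the lecture’s :udemy.txt case), shows the Zone.Identifier contents that drive the “this file came from the Internet” prompt, and finishes with the same dir /R command for comparison. It assumes Windows, an NTFS volume and Windows PowerShell 5.1 or PowerShell 7; the function name `Find-AlternateStreams`, the scratch tree under `$env:TEMP` and the sample streams are constructed for this example, and whether `Get-Item -Stream` lists streams on a directory depends on the PowerShell version (an assumption, which is why the dir /R line stays at the end).

```powershell
# Added example, not the course's code. Assumes Windows, NTFS, PowerShell 5.1 or 7.

function Find-AlternateStreams {
    param([Parameter(Mandatory)][string]$Root, [switch]$IncludeZoneIdentifier)
    # The root directory is included because a stream can be anchored to the directory itself
    $items = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
    foreach ($item in $items) {
        # -Stream * lists every $DATA stream; ':$DATA' is the ordinary content and is skipped.
        # Directory stream listing via Get-Item is version dependent (assumption), hence SilentlyContinue.
        $streams = Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
                   Where-Object { $_.Stream -ne ':$DATA' }
        foreach ($s in $streams) {
            if (-not $IncludeZoneIdentifier -and $s.Stream -eq 'Zone.Identifier') { continue }
            $preview = ''
            if ($s.Stream -eq 'Zone.Identifier') {
                # Small INI-style text such as [ZoneTransfer] ZoneId=3; 3 is the Internet zone
                $preview = (Get-Content -LiteralPath $item.FullName -Stream $s.Stream -ErrorAction SilentlyContinue) -join ' '
            }
            [pscustomobject]@{
                Path    = $item.FullName
                IsDir   = $item.PSIsContainer
                Stream  = $s.Stream
                Bytes   = $s.Length
                Preview = $preview
            }
        }
    }
}

# --- constructed scratch tree mirroring the lecture's tim directory ---
$root = Join-Path $env:TEMP 'ads-audit'
New-Item -ItemType Directory -Path $root -Force | Out-Null
$tim = Join-Path $root 'tim.txt'
Set-Content -LiteralPath $tim -Value 'visible text'
Set-Content -LiteralPath $tim -Stream 'secret' -Value 'constructed hidden text'
$dl = Join-Path $root 'download.txt'
Set-Content -LiteralPath $dl -Value 'pretend download'
Set-Content -LiteralPath $dl -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"
# Stream anchored to the directory, written through cmd as in the lecture (note ${} so PowerShell
# does not read "root:udemy" as a scoped variable name)
cmd /c "echo directory-anchored > ""$($root):udemy.txt"""

# Everything except the expected Zone.Identifier marks
Find-AlternateStreams -Root $root | Format-Table -AutoSize
# Everything, including where each download came from
Find-AlternateStreams -Root $root -IncludeZoneIdentifier | Format-Table -AutoSize

# The same view through the undocumented switch from the lecture
cmd /c "dir /R ""$root"" | find ""`$DATA"""
```

Run without `-IncludeZoneIdentifier` over a user profile or web root and the output is short enough to read: Zone.Identifier on downloads is normal, Dropbox and similar tools have their own named streams, and anything left over is what a dir listing would never have shown you.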
So let’s just recap our alternate data streams. And I bet you really were blown away by that. NTFS alternate data streams naturally have the ability to append data to existing files without affecting their functionality, their perceived size, or their display in traditional file browsing utilities like dir, even Windows Explorer. Anything that we do, we would not have shown this up, with the exception of the dir command and the hidden switch /R in Vista and above. And we went on to talk about typing and redirecting, this and that kind of thing. Very, very difficult to find.
Despite the ease with which alternate data streams can be used and their ubiquity in modern Windows operating systems, relatively few systems administrators are aware of them, so that function is therefore not checked. Since there’s no facility in Windows natively to detect that alternate data stream and no special tools are required to access them, they serve as an ideal place for hackers to store a set of tools or information that they have exfiltrated. I remember that I taught a class at a conference once, and I took an entire virtual machine, I think it was like three or 4 GB in size, and hid it inside the boot.ini file and booted it up using that alternate data stream. And that went over really well. Let’s talk a little bit about some countermeasures.
There are a number of third-party utilities, like those listed, that are able to detect alternate data streams. Now, remember, this is a feature, so creating an alternate data stream from a file will also modify its checksum. So applications such as Tripwire, like I said before, and OSSEC that are set up to check for this would generate an alert. But if they are expecting to generate a hash off of the main data stream, which 99% of them are, they will not generate an alert. Alternate data streams are solely an NTFS feature. So any files that are copied to a FAT system, like files that are on a FAT-formatted USB thumb drive, will lose this. As I demonstrated, this can also be handy for washing files that are suspected of having been used for this.
But keep in mind, I could also format that thumb drive to NTFS, and I can give it to someone who is unsuspecting, as a systems administrator, and say, hey, take this thumb drive right here, and would you mind giving me a picture of that really pretty girl that’s sitting on that car in that bikini? I’d like to have that. And when they put it into their machine, it’s very possible that I could create some kind of malware, exfiltrate all of the password hashes, store them into an alternate data stream. And when the systems administrator does a double check by doing a dir to make sure that all I got was that picture and gives it back to me smiling, I would also smile, too, because I got back a lot more than just the picture of that pretty girl.