Ethical Hacker Community Forums

Columns => Wilson => Topic started by: don on February 27, 2007, 11:27:15 PM



Title: [Article]-Alternate Data Streams (ADS): Hiding In Plain Site
Post by: don on February 27, 2007, 11:27:15 PM
Quote
By Brian Wilson, CCNA, CCSE, CCAI, MCP, Network+, Security+, JNCIA

In this little article I am going to show you how Alternate Data Streams (ADS) work and show you a small example of how to make one. ADS is a feature of the NTFS file system that provides compatibility with HFS, the old Macintosh Hierarchical File System. ADS has been a function of NTFS since NT 4.0 and is still available in Windows XP (and yes, even Windows Vista). ADS gives you the ability to inject/add file data into existing files without affecting their functionality, size, or display in utilities like Windows Explorer or even "dir" under the command line.

Permanent Link: [Article]-Alternate Data Streams (ADS): Hiding In Plain Site (http://www.ethicalhacker.net/content/view/115/24/)

Offer your thoughts and experiences,
Don

PS - ADS is covered in many of the ethical hacking certification exams. This is a good introductory article that shows you exactly how it works.


Title: Re: [Article]-Alternate Data Streams (ADS): Hiding In Plain Site
Post by: CadillacGolfer on February 28, 2007, 09:23:56 AM
Why MSFT includes this in NTFS, yet provides no native tools to work with ADS is completely beyond me.


Title: Re: [Article]-Alternate Data Streams (ADS): Hiding In Plain Site
Post by: don on February 28, 2007, 11:13:06 AM
ADS was originally created for compatibility with Macs. Macs by nature don't have file extensions in the file name. The data that tells a Mac the file association was held in a separate "fork" of the file as opposed to the file name itself. This has changed since Mac OS X, but ADS has taken on additional duties for Windows such as the Summary feature. Google for more details.

As with most things, hackers find a unique way of making a feature do something it was not initially meant to do. This is not a bad thing. But "crackers" do the same thing for bad purposes. Thus the difference between a hacker and a cracker (just threw that in for those about to take a cert exam).

Hope this helps,
Don

PS - digg this story! (http://www.digg.com/security/Tutorial_Alternate_Data_Streams_ADS_Hiding_Information_In_Plain_Site)


Title: Re: [Article]-Alternate Data Streams (ADS): Hiding In Plain Site
Post by: ChrisG on February 28, 2007, 04:08:28 PM
good article, cool stealth fighter....

Actually, like Don said, you'll probably catch a couple of ADS questions on either the CEH or CPTS exam, good info to have.


Title: Re: [Article]-Alternate Data Streams (ADS): Hiding In Plain Site
Post by: p0et on March 21, 2007, 11:01:12 PM
Great work, Brian!  :D

It's a fun topic and I am glad you brought me in on the project.   8)


Title: Re: [Article]-Alternate Data Streams (ADS): Hiding In Plain Site
Post by: jimbob on March 22, 2007, 03:28:23 AM
Quick question, are there any legitimate uses for ADS other than the summary metadata attached to some files? If there was a way of disabling ADS, would this break Windows?

Jim


Title: Re: [Article]-Alternate Data Streams (ADS): Hiding In Plain Site
Post by: slimjim100 on March 22, 2007, 08:44:37 AM
I know a lot of other programs now use ADS. I think the "Thumbs.db" file uses ADS. It's used for picture icons in Windows folders; also some PDFs use the ADS file space. I am unaware of any way to disable ADS, but if you convert your file system to FAT32 you will drop all ADS streams from the drive. I guess if you had a lot of spare time on your hands you could convert your drive to FAT32 and then convert it back to NTFS to kill all the ADS streams. There are tools freely available on the net to find and ID ADS streams on your hard drive. I like using a tool called LNS.exe (http://ntsecurity.nu/toolbox/lns/); it's free and is command line driven, so it's very lightweight to use and works very fast.

Brian
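A defender-side check that follows from the article's point (a stream does not change the size that dir or Explorer show) and from the note above about tools that find streams, added here as an example that is not from the article or from any of the posters. It assumes Windows PowerShell 3.0 or later (the -Stream parameter) and a directory path you choose.

```powershell
# Added example: enumerate NTFS alternate data streams under a directory and
# report every stream other than the default unnamed stream (shown as ':$DATA').
# Assumes Windows PowerShell 3.0+; cmd's "dir /R" (Vista and later) lists streams too.
param(
    [string]$Path = '.',
    # Zone.Identifier is the browser "Mark of the Web" stream and is normally
    # benign, so it is hidden unless asked for.
    [switch]$IncludeZoneIdentifier
)

function Get-AlternateDataStreams {
    param([string]$Root, [switch]$ShowZone)

    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * returns one object per stream with Stream and Length properties
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Where-Object { $ShowZone -or $_.Stream -ne 'Zone.Identifier' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File            = $file.FullName
                        Stream          = $_.Stream
                        StreamBytes     = $_.Length
                        # Explorer and dir report only the main stream, which is
                        # why data in a named stream leaves the visible size unchanged.
                        MainStreamBytes = $file.Length
                    }
                }
        }
}

Get-AlternateDataStreams -Root $Path -ShowZone:$IncludeZoneIdentifier |
    Sort-Object File, Stream |
    Format-Table -AutoSize

# To confirm the scan works, put a stream on a scratch file and re-run the script:
#   Set-Content -Path .\scratch.txt -Value 'visible'
#   Set-Content -Path .\scratch.txt -Stream hidden -Value 'not shown by dir'
# A named stream can be removed without touching the main file:
#   Remove-Item -Path .\scratch.txt -Stream hidden
```

Copying a file to a FAT32 volume, as mentioned above, silently drops every named stream, so a stream found by this scan will not survive such a copy.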