Alternate Data Streams (ADS): Hiding In Plain Site

February 27, 2007


By Brian Wilson, CCNA, CCSE, CCAI, MCP, Network+, Security+, JNCIA

Contributions to this article and the accompanying ADS Video were provided by Dan Honkanen, GCIH, Security+, MCP, DCSE

In this little article I am going to show you how Alternate Data Streams (ADS) work and walk through a small example of how to make one. ADS is a feature of the NTFS file system that was added to provide compatibility with HFS, the old Macintosh Hierarchical File System. ADS has been a function of NTFS since NT 4.0 and is still available in Windows XP (and yes, even Windows Vista). ADS gives you the ability to inject/add file data into existing files without affecting their functionality, their reported size, or how they are displayed in utilities like Windows Explorer or even "dir" on the command line.

For my example I am adding my resume, which sits on the root of the "C:" drive and is named "s.doc".

[Figure 1: c:\s.doc]

Now I have a copy of the Ethical Hacker Network's banner I copied down from the website.

[Figure 2]

I then renamed the Ethical Hacker Network banner to "e.jpg" and moved it to a folder off of the root, "c:\ts" [c:\ts\e.jpg].

[Figure 3]

Now you will see how I have added the resume (s.doc) into the banner image (e.jpg) without changing the file size of the jpg file. The commands used for this are very simple:

Type (TYPE supports file streams on NTFS drives. You can type an individual stream by specifying the stream name.)

Redirect [>]

Colon [:]

Start (optionally runs a program in that session. Just typing "start" on its own will open a new command window.)

Example command

[Figure 4]

"C:\ts>type C:\s.doc >c:\ts\e.jpg:s.doc"

Basically I have my command prompt sitting in the folder c:\ts.

I use the command "type" and then select the file I would like to inject [c:\s.doc] into the ADS; you can use any file you like.

Next I use the ">" {redirect} operator to point the output at the file I would like to inject into. Then I enter the destination for the injection, e.jpg:s.doc. The ":" separates the host file from the name of the ADS I am making.

Now to see the file in the ADS all you need to do is type:

[Figure 5]

Start (then the path to the ADS file)

Example command

C:\ts> start c:\ts\e.jpg:r.txt

Now it is time to try to find the files we have added. I will try to see the ADS files with a simple "dir" command.

[Figure 6]

Now let's look in the folder with Windows Explorer.

[Figure 7]

Now we will use a program from www.ntsecurity.nu/toolbox/ called lns.exe. Here is the description from the website: "LNS is a tool that searches for NTFS streams (aka alternate data streams or multiple data streams)".

[Figure 8]

Command used: "lns c:\ts"

When using the program "lns.exe" you can run it against one folder or against the whole root of the C: drive. Running lns.exe on the root drive can take some time. One trick for this is to redirect the output to a file with "> output.txt" ("lns c:\ts >output.txt"). This writes the command's output to a text document (output.txt), so you can read the information later.

For more information on ADSs try Google, as there are many articles on the internet that cover this topic. For more information on the different commands available in "cmd.exe" I recommend going to http://jpsoft.com/help/index.htm?cmd_comp.htm. There is a lot of good information on http://www.jpsoft.com/. Thanks for reading this paper, and please join me on the "Ethical Hackers Network" Forums (http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/) to learn and discuss many different topics on Security.

Editor's Note: ADS in Vista

Being a function of NTFS, ADS is not only still in Vista, but extra command line options for the dir command have also been added. One of the additions is "dir /r" that allows you to see ADSs just like LNS does above.
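The article creates a stream with "type ... > e.jpg:s.doc", reads it with "start", and hunts for it with lns.exe (or "dir /r" on Vista). The following PowerShell script is an added example, not code from the article or from the lns.exe project, that does the same three things with the stream-aware cmdlets that shipped in PowerShell 3.0: it builds a labelled test fixture in a temporary folder, enumerates every non-default stream under that folder (the PowerShell counterpart of lns.exe and "dir /r"), reads a flagged stream's contents without executing anything, and then strips the stream from the host file. The folder name, file names, and stream contents are constructed for the demo; everything else is standard Windows PowerShell behaviour on an NTFS volume.

```powershell
# Added example (not from the article): create a labelled test file with an
# alternate data stream in a temp folder, then enumerate, read and remove it
# with PowerShell's stream-aware cmdlets (PowerShell 3.0+, NTFS volume).

$root = Join-Path $env:TEMP ("ads-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $root | Out-Null

# Constructed fixture: a plain host file plus a stream named "s.doc",
# mirroring the article's "type C:\s.doc > c:\ts\e.jpg:s.doc".
$hostFile = Join-Path $root "e.jpg"
Set-Content -Path $hostFile -Value "pretend JPEG bytes"
Set-Content -Path $hostFile -Stream "s.doc" -Value "pretend resume contents"

# The size shown by dir / Explorer counts only the unnamed ($DATA) stream,
# which is why the article's e.jpg does not grow.
"{0} reports {1} bytes" -f $hostFile, (Get-Item $hostFile).Length

# Enumerate every stream on every file under a path. The unnamed stream is
# reported as ":$DATA"; anything else is an alternate stream. Zone.Identifier
# is the common benign one written for files downloaded from the internet,
# so a real scan would normally list it separately rather than ignore it.
function Find-AlternateStreams {
    param([string]$Path)
    Get-ChildItem -Path $Path -File -Recurse |
        ForEach-Object {
            Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Select-Object FileName, Stream, Length
        }
}

$findings = Find-AlternateStreams -Path $root
$findings | Format-Table -AutoSize

# Inspect a flagged stream's content as text instead of launching it with
# "start", so nothing inside the stream gets executed during triage.
foreach ($f in $findings) {
    "--- {0}:{1} ---" -f $f.FileName, $f.Stream
    Get-Content -Path $f.FileName -Stream $f.Stream
}

# Remediation: delete only the alternate stream; the host file stays intact.
foreach ($f in $findings) {
    Remove-Item -Path $f.FileName -Stream $f.Stream
}
"Alternate streams remaining after cleanup: {0}" -f @(Find-AlternateStreams -Path $root).Count

Remove-Item -Path $root -Recurse -Force
```

Run it from a PowerShell prompt on an NTFS drive; the first listing shows e.jpg with its "s.doc" stream and the final count comes back as 0. Point Find-AlternateStreams at a larger tree (for example a user profile) to get the same kind of report the article produces with "lns c:\ts >output.txt", and copy a file to a FAT or exFAT volume if you want to see the streams silently dropped, which is the same reason ADS content does not survive most e-mail or web transfers.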


Brian Wilson (bwilson@ethicalhacker.net) has over 12 years of experience in IT, starting with a tour in the United States Army. He has worked in and out of the US Government in many different organizations and technical roles, including a stint as a Cisco Certified Instructor. Currently he works for one of the largest US broadband providers (ISP) as a Senior Data/Voice Engineer supporting over 3 million High Speed Internet/VoIP subscribers. He has attained a number of industry credentials covering many aspects of IT, including CCNA, CCSE, CCAI, MCP, JNCIA, Network+, Security+, and many DoD Certifications. He also uses his knowledge of IT to benefit a number of charitable organizations. Clearly Brian's knowledge and interests are wide, and his affinity for philanthropy will be the overriding theme of his vast set of articles and videos.
