
[Article]-Alternate Data Streams (ADS): Hiding In Plain Site


don


Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Wed Feb 28, 2007 12:27 am

[Article]-Alternate Data Streams (ADS): Hiding In Plain Site

By Brian Wilson, CCNA, CCSE, CCAI, MCP, Network+, Security+, JNCIA

In this little article I am going to show you how Alternate Data Streams (ADS) work and show you a small example of how to make one. ADS is a feature of the NTFS file system that provides compatibility with HFS, the old Macintosh Hierarchical File System. ADS has been a function of NTFS since NT 4.0 and is still available in Windows XP (and yes, even Windows Vista). ADS gives you the ability to inject/add file data into existing files without affecting their functionality, size, or display in utilities like Windows Explorer or even "dir" under the command line.


Permanent Link: [Article]-Alternate Data Streams (ADS): Hiding In Plain Site

Offer your thoughts and experiences,
Don

PS - ADS is covered in many of the ethical hacking certification exams. This is a good introductory article that shows you exactly how it works.
CISSP, MCSE, CSTA, Security+ SME
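The behaviour the article describes (a named stream attached to a file, with the file's reported size and its "dir" listing unchanged), as an added PowerShell walkthrough that is not part of Brian Wilson's article or this thread. It assumes an NTFS volume and PowerShell 3.0 or later, which added the -Stream parameter to the file cmdlets; the directory, file name and stream name are made up for the demo. The cmd.exe redirection shown in the comment is the older technique the article's era would have used.

```powershell
# Added example (not from the article): create an alternate data stream on an
# NTFS volume and show that size and normal listings do not reveal it.
# Assumptions: NTFS volume, PowerShell 3.0+; paths/stream names are invented.
$Dir  = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $Dir -Force | Out-Null
$File = Join-Path $Dir 'notes.txt'

# 1. Create an ordinary file. Its unnamed stream (::$DATA) holds this text.
Set-Content -Path $File -Value 'This is the visible content.'
$before = (Get-Item -Path $File).Length

# 2. Attach a named stream. The syntax is file:streamname. The cmd.exe
#    equivalent is:   echo hidden text > notes.txt:secret.txt
Set-Content -Path $File -Stream 'secret.txt' -Value 'This text lives in an alternate stream.'

# 3. Reported size is unchanged: dir and Explorer only count the unnamed stream.
$after = (Get-Item -Path $File).Length
"Size before: $before  after: $after  unchanged: $($before -eq $after)"

# 4. Normal reads still return only the visible content...
Get-Content -Path $File

# ...while naming the stream explicitly returns the hidden data.
Get-Content -Path $File -Stream 'secret.txt'

# 5. Only tools that enumerate streams show it. Here the unnamed stream is
#    listed as ':$DATA' alongside the named one. ('dir /r' does the same
#    from cmd.exe on Windows Vista and later.)
Get-Item -Path $File -Stream * | Select-Object Stream, Length

# 6. Cleanup: remove just the named stream, leaving the file intact.
Remove-Item -Path $File -Stream 'secret.txt'
Get-Item -Path $File -Stream * | Select-Object Stream, Length
```

Step 3 is the point the article makes: Length, dir and Explorer all report only the unnamed stream, so a file can carry arbitrary extra data with no visible change. Step 5 is the only listing in the block that exposes it.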

CadillacGolfer

Newbie

Posts: 36

Joined: Thu Dec 14, 2006 1:58 pm

Post Wed Feb 28, 2007 10:23 am

Re: [Article]-Alternate Data Streams (ADS): Hiding In Plain Site

Why MSFT includes this in NTFS, yet provides no native tools to work with ADS is completely beyond me.

don


Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Wed Feb 28, 2007 12:13 pm

Re: [Article]-Alternate Data Streams (ADS): Hiding In Plain Site

ADS was originally created for compatibility with Macs. Macs by nature don't have file extensions in the file name. The data that tells a Mac the file association was held in a separate "fork" of the file as opposed to the file name itself. This has changed since Mac OS X, but ADS has taken on additional duties for Windows such as the Summary feature. Google for more details.

As with most things, hackers find a unique way of making a feature do something it was not initially meant to do. This is not a bad thing. But "crackers" do the same thing for bad purposes. Thus the difference between a hacker and a cracker (just threw that in for those about to take a cert exam).

Hope this helps,
Don

PS - digg this story!
Last edited by don on Wed Feb 28, 2007 12:17 pm, edited 1 time in total.
CISSP, MCSE, CSTA, Security+ SME

LSOChris

Post Wed Feb 28, 2007 5:08 pm

Re: [Article]-Alternate Data Streams (ADS): Hiding In Plain Site

good article, cool stealth fighter....

Actually, like Don said, you'll probably catch a couple of ADS questions on either the CEH or CPTS exam; good info to have.

p0et


Full Member

Posts: 197

Joined: Thu Nov 02, 2006 4:38 pm

Location: Victoria, Canada

Post Wed Mar 21, 2007 11:01 pm

Re: [Article]-Alternate Data Streams (ADS): Hiding In Plain Site

Great work, Brian!  :D

It's a fun topic and am glad you brought me in on the project.  8)
GCIH, Security+, Network+, A+, MCP, DCSE

jimbob

Post Thu Mar 22, 2007 3:28 am

Re: [Article]-Alternate Data Streams (ADS): Hiding In Plain Site

Quick question: are there any legitimate uses for ADS other than the summary metadata attached to some files? If there was a way of disabling ADS, would this break Windows?

Jim

slimjim100


EH-Net Columnist

Posts: 385

Joined: Wed Nov 08, 2006 12:50 pm

Location: Atlanta

Post Thu Mar 22, 2007 8:44 am

Re: [Article]-Alternate Data Streams (ADS): Hiding In Plain Site

I know a lot of other programs now use ADS. I think the "Thumbs.db" file uses ADS. It's used for picture icons in Windows folders; also some PDFs use the ADS file space. I am unaware of any way to disable ADS, but if you convert your file system to FAT32 you will drop all ADS streams from the drive. I guess if you had a lot of spare time on your hands you could convert your drive to FAT32 and then convert it back to NTFS to kill all the ADS streams. There are tools freely available on the net to find and ID ADS streams on your hard drive. I like using a tool called LNS.exe (http://ntsecurity.nu/toolbox/lns/); it's free and is command line driven, so it's very lightweight to use and works very fast.

Brian
CISSP, CCSE, CCNA, CCAI, Network+, Security+, JNCIA, & MCP
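The detection side of the thread (finding and identifying streams on a drive, and getting rid of one without the FAT32 round-trip) as an added PowerShell example. This is not LNS.exe and not code from any poster; it uses only built-in cmdlets, which gained stream support in PowerShell 3.0, so it also answers the earlier point about native tools for Windows versions from that era on. The function name, parameter names and the starting path are assumptions for the demo. Zone.Identifier is filtered out by default because the Attachment Manager writes that stream to every downloaded file; it is the one named stream you will find everywhere on a normal system.

```powershell
# Added example (not from the thread or LNS.exe): enumerate alternate data
# streams under a directory tree with built-in cmdlets (PowerShell 3.0+).
# Find-AlternateStreams and its parameters are names chosen for this demo.
function Find-AlternateStreams {
    param(
        [Parameter(Mandatory)] [string] $Root,
        # Zone.Identifier is the mark-of-the-web stream on downloaded files and
        # is normally benign; pass -IncludeZoneIdentifier to list it anyway.
        [switch] $IncludeZoneIdentifier
    )
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = $_
            # -Stream * lists every stream; ':$DATA' is the normal unnamed one.
            Get-Item -LiteralPath $f.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $f.FullName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                    }
                }
        }
}

# Usage: list every named stream under the user's profile, largest first.
# A big stream on a small file (or any stream on a system binary) is the
# kind of thing worth a second look.
$hits = Find-AlternateStreams -Root $env:USERPROFILE | Sort-Object Bytes -Descending
$hits | Format-Table -AutoSize

# Peek at the first few lines of the largest one before deciding what it is.
if ($hits) {
    $h = $hits[0]
    Get-Content -LiteralPath $h.File -Stream $h.Stream -TotalCount 5
    # To drop just that stream and leave the file itself untouched:
    # Remove-Item -LiteralPath $h.File -Stream $h.Stream
}
```

The same enumeration is available from cmd.exe as "dir /r" on Windows Vista and later, but the PowerShell form lets you filter, sort and act on the results. Removing a single stream with Remove-Item -Stream is the targeted alternative to the FAT32 conversion mentioned above, which discards every stream on the volume, Zone.Identifier and Summary metadata included.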
