DEV Community

rootshellace

Alternate Data Streams - Good or Bad?

Alternate Data Stream
Some people might say it's good, others would consider it a bad thing. Well, as with many things in this world, it depends on how it is used.

What is an ADS?

Imagine you have a pair of jeans with a pocket on the front-left side. You go to a tailor and he sews another one in the same place, but on the inside. The new pocket is attached to the existing one, yet creating it did not change the original in any way: its shape, capacity and contents stay the same.

If somebody looks at your jeans, he will only see the front pocket, but he won’t notice the one on the inside, unless he already knows about its existence.

Now, let's map the terms. Assume we have a file, pizza_recipe.txt; it represents the pair of jeans. The front pocket is the content of the file, basically the ingredients and instructions for the pizza. This is the default stream. However, you might want to add a secret item: for instance, another file, secret.txt, attached to the original, in which you say "add extra mozzarella". The secret pocket is secret.txt, and its content is the data in that document.

Every file has a default, unnamed data stream: the $DATA attribute that holds what you normally think of as the file's content. In our example, that is the recipe itself. An alternate data stream is simply an extra, named $DATA attribute on the same file, addressed as pizza_recipe.txt:secret.txt (the full NTFS form is pizza_recipe.txt:secret.txt:$DATA). The file's record in the MFT (Master File Table) lists every stream the file has and, for data too large to fit inside the record, where it lives on disk. In our analogy, the MFT is our brain: it knows about the hidden pocket and where it is.

How are they created?

Before we begin with this part, one thing must be mentioned. Alternate Data Streams are an NTFS feature. If you copy a file that carries ADSs to a file system without them, for instance a FAT32 or exFAT USB stick, those streams are silently dropped; the same happens when the file travels through most archive formats or as an e-mail attachment. Copying or moving the file within NTFS keeps them.

I will use the previous example and explain how to perform this action with PowerShell. However, this is not the only way to do it.

First, we will create the standard file, in the current directory. In our case, pizza_recipe.txt.

Set-Content -Value "Dough, toppings, bake" -Path .\pizza_recipe.txt

To read the content of this newly created document, we will use the command below:

Get-Content -Path .\pizza_recipe.txt

Now, we will create the ADS. The command is almost the same as the one used to create the normal file; the only difference is the extra -Stream parameter, which names the stream.

Set-Content -Value "Mozzarella" -Path .\pizza_recipe.txt -Stream secret.txt

Next, to read the content of the ADS, just add the -Stream parameter to the command used earlier.

Get-Content -Path .\pizza_recipe.txt -Stream secret.txt

Below, you can see a screenshot with all these commands executed and the corresponding result:

Create Alternate Data Stream
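The whole sequence as one script, added here as an example and not part of the original post. Beyond the four commands above it checks that the file's reported size does not change when a stream is attached, enumerates all streams, copies the file within NTFS to show the stream survives, and finally removes only the alternate stream. The location under $env:TEMP is an assumption; any path on an NTFS volume works.

```powershell
# Added example, not the original post's code. Assumes $env:TEMP is on an NTFS volume.
$path = Join-Path $env:TEMP 'pizza_recipe.txt'

Set-Content -LiteralPath $path -Value 'Dough, toppings, bake'
$before = (Get-Item -LiteralPath $path).Length

# Attach the alternate stream. The primary (unnamed) stream is not modified.
Set-Content -LiteralPath $path -Stream 'secret.txt' -Value 'Mozzarella'
$after = (Get-Item -LiteralPath $path).Length

# FileInfo.Length only counts the unnamed $DATA stream, so the file looks unchanged.
"Length before: $before bytes, after: $after bytes"

# Enumerate every stream on the file; the unnamed one is listed as ':$DATA'.
Get-Item -LiteralPath $path -Stream * | Select-Object Stream, Length

# Read the hidden content back.
Get-Content -LiteralPath $path -Stream 'secret.txt'

# A copy on the same NTFS volume keeps the stream; a copy to FAT32/exFAT would lose it.
$copy = Join-Path $env:TEMP 'pizza_recipe_copy.txt'
Copy-Item -LiteralPath $path -Destination $copy
(Get-Item -LiteralPath $copy -Stream *).Stream

# Delete only the alternate stream; the recipe itself survives.
Remove-Item -LiteralPath $path -Stream 'secret.txt'
(Get-Item -LiteralPath $path -Stream *).Stream
Get-Content -LiteralPath $path

# Clean up.
Remove-Item -LiteralPath $path, $copy
```

The Length comparison is the point a practitioner should remember: Explorer, dir without /r and most size-based checks report only the default stream, so a file can carry megabytes in alternate streams while appearing to be a few bytes long.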

What are they used for?

NTFS ADS were originally added so that Windows NT file servers could store Macintosh files for Services for Macintosh: Apple's HFS file system gives every file a data fork and a resource fork, and the resource fork was kept in an alternate stream.

That is not their only use today. Windows itself and some applications keep metadata in alternate streams. I downloaded a simple .jpg photo from the internet, and it arrived with some info in an ADS.

ADS for a photo from the internet

As you can see above, that photo has 2 streams: the default one, :$DATA, and an extra ADS called Zone.Identifier. If we look at the content inside, we can see what kind of info it retains: besides the ZoneId that every such stream carries (3 is the Internet zone), a value for HostUrl and another one for ReferrerUrl are available. This stream is the "Mark of the Web". Browsers write it to every download, and SmartScreen, Office Protected View and PowerShell's execution policy consult it to decide whether a file came from the internet. Explorer's "Unblock" checkbox and the Unblock-File cmdlet simply delete this stream.
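Reading and decoding that stream in PowerShell, as an added example that is not part of the original post. The function assumes the INI layout browsers write ([ZoneTransfer] followed by key=value lines) and maps the ZoneId to the URLMON security zone names; the sample photo.jpg and its stream content are constructed so the example runs without a real download.

```powershell
# Added example, not the original post's code. Decodes the Mark-of-the-Web on a file.
function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)

    # Get-Item -Stream errors when the stream is absent, so probe quietly first.
    $stream = Get-Item -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }

    # The stream is INI-formatted, e.g.:
    #   [ZoneTransfer]
    #   ZoneId=3
    #   ReferrerUrl=https://example.invalid/gallery
    #   HostUrl=https://example.invalid/photo.jpg
    $fields = @{}
    Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' | ForEach-Object {
        if ($_ -match '^\s*([^=\[\]]+?)\s*=\s*(.*)$') { $fields[$matches[1]] = $matches[2] }
    }

    # URLMON security zone identifiers (URLZONE_* constants).
    $zones = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
    $id = if ($fields.ContainsKey('ZoneId')) { [int]$fields['ZoneId'] } else { $null }
    $zoneName = if ($null -ne $id -and $zones.ContainsKey($id)) { $zones[$id] } else { 'Unknown' }

    [pscustomobject]@{
        File        = $Path
        ZoneId      = $id
        Zone        = $zoneName
        HostUrl     = $fields['HostUrl']
        ReferrerUrl = $fields['ReferrerUrl']
    }
}

# Constructed sample: a fake photo with a hand-written Zone.Identifier stream.
$sample = Join-Path $env:TEMP 'photo.jpg'
Set-Content -LiteralPath $sample -Value 'not really a jpeg'
Set-Content -LiteralPath $sample -Stream 'Zone.Identifier' -Value @(
    '[ZoneTransfer]',
    'ZoneId=3',
    'ReferrerUrl=https://example.invalid/gallery',
    'HostUrl=https://example.invalid/photo.jpg')

Get-MarkOfTheWeb -Path $sample

# Unblock-File removes the stream; afterwards the function returns nothing.
Unblock-File -LiteralPath $sample
Get-MarkOfTheWeb -Path $sample
Remove-Item -LiteralPath $sample
```

For incident response the HostUrl and ReferrerUrl values are often the quickest way to learn where a suspicious file was downloaded from, as long as nobody has unblocked it.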

The example above is harmless; its purpose is legitimate. But it is not the only use. ADSs can also hide data, a form of steganography. Who says only secrets about extra mozzarella can be stored there? A stream can hold passwords, sensitive files and so on. Is hiding data good or bad? As I mentioned at the beginning of this article, it depends on how it is used.

And not only text can be embedded in an alternate data stream. Other kinds of files can be carried as well: photos, videos, even executables. This is where things can turn to the dark side. Malware can be stashed in an ADS of an innocent-looking file, where not every antivirus scanner, backup tool or integrity checker looks, while the host file's size and content appear untouched. A binary sitting in a stream is inert by itself; it still needs something to launch it, but once that is in place bad things can happen, with various consequences.

In my new video about ADS, among some info about this topic, I made a demo on how I create a backdoor by abusing alternate data streams. Don’t miss it!

How to identify alternate data streams?

To detect the presence of an ADS there are several options: standard Windows tools or external specialized software. Let's look at three of them.

1) Run the dir command in cmd with the /r option

Detect ADS with dir command

We can see in this screenshot that both streams were shown when the command was run with the /r flag: dir /r prints each stream as filename:stream:$DATA next to its size, whereas a plain dir hides them.

2) Run the Get-Item cmdlet in PowerShell with the -Stream parameter

Detect ADS with Get-Item cmdlet

Here, I extended the command a bit, just to format the output in a nicer way. However, running only the first part (Get-Item with -Stream *) is enough to get the information you want. In this case too, both streams were found.

3) Use the streams tool from the Sysinternals Suite

Detect ADS with streams tool

This tool reveals all the alternate streams; the default stream is not shown. streams -s recurses into subdirectories, and streams -d deletes the streams it finds, which is handy for cleaning a tree of downloads.
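Putting method 2 to work as a small hunt over a directory tree, as an added example that is not part of the original post. It skips the default stream and the browser-written Zone.Identifier (both noise in a sweep), reports every other stream with its size, and reads the first two bytes to flag streams that start with the 'MZ' signature of a Windows executable. The sample tree under $env:TEMP is constructed inline, and the "PE" payload is just the two-byte header, not a real binary. The Windows PowerShell 5.1 versus PowerShell 7 byte-mode switch is handled at run time.

```powershell
# Added example, not the original post's code: hunt for non-default streams in a tree.

function Get-StreamHead {
    # Return the first $Count bytes of a named stream. Windows PowerShell 5.1 and
    # PowerShell 7 spell the byte-mode switch differently, so choose it at run time.
    param([string]$Path, [string]$Stream, [int]$Count = 2)
    $byteMode = if ($PSVersionTable.PSVersion.Major -ge 6) { @{ AsByteStream = $true } } else { @{ Encoding = 'Byte' } }
    [byte[]](Get-Content -LiteralPath $Path -Stream $Stream -ReadCount 0 -TotalCount $Count @byteMode)
}

function Find-AlternateStreams {
    param(
        [Parameter(Mandatory)][string]$Root,
        # Streams to skip: the default stream and the browser-written Mark-of-the-Web.
        [string[]]$Ignore = @(':$DATA', 'Zone.Identifier')
    )
    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -notin $Ignore } |
                ForEach-Object {
                    $head = Get-StreamHead -Path $file.FullName -Stream $_.Stream
                    # A PE image (EXE/DLL) begins with the two bytes 'MZ' (0x4D 0x5A).
                    $looksPe = ($head.Count -ge 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                    [pscustomobject]@{
                        File    = $file.FullName
                        Stream  = $_.Stream
                        Bytes   = $_.Length
                        LooksPE = $looksPe
                    }
                }
        }
}

# Constructed sample tree: a clean file, a download-style file, and a file with a PE-looking stream.
$root = Join-Path $env:TEMP 'ads_hunt'
New-Item -ItemType Directory -Path $root -Force | Out-Null
Set-Content -LiteralPath (Join-Path $root 'clean.txt') -Value 'nothing to see'
Set-Content -LiteralPath (Join-Path $root 'photo.jpg') -Value 'fake jpeg'
Set-Content -LiteralPath (Join-Path $root 'photo.jpg') -Stream 'Zone.Identifier' -Value '[ZoneTransfer]', 'ZoneId=3'
Set-Content -LiteralPath (Join-Path $root 'recipe.txt') -Value 'Dough, toppings, bake'
$fakePe = [byte[]](0x4D, 0x5A, 0x90, 0x00)   # only the 'MZ' header, not a real executable
$byteMode = if ($PSVersionTable.PSVersion.Major -ge 6) { @{ AsByteStream = $true } } else { @{ Encoding = 'Byte' } }
Set-Content -LiteralPath (Join-Path $root 'recipe.txt') -Stream 'payload.bin' -Value $fakePe @byteMode

# Only recipe.txt:payload.bin should be reported, flagged as PE-looking.
Find-AlternateStreams -Root $root | Format-Table -AutoSize

Remove-Item -LiteralPath $root -Recurse
```

Calling Get-Item -Stream * once per file is slow on large volumes; for a first triage pass, streams -s or dir /r /s is faster, and this script is better used on the handful of directories they point you to. Treat the output as a list to review rather than a verdict: some backup and security products legitimately write their own named streams.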

Disclaimer

This article is for educational purposes only. Attacking targets without prior mutual consent is illegal. I take no responsibility for any misuse or damage caused due to the usage of the information provided here.


If you got here, I want to thank you for the time you took to read my article. I hope you enjoyed it and also learned something from it. Why not take a look at some of my other articles? Or, maybe, watch one of my YouTube videos?
