create – alternate data streams (ads)

Alternate Data Streams (ADS) are an NTFS feature that provides a way of hiding text and files on a system; a program stored in a stream can also be executed without being noticed.

For instance, the command

type c:\anyfile.exe > c:\winnt\system32\calc.exe:anyfile.exe

will attach an ADS named “anyfile.exe” to the standard Windows calculator program, calc.exe.

Hiding a file in an Alternate Data Stream on Windows.

1. Open CMD

2. Type notepad test.txt

As seen below

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\frog>notepad test.txt

3. A pop-up will state that it cannot find the test.txt file and ask whether you want to create it – click Yes.

4. Type something in it, such as “this is simply a test”.

5. Save test.txt

6. Go back to the CMD window and type notepad test.txt:real.txt

As seen below

C:\Users\frog>notepad test.txt:real.txt

7. A pop-up will again state that it cannot find the file and ask whether you want to create it – click Yes.

8. Write your real message in here and save.

9. If you then look in the directory where you saved test.txt, you will only see that file, not test.txt:real.txt.

This is because real.txt is hidden inside test.txt as an alternate data stream.

There will be no change in the size shown for the original file, because Explorer and dir report only the size of the file's primary (unnamed) stream.

10. To open the hidden file, go back to CMD and type notepad test.txt:real.txt

As seen below

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\frog>notepad test.txt:real.txt

This is easily found, so don’t think of it as a great security function; use TrueCrypt instead.
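As an added example (not part of the original post), the following PowerShell script reproduces the test.txt:real.txt setup from the steps above and then shows the check a defender would run: enumerating every stream on each file under a folder so that any hidden ADS is listed. It assumes an NTFS volume and PowerShell 3.0 or later; the $ScanDir folder under %TEMP% and the function name Find-AlternateStreams are my own choices.

```powershell
# Added example, not from the original post. Requires NTFS and PowerShell 3.0+.
# $ScanDir is an assumed location; point it at the folder you want to inspect.
$ScanDir = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $ScanDir -Force | Out-Null

# Equivalent of steps 2-8: the visible text goes in the unnamed stream,
# the "real" message goes in a named stream called real.txt.
$Target = Join-Path $ScanDir 'test.txt'
Set-Content -Path $Target -Value 'this is simply a test'
Set-Content -Path $Target -Stream 'real.txt' -Value 'my real message'

# Explorer and plain "dir" report only the unnamed stream, so the file still
# looks like it holds just the one-line test string.
(Get-Item -LiteralPath $Target).Length

# Defender's check: list every stream on every file below a path. The unnamed
# stream shows up as ':$DATA'; anything else is an ADS. Zone.Identifier is the
# benign "mark of the web" stream browsers attach to downloads, so it is
# filtered out to reduce noise.
function Find-AlternateStreams {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object {
        $file = $_
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
            ForEach-Object {
                [pscustomobject]@{
                    File   = $file.FullName
                    Stream = $_.Stream
                    Bytes  = $_.Length
                }
            }
    }
}

# Lists test.txt with its real.txt stream and the stream's size in bytes.
Find-AlternateStreams -Path $ScanDir | Format-Table -AutoSize

# Read the hidden stream directly, the equivalent of step 10.
Get-Content -Path $Target -Stream 'real.txt'

# Removing the stream leaves the visible file untouched.
Remove-Item -Path $Target -Stream 'real.txt'
```

In cmd.exe, `dir /r` (Windows Vista and later) performs the same stream listing for a single directory.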


2 thoughts on “create – alternate data streams (ads)”

    1. Hi Whitehat, Thanks for reading. ADS is a basic way of hiding data. This only works with the Windows NTFS file structure. I have re-read the original instructions and changed them to try to make them clearer. MyExploit is a notebook. We use it to simply keep notes of tools we use while pentesting. Please feel free to ask any questions and one of us will try and update you. We don’t always reply fast, as we are often working on week-long projects.
