
Moving a file with an alternate stream. Alternate data streams in NTFS

Windows operating systems have two little-known features: NTFS data streams (also known as alternate data streams), which can be used to hide data, and Access-based Enumeration (ABE), which filters the listing of a shared resource according to the permissions in its access control lists. Alternate data streams let hidden information, such as metadata about the file, be attached to a file. You will most likely never need hidden data streams yourself, but attackers can use this technology against you, so you need to understand what they are and how they work.

ABE, on the other hand, can be a useful addition to your arsenal. It makes the folders and files on a shared resource invisible to users who have no permission to access them.

Here is what you need to know about both features.

Rivers feeding the sea of data

Alternate data streams are a feature of the NTFS file system. They were introduced in Windows NT 3.1 so that NT and Macintosh users could share files.

An NTFS file consists of data streams: a standard $DATA stream and, possibly, one or more alternate data streams. Any user with the necessary permissions on the file sees the $DATA stream and can open it, read from it and write to it.

An alternate data stream is additional information, or a whole file, that a user or application attaches to an NTFS file. Usually only whoever created the alternate stream knows it exists; other users do not, because neither the stream's name nor its contents are shown by the usual tools, and the reported file size does not change.

Alternate data streams have many uses. Windows uses them to store summary data for files created by applications outside Microsoft Office, such as plain text (.txt) files. Summary data such as title, subject and author can be entered on the Summary tab of the file's Properties dialog box; it is stored in an alternate stream named SummaryInformation.

The Encrypting File System (EFS) and Windows Explorer also keep data related to a file alongside it on NTFS volumes. EFS stores the information needed to decrypt a file (the wrapped file encryption key) with the file itself, in the NTFS $EFS attribute rather than in a named data stream, which is what lets encryption and decryption be handled per file without a central key store.

Internet Explorer (IE) as shipped in Windows XP Service Pack 2 (SP2) uses an alternate stream named Zone.Identifier to record the security zone a file was downloaded from when it is saved on an NTFS volume. This lets IE block a privilege-escalation attack in which a user downloads malicious code from an untrusted zone and saves it to a local disk: IE treats locally saved content as belonging to the Local Machine zone, which has more rights than the Internet zone, so XP SP2 checks the Zone.Identifier stream before allowing downloaded code to do anything on the local system.

Channel for malicious code

Alternate data streams are attractive to attackers, and dangerous, because neither their names nor their contents are displayed in Windows Explorer, so they are a convenient place to conceal data or malicious code that has reached a system. One example is the Potok worm (W32.Potok@mm), which attached several Visual Basic (VB) scripts as alternate streams of an existing ODBC configuration file.

When activated, the worm creates an account with administrative privileges and mails itself to the addresses it finds in the Microsoft Outlook address book.

Another danger is that the disk space taken up by alternate data streams is not reflected in the file sizes or free-space figures shown by Windows Explorer. An attacker can use alternate streams to fill a file server's disk, leaving the administrator to puzzle over the cause. The dir command likewise ignores alternate streams when it totals file and folder sizes (since Windows Vista, dir /R lists each file's alternate streams with their sizes, but the totals still exclude them). The only other Microsoft tool that accounted for alternate streams was chkdsk.

Adding a new stream

Anyone with write permission on an NTFS file can attach an alternate data stream to it with ordinary operating system commands. For example, the following command creates an alternate stream named MyStream, attaches it to the file file.txt and stores the phrase "Top Secret" in it:

echo Top Secret> file.txt:MyStream

You can view the contents of MyStream with the command

more < file.txt:MyStream

As noted above, executable files can also be placed in alternate data streams, so it is possible to attach a hidden copy of the Windows Calculator (calc.exe) to file.txt. Just enter the command

type calc.exe> file.txt:calc.exe

To start the hidden calculator, enter the command

start .\file.txt:calc.exe

(This is Windows XP behaviour; on later Windows versions the cmd start command refuses to launch an image directly from an alternate stream, so the launch step is version-dependent.)

You can see for yourself that alternate data streams and their contents are not shown by Microsoft's tools. Open Windows Explorer and look at the properties of file.txt. The data actually occupies about 112 KB (the size of the embedded calc.exe), but Explorer reports the file size as 0 KB: the $DATA stream holds nothing about the embedded file, and Explorer cannot read information from the alternate stream.
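As an added example, not code from the original article, here are the same steps (create a text stream, hide an executable in a second stream, then compare what Explorer reports with what is actually on disk) in Windows PowerShell 5.1, whose file cmdlets address streams directly through the -Stream parameter. The path under $env:TEMP is an assumption; any NTFS volume works.

```powershell
# Added example (not from the original article), Windows PowerShell 5.1 on NTFS.
# The path is an assumption; any NTFS volume works.
$file = Join-Path $env:TEMP 'file.txt'
Set-Content -Path $file -Value 'nothing to see here'            # the unnamed ::$DATA stream
Set-Content -Path $file -Stream 'MyStream' -Value 'Top Secret'  # echo Top Secret> file.txt:MyStream

# type calc.exe> file.txt:calc.exe, done as a byte copy
# (PowerShell 7 spells -Encoding Byte as -AsByteStream)
$calc = [System.IO.File]::ReadAllBytes("$env:SystemRoot\System32\calc.exe")
Set-Content -Path $file -Stream 'calc.exe' -Value $calc -Encoding Byte

# What Explorer and dir report: the length of ::$DATA alone
'Reported size: {0} bytes' -f (Get-Item -Path $file).Length

# What is really on disk: one entry per stream, ::$DATA included
Get-Item -Path $file -Stream * | Format-Table Stream, Length -AutoSize
'Total on disk: {0} bytes' -f ((Get-Item -Path $file -Stream * | Measure-Object Length -Sum).Sum)

# The main stream can be addressed by its attribute name (file.txt::$DATA),
# and the hidden text read back by stream name
Get-Content -Path $file -Stream ':$DATA'
Get-Content -Path $file -Stream 'MyStream'

# Alternate streams can be removed on their own; the file and ::$DATA stay
Remove-Item -Path $file -Stream 'MyStream'
Remove-Item -Path $file -Stream 'calc.exe'
```

The two size figures are the point: the first is what every size column in Explorer shows, the second is what the volume is actually carrying, and only the enumeration with -Stream * reveals the difference.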

Clearly alternate data streams carry many threats, especially on networks where little attention is paid to NTFS permissions and no strict access control is enforced on Windows servers. There is a simple protection that defeats attempts to use alternate data streams: NTFS access control. If attackers do not have permission to write to a file, they cannot create alternate streams on it.

Detection of changes

If you suspect that attackers have managed to circumvent the permissions you set, use one of the available tools for detecting alternate data streams. System integrity checkers such as Tripwire Enterprise and Tripwire for Servers can identify every change to the NTFS file system on a Windows machine, including the addition or modification of a data stream.

Sysinternals' Streams is a free command-line utility that lists the names of the alternate data streams attached to files. Screen 1 shows the Streams utility displaying the name of the calc.exe stream that we attached to file.txt earlier. The utility can be downloaded from http://www.sysinternals.com/utilities/streams.html.

Another simple way to detect an alternate data stream is to use Windows Explorer to copy the suspicious file to a volume with a file system other than NTFS (say, a FAT drive). Other file systems have no support for alternate data streams, so when you try to copy an NTFS file with attached alternate streams to another file system, Windows displays a warning like the one on Screen 2. Keep in mind, though, that if you copy the same file from the command line with the copy command, Windows copies it to the non-NTFS file system and silently drops the alternate streams.
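As an added example, not part of the article, the following Windows PowerShell 5.1 script does the sweep the Streams utility does, over a whole directory tree: it lists every alternate stream, marks the Zone.Identifier stream that browsers write to downloaded files as expected, and flags any stream that begins with the MZ signature of a Windows executable, which is what the calc.exe stream from the earlier example would look like. The root folder is an assumption.

```powershell
# Added example (not from the original article): find alternate data streams
# under a folder with PowerShell 5.1 built-ins. $Root is an assumption.
param([string]$Root = "$env:USERPROFILE\Downloads")

function Find-AlternateStreams {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_.FullName
        Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |           # skip the main data stream
        ForEach-Object {
            $isPe = $false
            if ($_.Length -ge 2) {
                # first two bytes of the stream; 'MZ' means a PE image is hidden in it
                $head = Get-Content -LiteralPath $file -Stream $_.Stream -Encoding Byte -TotalCount 2
                $isPe = ($head[0] -eq 0x4D -and $head[1] -eq 0x5A)
            }
            [pscustomobject]@{
                File     = $file
                Stream   = $_.Stream
                Bytes    = $_.Length
                # Zone.Identifier is written by browsers on download and is expected
                Expected = ($_.Stream -eq 'Zone.Identifier')
                PEImage  = $isPe
            }
        }
    }
}

Find-AlternateStreams -Path $Root |
    Sort-Object PEImage, Bytes -Descending |
    Format-Table -AutoSize
```

Save it as a .ps1 and run it with the folder to scan as the first argument. Streams that are neither Zone.Identifier nor tiny summary metadata, and in particular anything with PEImage set, are the ones to pull for analysis.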

Hiding shared resources with ABE

ABE is an additional share-level feature that Microsoft first shipped in Windows Server 2003 SP1. It can be enabled on any Windows share, although it only has something to filter when the shared files and folders carry NTFS permissions. ABE lets administrators hide folders and files on a share from users who do not have NTFS-level permission to access them; in other words, it provides folder-level visibility control.

Without ABE, users who connect to a share see every file and folder on it, including those they have no permission to read and those to which access is explicitly denied. When a user tries to open such a file or folder, the system returns an access-denied error. These errors confuse users, so enabling ABE can reduce the load on the help desk.

ABE has drawbacks, however. Before returning the list of objects in a shared folder, the server must check the access control list of every object in it to decide which entries to return. This can noticeably reduce performance, especially on shares that contain many objects.

A typical use of ABE is configuring shares for user home directories. Instead of creating a separate hidden share for each user's home directory, you can create one share containing all users' home directories under a single root folder. Users connect to that root, and you use ABE together with NTFS permissions to control which home directories each user can see.

Activating ABE

The feature uses a new share flag, SHI1005_FLAGS_ENFORCE_NAMESPACE_ACCESS; at the time of writing it is implemented only in Windows Server 2003 SP1 and Release 2 (R2). The flag marks a share as having ABE enabled.

To set the flag you can use the ABE extension to the folder Properties dialog in Windows Explorer or the abecmd.exe command-line tool. Microsoft distributes both in the ABE installation package, an add-on for Windows Server 2003 SP1 that can be downloaded from http://www.microsoft.com/downloads/details.aspx?familyId=04a563d 9-785-B03042-A485-B030AC442084. Because ABE is a server-side extension, it works regardless of the Windows version on the client.

After installing ABE on the server, you can set the flag on a particular share. Right-click the folder, select Properties, go to the Access-based Enumeration tab and select Enable access-based enumeration on this shared folder, as shown on Screen 3. To apply ABE to all shares on the system, select Apply this folder's setting to all existing shared folders on this computer.

The second way is the abecmd.exe command-line tool. To enable ABE on the SharedDocs share, enter:

abecmd /enable SharedDocs

To enable ABE on all shares, use the /all parameter; to disable it, use the /disable parameter.
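As an added example, not from the original article: on Windows Server 2012 and later the abecmd.exe add-on is gone and the same flag is set through the SmbShare module. The block below covers the three abecmd operations and the home-directory share layout described above; the share names and paths are assumptions.

```powershell
# Added example (not from the original article): ABE on Windows Server 2012+
# via the SmbShare module. Share names and paths are assumptions.
Import-Module SmbShare

# Current enumeration mode of every share: Unrestricted means ABE is off
Get-SmbShare | Select-Object Name, Path, FolderEnumerationMode

# abecmd /enable SharedDocs
Set-SmbShare -Name 'SharedDocs' -FolderEnumerationMode AccessBased -Force

# abecmd /all: every ordinary share, leaving the built-in C$, ADMIN$, IPC$ alone
Get-SmbShare | Where-Object { -not $_.Special } |
    ForEach-Object { Set-SmbShare -Name $_.Name -FolderEnumerationMode AccessBased -Force }

# abecmd /disable SharedDocs
Set-SmbShare -Name 'SharedDocs' -FolderEnumerationMode Unrestricted -Force

# The home-directory layout from the text: one share over the root of all home
# folders with ABE on from the start; the NTFS ACL on each subfolder then decides
# which directories a user sees when browsing \\server\Home
New-SmbShare -Name 'Home' -Path 'D:\Home' -FolderEnumerationMode AccessBased `
    -FullAccess 'Authenticated Users'
```

The share permission is deliberately wide open; with ABE the filtering is driven entirely by the NTFS permissions on the folders beneath, which is also where access is actually enforced.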

Access control

ABE is a simple tool for limiting users to the files they need for their work. Users find files more easily because they no longer have to wade through irrelevant folders, and they do not bother the help desk asking why they cannot see files they have no permission to use.

To protect against attackers who use alternate data streams, administrators should keep an eye on the access control settings of their shares and use one of the utilities described above to detect hidden alternate data streams and other changes to the NTFS file system.

Jean De Clercq (declercq@hp.com) is a member of Hewlett-Packard's Security Office, where he works on identity management and security in Microsoft products. He is the author of Windows Server 2003 Security Infrastructures (Digital Press).

Support for alternate data streams (AltDS) was added to NTFS for compatibility with the Macintosh HFS file system, which used the resource fork to store icons and other file information. AltDS are hidden from the user and not accessible by conventional means: Explorer and other applications work with the standard stream and cannot read data from the alternate ones. With AltDS you can easily hide data that standard system checks will not detect. This article gives basic information about how AltDS work and how to detect them.

Creating AltDS

Creating an AltDS is very easy; we use the command line. First create a basic file to which we will attach our streams:

C:\>echo Just a plain text file> sample.txt

C:\>type sample.txt
Just a plain text file

Next we use the colon as the operator that tells the system we are addressing an AltDS:

C:\>echo You can't see me> sample.txt:secret.txt

You can view the contents with either of the following commands:

C:\>more < sample.txt:secret.txt

or

C:\>notepad sample.txt:secret.txt

If everything works, you will see the text "You can't see me", while opening the file from Explorer shows nothing of the kind. An AltDS can be attached not only to a file but also to a folder. To do that, create a folder and attach a stream to it:

C:\>md stuff
C:\>cd stuff
C:\stuff>echo Hide stuff in stuff> :hide.txt
C:\stuff>dir
 Volume in drive C has no label.
 Volume Serial Number is 40CC-B506

 Directory of C:\stuff

09/28/2004  10:19 AM    <DIR>          .
09/28/2004  10:19 AM    <DIR>          ..
               0 File(s)              0 bytes
               2 Dir(s)  12,253,208,576 bytes free
C:\stuff>notepad :hide.txt

You now know how to view and edit an attached AltDS, and how to attach one to files and folders.

Hiding and launching applications

Hiding an application in an AltDS is as easy as hiding text. First create a basic file again:

Next, place the application in a stream; here I used notepad.exe:

C:\Windows>type notepad.exe> test.txt:note.exe

Now check that our file still looks like plain text:

C:\Windows>type test.txt
Test

And now the most interesting part, launching the hidden application:

C:\Windows>start .\test.txt:note.exe
C:\Windows>

Since this article is not a full translation of the original, it is presented as a short topic. Further techniques can be found at the link referred to.

UPD:

Utilities for working with AltDS (list taken from the article at the link above):

LADS - List Alternate Data Streams, by Frank Heyne
www.heysoft.de/frames/f_sw_la_en.htm

streams.exe from Sysinternals.

This article was written for the magazine "Hacker" in 2004 and appeared in issue 09/04 (69) under the title "Destructive streams".

Having taken over another NT system and installed your home-made spyware on it, you need to solve the problem of storing the collected information on the victim's computer. Usually the log is written to a plain file in a directory with a large number of files, such as System32.

NTFS features

This is common, but far from the best way to hide information on the local machine. There is a chance the user will notice an extra, constantly updated file that has suddenly appeared in the system directory. Append the log to an existing file? First you have to find a file that appending to will not corrupt. What about keeping the information somewhere that is not visible from Explorer, the command line or any file manager? The NTFS file system gives us exactly that. You will rarely encounter it on an ordinary home machine, since most users still prefer FAT32, even those running XP. But on the local network of any company running Win2K/XP, NTFS is almost certainly in use, because it provides features such as per-user access rights, encryption and file compression, and it is much more reliable than FAT32. So the method of hiding data that I describe is ideal for industrial espionage. With the arrival of Longhorn, NTFS has a chance to settle on home machines too, since the upcoming WinFS file system, built on NTFS, promises extra features for organising and searching information that should attract ordinary users.

Attaching any data to a file

The method is to store the data not in a file, as usual, but in an NTFS file stream. A stream can be attached to another file (the file's size does not change and its data stays intact, so utilities that check file checksums notice nothing), to a directory or to a disk. Alternate file streams have been part of NTFS since the earliest versions of Windows NT. The idea is that one file can have several streams containing data, with the file's contents held in just the main one. The HFS file system on Macs has something similar; there the streams are called forks. Until recently they held file resources or information about the file type. With Mac OS X, Apple recommended placing resources in separate files and determining file types by extension, but fork support remains anyway. In Windows, streams are normally used to store additional information about a file. For example, a stream may contain a document summary; if your system is on an NTFS disk, the explorer.exe file probably carries one. Depending on the summary contents, streams named SummaryInformation, DocumentSummaryInformation and others may be attached to the file. On my computer I found a stream named $MountMgrRemoteDatabase attached to drive C.

You only learn about the streams attached to a file in a few situations, for example when copying a file with an attached stream to a FAT/FAT32 disk. Those file systems do not support streams, so the system asks you to confirm the loss of the stream data, naming the streams. Of course, this never happens if the stream is attached to the disk itself or to a system folder. Streams are not only for spyware. If you develop shareware, you can easily store registration information, the number of days left in the trial period, in short anything your program should keep hidden, in a stream.

Working with streams

Files and streams have similarities and differences in how they are handled, and the similarities are not that many. Both files and their streams are created and deleted with the same WinAPI functions, CreateFile and DeleteFile. Reading and writing are done with ReadFile and WriteFile respectively. That is where the similarity ends and the differences begin. Stream names may contain special characters that cannot be part of a normal file name, such as "*", "?", "<", ">", "|" and the quotation mark. The stream name is stored in Unicode in any case; characters in the range 0x01-0x20 can also be used. There is no standard function for copying or moving a stream: MoveFile and CopyFile do not work with streams, but nothing stops you writing your own. Streams have no attributes, creation or access dates of their own; they inherit them from the file they are attached to. The file's own data can also be viewed as a stream. Stream names take the form "file name:stream name:attribute". The standard attribute holding data is called $DATA; there are many other attributes, whose names also start with "$". The file's contents are in the unnamed stream (filename::$DATA). A bug in older versions of Microsoft IIS was connected with this way of representing a file's contents as a stream: an attacker who wanted to see the text of a script on a vulnerable server simply appended "::$DATA" to its name, and the server, instead of executing the script, returned its source code. Working with streams is just like working with files. Listing 1 is a simple program that creates a file with a stream and writes some information into it. After running the program, an empty file "testfile" appears in its directory; you can view the contents of the attached stream by typing "more < testfile:stream" at the command line.
As you can see, the stream name follows the file name, separated from it by a colon. The hardest part of working with streams is getting the list of them for a given file. There is no standard function for this, so you have to write it yourself. Let's write a small console program that returns the list of streams for a given file name. The guys at Sysinternals have such a program, with source code, and it works, but I did not like their approach: they use Native API calls, so their code is large and hard to read. We will write our own program that works from the command line, with a simpler algorithm and standard API functions.

Getting the list of streams

The algorithm is based on the BackupRead function, which is intended for backing up files. When you back up a file it is important to preserve as much data as possible, including the file's streams. The information comes in a WIN32_STREAM_ID structure, from which you can get the stream's name, type and size. We only need streams of type BACKUP_ALTERNATE_DATA. All the functions and structures are described in the winnt.h header file. First open the file for reading with CreateFile; in the dwFlagsAndAttributes parameter pass the FILE_FLAG_BACKUP_SEMANTICS flag, which lets you open not only files but also directories. Then run a while loop that reads the stream information into the sid structure, from which we get the details of each stream. Before the next pass of the loop we clear the structure and move the file pointer to the next stream with BackupSeek. After all the streams have been found, we release lpContext, which holds BackupRead's bookkeeping data, and close the file. The source code is in Listing 2; the compiled program is on our disk. You do not have to write special programs to work with streams: a lot can be done directly from the command line, as the examples in the sidebar show.

Detection

Having attached a stream with information to something, it is hard to get at its contents without knowing its name, and if the stream is attached to a logical disk there are no standard tools for detecting it at all. Since a stream name may contain characters that are invalid in ordinary file names, it can be difficult to get at a stream's contents from the command line. The document summary, for instance, is usually stored in a stream whose name contains the character with code 0x05. This character can be typed at the console (Ctrl+E), but if it were 0x0A or 0x0D (line feed and carriage return) it would be impossible to type. In theory you can discover attached streams by chance, using software that is likely to be on your computer anyway. WinRAR has an option to store file streams in the archive, and if it is enabled you may notice that a small file placed in the archive not only fails to shrink but grows (because the data in its streams is archived too), which might arouse suspicion. A tool for monitoring file system access, FileMon from the same Sysinternals, makes no distinction between files and streams, so careful study of the log of disk accesses by a suspicious program (your keylogger) will reveal both the name of the stream where the log is written and the name of the file it is attached to.

Viruses

In September 2000 the first virus to use alternate file streams for its propagation appeared. W2K.Stream was the first of a new type of virus, the stream companion. It looks for .exe files in its directory and, if it finds any, infects them: it attaches an additional stream to the file, moves the original file's contents into it, and then copies the virus body into the main stream. When the infected file is run, the virus again tries to infect the files in its directory and then launches the program from the additional stream. Indeed, the CreateProcess function can start a process from a stream. Moreover, the file with the stream can be deleted and the process keeps running. A fairy tale for Trojan writers! Although almost four years have passed since W2K.Stream appeared, not all antiviruses can detect malicious code in file streams, so new worms and viruses that use them could be a serious danger.

Other viruses using streams

Besides W2K.Stream, streams are used by other viruses and worms. The first worm to use file streams was I-Worm.Potok. This little animal attaches several streams to the ODBC.ini file in the Windows directory and stores there the scripts it uses to mail itself. Another virus is W2K.Team. Descriptions of these and other similar viruses can be found at http://www.viruslist.com/

Working with streams from the console

Creating a stream on a file:
type nul> somefile.txt:stream

Writing to a stream:
echo "something" >> somefile.txt:stream

Reading a stream:
more < somefile.txt:stream

Copying the contents of an existing file into a stream:
type file1.txt >> somefile.txt:stream

Copying the contents of a stream into a file:
more < somefile.txt:stream >> file2.txt

Deleting streams

There is an opinion that a stream can only be deleted together with the file it is attached to. This is not true: if you know the name of the stream, you can always delete it with the standard DeleteFile function.

Listing 1. Example of creating a stream.

#include <windows.h>

int main(void)
{
    DWORD dwRet;
    const char msg[] = "This is a stream";
    /* the stream name follows the file name, separated by a colon;
       CreateFileA is used so the narrow string works whether or not UNICODE is defined */
    HANDLE hStream = CreateFileA("testfile:stream", GENERIC_WRITE, FILE_SHARE_WRITE,
                                 NULL, OPEN_ALWAYS, 0, NULL);
    if (hStream == INVALID_HANDLE_VALUE)
        return 1;
    WriteFile(hStream, msg, sizeof(msg) - 1, &dwRet, NULL);
    CloseHandle(hStream);
    return 0;
}

Listing 2. X-Stream: program showing a list of streams

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <tchar.h>

int _tmain(int argc, _TCHAR *argv[])
{
    WIN32_STREAM_ID sid;
    DWORD dwRead, dwLow, dwHigh;
    int numOfStreams = 0;
    // buffer for the stream name in Unicode
    WCHAR wszStreamName[MAX_PATH];
    LPVOID lpContext = NULL;

    if (argc < 2) {
        _tprintf(_T("usage: %s <file | directory | drive>\n"), argv[0]);
        return 1;
    }
    /* Open the file for reading with FILE_FLAG_BACKUP_SEMANTICS, which
       lets us open not only files but also directories and disks. */
    HANDLE hFile = CreateFile(argv[1], GENERIC_READ, FILE_SHARE_READ, NULL,
                              OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
        _tprintf(_T("\nError: could not open file, directory or disk %s\n"), argv[1]);
        return 1;
    }
    // size of the fixed part of WIN32_STREAM_ID (everything before cStreamName)
    DWORD dwStreamHeaderSize = (DWORD)((LPBYTE)&sid.cStreamName - (LPBYTE)&sid);
    ZeroMemory(&sid, sizeof(sid));
    _tprintf(_T("\nStreams information for %s:\n"), argv[1]);
    while (BackupRead(hFile, (LPBYTE)&sid, dwStreamHeaderSize, &dwRead, FALSE, TRUE, &lpContext)) {
        // zero bytes read means every stream has been visited
        if (dwRead == 0)
            break;
        // if the stream type is invalid, stop
        if (sid.dwStreamId == BACKUP_INVALID)
            break;
        ZeroMemory(wszStreamName, sizeof(wszStreamName));
        // the name (dwStreamNameSize bytes of UTF-16) follows the header
        if (sid.dwStreamNameSize > 0 &&
            !BackupRead(hFile, (LPBYTE)wszStreamName, sid.dwStreamNameSize, &dwRead, FALSE, TRUE, &lpContext))
            break;
        if (sid.dwStreamId == BACKUP_DATA || sid.dwStreamId == BACKUP_ALTERNATE_DATA) {
            numOfStreams++;
            printf("\n\nStream\t\t#%u", numOfStreams);
            switch (sid.dwStreamId) {
            case BACKUP_DATA:
                printf("\nName:\t\t::$DATA");
                break;
            case BACKUP_ALTERNATE_DATA:
                printf("\nName:\t\t%S", wszStreamName);
                break;
            }
            printf("\nSize:\t\t%llu bytes", (unsigned long long)sid.Size.QuadPart);
        }
        // skip the stream's data and move the pointer to the next stream header
        BackupSeek(hFile, sid.Size.LowPart, sid.Size.HighPart, &dwLow, &dwHigh, &lpContext);
        // clear the structure before the next pass of the loop
        ZeroMemory(&sid, sizeof(sid));
    }
    // release lpContext, the bookkeeping data BackupRead needs
    BackupRead(hFile, NULL, 0, &dwRead, TRUE, FALSE, &lpContext);
    // close the file
    CloseHandle(hFile);
    return 0;
}

Also on the subject of file streams:

  • NTFS Stream Explorer 2.00, a program for working with NTFS streams, and

The purpose of this article is to explain what Alternate Data Streams (ADS) are in Windows operating systems, to demonstrate how to create them and use them to compromise a machine, and to show how to find hidden files with publicly available utilities. First we need to understand what ADS are and what threat they carry, then we will see how they are used in an attack, and finally we will look at tools for detecting such activity and at how to stop further illicit use of them.

Why?

Alternate data streams appeared in Windows together with NTFS. As far as I understand, there was no particular point to them: they were added for compatibility with HFS, the old Macintosh Hierarchical File System. That file system uses both a data fork and a resource fork to store content: the data fork holds the document's content, and the resource fork holds identification data such as the file type. By now few ordinary users know alternate streams exist, but in the computer security world they have gained some currency. Malicious hackers use ADS to store files on compromised computers, and viruses and other malware sometimes use them too. The point is that these streams cannot be seen by conventional means, whether Explorer or the command line. Why else are they interesting? Because investigations of a break-in do not always pay attention to them, and not all antivirus products look inside streams by default when searching for malware.

To business

In order to understand a real danger
ADS better demonstrate work with them.
In the example, using Metasploit Framework penetrate
on the car. For this we use vulnerability
MS04-011 (LSAss). Then with the help of TFTP fill files,
which and put in additional streams
data. As soon as it is completed on
Remote machine run from the command
rows scanner that scans the network on
Availability of other machines. Note,
that the authors of Metasploit Framework provided their
creation signature MetaSploit, so that the creators
Protective programs could determine the package
Outgoing from MF. Pay attention to the package,
Outgoing from the attacker:

Here 192.168.1.102 PC attacker on
which is Metasploit Framework, and 192.168.1.101 -
Vulnerable Comp with Win2K Prof. In this case, the axis
set without patches and service spars,
exclusively for demonstration goals
:). Please note that ads themselves are not
too useful, they naturally please
attacker only if there is
Access to the car, system vulnerability in
operating system. In this network you
It is unlikely to find unscrupted W2K, so
will have to look for other principles
penetration.

Below we see that the attack succeeded and a reverse shell is open on the attacking machine. By default, Metasploit uses port 4321 for this vulnerability, but it can be changed:

Having penetrated the machine, we need to transfer files to it. For this we use TFTP; in this case we fetch ipeye.exe.

In the same way we download psexec.exe, pslist.exe and klogger.exe. Let's list the directory C:\Compaq\ where everything ended up:

Now we merge ipeye.exe into a stream attached to the existing file test_file.

The same can then be done with the other files needed, hiding them too. Note that an alternate stream can be attached not only to files but also to directories, C:\ itself for example. Now run the scanner we spoke about at the beginning, ipeye.exe, on the infected computer:

c:\COMPAQ\TEST_FILE:ipeye.exe

(To be continued)
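As a defender-side counterpart to the scenario above, here is an added PowerShell example (not from the article) that walks a directory tree, lists every stream other than the main ':$DATA' stream and flags those whose first two bytes are the 'MZ' signature of a Windows executable, which is how an executable merged into a stream the way ipeye.exe was above would show up. The function name Find-HiddenStream and the C:\Compaq path in the usage line are assumptions.

```powershell
# Added example (not from the article): enumerate alternate data streams under
# a path and flag streams that start with the 'MZ' header of a PE executable.
function Find-HiddenStream {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Zone.Identifier is written by browsers on every download; skip it by default
        [switch]$IncludeZoneIdentifier
    )

    # Directories can carry streams too, so do not restrict the walk to files
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        # ':$DATA' is the unnamed main stream; everything else is an ADS
        $streams = Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' }

        foreach ($s in $streams) {
            if (-not $IncludeZoneIdentifier -and $s.Stream -eq 'Zone.Identifier') { continue }

            # Read only the first two bytes of the stream. The byte-reading switch
            # differs: Windows PowerShell 5.1 uses -Encoding Byte, PowerShell 7 -AsByteStream.
            $readArgs = @{
                LiteralPath = $item.FullName; Stream = $s.Stream
                TotalCount  = 2;              ErrorAction = 'SilentlyContinue'
            }
            if ($PSVersionTable.PSVersion.Major -ge 6) { $readArgs.AsByteStream = $true }
            else                                         { $readArgs.Encoding = 'Byte' }
            $head = [byte[]](Get-Content @readArgs)
            $isPe = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)  # 'M','Z'

            [pscustomobject]@{
                Path        = $item.FullName
                Stream      = $s.Stream
                Length      = $s.Length
                LooksLikePE = $isPe
            }
        }
    }
}

# Usage, e.g. over the directory from the article (path is an assumption):
# Find-HiddenStream -Path 'C:\Compaq' | Format-Table -AutoSize
```

A stream flagged LooksLikePE on a file that is not itself a program is exactly what an investigator should look at first; the Sysinternals streams.exe tool gives a similar listing without the content check.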

Apparently invisible

Victor, a reader of the blog, was unable to run a PowerShell script downloaded from the Internet. Careful reading of my instructions would have avoided the problem, but its root was not at all in strict PowerShell security policies.

Victor downloaded from the TechNet gallery the archive PSWindowsUpdate.zip with a script for controlling Windows Update, which I have written about. However, the unpacked script refused to work. When I pointed out to the reader that the first paragraph of my instructions says the archive has to be unblocked, everything went like clockwork.

Victor asked me to explain why the system blocked the script, and how it knows that the archive was downloaded from another computer.

Honestly, today's topic is not new, but I decided to cover it on my blog for several reasons:

  • Many articles were written in the Windows XP or Windows 7 era and do not take into account the built-in features of newer Microsoft operating systems.
  • One of the articles planned for the near future touches on this topic, and it is easier for me to refer to material whose relevance and correctness I answer for myself.
  • The blog has a large audience, and for many readers this topic will still be news :)

On today's program

NTFS data streams

Windows takes information about a file's origin from an alternate data stream (Alternate Data Stream, hereafter ADS) of the NTFS file system. In the file's properties it modestly says that the file came from another computer, but in fact it knows a little more, as you will see below.

From NTFS's point of view, a file is a set of attributes. The file's content is a data attribute named $DATA. For example, a text file with the line "Hello, World!" has the $DATA attribute "Hello, World!".

In NTFS the $DATA attribute is a data stream and is called the main, or unnamed, stream, because... it has no name. Formally it looks like this:

$DATA:""

  • $DATA - attribute name
  • : - delimiter
  • "" - stream name (in this case the name is missing: there is nothing between the quotes)

Interesting features of alternative data streams

In the context of the examples, I want to mention a few curious points.

Invisible changes

Having created the first text file with the command, you can open it in a text editor and make sure that all further manipulations do not affect the file's contents.

It gets interesting when the file is open in, say, Notepad++. This editor can warn that the file has changed. And it will do so when you write an alternate stream to the file, yet the content remains the same!

Recording and View ADS from CMD

ADS can be created and displayed from the command line. The following commands write hidden text into a second ADS named MyStream2, and then display it.

echo Hidden text > C:\temp\test.txt:MyStream2
more < C:\temp\test.txt:MyStream2

View ads in text editors

The same Notepad++ will show you the contents of an ADS if you specify the stream name on the command line:

"C:\Program Files (x86)\Notepad++\notepad++.exe" C:\temp\test.txt:MyStream1

Result:

With Notepad, this trick works only if the stream name ends in .txt. The commands below add a third ADS and open it in Notepad.

echo Hidden text > C:\temp\test.txt:MyStream3.txt
notepad C:\temp\test.txt:MyStream3.txt

Result:

Lock downloaded files

Let's return to the question the reader asked me. Whether a file gets blocked depends first on the program it was downloaded with, and second on the OS settings. All modern browsers support blocking, and it is enabled in Windows.

Remember that when an archive is blocked, all the files unpacked from it are blocked "by inheritance". Also don't forget that ADS is an NTFS feature, i.e. when the archive is saved or unpacked on FAT32, no blocking occurs.

View information about the source of the locked file

In PowerShell, go to the folder with the downloaded file and look at the information about all of its streams.

Get-Item .\PSWindowsUpdate.zip -Stream *

   FileName: C:\Users\Vadim\Downloads\PSWindowsUpdate.zip

Stream                   Length
------                   ------
:$DATA                    45730
Zone.Identifier              26

As you already know, $DATA is the file's contents, but Zone.Identifier also appears in the list. This is a transparent hint that the file came from some zone. Do you know where this picture comes from?

To find out the zone, you need to read the contents of the ADS.

Get-Content .\PSWindowsUpdate.zip -Stream Zone.Identifier

[ZoneTransfer]
ZoneId=3

Obviously, the Unblock-File cmdlet is aimed at batch unblocking (for example, when the archive has already been unpacked). The command below unblocks all files in the Downloads folder whose names contain PS:

dir C:\Downloads\*PS* | Unblock-File

Of course, there are all sorts of utilities with a graphical interface, some even able to integrate into the context menu. But in my opinion PowerShell, or at worst the command line, is quite enough.
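To turn the Zone.Identifier output above into something you can act on, here is an added PowerShell example (not the author's code): it reads the stream from every file in a folder, parses the [ZoneTransfer] key=value lines into the zone number (plus the HostUrl/ReferrerUrl fields that newer Windows 10 builds add), and removes the stream with Unblock-File only when explicitly asked, honouring -WhatIf. The function name Get-ZoneTransferInfo is an assumption; the zone numbers are the standard URLZONE values that ZoneId refers to.

```powershell
# Added example (not from the post): report, and optionally remove, the
# Zone.Identifier information of downloaded files. Function name is assumed.
function Get-ZoneTransferInfo {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Folder,
        # Only remove the stream (Unblock-File) when explicitly requested
        [switch]$Unblock
    )

    # Standard URLZONE numbers that the ZoneId value refers to
    $zoneNames = @{
        0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
        3 = 'Internet';      4 = 'Restricted sites'
    }

    foreach ($file in Get-ChildItem -LiteralPath $Folder -File) {
        # A file without the stream was never marked as coming from another zone
        $raw = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if (-not $raw) { continue }

        # The stream is a tiny INI fragment: a [ZoneTransfer] header, then Key=Value lines
        $fields = @{}
        foreach ($line in $raw) {
            if ($line -match '^\s*([^=\[\]]+?)\s*=\s*(.*)$') {
                $fields[$Matches[1]] = $Matches[2]
            }
        }
        $zoneId = -1   # stays -1 when ZoneId is absent or not a number
        if ($fields.ContainsKey('ZoneId')) {
            [int]::TryParse($fields['ZoneId'], [ref]$zoneId) | Out-Null
        }

        $removed = $false
        if ($Unblock -and $PSCmdlet.ShouldProcess($file.FullName, 'Unblock-File')) {
            Unblock-File -LiteralPath $file.FullName
            $removed = $true
        }

        [pscustomobject]@{
            File        = $file.Name
            ZoneId      = $zoneId
            Zone        = if ($zoneNames.ContainsKey($zoneId)) { $zoneNames[$zoneId] } else { 'Unknown' }
            HostUrl     = $fields['HostUrl']       # only present on newer Windows 10 builds
            ReferrerUrl = $fields['ReferrerUrl']
            Unblocked   = $removed
        }
    }
}

# Usage: report only, then a dry run of unblocking (nothing is changed with -WhatIf)
# Get-ZoneTransferInfo -Folder "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
# Get-ZoneTransferInfo -Folder "$env:USERPROFILE\Downloads" -Unblock -WhatIf
```

Reviewing the HostUrl column before unblocking tells you which site a file actually came from, which is more useful than the bare "from another computer" wording in the Properties dialog.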

How to prevent file blocking

The policy responsible for blocking is "Do not preserve zone information in file attachments". From the name it follows that blocking is standard Windows behavior, and the policy lets you change it.

However, it is not obvious from the name that the policy applies not only to e-mail attachments but also to files downloaded from the Internet. Read more about the Attachment Manager in KB883260.

The home editions have no Group Policy editor, but nobody has cancelled the registry: savezoneinformation.zip.

Other examples of practical ADS application

The field of application of ADS is not limited to adding the zone of a downloaded file, nor is what is stored in ADS limited to text. Any program can use this NTFS feature to store any data, so I will give only a couple of examples from different areas.

File classification infrastructure


Interesting material, thanks. I learned something new about PowerShell, which I am still little familiar with :)

To communicate with the family we most often use WhatsApp: so far this service has fewer problems, and even the parents have mastered it. Contact is also mainly for the family, although the exchange of messages there revolves mainly around published albums with photos and videos. Some relatives stay loyal to Viber; somehow I didn't take to it, I just keep it for them, without giving up attempts to drag them into WhatsApp too.

For work it is mostly Slack; when something is urgent, WhatsApp; very urgent, SMS. VKontakte for communicating with the outside world.

I use Skype only for video calls, again mostly with the family. I would gladly replace it with WhatsApp if it had video calls.

uRIX.

Viber now has video calls, even in the desktop version. So maybe Viber will be the next Skype... in the good sense.

Andrey Kuznetsov

Interesting material, thank you. I knew about the existence of streams, but I did not know that it is so easy to work with them through PowerShell.
As for IM: I have complaints about the launch time on Windows Phone. There are no such problems on the iPad and Windows. I use it for voice communication when for some reason it is inconvenient to use GSM.
And correspondence goes through WhatsApp. Its presence only on the phone is rather a plus, in terms of privacy.

  • Andrey Kuznetsov: And correspondence goes through WhatsApp. Its presence only on the phone is rather a plus, in terms of privacy.

    Andrey, explain what the plus is

Pavlovsky Roman

1. What I use most often: Skype and Hangouts when working on a PC, and for the rest VKontakte correspondence from any device, since work clients usually sit on Skype, and friends and acquaintances on social networks.

2. What I would ideally like to use: Jabber, for correspondence and calls from any device. As I see it, the client can be installed on any device and you can write from wherever the user is, even on a weak Internet connection; plus you can deploy your own Jabber server for this and store all correspondence on the server, so that you can quickly find the needed conversation if the client cannot store history, and plugins for calls through Jabber can be found (for example, through the same SIP, Asterisk 1.8+).

Andrei Bayatakov

Most often I use WhatsApp (mainly for work), and for calls (audio/video/international) Skype. Although the desktop Skype is terribly annoying (I have a convertible and at home I use it mostly as a tablet)... Viber did not suit me. To call through WhatsApp you need nerves of iron. You say something to the other person and wait a minute or two until he hears you (on a 50 Mbit connection)...
I would like to be able to move completely to Skype. On Windows 10 Mobile, after a recent update, messages from Skype arrive directly in the built-in messaging application (like SMS), which is very convenient.

Maxim.

1. At the moment I use ICQ (for retrograde customers) and Slack (for more modern ones).
2. I would like to use Jabber, for the same reasons Roman Pavlovsky gave above.

Vladimir Kiryushin

Hello Vadim!
I read your article about how to read the report of the full system disk check by the chkdsk command. Excellent article! Thanks to it, today, after running the CHKDSK command on the system disk, I received a text file report. And this article also clarifies a lot of things in the PowerShell program. Some of it is incomprehensible to me, a pensioner, but I try not to panic and read hard to the end. Thank you for the lessons you hold with us! All the best to you!

Lecron.

What browsers and download programs create this stream?

What other options are there for a user to make use of streams? And in particular a user who writes scripts? Because, although I have known about them for a long time, I have never used them. In real work with the computer one simply does not remember them, and because of this perhaps uses crutches instead of a convenient tool; without such work they are not in memory, and nothing comes to mind.
I came up with only one use: a comment on a file, when there is no possibility or desire to write long text in the file name. But for this you need support from the file manager, which, earlier and now, writes them in Descript.ion or Files.bbs.

Speed \u200b\u200bGuru.

Another trash technology like the USN journal. Do you get much use from ZoneIdentifier, or from a virus attached to a file or folder? Of course not. Moreover, this is an unnecessary system of unnecessary "subfiles" that nobody needs. Every unnecessary read in the MFT catalog and the other operations related to maintaining and holding alternate streams are extra processor cycles, extra RAM and, most importantly, extra load on the hard disk.
You can tell me that this technology is very much needed by the system. But that is nonsense: the system would work perfectly without streams. But nobody asks the user: they shoved it in (like the USN journal) and did not give the ability to completely disable the maintenance of these streams. But users like me are not needed, I think like you...
All we can do is "Streams -S -D %SystemDrive%". But it does not allow removing streams on the system partition.

Alexiz Kadev.

Named streams are an excellent thing, and have existed, as far as I remember, since the first release of NTFS. In named streams it is convenient to store, for example, document versions, which, if I am not mistaken, a number of applications did. But an ambush remains when copying to another file system: named streams are simply cut off.

It is a pity that in the vote it was impossible to pick several messengers: I use several, since some of my contacts prefer particular ones. So I use WhatsApp, ICQ (though, of course, not the native client), Skype, Skype for Business (quiet horror rather than a client; however, when it was called Lync it was even worse) and Viber (there is more spam here than in the others, at least once in 5).
And ideally I would use some one program, such as Miranda with plug-ins, because when needed, remembering who, where and when said/wrote something in all this heap is simply unrealistic. But alas, a number of manufacturers close their protocols and guard them with their needle.

  • Vsh.

    Vadim Sterkin.: Roman, I did not include Jabber in the survey. I decided that few people use it and it has no prospects.

    In vain.
    For example, I use Openfire (freeware XMPP) as an office communicator across several domains.

    Therefore my main one is XMPP (pidgin.exe, spark.exe), but 99.8% of those messages are internal corporate ones.
    Skype - for external IM
    WhatsApp and Viber - for "random relationships"; the last N months it has been nothing but spam, I'm thinking: shouldn't I remove them?

  • Artem

    For some reason I have everyone in Viber. And the quality of communication is quite acceptable. It would be the same with Telegram. But it's empty there.

    hazet.

    1. Skype (on PC) and Viber (on mobile). The reasons are mainly, as for most people, the number of contacts and naturally the unwillingness of those same contacts to move to another messenger.
    2. uTox. Miniature, nothing superfluous, client for Win, Linux, Mac and Android. Positioned as secure.
    P.S. SHAZHIZ WILL GIVE TREATMENT OF HAVE OF HAVE TO HER PERFECT :-)

    Evgeny Karelov

    Thank you for your work!

    Regarding the survey: on a PC for correspondence I use QIP 2012, to which the ICQ, VKontakte and other contacts are connected. Personally, it is convenient for me to use one program to communicate over several protocols. And the ability to view social network feeds from one place is very pleasing. Ideally, Skype support is lacking, which I use for voice communication, but it will not appear.
    Although this program looks "abandoned", since there have been no updates for a long time, it performs its assigned functions perfectly.

    strafer.

    An interesting mix in one post of the topic of data streams and a survey on IM.

    On the survey: Jabber/XMPP, which you wrongly did not include in the list, although there is an otcup based on XMPP, and one even heading for the success of Asechka.

    Jabber in general solves all the indicated problems due to the openness of the protocol, the availability of clients for many platforms and the availability of servers that can be set up independently. But cacti are chewed more traditionally, yes.

    • The list is of clients, not protocols.
      ICQ... well, I did not put emoticons there, since it should be clear as it is.
      Jabber definitely does not solve one problem: there is no one there.

      • strafer.

        Vadim Sterkin.: The list is of clients, not protocols.

        Due to the fact that the protocol and the source code of the official client are closed, a regular identity is established between the sole client and the protocol.

        Vadim Sterkin.: ICQ... well, I did not put emoticons there, since it should be clear as it is.

        Mailrushechka, not content that Asechka is dying a natural death, is also making extra efforts to make it happen faster.

        Vadim Sterkin.: Jabber definitely does not solve one problem: there is no one there.

        Nevertheless, about Telegram you yourself wrote

        looks great, but it's empty there (which is fixable)

        Jabber had every chance of becoming what the e-mail ecosystem is today (full openness of the protocol, the ability for anyone to set up their own servers and ensure interaction between servers, etc.), but corporations do not need that, which Google showed excellently by abandoning it and rolling up a wrapper of its own.

        • For Telegram it is fixable, for Jabber very unlikely. Therefore the first is in the list but the second is not.

          • strafer.

            Of course, Telegram is stylish, fashionable, youthful, and nobody like Pasha Durov is pushing Jabber. What prospects are there here.

            Hmm... Yes, come out of your tank of conspiracy theories "the whole world against free software". Everything is much simpler.

            If it is not clear, this is what a first experience of interaction with the officially recommended Jabber client on the most common mobile platform looks like.

            strafer.

          • I did not quite understand where in my comments there is anything about a conspiracy.

            Yes, everywhere :) You are trying to attribute Jabber's failure to non-trendiness and non-fashionability, while its clients from the very first screen are not adapted to modern reality.

            What should I see in the screenshot?

            An offer to enter a phone number ~~~ O ~

          • strafer.

            strafer.: You are trying to attribute Jabber's failure to non-trendiness and non-fashionability

            Well, if it is so.

            strafer.: While its clients from the first screen are not adapted to modern reality.

            I.e. to the current fashion, such as disclosing your phone number to everyone. For I do not understand why it is necessary to enter it if it is not needed for the system to work; as for me, it is just perfectly beautiful that it is not asked for here.

            Actually, I abandoned Asechka, despite several contacts remaining there, for exactly this reason: Mailrushechka demanded in ultimatum form that a phone number be tied to the account, whereupon it was sent to the well-known coordinates.

            Yes, you don't understand even after explanations with pictures... This is not fashion, this is the only way to simplify registration from mobile devices, which form the basis of the audience of modern messengers and the only source of its growth.

            strafer.

            In the screenshot there is a request for a name, a password and an optional nickname. Where could it be simplified any further? Or are there no more reserves for audience growth apart from pupils of correctional schools, and there should be a single "do for *smiley*" button?
            Why is there a phone number there at all, and what should the messenger do with the phone number?