lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: 4 Aug 2005 16:22:42 -0000
From: inge_eivind.henriksen@...llo.no
To: bugtraq@...urityfocus.com
Subject: Creating a secret web site on IIS 5.x using Alternative Data Streams


** Inge Henriksen Security Advisory http://ingehenriksen.blogspot.com/ **

Creating a secret web site on IIS 5.x using Alternative Data Streams 
--------------------------------------------------------------------

Using a little known feature of the Windows NT file system (NTFS) one can create a secret website, this website can not be detected without third party tools made specifically for it.

Confirmed Applications
Microsoft® Internet Information Server® V5.x and probably earlier versions. 

Confirmed Platforms
Should work with all NT based Windows as long as the fil system is NTFS and not FAT. Does not work on Vista Beta 1 with IIS 6.

Technical Description
A NTFS file can contain a number of alternative data streams that bypasses the regular directory listing, the data in the alternative data does not even count when the number of free bytes left on the disk is calculated.

Proof of Concept
Start a console on the NT system in question and change directory to the web root(usually c:\inetpub\wwwroot\)
In the example we will use the help.gif file that is already in the directory, you can use any file though.  Type "dir" and take notice of the number of free bytes left on the disk
Type "echo This is a hidden data stream > help.gif:hidden" , we have now created a hidden data stream called "hidden", the name of the stream can be anything if you just avoid some special characters
Type "dir" againm notice that even though we added data to the file in an alternative data stream the free bytes left on the disk is left unchanged
Open you web browser and type in" http://localhost/help.gif " and you should see the little icon just as it was before we added the alternative data stream
Now, type in " http://localhost/help.gif:hidden " and you will see the data in the alternative data stream "hidden", eg the text "This is a hidden data stream". In the example I have used text as data, but one could easily use binary data too.
If you want to read alternative data streams from the console, in our example you would use "more < help.gif:hidden"

If the Virtual Folder in question allows for execution, then we can also hide a executable file in help.gif and remotely execute it later:

Type "type c:\WINDOWS\NOTEPAD.EXE > help.gif:notepad.exe"
Open a web browser from a remote computer type in " http://myremoteserver/help.gif:notepad.exe " , the browser hangs as the executable does not end
Go back to your web server and open task manager and select to see process from all users on the process tab, you will se a prosess called "help.gif:notepad.exe" running. In this manner one could hide a trojan or backdoor inside any file as long as it resides in a Virtual Folder that allows for execution.


Links
http://lists.gpick.com/pages/NTFS_Alternate_Data_Streams.htm

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ