Message-ID: <1066741687.2378.89.camel@rh9lt.intern.adiscon.com>
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Subject: Windows covert channel

This is a well-known "issue" that was even part of the MCSE for NT 3.51
tutorial guides ;) Anyhow, it is still an issue, and the root cause for
others (like the IIS $$DATA information disclosure vulnerability). If
you google for it, you will also find tools to detect those alternate
data streams. Their presence can be the indication for an attack ("can"
as in "may") ;)

Those of you doing forensics please keep in mind that ADS can be stored
in the MFT, only, if the amount of data is low enough so that it will
fit in the unallocated part of the 4k MFT entry.

Just my 2cts...
Rainer

On Tue, 2003-10-21 at 14:16, Wally Eaton wrote:
> James,
> You may be thinking of "Streams" in Windows files. Data can be hidden in secondary files on NTFS partitions. I believe it was developed to be compatible with Apple/MAC systems. In any case the following is an example:
> 
> Run CMD
> On an NTFS partition
> 
> D:\> echo Hello > FrontFile
> D:\> type FrontFile
> Hello
> 
> D:\> echo Good Day >> FrontFile
> D:\> type FrontFile
> Hello
> Good Day
> 
> D:\> echo Secret Info > FrontFile:BackFile
> D:\> type FrontFile
> Hello
> Good Day
> 
> D:\> more < FrontFile:BackFile
> Secret Info
> 
> Now add data to the FrontFile only
> 
> D:\> echo Good Evening >> FrontFile
> D:\> type FrontFile
> Hello
> Good Day
> Good Evening
> 
> Now add data to the BackFile only
> 
> D:\> echo More Secret Data >>FrontFile:BackFile
> D:\> more < FrontFile:BackFile
> Secret Info
> More Secret Data
> 
> You will notice if you enter a DIR command that only the FrontFile will be displayed. Furthermore, the size of the file will reflect only the content of the FrontFile.
> Have a great day.
> Wally 
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
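
For the forensic side of the thread, an added example (not part of either message, and not taken from any tool the posters mention) that lists the $DATA attributes in one raw MFT FILE record and reports which named streams are resident in the entry. The function names and the sample record are constructed for illustration; the parser assumes update-sequence fixups are already applied and does not follow $ATTRIBUTE_LIST.

```python
import struct

DATA, END = 0x80, 0xFFFFFFFF  # $DATA attribute type, end-of-attributes marker

def data_streams(record: bytes):
    """Return (stream_name, resident, content) for each $DATA attribute in one
    MFT FILE record. content is None when the data lives outside the entry."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off = struct.unpack_from("<H", record, 0x14)[0]  # offset of first attribute
    found = []
    while off + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == END or alen < 16 or off + alen > len(record):
            break  # end marker or corrupt length: stop walking
        nonres, nlen, noff = struct.unpack_from("<BBH", record, off + 8)
        if atype == DATA:
            name = record[off + noff: off + noff + 2 * nlen].decode("utf-16-le")
            content = None
            if not nonres:  # resident: the bytes sit inside the MFT entry
                clen, coff = struct.unpack_from("<IH", record, off + 16)
                content = record[off + coff: off + coff + clen]
            found.append((name, not nonres, content))
        off += alen
    return found

def alternate_streams(record: bytes):
    """Named $DATA attributes are ADS; the unnamed one is the main file data."""
    return [s for s in data_streams(record) if s[0]]

def _resident_attr(atype, name, content):
    """Build one resident attribute (used only for the constructed sample)."""
    n = name.encode("utf-16-le")
    alen = (24 + len(n) + len(content) + 7) & ~7  # attributes are 8-byte aligned
    hdr = struct.pack("<IIBBHHHIHBB", atype, alen, 0, len(name), 24, 0, 0,
                      len(content), 24 + len(n), 0, 0)
    return (hdr + n + content).ljust(alen, b"\0")

def sample_record():
    """Constructed record mirroring the thread: FrontFile plus stream BackFile."""
    attrs = (_resident_attr(DATA, "", b"Hello \r\n")
             + _resident_attr(DATA, "BackFile", b"Secret Info \r\n"))
    head = (b"FILE".ljust(0x14, b"\0") + struct.pack("<H", 0x38)).ljust(0x38, b"\0")
    return head + attrs + struct.pack("<II", END, 0)

if __name__ == "__main__":
    for name, resident, content in alternate_streams(sample_record()):
        print(f"ADS {name!r} resident={resident} content={content!r}")
```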

