Creating a secret web site on IIS 5.x using Alternative Data Streams

[inge_eivind.henriksen () chello no]

** Inge Henriksen Security Advisory http://ingehenriksen.blogspot.com/ **

Creating a secret web site on IIS 5.x using Alternative Data Streams 
--------------------------------------------------------------------

Using a little known feature of the Windows NT file system (NTFS) one can create a secret website, this website can not 
be detected without third party tools made specifically for it.

Confirmed Applications
Microsoft® Internet Information Server® V5.x and probably earlier versions. 

Confirmed Platforms
Should work with all NT based Windows as long as the fil system is NTFS and not FAT. Does not work on Vista Beta 1 with 
IIS 6.

Technical Description
A NTFS file can contain a number of alternative data streams that bypasses the regular directory listing, the data in 
the alternative data does not even count when the number of free bytes left on the disk is calculated.

Proof of Concept
Start a console on the NT system in question and change directory to the web root(usually c:\inetpub\wwwroot\)
In the example we will use the help.gif file that is already in the directory, you can use any file though.  Type "dir" 
and take notice of the number of free bytes left on the disk
Type "echo This is a hidden data stream > help.gif:hidden" , we have now created a hidden data stream called "hidden", 
the name of the stream can be anything if you just avoid some special characters
Type "dir" againm notice that even though we added data to the file in an alternative data stream the free bytes left 
on the disk is left unchanged
Open you web browser and type in" http://localhost/help.gif " and you should see the little icon just as it was before 
we added the alternative data stream
Now, type in " http://localhost/help.gif:hidden " and you will see the data in the alternative data stream "hidden", eg 
the text "This is a hidden data stream". In the example I have used text as data, but one could easily use binary data 
too.
If you want to read alternative data streams from the console, in our example you would use "more < help.gif:hidden"

If the Virtual Folder in question allows for execution, then we can also hide a executable file in help.gif and 
remotely execute it later:

Type "type c:\WINDOWS\NOTEPAD.EXE > help.gif:notepad.exe"
Open a web browser from a remote computer type in " http://myremoteserver/help.gif:notepad.exe " , the browser hangs as 
the executable does not end
Go back to your web server and open task manager and select to see process from all users on the process tab, you will 
se a prosess called "help.gif:notepad.exe" running. In this manner one could hide a trojan or backdoor inside any file 
as long as it resides in a Virtual Folder that allows for execution.


Links
http://lists.gpick.com/pages/NTFS_Alternate_Data_Streams.htm