Full Disclosure mailing list archives
Re: Windows covert channel
From: Rainer Gerhards <rgerhards () hq adiscon com>
Date: Tue, 21 Oct 2003 15:08:07 +0200
This is a well-known "issue" that was even part of the MCSE for NT 3.51 tutorial guides ;) Anyhow, it is still an issue, and the root cause for others (like the IIS $$DATA information disclosure vulnerability). If you google for it, you will also find tools to detect those alternate data streams. Their presence can be the indication for an attack ("can" as in "may") ;)

Those of you doing forensics please keep in mind that ADS can be stored in the MFT only if the amount of data is low enough so that it will fit in the unallocated part of the 4k MFT entry.

Just my 2cts...

Rainer

On Tue, 2003-10-21 at 14:16, Wally Eaton wrote:
> James,
>
> You may be thinking of "Streams" in Windows files. Data can be hidden in secondary files on NTFS partitions. I believe it was developed to be compatible with Apple/Mac systems. In any case the following is an example:
>
> Run CMD on an NTFS partition
>
> D:\> echo Hello > FrontFile
> D:\> type FrontFile
> Hello
> D:\> echo Good Day >> FrontFile
> D:\> type FrontFile
> Hello
> Good Day
> D:\> echo Secret Info > FrontFile:BackFile
> D:\> type FrontFile
> Hello
> Good Day
> D:\> more < FrontFile:BackFile
> Secret Info
>
> Now add data to the FrontFile only
>
> D:\> echo Good Evening >> FrontFile
> D:\> type FrontFile
> Hello
> Good Day
> Good evening
>
> Now add data to the BackFile only
>
> D:\> echo More Secret Data >>FrontFile:BackFile
> D:\> more < FrontFile:BackFile
> Secret Info
> More Secret Data
>
> You will notice if you enter a DIR command that only the FrontFile will be displayed. Furthermore, the size of the file will reflect only the content of the FrontFile.
>
> Have a great day.
>
> Wally
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
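A defender-side check for the streams discussed in this thread, added here as an example and not code from either poster: it walks an NTFS tree, lists every alternate data stream a plain DIR would hide, and compares the stream size with the size DIR reports. It assumes PowerShell 3.0 or later (for the FileSystem provider's -Stream parameter); the root path D:\ and the list of "expected" stream names are assumptions.

```powershell
# Added example, not code from the thread: enumerate alternate data streams (ADS)
# beneath a directory on an NTFS volume and report what a plain DIR would hide.
# Requires PowerShell 3.0 or later (for -Stream on the FileSystem provider).
param(
    [string]$Root = 'D:\'          # assumed root; the thread's example used D:\
)

# Stream names that common software creates legitimately; still reported, but marked as expected.
$expected = @('Zone.Identifier')   # browsers' mark-of-the-web on downloaded files (assumed list)

function Get-AdsReport {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # Get-Item -Stream * returns every $DATA stream; ':$DATA' is the unnamed default
        # stream, i.e. the content that 'type FrontFile' shows. Anything else is an ADS.
        $streams = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                   Where-Object { $_.Stream -ne ':$DATA' }
        foreach ($s in $streams) {
            [pscustomobject]@{
                File        = $file.FullName
                Stream      = $s.Stream
                StreamBytes = $s.Length
                DirBytes    = $file.Length        # what DIR / Explorer report: default stream only
                Expected    = $expected -contains $s.Stream
            }
        }
    }
}

# Triage helper: read one named stream without touching the default content. A short
# stream may live resident inside the file's MFT record rather than in its own clusters,
# so a forensic copy of the MFT itself is needed to recover it after the file is gone.
function Get-AdsContent {
    param([string]$File, [string]$Stream)
    Get-Content -LiteralPath $File -Stream $Stream -Raw
}

# Report, unexpected streams first.
Get-AdsReport -Path $Root | Sort-Object Expected, File | Format-Table -AutoSize
```

Run it against the D:\ used in Wally's example and FrontFile shows up with a BackFile stream whose StreamBytes exceed zero while DirBytes stays at the size of the visible content.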