Alternate Data Streams (ADS)
Practical but basic application of ADS in CTF and Pentesting environments

So what are Alternate Data Streams (ADS)?
An Alternate Data Stream is a feature of the New Technology File System (NTFS) that was added to improve compatibility with the Macintosh Hierarchical File System (HFS), which stores a file as a data fork plus a resource fork. In layman's terms, it was meant to make it easier to use the same files on both a Mac (Apple) and a PC (Windows). The side effect is that a single NTFS file can carry several independent chunks of data under one file name.
How does it work and why should I care about it?
When you save something to a file, a .txt file for example, the contents (ASCII text) are stored in a data stream that Windows treats as the default, unnamed stream. The next time you open the file you are reading that same stream, and every tool that does not know about streams (Explorer, Notepad, a plain dir) only ever shows you this one.
As an example
If I create a .txt file using Notepad on my Windows system and save it as secret.txt, then every time I open it I see exactly the data I typed.

But what if there is more data in the file that you aren't aware of?
That is where alternate data streams come into play.
I will be using cmd.exe (Command Prompt) for the examples to keep the CLI (Command Line Interface) easy to follow, but the same results can be achieved with PowerShell too.
When I use Command Prompt to list the contents of my directory I can see secret.txt, and its size is reported as 33 bytes.
dir

This looks like a normal file, but what happens if I add the /r switch to the command?
dir /r

Now we can see a second entry in the same directory. It starts with the name of our original secret.txt, followed by :evil.txt, followed by :$DATA. The middle part is the stream name and $DATA is the stream type, i.e. this is a $DATA-type stream attached to secret.txt.
The /r switch is what makes dir list streams as well as files. Only secret.txt is visible on the Desktop, but dir /r also shows secret.txt:evil.txt and the sizes differ: secret.txt is still 33 bytes while secret.txt:evil.txt is 74 bytes, more than twice the size of the visible file.
Comparing the output of both commands:
# First Command
dir
# Second Command
dir /r

Putting the two outputs side by side makes the differences clearer:
- Both outputs report the same number of files and the same total size. That is because secret.txt and secret.txt:evil.txt are not two files; they are one file whose data is kept in two separate streams, and the summary line only counts the default stream.
- The total space used in the directory and the free space on the volume are reported the same way in both cases, so the hidden stream does not show up in either figure.
Let's view the contents of both together:

Viewing both shows different content under two different names, which tells us we can store information in an alternate data stream for all sorts of purposes. Data streams in NTFS follow a simple naming convention, FileName:StreamName:StreamType, so the full name of secret.txt as NTFS sees it is secret.txt::$DATA (an empty stream name, type $DATA), and the alternate stream is secret.txt:evil.txt:$DATA.
An alternative way to view both without opening them in Notepad:
# View secret.txt
type secret.txt
# View the Alternate Data Stream (type does not accept a stream path, so redirect it into more)
more < secret.txt:evil.txt

Now that we know what Alternate Data Streams are, how would you create one?
- Let's create a normal secret.txt file first
# Creating a basic .txt file
echo <YOUR TEXT> > secret.txt

- We now have a secret.txt with nothing but its default stream. Writing to FileName:StreamName creates the stream; no new file appears in the directory.
# Creating an Alternate Data Stream
echo <YOUR DATA> > secret.txt:streamname.txt

Another upside is that a single file name can carry more than one alternate data stream, each with its own name and contents.
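The same create, list and read steps in PowerShell, as an added example that is not part of the original post. It assumes an NTFS volume and PowerShell 7; the demo file location under $env:TEMP and the stream names are my own choices.

```powershell
# Added example, not from the original post. Assumes NTFS and PowerShell 7.
# The file path and stream names below are arbitrary choices for the demo.
$Path = Join-Path $env:TEMP 'secret.txt'

# 1. A normal file: its text lives in the unnamed (default) stream,
#    whose full NTFS name is secret.txt::$DATA
Set-Content -LiteralPath $Path -Value 'Nothing to see here.'

# 2. Attach two alternate data streams to the *same* file.
#    No new directory entry is created; Explorer and a plain dir still show one file.
Set-Content -LiteralPath $Path -Stream 'evil.txt' -Value 'Hidden in secret.txt:evil.txt'
Set-Content -LiteralPath $Path -Stream 'notes'    -Value 'A stream name does not need an extension'

# 3. Enumerate every stream on the file (the PowerShell equivalent of dir /r).
#    ':$DATA' is the default stream; anything else is an ADS.
Get-Item -LiteralPath $Path -Stream * |
    Select-Object FileName, Stream, Length

# 4. The size a user sees is only the default stream, exactly as in dir's summary line
"Visible size: $((Get-Item -LiteralPath $Path).Length) bytes"

# 5. Read the streams back (equivalent of `type secret.txt` and `more < secret.txt:evil.txt`)
Get-Content -LiteralPath $Path
Get-Content -LiteralPath $Path -Stream 'evil.txt'

# 6. Streams can be removed individually without touching the file's own content
Remove-Item -LiteralPath $Path -Stream 'notes'
Get-Item -LiteralPath $Path -Stream * | Select-Object Stream, Length
```

Step 3 is the check worth remembering: Get-Item with -Stream * is the only one of these commands that reveals the hidden content, and it has to be asked for explicitly, just like the /r switch on dir.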

You don't need to limit yourself to streams of type $DATA; NTFS has other stream types that might suit your purposes better.
For more information I'd recommend visiting the link in the Resources section.
Now we know how to view and create Alternate Data Streams, but so far this all seems harmless and you may still wonder why you should care.
Even though ADS was not created with any nefarious intent, it can easily be used to hide and run a malicious file such as a backdoor or a rootkit on a target system, attached to something as innocent as the calculator.
POC:
Let's add an alternate data stream to a copy of our calculator app, but this time the stream will hold an executable rather than a text file.

While the evil.exe can be anything you want, in this test case it is a reverse shell which will connect back to my Kali Linux machine. If you aren’t familiar with reverse shells you can refer to my article Reverse & Bind for everyone to learn more about it.
- In the first command we redirect the contents of evil.exe into an alternate data stream of calc.exe named calc.exe:evil.exe.
- With dir /r we can confirm that the alternate data stream holding our malicious file was created, while calc.exe itself looks unchanged.
Now we could try to run it from the CLI like any other executable, but if we do we get this:

The reason is that newer versions of Windows no longer let you launch an executable directly from a stream path this way, so the command fails because Windows refuses to start it. There is still a way around it.
Before running anything, make sure a listener is set up on the Kali machine.
forfiles /P C:\Windows\System32 /m calc.exe /c "C:\Users\admin\Desktop\calc.exe:evil.exe"

forfiles runs the command given with /c for every file matching /m in /P, and since it launches the program directly it has no problem with the stream path. This works and executes our evil.exe data stream.

We can see that we have caught a reverse shell from this windows box on our Kali machine.
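The defender's side of this proof of concept, as an added example that is not part of the original post: a PowerShell script that walks a directory tree, lists every alternate data stream, hashes it, and flags streams that start with the MZ header of a Windows executable. To make it runnable without any malicious file it first plants a benign copy of calc.exe in a stream of a scratch file under $env:TEMP (my own constructed sample, standing in for the calc.exe:evil.exe of the POC). It assumes PowerShell 7 for -AsByteStream; on Windows PowerShell 5.1 use -Encoding Byte instead.

```powershell
# Added example, not from the original post. Assumes NTFS and PowerShell 7.
# --- Constructed sample: hide a benign executable in a stream, as the POC does ---
$Sample = Join-Path $env:TEMP 'readme.txt'                       # arbitrary scratch file
Set-Content -LiteralPath $Sample -Value 'Just a text file.'
$exeBytes = Get-Content -LiteralPath "$env:SystemRoot\System32\calc.exe" -AsByteStream -ReadCount 0
Set-Content -LiteralPath $Sample -Stream 'evil.exe' -AsByteStream -Value $exeBytes
Set-Content -LiteralPath $Sample -Stream 'note.txt' -Value 'harmless text stream'

# --- The hunt ---
function Find-AlternateDataStream {
    param(
        [Parameter(Mandatory)] [string] $Root,
        # Zone.Identifier is the benign "mark of the web" stream on downloaded files.
        # It is everywhere on a real system, so it is ignored by default.
        [string[]] $IgnoreStream = @('Zone.Identifier')
    )
    $files = Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue
    foreach ($file in $files) {
        # ':$DATA' is the file's own default stream; every other entry is an ADS
        $streams = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -notin $IgnoreStream }
        foreach ($s in $streams) {
            $looksLikePE = $false
            $hash = ''
            if ($s.Length -gt 0) {
                $bytes = [byte[]](Get-Content -LiteralPath $file.FullName -Stream $s.Stream `
                                      -AsByteStream -ReadCount 0 -ErrorAction SilentlyContinue)
                # Every PE executable begins with the DOS header magic 'MZ' (0x4D 0x5A)
                $looksLikePE = ($bytes.Length -ge 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)
                $sha = [System.Security.Cryptography.SHA256]::Create()
                $hash = ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
            }
            [pscustomobject]@{
                File        = $file.FullName
                Stream      = $s.Stream
                Length      = $s.Length
                LooksLikePE = $looksLikePE
                SHA256      = $hash
            }
        }
    }
}

# Usage: scan the scratch folder, executables first. The evil.exe stream is reported
# with LooksLikePE = True and the SHA256 of calc.exe; note.txt is reported as a plain stream.
Find-AlternateDataStream -Root $env:TEMP |
    Sort-Object LooksLikePE -Descending |
    Format-Table File, Stream, Length, LooksLikePE, SHA256 -AutoSize
```

The SHA256 of the stream is the value you would submit to a reputation service or compare against the hash of the original binary, and the MZ check is deliberately cheap so the scan can cover large trees; a real hunt would also compare the hash against known-good streams, since legitimate software does use ADS.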
Summary
Although Alternate Data Streams are well covered in other resources, they remain insidious because some analysts are still unaware of them. Most major antivirus products can scan streams, and many tools exist to view and manipulate them, yet there are still ways to use them maliciously and stay undetected by combining them with AV evasion. The attack surface is not limited to .txt or .exe files; what you can do with it is limited only by your imagination and ingenuity.
Because alternate data streams do not appear in Windows Explorer or in the default output of dir, most users do not know they exist. Known malware samples still use ADS to hide their code, and although the commands needed to interact with streams have changed over the years, a simple example is shown in the POC. I would recommend replicating the method with PowerShell too, as it gives you far more flexibility, and ADS can turn up in CTFs and on machines hosted on platforms such as Hack The Box.