Girl Geekette dotNet

Needless to say, I was inspired by an article on Windows Security that did a test using Windows 2000 to try my own test with Windows XP using NTFS. Now, I have decided to test it using Windows 2003. Below are my findings and screen by screen snapshots (Thumbnails are shown, click them to see a larger picture that opens in a new window):

ADS test using Windows 2003

1. I begin by making a test directory and copying the c:\windows\system32\calc.exe to it. Notice the original date and timestamp (last modified time and date stamp) of the file is 4/3/2003 8:00AM and the size is 113KB.

Here is a listing in DOS that shows the directory with the copied calc.exe file.

2. I append an ADS (Alternate Data Stream) to the Windows Calculator program I copied to the test directory with another Windows program (Notepad - c:\windows\notepad.exe).

Notice the size of the calc program did not change, bit the timestamp (last modified time and date stamp) DID change.

3. Next, I executed the new ADS notepad.exe using the standard command start.

On the desktop, the NOTEPAD program popped up, even though I had executed the CALC program in the command line.

4. By using CTRL + ALT + DELETE to get the Task Manager, I noticed that my test varied a bit. In the task manager, I could clearly see that calc.exe was running (which I had executed at the command prompt) but, unlike the simple demonstration using Windows 2000, Windows 2003 displayed the calc.exe name and ADS command, much like Windows XP.

This is where I must stop and note that depending on the version of windows used, things can be displayed slightly different.

While searching around, I happen to run across something that caught my eye. It deals with Microsoft’s NTFS and security. ADS 0r Alternate Data Streams - was originally created to provide compatibility with HFS (Macintosh Hierarchical File System).

Although widely unknown by most that ADS even exists, it is has been used by sometime by people to exploit Windows Boxes that use NTFS. Not all anti-virus programs will pick up alternate data streams. It is easy to exploit the ADS and let it go undetected for some time. Although with technology getting better, some anti-virus scanners are now picking up the ADS when changes have been made to the default configuration.

Security Focus has a demonstration of how this is used by rooting or exploiting a lab box using the MS04–011 vulnerability. The Metaspoilt Framework can allow someone to break into a computer via the lsass overflow.

The demonstration can be found at securityfocus.com/infocus/1822

An easier way to demonstrate the idea of ADS is to use a simple command such as

“type c:\anyfile.exe > c:\winnt\system32\calc.exe:anyfile.exe”

This will "fork" or run the calculator program in Windows with any executable that is chosen. So, by running a command like this, almost anything can be hidden behind a valid (Windows) program. When seen in task manager, this program looks like or almost like a normal program (depending on the operating system, and that is explained later) and most people will pay no notice.

Many people have noticed when using the MSCONFIG with windows that there are some programs in the startup file that might look like that in the path. It is possible to write it so that in the registry, a program that is used by ADS will start up with every boot up of the Windows box. (Think spyware, viruses, trojans and the like)