WikiLeaks leaked out a CIA operations manual. Documents posted, with promises of more. Currently, I am working on them like many other security researchers/hackers/technologically curios. Due to the semi-partial leak status, missing any real exploits. I decided to fill in the operations manual with exploits and how-to articles.
One technique caught my eye, hiding data in NTFS data streams. The full instructions were missing. I have enjoyed using this technique for many years now. Some people already know about it. Microsoft even posted a blog on it back in 2013. We’ll take it one step further in a how to with some hashing J Microsoft has had a tool out called SysInternals Streams.exe available for free download which can be used for this technique.
If an attacker wants to hide data in plain sight, this is one method which can be considered based on the situation. NTFS ADS is also referred to as Forking. Yes, it has been used maliciously in the past. I decided to update the original posting with full instructions. Then take it up a notch to show you how to break file integrity by using SHA256++ with NTFS ADS.
Update to the leak original CIA manual for Everyone 🙂
NTFS Alternate Data Streams (ADS)
Exfiltration, manipulation of software and file integrity, obfuscation
Alternate Data Streams on the Root of the Drive
Depending on the target and system configuration. An NTFS alternate data stream (ADS) should be considered a viable method to hide data and foil protection or alerting. Particularly cases where protection present relies heavily or is dependent on file hashing as a method to verify file integrity. Whether it’s for exfiltration, manipulation of integrity, obfuscation or general tradecraft. Great for bypassing many security controls and pivoting deeper into a target network.
There are several methods. One of the easiest is from the command prompt. Work in the root of a hard drive directory. This can also be accomplished remotely if you already have remote access to the victim.
Gain access to the victim local or remote
Using a victim D drive as an example, due to limited privileges. The attacker has a file of IP addresses, which are additional Command and Control domains related to both StoneDrill and NewsBeEF, in addition to Kaspersky’s list. As part of a targeted attack, the attacker needs to get this list onto a victim machine silently. The attack can also be done with PowerShell or a batch file. Renaming Batch files once they are on the system to bypass security controls is normally easy with limited access. If it’s an executable, you can also use this technique with PSExec.exe. Many anti-malware and other protection will catch PSExec, but not always.
Sample contents of the evil file
Perform the NTFS ADS and hide the Evil file
Open a command prompt local or remote on the victim machine. The attacker, for ease of use. Has placed the text file of Command and Control servers in the root of D, naming it evilcncips.txt
Create the file you want to hide the evil file in. In this example, we will call this file: testfile.txt. Type at the root the following commands. The command first creates the innocent file. The second command hides the evil file behind the innocent looking file.
ECHO “This is a test file” >testfile.txt
ECHO “This is the evil text in the ADS file” >testfile.txt:evilcancips.txt
Verify the NTFS ADS Stream worked
Check what the directory shows in the command prompt. It should look the same as before the NTFS ADS
What the directory looks like in the GUI
Although it is possible to display ADS NTFS streams/Forks easily in a command prompt. This is beyond the normal user level and most technical as well. The technique is still somewhat obscure as a method for attack or espionage. The GUI portion of Windows will not readily show the NTFS ADS file.
At the command prompt, ensure the NTFS ADS stream worked. It will show a double line with the original file, then show the hidden file.
When practicing, also verify using Streams.exe. In this example, Streams.exe was installed.
Open a command prompt and charge the working directory to where Streams is located. Then execute Streams against the innocent looking file: testfile.txt
Hashing to F*ck with File Integrity
To ensure you hid the evil file on the victim machine. Hash the innocent file prior to NTFS ADS, recording the hash. The default hashing level in PowerShell is Sha256. Because modern Windows based victim machines have PowerShell. No additional tools are required to hash. The attacker does not need to be an administrator to use the PowerShell to hash a file. PowerShell is not being run as an administrator in this example. Most users and enterprise administrators are still unfamiliar with PowerShell and leave functionality default configured in a manner an attacker could exploit.
At a PowerShell prompt, use the cmdlet Get-FileHash, then the -Path where the original file is located.
Get-FileHash -Path d:\testfile.txt
After the NTFS ADS, hash the original file again where the evil file is hidden.
The hash will show the same hash. 9BB114C0FE4F787EF64A43F310EA81F273FC87001503A141A125D9689AE8DFEF
If the victim uses the NTFS file system, which most modern Windows uses. Anyone can hide whatever evil file they wish into an innocent one in a root directory like the examples shown. The victim nor attacker can display the hidden file in the GUI. Defence is based on if the target protection mechanisms can recognize the evil file or behaviour. Rarely is dir /r used. The file can be hidden and hashed with MD5, SHA1, SHA256, etc… The evil file will look hidden. This technique can be easily recreated and practiced before using on a target.
The result, relying on hashes for file integrity does not mitigate this risk or attack technique completely. The Hash process in a way hides the data further by giving a false impression of limiting risk. Many security products rely on hashing for file integrity. It’s accepted best practice. Now everyone knows it can be manipulated under certain conditions. I wrote about it in 2012, but never shared with the public. I feared an evil government could misuse it. Even if a great, free hug for everyone government is in power, sitting on exploits. Can you trust the next person or party in power won’t be or turn evil?
I guess I don’t need that password or to encrypt the paper anymore. Thanks CIA & WikiLeaks 🙂
Because searching another user’s documents is a great idea!
Last week a friend sent me the Docs.com link, said it was a gold mine. Yes it is 😊 The Docs.com breach was announced on Radio 1 Netherlands on 27 March 2017 as limited to some CV’s or resumes. No, no, no my friend. It is wide open. Microsoft sounded as if they had already fixed part of the problem. It’s days later and I can say nope.
Using the search function for “SSN” which is an acronym of the USA tax payer identification Social Security Number.
Get filled out loan, school, medical, tax, and other related documents. Below is a sanitized example of a person’s filled out loan deferment request form.
I currently live in the Netherlands, land of the free, home of the Orange. To discover documents in Dutch. We changed the search terms and the language. A search for “kanker” which is cancer in Dutch yielded financial tax documents.
Using the search term “schulden” which is debts in Dutch, on 3 April 2017 documents with personally identifiable information is still viewable.
Business yearly financial workbooks viewable and can edit fields on 3 April 2017. A quick snap of my virtual machine system clock
There are debt collector’s documents listing court fees. Hospital documents. When I was informed of the leak last week. I went looking for a Microsoft Bug Bounty for privacy based vulnerabilities or breaches. There aren’t any. There are bounties for most of their products on the application level. Explains a lot about Windows 10. In the Netherlands, the Dutch Data Protection Agency fines companies for these types of violations.
A search for “NHS Cards” yields NHS numbers, scanned cards, NHS email accounts:
Since internet search engines index when they can. You don’t even need to search in Docs.com to find content in Docs.com. Use Google, Bing, DuckDuckGo, etc.
Please Microsoft, flash a big warning to users of the system “Before you save documents to Docs.com. Please remove any personally identifiable information and do not post the PII of others. Anything you post here can be seen by the world!” Also, seriously consider a privacy based bug bounty program. The EU GDPR comes into full effect soon and the fines are promising pain.
Organising, testing and keeping your tools updated. This is especially important if you collect any digital evidence which might be used in a civil or criminal process.
Currently I am taking the SANS Self Study course SANS 504 Hackers, Exploits and Techniques. The topic of tools came up on Day 1 with a focus on the following:
- Organise your tools before an incident occurs
- Test your tools
- Keep your tools updated
- Ensure tool integrity with Hash Codes
It got me thinking about organising my own toolset much more formally. I didn’t readily find templates on-line so I created my own and began working on my toolset. It might sound a little boring or digital based OCD but I think it will be highly useful nonetheless. Besides, I am tired of switching from one system to the next forgetting to copy something and loosing access to some tool or trying to open a tool when I really need it only to find it doesn’t work.
I went through my tools and organised my them into one location which is backed-up and performed the following steps:
- Checked the versions in my toolset against the most current version and updated as applicable
- Recorded via hyperlink the website locations and/or download location
- Verified the hash codes from the vendor if applicable or made my own if trusted
- Verified the tool worked
- Recorded the date added into the toolset (after verifying the tool worked)
- Recorded the tool release date
Example Security Software Tools List
I have uploaded a two-page tools list which lists some of the tools I personally use:
I also uploaded a completely blank Security Software Tools List template which you can download and customise for you or your organisation:
Please feel free to post any comments, questions or ideas!