Category Archives: Security Tools

How to Hide Data in NTFS Streams and Break Software Integrity – From the WikiLeaks CIA Vault Leaks

WikiLeaks leaked a CIA operations manual. Documents were posted, with promises of more. Currently I am working through them like many other security researchers, hackers and the technologically curious. Due to the partial state of the leak, any real exploits are missing. I decided to fill in the operations manual with exploits and how-to articles.

One technique caught my eye: hiding data in NTFS data streams. The full instructions were missing. I have enjoyed using this technique for many years now, and some people already know about it; Microsoft even posted a blog on it back in 2013. We’ll take it one step further in a how-to with some hashing 🙂 Microsoft has had a free tool available, Sysinternals Streams.exe, which can be used for this technique.

If an attacker wants to hide data in plain sight, this is one method which can be considered depending on the situation. NTFS ADS is also referred to as forking. Yes, it has been used maliciously in the past. I decided to update the original posting with full instructions, then take it up a notch to show you how to break file integrity checks by using SHA256++ with NTFS ADS.

Update to the leaked original CIA manual, for everyone 🙂

NTFS Alternate Data Streams (ADS)

Exfiltration, manipulation of software and file integrity, obfuscation

Alternate Data Streams on the Root of the Drive

Depending on the target and system configuration, an NTFS alternate data stream (ADS) should be considered a viable method to hide data and foil protection or alerting, particularly where the protection in place relies heavily on file hashing to verify file integrity. It applies whether the goal is exfiltration, manipulation of integrity, obfuscation or general tradecraft, and it is great for bypassing many security controls and pivoting deeper into a target network.

There are several methods. One of the easiest is from the command prompt, working in the root directory of a hard drive. This can also be accomplished remotely if you already have remote access to the victim.

Gain access to the victim, local or remote

Using the victim’s D: drive as an example, due to limited privileges. The attacker has a file of IP addresses, which are additional Command and Control domains related to both StoneDrill and NewsBeEF, in addition to Kaspersky’s list. As part of a targeted attack, the attacker needs to get this list onto a victim machine silently. The attack can also be done with PowerShell or a batch file. Renaming batch files once they are on the system to bypass security controls is normally easy with limited access. If it’s an executable, you can also use this technique with PsExec.exe. Many anti-malware and other protection products will catch PsExec, but not always.

ntfs 1

Sample contents of the evil file

Perform the NTFS ADS and hide the Evil file

Open a command prompt, local or remote, on the victim machine. The attacker, for ease of use, has placed the text file of Command and Control servers in the root of D:, naming it evilcncips.txt.

Create the file you want to hide the evil file in. In this example we will call it testfile.txt. At the root, type the following commands. The first command creates the innocent file. The second writes the evil text into an alternate data stream named evilcncips.txt that is attached to the innocent-looking file.

ECHO "This is a test file" >testfile.txt

ECHO "This is the evil text in the ADS file" >testfile.txt:evilcncips.txt

ntfs 2

Verify the NTFS ADS Stream worked

Check what the directory shows in the command prompt. It should look the same as before the NTFS ADS was created.

ntfs 3

What the directory looks like in the GUI

ntfs 4

Although it is possible to display NTFS ADS streams (forks) easily in a command prompt, doing so is beyond the normal user level, and beyond most technical users as well. The technique is still somewhat obscure as a method for attack or espionage. The GUI portion of Windows will not readily show the NTFS ADS file.

At the command prompt, ensure the NTFS ADS stream worked. The listing will show a double line: the original file, then the hidden file.

dir /r

ntfs 5

When practising, also verify using Streams.exe. In this example, Streams.exe was installed.

Open a command prompt and change the working directory to where Streams is located. Then execute Streams against the innocent-looking file, testfile.txt:

streams d:\testfile.txt

ntfs 6

Hashing to F*ck with File Integrity

To make sure you hid the evil file on the victim machine, hash the innocent file prior to the NTFS ADS and record the hash. The default hashing algorithm in PowerShell’s Get-FileHash is SHA256. Because modern Windows-based victim machines have PowerShell, no additional tools are required to hash. The attacker does not need to be an administrator to use PowerShell to hash a file; PowerShell is not being run as an administrator in this example. Most users and enterprise administrators are still unfamiliar with PowerShell and leave its functionality in the default configuration, which an attacker could exploit.

At a PowerShell prompt, use the cmdlet Get-FileHash with -Path pointing to where the original file is located.

Get-FileHash -Path d:\testfile.txt

ntfs 7.png

After the NTFS ADS, hash the original file, where the evil file is now hidden, again.

ntfs 8

The hash will be the same: 9BB114C0FE4F787EF64A43F310EA81F273FC87001503A141A125D9689AE8DFEF

If the victim uses the NTFS file system, which most modern Windows installations do, anyone can hide whatever evil file they wish inside an innocent one in a root directory, as in the examples shown. Neither the victim nor the attacker can display the hidden file in the GUI. Defence depends on whether the target’s protection mechanisms can recognise the evil file or its behaviour. Rarely is dir /r used. The file can be hidden and hashed with MD5, SHA1, SHA256, etc. The evil file will stay hidden. This technique can easily be recreated and practised before using it on a target.
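The defensive counterpart, as an added example that is not from the original post: hash every stream of the file rather than just the file path, so the ADS is both listed and covered by the recorded hash, and sweep a directory tree for files that carry named streams. It assumes Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume; the function names are hypothetical and d:\testfile.txt is the file from the walkthrough above.

```powershell
# Added example (not from the original post): hash every NTFS stream of a file,
# not only the file path, and sweep a directory tree for files carrying named
# streams. Assumes Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume.
# Function names are hypothetical; d:\testfile.txt is the file from the post.

function Get-StreamHash {
    param([Parameter(Mandatory)] [string] $Path, [string] $Algorithm = 'SHA256')
    $hasher = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    # Get-Item -Stream * lists the unnamed ':$DATA' stream plus every named ADS,
    # the PowerShell equivalent of dir /r.
    foreach ($s in Get-Item -LiteralPath $Path -Stream *) {
        if ($s.Stream -eq ':$DATA') {
            # The unnamed stream is all Get-FileHash -Path looks at, which is why
            # the hash in the post is unchanged after the ADS is added.
            $hex = (Get-FileHash -LiteralPath $Path -Algorithm $Algorithm).Hash
        } else {
            # Read the named stream's raw bytes; the byte-mode switch differs
            # between Windows PowerShell 5.1 and PowerShell 7.
            if ($PSVersionTable.PSVersion.Major -ge 6) {
                $bytes = [byte[]](Get-Content -LiteralPath $Path -Stream $s.Stream -AsByteStream -Raw)
            } else {
                $bytes = [byte[]](Get-Content -LiteralPath $Path -Stream $s.Stream -Encoding Byte -Raw)
            }
            if ($null -eq $bytes) { $bytes = [byte[]]@() }   # zero-length stream
            $hex = [System.BitConverter]::ToString($hasher.ComputeHash($bytes)) -replace '-', ''
        }
        [pscustomobject]@{
            FileName = $s.FileName; Stream = $s.Stream; Length = $s.Length
            Algorithm = $Algorithm; Hash = $hex
        }
    }
}

function Find-NamedStream {
    # Every file under $Root with a stream other than ':$DATA'. Zone.Identifier
    # (mark-of-the-web on downloads) is the usual benign hit, so it is dropped
    # unless -IncludeZoneIdentifier is given.
    param([Parameter(Mandatory)] [string] $Root, [switch] $IncludeZoneIdentifier)
    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        Get-Item -Stream * -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Stream -ne ':$DATA' -and
            ($IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier')
        }
}

# Usage against the file and drive used in the post:
Get-StreamHash -Path 'd:\testfile.txt' | Format-Table -AutoSize
Find-NamedStream -Root 'd:\' | Select-Object FileName, Stream, Length
```

An integrity baseline that records the per-stream hashes from Get-StreamHash, rather than one Get-FileHash value per path, changes as soon as a stream is added, removed or rewritten.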

Conclusion

The result: relying on hashes for file integrity does not completely mitigate this risk or attack technique. The hashing process in a way hides the data further by giving a false impression of limited risk. Many security products rely on hashing for file integrity; it’s accepted best practice. Now everyone knows it can be manipulated under certain conditions. I wrote about it in 2012 but never shared it with the public, as I feared an evil government could misuse it. Even if a great, free-hugs-for-everyone government is in power, sitting on exploits, can you trust that the next person or party in power won’t be, or turn, evil?

ntfs 9

I guess I don’t need that password or to encrypt the paper anymore. Thanks CIA & WikiLeaks 🙂

Microsoft’s Docs.com: Search your privacy away

Because searching another user’s documents is a great idea!

Last week a friend sent me the Docs.com link and said it was a gold mine. Yes it is 😊 The Docs.com breach was announced on Radio 1 Netherlands on 27 March 2017 as limited to some CVs or resumes. No, no, no my friend. It is wide open. Microsoft sounded as if they had already fixed part of the problem. It’s days later and I can say nope.

Use the search function for “SSN”, the acronym for the USA taxpayer identification number, the Social Security Number.

Search using a browser that allows JavaScript:

Docs com search bar

You get filled-out loan, school, medical, tax and other related documents. Below is a sanitised example of a person’s filled-out loan deferment request form.

docs com school deferment form

I currently live in the Netherlands, land of the free, home of the Orange. To discover documents in Dutch, we changed the search terms and the language. A search for “kanker”, which is cancer in Dutch, yielded financial tax documents.

docs com kanker search

Using the search term “schulden”, which is debts in Dutch, on 3 April 2017 documents with personally identifiable information were still viewable.

docs com schulder debts form

Business yearly financial workbooks were viewable, with editable fields, on 3 April 2017. A quick snap of my virtual machine’s system clock:

docs com editable excel financial dutch business

There are debt collectors’ documents listing court fees, and hospital documents. When I was informed of the leak last week, I went looking for a Microsoft bug bounty for privacy-based vulnerabilities or breaches. There aren’t any. There are bounties for most of their products at the application level. Explains a lot about Windows 10. In the Netherlands, the Dutch Data Protection Agency fines companies for these types of violations.

A search for “NHS Cards” yields NHS numbers, scanned cards, NHS email accounts:

docs com NHS card scanned straight

Since internet search engines index whatever they can, you don’t even need to search in Docs.com to find Docs.com content. Use Google, Bing, DuckDuckGo, etc.

docs com searchable by indexing search engines

Please Microsoft, flash a big warning to users of the system: “Before you save documents to Docs.com, please remove any personally identifiable information and do not post the PII of others. Anything you post here can be seen by the world!” Also, seriously consider a privacy-based bug bounty program. The EU GDPR comes into full effect soon and the fines are promising pain.


Hospital patient insecurity due to lacking patches or decent passwords

This time only 493,000 patients lost their privacy, with systems left wide open for years.

A hospital in Gouda, the Netherlands, called Groene Hart Ziekenhuis (Green Heart Hospital) had, according to Bonnie of the Nederlands Genootschap van Hackende Huisvrouwen (Netherlands Society of Hacking Housewives) as reported to the journalist Brenno de Winter (@brenno), left weakly configured servers containing confidential information accessible from the internet, holding patient data for almost half a million people. These sensitive systems had been left in an insecure state for several years. This is nothing new in the Netherlands; the same group reported a similar data leak involving over 800,000 Dutch citizens and residents at another facility in July 2012.

Information which was exposed:

  • Patient Name
  • Date of Birth
  • Address
  • Tax ID number (BSN like US Social Security number)
  • Telephone number
  • Patient number
  • Insurance number
  • Diagnosis
  • Medication
  • Lab results
  • X-rays and similar medical imaging
  • Treatment plans

Why was the information accessible?

  1. Unpatched and outdated versions of Microsoft, Adobe Flash and VMware software. Recently CSIS Denmark released a report which highlighted that 99.8 % of malware or virus infections could be mitigated by patching these applications along with Adobe Reader and Java.
  2. The password for the administrator account was ‘groen2000’. The password is both easily guessable and extremely weak, at 40-bit strength. Using John the Ripper and a beefed-up system, the password could be cracked in seconds. I wonder if 2000 was the last year the systems were patched?

Why are medical facilities, hospitals, insurance companies and doctors’ offices seemingly so lacking in security and unsympathetic towards patient privacy?

  • Shockingly, the maximum fine in the Netherlands for data breaches is only 4,500 euro. This is cheaper in some cases than implementing anti-virus or buying a decent firewall. My previous Dutch GP once told me without flinching, “Our systems are secure because we use MacOS, no anti-virus is needed.” If the punishment is cheaper, way cheaper, than remediation, I would take a fine any day.
  • The DRA, the agency tasked with ensuring data privacy and investigating breaches, is staffed with about 80 personnel, including all support staff, whilst the Dutch Animal Police has over 500 officers.

Link to original story:

http://www.nu.nl/binnenland/2927832/groene-hart-ziekenhuis-lekt-medische-dossiers.html

More proof that patching, keeping systems on supportable versions and strong, secured passwords are a basic requirement for you and all organisations. Lastly, dank u wel/thank you very much to Bonnie and the Nederlands Genootschap van Hackende Huisvrouwen; it is good to know we have highly technical, expert hacker housewives willing to take a risk and help protect our privacy when governments fail to do so.

Patches! We don’t need no stinking Patches!

And you thought implementing a vulnerability program was too expensive!

Recently CSIS Denmark released a report which highlighted that 99.8 % of malware or virus infections could be mitigated by patching five key applications. Those applications, some of our favourites:

Internet Explorer – lots of bells-and-whistles elements are built into the browser, all of which must be kept up to date for it to be as secure as possible. IE is now a very secure browser for the most part, if kept patched! As with all browsers, if there is a dodgy website set up to exploit a browser weakness, patching will protect from this risk unless it is a zero-day (rare), and patching is easy to deploy locally and administratively.

Windows Vista & Server 2003 – both operating systems need to be kept up to date, with a roadmap for upgrade to Windows 7 and Server 2008 respectively. If you weren’t aware, most users would rather still use Windows XP over Vista and would love to be upgraded to Windows 7. Both Server 2003 and Windows Vista have been out for a number of years and those naughty cyber-criminal syndicates are very familiar with exploiting them. The operating systems are weaker than their upgrade counterparts due to some architectural flaws. An operating system infection is dreadful: you can’t trust any installed application or the OS itself. They can also take the greatest amount of time and the highest cost to remediate.

Adobe Acrobat Reader/Writer – the applications necessary for business, internet, research and education that all computer users have used at one time (or 20 times today), much to our delight and frustration. Due to the widespread usage of the apps and the lack of patch management, they are a juicy, luscious, easy target.

Java JRE – again, widespread usage and lack of general patch management is a driving force behind infections. Also, this application, similar to many Adobe products, suffers from a less than favourable security reputation.

Here is how expensive not patching and vulnerability testing is:

You have to call the CEO and/or the board to an emergency meeting. A trusted third-party supplier infected your network and, very publicly, compromised a primary database of customer information; quite sensitive customer information, that is. The CEO, or another higher-up well known for arse-chewing, or at least at the level that can terminate you instantly, is on vacation. As an extra bonus, it is 2 am in that friendly, understanding corporate officer’s local time. No matter if your IT security department had sign-off, documented meetings, warnings etc. to upper management or the board that a program was needed, it will still cost reputation, business and possibly jobs before the dust has all cleared.

If you are new to the topic and need some solid answers, a fantastic resource for assistance is Reddit NetSec. Try to avoid loss from the door being left unlocked to all your organisation’s information because of an aged or insecure application that in most cases just needs a free patch. If your patch and vulnerability testing is lacking, get up to speed now. If all else fails, you can learn to use some new tools and update your CV/resume, just in case pressures within your organisation ever create a risk of having to make that loud, uncomfortable and/or demoralising phone call.

There are low-cost, awesome, feature-rich, speedy tools that can be used to express the importance of patching and vulnerability testing. They also have a low learning curve for new users:

Nessus – there is a limited free version which is perfect for performing quick (non-)commercial tests. If you contact them and explain you wish to use a demo with more features, I’m guessing they will likely send you one. Once you use Nessus it’s a fairly easy sell after presenting the app’s generally solid results.

FOCA – this is one of my favourite tools; I’m always impressed when I use it. It is a succulent, metadata-driven beauty that makes basic to medium-level pen testing feel like a holiday on a warm tropical beach during winter. At the push of a button, to paraphrase their Hack in the Box presentation: perfect for the lazy pen-tester. FEAR the FOCA!

Belarc Advisor – there are fully functional (free) home and low-cost corporate versions. It’s HTML-based and can be parsed, with functions such as displaying software keys, showing whether patches were correctly installed with hyperlinks for rectification, reviewing user accounts and a custom security score. I have used it for more years than I care to reveal, lest I date myself out of the abundant job market.


Software Security Tools Inventory List

Organising, testing and keeping your tools updated is especially important if you collect any digital evidence which might be used in a civil or criminal process.

Currently I am taking the SANS self-study course SANS 504 Hackers, Exploits and Techniques. The topic of tools came up on Day 1 with a focus on the following:

  1. Organise your tools before an incident occurs
  2. Test your tools
  3. Keep your tools updated
  4. Ensure tool integrity with Hash Codes

It got me thinking about organising my own toolset much more formally. I didn’t readily find templates online, so I created my own and began working on my toolset. It might sound a little boring, or like digital OCD, but I think it will be highly useful nonetheless. Besides, I am tired of switching from one system to the next, forgetting to copy something and losing access to some tool, or trying to open a tool when I really need it only to find it doesn’t work.

I went through my tools, organised them into one location which is backed up, and performed the following steps:

  1. Checked the versions in my toolset against the most current version and updated as applicable
  2. Recorded via hyperlink the website locations and/or download location
  3. Verified the hash codes from the vendor if applicable or made my own if trusted
  4. Verified the tool worked
  5. Recorded the date added into the toolset (after verifying the tool worked)
  6. Recorded the tool release date
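The six steps above as a script, added here as an example that is not part of the original post or its templates: each tool’s SHA256, source URL, version and dates are recorded in an inventory CSV, and a later run re-hashes everything on the list and flags anything missing or changed. Function names, the demo tool and its URL are constructed samples; the CSV is written to $env:TEMP so the script runs anywhere.

```powershell
# Added example (not from the original post): record each tool's SHA256, source
# URL, version and dates into an inventory CSV, then re-verify the toolset
# against that record. Function names, the demo tool and its URL are
# constructed samples; the CSV lives in $env:TEMP so the script runs anywhere.

$Inventory = Join-Path $env:TEMP 'tool-inventory.csv'

function Add-ToolRecord {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Path,
        [string] $Version = 'unknown',
        [string] $SourceUrl = ''
    )
    $item = Get-Item -LiteralPath $Path
    [pscustomobject]@{
        Name        = $Name
        Path        = $item.FullName
        Version     = $Version
        SourceUrl   = $SourceUrl
        SHA256      = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
        ReleaseDate = $item.LastWriteTimeUtc.ToString('u')   # replace with the vendor's date
        Added       = (Get-Date).ToUniversalTime().ToString('u')
    } | Export-Csv -LiteralPath $Inventory -Append -NoTypeInformation
}

function Test-ToolInventory {
    # Re-hash every recorded tool; a changed hash means the binary on disk is
    # no longer the one that was verified and tested when it was added.
    foreach ($rec in Import-Csv -LiteralPath $Inventory) {
        if (-not (Test-Path -LiteralPath $rec.Path)) {
            $status = 'MISSING'
        } else {
            $now = (Get-FileHash -LiteralPath $rec.Path -Algorithm SHA256).Hash
            $status = if ($now -eq $rec.SHA256) { 'OK' } else { 'HASH MISMATCH' }
        }
        [pscustomobject]@{ Name = $rec.Name; Version = $rec.Version; Status = $status; Path = $rec.Path }
    }
}

# Constructed demo: a stand-in "tool" is recorded and checked, then altered and checked again.
Remove-Item -LiteralPath $Inventory -ErrorAction SilentlyContinue
$demo = Join-Path $env:TEMP 'demo-tool.txt'
Set-Content -LiteralPath $demo -Value 'placeholder tool contents'
Add-ToolRecord -Name 'DemoTool' -Path $demo -Version '1.0' -SourceUrl 'https://example.invalid/demo'
Test-ToolInventory | Format-Table -AutoSize
Add-Content -LiteralPath $demo -Value 'altered after it was inventoried'
Test-ToolInventory | Format-Table -AutoSize
```

Compare the vendor’s published hash against the SHA256 column before trusting a record; the script can only tell you whether a tool changed after it was added, not whether it was genuine to begin with.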


Example Security Software Tools List

I have uploaded a two-page tools list which lists some of the tools I personally use:

Chris’s Example Tool List

I also uploaded a completely blank Security Software Tools List template which you can download and customise for yourself or your organisation:

Blank Security Software Tool Inventory List Template


Please feel free to post any comments, questions or ideas!