The Dark Side of NTFS



  1. COM Structured Storage
  2. ADS(Alternate Data Streams)
ADS commandline tools
more < filename:stream

'Create File
echo Hello World! > 1.txt

'Add data stream 
echo > 1.txt:URL

'Edit data stream
echo > 1.txt:URL

'Delete data stream
more < 1.txt >
del 1.txt
ren 1.txt

10 Things to know about ADS
  1. There is no limit on the size of streams and there can be more than one stream linked to a normal file. ADS are not visible in explorer or via command prompt. In fact, their size is also not reported by Windows!
  2. Streams can be attached not only to files but also to folders and drives!
  3. The content of an ADS should not be considered limited to simply text data. Any stream of binary information can constitute a file which includes executables, Mpeg files, Jpeg files etc.
  4. ADS have no attributes of their own. The access rights assigned to the default unnamed stream are the rights that control any operation on ADSs such as creation, deletion or modification. This means if a user cannot write to a file, that user cannot add an ADS to that file. A user with guest privileges can also create such streams in every file where he has write access.
  5. Some Browser helper Objects (BHOs) have started storing their malicious files inside ADS and very few anti-spyware/malware actually detect it.
  6. Windows File Protection prevents the replacement of protected system files; it does not prevent a user with the appropriate permissions from adding ADS to those system files. The System File Checker (sfc.exe) will verify that protected
    system files have not been overwritten, but will not detect ADS.
  7. Microsoft Windows provides no tools or utilities either within the operating system software distribution or the Resource Kits for detecting the presence of ADS.
  8. The stream can only be executed if called directly by a program with the full path to the file given. It is impossible to accidentally execute a stream.
  9. None of the Internet protocols enabling file transfer such as SMTP, FTP etc. support streams. This means that ADS can't be sent via Internet. However, files containing ADS can be sent across a local LAN provided the target drive is in the NTFS format.
  10. In certain cases, streams have been used to remotely exploit a web server. Some web servers are susceptible to having their file source read via the: $DATA stream. If a server side script such as PHP or ASP is running on a web server which is not patched properly, instead of getting output as a result of processing the script, the source code of the ASP/PHP file could be viewed by using a URL like this:$DATA

    This is a critical vulnerability as the server-side source code could reveal sensitive information including how the site has been coded and how the information is flowing. This information could be used by the attacker to launch a specific attack on the server.