by Rohan Sethi / Aug 20,2009 / Tags: security, ADS, threat

Alternate Data Streams in NTFS (NT file system) is a rather unknown compatibility feature in Windows NT systems. It was introduced in NTFS with the intent of compatibility with HFS, or the old Macintosh Hierarchical File System. The Primary Function of ADS is to hold metadata about files: Writing details in summary of a text document (right clicking the TXT file, selecting properties, and then selecting the summary tab) gets attached as an ADS.

So what’s so special about ADS?

One may think, “A text document’s summary is stored as ADS… so what?” Well, there’s more to it — executable code can also be stored as an alternate data stream without the Timestamp, listed File’s size or running process name being modified. Moreover, files with ADS are almost impossible to be detected by native file browsing techniques like Windows Explorer or the command line; software that can identify them are few and far in between…

Exploiting ADS

The lengths a malicious hacker can go to hide his tracks can be astonishing, and this is what makes ADS the worst nightmare of a System Administrator. Due to the concealed nature of ADS, detecting and preventing execution of malicious code is intricate.

Once a hacker has acquired administrator access on the system, he’ll strip off all information of concern, covering the detection of his presence and will try to install a backdoor (a remote access Trojan) for easy future access. This backdoor needs to be veiled from the system administrator, this is where ADS comes to in – it can be used to hide files on the breached system, evading detection and executing them without the knowledge of the sys admin.

The ability to hide executable code in an invisible form inside ADS can also make viruses difficult to be detected within a file system, because most virus scanners only verify the default data stream of files. Major Anti-virus vendors point out that ADS must be loaded into the memory before execution and thus will be detected with real-time scanning (when a file is scanned after it is loaded in memory (just after commanded to execute), the type of scan is known as a “real-time” scan). The problem with this approach is that many network administrators do not run real-time scanning on their servers or workstations due to performance issues.

Denial of Service (DoS) attacks that exploit the use of ADS also exist. It is the difficulty of detection that increases the threat. For example, it is quite common for an attacker to create a file large enough to fill up the system partition on a Windows NT/2000 system, to crash the server due to lack of space for temporary files. When using the main stream of a file in such an attack, the violating files are easily identified due to their abnormally large size. By using Alternate Streams here, it can be made difficult to detect where the violating files are located on the system. Another attack exploiting ADS can be launched by creating a large number of alternate streams, more than 6,000 on a specific file. If the attacker or the system tries to access the default stream of the file, the system’s response slows considerably and in worst case, the system crashes thus creating a Denial of Service.

Moreover, this vulnerability is not confined to the NTFS file system; any other file system that uses streams for alternate data is vulnerable.
Read More

Google security specialists Tavis Ormandy and Julien Tiennes report that a critical security vulnerability in the Linux kernel affects all versions of 2.4 and 2.6 since 2001, on all architectures. The vulnerability enables users with limited rights to get root rights on the system. The cause is a NULL pointer dereference in connection with the initialisation of sockets for rarely used protocols.
Read more

The following google search queries can be used to identify information about your network thats being exposed to everyone.

site
The site operator is great for trolling through all the content Google has gathered for a target.
This operator is used in conjunction with many of the other queries presented here to narrow the focus of the search to one target.

intitle:index.of
The universal search for Apache-style directory listings.
Directory listings provide a wealth of information for an attacker.

error | warning
Error messages are also very revealing in just about every context.
In some cases, warning text can provide important insight into the behind-the-scenes code used by a target.

login | logon
This query locates login portals fairly effectively.
It can also be used to harvest usernames and troubleshooting
procedures.

username | userid | employee.ID | “your username is”
This is one of the most generic searches for username harvesting.
In cases where this query does not reveal usernames, the context around these words can reveal procedural information an attacker can use in later offensive action.

password | passcode | “your password is”
This query reflects common uses of the word password.
This query can reveal documents describing login procedures, password change procedures, and clues about password policies in use on the target.

admin | administrator
Using the two most common terms for the owner or maintainer of a site, this query can also be used to reveal procedural information (“contact your administrator”) and even admin login portals.

ext:html –ext:htm –ext:shtml –ext:asp –ext:php
This query, when combined with the site operator, gets the most common files out of the way to reveal more interesting documents.
This query should be modified to reduce other common file types on a target-by-target basis.

inurl:temp | inurl:tmp | inurl:backup | inurl:bak
This query locates backup or temporary files and directories.

intranet | help.desk
This query locates intranet sites (which are often supposed to be protected from the general public) and help desk contact information and procedures.

Website-specific searches:

Show all indexed pages for a specific domain:

site:{url}

Find pages that link to a specific URL:

link:{url}

Find pages related to a specific URL:

related:{url}

Show Google’s cached version of a specific URL:

cache:{url}

Show a page containing links to related searches about a URL:

info:{url}

Find only results from a specific domain:

site:{url} {terms}

Content-, Link-, and Title-specific searches:

Find results with the specified terms in the link URL or title of links to a website:

allinanchor:{terms}

Find results with only the first specified term in the link URL or title of links to a website:

inanchor:{terms}

Find results with the specified terms in the URL:

allinurl:{terms}

Find results with only the first specified term in the URL:

inurl:{terms}

Find results with the specified terms in the page title:

allintitle:{terms}

Find results with only the first specified term in the page title:

intitle:{terms}

Find results with the specified terms in the page text, not the links or page title:

allintext:{terms}

Find results with only the first specified term in the page text, not the links or page title:

intext:{terms}

Find results with the specified terms in the page links, not the text or title:

allinlinks:{terms}

Find results with only the first specified term in the page links, not the text or title:

inlinks:{terms}

Find results containing the specified filetype:

filetype:{filetype}

Find results not containing the specified filetype:

-filetype:{filetype}

Other Tips & Tricks

Find directory indexes (a listing of web server files) for specific topics and with specific filetypes:

{term} intitle:"index of /" {filetype}
php intitle:"index of /" .pdf

Find only images containing faces in a Google Image search result by adding ‘&imgtype=face‘ to the end of the search URL:

http://images.google.com/images?q=google

http://images.google.com/images?q=google&imgtype=face

This is a continuation of multiple educational video demonstrations
related to Web application attacks, however this video is focused specifically on database security. This video looks at a Direct Database Access SQL Injection attack. In this attack a non-privileged user is able to exploit a vulnerability that existed in both Oracle 8i and 9i in which the malicious user could grant themselves DBA privileges. Read More