Go4Expert

Go4Expert (http://www.go4expert.com/), Windows articles section
Hide Data WITHOUT Steganography (http://www.go4expert.com/articles/hide-data-steganography-t18217/)

SaswatPadhi 26Jun2009 22:00

Hide Data WITHOUT Steganography
 

Introduction



Hello everyone. :) Good morning/afternoon/evening/whatever :p
First of all, thank you all for your feedback on my articles. :pleased:
This is my second article in the OS/Windows section. I hope this article will be enjoyable and useful for all. ;)

Some years back, I badly needed a satisfactory method to store my passwords. I used to keep my login details in a password protected document, but I often forgot the password to the protected file. So, later I switched to hiding my passwords "behind" my photo (a jpg file) using steganography. But the passwords could still be read with a hex editor :( Finally, when I heard about ADS, I found it the most satisfactory.

In this article, I will be talking about "hiding" data without using steganography. The whole concept behind this is the use of Alternate Data Streams (ADS).

For those who don't know what steganography is, here is what Wikipedia mentions :
Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message, a form of security through obscurity. The word steganography is of Greek origin and means "concealed writing".

Alternate Data Streams



Today most Windows users rely on NTFS, and ADS is a relatively little-known feature of it. ADS is the ability to fork extra named data streams onto an existing file or directory, alongside the unnamed primary stream that holds the file's ordinary contents. ADS capabilities are found in all versions of NTFS. ADS was originally created to allow for compatibility with HFS, the Macintosh Hierarchical File System, in which file information is sometimes forked into separate resources. Alternate Data Streams have come to be used legitimately by a variety of programs, including Windows itself, to store file information such as attributes and temporary storage; the best known example is the Zone.Identifier stream that Windows attaches to downloaded files to record where they came from.

Advantages and Dis-advantages of ADS



ADS has several advantages (even over conventional steganographic methods) :
  • ADS does not change the reported size of the target file, no matter how much data you hide. The hidden bytes still occupy disk space; DIR and Explorer simply report the size of the primary stream only.
  • ADS is not shown by most file browsers, including Windows Explorer, or by a plain DIR. (DIR /R on Windows Vista and later does list streams.)
  • ADS does not affect the functionality of the target file inside which data is hidden.
  • You can work with the hidden data directly without extracting it again and again.
  • You do not need any special software to read/write hidden data using ADS. The Windows command prompt ("cmd.exe") is all that you need !
  • ADS does not involve any sophisticated hacking skills or anything like that.
  • Moving/copying the file into which data is hidden also moves/copies the hidden data, as long as the destination is also NTFS.
  • Using ADS, you can hide any kind of data : binary or text streams.

Dis-advantages of ADS :
  • Writing a stream changes the last-modified time stamp of the target file.
  • ADS is an NTFS feature, so it is not supported everywhere. Copying a file to a FAT/FAT32 volume, attaching it to an e-mail, or packing it into an archive that does not understand streams drops all the hidden streams.
  • ADS only hides data; it does not encrypt it. Anyone who enumerates the streams (see the Detecting ADS section) can read them, so treat it as security through obscurity, not as protection.

Time for some Action



(1) Hiding data using ADS

So, ready to test the newly learnt skill ? OK. Fire up "cmd.exe".
You heard it right, "cmd.exe" : the Windows command prompt. (It is often called the DOS prompt, but it is a native Windows program; no DOS is involved.)

[[ In all the listings below, lines beginning with a C:\> prompt are the commands you are expected to type; everything else is output generated by the computer ]]

To begin, create a text file named test.txt and check its contents :
Code:

C:\>ECHO This is the test target>test.txt

C:\>TYPE test.txt
This is the test target

C:\>DIR test.txt
Volume in drive C is WiND0WS XP
 Volume Serial Number is D86F-8B7A

 Directory of C:\

06/26/2009  09:15 PM                25 test.txt
              1 File(s)            25 bytes
              0 Dir(s)  9,065,259,008 bytes free

Now, let's put some secret data into this test target and check its contents:
Code:

C:\>ECHO This data is hidden>test.txt:hidden.txt

C:\>TYPE test.txt
This is the test target

C:\>DIR test.txt
Volume in drive C is WiND0WS XP
 Volume Serial Number is D86F-8B7A

 Directory of C:\

06/26/2009  09:17 PM                25 test.txt
              1 File(s)            25 bytes
              0 Dir(s)  9,065,259,008 bytes free

Note that only the time stamp has changed : the reported file size (25 bytes) and the file contents are *exactly* the same ! The hidden bytes are on disk, but DIR reports only the primary stream.

Now, let's see the hidden data:
Code:

C:\>DIR test.txt:hidden.txt
Volume in drive C is WiND0WS XP
 Volume Serial Number is D86F-8B7A

 Directory of C:\

File Not Found


C:\>TYPE test.txt:hidden.txt
The filename, directory name, or volume label syntax is incorrect.

C:\>NOTEPAD test.txt:hidden.txt

Note that DIR reports File Not Found and TYPE rejects the path outright, yet Notepad opens the stream without complaint. The colon confuses the path handling in DIR and TYPE, not the file system : any program that simply passes the name to the CreateFile API, as Notepad does, opens the stream like an ordinary file. If you want to see a text stream from the prompt without Notepad, redirect it into MORE instead (MORE < test.txt:hidden.txt).

Now, lets try hiding something else:
Code:

C:\>TYPE WallPaper_1.jpg>test.txt:Wall.jpg

C:\>START .\test.txt:Wall.jpg

I first hid a wallpaper inside test.txt and then viewed it directly from the stream. And it works !!

Let me give you the general syntax to hide any file :
TYPE [data to be hidden]>[target file]:[Alternate stream]
You need to fill in the parts inside []. For example,

TYPE Passwords.doc>My_Pic.jpg:MyPasswords.doc will fork My_Pic.jpg with an ADS named MyPasswords.doc holding a copy of Passwords.doc. The stream name is free text and need not carry an extension. The original Passwords.doc is left in place, so delete it yourself if the point is to hide it.

Even an exe file can be hidden and *directly* run from an ADS. For example :
Code:

C:\>TYPE Virus.exe>test.txt:MyVirus.exe

C:\>START .\test.txt:MyVirus.exe

The above code forks test.txt with the contents of Virus.exe and then runs it directly from the ADS MyVirus.exe. This is exactly how malware has abused streams, so two caveats : it works like this on Windows XP, while Windows Vista and later generally refuse to START an executable stored in a stream; and the process still shows up in Task Manager and in any process listing, because hiding the file does not hide the running program.

You can not only use ADS with files, but also with directories ! It can be done this way :
Code:

C:\TestADS>ECHO This is hidden inside this directory > :hidden.dat

C:\TestADS>DIR
Volume in drive C is WiND0WS XP
 Volume Serial Number is D86F-8B7A

 Directory of C:\TestADS

06/28/2009  21:37    <DIR>          .
06/28/2009  21:37    <DIR>          ..
              0 File(s)              0 bytes
              2 Dir(s)  2,828,603,392 bytes free

C:\TestADS>notepad :hidden.dat

See that the DIR command does not show the hidden.dat, but notepad opens it.
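The same procedure in PowerShell, which since version 3.0 has a -Stream parameter on its file cmdlets. This is an added example, not code from the original article; it assumes Windows PowerShell 3.0 or later (or PowerShell 7 on Windows), an NTFS volume, and uses a scratch directory and stream names of its own choosing.

```powershell
# Added example: hiding and reading back an alternate data stream with
# PowerShell's built-in -Stream parameters (Windows PowerShell 3.0+ or
# PowerShell 7 on Windows; the volume must be NTFS).
# Directory, file and stream names below are this example's own choices.

$work   = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$target = Join-Path $work 'test.txt'

# 1. A normal file. Its contents live in the unnamed primary stream (":$DATA").
Set-Content -Path $target -Value 'This is the test target'
$sizeBefore = (Get-Item -LiteralPath $target).Length

# 2. Attach a named stream. The visible contents of test.txt do not change.
Set-Content -Path $target -Stream 'hidden.txt' -Value 'This data is hidden'
$sizeAfter = (Get-Item -LiteralPath $target).Length

# 3. Explorer, DIR and FileInfo.Length all report the primary stream only,
#    so the two sizes are identical even though more bytes are on disk.
"Length before: $sizeBefore bytes, after: $sizeAfter bytes"
Get-Content -Path $target                  # still prints the original line

# 4. Enumerate every stream on the file. ":$DATA" is the primary stream;
#    anything else is an alternate stream with its own length.
Get-Item -LiteralPath $target -Stream * |
    Select-Object FileName, Stream, Length

# 5. Read the alternate stream in place, no extraction needed.
Get-Content -Path $target -Stream 'hidden.txt'

# 6. Appending works the same way, and only the stream grows.
Add-Content -Path $target -Stream 'hidden.txt' -Value 'second line'
(Get-Item -LiteralPath $target -Stream 'hidden.txt').Length
```

Get-Item -Stream * is the PowerShell counterpart of the DIR /R listing on Vista and later; directory streams such as the :hidden.dat above show up in it as well when you point it at the directory.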

(2) Removing attached ADS

Now, suppose you want to delete the alternate data streams from a file without deleting the file itself. cmd.exe has no command to delete a single stream, so the trick is to copy the primary stream into a fresh file and delete the original, which takes its ADS with it. Renaming keeps the streams attached, which is why the copy has to be a TYPE and not just a REN. For example :
Code:

C:\>REN test.txt temp.txt

C:\>TYPE temp.txt>test.txt

C:\>DEL temp.txt

This first renames test.txt to temp.txt (streams included), then copies only its primary stream into a new file named test.txt, and finally deletes temp.txt together with the hidden streams. Note that the new test.txt gets fresh time stamps and default permissions. Streams.exe from SysInternals (see Detecting ADS below) can also delete streams in place with its -d switch.
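PowerShell can delete a single stream in place with Remove-Item -Stream, so the rename-and-copy dance is unnecessary there. The function below is an added example, not from the original article; it assumes Windows PowerShell 3.0 or later (or PowerShell 7 on Windows) and the function and file names are its own.

```powershell
# Added example: strip every alternate stream from a file while leaving the
# primary data, time stamps and permissions untouched.
# Requires Windows PowerShell 3.0+ or PowerShell 7 on Windows (NTFS volume).

function Remove-AlternateStreams {
    param([Parameter(Mandatory)][string]$Path)

    # ':$DATA' is the unnamed primary stream; everything else is an ADS.
    $ads = @(Get-Item -LiteralPath $Path -Stream * |
             Where-Object { $_.Stream -ne ':$DATA' })

    foreach ($s in $ads) {
        Remove-Item -LiteralPath $Path -Stream $s.Stream
        "removed {0}:{1} ({2} bytes)" -f $Path, $s.Stream, $s.Length
    }

    # Verify: only the primary stream may remain.
    $left = @(Get-Item -LiteralPath $Path -Stream * |
              Where-Object { $_.Stream -ne ':$DATA' })
    if ($left.Count -ne 0) {
        throw "alternate streams still present on $Path"
    }
    return $ads.Count
}

# Usage against a file prepared like the article's test.txt (hypothetical path):
$target = Join-Path $env:TEMP 'test.txt'
Set-Content -Path $target -Value 'This is the test target'
Set-Content -Path $target -Stream 'hidden.txt' -Value 'This data is hidden'
Set-Content -Path $target -Stream 'Wall.jpg'   -Value 'stand-in for a picture'

$removed = Remove-AlternateStreams -Path $target
"$removed stream(s) removed"
Get-Content -Path $target      # primary data is untouched
```

Because the file is never recreated, the modification time and ACL of the original stay as they were, which the REN/TYPE/DEL method cannot guarantee.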

(3) Recovering attached ADS

Suppose you want to extract the attached ADS to a separate file. TYPE will not read a stream, so here I use the *nix utility CAT from http://sourceforge.net/projects/unxutils, which simply passes the bytes through. With it installed you can retrieve an ADS using :
Code:

C:\>CAT "test.txt:hidden.txt">"Recovered.txt"

This will recover the data from the ADS hidden.txt into Recovered.txt.
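For text streams, cmd.exe's own MORE < test.txt:hidden.txt > Recovered.txt does the same job without any download, but MORE is not safe for binary data such as the Wall.jpg stream above. The function below copies a stream out byte for byte; it is an added example, not part of the original article, assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, and its function and file names are its own.

```powershell
# Added example: copy an alternate data stream out to a normal file, byte for
# byte, so binary payloads survive. Windows PowerShell 5.1 and PowerShell 7
# spell the "raw bytes" switch of Get-Content differently, hence the branch.
# Function and file names are this example's own choices.

function Export-AlternateStream {
    param(
        [Parameter(Mandatory)][string]$Path,        # file carrying the stream
        [Parameter(Mandatory)][string]$Stream,      # stream name, e.g. 'Wall.jpg'
        [Parameter(Mandatory)][string]$Destination  # ordinary output file
    )

    # Without an explicit byte switch Get-Content decodes the stream as text
    # and would corrupt anything that is not text.
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        $bytes = Get-Content -LiteralPath $Path -Stream $Stream -AsByteStream -Raw
    } else {
        $bytes = Get-Content -LiteralPath $Path -Stream $Stream -Encoding Byte -Raw
    }
    if ($null -eq $bytes) { $bytes = New-Object byte[] 0 }   # empty stream

    # .NET resolves relative paths against its own working directory, not
    # PowerShell's, so resolve the destination through the provider first.
    $full = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($Destination)
    [System.IO.File]::WriteAllBytes($full, [byte[]]$bytes)

    # Sanity check: the recovered file must match the stream length exactly.
    $expected = (Get-Item -LiteralPath $Path -Stream $Stream).Length
    $actual   = (Get-Item -LiteralPath $full).Length
    if ($actual -ne $expected) {
        throw "size mismatch: stream is $expected bytes, file is $actual bytes"
    }
    return $actual
}

# Usage with the article's names (run in the directory holding test.txt):
Export-AlternateStream -Path .\test.txt -Stream 'hidden.txt' -Destination .\Recovered.txt
Export-AlternateStream -Path .\test.txt -Stream 'Wall.jpg'   -Destination .\Recovered.jpg
```

The length comparison at the end is the check worth keeping: a recovered picture that opens but is a few bytes short is the usual symptom of a text-mode copy.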

(4) Detecting ADS

There are quite a few tools to detect ADS in Windows. Since Windows Vista, DIR /R is built in and lists every stream with its size, and PowerShell 3.0 and later can enumerate them with Get-Item -Stream *. Some popular standalone tools are :

LADS - List Alternate Data Streams by Frank Heyne
http://www.heysoft.de/en/software/lads.php

Streams.exe from SysInternals:
http://www.sysinternals.com/ntw2k/so....shtml#streams

ADS Spy GUI Scanner:
http://www.spywareinfo.com/~merijn/downloads.html

Crucial ADS GUI Scanner:
www.crucialsecurity.com/downloads.html

ADS Detector for Explorer:
http://www.codeproject.com/csharp/Cs...torArticle.asp
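A practitioner usually wants to scan a whole tree rather than one file, and to separate the benign Zone.Identifier streams that Windows itself adds to downloaded files from streams that deserve a look. The scanner below is an added example written for this article, not one of the tools listed above; it assumes Windows PowerShell 3.0 or later (or PowerShell 7 on Windows), and the function name, ignore list and the MZ heuristic are its own.

```powershell
# Added example: a small ADS scanner. It walks a directory tree, reports
# every alternate stream on files and directories, skips known-benign
# stream names, and flags streams that begin with an executable header.
# Requires Windows PowerShell 3.0+ or PowerShell 7 on Windows.

function Find-AlternateStreams {
    param(
        [Parameter(Mandatory)][string]$Root,
        # Zone.Identifier is the "mark of the web" Windows writes on downloads.
        [string[]]$Ignore = @('Zone.Identifier')
    )

    # -Force includes hidden and system items; errors (access denied,
    # reparse points) are skipped rather than aborting the scan.
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        # -Stream * lists every stream on the item; ':$DATA' is the primary one.
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
          Where-Object { $_.Stream -ne ':$DATA' -and $Ignore -notcontains $_.Stream } |
          ForEach-Object {
            # First line of the stream, read as text: a PE file starts with "MZ".
            $head = Get-Content -LiteralPath $_.FileName -Stream $_.Stream `
                        -TotalCount 1 -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Path   = $_.FileName
                Stream = $_.Stream
                Bytes  = $_.Length
                LooksLikeExe = [bool]($head -like 'MZ*')
            }
          }
      }
}

# Usage: scan the current user's profile, executables and big streams first.
Find-AlternateStreams -Root $env:USERPROFILE |
    Sort-Object LooksLikeExe, Bytes -Descending |
    Format-Table -AutoSize
```

The MZ check is only a triage hint: a payload can be stored compressed or encoded, so anything large or oddly named in the output still merits opening with the recovery function above or a hex viewer.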

Conclusion



So, we have come to the end of this ADS tutorial. ADS has been used extensively by malware authors to stash payloads where casual inspection will not find them. Strictly speaking it is not a vulnerability in NTFS but a documented feature that is easy to abuse, and what NTFS offers in return (permissions, journaling, encryption) far outweighs that risk. Remember, though, that a stream is only hidden from people who do not look for it : the tools in the Detecting ADS section read it as easily as Notepad does. For anything genuinely sensitive, such as the password list that started this article, keep the ADS trick for the hiding and use proper encryption for the protection.

Thanks all for reading this article :)
Hope you like it.

Good bye and Take care.

mayjune 27Jun2009 14:06

Re: Hide Data WITHOUT Steganography
 
Great job Saswat, although I'll have to work on it to really understand the depth of it, but I didn't get one thing: how is the size still the same no matter what the code to be hidden is???? How does it do that??
PS - one point, do consider some newbies, when you mentioned "without steganography", to tell what steganography is... else more than your article their mind will be filled with what steganography is...
Else it was :2thumbsup

SaswatPadhi 27Jun2009 17:57

Re: Hide Data WITHOUT Steganography
 
Thanks for the feedback, mayjune :)

>> how is the size still the same no matter what the code to be hidden is???? how does it do that??
The data still resides on your hard disk, but the file size is unaffected because it shows the size of the primary data stream and not of the alternate data streams.

And, I'll try to add "Steganography" definition to the article.

shabbir 27Jun2009 18:06

Re: Hide Data WITHOUT Steganography
 
PM Me the definition as no one can edit the articles once posted.

nimesh 28Jun2009 22:29

Re: Hide Data WITHOUT Steganography
 
Nice Article Saswat.

I came to know about this vulnerability of ADS in Trend Micro's HiJackThis tool, but didn't know how to use it :)

Thanks.

mayjune 28Jun2009 23:01

Re: Hide Data WITHOUT Steganography
 
questions..

Quote:

Did you note that the DOS commands DIR and TYPE do not detect the hidden data, but notepad did !
Nope, it did not detect, it said file did not exist??? (using Vista)

The download link does not work, give an alternative....

How do I recover a pic file???

SaswatPadhi 29Jun2009 05:57

Re: Hide Data WITHOUT Steganography
 
Answers:

(1) Vista does detect the file. You can also use "DIR /R" command in vista to show Alternate Data Streams (it's not supported in XP).
Did you create the file before opening in notepad ?? I mean did you do something like "ECHO Hidden Text>Test.txt:Hidden" before "notepad Test.txt:Hidden" ?? If not, then no ADS is present with Test.txt, so notepad won't find any ADS.

(2) New-link : http://sourceforge.net/projects/unxutils. (Will update the article)

shabbir 29Jun2009 09:03

Re: Hide Data WITHOUT Steganography
 
Link Updated.

mayjune 29Jun2009 10:20

Re: Hide Data WITHOUT Steganography
 
Quote:

(1) You can also use "DIR /R" command in vista to show Alternate Data Streams (it's not supported in XP).
Nope, it does not show any ADS...
Code:

C:\>dir \R
 Volume in drive C has no label.
 Volume Serial Number is 8C19-481A

 Directory of C:\

File Not Found

OK OK, it showed... I used \ instead of /R... :p
Code:

                    17 test:hidden.txt:$DATA
28-06-2009  22:58                17 test.txt
                    26 test.txt:hidden:$DATA

Quote:

Did you create the file before opening in notepad ??
Yes, I did create the file before I tried opening it in Notepad.... I followed the steps you said for test.txt

NOTE THIS
Code:

C:\>notepad test:hidden.txt
(THIS shows my hidden text)

C:\>notepad test.txt:hidden.txt
(THIS doesn't work, says file doesn't exist..????)

(2) New-link : http://sourceforge.net/projects/unxutils. (Will update the article)
downloading, will update you on that..

mayjune 29Jun2009 10:37

Re: Hide Data WITHOUT Steganography
 
One more point, I just added more text in hidden.txt
using
Code:

C:\>notepad test:hidden.txt
(added more text)

C:\>dir test.txt
 Volume in drive C has no label.
 Volume Serial Number is 8C19-481A

 Directory of C:\

28-06-2009  22:58                17 test.txt
               1 File(s)             17 bytes
               0 Dir(s)  33,659,916,288 bytes free

^My date and time didn't change???? How come, it should? I checked, the text is added in hidden.txt

