Source: Go4Expert, Windows articles (http://www.go4expert.com/articles/hide-data-steganography-t18217/)

SaswatPadhi 26Jun2009 22:00

Hide Data WITHOUT Steganography
 

Introduction



Hello everyone. :) Good morning/afternoon/evening/whatever :p
First of all, thank you all for your feedback on my articles. :pleased:
This is my 2nd article in the OS/Windows section. I hope this article will be enjoyable and useful for all. ;)

Some years back, I badly needed a satisfactory way to store my passwords. I used to create a password-protected document with my login details, but many times I forgot the password to the protected file. So, later, I switched to hiding my passwords "behind" my photo (a JPG file) using steganography. But the passwords could be read with a hex editor :( Finally, when I heard about ADS, I found it the most satisfactory.

In this article, I will be talking about "hiding" data without using steganography. Everything here rests on one NTFS feature: Alternate Data Streams (ADS).

For those who don't know what steganography is, here is what Wikipedia says:
Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message, a form of security through obscurity. The word steganography is of Greek origin and means "concealed writing".

Alternate Data Streams



Today most Windows users rely on NTFS, and ADS is one of its less-known features: the ability to attach additional named data streams (forks) to an existing file or directory. Every version of NTFS has had them. They were added in Windows NT 3.1 so that Services for Macintosh could store the resource forks of the Macintosh Hierarchical File System (HFS), whose files keep part of their information in a separate fork. Alternate streams have since been used legitimately by a variety of programs, including Windows itself; the best-known example is the Zone.Identifier stream that Internet Explorer and other browsers add to downloaded files to record the security zone they came from.

Advantages and Disadvantages of ADS



ADS has many advantages (even over conventional steganographic methods):
  • ADS does not change the size reported for the target file, no matter how much data you hide: DIR and Explorer show the length of the primary (unnamed) stream only. The hidden bytes still occupy space on the volume.
  • Plain DIR and Windows Explorer do not list alternate streams (DIR /R, available from Vista onwards, does).
  • ADS does not affect the functionality of the target file inside which data is hidden.
  • You can work with the hidden data directly, without extracting it again and again.
  • You do not need any special software to read or write data using ADS. Plain old cmd.exe is all that you need!
  • ADS does not involve any sophisticated hacking skills or anything like that.
  • Moving or copying the file within an NTFS volume, or between NTFS volumes, also moves or copies the hidden streams.
  • Using ADS, you can hide any kind of data: binary or text streams.

Disadvantages of ADS:
  • Writing to an alternate stream updates the last-modified time stamp of the target file.
  • ADS exists only on NTFS. Copying a file to a FAT/FAT32/exFAT volume, uploading it to a web service, mailing it, or packing it with most archivers silently drops every alternate stream.
  • ADS hides data from casual inspection only. Anyone with read access to the file and a stream-aware tool (DIR /R, Sysinternals streams.exe, PowerShell's Get-Item -Stream *) can list and read it, so it is no substitute for encryption: passwords kept this way sit on disk in clear text.

Time for some Action



(1) Hiding data using ADS

So, ready to test the newly learnt skill? OK. Fire up cmd.exe.
You heard it right, cmd.exe: the Windows command prompt (it is not MS-DOS, but the commands below look the same).

[[ In the listings below, lines that start with a prompt such as C:\> are what you type; everything else is what the computer prints. ]]

To begin, create a text file named test.txt and check its contents:
Code:

C:\>ECHO This is the test target>test.txt

C:\>TYPE test.txt
This is the test target

C:\>DIR test.txt
 Volume in drive C is WiND0WS XP
 Volume Serial Number is D86F-8B7A

 Directory of C:\

06/26/2009  09:15 PM                25 TEST.txt
               1 File(s)             25 bytes
               0 Dir(s)  9,065,259,008 bytes free

Now, let's put some secret data into this test target and check its contents:
Code:

C:\>ECHO This data is hidden>test.txt:hidden.txt

C:\>TYPE test.txt
This is the test target

C:\>DIR test.txt
 Volume in drive C is WiND0WS XP
 Volume Serial Number is D86F-8B7A

 Directory of C:\

06/26/2009  09:17 PM                25 TEST.txt
               1 File(s)             25 bytes
               0 Dir(s)  9,065,259,008 bytes free

Note that only the time stamp has changed; the file size (25 bytes) and the visible contents are *exactly* the same!

Now, let's see the hidden data:
Code:

C:\>DIR test.txt:hidden.txt
Volume in drive C is WiND0WS XP
 Volume Serial Number is D86F-8B7A

 Directory of C:\

File Not Found


C:\>TYPE test.txt:hidden.txt
The filename, directory name, or volume label syntax is incorrect.

C:\>NOTEPAD test.txt:hidden.txt

Did you note that the cmd.exe built-ins DIR and TYPE do not find the hidden data, but Notepad does? DIR looks names up with a directory search, which never returns streams, and TYPE rejects the colon in the name; Notepad simply passes the name to the Win32 file API, which understands the file:stream syntax. (On Vista and later, DIR /R lists the streams, and MORE < test.txt:hidden.txt prints one, because input redirection goes through the file API as well.)

Now, lets try hiding something else:
Code:

C:\>TYPE WallPaper_1.jpg>test.txt:Wall.jpg

C:\>START .\test.txt:Wall.jpg

I first hid a wallpaper inside test.txt and then opened it directly from the stream. And it works!!

Let me give you the general syntax to hide any file:
TYPE [data to be hidden]>[target file]:[alternate stream]
You need to fill in the parts inside []. For example,

TYPE Passwords.doc>My_Pic.jpg:MyPasswords.doc forks My_Pic.jpg with an alternate stream named MyPasswords.doc. TYPE copies the bytes unchanged when its output is redirected, so this works for binary files as well as text.

Even an exe file can be hidden and *directly* accessed through ADS. For example:
Code:

C:\>TYPE Virus.exe>test.txt:MyVirus.exe

C:\>START .\test.txt:MyVirus.exe

The above forks test.txt with the contents of Virus.exe and then runs it straight from the ADS MyVirus.exe. This reflects Windows XP: later Windows versions no longer let START launch an executable directly from a stream, so treat this step as historical.

You can use ADS not only with files, but also with directories! It is done this way:
Code:

C:\TestADS>ECHO This is hidden inside this directory > :hidden.dat

C:\TestADS>DIR
 Volume in drive C is WiND0WS XP
 Volume Serial Number is D86F-8B7A

 Directory of C:\TestADS

06/28/2009  21:37    <DIR>          .
06/28/2009  21:37    <DIR>          ..
               0 File(s)              0 bytes
               2 Dir(s)  2,828,603,392 bytes free

C:\TestADS>NOTEPAD :hidden.dat

See that DIR does not show hidden.dat, but Notepad opens it. The leading colon names a stream of the current directory itself, C:\TestADS.

(2) Removing attached ADS

Now, suppose you want to delete the alternate data streams from a file without deleting the file itself. The trick is that TYPE reads only the primary stream, so copying the file's contents into a new file and then deleting the original leaves every ADS behind. For example:
Code:

C:\>REN test.txt temp.txt

C:\>TYPE temp.txt>test.txt

C:\>DEL temp.txt

This renames test.txt to temp.txt, copies its primary stream into a new file named test.txt, and deletes temp.txt together with all the streams attached to it. Note that the new file gets fresh time stamps and attributes and inherits its permissions from the directory instead of keeping the original ACL. Sysinternals' streams.exe (see Detecting ADS below) can instead delete the named streams in place with its -d switch.

(3) Recovering attached ADS

Suppose you want to extract an attached ADS to a separate file. TYPE cannot open a stream path, but the *nix utility CAT from the UnxUtils port (http://sourceforge.net/projects/unxutils) can, because it simply hands the name to the Win32 file API. Now you can retrieve the ADS using:
Code:

C:\>CAT "test.txt:hidden.txt">"Recovered.txt"

This recovers the data from the ADS hidden.txt into Recovered.txt. For a text stream the built-in MORE does the same job (MORE < test.txt:hidden.txt > Recovered.txt), because input redirection goes through the file API; for a binary stream use CAT or another byte-exact copy, since MORE is a text pager.

(4) Detecting ADS

There are quite a few tools that list ADS on Windows, and from Vista onwards DIR /R does so too. Some popular ones are:

LADS - List Alternate Data Streams by Frank Heyne
http://www.heysoft.de/en/software/lads.php

Streams.exe from SysInternals:
http://www.sysinternals.com/ntw2k/so....shtml#streams

ADS Spy GUI Scanner:
http://www.spywareinfo.com/~merijn/downloads.html

Crucial ADS GUI Scanner:
www.crucialsecurity.com/downloads.html

ADS Detector for Explorer:
http://www.codeproject.com/csharp/Cs...torArticle.asp

Conclusion



So, we have come to the end of this ADS tutorial. ADS has been used by malware authors to park payloads where tools that read only the primary stream never look. It is not a vulnerability in NTFS as such but a documented feature; the real risk is the blind spot it creates, so any file-system scan, backup or forensic triage on NTFS should enumerate streams (DIR /R, streams.exe or the scanners listed above) or it will miss what lives there.

Thanks all for reading this article :)
Hope you like it.

Good bye and Take care.
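
The whole procedure of sections (1) to (4) above, hide, remove, recover and detect, as one PowerShell script. This is an added example, not code from the article or from Go4Expert: it relies on the -Stream parameter that the FileSystem provider has had since PowerShell 3.0, assumes an NTFS volume, and works in a scratch directory under $env:TEMP so nothing on C:\ is touched. The "wallpaper" and "virus" are four-byte constructed stand-ins for the author's WallPaper_1.jpg and Virus.exe, and the benign/executable/other labels in Find-Ads are this example's own triage rule, not something the article or the tools it lists define.

```powershell
# Added example, not from the original article. Assumes PowerShell 3.0+ on an NTFS
# volume; the demo works in a scratch directory under $env:TEMP so nothing on C:\ is touched.
$ErrorActionPreference = 'Stop'

function Read-AdsBytes {
    # Read a stream as raw bytes (the primary stream when -Stream is omitted).
    # PowerShell 7 renamed "-Encoding Byte" to "-AsByteStream", so pick by version.
    param([string]$Path, [string]$Stream = '', [int]$First = 0)
    $opts = @{ LiteralPath = $Path; ReadCount = 0 }
    if ($Stream)      { $opts.Stream = $Stream }
    if ($First -gt 0) { $opts.TotalCount = $First }
    if ($PSVersionTable.PSVersion.Major -ge 6) { $data = Get-Content @opts -AsByteStream }
    else                                        { $data = Get-Content @opts -Encoding Byte }
    return ,([byte[]]$data)      # leading comma keeps the array from being unrolled
}

function Write-AdsBytes {
    # Write bytes to a stream (to the file itself when -Stream is omitted).
    param([string]$Path, [byte[]]$Bytes, [string]$Stream = '')
    $opts = @{ LiteralPath = $Path; Value = $Bytes }
    if ($Stream) { $opts.Stream = $Stream }
    if ($PSVersionTable.PSVersion.Major -ge 6) { Set-Content @opts -AsByteStream }
    else                                        { Set-Content @opts -Encoding Byte }
}

function Find-Ads {
    # Section (4): walk a tree and list every named stream. ':$DATA' is the unnamed
    # primary stream that DIR already shows. Zone.Identifier is the "mark of the web"
    # browsers put on downloads (Unblock-File removes it); a stream starting with 'MZ'
    # holds an executable. The Kind labels are this example's own triage rule.
    param([Parameter(Mandatory)][string]$Root, [string[]]$Benign = @('Zone.Identifier'))
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            $head = try { @(Read-AdsBytes -Path $_.FileName -Stream $_.Stream -First 2) } catch { @() }
            $kind = if ($Benign -contains $_.Stream) { 'benign' }
                    elseif ($head.Count -ge 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A) { 'executable' }
                    else { 'other' }
            [pscustomobject]@{ File = $_.FileName; Stream = $_.Stream; Bytes = $_.Length; Kind = $kind }
        }
}

function Invoke-AdsDemo {
    $dir    = Join-Path $env:TEMP 'ads-demo'
    $target = Join-Path $dir 'test.txt'
    New-Item -ItemType Directory -Path $dir -Force | Out-Null

    # (1) Hide: the article's two ECHO commands.
    Set-Content -LiteralPath $target -Value 'This is the test target'
    $before = (Get-Item -LiteralPath $target).LastWriteTime
    Start-Sleep -Milliseconds 50                       # make the timestamp change visible
    Set-Content -LiteralPath $target -Stream 'hidden.txt' -Value 'This data is hidden'

    # Constructed stand-ins for WallPaper_1.jpg and Virus.exe: a JPEG start-of-image
    # marker and an 'MZ' header. Nothing here is a real image or program.
    Write-AdsBytes -Path $target -Stream 'Wall.jpg'    -Bytes ([byte[]](0xFF, 0xD8, 0xFF, 0xE0))
    Write-AdsBytes -Path $target -Stream 'MyVirus.exe' -Bytes ([byte[]](0x4D, 0x5A, 0x90, 0x00))

    $f = Get-Item -LiteralPath $target
    Write-Host "DIR-style length   : $($f.Length) bytes (primary stream only)"
    Write-Host "LastWriteTime moved: $($f.LastWriteTime -gt $before)"
    Get-Content -LiteralPath $target -Stream 'hidden.txt' | Out-Host    # read in place

    # (4) Detect: the scanner sees all three streams and flags the fake executable.
    Find-Ads -Root $dir | Format-Table -AutoSize | Out-Host

    # (3) Recover: copy a stream's bytes into a stand-alone file (replaces the UnxUtils cat).
    $recovered = Join-Path $dir 'Recovered.jpg'
    Write-AdsBytes -Path $recovered -Bytes (Read-AdsBytes -Path $target -Stream 'Wall.jpg')
    Write-Host "Recovered.jpg bytes: $((Get-Item -LiteralPath $recovered).Length)"

    # (2) Remove: delete the streams in place. Unlike the REN/TYPE/DEL copy in the article
    # this keeps the file's ACL and attributes, and you choose which streams go.
    Remove-Item -LiteralPath $target -Stream 'hidden.txt', 'Wall.jpg', 'MyVirus.exe'
    Get-Item -LiteralPath $target -Stream * | Format-Table Stream, Length -AutoSize | Out-Host
}

Invoke-AdsDemo
```

Run it from an elevated or normal PowerShell prompt on an NTFS drive; the Find-Ads table shows hidden.txt as "other", MyVirus.exe as "executable" and Wall.jpg as "other", while the file's own Length stays at the primary stream's size throughout. Find-Ads on its own (for example against the Downloads folder, filtering out Kind 'benign') is the detection step of section (4) without the demo scaffolding.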

mayjune 27Jun2009 14:06

Re: Hide Data WITHOUT Steganography
 
Great job Saswat, although I'll have to work on it to really understand the depth of it, but I didn't get one thing: how is the size still the same no matter what the code to be hidden is???? How does it do that??
PS - one point: do consider some newbies; when you mentioned "without steganography", tell them what steganography is... else, more than your article, their minds will be filled with what steganography is...
else it was :2thumbsup

SaswatPadhi 27Jun2009 17:57

Re: Hide Data WITHOUT Steganography
 
Thanx for the feedback, mayjune :)

>> how is the size still the same no matter what the code to be hidden is???? how does it do that??
The data still resides on your hard disk, but the file size is unaffected because it shows the size of the primary data stream and not of the alternate data streams.

And, I'll try to add "Steganography" definition to the article.

shabbir 27Jun2009 18:06

Re: Hide Data WITHOUT Steganography
 
PM Me the definition as no one can edit the articles once posted.

nimesh 28Jun2009 22:29

Re: Hide Data WITHOUT Steganography
 
Nice Article Saswat.

I came to know about this vulnerability of ADS through Trend Micro's HiJackThis tool, but didn't know how to use it :)

Thanks.

mayjune 28Jun2009 23:01

Re: Hide Data WITHOUT Steganography
 
questions..

Quote:

Did you note that the DOS commands DIR and TYPE do not detect the hidden data, but notepad did !
Nope, it did not detect it; it said the file did not exist??? (using Vista)

The download link does not work; give an alternative....

How do I recover a pic file???

SaswatPadhi 29Jun2009 05:57

Re: Hide Data WITHOUT Steganography
 
Answers:

(1) Vista does detect the file. You can also use "DIR /R" command in vista to show Alternate Data Streams (it's not supported in XP).
Did you create the file before opening in notepad ?? I mean did you do something like "ECHO Hidden Text>Test.txt:Hidden" before "notepad Test.txt:Hidden" ?? If not, then no ADS is present with Test.txt, so notepad won't find any ADS.

(2) New-link : http://sourceforge.net/projects/unxutils. (Will update the article)

shabbir 29Jun2009 09:03

Re: Hide Data WITHOUT Steganography
 
Link Updated.

mayjune 29Jun2009 10:20

Re: Hide Data WITHOUT Steganography
 
Quote:

(1) You can also use "DIR /R" command in vista to show Alternate Data Streams (it's not supported in XP).
nope it does not show any ads...

C:\>dir \R
Volume in drive C has no label.
Volume Serial Number is 8C19-481A

Directory of C:\

File Not Found

ok ok it showed...i used \ instead of /R... :p

17 test:hidden.txt:$DATA
28-06-2009 22:58 17 test.txt
26 test.txt:hidden:$DATA

Quote:

Did you create the file before opening in notepad ??
Yes, I did create the file before I tried opening it in Notepad... I followed the steps you gave for test.txt

NOTE THIS

C:\>notepad test:hidden.txt
(THIS shows my hidden text)

C:\>notepad test.txt:hidden.txt
(THIS doesn't work, says the file doesn't exist..????)

(2) New-link : http://sourceforge.net/projects/unxutils. (Will update the article)
Downloading, will update you on that..

mayjune 29Jun2009 10:37

Re: Hide Data WITHOUT Steganography
 
One more point: I just added more text to hidden.txt
using
C:\>notepad test:hidden.txt
(added more text)
C:\>dir test.txt
Volume in drive C has no label.
Volume Serial Number is 8C19-481A

Directory of C:\

28-06-2009 22:58 17 test.txt
1 File(s) 17 bytes
0 Dir(s) 33,659,916,288 bytes free
^My date and time didn't change???? How come? It should have. I checked, the text was added in hidden.txt

SaswatPadhi 29Jun2009 17:59

Re: Hide Data WITHOUT Steganography
 
Quote:

Originally Posted by mayjune (Post 50696)
OK OK, it showed... I used \ instead of /R... :p

17 test:hidden.txt:$DATA
28-06-2009 22:58 17 test.txt
26 test.txt:hidden:$DATA

Yes, I did create the file before I tried opening it in Notepad... I followed the steps you gave for test.txt

NOTE THIS

C:\>notepad test:hidden.txt
(THIS shows my hidden text)

C:\>notepad test.txt:hidden.txt
(THIS doesn't work, says the file doesn't exist..????)

LOL :rofl: Look at what your drive contains:

17 test:hidden.txt:$DATA
28-06-2009 22:58 17 test.txt
26 test.txt:hidden:$DATA

So, you have created an ADS named "hidden.txt" in the file "test" (without the ".txt" extension) and you have also created an ADS named "hidden" (without the ".txt" extension) in the file "test.txt". That means you can use either:

(1) notepad test.txt:hidden or
(2) notepad test:hidden.txt

And not :

(1) notepad test.txt:hidden.txt or
(2) notepad test:hidden

Quote:

Originally Posted by mayjune (Post 50698)
One more point: I just added more text to hidden.txt
using
C:\>notepad test:hidden.txt
(added more text)
C:\>dir test.txt
Volume in drive C has no label.
Volume Serial Number is 8C19-481A

Directory of C:\

28-06-2009 22:58 17 test.txt
1 File(s) 17 bytes
0 Dir(s) 33,659,916,288 bytes free
^My date and time didn't change???? How come? It should have. I checked, the text was added in hidden.txt

The reason is mentioned in the first part of this reply.
When you added more text to "hidden.txt", you added it to the ADS "hidden.txt" attached to "test", not "test.txt". So the time stamp of "test" changed and not that of "test.txt".
Try modifying "hidden" and not "hidden.txt", like this:

notepad test.txt:hidden

You will see that the time stamp of test.txt changes.

You probably messed up the extensions while creating the file or the ADS. Delete both and start again, as mentioned in the article.

mayjune 29Jun2009 22:13

Re: Hide Data WITHOUT Steganography
 
What's in an (extension) name????
Everything!!! :p
LOL.... it worked the way it should have; the time changed and the other things...

PS -
1) What are the systems it will not work on?
2)
I made a new file t.txt:h.txt and checked it worked. It had a hidden file.
I sent it to myself on Gmail. Downloaded it, and tried it on that; it didn't work...?
Is it because the system where it went at the other end didn't support it? Or am I doing something wrong..?

mayjune 30Jun2009 00:02

Re: Hide Data WITHOUT Steganography
 
The LADS link is not working...

And after downloading the *nix zip, what do I do...?

SaswatPadhi 30Jun2009 00:24

Re: Hide Data WITHOUT Steganography
 
Quote:

Originally Posted by mayjune (Post 50724)
1) What are the systems it will not work on?

As mentioned in the article, it won't work on an FS which does not support ADS, e.g. FAT32 and FAT16. But it works fine if the source and destination file systems both support ADS, e.g. transferring from NTFS to Mac HFS is fine.

Quote:

Originally Posted by mayjune (Post 50724)
2) I made a new file t.txt:h.txt and checked it worked. It had a hidden file. I sent it to myself on Gmail. Downloaded it, and tried it on that; it didn't work...?
Is it because the system where it went at the other end didn't support it? Or am I doing something wrong..?

Nothing wrong; maybe Gmail uses an FS that does not support ADS. So, when your file was stored in Gmail, all alternate data streams were lost. So, when you downloaded the file and tested it, it had no ADS!

Quote:

Originally Posted by mayjune (Post 50726)
LADS link is not working...

Sorry, I provided an old link. New link = http://www.heysoft.de/en/software/lads.php.
Thanx for the report, I'll request shabbir to update article.

Quote:

Originally Posted by mayjune (Post 50726)
after downloading the *nix zip, what do i do...?

Extract all the "*.exe" from "usr\local\wbin" folder inside the zip file to your %WINDIR%\system32 folder.
Then you can directly use the *nix utilities from command prompt. :)

mayjune 30Jun2009 00:52

Re: Hide Data WITHOUT Steganography
 
Quote:

Extract all the "*.exe" from "usr\local\wbin" folder inside the zip file
There is no folder like that: no usr, no local, nor wbin????

SaswatPadhi 30Jun2009 07:35

Re: Hide Data WITHOUT Steganography
 
You downloaded the UnxUtils.zip file, right?? (The binary file, not the source!)
Then inside the zip there are two folders: bin and usr.
The executables are at: usr->local->wbin

mayjune 1Jul2009 22:45

Re: Hide Data WITHOUT Steganography
 
OK, I got the binary file, not the source (which I did last time), extracted the exes from usr>local>wbin>
to C:\Windows\System32\
but yet the cat command is not recognized...?
What could be wrong? I checked, cat is there....

SaswatPadhi 1Jul2009 23:19

Re: Hide Data WITHOUT Steganography
 
Maybe something with the permissions; that's a really annoying feature in Vista. Allow full control to all the exes and see if they work.
Or maybe C:\Windows\System32 is not listed in your PATH environment variable, which is nearly impossible.

shabbir 2Jul2009 11:21

Re: Hide Data WITHOUT Steganography
 
Nomination for article of the month - Jun 2009 Started. Nominate this article for Article of the month - Jun 2009

shabbir 15Jul2009 23:21

Re: Hide Data WITHOUT Steganography
 
Start voting for this article for Article of the month - June 2009

mayjune 22Aug2009 00:04

Re: Hide Data WITHOUT Steganography
 
more detailed info about this

