# NTFS Stream Manipulation

## NTFS (New Technology File System)

![](https://2575763014-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MNC3KGY9k0nvrU_5PW6%2F-MO1V-EXiH6cJ946sbyz%2F-MO1We-009HtLeL01BSM%2Fimage.png?alt=media\&token=90a6b922-8d22-41cb-bbcd-906ee8253853)

**NTFS** is a proprietary Microsoft file system that was introduced as a replacement for earlier file systems such as **FAT (File Allocation Table)** and **HPFS (High Performance File System)** and incorporates technical improvements over them. Among the advantages of **NTFS** are improved metadata support, better disk space management, performance enhancements, an improved security model and a file encryption system called **EFS (Encrypting File System)**.

Since **Windows NT 3.1** it has been the default file system of the **Windows NT** family, for example **Windows Server 2008**, **Windows 7** and **Windows 10**, to name a few. It is supported on both desktop and server operating systems. On **Linux** and **BSD** it is supported through the **NTFS-3G** driver, which offers read and write support; **macOS** offers read support.

## NTFS Alternate Data Streams

![](https://2575763014-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MNC3KGY9k0nvrU_5PW6%2F-MO-cs-UdVucE-p4sexu%2F-MO-nbhjaVcf5bEcx2cM%2Fimage.png?alt=media\&token=eba9ac05-d159-4e66-b393-f65b67442cd4)

To understand how the `NTFS Stream Manipulation` attack works, first we must know the basics of **`ADS`** (alternate data streams). ADS are a feature of the **`NTFS`** (NT File System) file system that allows more than one `stream` of data to be associated with the same file. Each file has its main content, known as the **`default stream`**, and can have one or more **`ADS`**.

These data **`streams`** use a particular naming format: **`fileName:streamName:streamType`**. For example, an **`ADS`** whose **`stream`** is called **`payload`** and is hosted inside a file called **`malicious.txt`** would look like this: **`malicious.txt:payload:$DATA`**. It is worth noting that ADS can exist on any type of file, including executables. The content of an ADS can be of any type and does not need to match the type of the file that contains it. For example, a **`JPG`** image file can contain **`streams`** holding video, audio, etc.

Another characteristic of **`ADS`** is that their size is not reported as part of the total size of the file that contains them, and they do not appear in widely used Windows applications such as **`Windows Explorer`**. A file containing one or more ADS also keeps working exactly as before. For these reasons, files with malicious ADS are quite common.

{% hint style="danger" %}
When **`copying or moving`** files that contain **ADS** to file systems that do not support **`Alternate Data Streams`**, the user receives a warning that the **`streams`** will be lost. However, this warning **`is not usually issued`** when files are attached to an **`email`** or uploaded to a **`website`**. In those cases all **ADS** information contained in the file will **be lost.**
{% endhint %}

## NTFS Stream Manipulation

The main idea behind the manipulation of `NTFS Data Streams` is to hide information inside another file, normally for malicious purposes. For example it allows an attacker to hide sensitive information collected from a system inside the user's own files without them noticing any change in their files. The attacker can then simply extract those apparently normal files from the target system taking with them all the relevant information stored in the **ADS**.

### Let's see the basic use of ADS using the Windows command console

In this part of the lab we will see how we can create a text file and then add **Alternate Data Streams** with information only visible to **NTFS**.

To begin, we open the **Windows (cmd)** console and create our first file, in this case a text file. For this we use the command **`echo`**, followed by the content of our file, and redirect everything to our file using the character **`>`** followed by the **`file name and extension`** we want to create. Let's see this in the console:

![](https://2575763014-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MNC3KGY9k0nvrU_5PW6%2F-MO1YOiFi3YD4s-E_Z5D%2F-MO1fH1Y-AhXWKP0_Od9%2Fimage.png?alt=media\&token=36df1843-2e08-4f44-acd4-0b1e61f7711a)

{% hint style="success" %}
**`echo`** *{content}* **`>`** *{file name}***.***{extension}*
{% endhint %}

As we can see in the image, the file is created correctly and has a size of **`36 bytes`**. We can use the command **`type`** to see its content:

<div align="center"><img src="https://2575763014-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MNC3KGY9k0nvrU_5PW6%2F-MO1YOiFi3YD4s-E_Z5D%2F-MO1fssHHR26DJSmR24v%2Fimage.png?alt=media&#x26;token=33eb95df-00d2-44ca-b331-aabfb7ba6e95" alt=""></div>

Now, using the command **`echo`** again as we did in step 1, we add the first **`Alternate Data Stream`** to our file. The only difference is that in this case we must indicate the name of the **`stream`**. Let's see this in the console:

![](https://2575763014-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MNC3KGY9k0nvrU_5PW6%2F-MO1g338oGexZ4YmT3FK%2F-MO1h4aNfnRYmCZ7sFqq%2Fimage.png?alt=media\&token=bfc34556-efd7-4e40-a7b7-cb9fd9bed8a3)

As we can see, the **`stream`** seems to have been added without error and our file still reports the same size of **`36 bytes`**. We also see that nowhere is it reported that there is an **`ADS`** in the file. This is precisely what makes ADS a good option for hiding information without the user noticing.

Let's add a second ADS and see how we can obtain information from them in the console:

![](https://2575763014-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MNC3KGY9k0nvrU_5PW6%2F-MO1g338oGexZ4YmT3FK%2F-MO1i8zxXuoJKfXxD0yQ%2Fimage.png?alt=media\&token=49ddd87e-0f9f-45d3-bbcc-fb14762ccd9e)

To see the additional data streams that a file may contain, we use the command **`dir /r`**, which lists files including their **`ADS`**. As we can see in the previous image, the reported size of the file remains the same **`36 bytes`** even though it contains two **`ADS`** of 23 bytes each. If we pay attention to the available disk space after creating the file and after each creation of an **`ADS`**, we can observe that **NTFS** does correctly keep track of how much space is actually being used. If we open the file with Notepad we see that only the data of the **`default stream`** are presented:

![](https://2575763014-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MNC3KGY9k0nvrU_5PW6%2F-MO1jFkVBpk2PiZxfOPe%2F-MO1l2Mx5u2_mkTRxf38%2Fimage.png?alt=media\&token=de120931-38e9-46da-accb-1aa338641266)

If we want to edit or view the content of each ADS, we must invoke it directly as follows:

![](https://2575763014-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MNC3KGY9k0nvrU_5PW6%2F-MO1l5a8wMhlaTqClTaE%2F-MO1l_gtOUsTqixw6juD%2Fimage.png?alt=media\&token=3bcd98eb-975f-4f8a-aea1-bb9bbed272c3)

As we said before, the content of an ADS can be of any format, regardless of the file that contains it. It is worth noting that **Alternate Data Streams** can be added to **`directories`** in the same way as with **`files`**. Let's see this quickly in the console:

![](https://2575763014-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MNC3KGY9k0nvrU_5PW6%2F-MO1l5a8wMhlaTqClTaE%2F-MO1n9dNByccSrT10Crj%2Fimage.png?alt=media\&token=b0084f32-a1b6-41d2-bc04-9af008e80446)

As we can observe in the image, the folder **`DIRECTORY`** contains an **`ADS`** called **`ADS1`**.

### ADS with PowerShell

PowerShell includes certain commands (**cmdlets**) that make it easier to work with ADS. Let's see how we can list the ADS present in the file we have created in this lab:


![](https://2575763014-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MNC3KGY9k0nvrU_5PW6%2F-MO1o9JaxEprfi96ZSWq%2F-MO1q217J5GMlKmcqR-e%2Fimage.png?alt=media\&token=f3991cc9-3def-49c4-8bd4-4cb39d42a7ab)

In the case of **PowerShell**, the **`default stream`** is known as the **`unnamed stream`**, since it appears listed simply as **`:$DATA`**.

To view the content for example of the **`ADS2`**, we can use the command **`Get-Content`** as follows:

![](https://2575763014-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MNC3KGY9k0nvrU_5PW6%2F-MO1o9JaxEprfi96ZSWq%2F-MO1qznmuOkYqe8CzOZ6%2Fimage.png?alt=media\&token=95e79157-98f1-412c-8059-b8d66114ecff)

If we want to add content to an ADS we can do it with the command **`Set-Content`**. Let's see how we can add to a new text file an **ADS** called **`payload`** that contains an **`executable file`**, for example the classic **`Microsoft Paint`**. For that we use the following command:

{% hint style="info" %}
We can also make use of the **`cmdlet`** **`Add-Content`**.
{% endhint %}

```
Set-Content -path .\NTFS_ADS_DEMO.txt -value $(Get-Content $(Get-Command mspaint.exe).Path -readcount 0 -encoding byte) -encoding byte -stream payload.exe
```

In this command we explicitly indicate the **`encoding for the bytes`**, set the **`readcount to 0`** (to read the file in a single operation) and use the command **`Get-Command`** to quickly obtain the path of **`mspaint.exe`** without having to specify it manually. Then we simply indicate the name of the **`stream`** that we want to add using the switch **`-stream {streamName}`**.

![](https://2575763014-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MNC3KGY9k0nvrU_5PW6%2F-MO1o9JaxEprfi96ZSWq%2F-MO1t7M6qqrJ6HvgV98K%2Fimage.png?alt=media\&token=04b37ed4-a05f-4001-b916-3f11d9e92573)

As we can see in the image, our text file contains a new **ADS**. Let's see how we can **`execute`** that **ADS**, which we know contains an executable file. To achieve this we can use **`Windows Management Instrumentation`** to create a process that executes our **ADS**.

{% hint style="danger" %}
This method of executing files using **`wmic`** seems to have been patched in Windows in the version I have in the VMs, therefore when trying to execute it both in **`CMD`** and in **`PowerShell`** I get an error and the program does not run. In vulnerable versions of Windows, the program would be executed directly and in our case we would see **`mspaint.exe`** running. I will investigate a bit more about other ways to execute ADS in updated versions of Windows; if I find any I will update this article.
{% endhint %}

**Update:** After several attempts I managed to add the content of the Windows calculator **`calc.exe`** to our practice file and execute it correctly using **`wmic`**:

![](https://2575763014-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MNC3KGY9k0nvrU_5PW6%2F-MO1o9JaxEprfi96ZSWq%2F-MO2DJTzaJfzBvFf2imk%2Fimage.png?alt=media\&token=47c21349-cd93-445c-b21c-ef48691520e9)

As we see, when the command runs correctly it generates a new process which returns a **`ProcessId = 4344`** and a **`ReturnValue = 0`**, indicating that the process completed successfully. I do not understand why the initial attempt did not work; perhaps it is the **`mspaint.exe`** executable or some error that I am making and cannot see. If you notice the problem, let me know with a tweet to my account [@tzero86](https://twitter.com/Tzero86).

If we want to **delete** a particular **ADS** we can use the **cmdlet** **`Remove-Item`** as follows. For example, to remove our **ADS** called **`payload`**:

```
Remove-Item -Path .\NTFS_ADS_DEMO.txt -stream payload
```

![](https://2575763014-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MNC3KGY9k0nvrU_5PW6%2F-MO1o9JaxEprfi96ZSWq%2F-MO1wvZ44H9ru9eIKOHQ%2Fimage.png?alt=media\&token=ff9e60b2-ce54-4b08-b12a-fa88af5c1b15)

As we can see, our file now contains only two additional **ADS**. This concludes our short practice with **NTFS Stream Manipulation**.
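As an added example that is not part of the original lab, the following PowerShell script pulls together what we saw above: it lists the named streams of every file under a folder, compares the size Explorer and `dir` report (the default stream only) with the bytes hidden in ADS, and flags streams that start with the `MZ` header of a Windows executable, as our `payload` stream did. The folder path is an assumption; the script also handles the fact that PowerShell 7 replaced `-Encoding Byte` with `-AsByteStream`.

```powershell
# Added example (not part of the original lab): scan a folder for files that
# carry named Alternate Data Streams, compare the size Explorer shows with the
# bytes hidden in ADS, and flag streams that begin with the "MZ" header of a
# Windows executable. The path is an assumption; point it at the lab folder.
param(
    [string]$Path = '.'   # folder to scan (assumption: the lab directory)
)

# Read the first $Count bytes of a stream on either Windows PowerShell 5.1
# (-Encoding Byte) or PowerShell 7+ (-AsByteStream, which replaced it).
function Read-StreamHead {
    param([string]$File, [string]$Stream, [int]$Count = 2)
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        return Get-Content -LiteralPath $File -Stream $Stream -AsByteStream -TotalCount $Count
    }
    return Get-Content -LiteralPath $File -Stream $Stream -Encoding Byte -TotalCount $Count
}

Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object {
    $file = $_
    # Get-Item -Stream * lists every stream; ':$DATA' is the unnamed default
    # stream, whose length is the only size Explorer and 'dir' report.
    # Note: 'Zone.Identifier' is a legitimate ADS browsers add to downloads.
    $named = Get-Item -LiteralPath $file.FullName -Stream * |
        Where-Object { $_.Stream -ne ':$DATA' }
    if (-not $named) { return }

    $hidden = ($named | Measure-Object -Property Length -Sum).Sum
    foreach ($s in $named) {
        $head = @(Read-StreamHead -File $file.FullName -Stream $s.Stream)
        # 0x4D 0x5A = "MZ", the DOS header every PE executable starts with
        $isPE = ($head.Count -ge 2) -and ($head[0] -eq 0x4D) -and ($head[1] -eq 0x5A)
        [pscustomobject]@{
            File          = $file.FullName
            ReportedBytes = $file.Length      # default stream only
            HiddenBytes   = $hidden           # sum of all named streams
            Stream        = $s.Stream
            StreamBytes   = $s.Length
            LooksLikePE   = $isPE
        }
    }
} | Format-Table -AutoSize
```

Run it against the folder holding `NTFS_ADS_DEMO.txt` after the `Set-Content` step and the `payload` stream shows `LooksLikePE = True` while `ReportedBytes` still equals the size of the text alone.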

{% hint style="info" %}
These labs are subject to modifications and corrections; the most up-to-date version is available online at [the following link](https://tzero86.gitbook.io/tzero86/).
{% endhint %}
