Author Topic: Hiding websites on IIS with Alternate Streams  (Read 2696 times)

iago
Hiding websites on IIS with Alternate Streams
« on: August 09, 2005, 10:24:18 am »
I made a post here about Hiding Files in NTFS with Alternate Streams a long time ago, but here's a way you can use the Alternate Streams to hide an entire website:

Quote
** Inge Henriksen Security Advisory http://ingehenriksen.blogspot.com/ **

Creating a secret web site on IIS 5.x using Alternative Data Streams
--------------------------------------------------------------------

Using a little known feature of the Windows NT file system (NTFS) one can create a secret website, this website can not be detected without third party tools made specifically for it.

Confirmed Applications
Microsoft® Internet Information Server® V5.x and probably earlier versions.

Confirmed Platforms
Should work with all NT based Windows as long as the file system is NTFS and not FAT. Does not work on Vista Beta 1 with IIS 6.

Technical Description
An NTFS file can contain a number of alternative data streams that bypass the regular directory listing, the data in the alternative data does not even count when the number of free bytes left on the disk is calculated.

Proof of Concept
Start a console on the NT system in question and change directory to the web root (usually c:\inetpub\wwwroot\)
In the example we will use the help.gif file that is already in the directory, you can use any file though.  Type "dir" and take notice of the number of free bytes left on the disk
Type "echo This is a hidden data stream > help.gif:hidden", we have now created a hidden data stream called "hidden", the name of the stream can be anything if you just avoid some special characters
Type "dir" again, notice that even though we added data to the file in an alternative data stream the free bytes left on the disk is left unchanged
Open your web browser and type in "http://localhost/help.gif" and you should see the little icon just as it was before we added the alternative data stream
Now, type in "http://localhost/help.gif:hidden" and you will see the data in the alternative data stream "hidden", e.g. the text "This is a hidden data stream". In the example I have used text as data, but one could easily use binary data too.
If you want to read alternative data streams from the console, in our example you would use "more < help.gif:hidden"

If the Virtual Folder in question allows for execution, then we can also hide an executable file in help.gif and remotely execute it later:

Type "type c:\WINDOWS\NOTEPAD.EXE > help.gif:notepad.exe"
Open a web browser from a remote computer and type in "http://myremoteserver/help.gif:notepad.exe", the browser hangs as the executable does not end
Go back to your web server and open task manager and select to see processes from all users on the process tab, you will see a process called "help.gif:notepad.exe" running. In this manner one could hide a trojan or backdoor inside any file as long as it resides in a Virtual Folder that allows for execution.


Links
http://lists.gpick.com/pages/NTFS_Alternate_Data_Streams.htm
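
For defenders, the requests in the proof of concept above stand out in the web server's own logs, because the requested path names a stream after a colon. The following is an added example, not part of the thread or the quoted advisory; it assumes W3C extended logging with a `cs-uri-stem` field, and the sample log lines are constructed:

```python
from urllib.parse import unquote

# Constructed sample in W3C extended log format (not from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2005-08-09 10:24:18 192.0.2.10 GET /help.gif - 200
2005-08-09 10:24:31 192.0.2.10 GET /help.gif:hidden - 200
2005-08-09 10:25:02 198.51.100.7 GET /help.gif%3Anotepad.exe - 200
2005-08-09 10:25:40 198.51.100.7 GET /default.asp id=a:b 200
2005-08-09 10:26:11 203.0.113.5 GET
"""


def find_stream_requests(log_text):
    """Return (client, file, stream, status) for requests that name an NTFS stream."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column layout can change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue                       # directive, blank line, or no layout yet
        values = line.split()
        if len(values) != len(fields):
            continue                       # truncated or malformed record
        row = dict(zip(fields, values))
        # Only the path matters; a colon in the query string is ordinary.
        stem = unquote(row.get("cs-uri-stem", ""))
        leaf = stem.rsplit("/", 1)[-1]
        if ":" not in leaf:
            continue
        name, _, stream = leaf.partition(":")
        hits.append((row.get("c-ip", "-"), name, stream, row.get("sc-status", "-")))
    return hits


if __name__ == "__main__":
    for client, name, stream, status in find_stream_requests(SAMPLE_LOG):
        print(f"{client} requested stream {stream!r} of {name!r} -> {status}")
```

A hit with a 200 status means the server actually returned stream content, so the named file in the web root is worth inspecting on disk.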

GameSnake
Re: Hiding websites on IIS with Alternate Streams
« Reply #1 on: August 09, 2005, 01:51:04 pm »
That seemed too easy.
What are the practical uses for this? I wonder if you could hide virtual-folder hosted files under a Windows Server machine and cloak various malicious files with other ones?

One thing I'm not sure on is how does it use alternate data when no bytes are changed, it literally makes text alternate readable bytes? Isn't there a more practical use for this?

iago
Re: Hiding websites on IIS with Alternate Streams
« Reply #2 on: August 09, 2005, 04:25:08 pm »
To answer your question on the mechanics, it's a little complicated.  The NTFS file system lets you associate "meta-data" with the files, which includes things like thumbnails for pictures and where it was downloaded from on downloaded files.  You can technically put anything in the "meta-data" field for a file, then access it with filename:metadataname.  I hadn't thought of doing that on a website, however.  I'll think about it and get back to you.

Newby
Re: Hiding websites on IIS with Alternate Streams
« Reply #3 on: August 09, 2005, 04:36:45 pm »
That's.... sad.