NTFS Alternate Data Streams

Presented at DEF CON 9 (2001), July 15, 2001, 2 p.m. (50 minutes).

Windows NT (WNT) and Windows 2000 (W2K) have powerful graphical user interfaces that make the job of assessing and improving the security posture of these operating systems considerably easier. Changing the bad-logon limit, for example, is relatively easy to both understand and do in both of these Windows operating systems. Providing adequate security does not, however, always involve working with mainstream features of applications, operating systems, and networks. Alternate data streams (ADSs) are an example. This little-known feature of the NT File System (NTFS) in WNT 4.0 and W2K (RICH98) has existed since the advent of NTFS in the first WNT release, WNT 3.1. Although the vast majority of WNT users and administrators are unaware of it, it provides a potentially very powerful attack mechanism for malicious individuals intent on compromising and exploiting WNT and W2K systems.

What is an ADS? How can ADSs be created and how can executables be run in them? How can they be misused (e.g., by having malicious executables run in them)? How can they be found? This paper addresses these and other related issues concerning ADSs and security considerations.
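As an added illustration of the "how can they be found" question (this is not material from the talk), the following PowerShell creates a benign test file carrying one alternate stream, then enumerates streams the way a defender would when sweeping a directory tree. The file name, stream name and `Find-AlternateStreams` helper are assumptions made for this example.

```powershell
# Added example (not from the talk): create a benign test file with an alternate
# data stream, then enumerate and inspect streams the way a defender would.
$path = Join-Path $env:TEMP 'ads-demo.txt'                        # constructed demo file
Set-Content -Path $path -Value 'visible content'                   # the unnamed ::$DATA stream
Set-Content -Path $path -Stream 'hidden' -Value 'stream content'   # constructed ADS named "hidden"

# Explorer and a plain directory listing report only the main stream's size;
# the streams have to be requested explicitly.
Get-Item -Path $path -Stream * |
    Select-Object FileName, Stream, Length

# Read back the alternate stream's contents.
Get-Content -Path $path -Stream 'hidden'

# Sweep a directory tree for files carrying any stream other than the default one.
# Zone.Identifier is the common, benign "downloaded from the Internet" marker and
# is filtered out so that unexpected streams stand out.
function Find-AlternateStreams {
    param([string]$Root)
    Get-ChildItem -Path $Root -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue } |
        Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
        Select-Object FileName, Stream, Length
}

Find-AlternateStreams -Root $env:TEMP

# Remove the demo stream and then the file itself.
Remove-Item -Path $path -Stream 'hidden'
Remove-Item -Path $path
```

The `-Stream` parameter on the file cmdlets exists from PowerShell 3.0 onward and only applies to NTFS volumes; on FAT or exFAT media the stream operations fail because the file system has no concept of named streams.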
