So for those of you who don't recognize me, my name is Grifter. I've spoken several times at DEF CON before. I didn't steal this shirt, I'm a goon, and I run several of the contests here at DEF CON. And my name is Tiara; maybe a number of you know me from the Scavenger Hunt. I've been running that for the past three years here at DEF CON.

Alright, I guess we'll get started. Basically, I know the thing in the program is kind of vague. Project Prometheus is the tentative name for a tool that we started working on a couple of months ago, and then we were absolutely flooded with things to do for this con, among other cons and things like that. So we decided that we couldn't get the work done to release the tool at DEF CON, so we would do a talk at DEF CON and see if there was any community interest, whether we were wasting our time or whether people thought it was kind of cool.

So I guess I will start with: how many people know what alternate data streams are? Alright, cool. That will help. There's a large number of you. For those that don't know, NTFS, the file system for the Windows server-like operating systems (2000, XP, NT, yadadadada), has support for HFS, or Hierarchical... How do you say that? "HFS." There you go. Which is to support the Apple file format. It's always had support for this format, and basically it's because Apple doesn't have a three-dot extension on its files. It just keeps that information in a stream or a fork. There are two forks, the data fork and the resource fork. And it just knows that the file is an executable, it's a text file, things like that, and associates it with the proper program. So Windows, or Microsoft I should say, decided that it would be a good idea to have support for this file system, and in doing so made it possible to create alternate data streams. An alternate data stream is basically just somewhere to hold little bits of information about the file. It's where some of the comments or summary information is stored.

The thing that is fun about alternate data streams, or makes them fun to nerds like us, is that the file size does not change in the file that hosts that stream. So if you take a 1k or even 7-byte file and decide to chuck 100, 200 gigs' worth of files into a stream on that file, it always looks like it's that 7-byte or 1k file or whatever. So I guess the whole idea behind that was just having support between HFS and NTFS so that you could transfer all that file information from Macintosh computers and still keep it when you transfer it back, so that the Macintosh knows what that file is and how to open it. And that's just such a small amount of information that I guess they didn't want to add in the support to show those file sizes. Yeah, those crazy Mac cores.

So I guess I will do a short demonstration on what it takes currently to create alternate data streams, attaching them to files and other good stuff. Yeah, look at him for a minute. Pay no attention to the porn directory. Okay, I'm going to set down the microphone for a second. You think you could kind of narrate what I'm doing? Or I can just go like this. Hello. Now, I actually haven't seen this demo in progress, so I'm going to just watch him as he does it. Alright. Just make stuff up.

Now, the odd part about alternate data streams is, you may know that you can attach them to files, but you can also attach alternate data streams to individual folders and also the root hard drive directory. If you attach alternate data streams to, say, the root directory, just straight to C:, you're not going to be able to delete them. You can clear them out, but they cannot be deleted.

So for anyone who wasn't looking at him and was actually watching the screen, because you like to watch people type: I just created the host file. This is the text file, and then, as you can see, listing the directory shows that the file is 25 bytes. So I shall continue.

Now, for those of you that don't know the kind of syntax that alternate data streams use: you've just got the file name, a colon, and then the stream name. And this is only going to work in NTFS, obviously not in FAT32. So as you can see, I added something into a stream. It still says it's 25 bytes, and just to show you that there is indeed data in that stream, we will pull up Notepad and you will be wowed and amazed by the fabulous world of alternate data streams. Ta-da! So anyway, there is the stream.

So obviously it's not very nefarious to just put text into a file. I guess if you're writing your memoirs or something and you don't want other people to read them, you could type them into Notepad and hide them in an alternate data stream and no one would know they're there. What makes alternate data streams a little fun is this. There you go, that didn't help much. There we go, perfect, perfect. Thanks, dude. Alright! Look at me, master window! Thank you! That's the talk.

So if you can't tell, it's really currently just a big pain in the ass to create and use alternate data streams, as he's just sitting here in a command line interface. It really does suck. So you can see that the calc program is 114k or something thereabouts. Now, again, I set the mic down. Currently this is actually the only way to copy files back and forth between alternate data streams and actual files. Now, the goal of Project Prometheus is to eventually be able to do all that from a graphical user interface, to make it easier to do all this without the command line. So there you go. I just inserted the calc program into host.txt, and as you can see, it still says that it is 25 bytes. Now you can see where it shows how much space is free. That does change. Only after Windows XP Service Pack 1 did they start recognizing the fact that they were not showing that the data inside of streams was taking up space on the hard drive.

So if you use something like Windows 2000 and, let's say, you have a 100-gig hard drive and you have two gigs of data on there but you put 98 gigs' worth of stuff into an alternate data stream, it would just tell you that your drive is full. You'd look at it and it would say it has two gigs, but your drive is full. So you can imagine what a pain in the ass that would be as an administrator, wondering why the drive is full, and it's because someone has all kinds of files stored in streams that you can't see. Or, if you wanted to be more malicious, storing a virus or something that just ate up space on the hard drive until it was full.

Now what it's showing here is that you can actually execute files straight from alternate data streams using the start command, and you just run calculator straight from the alternate data stream. Amazing. So you can see that these are fun. You can put all kinds of things in there. You can also run these from the Run key in the HKEY_LOCAL_MACHINE hive, so if you wanted to have something pop up on startup, you can go nuts with that. Again, if you think on the black hat side of things, then you can do some seriously damaging things, if not, you know, fun things, with alternate data streams.

If I'm not mistaken, correct me if I'm wrong, are there only two viruses that used... virus, worm, are they interchangeable now? I've only heard of two viruses that actually use alternate data streams, which is why I was so surprised that so many of you have heard about alternate data streams. The only one I can think of off the top of my head is W2K.Stream. I believe 29A was the creator of that virus. For those who don't know who 29A is, they are the leading virus writers in the world, I guess, if that's like your thing. So there you go.

You can see what a pain in the ass that was, to insert a file into a text file, things like that, but it does have some data hiding potential, being that currently Windows itself does not have support to detect alternate data streams within its own file system. They created and put the support there for alternate data streams and then didn't allow you to find them. So that's part of what we're trying to take care of as well. There are tools out there; go ahead and tell them. Do you want to pull up the screen? Do I want to pull up the screen? Oh, am I pulling up slides now? Awesome. Oh, actually I wanted to do another thing. Here, let me bust... Okay, we'll get to the tools in a minute here. Did I close that? No, there it is. See right here? Now it's showing that it's running in a stream. Again, before Windows XP Service Pack 1 that does not show up; it would just show... For those that can't read that, it's showing a process as host.txt colon calc. And then, yeah, what's up? What's that? Did they? Right. I think they did fix that in Windows 2K. Yeah, and again, being a patch, we all know about patch management, and how many systems do you think actually took care of that? Probably all of yours, but not many people like across the street.

So, oh yeah, by the way, if you have a question, seriously, just yell out, because the whole point of this is to kind of get feedback from you guys. If you have ideas on what features you think should be in there, or if we're completely and utterly talking out of our asses, let us know. Yeah, and that's exactly what he said, though. I don't think everybody heard him. He was just saying how IIS had been the only one to support writing to alternate data streams and actually made use of alternate data streams, I think was what you were getting at.
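An added example, not from the talk (which predates it): on current Windows, PowerShell's FileSystem provider exposes the same file:stream naming the speakers type at the command line, so an administrator can find, read and remove individual streams under a directory without the copy-to-FAT workaround discussed later. It assumes Windows PowerShell 3.0 or later on an NTFS volume; the host file and stream names are constructed for the demo.

```powershell
# Added example (not from the talk): enumerate, inspect and remove individual
# alternate data streams with PowerShell's FileSystem provider.
# Assumes Windows PowerShell 3.0 or later on an NTFS volume.

# Constructed sample data: a 25-byte host file with two named streams,
# mirroring the host.txt demo from the talk.
$dir = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$hostFile = Join-Path $dir 'host.txt'
[IO.File]::WriteAllText($hostFile, 'Pay no attention to me!!!')   # 25 bytes, no newline

# -Stream is the provider's way of spelling host.txt:memoirs
Set-Content -Path $hostFile -Stream 'memoirs' -Value 'hidden text nobody sees in Explorer'
Set-Content -Path $hostFile -Stream 'notes'   -Value 'a second stream on the same host file'

# Explorer and a plain 'dir' still report 25 bytes; the provider exposes the rest.
# ':$DATA' is the ordinary unnamed data stream, so it is filtered out.
function Get-AdsReport {
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -File |
        Get-Item -Stream * |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}
Get-AdsReport -Path $dir | Format-Table -AutoSize

# Read one stream back, the same thing the Notepad demo showed.
Get-Content -Path $hostFile -Stream 'memoirs'

# Remove a single stream in place: no copy to FAT, no deleting the host file.
Remove-Item -Path $hostFile -Stream 'notes'
Get-AdsReport -Path $dir | Format-Table -AutoSize   # only 'memoirs' remains

# Files downloaded through Internet Explorer (XP SP2 onward, as an audience
# member raises later) carry a Zone.Identifier stream; Unblock-File deletes
# just that stream and leaves the host file untouched.
```

Run from an elevated prompt only if the tree you scan contains files your account cannot read; the report otherwise silently skips streams on files you lack access to.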
Okay, he's saying that IIS actually had support, unintentional support, yeah, unintentional support, for... actually, you'd have your regular website, and then if you attached the alternate data stream to your URL you had a separate website, kind of a hidden website. And IIS, I was going to get around to that too, because it's the first, or it's the only, actual Windows program that I've heard of that actually makes use of alternate data streams. And it was one of the few things that a lot of tool makers had issues with, because there are a lot of scanning tools that have to go through there and look for alternate data streams for viruses and whatnot, and they had to skip over the IIS stuff if you had it on there. Let's go ahead and... back there. No, there isn't, actually. How does Windows do their summary? They have file statistics, I guess. If you right-click and you go to the properties of the file in Windows 2K and Windows XP, you have different values to describe the file in one of the tabs, and that actually attaches to an alternate data stream under some crazy hashed name that I don't think I've ever looked at enough to figure out how that works. I didn't hear what you said. You, really?

I don't think it supports alternate data streams. There's a lot of stuff out there that just doesn't touch alternate data streams. Obviously, it doesn't list alternate data streams in Explorer and you're not going to get file size statistics, and that's also one of the other goals of Project Prometheus, to give you that information. Are you saying attached to a file that does not exist? Do you want to find out? Alright, yeah. He's saying they are resource forks. Alternate data streams, in the same sense that they're used on Macintosh, are used the same in Windows. I'm going to get around to the tools, though, in a minute here, because I've got a number of tools that I've looked into for manipulating alternate data streams, and in the sense that we're creating another tool, I'd like to know what other tools are out there for use. I couldn't find anything that does quite what we want to do, which is why we started up this project. There you go, there's your answer: so it does. If you create just the stream, it creates the host file and then gives it zero bytes. Fabulous, so interactive. What are you saying, including the alternate data streams? Oh, I think I got what you're saying. It does exactly what we're looking at right here, but it'll just add up what we've got and it shows you what the... but it does not show you the streams. Like Explorer doesn't have it; it's the same support that we're looking at. Like, obviously, you know, we have some flaws and we're hoping to exploit them to make a pretty cool privacy tool. So, you want to continue on with what we're attempting to do?

Let me get into the first slide, what tools are out there, so that we have an idea of what we're looking at as far as what's currently out there for manipulating alternate data streams. First up, we of course have LADS, which is a simple command line interface, and it'll do a single folder: you can check on a single folder to see what kind of alternate data streams are in there. That was written by Fran Cade, I believe. That seems to be the most popular tool out there right now for scanning for alternate data streams, checking again to see if you have either of those two single viruses out there that use alternate data streams. Moving on, you have CrucialADS. It's another simple directory scan; directory and drive scan, it will scan the entire drive for alternate data streams. You have Sysinternals Streams version 1.5, and that's another single folder alternate data stream detection and also has support for deleting alternate data streams. And I just can't... sorry, I was cutting out, but you can't do that without actually copying the file to somewhere else, deleting the original, and then copying it back. So that's, you know, it's like in order to delete something that you put in there, you have to delete the host file, and you can put a ridiculous amount of streams into each host file, and if you just want to get rid of one you would have to get rid of them all. So yes, you actually have to delete the file; you have to copy the file. No, no, like, if you're moving the file back and forth between any NTFS system, let's say even across a network if you map a drive or something like that, and it's NTFS to NTFS, it will transfer that data stream across. So the only way to delete any of the streams that you have in there is to, you know, copy it over. If it was small enough you could put it on a floppy disk, because they're usually FAT formatted, and that's another way to delete the streams, if you copy it over to a FAT drive. But that is a little bit ridiculous to have to go through just for that, and again, losing... if you use a file to put multiple streams in and you just want to get rid of one, obviously it's not the hottest thing to use for any kind of file management.

So going on, moving on. I've heard of a program called File Scavenger, which is a restoration tool, a file restoration tool, restore all of your deleted files, that claims that it can even restore information in alternate data streams. I haven't looked into that one. Has anyone played with streams enough to have checked out some of these? Alright. You also have ScanADS; as implied, it scans for alternate data streams. You have NTObjectives' forensic toolkit, and that is, again, yet another alternate data stream scanner, and then you have Tripwire, another ADS scanner. So basically all the tools out there right now are just tools for scanning and finding alternate data streams. I couldn't find anything for creating your own data streams, for manipulating them in any way, for just about doing anything with them. The only thing out there is just for scanning alternate data streams. So everybody's willing to get rid of them, but what if you wanted to create them? Then you have to go through the ridiculous task of doing it manually for each one, and it's a little tedious.

So, going on. What we're attempting to do here with Project Prometheus is create a program just for doing what we want to do here, which is actually manipulating the streams, using them for our advantage, using them for data hiding. I mean, even with Service Pack 1 in Windows XP, it reports the full drive free space correctly, and it also shows in the Task Manager any executable ADS streams; it does show them, what they are. But even at that, individual files: even if you know that there's ADS on the drive, you still don't know what file they're attached to, even with XP Service Pack 1. So there's a lot of opportunity in there to take advantage of that. And so what we want to do is create a tool that makes it easy for you to drag and drop files into alternate data streams on a single host file, not just like one or two files. In this case, even doing it manually, you're only going to be able to throw one file in an alternate data stream, and you've got to do it manually every time.

Yeah, and so basically, like, when we started doing this, you know, was it February? Like, we have a little bit of code, but again, right now we do the DEF CON Movie Channel, the Scavenger Hunt, some of the guys also from the area are other goons, we're doing the latest link this con, and all other kinds of good stuff, and so it was busy leading up to this. But we called it ADS Explorer and then decided that that name was lame, and so Project Prometheus is its development name, because he does some work with different covert channels and stuff like that. He thinks that he has discovered a way to manipulate the data in such a way, because right now you can't transfer alternate data streams over FTP or anything like that, but he thinks he has figured out a way to make the data encapsulate in such a way that we can pass them wherever the hell we want, as long as they eventually end up on an NTFS system. So that could be fun. And I'd also like to apologize right now for us being so monotone and ridiculous, because he got heat stroke yesterday and I almost got hypothermia, so it's like two sides of the spectrum. I was in the dunk tank and they poured 60 pounds of ice in there, for anybody who saw me shivering in 102-degree weather.

So, next slide. Okay, so yeah, we have some basic requirements for the tool that include reading, writing, being able to throw more than one file into a single host file. And the idea behind that is actually going to be that one single file goes into one single ADS stream, and then there's going to be one main alternate data stream that has all the file information that our program will read and be able to tell you what's in those alternate data streams.

So what you see here is a host file; in this case I called it DLL, for the reason that I wanted to point out that alternate data streams can be attached to system files. And Windows has... what is it that Windows has, a protection to watch the system files so they're not changed? Yeah, Windows File Protection, thanks to whoever was back there. But that actually does not watch alternate data streams. If you attach an alternate data stream to a system file, it's not going to change how that system file works and it doesn't pose any threat, so Windows File Protection doesn't warn against that. But the thing is, those files cannot be deleted by the user, thus your alternate data streams attached to it are usually pretty safe where they're sitting. That's another thing: your alternate data streams only have as much access as you do to the file, so it has to be an administrator to attach to those system files, right? It inherits whatever permissions the host file has. Nice, yeah.

Also, one of the other things that we want our tool to go over is being able to delete alternate data streams, because it's obviously a pain to move the file and then move it back, or copy the file, delete the original, and move it back. And it's really hard to do that with a multiple-file system where we're attaching multiple streams and we can't delete single streams. The tool will also take care of making sure that the right streams, the ones you want to keep, will stay in there, and that will just save you a lot of time overall. Basically, if you're a 16-year-old sitting in the audience living at your mom's house, using your mom's computer, and you have all kinds of porn and you want to hide it somewhere, an alternate data stream is a good place to do it. It's just really, really hard right now. We're doing this for the kids.

Alright, so obviously some of the features of the program: it's got to be a hidden kind of program. If you know where the program is and it's installed on the computer, anybody and everybody can find that and realize that we're probably hiding stuff in alternate data streams. So one of the goals is to keep it a semi-hidden interface, maybe Explorer shell extensions. That's all hypothetical from here; we still haven't worked out implementation on that. Basically, the reason we're here is we want your brains. We've been coming to DEF CON for a few years and the media says there are some unbelievably intelligent people in these audiences, so we'll exploit you. So if you have further ideas to add on to how you might think that we should work this program, go ahead and speak up. Go ahead. You can attach... can you create... are you saying you can create a directory, or attach streams to a directory? So a whole directory in an alternate data stream? No, you can't, and that's actually what our tool is going to be able to do, in the sense that you can throw in multiple files and we'll have that single alternate data stream that says all the file information. It will also hold folder information, and I'll get to that in a minute here, but with the tool you will be able to throw entire folders into alternate data streams. That's what the gentleman back there asked. And again, the files that you attach in the streams will have the same attributes that the host file has, so you set the permissions on the host file for whatever files are within it. So hopefully this thing will be pretty cool when we're done with it. We're pretty excited about it, and we figure, you know, if Microsoft likes to call their bugs features, we'll actually make one.

Some other ideas that we had jumping into the program, and this is far from implementation, I mean this is one other idea that we had that the tool had the possibility of: if we're hiding the data, why not add in more tools for hiding, and we can build in possible combinations of steganography. Stenography? We're not in the courtroom here. And also possibly some cryptography, possibly some integration with Windows privacy tools, automatic encryption upon throwing into an alternate data stream. We were also discussing that the settings on the program would have paranoia levels, where at one level you could have more authentication, the next level would be encryption. Another level that we were talking about, which I guess we'll probably touch on a little more, is taking a file and then splitting it into multiple streams on multiple host files. I don't know if anybody is familiar with PAR2. For anyone familiar with that, not that I'd do anything with warez, but in the warez scene, or like movies and things like that, pirated movies usually will include PAR2 files, and if any file has had any kind of corruption, right now there can be a significant chunk of a file missing, but using the PAR2 files you can correct those files and move on. So we're hoping... I was talking with Dan Kaminsky about this, if anybody is familiar with Dan's work, and he said that there's another algorithm out there that someone is working on that's better than PAR2 and can actually reclaim up to ten percent of any corrupted data. So we'll be talking with Dan more in the future about that and different aspects of the project, because he's smart. And so, let's say you have something that's very important to you, you don't want people to find it, it gets encrypted, there's also a password, and then you split it up into twenty different files, and one of those files gets deleted, one of the host files is deleted somewhere. You don't have to worry about losing that, if the file's so important that you've done all of these things to it, and then your host file gets deleted. In the same sense that you're hiding it in alternate data streams and nobody knows it's there, there's the possibility that somebody might delete the file not knowing that you've got other stuff in it, which is where attaching it to a system file or something like that would be good.

Alright, he's talking about... he's read up on possible DoS-ing by attaching, what was it, six thousand, in excess of six thousand alternate data streams attached to a single system file can lock up the system. You know, I haven't read anything like that, but we'll do it and see what happens. Also, I know from my own personal experience, and not necessarily... I don't even know, like, I just did it on two or three different machines and maybe I just set up my systems differently, but after so many gigs of data it gets really hard to work with them as well. So using multiple host files is a really good way to do it. I mean, it's gigs and gigs of data; if you're using a couple hundred megs then you don't really have to worry about it, but when you get into the ridiculous file sizes and ridiculous sizes of the streams, then there are some lag issues. So again, we'll be doing a lot of testing with that and seeing what we can break. Yeah, is there something else to add to that one? So yeah, there you go, very good point. We'll leave you saying maybe the solution is just to attach it straight to the root volume directory, because you cannot delete them. We'll leave the option open for the user to decide to throw it there or not. You can put it anywhere you want. Yeah, you can put it wherever you want. In the red shirt. I don't think that zip recognizes alternate data streams, so I think it just trashes them. I don't think it looks for them. Going back to the fact that there are not a lot of programs out there that support doing anything with alternate data streams, you just end up losing them. People pretty much ignore them, and they're really kind of cool to play with. I mean, you can do some really cool things that we hope, by creating this tool... I think it left up some lung there or something, too much smoke in Vegas. I'll let him think about what he's thinking there for a minute and we'll take another question.

Again, the only programs I've seen that use them, aside from Mac using them for file information, is IIS using it to thumbnail images for web space, and that's the only other time I've seen it actually legitimately used, aside from the two viruses. What's that? Are they using more image thumbnailing? Okay, he's saying Office 2000... saying Office 2003 uses alternate data streams for session saving, just to be able to back up your data. And that's when you download what kind of stuff? He was saying that in Service Pack 2 for Windows XP, when you use Internet Explorer and download, it stores in the alternate data stream what zone you downloaded from. Is that all exes from anywhere while using Internet Explorer? Is that only for Microsoft, using Internet Explorer? Something to touch on that point: I'm liking the fact that Microsoft tends to use these more. I think that they've realized that they put something in there that not many people are aware is there, and they're using it more and more, because when we were discussing doing this we were like, well, what happens when Longhorn comes along, and then if they don't have support for alternate data streams or anything? But they seem to be using it in their products and things like that, so it'll be there and we'll be happy. Very good. Yes, you can attach alternate data streams to a directory, so in the back there... I don't know, let's find out. That's up to the tool that you're using for encryption. Again, his question was: what about encryption? If you encrypt the file, does it encrypt the stream as well? And if the tool doesn't recognize that the stream is there, then I don't believe that it would, which is why we're hoping that we can just drag files and drop them on and then we'll encrypt on the fly, and then you'll be sure that your information is safe from the prying eyes of your mom, or wife. So, oh okay, I haven't played with that, so I don't know. Yeah, we'll talk with you after this too, you, that guy, and that guy back there. Yeah, good. You're saying that .NET access supports it? Oh, how you access streams in your code: you use the same file syntax, actually. Microsoft has a technical paper on how to write up your code to access alternate data streams. I don't have a link on me right now, but we'll be showing some contact information afterwards and you can go ahead and email me and I'll give you the link to that. Yeah, moving on. Well, okay, you're kind of in the backspace, I think. Okay, moving on.

For the implementation of this program, we decided you've got to have the single ADS stream with information on the file if we're going to be able to support multiple files; you've got to know where those files are, what streams they're on. And so basically the idea for doing this is, we've got a single XML structure in one given-name alternate data stream, and it will look something like this, where you've got the file system, the type, whether it's a single file host file or whether it's multiple host files, which is going back to the idea of the multiple host files for data recovery stuff in case one of your files gets deleted. We'll have to go more into that when we get down to it. Basically, and then you have the folder tag, again being able to support multiple files in there along with the folder information, so when you extract it out of there you can extract whole folders, or you can put multiple folders in there, basically all in one host file. Now what it's going to do when you put those files in there is, the program's going to say, here's the folder and file information, and it's going to hash together some sort of hash number to determine an alternate data stream to assign it to. In the same sense that we're hiding files, if you've got tools to scan those alternate data streams and it comes up with names, that's basically going to hide the file name, because you're just going to get a data stream that says we have this data stream attached that's called A942BC23F3, which isn't going to give anybody any idea.

Okay, here's the XML for the multiple host file. I just wrote this up like an hour ago, so this is all just ideas floating around, and this just shows how we might go about being able to span multiple host files for specific attached alternate data stream files. And it's going to pretty much be that the program decides which data streams to assign it to on what files, and every file that has them is going to keep information on what other host files might contain other folders and file information, and every one of the host files will contain the same XML that says here are our host files.

Yeah, here's the contact information, and we're almost out of time. Are there any other questions, real quick? And then if anybody is interested in helping out with this, get hold of us. There's our information: grifter at root compromise dot org, and Tiara's is at nuke.net (it's "nuke", not "gannuck"). And dc801.org doesn't have anything up on it right now; the project will be going up on there shortly. And if you would like to talk to us in real time, we are always, and I mean always, in IRC in #ut2600 on EFnet. Thank you.