Lab 2
Hiding Files Using NTFS Streams
A stream consists of data associated with a main file or directory (known as the main unnamed stream). Each file and directory in NTFS can have multiple data streams that are generally hidden from the user.
Lab Scenario
Once the hacker has fully compromised the local system, installed their backdoors and port redirectors, and obtained all the information available to them, they will proceed to attack other systems on the network. Most often there are matching service, administrator, or support accounts residing on each system that make it easy for the attacker to compromise each system in a short amount of time. As each new system is compromised, the attacker performs the steps outlined above to gather additional system and password information. Attackers continue to leverage information on each system until they identify passwords for accounts that reside on highly prized systems, including payroll, root domain controllers, and web servers. In order to be an expert ethical hacker and penetration tester, you must understand how to hide files using NTFS streams.
Lab Objectives
The objective of this lab is to help students learn how to hide files using NTFS streams.
It will teach you how to:
■ Use NTFS streams
■ Hide files
Lab Environment
To carry out the lab you need:
■ A computer running Windows Server 2008 as a virtual machine
■ A C:\ drive formatted as NTFS
Lab Duration
Time: 15 Minutes
Overview of NTFS Streams
NTFS supersedes the FAT file system as the preferred file system for Microsoft Windows operating systems. NTFS has several improvements over FAT and HPFS (High Performance File System), such as improved support for metadata and the use of advanced data structures. One such feature is the alternate data stream (ADS): a file's content lives in its unnamed stream, but additional named streams can be attached to the same file and are not shown by Explorer or a plain dir listing.
Lab Tasks
1. Run this lab in the Windows Server 2008 virtual machine.
2. Make sure the C:\ drive is formatted for NTFS.
3. Create a folder called magic on the C:\ drive and copy calc.exe from C:\windows\system32 to C:\magic.
4. Open a command prompt and go to C:\magic and type notepad readme.txt in command prompt and press Enter.
5. readme.txt opens in Notepad. (Click the Yes button if prompted to create a new readme.txt file.)
6. Type Hello World! and Save the file.
7. Note the file size of readme.txt by typing dir in the command prompt.
8. Now hide calc.exe inside readme.txt by typing the following in the command prompt: type c:\magic\calc.exe > c:\magic\readme.txt:calc.exe
   This writes the contents of calc.exe into an alternate data stream named calc.exe attached to readme.txt; the unnamed stream holding Hello World! is left untouched.
FIGURE 2.2: Command prompt with hiding calc.exe command
FIGURE 2.3: Command prompt with executing hidden calc.exe command
10. The file size of readme.txt reported by dir should not change, because dir lists only the size of the unnamed stream. (On Windows Vista / Server 2008 and later, dir /R lists the alternate streams as well, which is the quickest way to check for them.) Now navigate to the directory c:\magic and delete calc.exe.
11. Return to the command prompt (run as administrator, since mklink requires the create-symbolic-link privilege) and type the command mklink backdoor.exe readme.txt:calc.exe and press Enter. This creates a symbolic link named backdoor.exe that points at the hidden stream, so running backdoor.exe launches the hidden copy of calc.exe even though calc.exe itself has been deleted from the folder.
FIGURE 2.4: Command prompt linking the hidden calc.exe
FIGURE 2.5: Command prompt with executed hidden calc.exe
Document all the results discovered during the lab.
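The following script is an added example and is not part of the original lab. It repeats the hide-and-verify procedure above with PowerShell's -Stream parameters instead of cmd's type redirection, and adds the two checks a practitioner wants: proof that the hidden copy is byte-identical to the original, and a sweep that enumerates alternate streams across a directory tree (the defender's side of this technique). It assumes Windows PowerShell 3.0 to 5.1 (the -Stream parameter and -Encoding Byte do not exist in the 2.0 that ships with Server 2008, and PowerShell 7 replaces -Encoding Byte with -AsByteStream), an NTFS C:\ drive, and the same C:\magic paths the lab uses.

```powershell
# Added example (not from the original lab): NTFS alternate data stream
# hide / verify / detect cycle. Assumes Windows PowerShell 3.0-5.1 and NTFS.
$dir     = 'C:\magic'
$carrier = Join-Path $dir 'readme.txt'
$payload = Join-Path $env:SystemRoot 'System32\calc.exe'

New-Item -ItemType Directory -Path $dir -Force | Out-Null
Set-Content -LiteralPath $carrier -Value 'Hello World!'

# Length is the size of the unnamed ::$DATA stream, which is all dir shows.
$before = (Get-Item -LiteralPath $carrier).Length

# Hide calc.exe in an alternate stream named "calc.exe" on readme.txt
# (same effect as:  type calc.exe > readme.txt:calc.exe).
$bytes = [System.IO.File]::ReadAllBytes($payload)
Set-Content -LiteralPath $carrier -Stream 'calc.exe' -Value $bytes -Encoding Byte

$after = (Get-Item -LiteralPath $carrier).Length
"Unnamed stream size before: $before  after: $after  (unchanged: $($before -eq $after))"

# Enumerate every stream on the carrier; this is what a plain dir hides.
Get-Item -LiteralPath $carrier -Stream * | Select-Object Stream, Length

# Prove the hidden copy is intact by comparing SHA-256 hashes.
$hidden = [byte[]](Get-Content -LiteralPath $carrier -Stream 'calc.exe' -Encoding Byte -ReadCount 0)
$sha    = [System.Security.Cryptography.SHA256]::Create()
$same   = [BitConverter]::ToString($sha.ComputeHash($bytes)) -eq
          [BitConverter]::ToString($sha.ComputeHash($hidden))
"Hidden copy matches original: $same"

# Defender's view: sweep a tree for alternate streams, ignoring the
# Zone.Identifier mark-of-the-web that browsers attach to downloads.
Get-ChildItem -LiteralPath $dir -Recurse -File |
    ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
    Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
    Select-Object FileName, Stream, Length

# Cleanup: remove only the alternate stream; readme.txt keeps its text.
Remove-Item -LiteralPath $carrier -Stream 'calc.exe'
```

The script stops short of the lab's mklink step on purpose: creating the symbolic link needs an elevated prompt, and the point here is that Get-Item -Stream * (or dir /R) exposes what Explorer and plain dir do not. The sweep at the end is the same check you would run during an investigation; expect Zone.Identifier streams on any downloaded file, which is why they are filtered out rather than reported.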
Questions
1. Evaluate alternative methods to hide the other exe files (like calc.exe).