I was looking around on this site and this article caught my eye. It was about hiding text in ADS or Alternate Data Streams. While this is nothing new in the tech world, it seems that more and more people are looking at ADS for one reason or another.
Years ago, I created a simple bot that crawled target sites parsing links and searching for pictures. It was a hybrid bot that also attempted to access random filenames after locating the image folder on the target, UA = 'The Kraken'. Back then, I was less aware of data obscurity, but I noticed that some files took longer to download, especially pictures. After a little searching, I found out why, but I digress!
Back to the point!
Now, most articles involved opening binary files in text editors or using some third-party software to perform the task. However, one did cover using the command line, but it was a video (by the way, excellent video, Steve Blair).
Here, I will explain how to hide any file in a JPG picture without using ADS (this method takes advantage of filetype association), so that you can post your messages online in the form of a picture. Users of image boards are most likely familiar with this tactic.
With the release of Windows 7, we finally got a built-in command line option to view ADS, using "dir /R" or "dir /R filename.type" in the directory, which will list all files and any ADS associated with them. Then a quick "more < filename.type:streamname" and you can read the texture data within the stream.
Tips
- You can give your data stream any name you like.
- On Windows, use "dir /R" in the directory to view all files and associated streams.
- On Windows, use "more < filename.filetype:streamname" to output the data to the terminal.
- Most servers (now) scrub files users upload after moving it from the temp directory.
Oddly enough though, if you plan to hide your secrets online for others, you might not want people to be able to see your ADS with the above command. So that you can feel a little more confident when practicing data obscurity, we will go over adding another layer of clouds.
Get Your Files Together
In this case, I am going to call my picture pic.jpg and my archive will be msg.rar with an output picture of secret.jpg.
Open the Terminal (CMD.exe)
With the 'prompt' open, you will need to 'cd' to the correct directory or just add the path to the filenames. Once in the directory, simply type "copy /B pic.jpg + msg.rar secret.jpg" and that is it!
Send It
You can send this file to anyone you like, but keep in mind the tip mentioned above; most servers scrub files these days, so posting it on Facebook or something might not yield the desired results.
Simply change the file extension back to .rar to extract the archived files, or leave it as .jpg to display a picture. If you do a "dir /R" on that file, you will not see any ADS. However, you will notice that the picture is now the combined size of archive and itself. This is because you just appended the archive to the picture and stored that data in the new file.
If you were to couple this technique with the ADS technique described in Steve Blair's video, you will be able to hide very large 'pictures' in streams, thus hiding the actual size of your secret and creating another layer of obscurity.
I hope this helps you out! Let the search begin!
Comments
No Comments Exist
Be the first, drop a comment!