Ultimate diskspace trick

[n3rd]

I did not write this, LONG LIVE CTR+C.

QUOTE( From ChaseNET.org )
It doesn't matter how good your encryption is, it doesn't matter how obscure the program your using is, if you have a week password your putting yourself at risk.

General rule of thumb is, the harder it is for you to type the password, the stronger it is.
I don't mean, people with one arm and no fingers is less likly to be hacked, i mean passwords with caps, numbers, extended characters, ect ect, make much much better passwords that dictionary words.

Okay, no suprizes there, this is all pretty basic stuff eh.

Well, since XP came out i sorta made up my own meathod of how to keep track of all my passwords, as well as how to hide them so they can't be stolen.

This meathod is only really for people who think "It's better to have a confuzing password, but store it in a text file, than to have a simple password, and store it in your head"

I'm that sort of person. I can lock my shit down at my end, but it's the remote end which has to store my password/hash which i'm worried about.
Besides, if people can read files on my pc, they've pwned me already havn't they.

So here's how i do it:

I bet 90% of the people here are running windows right now, and of those 90%, 89% are running it on a hard drive partitioned with NTFS.
I won't lie, i'm running XP SP1 right now, and yes i'm also using NTFS.

As most of us know, but probibly arn't fully aware of, NTFS is a *very* diffrent partitioning scheme than FAT.
On NTFS, 12.5% of your disk is set aside to journal all the hard drive changes made. On top of that you have granular permissions and encryption, as well as Alternative Data Streams (what i'm getting to).

Basically, on NTFS, the file it's self can contain properties, such as which user is allowed to access it, if it's read-only or not, time stamps, ect.
All this extra infomation is stored in what Windows (the designers of NTFS) call 'Alternate Data Streams', or ADS.

For example, let's say we have a picture on our desktop of Bill Gates. You might think that that picture takes up a chunk of your hard drive in a liner sequence of 0 and 1's.

Well your wrong. That picture file will have a main stream (the picture it's self) and a whole bunch of other streams, with other infomation in it.
For example, there's a stream who who the author of the picture was, and a stream for what the thumbnail of that picture is, when viewed by explorer at 1024x768, and another stream when for the thumbnail is viewed at 600x800. ect ect.

Basically, an ADS can contain *anything*. A picture, a program, a text document, anything.

So why do we care?

Well, two reasons.
First, there's absolutly no limit to the amount storable in a ADS.
You could have a 10byte file, with 10Gb's worth of ADS attached to it.

And secondly, windows can't nativly find ADS's from a file. Only when you know that an ADS exists, can you find it. You can't search.

Okay, so...now i'll get to the point.

Pop open the run box, and type 'notepad chasenet.txt' with inverted commas.

You shold be prompted that chasenet.txt doesn't exist, and asked if you'd like to make it. Say yes.
If you now browse to 'My Folder' you'll see Chasenet.txt has been made.

Type some stuff in there, like "I like Chasenet!" or something.

Close it down, and save.

Check out the file size of your txt document. It should be only a few bytes big (not size on disc).

Okay, so you've probibly just learnt two things if your a real newbie.
1, you don't have to define where notepad is to run it. If you type a program name like 'calc', windows will go through the Windows file, the system32 file, and your documents to find it.
2, if you stick a filename at the end of notepad, it will either open the file or it will create it if it doesn't exist.

Super. Now how do we add some Alternative Data Streams?

Well, pop open run again, and this time type 'notepad Chasenet.txt:Secret.txt'
This will create a new notepad document, in an ADS called Secret.txt
This time, type a shit-load of stuff in here. I mean, copy and paste a whole password dictionary or something in here, two or three times over.
Exit and Save.

Go back to 'My Documents', and have another look at your text file.

Notice something weird? Your original Chasenet.txt hasn't changed in size AT ALL!
That's because windows can't find the ADS of Chasenet.txt, because it doesn't know where on the disc to look!

But let's not stop at text files!

Crack open a cmd prompt and type the below line: (And i you actually have to type 'type')

type "C:\myshizzle\someprogram.exe" > Chasenet.txt:someprogram.exe

This will stick your program into an ADS called program.exe from Chasenet.txt

To run this program, type:

start ./Chasenet.txt:someprogram.exe

Once again, you can check the file size, and it'll still be only a few bytes!

ADS is *still* an effective meathod to hide malware from AV, because some AV's don't check ADS at all.
Those which do, may only check .exe's.

As many people know, command prompt doesn't read file extensions like explorer does. For example, if you take a executable, and change the extension to .txt, in explorer notepad will open it. In cmd, it will run as normal.


Basically, i have a file on my computer called 'root' which has over twenty different ADS'.
Some contain modified Remote Administration Tool clients, some contain private e-mails, and some contain password files.
for example, root:hack is a txt file which has all the passwords for the security forums i use on it.
I also have renamed notepad to 'np' to simplify things.

So, if i want to sign into Chasenet, i hit the windows key + R, type 'np root:hack', and copy the password from the textfile. I then stick something else into my clipboard to stop dodgy javascripts stealing it (which they shouldn't do thanks to Proximitron...but just incase)

This way, i don't need cookies, i don't need a massive mental memory, i can have a crazy-long password, an i can be pretty sure that my friends and family (or anyone else with physical access) won't find it.


Having said that, there *are* programs which will find ADS. Winternal for example have a program called Stream. Wicked program. You wouldn't belive how many programs also use ADS to hide infomation from you!


Well, that's it really. I hope someone found it useful...

Hope u guys find it usefull.

[isapiens]

wow, never knew. Any side effects?

[n3rd]

not that I am aware of

[moophz]

1st of all, thank you for it's a great trick
2nd: If it had any side effects it would be when the hard disk reached it's limit

Or even, if the file you hided is too big

Consequences: this will increase the possibility to be replaced by others files, unhidden, beacyse the operating system doesen't know that this space on HDD is unallocated.
So the result will only affect the file you hided, but not anything else.[/b]

[p99]

Some kid told me to look that up to hide things from the school admins. If this works at school I finally have a C ++ project... I just started.
But im on a psp, anyone hear of this for linux file systems? I'll look for something. If someone can test with a small hardrive and a program maybe we can find an ADS filesize limit or if it will infact fill the drive. My laptop isnt XP-able :-{
Maybe a "disk is full" error but no plain evidence??
Im a tad excited to explore this obviously

[dekulex]

i never new about this trick thanx a lot

[leetnigga]

I knew about the existence of ADS but I never read anything more about them. This was a decent intro.

Code: Select all

for example, root:hack is a txt file which has all the passwords for the security forums i use on it.

What an idiot.

[Gogeta70]

Code: Select all

for example, root:hack is a txt file which has all the passwords for the security forums i use on it.

What an idiot.

I agree. Not only did he tell the entire world where his passwords are stored, but the method he uses to store them. That's pretty stupid.

Anyway, i've known about ADS's for a long time, and they're really not that great. Because windows doesn't know that the information in your ADS is allocated, there's a risk that your data will be written over at any time. Additionally, like mentioned at the end of the article, there are programs to find ADS's, which i have personally tested. These programs can scan your entire hard disk in minutes and find all your ADS's, it found all 20ish of the ones i made for testing.

Finally, it must be said that although ADS's can be pretty cool, it still falls under the category of "Security through obscurity," which is obviously not much security at all.

[Lundis]

Are pointers to the ADSs stored in the file or somewhere else?

[Lundis]

I was reading http://gonullyourself.org/zine/index.php?x=4

At the end they expose a rather big security annoyance.

Now, what if we wanted to be a little devilish and hide some executable files? Stay with me on this one.

copy C:\windows\system32\calc.exe C:\folder\calc.exe
type C:\windows\system32\notepad.exe > C:\folder\calc.exe:notepad.exe
start C:\folder\calc.exe:notepad.exe

We simply did here the usual - just copied calc.exe (which is Calculator) to our test folder so we don't mess anything up, and we hid the notepad.exe file (from the system dir) in our copied calc.exe file. We then finally executed our hidden file "notepad.exe," which now is located at "C:\folder\calc.exe:notepad.exe".

I hear you say, "Wow, how lame that is! You just started notepad.exe from a hidden location!" Well, first I'll excuse your ignorant behavior and tell you to go look at your Task Manager and tell me if you found any notepad.exe actually running. Huh, what I can't hear you! Yeah, that's right; you just see calc.exe. See, that's now what I was talking about - you are having notepad.exe running in front of your eyes, but Windows Task Manager doesn't have this feature implemented, so it can't actually tell if you are running another program from an alternate stream. Instead, it just gives you the carrier file name, which in our case would be "calc.exe".