Challenge: What can you do with Funky Directory Names (Part 2)

Published: 2012-04-16. Last Updated: 2012-04-16 13:11:02 UTC
by Mark Baggett (Version: 1)
10 comment(s)

Following up on last weeks challenge I'd like to add a new element to the challenge, then review some of the EXCELLENT  comments we received from our readers.     First lets add a new element to the challenge and see how you can creatively make use of symbolic links on Windows.    I'll throw a few things out there to get the ball rolling.

1) Using Infinitely recursive directories to defeat directory searching scripts:   As described in this excellent presentation on "Offensive Countermeasures"  by my friends John Strand and Paul Asodoorian, you can create symbolic links to the current working directory to cause directory searches to get stuck in an infinite loop.      They begin talking about it at the 25 minute mark  in this video ::http://www.youtube.com/watch?v=p0gWAbMjg1U     In short you can create symbilic link directories to the current directory and cause anyone searching your hard drive (including malware and antivirus scans)  to get caught in an infinite loop.

2)   Create links to devices such as boot sector and  to alternate data streams:

You can use symbolic links to access items in alternate data streams and items in disk partitions that are normally not easily accessed.   For example, if you have a separate boot partition you can use symbolic links to access it and even hide files in It.

http://pauldotcom.com/2010/10/windows-7-symbolic-links-and-h.html

 

3)    Symbolic links to Volume Shadow Copies:

Windows Volume shadows copies automatically maintain backups of the last 5-15 percent of all changes on your computer.   It is a bit like Apple's time machine without the fancy GUI or the offline storage.    This link shows you how to step back in time and see exactly what was on your systems a few days ago.   Oh,  You thought you deleted those files?  You might want to check this out.

http://computer-forensics.sans.org/blog/2011/06/09/vscs-logparser

Interesting, you can also stage malware in volume shadow copes and then execute the malware directly from the shadow copy.

http://www.irongeek.com/i.php?page=videos/hack3rcon2/tim-tomes-and-mark-baggett-lurking-in-the-shadows

 

So there you go.   What can you do with Symbolic links?    We still don't have an explanation for the error message or strange behavior noted in the last challenge.     What can you tell us about them?    POST A COMMENT or SEND ME AN EMAIL!      If you missed them here are some of the great comments we got from readers of the last challenge:

 Original Comments and challenge are here: https://isc.sans.edu/diary/Challenge+What+can+you+do+with+funky+directory+names+/12958

Readers comments:  Add space to filename to bypass Digital signatures on Microsoft policies.    

This was a very interesting comment from reader Aaron.    It seems that Aaron had some success bypassing digital signature checks.   He reports that the process that checks a digital signature may ignore spaces at the end of the file causing windows to check the actual file with a good signature.  The result is that malware named "svchost.exe " (svchost.exe with a space at the end) may appear to be digitally signed to some apps.   That's all I'll say about that one. 

 

Reader comments:  Creating Extended character directory names with the alt key/numeric keypads.

As you probably know, we can use the ALT key and the Numeric keypad to type extended ASCII characters.   Combine that with the ability to create files and directories with normally prohibited characters and you've got some PRETTY directories on your hands.    Create smiley fact, hearts, diamonds and other interesting directories on your windows systems.  

http://alt-codes.org/laptop/

 

Reader comments:   Still no answer for the strange 8.3 names given to files/directories   

We had several excellent comments and emails on the strange 8.3 directory names created when you create a directory or file with a character in its name that is prohibited by the normal  file/directory creation process.     Normally 8.3 shortnames are only given to files or directories that are longer than 8 characters in length.    In this case, the 8.3 names are assigned seemingly at random to these files event though they are not more than 8 characters long.  

HEY! I'm teaching SANS SEC560 BOOTCAMP Style in Augusta GA June 11th - 16th.   Sign up today!  http://www.sans.org/community/event/sec560-augusta-jun-2012

 

Keywords: challenge
10 comment(s)

Comments

Man this is gonna be the biggest shakedown of Windows Security in a long time. Until it's all over, bust out Cygwin & friends. The UNIX tools handle this junk just fine.

Joshua

Apr 16th 2012
1 decade ago

If you'd like a laugh:
My Windows creates this stuff right away since the first install.
And yes, it's an original cd. A real one. No fake black edition bshit :)

I once stumbled upon it going c:\Users\%username%\Anwendungsdaten\Anwendungsdaten\Anwendungsdaten\Anwendungsdaten\Anwendungsdaten\Anwendungsdaten\.....
and one or two other folders I guess.

Windows is still able to show me a new bug every day - even with W7. Speaks for itself !

Kugelfisch

Apr 16th 2012
1 decade ago

You forgot to mention with the shortnames the fact that if you preceed the directory name with a ~ the shortname has the ~ at the front such that "~. " = ~59EC~1 where as ". " = 2628~1

John

Apr 16th 2012
1 decade ago

John,
My apologies. I did intend to mention what you had found, but I forgot. Indeed it is very interesting that if you create a file name with a ~ as a first character that character makes its way into the otherwise random shortname. Excellent find. Thanks

Mark

Apr 16th 2012
1 decade ago

there's always the fun you can have with "other" chars too

md no(ALT155)

null works at the end of dir strings as well.
(welcome to DOS circa 1986-ish)

Cbob

Apr 16th 2012
1 decade ago

While not directly related, it sort of is, reminds me of a time when I found a buffer overflow and it turns out the buffer was to store a filename and the only thing the program checked before making the function call was whether the file existed or not...so was able to:

C:\{directory that exists}\{shellcode}\..\{file that exists}, do a fixup in the shellcode to jump over the first part that was of fixed length and thank you drive through...

Hopefully that comment makes it...(guessing the path maybe caused problems?)

nowhey

Apr 17th 2012
1 decade ago

This will cause problems. Try this on your unix/linux boxes: mkdir " " or vi " "

jono

Apr 17th 2012
1 decade ago

I'm guessing Windows is generating a short name for any filename that has "unusual" characters in it, as a way to allow MS-DOS software to access files with Unicode names.

Orv

Apr 18th 2012
1 decade ago

Fun with streams! I had an interesting idea after seeing the first post of this story. I wondered if one could use an alternate stream on a directory. Sure enough, you can:

md Foo
echo foobar > Foo:altstream
sort < Foo:altstream
rd Foo
sort < Foo:altstream

Thus, one can hide arbitrary data in a directory (not in a file in a directory, but in the directory itself effectively). As in echo foobar > C:\WINDOWS:altstream.

Of course, the SysInternals streams.exe will find it, but it's still kind of cool. Personally, I've actually found streams to be useful before in scenarios where I need to record meta-data about a file in the file itself (for instance, in a generated PDF file to record what config was used to generate the PDF file so I know whether it needs to be regenerated or not).

Anonymous

Apr 18th 2012
1 decade ago

The weird 8+3 names are simply because the proper names are actually unicode character not in the OEM character set. They can't be translated so Windows has to invent a string from nothing.

BTW: You can enter unicode characters directly if you set HKCU\Control Panel\Input Method\EnableHexNumpad with type REG_SZ to value 1

Then hold down the Alt key press number pad Plus followed by the hex code of your unicode character.

ALT + 2603

is a pretty good one (Windows 7 only though).

Robert

Apr 25th 2012
1 decade ago

Login here to join the discussion.


Top of page
Diary Archives