Challenge: What can you do with funky directory names?
Good day readers! I've been playing around with creating unusual file names for a while (http://vimeo.com/9484706, http://pauldotcom.com/2011/12/looking-for-stealth-ads-stream.html). For example, did you know you can create a ".. " (dot dot space) directory on Windows just like you can in Linux? Want to try it? Open up a command prompt and type this:
That's interesting. Notice that our ".. " (dot dot space) directory is indistinguishable from the normal parent directory and is easily overlooked. Attackers have been hiding in the "dot dot space" directory for a long time on the Linux platform. Now try this from an administrative command prompt:
We created a ". " (dot space) directory with a ".. " (dot dot space) subdirectory. Then we put a copy of netcat in it. (Your path to nc.exe may be different from this example.) As you see from the image above, you can still execute netcat without any problems if you use a symbolic link. Now try to browse to the c:\temp\ directory using the Windows Explorer GUI. You will notice the SHORTCUT to NC.EXE in our c:\temp directory. Double-click on the ". " (dot space) directory. You might expect that it would take you into a directory containing our ".. " (dot dot space) directory, but it doesn't! Instead we are still in the c:\temp directory with our shortcut to nc.exe! Double-click the ". " (dot space) directory again. This time we DO change to the directory containing ".. " (dot dot space). Weird! Now double-click your ".. " (dot dot space) directory. Where will that take you? It takes you to the following error message:
Interesting. Now try this. Open your command prompt and change directories to the path "c:\temp\2628~1\45AA~1\" and do a directory listing. This strange directory name has been consistent in my limited testing. Is it the same for you? There is your copy of nc.exe! What the heck is that?
Your mission, should you choose to accept it, is to tell me what you can do with this. What causes this behavior? Post a comment!
HEY! I'm teaching SANS SEC560 BOOTCAMP Style in Augusta GA June 11th - 16th. Sign up today! http://www.sans.org/community/event/sec560-augusta-jun-2012
Comments
Another good one is, on a Citrix server where there is no access to C: - Just launch your cygwin Bash, and using the POSIX subsystem you can access C without any trouble.
PHP
Apr 11th 2012
1 decade ago
The interesting part is that you can set NTFS short name by using fsutil:
C:\temp>copy c:\windows\system32\ipconfig.exe .
C:\temp>ren ipconfig.exe ipconfig.txt
C:\temp>fsutil file setshortname ipconfig.txt i.exe
C:\temp>dir
[...]
2011.03.25 11:27 55.808 ipconfig.txt
C:\temp>i
Windows IP Configuration
[...]
The good part is that setting the short name requires high privileges, and it can be disabled altogether by using fsutil or the corresponding registry key.
tomas
Apr 11th 2012
1 decade ago
Thanks,
http://mjddesign.wordpress.com
Matthew
Apr 11th 2012
1 decade ago
Steven
Apr 11th 2012
1 decade ago
@Stephen. The directory names created for me didn't seem to be related to ASCII in any way. Additionally, the same directory name ". " (dot space) seems to produce different directory names.
@MarkBaggett
Apr 11th 2012
1 decade ago
C:\temp>dir /x (shows the short name for the dir)
C:\temp>dir /s (still works to show you the subdirectories)
~Of course, these can be combined into a single command...
John
Apr 11th 2012
1 decade ago
~1 is not actually the indication of an 8.3 name, but rather an index, in case the long name is shortened to the same 8.3 name.
tomas
Apr 12th 2012
1 decade ago
theinfinitenigma
Apr 12th 2012
1 decade ago