Hackers Hide with Clever Alternate Data Streams

Поделиться
HTML-код
  • Опубликовано: 1 апр 2024
  • jh.live/crowdsec || Get curated threat intelligence powered by the crowd, and contribute to better cybersecurity defense with CrowdSec: jh.live/crowdsec
    Learn Cybersecurity - Name Your Price Training with John Hammond: nameyourpricetraining.com
    📧JOIN MY NEWSLETTER ➡ jh.live/email
    🙏SUPPORT THE CHANNEL ➡ jh.live/patreon
    🤝 SPONSOR THE CHANNEL ➡ jh.live/sponsor
    🌎FOLLOW ME EVERYWHERE ➡ jh.live/twitter ↔ jh.live/linkedin ↔ jh.live/discord ↔ jh.live/instagram ↔ jh.live/tiktok
    💥 SEND ME MALWARE ➡ jh.live/malware
    🔥RUclips ALGORITHM ➡ Like, Comment, & Subscribe!

Комментарии • 95

  • @oussemabenayech2345
    @oussemabenayech2345 2 месяца назад +60

    everyone is freaked out about the xz backdoor *
    jhon hammond :

    • @UnfiItered
      @UnfiItered 2 месяца назад +1

      Because XZ util hack isn't replicatable anymore. The project has been taken down. Unless someone who has the malicious files were to send John all the files needed, can't replicate.

    • @cmagk
      @cmagk 2 месяца назад

      I was expecting John to cover it too, I guess he's working on it to find things to show us, the whole thing is still being investigated

    • @BillAnt
      @BillAnt 2 месяца назад

      John has hidden XZ in an ADS just for fun. lol

    • @user-iz9vq5rj1o
      @user-iz9vq5rj1o Месяц назад

      ​ت

  • @pranavbanerjee8625
    @pranavbanerjee8625 2 месяца назад +17

    34:32 "was i wrong all along? am i crazy?!".... this is as real as it gets lmao

    • @BillAnt
      @BillAnt 2 месяца назад

      Stump the chump. lol

  • @BPL-Whipster
    @BPL-Whipster 2 месяца назад +4

    A lot of people used to hide truecrypt volumes in alternate data streams back in the day. Great for exfil, unless the customer had a halfway decent DLP solution

  • @neutrino2211_
    @neutrino2211_ 2 месяца назад +32

    We like the rambling John

  • @simbad3311
    @simbad3311 2 месяца назад +1

    Good content John....keep it goin mate.

  • @benjanssens8662
    @benjanssens8662 2 месяца назад

    Thanks for the content John its perfect for students

  • @muizzsiddique
    @muizzsiddique 2 месяца назад +9

    6:30 It is pwsh but you don't have the externally downloaded Powershell, just the one that comes bundled with Windows.

    • @ranitsarkhel652
      @ranitsarkhel652 Месяц назад

      After using pwsh you will still get the externally downloaded powershell or the so called TERMINAL. Just have a look on the initial prompt. If it shows the version of the powershell then It is externally downloaded

  • @PANDACRAFTS1
    @PANDACRAFTS1 2 месяца назад

    Awesome video John, keep up the good work (:

  • @aryanhooshi
    @aryanhooshi 2 месяца назад +2

    Amazing vid, keep it up

  • @timschannel247
    @timschannel247 2 месяца назад

    great contrib bro! I love to get new insights for stuff like this, I was never aware of that this is possible to be honest.

  • @kabaduck
    @kabaduck 2 месяца назад

    That's a recall that some of these commands seem to truncate the input, there was some of these where I had to put a buffer on the front of The command because the front characters of the command were clipped for some reason. Like 14 characters would be missing. Lots of weird stuff in here

  • @luckyloo2228
    @luckyloo2228 2 месяца назад +8

    A lot of love letters will be written like this

  • @N....
    @N.... 2 месяца назад

    7:00 another way is via a symbolic link. Interestingly this can confuse programs that try to obtain their own executable path via Windows APIs, which could lead to additional vulnerabilities - for example, a program that tries to execute itself with arguments can be added as an ADS to an unrelated program executable, and it might launch that unrelated program with those arguments.

  • @Notagamer347
    @Notagamer347 2 месяца назад +10

    10 minute crew

  • @logikaibukfenc4599
    @logikaibukfenc4599 2 месяца назад +2

    @20:55 : you forgot 'wmic process call create" worked in cmd not in PS.

  • @arandomguy9474
    @arandomguy9474 2 месяца назад +3

    john, hope you see this. demonstration on xz when?

  • @socksman669
    @socksman669 2 месяца назад +2

    A few months ago I tried to create a project around locating ADS…I should go back to that.

    • @LoloisKali
      @LoloisKali 2 месяца назад

      Cool bro it be something interesting, you should. I only know python id imagine its c++ im curious on how there detected as well. I was thinking about making a simple script that uses this for data exfill.

  • @darknode4791
    @darknode4791 2 месяца назад +1

    Wouldn't AMSI detect it if it were any malicious script in a suspiciously newly created datastream?

  • @BillAnt
    @BillAnt 2 месяца назад

    Where does the actual data get written when adding a file in ADS mode? Presumably not at the end of the file since the file size doesn't change.
    Also if copying an ADS file from the hard drive to an SDcard, does it take the hidden file with it?

  • @kabaduck
    @kabaduck 2 месяца назад +2

    It's been a while since I played with this stuff, I do remember that sometimes I had to put double slashes between words in the command for it to work for whatever reason; I also found that sometimes I had to load it into a variable in the shell and then pass the variable to the command

  • @farmuelangel6342
    @farmuelangel6342 2 месяца назад

    I can only say that you can find out if a file has something hidden in it's ADS BECAUSE it is a "function" ONLY for the NTFS file system, so you can realize if something is in there if you just try to copy the file to a fat32 file system and windows will complain that this file is going to loose it's properties...!! This means a lot about the file ....it is very suspicious .... but you cannot see the streams only to guess that something is wrong with this file...and do farther investigation on it. Otherwise if it doesn't show at lot and you are not suspicious you will never know.!!! With the above action you can be more suspicious and obviously will know something very strange is going on with this file...

  • @snarkykat
    @snarkykat 2 месяца назад

    So, if someone has something hidden in an alternate stream of the C:\ file system object, then how do you get rid of it without wiping the drive. Also, is it possible to see the alternate stream if C:\ is mounted as a folder, perhaps on another drive?

  • @Freeak6
    @Freeak6 2 месяца назад

    Awesome trick !!!! Could you explain why the ADS on C:\ never shows up ? (Maybe you did but I didn't get it ^^)

  • @andrewdunbar828
    @andrewdunbar828 2 месяца назад

    Until 2013 macOS had the same thing, known as "named forks". This is not just "resource forks" which everybody knows about. APFS seems not to support them but on HFS+ they may merely be deprecated. I haven't been able to access them though through any command or tool, even writing my own code, going back to Mountain Lion. I suspect the OS has blocked some of the ways to access them. Hard to research since hardly anybody knows about them.

  • @monsterlux_1337
    @monsterlux_1337 2 месяца назад

    Please John include the github repos and article links you included in the vid i want to check them out.

  • @jamesgordon3434
    @jamesgordon3434 2 месяца назад

    Not sure because all this is above my pay grade, but did you forget to unhide your calc so then after, when you hid it again the second time, you actually wouldn't have hidden it because it wasn't there to hide, thus you weren't able to find it.

  • @zikkthegreat
    @zikkthegreat 2 месяца назад

    well… crap. now i need to double check and probably tune a bunch of detections 😅

  • @nbreallysry1753
    @nbreallysry1753 2 месяца назад

    Can we hide something even when we factor reset the computer and the folder is still there? @john

  • @natoreus
    @natoreus 2 месяца назад +2

    Hey John, have you seen david bombal's recent video on reverse shell demo? It's very similar to this video.

  • @GustavoPinho89
    @GustavoPinho89 2 месяца назад

    0:10 so you don't have to rename it to Homework too?

  • @deviantmultimedia9497
    @deviantmultimedia9497 2 месяца назад

    17:04 lowercase file path (c:\users\etc)?

  • @atsegboritsetimeyin4934
    @atsegboritsetimeyin4934 2 месяца назад +1

    Please help me out please i flash my phone i lost everything I'm trying to login my email address but i forget the password and I'm not sure i added a contact to the email address please help me out

  • @ThisIsJustADrillBit
    @ThisIsJustADrillBit 2 месяца назад +2

    JOHN HAMMOND FOR PRESIDENT ❤

    • @itzhexen0
      @itzhexen0 2 месяца назад +3

      No, he talks to much and tells everyone everything for no reason. He would be a terrible president.

    • @someoneunknown6894
      @someoneunknown6894 2 месяца назад +1

      ​@@itzhexen0 😂

    • @ThisIsJustADrillBit
      @ThisIsJustADrillBit 2 месяца назад

      A comment in all caps should never be taken seriously. And I doubt he anything for no reason. You just might not like them. 😏

  • @UnfiItered
    @UnfiItered 2 месяца назад

    You should also do your research on DNS data bouncing. Data exfiltrating has never been easier

  • @zeroordie453
    @zeroordie453 2 месяца назад

    Bet if you were using actual forensic tools like Autopsy - you'd find it

    • @BillAnt
      @BillAnt 2 месяца назад

      While hidden, it's still stored somewhere in the file system, so a search with a hex editor of the disk should be able to find it.

  • @DoctorMGL
    @DoctorMGL 2 месяца назад

    if you copy the same file that has the secret stream to another computer would that stream stay in there ?

    • @harald4game
      @harald4game 2 месяца назад

      Depends how you copy. Via windows network operation probably (didn't check). SMB maybe. Zip+Unzip no. Copy to an USB (yes but only if ntfs-file system on USB device).
      It always depends on the program, and it always must go from ntfs to ntfs.

  • @LoloisKali
    @LoloisKali 2 месяца назад

    Bro epic content i think its super cool as well that your able to hide it completly from the user.
    Do you know a way that you can be able to reveal its presence on system?
    It be cool to see this used in a tool for a reverse shell or something like stealthy data exflitration.
    Your able to get command execution but if your sys admin you can do whatever anyways but its a good place to hide any secondary backdoor maybe like i said .
    Thanks hambone!

  • @cyber_space09
    @cyber_space09 2 месяца назад +2

    That's great news right 🤠😁⚡

  • @grishnkrj
    @grishnkrj 2 месяца назад

    Please make video about XZ fiasco.

  • @isheamongus811
    @isheamongus811 2 месяца назад

    0:17 Hidden system files?

  • @timecop1983Two
    @timecop1983Two Месяц назад

    File extension spoofing nice

  • @MAG320
    @MAG320 2 месяца назад

    I don’t need a password to get inside your computer. I just need a telnet, network or serial connection & find out what VPN it is.
    Once I’m inside the host name system, I can configure anything I want there…. According to how bad you pissed me off.

  • @user-xr2dx4xm5b
    @user-xr2dx4xm5b 2 месяца назад +1

    yoh

  • @SamGib
    @SamGib 2 месяца назад +1

    Xz?

  • @tutacat
    @tutacat 2 месяца назад

    way to design a bad file system. it's not even open source.

  • @Zerkbern
    @Zerkbern 2 месяца назад +40

    My goodness you were loud

    • @1hw3
      @1hw3 2 месяца назад +8

      he was normal for me, although i have headphones really low in class lol

    • @GratuityMedia
      @GratuityMedia 2 месяца назад +3

      right on target under stats for nerds 😅

    • @JohnTitor-fw8jr
      @JohnTitor-fw8jr 2 месяца назад +16

      He was using the extra loudness to hide an audio stream that hacks your Alexa devices with radio frequencies

    • @dustinhxc
      @dustinhxc 2 месяца назад

      🤣

    • @alfonzo7822
      @alfonzo7822 2 месяца назад

      🤣 definitely woke me up after the last video I watched

  • @g4mb0
    @g4mb0 2 месяца назад

    second

  • @remy2885
    @remy2885 2 месяца назад

    first

  • @deeal5336
    @deeal5336 2 месяца назад +9

    This video did not have to be almost 40 min

    • @BigFunnyGiant
      @BigFunnyGiant 2 месяца назад +8

      You didn’t have to watch it.

    • @deeal5336
      @deeal5336 2 месяца назад +3

      @@BigFunnyGiant thanks for letting me know boss

    • @socksman669
      @socksman669 2 месяца назад +1

      Yeah it is nice to see John is human and is still learning but this makes it seem like he just rushed to make a video and didn’t know what he was talking about (which isn’t the case obviously). There were too many errors that got annoying.

    • @DeadDad1
      @DeadDad1 2 месяца назад

      I, personally, think it's useful to see how others troubleshoot. Don't like it? RUclips has fast forward.

    • @deeal5336
      @deeal5336 2 месяца назад +2

      @@DeadDad1 another wise guy

  • @samha1513
    @samha1513 2 месяца назад +1

    Nice but could be shorter video length

  • @Dane-dv1ik
    @Dane-dv1ik 2 месяца назад +1

    Sounds very interesting at first, but on close inspection this is called steganography. There are software that can do this in a more sophisticated way. This method is archaic. Not impressed 👎

    • @sebmandal
      @sebmandal 2 месяца назад +3

      It's educational. Everyone knows this is steganography, but for a beginner, it can teach the underlying logic of hiding data. It's not supposed to be groundbreaking, it's supposed to teach.

    • @BillAnt
      @BillAnt 2 месяца назад +1

      Stenography hides data in images or sound files, this one is built into the file system without the need of any helper apps... big difference.

  • @offsecguy
    @offsecguy 2 месяца назад +1

    Technique defeated - C:\>
    md\x&dir\x/r/a

  • @avig2009
    @avig2009 2 месяца назад

    first