Read alternate data streams over SMB with Linux

1

I recently did a CTF involving a file on a Samba share which had a password in an alternate data stream. To read it I had to connect using Windows, but I'm curious if there's any way to read ADS from Linux, either using smbclient or another tool.

Jammy Dodger

Posted 2020-01-26T10:38:50.007

Reputation: 137

Answers

1

Found a way to do this without mounting the drive.

smbclient -U USER //IP/Share -c 'allinfo "ADS_FILE"' followed by get "ADS_FILE:PASSWORD:$DATA" downloads the file.

Jammy Dodger

Posted 2020-01-26T10:38:50.007

Reputation: 137

$DATA is the file data. ADS is not required here - this is what you get if you just open the file. – harrymc – 2020-01-26T12:09:27.053

Well this gave me what I needed, whereas just downloading the file was empty. – Jammy Dodger – 2020-01-26T12:10:56.513

I think there was a problem in the Samba configuration, but that's another subject. – harrymc – 2020-01-26T12:14:30.870
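The two smbclient steps from the answer above can be scripted for checking a file for data kept outside its unnamed stream. This is an added example, not part of the original posts. It assumes `allinfo` prints one `stream: [name], N bytes` line per stream; the sample output is constructed, and `fetch_streams` is a hypothetical wrapper that assumes file names without double quotes.

```shell
#!/bin/sh
# Constructed sample of `smbclient ... -c 'allinfo "ADS_FILE"'` output
# (not captured from a real server; timestamps are made up).
sample_allinfo() {
cat <<'EOF'
altname: ADS_FILE
create_time:    Sun Jan 26 10:00:00 AM 2020 GMT
attributes: A (20)
stream: [::$DATA], 0 bytes
stream: [:PASSWORD:$DATA], 36 bytes
EOF
}

# stdin: allinfo output. stdout: "name<TAB>size" for each named stream.
# The unnamed stream (::$DATA) is what a plain `get` returns, so it is skipped.
named_streams() {
    awk '
        /^stream: \[/ {
            name = $0
            sub(/^stream: \[/, "", name)
            sub(/\], [0-9]+ bytes$/, "", name)
            size = $(NF - 1)
            if (name != "::$DATA") print name "\t" size
        }'
}

# $1 = remote file name; stdin: allinfo output.
# stdout: one smbclient `get` command per named stream.
get_commands() {
    named_streams | while IFS="$(printf '\t')" read -r stream size; do
        printf 'get "%s%s"\n' "$1" "$stream"
    done
}

# Hypothetical wrapper: $1 = user, $2 = //IP/Share, $3 = remote file name.
# Runs allinfo, then fetches every named stream in a second session.
fetch_streams() {
    cmds=$(smbclient -U "$1" "$2" -c "allinfo \"$3\"" | get_commands "$3" | tr '\n' ';')
    if [ -n "$cmds" ]; then
        smbclient -U "$1" "$2" -c "$cmds"
    fi
}

# Offline demonstration on the constructed sample.
sample_allinfo | get_commands ADS_FILE
```

A file whose unnamed stream is 0 bytes while a named stream holds data, as in the sample, is the case described in the comments where a plain download comes back empty.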

0

Reading Alternate Data Streams (ADS) is possible when using ntfs-3g:

NTFS stores all data in streams. Every file has exactly one unnamed data stream and can have many named data streams. The size of a file is the size of its unnamed data stream. By default, ntfs-3g will only read the unnamed data stream.

By using the option "streams_interface=windows" with the ntfs-3g driver (not possible with lowntfs-3g), you will be able to read any named data streams, simply by specifying the stream's name after a colon. For example:

cat some.mp3:artist 

Named data streams act like normal files, so you can read from them, write to them and even delete them (using rm). You can list all the named data streams a file has by getting the "ntfs.streams.list" extended attribute.

harrymc

Posted 2020-01-26T10:38:50.007

Reputation: 306 093

This looks like what I need. But is it possible to use this to mount over a network? – Jammy Dodger – 2020-01-26T11:56:27.683

If you can mount it using ntfs-3g, then it should work. – harrymc – 2020-01-26T12:08:10.303

It didn't accept //IP/Share as a valid mount image. – Jammy Dodger – 2020-01-26T12:10:08.773