ADS

PRIMARY CATEGORY → WINDOWS PRIVESC

ADS → Alternate Data Stream

It is a Windows NTFS File System Feature

It allows a regular system file to have more than one data stream stored in it

Typically, a file has only one Data Stream, the default, but with the use of ADS, a user can attach additional data streams to store supplementary information or other data without modifying the main content of the file

The Default Data Stream of a file is named $DATA

Check for the Existence of ADS in a file

SMBClient

smbclient --user '<USER>%<PASSWORD>' --command 'allinfo <FILENAME>' //<TARGET>/<SHARED_RESOURCE>

Command Output

altname: FILENAME
create_time:    vie ago  9 01:06:12 2024 CEST
access_time:    vie ago  9 01:06:12 2024 CEST
write_time:     vie ago  9 01:08:17 2024 CEST
change_time:    mié jul 21 20:47:12 2024 CEST
attributes: A (20)
stream: [::$DATA], 0 bytes
stream: [:Password:$DATA], 15 bytes

Note that the default data stream has no content (0 bytes), while the ADS size is 15 bytes, so it has some content

Download an ADS from a file

SMBClient

smbclient --user '<USER>%<PASSWORD>' //<TARGET>/<SHARED_RESORCE>

smb: \> get <FILENAME>:<ADS_NAME>

💥Cyb3rBook

Explorer

ADS

PRIMARY CATEGORY → WINDOWS PRIVESC

Check for the Existence of ADS in a file

SMBClient

Download an ADS from a file

SMBClient

Graph View

Table of Contents

Backlinks