Wednesday, November 19, 2008

Metasploit Anti-Forensics Project (MAFIA) - Slacker.exe

One of the tools in the Metasploit arsenal is slacker.exe, which allows an attacker to hide data in the slack space of NTFS. Recently, I've been playing with this scary awesome tool, and wanted to share what I found:

When a file system allocates space for a file, it allocates that space in data containers of a predetermined size, referred to as “blocks on Linux/Unix systems, and clusters on Windows systems.” (http://www.wikistc.org/wiki/Slack_space_data) As a file is written, blocks or clusters are allocated to store its contents, and each block or cluster will be either completely or partially full. However, the size of most files is not an even multiple of the block or cluster size. For example, suppose a 1KB file is created and written to a file system with a 4KB block or cluster size. The file system cannot allocate anything less than 4KB, so when the file is written, 3KB of the block or cluster is left unused. This unused space is referred to as slack space. Since slack space is allocated but unused, it presents an appealing place for attackers to hide data.

As part of the Metasploit Anti-Forensic Investigation Arsenal (MAFIA), the Slacker tool is the first “tool that allows you to hide files within the slack space of the NTFS file system.” (http://www.metasploit.net/research/projects/antiforensics/) Slacker is a command-line tool; here’s the help menu:



To hide a file with slacker.exe, one must choose a directory structure from which to select the files whose slack space will hold the data ( {path} ), how deep to descend into the directory tree ( {levels} ), a file to store metadata for tracking information ( {metadata} ), a password to encrypt the metadata file ( {password} ), and options for how slack space is selected, whether the data is obfuscated, and whether to use a file as an XOR key. For the purposes of the following example, the file to be stored in slack space was Salary.xls, a directory containing JPEG image files was used as slack space files (C:\Demo), a high resolution JPEG was used as the metadata file (C:\image.jpg), and the password used was “hide”:



To reverse the process, point slacker.exe at the metadata image file (in this case, C:\image.jpg) and supply the password and a filename for the extracted data:



Md5sum shows the extracted file and the original to be identical:



Comparing one of the files whose slack space was used to store the data against its original copy, md5sum shows them to be identical as well:



which is the expected behavior, since slacker.exe will reset the file pointer to the original location after it completes its work. The same applies to the metadata file:



The only attribute that noticeably changes on either the slack space file or the metadata file is the “Date Modified” attribute, which can be reverted using another tool in the MAFIA toolkit, timestomp.exe, discussed later. The data stored in the slack space files is unencrypted, but the metadata file information is stored in the slack space encrypted, which prevents a forensic analysis from easily locating and retrieving the list of files that slacker.exe wrote the data out to. Without a tool that can read raw disk sectors, this type of data hiding would be easily missed; even with such a tool, it is tedious and very time-consuming to locate.
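Why md5sum reports the carrier files as unchanged, and why raw-cluster inspection is needed to see the difference, shown as an added example (not code from the original post or from the Metasploit project). It models a volume as an in-memory byte array with the 4KB cluster size from the earlier example; the file names, layout, contiguous allocation and sample bytes are constructed assumptions.

```python
import hashlib

CLUSTER = 4096  # cluster size from the post's 1KB-in-4KB example

def slack_range(first_cluster, logical_size, cluster=CLUSTER):
    """Return (start, end) byte offsets of the slack for a file stored
    contiguously from first_cluster (contiguity is an assumption)."""
    allocated = -(-logical_size // cluster) * cluster  # round up to whole clusters
    base = first_cluster * cluster
    return base + logical_size, base + allocated

def logical_md5(volume, first_cluster, logical_size, cluster=CLUSTER):
    """Hash only the logical bytes, which is all md5sum sees via the file API."""
    base = first_cluster * cluster
    return hashlib.md5(volume[base:base + logical_size]).hexdigest()

def scan_slack(volume, files, cluster=CLUSTER):
    """Return {name: count of non-zero slack bytes} for files whose slack is not empty."""
    findings = {}
    for name, (first_cluster, size) in files.items():
        start, end = slack_range(first_cluster, size, cluster)
        nonzero = sum(1 for b in volume[start:end] if b)
        if nonzero:
            findings[name] = nonzero
    return findings

def demo():
    # Constructed volume: 4 zeroed clusters holding two hypothetical 1KB files
    volume = bytearray(4 * CLUSTER)
    files = {"a.jpg": (0, 1024), "b.jpg": (2, 1024)}
    for first, size in files.values():
        volume[first * CLUSTER:first * CLUSTER + size] = b"\xff" * size
    before = logical_md5(volume, 0, 1024)
    # Simulate foreign bytes sitting in a.jpg's slack (past its logical end)
    start, _ = slack_range(0, 1024)
    volume[start:start + 16] = b"constructed-data"
    after = logical_md5(volume, 0, 1024)
    # The logical hash is unchanged, but the raw-cluster scan flags a.jpg
    return before == after, scan_slack(volume, files)

if __name__ == "__main__":
    print(demo())
```

On a real volume, slack frequently holds residue from previously deleted files, so non-zero slack is a triage signal to review rather than proof of hidden data.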


5 Comments:

At 1:53 PM, Blogger tim said...

I have tried on multiple files - *.doc .jpg and random files and have yet to reproduce the md5 portion of your document. The program is great but the reproduced file from slackspace is never the same in my test.

 
At 1:54 PM, Blogger tim said...

hidden.xls hash
01685A628B1C08AFB2D4D615665A4625

xlsoutput1.xls
11F5630D7FCE35DF123E4478E726A262

 
At 2:23 PM, Blogger tim said...

So I found the reason for my MD5 hashes not matching - I was using a random file's slackspace to hold my hidden file -

When I changed it to a folder with only *.jpg files it resulted in matched hash files

If you would like to ensure a matched hash - I would suggest to only use .jpg files to hide your data since using a location like a downloads directory will not return an exact match.

 
At 1:22 PM, Blogger Jo said...

Man, please help, I get an error msg. 3 errors to be exact

1. Error: CreateFile<> When opening the D volume. 5
2. GetClusterAndSectorSize<> error 5
3. StoreFile<> in main<>

What am I doing wrong?

 
At 11:48 PM, Blogger Unknown said...

Links need updates and screenshot is missing.

 
