
ACL Steganography


This post concentrates on a fairly recent and unique steganography technique developed by Michael Perklin. When I stumbled across Perklin's DEF CON presentation about this project I was amazed by its simplicity, ingenuity and unique flair, so I decided to write this post to shed more light on the technology underlying this steganography technique. The practical demonstration in this post uses ACLEncode and TrueCrypt. I strongly recommend that you read the ACLEncode README.txt if you plan on using this technique, as it has serious consequences and drawbacks. It is also assumed that you know how to create, mount and dismount TrueCrypt containers.

Watch Michael Perklin’s DefCon presentation
Download original slides from the presentation by Michael Perklin
Download ACLEncode by Michael Perklin
Download TrueCrypt

NTFS SECURITY BASICS
Access Control List steganography encodes files that a user wants to hide, as Access Control Entries within Access Control Lists of multiple files that a user randomly chooses. Right Click > Properties > Security on any random file or a directory so you can see Access Control Lists and their Access Control Entries when you click on each user.

File Permissions Example

There are many more permissions than just Read, Write and Execute that a user can set; in fact there are 22 permissions available in the advanced security settings. These permissions use 14 bits of a 32-bit field. The remaining 18 bits presumably serve for future expansion of NTFS permissions.

How is it possible that 22 permissions are stored in 14-bits of information?

That is because some of the permissions are reused depending on whether the object is a file or a directory: you do not list the contents of a file, and you do not execute a directory, so each such pair shares the same bit.

Access Control Entries are stored using a 68-byte number called a Security Identifier (SID), along with other information that is beyond the scope of this post. User names also correspond to SIDs. When a user opens the Security properties, Windows looks up the friendly names such as Agent Smith or Administrator from the SIDs belonging to those users. If a user has been removed, Windows displays the raw SID instead, since it no longer has a name for that particular SID.

Example of a Security Identifier

S-1-5-21-1180699209-877415012-3182924384-1004

ACL ENCODING
ACL Steganography can use any file on an NTFS file system as a medium for hiding information. The encoding generates Security Identifiers for one or more files, and the bits of the encoded file are stored as unlikely permission combinations within the Access Control Entries belonging to those SIDs. Let's try it.

This demonstration uses two small sized text files (12.4 KB in total) that reside within an encrypted TrueCrypt container.

files we want to encode

Next, multiple files are needed to provide the Access Control List space for the encoding. Here are 20 random files of various types and sizes that we will use as containers for the Security Identifiers. Every one of these files contains the same users and permissions as illustrated in the first figure of this post.

Container files

Start ACLEncode and you will be presented with this screen. The program asks for a Target File and a File List.

ACLEncode welcoming screen

Target File
The file you want to encode within the list of files of your choice. In this case it is the encrypted TrueCrypt volume containing two small text files.

File List
A text file containing the paths of the files into which you want to encode the TrueCrypt volume. This file is generated automatically if you follow these instructions:

1. Press Create FileList button.
2. Choose multiple files and click Open.
3. Choose the name for the File List and where you want it to reside.
4. Click Save.

File list generated by this process

Click Encode. This takes about a second if you are encoding small files, but far longer if you are encoding large ones. Once the encoding is finished, a message appears at the bottom of the window.

Click Encode

At this point, the security settings of the files in the FileList contain random Security Identifiers alongside the names of the genuine users of this computer. The Access Control Entries belonging to these Security Identifiers are where the TrueCrypt volume now resides.

Example 1: Encoded message
Example 2: Encoded message 2
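The encoded state described above leaves two traces a defender can look for: SIDs that resolve to no account, and access masks that are not the templates Explorer normally writes (or that set bits outside the 14 NTFS actually defines). The following is an added example, not code from the post or from ACLEncode; the SIDs, masks and file paths are constructed for illustration, and on a real host the (sid, mask) pairs would come from a DACL dump such as Get-Acl or icacls output.

```python
# Heuristic scan of file DACLs for ACL-steganography containers (added example).
import re

# The 14 access-mask bits NTFS defines for files: nine object-specific rights
# (0x1FF) plus five standard rights (0x1F0000). Anything else is reserved in a
# normal file ACE (directory ACEs with inheritance may also carry generic bits
# 28-31; this example only looks at file objects).
KNOWN_FILE_RIGHTS = 0x001F01FF

# Masks Explorer writes for its basic templates: Full control, Modify,
# Read & execute, Read, Write. Any other mask is an "advanced" combination.
TEMPLATE_MASKS = {0x1F01FF, 0x1301BF, 0x1200A9, 0x120089, 0x100116}

SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")

def classify_ace(sid, mask, resolvable):
    """Return the reasons one (sid, mask) ACE looks suspicious (empty = fine)."""
    reasons = []
    if not SID_RE.match(sid):
        reasons.append("malformed SID")
    elif sid not in resolvable:
        reasons.append("unresolvable SID")             # no account behind it
    if mask & ~KNOWN_FILE_RIGHTS:
        reasons.append("reserved access-mask bits set")  # outside the 14 bits
    elif mask not in TEMPLATE_MASKS:
        reasons.append("non-template permission combination")
    return reasons

def scan_dacls(dacls, resolvable, min_suspect=3):
    """dacls: {path: [(sid, mask), ...]}. Flag a file when min_suspect or more
    of its ACEs are both unresolvable and carry an unusual mask."""
    flagged = {}
    for path, aces in dacls.items():
        hits = [(s, hex(m), classify_ace(s, m, resolvable)) for s, m in aces]
        strong = [h for h in hits if len(h[2]) >= 2]
        if len(strong) >= min_suspect:
            flagged[path] = strong
    return flagged

# Constructed sample: two genuine-looking accounts plus three stego-style ACEs.
RESOLVABLE = {"S-1-5-18", "S-1-5-32-544",
              "S-1-5-21-1180699209-877415012-3182924384-1004"}
SAMPLE_DACLS = {
    "C:\\Users\\agent\\photo.jpg": [
        ("S-1-5-18", 0x1F01FF),
        ("S-1-5-21-1180699209-877415012-3182924384-1004", 0x1200A9)],
    "C:\\Users\\agent\\notes.docx": [
        ("S-1-5-18", 0x1F01FF),
        ("S-1-5-21-4012-6612-9921-3371", 0x0009C2A1),   # constructed SID/mask
        ("S-1-5-21-4012-6612-9921-5508", 0x001E0103),   # constructed SID/mask
        ("S-1-5-21-4012-6612-9921-8834", 0x00000D88)],  # constructed SID/mask
}

if __name__ == "__main__":
    for path, hits in scan_dacls(SAMPLE_DACLS, RESOLVABLE).items():
        print(path)
        for hit in hits:
            print("   ", hit)
```

Inherited ACEs from a parent folder and deleted local accounts will also produce single unresolvable SIDs, which is why the scan only flags a file once several ACEs are both unresolvable and unusual.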

ACL DECODING
To reverse the process, specify as the Target File the file you expect to get out of the decoding, in this case Hidden.tc. The FileList is the same one created at the encoding stage.

Click Decode after the required fields have been entered. A message should appear at the bottom of the window.

Click Decode

A TrueCrypt file appears on the Desktop.

Enter password to mount Hidden.tc.
TrueCrypt Mounting

Files successfully decoded.