I recently did a CTF involving a file on a samba share which had a password in an alternate data stream. To read it I had to connect using Windows, but I'm curious if there's any way to read ADS from linux, either using SMBclient or another tool.
2 Answers
Found a way to do this without mounting the drive.
smbclient -U USER //IP/Share -c 'allinfo "ADS_FILE"' followed by get "ADS_FILE:PASSWORD:$DATA" downloads the file.
Reading Alternate Data Streams (ADS) is possible when usingntfs-3g:
3NTFS stores all data in streams. Every file has exactly one unnamed data stream and can have many named data streams. The size of a file is the size of its unnamed data stream. By default, ntfs-3g will only read the unnamed data stream.
By using the options "streams_interface=windows", with the ntfs-3g driver (not possible with lowntfs-3g), you will be able to read any named data streams, simply by specifying the stream's name after a colon. For example:
cat some.mp3:artistNamed data streams act like normal files, so you can read from them, write to them and even delete them (using rm). You can list all the named data streams a file has by getting the "ntfs.streams.list" extended attribute.
