(Data Hiding: Lesson 1)

{ Hiding Data in Slack Space using bmap }

Section 0. Background Information

What is the scenario?
- Have you ever heard of Cyber Espionage where a spy was able to hide data and go virtually un-noticed? The following lesson demonstrates how easy it is for a person to hide data in a file's slack space.
bmap
- Bmap is a data hiding tool that can utilize slack space in blocks to hide data.
- It can perform lots of functions interesting to the computer forensics community and the computer security community.
Slack Space
- Blocks are specific sized containers used by file system to store data. Blocks can also be defined as the smallest pieces of data that a file system can use to store information. Files can consist of a single or multiple blocks/clusters in order to fulfill the size requirements of the file. When data is stored in these blocks two mutually exclusive conditions can occur; The block is completely full, or the block is partially full. If the block is completely full then the most optimal situation for the file system has occurred. If the block is only partially full then the area between the end of the file the end of the container is referred to as slack space.
Lab Notes
- In this lab we will do the following:
  1. Download bmap
  2. Compile bmap
  3. Hide a secret message into a file that contains slack space
Legal Disclaimer
- As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
- In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
- In addition, this is a teaching website that does not condone malicious behavior of any kind.
- You are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
- © 2013 No content replication of any kind is allowed without express written permission.

Section 1: Start Up the BackTrack5R1 VM

Start Up VMWare Player
- Instructions:
  1. Click the Start Button
  2. Type Vmplayer in the search box
  3. Click on Vmplayer
Open a Virtual Machine
- Instructions:
  1. Click on Open a Virtual Machine
Open the BackTrack5R1 VM
- Instructions:
  1. Navigate to where the BackTrack5R1 VM is located
  2. Click on on the BackTrack5R1 VM
  3. Click on the Open Button
Edit the BackTrack5R1 VM
- Instructions:
  1. Select BackTrack5R1 VM
  2. Click Edit virtual machine settings
Edit Virtual Machine Settings
- Instructions:
  1. Click on Network Adapter
  2. Click on the Bridged Radio button
  3. Click on the OK Button
Play the BackTrack5R1 VM
- Instructions:
  1. Click on the BackTrack5R1 VM
  2. Click on Play virtual machine
Login to BackTrack
- Instructions:
  1. Login: root
  2. Password: toor or <whatever you changed it to>.
Bring up the GNOME
- Instructions:
  1. Type startx
Start up a terminal window
- Instructions:
  1. Click on the Terminal Window
Obtain the IP Address
- Instructions:
  1. ifconfig -a
  2. Record your IP Address (See Picture)
- Note(FYI):
  - My IP address 192.168.1.139.
  - In your case, it will probably be different.
  - This is the machine that will be use to attack the victim machine (Metasploitable).

Section 2: Download bmap

Create bmp folder
- Instructions:
  1. cd /opt
  2. mkdir bmap
  3. cd bmap
Open Firefox Web Browser
- Instructions:
  1. Applications --> Internet --> Firefox Web Browser
Navigate to bmap
- Instructions:
  1. In your Firefox browser navigate to the following address
    - http://dl.packetstormsecurity.net/linux/security/bmap-1.0.17.tar.gz
  2. Select the Save File Radio Button
  3. Click the OK Button
Save bmap
- Instructions:
  1. Click on File System
  2. Navigate to /opt/bmap
  3. Click Save
Unzip and Untar bmap
- Instructions:
  1. cd /opt/bmap
  2. ls -l
  3. gunzip bmap-1.0.17.tar.gz
  4. tar xovf bmap-1.0.17.tar
make bmap
- Instructions:
  1. cd /opt/bmap/bmap-1.0.17
  2. make
    - The purpose of the make utility is to determine automatically which pieces of a large program need to be recompiled, and issue the commands to recompile them.
- Note(FYI):
  1. You will see a lot of warnings. However, make will compile bmap.
make bmap
- Instructions:
  1. ln -s /opt/bmap/bmap-1.0.17/bmap /sbin/bmap
    - "ln -s", makes a link to the bmap command in the /sbin.
    - /sbin is typically a default directory found in the $PATH variable.
  2. which bmap
  3. bmap -help

Section 3: Create Test File

Create Test File
- Instructions:
  1. cd /var/tmp
  2. echo "This is a test file" > test.txt
  3. cat test.txt

Section 4: Using bmap to hide text in slack space

Show Slack Space
- Instructions:
  1. bmap --mode slack test.txt
  2. ls -l test.txt
- Note(FYI):
  1. The test.txt file is using 20 bytes of disk space.
  2. The test.txt file has 4076 bytes of "unused" slack space.
Hide Data in Slack Space
- Instructions:
  1. echo "Top Secret Data Goes Here" | bmap --mode putslack test.txt
  2. ls -l test
    - Notice the 20 byte size did not change after test was added to its slack space.
  3. cat test.txt
    - Notice the secret message is not present.
  4. strings test.txt
    - Not even strings can reach into the slack space of test.txt.

Section 5: Proof of Lab

Proof of Lab
- Note(FYI):
  - The following commands will be placed in the lower terminal window.
- Instructions
  1. rm test.txt
  2. ls -l test.txt
  3. echo "This is a test file" > test.txt
  4. bmap --mode slack test.txt
    - Notice the secret message was still present after the file was deleted and re-created.
  5. echo "Your Name"
    - Replace the string "Your Name" with your actual name.
    - e.g., echo "John Gray"
- Proof Of Lab Instructions:
  1. Do a PrtScn of the below commands
  2. Paste into a word document
  3. Upload to Moodle