SANS Internet Storm Center InfoSec Forums
Challenge: What can you do with funky directory names?

Good day readers! I've been playing around with creating unusual file names for a while. For example, did you know you can create a ".. " (dot dot space) directory on Windows just like you can in Linux? Want to try it? Open up a command prompt and type this:

That's interesting. Notice that our ".. " (dot dot space) directory is indistinguishable from the normal parent directory and is easily overlooked. Attackers have been hiding in the "dot dot space" directory for a long time on the Linux platform. Now try this from an administrative command prompt:

We created a ". " (dot space) directory with a ".. " (dot dot space) subdirectory. Then we put a copy of netcat in it. (Your path to nc.exe may be different from this example.) As you can see from the image above, you can still execute netcat without any problems if you use a symbolic link. Now try to browse to the c:\temp\ directory using the Windows Explorer GUI. You will notice the SHORTCUT to NC.EXE in our c:\temp directory. Double-click on the ". " (dot space) directory. You might expect that it takes you into a directory containing our ".. " (dot dot space) directory, but it doesn't! Instead we are still in the c:\temp directory with our shortcut to nc.exe! Double-click the ". " (dot space) directory again. This time we DO change to the directory containing ".. " (dot dot space). Weird! Now double-click your ".. " (dot dot space) directory. Where will that take you? It takes you to the following error message:

Interesting.  Now try this.  Open your command prompt and change directories to the path "c:\temp\2628~1\45AA~1\" and do a directory listing.  This strange directory name has been consistent in my limited testing.  Is it the same for you?  There is your copy of nc.exe!   What the heck is that?

Your mission, should you choose to accept it, is to tell me what you can do with this.   What causes this behavior?  Post a comment!

HEY! I'm teaching SANS SEC560 BOOTCAMP Style in Augusta GA June 11th - 16th.   Sign up today!



81 Posts
ISC Handler
Microsoft has many issues with paths. I remember when people were using the device names.
Another good one is, on a Citrix server where there is no access to C: - Just launch your cygwin Bash, and using the POSIX subsystem you can access C without any trouble.
Povl H.

70 Posts
c:\temp\2628~1\45AA~1\ here. Quite consistent behavior on WinXP.

The interesting part is that you can set NTFS short name by using fsutil:

C:\temp>copy c:\windows\system32\ipconfig.exe .
C:\temp>ren ipconfig.exe ipconfig.txt
C:\temp>fsutil file setshortname ipconfig.txt i.exe

2011.03.25 11:27 55.808 ipconfig.txt

Windows IP Configuration

The good part is that setting the short name requires high privileges, and it can be disabled altogether by use of fsutil or the corresponding registry key.

4 Posts
C:\temp\02E2~1\7173~1 actually. sorry for copy-paste errors :(

4 Posts
02e2~1 and 7173~1 :)

4 Posts
Forgive me for my ignorance, but what is 2628~1? It looks like a nibble with ~1 on the end as a flag, I am guessing?


15 Posts
Tomas is on the trail... 2e is hex for ascii ".".

42 Posts
@Matthew. Good question. What is that 2628~1? The ~1 is usually used to indicate the use of the backwards compatible 8.3 naming convention. No idea where the 2628 comes from. I'm hoping our readers will tell me.

@Stephen. The directory names created for me didn't seem to be related to ASCII in any way. Additionally, the same directory name ". " (dot space) seems to produce different directory names.

81 Posts
ISC Handler
Just a quick note:
C:\temp>dir /x (shows the short name for the dir)
C:\temp>dir /s (still works to show you the subdirectories)
~Of course, these can be combined into a single command...

10 Posts
One more note: Wikipedia has a good summary on 8dot3 name generation at

~1 is not actually the indication of an 8.3 name, but rather an index in case the long name is shortened to the same 8.3 name.

4 Posts
Perhaps I missed something, but where did the relative path "2628~1\45AA~1\" come from? As someone else posted above, I had the same instinct to consider that the values are ASCII hex (i.e. & ( E ª), though I don't see an obvious correlation here. Back in the DOS days, we used to hide directories in a similar fashion. We would create a directory with the name being a space only using alt +ASCII decimal value on the keypad. It was a great place to hide things, especially without Windows or file browsing utilities :)
It's also easy to use similar file name tricks to make your malicious binary appear to be Microsoft signed. Name your malware file "svchost.exe " (note trailing space) and put it in the same folder as the legitimate file. Attempted reads of your malicious file will "miss" your file and instead hit the legitimate (and signed) binary. (This is because win32 will auto-remove the trailing space.)

The nice thing about CreateProcess is that it launches the malicious process just fine. ;-)
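An added example, not code from the post or from any commenter: a Python scan a defender can run over a directory tree to surface the names discussed in this thread. It flags the ". " and ".. " style directories from the challenge and the trailing-space "svchost.exe " collision from the comment above; on Windows it additionally reports the 8.3 alias of each hit (the 2628~1-style name that dir /x shows, read via GetShortPathNameW) and the NtfsDisable8dot3NameCreation registry value that the fsutil comment refers to. The sample tree, its names and the reason strings are constructed for the demonstration; the Windows-only branches are skipped on other platforms.

```python
"""Added example (not from the ISC post or its comments): scan a tree for
names made only of dots/spaces, names with trailing spaces/dots that Win32
normalisation collapses onto a sibling, and (Windows only) their 8.3 aliases
and the NtfsDisable8dot3NameCreation setting. Sample data is constructed."""
from __future__ import annotations

import os
import shutil
import sys
import tempfile

DOTSPACE_REASON = "name is only dots/spaces (mimics . or ..)"
TRAILING_REASON = "trailing space/dot is stripped by Win32 path normalisation"


def win32_normalize(name: str) -> str:
    """Model only the Win32 rule that matters here: trailing spaces and dots
    are removed before a name is looked up (other rules not modelled)."""
    return name.rstrip(" .")


def classify_name(name: str) -> list[str]:
    """Return the reasons a single entry name is suspicious ([] if none)."""
    if name in (".", ".."):
        return []                      # the genuine self/parent entries
    if name.strip(" .") == "":
        return [DOTSPACE_REASON]       # ". ", ".. ", "...", " " and so on
    if win32_normalize(name) != name:
        return [TRAILING_REASON]       # "svchost.exe ", "readme.txt."
    return []


def find_collisions(names: list[str]) -> dict[str, list[str]]:
    """Group sibling names that are identical after normalisation and case
    folding; a group with more than one member is a spoofing candidate."""
    groups: dict[str, list[str]] = {}
    for name in names:
        groups.setdefault(win32_normalize(name).lower(), []).append(name)
    return {key: group for key, group in groups.items() if len(group) > 1}


def raw_path(path: str) -> str:
    """On Windows, prefix an absolute path with \\\\?\\ so the API reaches the
    entry as named on disk rather than the normalised name. Without it a
    walk into ". " is normalised back to its parent (cf. the Explorer
    behaviour in the challenge). Identity on other platforms."""
    if sys.platform == "win32" and not path.startswith("\\\\?\\"):
        return "\\\\?\\" + os.path.abspath(path)
    return path


def short_path(path: str) -> str | None:
    """Windows only: the 8.3 alias via GetShortPathNameW, else None."""
    if sys.platform != "win32":
        return None
    import ctypes
    from ctypes import wintypes
    fn = ctypes.windll.kernel32.GetShortPathNameW
    fn.argtypes = [wintypes.LPCWSTR, wintypes.LPWSTR, wintypes.DWORD]
    fn.restype = wintypes.DWORD
    buf = ctypes.create_unicode_buffer(1024)
    return buf.value if fn(raw_path(path), buf, len(buf)) else None


def ntfs_8dot3_setting() -> int | None:
    """Windows only: HKLM\\SYSTEM\\CurrentControlSet\\Control\\FileSystem
    \\NtfsDisable8dot3NameCreation (0 = short names generated, 1 = disabled;
    other values select per-volume behaviour on newer Windows)."""
    if sys.platform != "win32":
        return None
    import winreg
    key_path = r"SYSTEM\CurrentControlSet\Control\FileSystem"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        return int(winreg.QueryValueEx(key, "NtfsDisable8dot3NameCreation")[0])


def scan_tree(root: str) -> list[tuple[str, str]]:
    """Walk root; return (path, reason) for every suspicious entry and every
    normalisation collision among siblings."""
    findings: list[tuple[str, str]] = []
    for dirpath, dirnames, filenames in os.walk(raw_path(root)):
        siblings = dirnames + filenames
        for name in siblings:
            for reason in classify_name(name):
                findings.append((os.path.join(dirpath, name), reason))
        for key, group in find_collisions(siblings).items():
            findings.append((os.path.join(dirpath, key),
                             "siblings collide after normalisation: %r" % (group,)))
    return findings


def build_sample_tree() -> str:
    """Constructed sample mirroring the thread: <root>\\. \\.. plus a
    'svchost.exe ' beside the real name. Returns the temporary root."""
    root = tempfile.mkdtemp(prefix="funky_")
    os.makedirs(raw_path(os.path.join(root, ". ", ".. ")))
    for name, body in (("svchost.exe", b"legit"), ("svchost.exe ", b"not legit")):
        with open(raw_path(os.path.join(root, name)), "wb") as fh:
            fh.write(body)
    return root


def demo_findings() -> list[str]:
    """Build the sample tree, scan it, clean up, return the sorted reasons."""
    root = build_sample_tree()
    try:
        return sorted(reason for _, reason in scan_tree(root))
    finally:
        shutil.rmtree(raw_path(root))


if __name__ == "__main__":
    sample = build_sample_tree()
    for path, reason in scan_tree(sample):
        alias = short_path(path)
        print(f"{path!r}: {reason}" + (f" [8.3 alias: {alias}]" if alias else ""))
    print("NtfsDisable8dot3NameCreation =", ntfs_8dot3_setting())
    shutil.rmtree(raw_path(sample))
```

Run it as a script to see the constructed tree scanned; point scan_tree at a real directory to use it for triage. The collision check is the practical part: a trailing-space name on its own is odd, but a trailing-space name whose normalised form matches a sibling is the spoofing pattern described in the comment.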
