
Using Timestomp To Change The MACE Values Of A File

Often in post-exploitation activities, penetration testers try to access files in order to read their contents. However, this immediately changes the MACE (Modified-Accessed-Created-Entry) attributes of the file, which is an indication to the administrator or the file owners that someone has read or modified the information stored in the file. The Metasploit framework provides a module that can change these values in case we don't want to leave any marks behind.

Let’s say that we have already obtained a meterpreter session and we have a .doc file with the following attributes:

[Screenshot: MACE Attributes – Doc]

As we can see, the file was created, modified and accessed on January 21 at 11:26:35. In the meterpreter session we can use timestomp -h to see the available options and how to use timestomp properly.

[Screenshot: timestomp – help banner]

The -v option is used to display the MACE values of the file, so we will run the following command:

[Screenshot: Display MACE values]

Now we can run the same command 4 times, once each with the -a, -m, -e and -c arguments, along with the date and time we want.

[Screenshot: Changing the MACE values]

We can verify that the file attributes have changed by using the -v option again.

[Screenshot: Verify the MACE changes]

As we can see from the above image, we have successfully changed the MACE attributes of the .doc file pentestlab. Alternatively, we can use the -z option, which will assign the same value to all attributes. However, this should be avoided, as realistically a file cannot be created, accessed and modified at the same time.
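From the defender's side, the point above about identical values is itself a triage signal. The following is an added example, not part of the original post or of Metasploit: it goes beyond the -z case and also checks for missing sub-second precision and for a $STANDARD_INFORMATION creation time earlier than the $FILE_NAME one (an NTFS assumption not covered on this page). The function name, field names and sample records are constructed for illustration.

```python
from datetime import datetime

# Hypothetical field names for the four MACE values of one file record.
FIELDS = ("modified", "accessed", "created", "entry_modified")

def timestomp_indicators(si, fn_created):
    """si: $STANDARD_INFORMATION times as ISO strings keyed by FIELDS.
    fn_created: $FILE_NAME creation time as an ISO string.
    Returns indicator names to triage; none is proof on its own."""
    t = {f: datetime.fromisoformat(si[f]) for f in FIELDS}
    hits = []
    # All four values identical: the pattern the -z option produces.
    if len(set(t.values())) == 1:
        hits.append("all_mace_identical")
    # Values entered as a date and time carry no sub-second part, while
    # timestamps written by the file system normally do.
    if all(v.microsecond == 0 for v in t.values()):
        hits.append("no_subsecond_precision")
    # Assumption: the $FILE_NAME creation time was left untouched, so a
    # $STANDARD_INFORMATION creation time before it is inconsistent.
    if t["created"] < datetime.fromisoformat(fn_created):
        hits.append("si_created_before_fn_created")
    return hits

# Constructed sample records, shaped like the output of an MFT parser.
SAMPLES = {
    "untouched.doc": (dict(zip(FIELDS, [
        "2013-01-21T11:40:02.118734", "2013-01-21T11:40:02.118734",
        "2013-01-21T11:26:35.482113", "2013-01-21T11:40:02.120011"])),
        "2013-01-21T11:26:35.482113"),
    "per_field.doc": (dict(zip(FIELDS, [
        "2012-10-05T09:15:00", "2012-11-02T14:30:00",
        "2012-09-30T08:00:00", "2012-10-05T09:15:00"])),
        "2013-01-21T11:26:35.482113"),
    "same_value.doc": (dict(zip(FIELDS, ["2012-09-30T08:00:00"] * 4)),
        "2013-01-21T11:26:35.482113"),
}

def scan(samples):
    """Map each file name to its list of indicators."""
    return {n: timestomp_indicators(si, fn) for n, (si, fn) in samples.items()}

if __name__ == "__main__":
    for name, hits in scan(SAMPLES).items():
        print(name, hits or "no indicators")
```

A freshly created, never-written file can legitimately show identical values, so these results are leads to correlate with other evidence rather than verdicts.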

 

 

Posted by on January 22, 2013 in Post Exploitation

 
