More On Metasploit Meterpreter & Timestomp


Well, probably "more" I honestly didn't look.

So there is a blurb in the Metasploit Unleashed course on using timestomp. Unfortunately it leads you to believe that blanking the MACE values on a file or whole directory is better than hiding in plain sight. I suppose this can be debated (so feel free).

But... timestomp has a few other options worth discussing, notably setting MACE times from a file, setting attributes individually, or setting all four attributes at once to a MACE time of your choosing.

meterpreter > timestomp

Usage: timestomp file_path OPTIONS

OPTIONS:

    -a   Set the "last accessed" time of the file
    -b   Set the MACE timestamps so that EnCase shows blanks
    -c   Set the "creation" time of the file
    -e   Set the "mft entry modified" time of the file
    -f   Set the MACE of attributes equal to the supplied file
    -h   Help banner
    -m   Set the "last written" time of the file
    -r   Set the MACE timestamps recursively on a directory
    -v   Display the UTC MACE values of the file
    -z   Set all four attributes (MACE) of the file

Check our current values

meterpreter > timestomp C:\\boot.ini -v
Modified : Wed Aug 12 18:12:39 -0400 2009
Accessed : Thu Oct 29 16:13:12 -0400 2009
Created : Wed Aug 12 11:06:54 -0400 2009
Entry Modified: Wed Aug 12 18:23:34 -0400 2009

Set the Modified time to 11/11/2011 at 11:11:11

meterpreter > timestomp C:\\boot.ini -m "11/11/2011 11:11:11"
[*] Setting specific MACE attributes on C:\boot.ini


Did it work?

meterpreter > timestomp C:\\boot.ini -v
Modified : Fri Nov 11 11:11:11 -0500 2011
Accessed : Thu Oct 29 16:13:12 -0400 2009
Created : Wed Aug 12 11:06:54 -0400 2009
Entry Modified: Wed Aug 12 18:23:34 -0400 2009

Set them all to 11/11/2011 at 11:11:11

meterpreter > timestomp C:\\boot.ini -z "11/11/2011 11:11:11"
[*] Setting specific MACE attributes on C:\boot.ini

Did it work?

meterpreter > timestomp C:\\boot.ini -v
Modified : Fri Nov 11 11:11:11 -0500 2011
Accessed : Fri Nov 11 11:11:11 -0500 2011
Created : Fri Nov 11 11:11:11 -0500 2011
Entry Modified: Fri Nov 11 11:11:11 -0500 2011


From a file

meterpreter > timestomp C:\\update.exe -v
Modified : Fri Apr 30 05:59:36 -0400 2004
Accessed : Fri Oct 23 20:28:36 -0400 2009
Created : Thu Apr 29 22:33:55 -0400 2004
Entry Modified: Fri Apr 30 06:22:35 -0400 2004

meterpreter > timestomp C:\\update.exe -f C:\\boot.ini
[*] Setting MACE attributes on C:\update.exe from C:\boot.ini

meterpreter > timestomp C:\\update.exe -v
Modified : Fri Apr 30 05:59:36 -0400 2004
Accessed : Sat Oct 24 05:34:03 -0400 2009
Created : Thu Apr 29 22:33:55 -0400 2004
Entry Modified: Fri Apr 30 06:22:35 -0400 2004

meterpreter > timestomp C:\\boot.ini -v
Modified : Fri Apr 30 05:59:36 -0400 2004
Accessed : Sat Oct 24 05:34:03 -0400 2009
Created : Thu Apr 29 22:33:55 -0400 2004
Entry Modified: Fri Apr 30 06:22:35 -0400 2004
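
Seen from the examiner's side, the listings above carry their own tells. The following is an added example, not part of the original post or of Metasploit: it parses `timestomp -v` style output and flags MACE sets that are all identical, later than the collection time, or shared by two files. The function names and the collection time are assumptions.

```python
from datetime import datetime, timezone

FMT = "%a %b %d %H:%M:%S %z %Y"  # layout printed by `timestomp <file> -v`
FIELDS = ("Modified", "Accessed", "Created", "Entry Modified")

# Values copied from the listings above: boot.ini after -z, and the set that
# update.exe and boot.ini share after -f.
AFTER_Z = """Modified : Fri Nov 11 11:11:11 -0500 2011
Accessed : Fri Nov 11 11:11:11 -0500 2011
Created : Fri Nov 11 11:11:11 -0500 2011
Entry Modified: Fri Nov 11 11:11:11 -0500 2011"""
AFTER_F = """Modified : Fri Apr 30 05:59:36 -0400 2004
Accessed : Sat Oct 24 05:34:03 -0400 2009
Created : Thu Apr 29 22:33:55 -0400 2004
Entry Modified: Fri Apr 30 06:22:35 -0400 2004"""
COLLECTED = datetime(2009, 11, 1, tzinfo=timezone.utc)  # assumed collection time

def parse_mace(listing):
    """Parse one `timestomp -v` listing into {field: timezone-aware datetime}."""
    mace = {}
    for line in listing.strip().splitlines():
        name, _, value = line.partition(":")
        if name.strip() in FIELDS and value.strip():
            mace[name.strip()] = datetime.strptime(value.strip(), FMT)
    return mace

def review(files, collected_at):
    """Return sorted (path, finding) pairs for MACE sets that merit a closer look."""
    findings, seen = set(), {}
    for path, mace in files.items():
        stamps = tuple(mace.get(f) for f in FIELDS)
        if None in stamps:
            findings.add((path, "MACE value missing from listing"))
            continue
        if len(set(stamps)) == 1:
            findings.add((path, "all four MACE values identical"))
        if any(s > collected_at for s in stamps):
            findings.add((path, "timestamp later than collection time"))
        if stamps in seen:
            findings.add((path, "MACE set identical to " + seen[stamps]))
        else:
            seen[stamps] = path
    return sorted(findings)

if __name__ == "__main__":
    print(review({"C:\\boot.ini": parse_mace(AFTER_Z)}, COLLECTED))
    print(review({"C:\\update.exe": parse_mace(AFTER_F),
                  "C:\\boot.ini": parse_mace(AFTER_F)}, COLLECTED))
```

These checks are triage hints rather than proof: installers and file copies can also produce matching timestamps, so a hit is a reason to look closer at the file.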



Happy hiding in plain sight.

-CG

Written on Thursday, 29 October 2009 08:48 by
