More On Metasploit Meterpreter & Timestomp

Well, probably "more"; I honestly didn't look.

So there is a blurb in the Metasploit Unleashed course on using timestomp. Unfortunately it leads you to believe that blanking the MACE values on a file or a whole directory is better than hiding in plain sight. I suppose this can be debated (so feel free).

But... timestomp has a few other options worth discussing, notably copying the MACE times from another file, setting the four attributes individually, or setting all four at once to a MACE time of your choosing.

meterpreter > timestomp
Usage: timestomp file_path OPTIONS

OPTIONS:

    -a   Set the "last accessed" time of the file
    -b   Set the MACE timestamps so that EnCase shows blanks
    -c   Set the "creation" time of the file
    -e   Set the "mft entry modified" time of the file
    -f   Set the MACE of attributes equal to the supplied file
    -h   Help banner
    -m   Set the "last written" time of the file
    -r   Set the MACE timestamps recursively on a directory
    -v   Display the UTC MACE values of the file
    -z   Set all four attributes (MACE) of the file

Check our current values. Despite the "UTC" in the help text, -v prints the stamps in local time with the UTC offset attached (the -0400/-0500 below), so convert before lining them up against a timeline.

meterpreter > timestomp C:\\boot.ini -v
Modified : Wed Aug 12 18:12:39 -0400 2009
Accessed : Thu Oct 29 16:13:12 -0400 2009
Created : Wed Aug 12 11:06:54 -0400 2009
Entry Modified: Wed Aug 12 18:23:34 -0400 2009

Set the Modified time to 11/11/2011 at 11:11:11

meterpreter > timestomp C:\\boot.ini -m "11/11/2011 11:11:11"
[*] Setting specific MACE attributes on C:\boot.ini


Did it work?

meterpreter > timestomp C:\\boot.ini -v
Modified : Fri Nov 11 11:11:11 -0500 2011
Accessed : Thu Oct 29 16:13:12 -0400 2009
Created : Wed Aug 12 11:06:54 -0400 2009
Entry Modified: Wed Aug 12 18:23:34 -0400 2009

Set them all to 11/11/2011 at 11:11:11

meterpreter > timestomp C:\\boot.ini -z "11/11/2011 11:11:11"
[*] Setting specific MACE attributes on C:\boot.ini


Did it work?

meterpreter > timestomp C:\\boot.ini -v
Modified : Fri Nov 11 11:11:11 -0500 2011
Accessed : Fri Nov 11 11:11:11 -0500 2011
Created : Fri Nov 11 11:11:11 -0500 2011
Entry Modified: Fri Nov 11 11:11:11 -0500 2011


From a file (-f copies all four stamps from the file you name onto the target)

meterpreter > timestomp C:\\update.exe -v
Modified : Fri Apr 30 05:59:36 -0400 2004
Accessed : Fri Oct 23 20:28:36 -0400 2009
Created : Thu Apr 29 22:33:55 -0400 2004
Entry Modified: Fri Apr 30 06:22:35 -0400 2004

meterpreter > timestomp C:\\update.exe -f C:\\boot.ini
[*] Setting MACE attributes on C:\update.exe from C:\boot.ini

meterpreter > timestomp C:\\update.exe -v
Modified : Fri Apr 30 05:59:36 -0400 2004
Accessed : Sat Oct 24 05:34:03 -0400 2009
Created : Thu Apr 29 22:33:55 -0400 2004
Entry Modified: Fri Apr 30 06:22:35 -0400 2004

meterpreter > timestomp C:\\boot.ini -v
Modified : Fri Apr 30 05:59:36 -0400 2004
Accessed : Sat Oct 24 05:34:03 -0400 2009
Created : Thu Apr 29 22:33:55 -0400 2004
Entry Modified: Fri Apr 30 06:22:35 -0400 2004

Compare the two dumps before trusting the direction. The status line says the stamps were written to update.exe from boot.ini, but it is boot.ini that now carries update.exe's 2004 values, and update.exe itself changed only in Accessed (bumped from Oct 23 to Oct 24 by the read). In this build -f copied the opposite way from what the message claims, so always follow a -f with a -v on both files and check which one actually moved.

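What -m, -z and -f do underneath, as an added example of my own (this is not Metasploit's implementation). It drives NtQueryInformationFile/NtSetInformationFile with FileBasicInformation, the interface that can set all four stamps including the "mft entry modified" ChangeTime, which the plain Win32 SetFileTime API cannot touch. Zero fields are left alone by the kernel, so passing one stamp is -m/-a/-c/-e and passing all four is -z; -f is a query on the source followed by a set on the target, with a read-back that catches the direction problem in the run above. The Windows calls obviously need Windows; the FILETIME conversion, the timestomp-style "MM/DD/YYYY HH:MM:SS" parser and the struct builder run anywhere. One assumption to note: parse_stamp treats the input as UTC, whereas the run above shows the values coming back in local time.

```python
"""Read and set the four NTFS timestamps (M, A, C, E) on a file.

Added example for this post, not Metasploit code.  Uses
NtQuery/NtSetInformationFile(FileBasicInformation): the one interface
that sets all four stamps, including ChangeTime ("mft entry modified").
"""
import ctypes
import sys
from datetime import datetime, timedelta, timezone

FILE_BASIC_INFORMATION_CLASS = 4                 # FileBasicInformation (ntifs.h)
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


class FILE_BASIC_INFORMATION(ctypes.Structure):
    _fields_ = [("CreationTime", ctypes.c_int64),      # C
                ("LastAccessTime", ctypes.c_int64),    # A
                ("LastWriteTime", ctypes.c_int64),     # M
                ("ChangeTime", ctypes.c_int64),        # E ("mft entry modified")
                ("FileAttributes", ctypes.c_uint32)]


class IO_STATUS_BLOCK(ctypes.Structure):
    _fields_ = [("Status", ctypes.c_void_p), ("Information", ctypes.c_void_p)]


def parse_stamp(text):
    """timestomp's input format, 'MM/DD/YYYY HH24:MM:SS'; assumed to be UTC here."""
    return datetime.strptime(text, "%m/%d/%Y %H:%M:%S").replace(tzinfo=timezone.utc)


def to_filetime(dt):
    """datetime -> FILETIME: 100-ns ticks since 1601-01-01 UTC, what NTFS stores.
    A naive datetime is taken as local time, like a stamp typed at the console."""
    d = dt.astimezone(timezone.utc) - _EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def from_filetime(ft):
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def build_basic_info(modified=None, accessed=None, created=None, entry_modified=None):
    """A zero field tells NtSetInformationFile to leave that stamp alone, so one
    argument is -m/-a/-c/-e and all four is -z.  FileAttributes 0 is likewise unchanged."""
    info = FILE_BASIC_INFORMATION()
    info.LastWriteTime = to_filetime(modified) if modified is not None else 0
    info.LastAccessTime = to_filetime(accessed) if accessed is not None else 0
    info.CreationTime = to_filetime(created) if created is not None else 0
    info.ChangeTime = to_filetime(entry_modified) if entry_modified is not None else 0
    info.FileAttributes = 0
    return info


def _open(path, write):
    if sys.platform != "win32":
        raise OSError("NTFS timestamp calls need Windows")
    k32 = ctypes.windll.kernel32
    k32.CreateFileW.restype = ctypes.c_void_p
    k32.CreateFileW.argtypes = [ctypes.c_wchar_p, ctypes.c_uint32, ctypes.c_uint32,
                                ctypes.c_void_p, ctypes.c_uint32, ctypes.c_uint32, ctypes.c_void_p]
    access = 0x80000000 | (0x100 if write else 0)    # GENERIC_READ | FILE_WRITE_ATTRIBUTES
    # share read/write/delete, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS (directories too)
    h = k32.CreateFileW(path, access, 0x7, None, 3, 0x02000000, None)
    if h is None or h == ctypes.c_void_p(-1).value:
        raise ctypes.WinError()
    return h


def _call(fn, h, info):
    iosb = IO_STATUS_BLOCK()
    status = fn(ctypes.c_void_p(h), ctypes.byref(iosb), ctypes.byref(info),
                ctypes.sizeof(info), FILE_BASIC_INFORMATION_CLASS)
    if status != 0:
        raise OSError("NTSTATUS 0x%08x" % (status & 0xFFFFFFFF))


def read_mace(path):
    """(modified, accessed, created, entry_modified) as UTC datetimes, like -v."""
    h = _open(path, write=False)
    try:
        info = FILE_BASIC_INFORMATION()
        _call(ctypes.windll.ntdll.NtQueryInformationFile, h, info)
    finally:
        ctypes.windll.kernel32.CloseHandle(ctypes.c_void_p(h))
    return tuple(from_filetime(t) for t in
                 (info.LastWriteTime, info.LastAccessTime, info.CreationTime, info.ChangeTime))


def set_mace(path, **stamps):
    h = _open(path, write=True)
    try:
        _call(ctypes.windll.ntdll.NtSetInformationFile, h, build_basic_info(**stamps))
    finally:
        ctypes.windll.kernel32.CloseHandle(ctypes.c_void_p(h))
    return read_mace(path)                       # read back, as the post does after each change


def copy_mace(target, source):
    """-f: copy all four stamps from source onto target.  True only if the
    read-back of target matches source, the check the -f run above needed."""
    m, a, c, e = read_mace(source)
    return set_mace(target, modified=m, accessed=a, created=c, entry_modified=e) == (m, a, c, e)


if __name__ == "__main__":                       # e.g. mace.py C:\update.exe -z "11/11/2011 11:11:11"
    path, opt, arg = (sys.argv[1:] + [None] * 3)[:3]
    if not path:
        sys.exit("usage: mace.py <file> [-m|-a|-c|-e|-z 'MM/DD/YYYY HH:MM:SS' | -f <source>]")
    if opt == "-f":
        print("copied and verified" if copy_mace(path, arg) else "MISMATCH after copy")
    elif opt in ("-m", "-a", "-c", "-e", "-z"):
        keys = {"-m": ["modified"], "-a": ["accessed"], "-c": ["created"], "-e": ["entry_modified"],
                "-z": ["modified", "accessed", "created", "entry_modified"]}[opt]
        set_mace(path, **{k: parse_stamp(arg) for k in keys})
    for label, value in zip(("Modified", "Accessed", "Created", "Entry Modified"), read_mace(path)):
        print(f"{label:15}: {value:%Y-%m-%d %H:%M:%S.%f} UTC")
```

Because the read-back happens through a handle opened with FILE_WRITE_ATTRIBUTES rather than a data read, it does not itself disturb Accessed; anything that reads the file contents afterwards (an AV scan, the next tool in your chain) will, unless the volume has last-access updates disabled.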

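The other side of "hiding in plain sight", as an added example that is not part of the original post: what an examiner looks for once the stamps have been set this way. Two facts drive it. The set-time interfaces rewrite $STANDARD_INFORMATION only, while $FILE_NAME is written by the filesystem on create and rename and is not reachable from user mode, so a $SI Created earlier than the $FN Created is a file that was backdated after it landed. And a stamp typed as "MM/DD/YYYY HH:MM:SS" lands with a zero sub-second part, whereas NTFS normally records 100-ns ticks, so four whole-second stamps, identical after -z, stand out. The records are constructed: the $SI values follow the -v output above, the sub-second digits and every $FN value are made up, and payload.exe is a hypothetical dropped file whose stamps were copied -f style from an old system file.

```python
"""Flag timestomp-style $STANDARD_INFORMATION ($SI) stamps against $FILE_NAME ($FN).

Added example, not from the post.  Records are constructed: $SI values follow
the post's -v output, fractions and $FN values are invented, not real MFT data.
"""
from datetime import datetime

KEYS = ("M", "A", "C", "E")


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def rec(name, si, fn_created):
    return {"name": name, "si": dict(zip(KEYS, map(_t, si))), "fn_created": _t(fn_created)}


SAMPLE = [
    rec("boot.ini original",
        ["2009-08-12 18:12:39.218750", "2009-10-29 16:13:12.546875",
         "2009-08-12 11:06:54.031250", "2009-08-12 18:23:34.062500"],
        "2009-08-12 11:06:54.031250"),
    rec("boot.ini after -m",          # one stamp typed in, the other three untouched
        ["2011-11-11 11:11:11.000000", "2009-10-29 16:13:12.546875",
         "2009-08-12 11:06:54.031250", "2009-08-12 18:23:34.062500"],
        "2009-08-12 11:06:54.031250"),
    rec("boot.ini after -z",          # all four set to the same typed second
        ["2011-11-11 11:11:11.000000"] * 4, "2009-08-12 11:06:54.031250"),
    rec("payload.exe",                # hypothetical: dropped 2009-10-23, $SI copied from a 2004 file
        ["2004-04-30 05:59:36.156250", "2009-10-24 05:34:03.437500",
         "2004-04-29 22:33:55.890625", "2004-04-30 06:22:35.265625"],
        "2009-10-23 20:28:36.812500"),
]


def analyze(r):
    """Return the anomaly labels that apply to one record."""
    si, reasons = r["si"], []
    whole = [k for k in KEYS if si[k].microsecond == 0]
    if len(whole) == 4:
        reasons.append("si_all_whole_seconds")           # every stamp lost its fraction
    elif whole:
        reasons.append("si_whole_seconds:" + "".join(whole))
    if len({si[k] for k in KEYS}) == 1:
        reasons.append("si_four_identical")              # the -z signature
    if si["C"] < r["fn_created"]:
        reasons.append("si_created_before_fn_created")   # $SI backdated past the $FN create
    return reasons


def verdict(reasons):
    """Backdating past $FN is decisive.  Whole seconds alone are only a hint
    (FAT media and some installers produce them) unless all four also match."""
    return ("si_created_before_fn_created" in reasons
            or {"si_all_whole_seconds", "si_four_identical"} <= set(reasons))


def scan(records=SAMPLE):
    return {r["name"]: analyze(r) for r in records}


if __name__ == "__main__":
    for name, reasons in scan().items():
        print(f"{'SUSPICIOUS' if verdict(reasons) else 'ok        '}  {name:22} {reasons}")
```

Note what slips through: a single -m leaves one whole-second stamp beside three fractional ones, which these rules only report as a hint, and a -f copy from a file on the same volume carries the source's fractions along, so the $FN comparison is what catches it. Only $SI Created is compared against $FN Created; $SI Modified older than $FN Created is normal for any file copied in with its original modification time, so using it would flood the report.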

Happy hiding in plain sight.

-CG

Written on Thursday, 29 October 2009 08:48 by