Thursday, October 29, 2009

More On Metasploit Meterpreter & Timestomp

Well, probably "more"; I honestly didn't look.

So there is a blurb in the Metasploit Unleashed course on using timestomp. Unfortunately it leads you to believe that blanking the MACE values on a file or a whole directory is better than hiding in plain sight. I suppose this can be debated (so feel free).

But... timestomp has a few other options worth discussing, notably copying the MACE times from another file, setting individual attributes, or setting all four attributes at once to a MACE time of your choosing.

meterpreter > timestomp

Usage: timestomp file_path OPTIONS

OPTIONS:

-a Set the "last accessed" time of the file
-b Set the MACE timestamps so that EnCase shows blanks
-c Set the "creation" time of the file
-e Set the "mft entry modified" time of the file
-f Set the MACE of attributes equal to the supplied file
-h Help banner
-m Set the "last written" time of the file
-r Set the MACE timestamps recursively on a directory
-v Display the UTC MACE values of the file
-z Set all four attributes (MACE) of the file

Check the current values:

meterpreter > timestomp C:\\boot.ini -v
Modified : Wed Aug 12 18:12:39 -0400 2009
Accessed : Thu Oct 29 16:13:12 -0400 2009
Created : Wed Aug 12 11:06:54 -0400 2009
Entry Modified: Wed Aug 12 18:23:34 -0400 2009

Set the Modified time to 11/11/2011 at 11:11:11

meterpreter > timestomp C:\\boot.ini -m "11/11/2011 11:11:11"
[*] Setting specific MACE attributes on C:\boot.ini


Did it work?

meterpreter > timestomp C:\\boot.ini -v
Modified : Fri Nov 11 11:11:11 -0500 2011
Accessed : Thu Oct 29 16:13:12 -0400 2009
Created : Wed Aug 12 11:06:54 -0400 2009
Entry Modified: Wed Aug 12 18:23:34 -0400 2009

Set them all to 11/11/2011 at 11:11:11

meterpreter > timestomp C:\\boot.ini -z "11/11/2011 11:11:11"
[*] Setting specific MACE attributes on C:\boot.ini


Did it work?

meterpreter > timestomp C:\\boot.ini -v
Modified : Fri Nov 11 11:11:11 -0500 2011
Accessed : Fri Nov 11 11:11:11 -0500 2011
Created : Fri Nov 11 11:11:11 -0500 2011
Entry Modified: Fri Nov 11 11:11:11 -0500 2011


Copy the MACE values from another file. Watch which file actually changes in the output below: after the -f command it is boot.ini that ends up carrying update.exe's times, not the other way around, so always confirm the result with -v.

meterpreter > timestomp C:\\update.exe -v
Modified : Fri Apr 30 05:59:36 -0400 2004
Accessed : Fri Oct 23 20:28:36 -0400 2009
Created : Thu Apr 29 22:33:55 -0400 2004
Entry Modified: Fri Apr 30 06:22:35 -0400 2004

meterpreter > timestomp C:\\update.exe -f C:\\boot.ini
[*] Setting MACE attributes on C:\update.exe from C:\boot.ini

meterpreter > timestomp C:\\update.exe -v
Modified : Fri Apr 30 05:59:36 -0400 2004
Accessed : Sat Oct 24 05:34:03 -0400 2009
Created : Thu Apr 29 22:33:55 -0400 2004
Entry Modified: Fri Apr 30 06:22:35 -0400 2004

meterpreter > timestomp C:\\boot.ini -v
Modified : Fri Apr 30 05:59:36 -0400 2004
Accessed : Sat Oct 24 05:34:03 -0400 2009
Created : Thu Apr 29 22:33:55 -0400 2004
Entry Modified: Fri Apr 30 06:22:35 -0400 2004
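For the other side of this, here is what a forensic analyst would check afterwards. It is an added example, not code from the original post or from Metasploit. It runs heuristics over the two NTFS timestamp sets in an MFT record: $STANDARD_INFORMATION ($SI), which SetFileTime()-style tools such as timestomp rewrite, and $FILE_NAME ($FN), which the kernel maintains and those calls do not touch. The records, field names and sub-second fractions are constructed for the example (the $SI values for boot.ini reproduce the -z result above); a real run would feed it the output of an MFT parser instead.

```python
# Added example (not from the original post): heuristic checks a forensic
# analyst can run over NTFS MFT timestamps to spot timestomp-style edits.
# All records below are constructed and mirror the post's boot.ini scenario;
# the field names are this script's own, not a real MFT parser's format.
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

EDT = timezone(timedelta(hours=-4))
EST = timezone(timedelta(hours=-5))
KEYS = ("modified", "accessed", "created", "entry_modified")


@dataclass
class MftTimes:
    """One MFT record's two timestamp sets: $SI (user-mode writable) and
    $FN (kernel-maintained, untouched by SetFileTime-style calls)."""
    path: str
    si: dict[str, datetime]
    fn: dict[str, datetime]


def timestomp_indicators(rec: MftTimes, acquired_at: datetime) -> list[str]:
    """Return human-readable indicators; an empty list means nothing suspicious."""
    hits: list[str] = []

    # 1. Zero sub-second $SI values. timestomp takes "MM/DD/YYYY HH:MM:SS", so
    #    the 100 ns fraction NTFS normally records comes out as exactly zero.
    #    Files copied from FAT media or extracted from archives share this
    #    trait, so compare against $FN before drawing conclusions.
    zeroed = [k for k in KEYS if rec.si[k].microsecond == 0]
    if zeroed and all(rec.fn[k].microsecond != 0 for k in KEYS):
        hits.append("zero sub-second precision in $SI " + ", ".join(zeroed) + " but not in $FN")

    # 2. $SI created earlier than $FN created. $FN created is written when the
    #    name enters the MFT, so $SI cannot legitimately predate it.
    if rec.si["created"] < rec.fn["created"]:
        hits.append("$SI created predates $FN created (backdating)")

    # 3. Timestamps in the future relative to image acquisition. The post's
    #    own example stamps 2011 onto a system being used in October 2009.
    future = [k for k in KEYS if rec.si[k] > acquired_at]
    if future:
        hits.append("$SI " + ", ".join(future) + " later than acquisition time")

    # 4. All four $SI values identical to the tick (the -z case). A file that
    #    has ever been opened or edited after creation rarely looks like this.
    if len(set(rec.si.values())) == 1:
        hits.append("all four $SI timestamps identical")
    return hits


def scan(records: list[MftTimes], acquired_at: datetime) -> dict[str, list[str]]:
    return {r.path: timestomp_indicators(r, acquired_at) for r in records}


# Constructed sample data. boot.ini's $SI reproduces the post's -z result; its
# $FN reuses the pre-stomp times from the post with made-up sub-second
# fractions, as an untouched $FN attribute would carry.
ACQUIRED_AT = datetime(2009, 10, 29, 16, 30, 0, tzinfo=EDT)
STOMPED = datetime(2011, 11, 11, 11, 11, 11, tzinfo=EST)
SAMPLE_RECORDS = [
    MftTimes(
        path=r"C:\boot.ini",
        si={k: STOMPED for k in KEYS},
        fn={"modified": datetime(2009, 8, 12, 18, 12, 39, 481203, tzinfo=EDT),
            "accessed": datetime(2009, 10, 29, 16, 13, 12, 77510, tzinfo=EDT),
            "created": datetime(2009, 8, 12, 11, 6, 54, 903117, tzinfo=EDT),
            "entry_modified": datetime(2009, 8, 12, 18, 23, 34, 115602, tzinfo=EDT)},
    ),
    # Constructed backdated file: $SI claims 2004, but the name was created in 2009.
    MftTimes(
        path=r"C:\temp\sample.exe",
        si={"modified": datetime(2004, 4, 30, 5, 59, 36, tzinfo=EDT),
            "accessed": datetime(2009, 10, 24, 5, 34, 3, tzinfo=EDT),
            "created": datetime(2004, 4, 29, 22, 33, 55, tzinfo=EDT),
            "entry_modified": datetime(2004, 4, 30, 6, 22, 35, tzinfo=EDT)},
        fn={k: datetime(2009, 10, 23, 20, 28, 36, 640021, tzinfo=EDT) for k in KEYS},
    ),
    # Constructed benign file: fractions present, $SI and $FN consistent.
    MftTimes(
        path=r"C:\notes.txt",
        si={"modified": datetime(2009, 9, 1, 9, 15, 2, 338140, tzinfo=EDT),
            "accessed": datetime(2009, 10, 20, 8, 0, 7, 912004, tzinfo=EDT),
            "created": datetime(2009, 8, 30, 14, 2, 55, 120311, tzinfo=EDT),
            "entry_modified": datetime(2009, 9, 1, 9, 15, 2, 338140, tzinfo=EDT)},
        fn={k: datetime(2009, 8, 30, 14, 2, 55, 120311, tzinfo=EDT) for k in KEYS},
    ),
]

if __name__ == "__main__":
    for path, hits in scan(SAMPLE_RECORDS, ACQUIRED_AT).items():
        print(path, "->", hits or ["no indicators"])
```

None of these checks is proof on its own; the $SI/$FN comparison is the strongest because the tool shown above only reaches $SI, while the zero-fraction and identical-value checks are exactly what the -m and -z options leave behind.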

Happy hiding in plain sight.

-CG
