Often in post exploitation activities penetration testers are trying to access files in order to read their contents.However this means that immediately the MACE (Modified-Accessed-Created-Entry) attributes of the file are changing and this is an indication for the administrator or the file owners that someone has read or modified the information that is stored on the file.Metasploit framework provides us with a module that we can change these values in case that we don’t want to leave any marks behind.
Let’s say that we have already obtained a meterpreter session and we have a .doc file with the following attributes:
As we can see the files has created,modified and accessed on January 21 at 11:26:35.In the meterpreter session we can use the timestomp -h in order to see the available options and how to use the timestomp properly.
The -v option is used to display the MACE values of the file.So we will run the following command:
Now we can run the same command 4 times with the following arguments -a -m -e and -c each time along with the date and time of our desire.
We can verify that the file attributes has changed with the -v operator again.
As we can see from the above image we have successfully change the MACE attributes of the .doc file pentestlab.Alternatively we can use the -z option which it will assign the same values to all attributes.However this shall be avoided as realistically a file cannot be created,accessed and modified at the same time.
Leave a Reply