Often in post exploitation activities penetration testers are trying to access files in order to read their contents.However this means that immediately the MACE (Modified-Accessed-Created-Entry) attributes of the file are changing and this is an indication for the administrator or the file owners that someone has read or modified the information that is stored on the file.Metasploit framework provides us with a module that we can change these values in case that we don’t want to leave any marks behind.

Let’s say that we have already obtained a meterpreter session and we have a .doc file with the following attributes:

MACE Attributes - Doc
MACE Attributes – Doc

 

As we can see the files has created,modified and accessed on January 21 at 11:26:35.In the meterpreter session we can use the timestomp -h in order to see the available options and how to use the timestomp properly.

timestomp - help banner
timestomp – help banner

 

The -v option is used to display the MACE values of the file.So we will run the following command:

Display MACE values
Display MACE values

 

Now we can run the same command 4 times with the following arguments -a -m -e and -c each time along with the date and time of our desire.

Changing the MACE values
Changing the MACE values

 

We can verify that the file attributes has changed with the -v operator again.

Verify the MACE changes
Verify the MACE changes

 

As we can see from the above image we have successfully change the MACE attributes of the .doc file pentestlab.Alternatively we can use the -z option which it will assign the same values to all attributes.However this shall be avoided as realistically a file cannot be created,accessed and modified at the same time.

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s