Wednesday, June 8, 2016

METASPLOIT - Windows XP - Altering content and MACE timestamp of files remotely


- Layout for this exercise:

- One of the interesting post-exploitation attacks that Meterpreter can help to perform is altering the content and the MAC (Modified - Accessed - Created) timestamps of files on the victim's machine.

- Let's create a new folder called HELLO on the victim:

- Moving inside the folder:

- The Meterpreter execute command launches programs on the victim, for instance cmd.exe, which spawns a remote shell:

- A new text file is created inside that folder, and some content is added:

- Checking the existence and content of the new text file on the victim:

- Exiting the cmd on Meterpreter:

- The text file is downloaded to the attacker's machine to be altered:

- Checking its current content:

- Opening the text file, its content is altered on the attacker's machine:

- Uploading the altered text file from the attacker's machine to the original folder on the victim:

- The attack has been successful, as can be verified by checking the altered content of the text file on the victim's side.

- Finally, let's alter the MACE attributes of the text file. The current values:

- The Meterpreter timestomp command provides several options to alter the MACE attributes. For instance, the -b option blanks the attributes, altering them to random values:
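
A defender's view of the step above, as an added example that is not part of the original post: a Python check that flags file records whose MACE values look blanked or backdated. The record layout, the plausibility floor and all sample values are constructed assumptions, and the `$FILE_NAME` comparison goes beyond what the post covers and applies to NTFS volumes.

```python
from datetime import datetime, timezone

# Assumption: real timestamps on this host fall between FLOOR and "now".
FLOOR = datetime(1995, 1, 1, tzinfo=timezone.utc)
MACE = ("modified", "accessed", "created", "entry_modified")

def ts(text):
    """Parse an ISO timestamp string as UTC."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)

def timestamp_anomalies(rec, now):
    """Return the reasons one file record looks timestomped (empty if none)."""
    reasons = []
    for field in MACE:
        value = rec.get(field)
        if value is None:
            reasons.append(f"{field}: missing")
        elif value < FLOOR or value > now:
            reasons.append(f"{field}: outside plausible range ({value.date()})")
    # User-mode tools rewrite $STANDARD_INFORMATION only, so an $SI creation
    # time older than the $FILE_NAME one is a common backdating indicator.
    si_created, fn_created = rec.get("created"), rec.get("fn_created")
    if si_created and fn_created and si_created < fn_created:
        reasons.append("created: $SI earlier than $FN")
    return reasons

def scan(records, now):
    """Map path -> reasons for every record with at least one finding."""
    findings = {}
    for rec in records:
        reasons = timestamp_anomalies(rec, now)
        if reasons:
            findings[rec["path"]] = reasons
    return findings

def record(path, m, a, c, e, fn_created):
    # Hypothetical record layout: four $SI values plus the $FN creation time.
    return {"path": path, "modified": ts(m), "accessed": ts(a),
            "created": ts(c), "entry_modified": ts(e), "fn_created": ts(fn_created)}

# Constructed sample data, not values from the exercise above.
NOW = ts("2016-06-08T12:00:00")
T = "2016-06-08T10:00:00"
SAMPLE = [
    record(r"HELLO\untouched.txt", T, T, T, T, T),
    record(r"HELLO\blanked.txt", *["2106-02-07T06:28:15"] * 4, T),
    record(r"HELLO\backdated.txt", *["2010-01-01T00:00:00"] * 4, T),
]
```

Neither signal is conclusive on its own; treat a hit as a reason to pull the file's full MFT record and correlate it with other host evidence.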