WINDOWS XP - REMOTE ALTERATION OF FILE CONTENT AND MAC TIMESTAMPS
- Layout for this exercise:
- One of the interesting post-exploitation attacks that Meterpreter can help perform is altering the content and MAC (Modified - Accessed - Created) timestamps of files on the victim's machine.
- Let's create a new folder called HELLO on the victim:
- Moving inside the folder:
- The Meterpreter execute command runs diverse actions, for instance cmd.exe, which spawns a remote shell:
- A new text file is created inside that folder, and some content is added:
- Checking the existence and content of the new text file on the victim:
- Exiting the cmd on Meterpreter:
- The text file is downloaded to the attacker's side to be altered:
- Checking its current content:
- Opening the text file, its content is altered on the attacker's machine:
- Uploading the already altered text file from the attacker to the original folder on the victim:
- The attack has been successful, as can be proved by checking the altered content of the text file on the victim's side.
- Finally, let's alter the MACE attributes of the text file. The current values:
- The Meterpreter timestomp command provides some options to alter the MACE attributes. For instance, the -b option blanks the attributes, altering them to random values:
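
From the defender's side, altered MAC values like the ones described above can be hunted by flagging files whose timestamps fall outside a plausible window. The following is an added example, not part of the original walkthrough; the function names, the 1995 floor date and the one-day clock-skew allowance are assumptions chosen for illustration, and the sample file is constructed.

```python
import os
import tempfile
import time
from datetime import datetime, timezone

# Assumption: nothing in the monitored folder legitimately predates this date.
FLOOR = datetime(1995, 1, 1, tzinfo=timezone.utc).timestamp()

def implausible_timestamps(path, now=None, floor=FLOOR, skew=86400):
    """Return the MAC fields of `path` that lie outside [floor, now + skew]."""
    now = time.time() if now is None else now
    st = os.stat(path)
    fields = {
        "modified": st.st_mtime,
        "accessed": st.st_atime,
        # On Windows st_ctime has historically been the creation time;
        # on POSIX it is the inode change time.
        "created_or_changed": st.st_ctime,
    }
    return sorted(n for n, ts in fields.items() if ts < floor or ts > now + skew)

def scan(root, **kw):
    """Walk `root` and map each flagged file to its implausible fields."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                bad = implausible_timestamps(full, **kw)
            except OSError:
                continue  # file vanished or is unreadable
            if bad:
                findings[full] = bad
    return findings

if __name__ == "__main__":
    # Constructed sample: one untouched file, one with M and A forced to the epoch.
    with tempfile.TemporaryDirectory() as d:
        for name in ("normal.txt", "altered.txt"):
            with open(os.path.join(d, name), "w") as fh:
                fh.write("hello\n")
        os.utime(os.path.join(d, "altered.txt"), (0, 0))
        for path, bad in scan(d).items():
            print(path, "->", ", ".join(bad))
```

A timestamp that has been changed to a value inside the plausible window passes this check, so it is a triage filter rather than proof that a file is untouched.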