
GIAC GPEN: What Meterpreter Module Is Used to Change File Timestamps After Compromising Windows System?

Learn which Meterpreter module – Core, Priv, Stdapi, or Browser – is used to modify file access and modified times to hide changes made while setting up a persistent backdoor on a compromised Windows machine. Understand how to cover your tracks as a penetration tester or ethical hacker.

Question

You have compromised a Windows workstation using Metasploit and have injected the Meterpreter payload into the svchost process. After modifying some files to set up a persistent backdoor you realize that you will need to change the modified and access times of the files to ensure that the administrator can’t see the changes you made. Which Meterpreter module would you need to load in order to do this?

A. Core
B. Priv
C. Stdapi
D. Browser

Answer

C. Stdapi

Explanation

When you have compromised a Windows machine using Metasploit and are interacting with it through a Meterpreter session, the Stdapi module provides a range of useful post-exploitation capabilities, including the ability to manipulate file attributes like timestamps.

Specifically, the Stdapi module includes the “timestomp” command which allows you to change the Modified, Accessed, and Created (MAC) times of files on the target system. This is critical for covering your tracks after making changes like installing a persistent backdoor.

For example, to change the timestamps of a modified file to match those of a legitimate system file, you could use:

timestomp -v c:\malicious_file.exe -f c:\windows\system32\calc.exe

This sets the MAC times of malicious_file.exe to be identical to those of calc.exe.

The other modules mentioned do not provide timestamp modification functionality:

  • Core: Provides core Meterpreter features like help, background sessions, etc.
  • Priv: Used for privilege escalation and user impersonation
  • Browser: Enables browser manipulation like URL redirection

So in summary, to stealthily modify file timestamps on a compromised Windows host, load the Stdapi Meterpreter module and use the timestomp command. This is an essential step in many post-exploitation scenarios.
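From the defender's side, the same technique leaves artifacts that an examiner can look for. The following is an added example for this page (not part of the original Q&A and not Metasploit code): a small heuristic checker that flags the three traces described above, a modified time earlier than the creation time, M/A/C times that all land on whole seconds (as happens when a time is typed in as a date string), and an M/A/C triple cloned exactly from another file (as the -f form does). The FileTimes class, function names and sample values are assumptions made for the example.

```python
import os
from collections import defaultdict
from dataclasses import dataclass

NS_PER_SEC = 1_000_000_000


@dataclass(frozen=True)
class FileTimes:
    """M/A/C times as integer nanoseconds since the epoch (the os.stat form)."""
    path: str
    modified_ns: int
    accessed_ns: int
    created_ns: int


def timestomp_indicators(ft: FileTimes) -> list[str]:
    """Per-file anomalies that timestamp manipulation commonly leaves behind."""
    reasons = []
    # A file cannot have been modified before it existed; backdating the
    # modified time to a value earlier than creation produces this ordering.
    if ft.modified_ns < ft.created_ns:
        reasons.append("modified-before-created")
    # NTFS stores 100 ns precision; a time typed in as "MM/DD/YYYY HH:MM:SS"
    # lands on a whole second, so all three fractions being zero is suspicious.
    if all(t % NS_PER_SEC == 0 for t in (ft.modified_ns, ft.accessed_ns, ft.created_ns)):
        reasons.append("whole-second-timestamps")
    return reasons


def cloned_time_groups(files: list[FileTimes]) -> list[list[str]]:
    """Groups of files sharing an identical M/A/C triple.
    Copying times from a donor file keeps the donor's sub-second fractions,
    so the per-file checks above miss it; an exact three-way match between
    unrelated files is the tell instead."""
    groups = defaultdict(list)
    for ft in files:
        groups[(ft.modified_ns, ft.accessed_ns, ft.created_ns)].append(ft.path)
    return [paths for paths in groups.values() if len(paths) > 1]


def times_from_stat(path: str) -> FileTimes:
    """Read a real file's times. Creation time is st_birthtime_ns where the
    platform exposes it (Windows on Python 3.12+, macOS/BSD); otherwise
    st_ctime_ns (creation time on older Windows, inode change time on Linux)."""
    st = os.stat(path)
    created = getattr(st, "st_birthtime_ns", st.st_ctime_ns)
    return FileTimes(path, st.st_mtime_ns, st.st_atime_ns, created)
```

To run it over a directory, build a list with times_from_stat() for each file and pass it to both check functions; on NTFS a stronger follow-up is comparing these $STANDARD_INFORMATION values against the $FILE_NAME timestamps from the MFT, which this example does not parse.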

GIAC GPEN certification exam practice question and answer (Q&A) dump with detailed explanations and references, available free and helpful for passing the GIAC GPEN exam and earning the GIAC GPEN certification.