BaSs_HaXoR

Removing history/+logs on Hacked Boxes

Nov 24th, 2016
237
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 5.62 KB | None | 0 0
  1. #################################################################################################################################################
  2. ################################################################################################################################################################################
  3. If we're successful in owning a target system, we'll then want to make certain that the system administrator doesn't know we were there, and that he or she cannot track us.
  4.  
  5. In this guide, I'll show you a few ways that we can cover our tracks, making it VERY difficult for a system admin, forensic investigator, or law enforcement agent to track our malicious activities.
  6.  
  7. Log files are the most common technique for a system admin to determine what has taken place on their system. Every unsuccessful login, successful login, and security event is logged into the log files. So, the first thing we need to do is to make certain there is no trace of our malicious activities in those log files.
  8. ################################################################################################################################################################################
  9. #################################################################################################################################################
  10. Step 1) Clearing Event Logs with the Meterpreter
  11. In newer versions of Metasploit's meterpreter, there's a script called clearev to clear all event logs. This program will go into the event logs on a Windows system and clear out ALL of the logs. This might look a little suspicious to the vigilant system admin, but most system admins are NOT vigilant.
  12. At the very least, it will remove our connection and/or attempted connection from the log files. Of course, there may be other evidence left behind such as router logs and IDS logs, but we'll deal with those in a future tutorial.
  13. First, use Metasploit to compromise the system and get a meterpreter command prompt.
  14. Once we get a meterpreter on a system, we can simply type:
  15. meterpreter > clearev
  16.  
  17. As we can see in this screenshot above, all of the event logs from Application, System, and Security have been cleared from the log files on the victim system.
  18. #################################################################################################################################################
  19. Step 2) Clearing Event Logs on Windows Machines
  20. Another way to clear the log files on Windows systems is to use the clearlogs.exe file. You can download it from here.
  21. If we have physical access to the system, we can simply install it and then run clearlogs. We can choose to clear the Security, Application, or Security logs. To clear the security logs, type:
  22. clearlogs.exe -sec
  23.  
  24. We can then go to the Event Viewer and click on Security events, where we can see that all the security events have been cleared! There is no trace we had been there!
  25. If we have remote access to the system, we can simply upload it to the system with TFTP and then run it on the system.
  26. Don't forget to remove clearlogs.exe before leaving the system as the mere presence of the clearlogs file will be telltale evidence that someone has compromised their system.
  27. #################################################################################################################################################
  28. Step 3) Clearing Event Logs on Linux Computers
  29. In Linux systems, log files are stored in the /var/log directory. We can open and view that plain text file containing log messages by opening with any text editor (I'm using KWrite in BackTrack).
  30. kwrite /var/log/messages
  31.  
  32. Before we leave the compromised system, we'll want to open this file in our favorite text editor and simply delete ALL of the entries, or if we have time, carefully go through and delete any entries related specifically to our compromise of the system.
  33. #################################################################################################################################################
  34. Step 4) Erasing the Command History
  35. Finally, before we leave the compromised Linux system, we want to make certain that our command history is erased. Remember, the bash shell we're typing in will save our last 500 commands. A system admin could track all of our commands and detect and decipher our activities on the system and potentially use them as evidence.
  36. To see our history, we can use the more command:
  37. more ~/.bash_history
  38.  
  39. The size of our history file is determined by the environment variable HISTSIZE. We can check the size of the HISTSIZE variable by typing:
  40. echo $HISTSIZE
  41.  
  42. We could then set it to zero by typing:
  43. export HISTSIZE=0
  44.  
  45. Now, our shell will not store any of our history! If you remember, change it to zero before beginning the hack and none of your commands will be stored, but if you've already written some commands, remember to log out and log back in to clear your history after setting the HISTSIZE to zero.
  46. #################################################################################################################################################
  47. Step 5) Shredding the History File
  48. Sometimes we won't have enough time to erase the history file or change the HISTSIZE variable. In a hurry, we can simply shred our history file by typing:
  49. shred -zu root/.bash_history
  50. The shred command with the -zu switches will overwrite the history with zeros and delete the file.
  51.  
  52. To check to see if our history has been shredded, we can view the history file by typing:
  53. more /root/.bashhistory
  54.  
  55. //SOURCE: http://null-byte.wonderhowto.com/how-to/hack-like-pro-cover-your-tracks-leave-no-trace-behind-target-system-0148123/
Add Comment
Please, Sign In to add comment