Forum Thread: My Hacking Stealth Script

In Legal Consequences of Hacking, OWT was kind enough to help me with some information. He asked me to post a script that will put your system into Stealth mode. The goal of the script will be to stop all logging and history files, then restore them after you no longer need to be stealthy :)

I will do this thread pretty much the same way as I did "My first Hack". I will probably do it in two to three comments so you all can have the code in sections and customize it the way you need, and even use it for doing other things. I know I will use it as a base code.

Below is my StealthMode script outline. It has been tested and runs:

#! /usr/bin/perl
print "hello Master\n";
# I love that part my computer calls me master
print " I will be handling Stealth Mode for you\n";
print "what process do you wish to run, options = pre or post\n";
$name = <STDIN>;
chomp $name;
if ($name eq pre){
print "yes Master setting up Stealth\n";
}
#system (insert first command here) testing and debugging before I actually run a bash command
elsif ($name eq post){
print "yes Master exiting stealth mode resetting system\n";
}
#system (1st bash here)
else {
print "Oh my fat fingered Master #try again\n";
}
#I will add a loop here to the first if, have to study it though
#not worried about exiting the loop, control-c will do it

16 Responses

oops had a saving error, change the else to this
else {
print "Oh my fat fingered Master #try again\n";
}

Ok I am stuck. When I run
/etc/init.d/rsyslog stop
then check it with
/etc/init.d/rsyslog status

it states the service is still running. :\

What am I doing wrong?

I don't need help with the below just presenting an outline

Since Kali does not have Zeitgeist installed, I am not gonna worry about stopping those logs.

I am looking into moving history to a tmpfs in RAM or my flash drive; those files may be interesting to review when exiting stealth mode.

Ok other Noobs (Noobs unite),

As per OWT's request I have finished my little perl script. I will add features as I gain more skills and knowledge, but to the best of what I know now this should put you in stealth mode, in other words hiding most all your actions. Instead of hist=0 I set an option for shredding the file (it's commented out in case someone runs the script without thinking), as I may want to review the file myself.

I know it's kind of messy, but this is the best I can do until OWT does some more tuts. I still have concerns about the syslog but hope to get them clarified as I gain skills.

#! /usr/bin/perl
print "hello Master\n";
# I love that part my computer calls me master
print " I will be handling Stealth Mode for you\n";
print "what process do you wish to run, options = pre or post\n";
$name = <STDIN>;
chomp $name;
if ($name eq pre){
print "yes Master going into Stealth\n";
system ("ifconfig wlan0 down\n");
system ("iwconfig wlan0 mode monitor\n");
#you need to be in monitor mode before the mac change for it to take effect, and I am setting it up in case I use aircrack
system ("macchanger --mac 11:22:33:44:55 wlan0\n");

system ("sudo ifconfig wlan0 up\n");
system ("ifconfig eth0 192.168.1.115\n");
system ("/etc/init.d/rsyslog stop\n");

#at this point I often have to disconnect and reconnect my wifi for my browser to work; if it becomes an issue I will do it from here.

}

elsif ($name eq post){
print "yes Master exiting Stealth resetting system\n";

print "do you wish me to shred history\n";
$input = <STDIN>;
chomp $input;
if ($input eq yes){
#system ("shred -zu root/.bash_history\n");
system ("more ~/.bash_history\n");
system ("/etc/init.d/rsyslog start\n");
}}

#I will probably add things like rebooting options to clear memory

else {
print "Sorry my fat fingered Master try again\n";
}
#I will add a loop here to the first if, have to study it though
#not worried about exiting the loop, control-c can exit

This is really much prettier in my editor, but this comment section has moved all lines to the left. I will try to get a screenshot of it, as the format is in proper coding, but for you all to be able to cut and paste it I have to do it this way.

enjoy.

The idea of creating a script that puts you in a stealth mode is very interesting.
The thing is, in your script you only change your MAC and stop the logging done through rsyslog.
I am not sure as to which logs are controlled by rsyslog, but I know that Linux has so many of them.

Also, I noticed that when you leave the stealth mode you offer the option to shred bash_history, which is a good last resort solution, but not a stealth solution. If anyone analyzes the bash history after its shredding he will notice that it has been shredded. This is why I think it would be better to simply change the HISTSIZE variable value to 0 when we start the stealth mode and return to normal (500) when we finish. This way the bash history will appear like nothing happened during that time.

List of logs:

/var/log/lastlog
/var/log/telnetd
/var/run/utmp
/var/log/secure
/root/.ksh_history
/root/.bash_history
/root/.bash_logout
/var/log/wtmp
/etc/wtmp
/var/run/utmp
/etc/utmp
/var/log
/var/adm
/var/apache/log
/var/apache/logs
/usr/local/apache/log
/usr/local/apache/logs
/var/log/acct
/var/log/xferlog
/var/log/messages
/var/log/proftpd/xferlog.legacy
/var/log/proftpd.access_log
/var/log/proftpd.xferlog
/var/log/httpd/error_log
/var/log/httpd/access_log
/etc/httpd/logs/access_log
/etc/httpd/logs/error_log
/var/log/httpsd/ssl.access_log
/var/log/httpsd/ssl_log
/var/log/httpsd/ssl.access_log
/etc/mail/access
/var/log/qmail
/var/log/smtpd
/var/log/samba
/var/log/samba-log.%m
/var/lock/samba
/root/.Xauthority
/var/log/poplog
/var/log/news.all
/var/log/spooler
/var/log/news
/var/log/news/news
/var/log/news/news.all
/var/log/news/news.crit
/var/log/news/news.err
/var/log/news/news.notice
/var/log/news/suck.err
/var/log/news/suck.notice
/var/spool/tmp
/var/spool/errors
/var/spool/logs
/var/spool/locks
/usr/local/www/logs/thttpd_log
/var/log/thttpd_log
/var/log/ncftpd/misclog.txt
/var/log/ncftpd.errs
/var/log/auth
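Sou's point cuts both ways: the traces this kind of script leaves are exactly what a defender looks for. As an added illustration (not code from anyone in this thread), here is a Python check over a constructed syslog excerpt that flags the privileged stop command, rsyslogd's own exit and start markers, and any unexplained silence between consecutive lines. The classic syslog line layout, the `exiting on signal 15` / `start` wording and the sample lines themselves are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Classic syslog line: "Mon DD HH:MM:SS host prog[pid]: message" (no year, so one is assumed).
LINE_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ([^:\[]+)(?:\[\d+\])?: (.*)$")

# Constructed sample, not taken from any real host: rsyslog is stopped, the box is
# silent for two and a half hours, then logging resumes.
SAMPLE_LOG = """\
Mar  3 09:00:01 kali CRON[1201]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 09:04:12 kali sudo:     jon : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/etc/init.d/rsyslog stop
Mar  3 09:04:12 kali rsyslogd: [origin software="rsyslogd"] exiting on signal 15.
Mar  3 11:37:40 kali rsyslogd: [origin software="rsyslogd"] start
Mar  3 11:38:02 kali NetworkManager[812]: <info> (wlan0): device state change: activated
"""

def parse(line, year=2024):
    """Split one syslog line into (timestamp, host, program, message); None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3).strip(), m.group(4)

def find_blackouts(text, max_gap=timedelta(minutes=30)):
    """Return (kind, timestamp[, end]) findings in log order: the privileged stop
    command itself, rsyslogd's own stop/start markers, and any silence longer
    than max_gap between consecutive lines."""
    findings, prev = [], None
    for raw in text.splitlines():
        rec = parse(raw)
        if rec is None:
            continue
        ts, _host, prog, msg = rec
        if prev is not None and ts - prev > max_gap:
            findings.append(("gap", prev, ts))
        if prog == "sudo" and "COMMAND=" in msg:
            cmd = msg.split("COMMAND=", 1)[1]
            if "rsyslog" in cmd and cmd.endswith("stop"):
                findings.append(("sudo_rsyslog_stop", ts))
        elif prog == "rsyslogd" and "exiting on signal" in msg:
            findings.append(("logging_stopped", ts))
        elif prog == "rsyslogd" and msg.endswith(" start"):
            findings.append(("logging_started", ts))
        prev = ts
    return findings

if __name__ == "__main__":
    for finding in find_blackouts(SAMPLE_LOG):
        print(*finding)
```

On a real host the same gap logic applies to journald output or to a remote log collector, which is why shipping logs off-box defeats a local "stop rsyslog" far more reliably than any single check here.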

Thanks sou,

I really appreciate your input.

My script also spoofs your IP address. I will probably add an option for setting hist=0 as you recommended. I do like the idea of being able to read my own actions for review should I need to. Hummmm, perhaps setting up a key-logger that I would have more control over might be an answer.

To the best of my knowledge the rsyslog daemon handles all logging which includes what you have listed above, although I am sure I am still missing something on it. I might have to edit the rsyslog.config.

I am going to work today on setting up a proxy route for the spoofed ip.

There is an option for macchanger to use a random mac address that I will probably change to.

Going to look into having an automatic dynamic IP address for spoofing.

I am sure it's needless to say that one should have this script on a thumb drive, not on his hard drive. And should not leave it plugged into his computer; in other words, only used when needed and hidden away in some dark deep vault.

humm testing the script and now
/etc/init.d/rsyslog stop works
/etc/init.d/rsyslog status says
rsyslogd is not running ... failed

:/

but I am thinking I may need to add
chmod -x /etc/init.d/rsyslog to make it more stable

got it, rsyslog needs to be run in root for Kali. When I was testing the script at first I did it as a user. :)

woohoo found where the screen shots are. they are saved to root in case anyone needs to know.

Try to setup your file like that.

O.K. Sweet, I got the last part I need. I installed Tor and stopped it from auto starting as I am on measured bandwidth. I purchased a data hub when I read that the FEDs can actually get information from a LAN service provider within a certain area on who types "hack, hacking etc" in their browser. So don't go next door to the coffee shop to hack. Well, there are many cell providers, and that makes it much harder to track a location when most cities only have a few LAN providers. Anyways I digress.

I added
system ("./etc/init.d/tor start\n")
and
system ("./etc/init.d/tor stop\n")

Now I only need to type: proxychains nikto -h <my target>

If you have tor installed proxychains comes with Kali and is setup default for Tor.

Tomorrow I will work on setting up Freenet and I2P options in my script using proxychains or an equivalent.

O.k. I am starting to feel pretty stealthy now.

Thought I would do a quick update. Proxying all traffic through Tor is slow, so I will make an option for it. I think spoofing the MAC and IP address is fine for light scanning and day to day use, but not for unauthorized pen testing. Found out about DNS leaking and how to fix that, which I will include in the script.

ok I think I am done with this been testing the heck out of it. I am going to make a professional tut for the How To section. I will actually make it myself not have someone do it for me.

give me a few days :) Yes stealth mode can be yours.

Hey Jon,
I was wondering where you are on this stealth mode script??

I found the idea very interesting, and if you are interested, I would like it if we could engage in a discussion about your script (and more if you like).

I always liked learning by exchange, it helps discover other people views and our own limitations.
Best regards

Ok soul I have decided to do this in two parts. An opening script and then a closing one. The opening one I think I have all the bases covered.

#! /usr/bin/perl

START:
print "are you sure you want to go into stealth mode Press 1 for yes \n";
$input = <STDIN>;
chomp $input;
if ($input eq 1){
}
else{
print "You did not press 1 for yes please try again or press control c to exit\n";
goto START;
}
print "Going into Stealth\n";
#so keystrokes are no longer recorded
system ("HISTSIZE=0\n");
#turns off syslog
system ("/etc/init.d/rsyslog stop\n");
sleep(.2);
#taking down the network
system ("service network-manager stop\n");
#taking down wlan0 (wlan0 is my connections use yours)
system ("ifconfig wlan0 down\n");
sleep(1) ;
#-e option creates a random mac but keeps the factory identifiers.
system ("macchanger -e wlan0\n");
sleep(.2);
#while its down might as well kick up my tx power.
system ("iw reg set BO\n");
system ("iwconfig wlan0 txpower 30 \n");
system ("ifconfig wlan0 up\n");
sleep(.2);
system ("service network-manager start\n");
sleep(1) ;
#setting up proxy service
system ("service tor start\n");
sleep(10) ;
#to stop dns leaks I created another resolv file, then I check to make sure it takes.
system ("cp /etc/resolv2.conf /etc/resolv.conf\n");
#I use gedit, use your own editor if you dont have it.
system ("gedit /etc/resolv.conf\n");
sleep(1) ;
# enter your new non logging dns from below
system ("iceweasel http://www.opennicproject.org\n");
sleep(10) ;

Last thing I will need to work on is automatically turning "use proxy" in Network Manager to manual. This way all traffic from the computer will go through proxychains and then through the Network Manager proxy settings.

If you want to work on getting netmanager to turn on proxy and then switching it to manual through terminal that would be great.

You should make this into a github project so we can all work on it and view the source code :D

you are viewing the source code.

I got a few questions on the script, thought I would share it here,

Now concerning the code, let me start with the following question: what is the role of the sleep function in your code?? You use it at different times with different sleeping time values (from 0.2 to 10).

Also, you stop the network manager using service while rsyslog is stopped using etc/init.d. I know that the two can be used, but what's the actual difference? From what I searched, service runs in a predictable environment while etc/init.d doesn't necessarily. Aside from that, I couldn't find much and I don't know how this will impact your code.

Also, you are using wlan0, so I assume that you tend to connect using your wifi. Your code should be more versatile though; you should be able to choose what interface you want to use (in case you don't connect using wifi). So it should go like:

START:
print "what interface do you want to stop?";
$interface = <STDIN>;
chomp $interface;
# extend the list with any other interface available on the system
if ($interface eq "eth0" || $interface eq "wlan0"){
}
else{
print "You did not specify any available interface\n";
goto START;
}

If you actually apply what I just recommended, then the boosting of your wlan0 should be dependent on the use of wlan0 for the $interface (simple if($interface eq wlan0) should do it), and obviously all references to wlan0 shall be replaced by $interface .

Finally, what do you actually have in your resolv2.conf? From what I understood in the code you modify the resolv.conf. Or is it a simple copy of the resolv so that you can go back??

Sorry for the looong post
Best
Soulei1990
Jon Masters

LOL, wow lots to cover :)

As far as learning to hack, here is what I have been doing which has really helped. I read the different hacks that Metasploit offers. This increases my programming skills and shows me how the pros do it. Why reinvent the wheel when I can gain enough skills with different hacks to change them in a way that I need.

The script was written for my own use, and the purpose of it is to streamline the process with as few questions as possible. Although I am thinking of putting in an option for tx power change.

The sleeps are to give time for the functions to complete and make the program more stable and reliable. Although most are probably not necessary, I like to have control over my programs. The sleep 10 is to give time for my wifi to reconnect before opening the webpage so I don't get a non-connect error.

I created a resolv2.conf with nameservers listed on the website that have no logging. This way I just copy it in and don't have to type it each time. I bring up the resolv.conf to make sure that it has been changed and is not listing the ISP DNS; this is to confirm I am not doing a DNS leak.

resolv.conf changes back to the ISP DNS automatically each time the network is brought down.

Phew, did I get it all :)
