8 - Clearing Tracks

Windows

The exploitation and post-exploitation phases of a penetration test involve actively engaging with target systems and the data stored on them. As a result, you may be required to clear or undo any changes you have made to the compromised target systems, according to the guidelines specified in the rules of engagement.

If you have transferred any files to the target systems you have compromised, keep track of where they have been saved so that you can remove them when done.

A good practice is to store all your scripts, exploits and binaries in the C:/Temp directory on Windows and the /tmp directory on Linux. This has two main benefits:

  1. everything you upload will be in a single centralized location, so you don't need to remember where you saved everything

  2. that specific directory, on both operating systems, is not frequently accessed, meaning it will be harder for the victim to notice your malicious activity

The contents of the tmp and Temp directories are deleted at every reboot of the machine, so do keep that in mind!

It is also important to consider the exploitation framework you are using. An example of this is MSF, which is notorious for generating and storing artifacts on the target system when using exploit or post modules.

Some well-designed MSF modules provide you with instructions on where the artifacts are stored and how they can be removed. Even better, sometimes they provide a resource script that automatically cleans up everything.

To run a resource script, you need to be on the target system and then just run the command:

resource <path/to/resource/script>

In any case, always try to understand what a module does, so you don't go against the rules of engagement signed with the client.

Check the advanced options of an MSF module for a better understanding of its functionality.

In the context of Windows, a typical post-exploitation technique pertinent to clearing your tracks is to delete the Windows Event Log. This is something that should be avoided during a penetration test, as the Windows Event Log stores a lot of data that is important to the client you are performing the penetration test for.

Linux

Usually in the home directory there's a file called .bash_history, which stores the command history of all your sessions.

# This is an example .bash_history file
ls
cd Documents/
mkdir notes
cd notes/
nano todo.txt
ls -l
grep "important" todo.txt
rm todo.txt
ls

Whenever you open a Bash shell, the history for that session will be empty. When you type commands, they are stored in RAM and appended to the session's history, which can be consulted with the history command.

root@attackdefense:~# history 
    1  history 
    2  echo "ciao"
    3  history 
    4  exit
    5  cat .bash_history 
    6  cat .bash_history 
    7  history 

When you close the shell, the list of commands you see when running the history command will be written to disk and appended to ~/.bash_history. The content of this file is updated only when the shell is closed.

To clear the current session history:

history -c

To clear the ~/.bash_history file:

cat /dev/null > ~/.bash_history
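A defender-side example added to these notes (not part of the original): a small scanner that parses a .bash_history file and flags the two clearing actions described above, clearing the session history and truncating the history file with a redirect. It assumes the default bash history format plus the `#<epoch>` timestamp lines bash writes when HISTTIMEFORMAT is set; the sample file is constructed.

```python
import re
from dataclasses import dataclass
from typing import List

# Patterns for the two track-clearing actions described on this page:
# clearing the in-memory session list and redirecting into the history file.
CLEAR_SESSION = re.compile(r"(^|[;&|]\s*)history\s+-c\b")
TRUNCATE_FILE = re.compile(r">\s*\|?\s*~?/?\S*\.bash_history\b")


@dataclass
class Finding:
    line_no: int   # 1-based position in the history file
    command: str   # the offending history entry
    reason: str


def scan_history(text: str) -> List[Finding]:
    """Return every history entry that clears or truncates bash history.

    Lines of the form '#1700000000' are the timestamps bash writes when
    HISTTIMEFORMAT is set; they are skipped but still counted for positions.
    """
    findings: List[Finding] = []
    for no, raw in enumerate(text.splitlines(), start=1):
        cmd = raw.strip()
        if not cmd or re.fullmatch(r"#\d+", cmd):
            continue
        if CLEAR_SESSION.search(cmd):
            findings.append(Finding(no, cmd, "session history cleared (history -c)"))
        if TRUNCATE_FILE.search(cmd):
            findings.append(Finding(no, cmd, "redirect targets the history file"))
    return findings


# Constructed sample: a session that truncated its history file and then exited.
# Because bash appends the session's commands on exit, the truncation command
# itself lands in the file; 'history -c' only reaches the file if history is
# written out before the shell closes.
SAMPLE = """\
ls
cd /tmp
cat /dev/null > ~/.bash_history
ls -la
"""

if __name__ == "__main__":
    for f in scan_history(SAMPLE):
        print(f"line {f.line_no}: {f.reason}: {f.command}")
```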
