Introduction
In the shadowy corridors of cyberspace, the savvy hacker knows the endgame is all about the exit strategy. It’s not just about breaking in; it’s about vanishing without a trace. That means scrubbing every digital footprint, every log that whispers of your presence. For those who play the long game, ghosting from the system is non-negotiable, especially if you plan to lurk around for future escapades.
So, here’s the lowdown: we’ll snag a target, and then I’ll break down the cloak-and-dagger ops for wiping Bash history and logs, leaving the system none the wiser. Dive into the nitty-gritty with our Unix Web Lab visual declassified dossier or leap straight into the covert ops playbook below.
Compromising the Target
First up in the hacker’s playbook is the initial breach — we finesse our way past defenses using command injection, turning the server’s commands against itself to pop a shell. But why stop at a basic shell when we can amp it up? We’re talking full interactive mode, unlocking the power of tab completion and a rich terminal history to dance around the system like a digital puppet master.
Then comes the power play: privilege escalation. We elevate ourselves to the root, grabbing the digital master key. It’s not just about access; it’s about moving through the system shadows, invisible, undetectable, and in full control.
Setting Up for Stealth
With root privileges in hand, we set up a hidden directory as a discreet hub for our files and scripts. Crafting a hidden directory post-root conquest is basic tradecraft. It’s your covert ops base within the filesystem, a place to stow your toolkit. Sure, it’s not going to throw off a seasoned sysadmin, but it adds a smidge of stealth to your step.
You kick things off by scouting for writable directories — these will be your hideout’s potential locales. Just wield the find command to unveil these spots, and then it’s just a matter of carving out your secret nook with a simple mkdir, shrouded from plain sight by a dot prefix.
To unearth directories with write permissions for all users, deploy the command:
find / -perm -222 -type d 2>/dev/null /tmp /tmp/.Test-unix /tmp/systemd-private-e76bb6944bb64c4b910d2af90735c0ee-systemd-timesyncd.service-NvWN9v/tmp /tmp/.X11-unix /tmp/systemd-private-e76bb6944bb64c4b910d2af90735c0ee-systemd-logind.service-BGTj7f/tmp /tmp/.XIM-unix /tmp/.font-unix /tmp/systemd-private-e76bb6944bb64c4b910d2af90735c0ee-systemd-resolved.service-gv6Xkb/tmp /tmp/.ICE-unix /var/tmp /var/tmp/systemd-private-e76bb6944bb64c4b910d2af90735c0ee-systemd-logind.service-gdrb2u/tmp /var/tmp/systemd-private-e76bb6944bb64c4b910d2af90735c0ee-systemd-timesyncd.service-MV0q1R/tmp /var/tmp/systemd-private-e76bb6944bb64c4b910d2af90735c0ee-systemd-resolved.service-wSXHJq/tmp /var/crash /dev/mqueue /dev/shm /run/lock
It’s a reconnaissance mission, stealthily scanning through the file system, ignoring any noise and errors, and pinpointing just the spots where you can read, write, and execute your master plan.
To craft a hidden directory, wield the `mkdir` command and cloak it with a dot:
Peering into `/dev/shm` with `ls -l`, this secret chamber will stay invisible to the casual observer:
total 0
This stealthy maneuver ensures that your clandestine directory remains off the radar, a ghost in the machine.
The hidden directory reveals itself only with the `-a` flag, an insider’s handshake for the initiated:
And when the mission’s complete, vanishing is as simple as `rmdir`, leaving no trace in the shadows of `/dev/shm`:
With this, your secret hideout in the system is swept clean, as if it never existed.
Erasing Digital Footprints
In Bash, a record of session commands is held in memory. Clearing this history is crucial to maintaining stealth. Use the `history` command to inspect the current command log.
history 1 reset 2 find / -perm -222 -type d 2>/dev/null 3 mkdir /dev/shm/.secret 4 ls -l /dev/shm/ 5 ls -la /dev/shm/ 6 rmdir /dev/shm/.secret/ 7 history
Commands get logged in the `HISTFILE` variable, typically stored in `.bash_history`. To reveal its path, just run `echo $HISTFILE`.
/root/.bash_history
The `unset` command can be employed to eliminate the variable.
After unsetting the variable, echoing it again will display nothing, indicating the variable has been successfully removed.
To prevent command history from being saved, redirect it to `/dev/null`:
# or so
export HISTFILE=/dev/null
Verify with `echo $HISTFILE`, and it should display `/dev/null`. Additionally, set the session’s command storage limit to zero:
You can also adjust the session’s command storage limit using `export`:
Limit the history file’s line count with `HISTFILESIZE`:
# or
export HISTFILESIZE=0
Use `set` to toggle shell options. Disable history with:
Re-enable it using:
To modify shell options with `shopt`, disable history with:
Re-enable it using:
Avoid saving specific commands by prefixing them with a space:
Clear the history with the `-c` switch:
Write changes to disk with `-w`:
For a clean exit, ensuring history is cleared:
cat /dev/null > ~/.bash_history && history -c && exit
To exit without saving history:
Clear the Log Files
To stay under the radar, it’s crucial to clean out log files in addition to Bash history. Key logs to focus on include:
- `/var/log/auth.log` for authentication events - `/var/log/cron.log` for cron job records - `/var/log/maillog` for email server logs - `/var/log/httpd` or here - `/var/log/apache2` for Apache web server logs
Instead of outright deleting logs with `rm`, which can raise suspicions, opt to empty them. Use `truncate -s 0` to reduce the file size to zero, or simply overwrite the file with an empty string using `echo ” >` or `>`. Redirecting content to `/dev/null` with `cat /dev/null >` is another stealthy method to clear logs without leaving obvious traces.
To avoid suspicion, it’s advisable to empty log files rather than delete them. Use the `truncate` command to reduce file size to zero:
truncate -s 0 /var/log/auth.log
If `truncate` isn’t available, achieve the same effect by overwriting the file with an empty string:
echo '' > /var/log/auth.log
To empty a log file without drawing attention, you can use redirection:
> /var/log/auth.log
Alternatively, send its contents to the abyss of `/dev/null`:
cat /dev/null > /var/log/auth.log
Alternatively, the `tee` command can be utilized:
true | tee /var/log/auth.log
For a more low-level approach, the `dd` command can zero out the log:
dd if=/dev/null of=/var/log/auth.log
To obliterate a log file’s contents, employ the `shred` command:
shred /var/log/auth.log
For deeper covertness, add `-zu` to truncate and zero-fill the file, concealing the shred:
shred -zu /var/log/auth.log
Automating Cleanup
To boost the likelihood of undetected activity on the target, leveraging a tool like Covermyass can be invaluable. This script automates tasks such as wiping log files and disabling Bash history, streamlining the erasure process.
You can acquire the script via `curl` from GitHub, provided the target has internet access; if not, manual transfer is necessary.
Download the Covermyass script from GitHub:
Navigate to a directory with write permissions and make the script executable:
Begin with an analysis using the `covermyass` tool to identify potential log files:
This initial scan won’t erase anything but will list files like `/var/log/lastlog`, `/var/log/btmp`, `/var/log/wtmp`, and `/var/log/faillog`, indicating their sizes and permissions. It provides a quick overview of what’s writable and what’s not, setting the stage for the next steps in covering your digital tracks.
After reviewing the analysis, proceed to securely erase the identified files:
This command will shred the listed log files 100 times, ensuring their destruction.
root
./covermyass --write -n 100
You can also specify paths to exclude certain files from being erased:
The `–zero` flag in `covermyass` is used to overwrite files with zeros instead of random data, effectively wiping them clean:
The `–help` option in `covermyass` displays a help message that lists all available commands and their descriptions, guiding how to use the tool effectively:
Introduction to Secure Data Deletion:
Secure data deletion is the process of permanently removing sensitive information from storage devices to prevent unauthorized access. This practice is essential to protect privacy and confidentiality, especially when disposing of or repurposing storage media. Secure data deletion methods ensure that deleted data cannot be recovered using standard file recovery tools, providing peace of mind that sensitive information remains confidential.
To install the “srm” (Secure Remove) utility on Ubuntu, you can follow these steps:
- Open a terminal window by searching for “Terminal” in the Ubuntu Dash or pressing `Ctrl + Alt + T` on your keyboard.
- Update the package index to ensure you have the latest information about available packages by running the following command:
The command for updating packages for RPM distributions Red Hat and Centos:
- Once the update is complete, you can install the “srm” package using the following command:
The command for installing the secure-delete package for RPM distributions Red Hat and Centos:
- During the installation process, you may be prompted to confirm whether you want to continue. Type “Y” and press Enter to proceed with the installation.
- The `srm` command securely deletes files, ensuring that they cannot be recovered using file recovery tools. It overwrites the file contents before removing them, making it impossible to retrieve the original data. The basic syntax for using `srm` is:
Here are some common options used with `srm`:
- `-r, -R, --recursive`: Recursively remove directories and their contents. - `-s, --simple`: Overwrite the file with random data. - `-z, --zero`: Overwrite the file with zeroes. - `-v, --verbose`: Show verbose output. - `-f, --force`: Ignore nonexistent files and never prompt. - `-i, --interactive`: Prompt before any removal.
To securely delete a file named `example.txt` with `srm`, you would run:
To recursively remove a directory and its contents, use the `-r` option:
Keep in mind that using `srm` irreversibly deletes files and directories, so use it with caution.
Wrapping Up
In this journey, we’ve delved into a realm of techniques essential for stealth and anonymity in the shadows of a compromised system. From obliterating the breadcrumb trail of our actions by purging Bash history to sanitizing log files of any incriminating evidence, we’ve wielded the Covermyass tool with finesse to ensure our digital footprints vanish without a trace. While there are alternative methods like leveraging Metasploit, crafting intricate shell scripts, or navigating the labyrinth of a compromised Windows system, the arsenal we’ve uncovered here arms you with the fundamentals for safeguarding your exploits on a basic Linux platform.
Ensure your projects run smoothly and securely by setting up a server with us. Contact us now for expert assistance and reliable service!