Skip to content

How to clean up penetration trace

homepage-banner

Introduction

When performing penetration testing on a system, it is important to be able to remove any trace of your activities afterwards. This is not only a matter of good ethics, but also a legal requirement in many cases. In this blog post, we will discuss how to clean penetration traces in Linux.

Clear history command records

First method

  • Edit the history record file to delete historical commands that do not want to be saved
  • Clear the history command record for the current user

Second method

  • Use vim to delete historical commands
# Open a file with vim
vim test.txt
# Set vim not to record commands, Vim will record command history and save it in the viminfo file.
:set history=0
# Open the command record file .bash_history with vim's split-screen feature, and edit the file to delete historical operation commands
vsp ~/.bash_history
# Clear the saved .bash_history file.
  • Execute commands in vim that you don’t want others to see
:set history=0
:!command

Third method

By modifying the configuration file /etc/profile, the system no longer saves command records.

Fourth method

After logging in, execute the following command to not record the command history(.bash_history)

unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG;
export HISTFILE=/dev/null;
export HISTSIZE=0;
export HISTFILESIZE=0

Clear system log traces

Linux system has multiple log files to record the logs generated during system operation.

/var/log/btmp   Records all login failure information, use the lastb command to view
/var/log/lastlog Records the last login time of all users in the system, use the lastlog command to view
/var/log/wtmp    Records the login and logout information of all users, use the last command to view
/var/log/utmp    Records information about currently logged in users, use commands such as w, who, users to view
/var/log/secure  Records security-related log information
/var/log/message Records information and error logs after the system starts up

First method: Clear log files

Clear records for failed system login:

echo > /var/log/btmp

Clear records for successful system login:

echo > /var/log/wtmp

Clear relevant log information:

# Clear the last login time of the user
echo > /var/log/lastlog

# Clear the current login user information with the lastlog command:
echo > /var/log/utmp

# Clear security log records using commands such as w, who, users:
cat /dev/null > /var/log/secure

# Clear system log records
cat /dev/null > /var/log/message

Second method: Delete/replace some logs

The log file is completely emptied, which is too easy for the administrator to detect. If only some key log information is deleted or replaced, then the attack trace can be perfectly hidden.

# Delete all lines that match the string, such as the current date or your login IP
sed -i '/your IP/'d /var/log/messages
# Global replacement of login IP address
sed -i 's/192.168.166.85/192.168.1.1/g' secure

Clear web intrusion traces

First method: Directly replace the log IP address

sed -i 's/192.168.166.85/192.168.1.1/g' access.log
# Use grep -v to delete our related information
cat /var/log/nginx/access.log | grep -v evil.php > tmp.log
# Overwrite the modified log to the original log file
cat tmp.log > /var/log/nginx/access.log/

File Secure Deletion Tool

shred command

Securely erase data from the hard drive, which is overwritten 3 times by default, and specify the number of data overwrites with -n.

shred -f -u -z -v -n 8 1.txt

shred: 1.txt: pass 1/9 (random)...shred: 1.txt: pass 2/9 (ffffff)...shred: 1.txt: pass 3/9 (aaaaaa)...shred: 1.txt: pass 4/9 (random)...shred: 1.txt: pass 5/9 (000000)...shred: 1.txt: pass 6/9 (random)...shred: 1.txt: pass 7/9 (555555)...shred: 1.txt: pass 8/9 (random)...shred: 1.txt: pass 9/9 (000000)...shred: 1.txt: removingshred: 1.txt: renamed to 00000shred: 00000: renamed to 0000shred: 0000: renamed to 000shred: 000: renamed to 00shred: 00: renamed to 0shred: 1.txt: removed

dd

Can be used to securely clear the contents of a hard drive or partition.

dd if=/dev/zero of=filename bs=size count=write times

wipe

wipe uses a special mode to repeatedly write files to safely erase files from magnetic media.

Secure-Delete

Secure-Delete is a set of toolkits that provide 4 command-line tools for securely deleting files: srm, smem, sfill, sswap.

srm filenamesfill filenameswap /dev/sda1smem

Hide Remote SSH Login Records

Invisible login to the system, will not be detected by commands such as w, who, last, etc.

ssh -T root@192.168.0.1 /bin/bash -i

Do not record ssh public key in the local .ssh directory

ssh -o UserKnownHostsFile=/dev/null -T user@host /bin/bash –i
Feedback







Small world. Big idea!
  • Welcome to visit the knowledge base of SRE and DevOps!
  • License under CC BY-NC 4.0
  • Made with Material for MkDocs and improve writing by generative AI tools
  • Copyright issue feedback me#imzye.com, replace # with @