How to clean up penetration trace
Introduction
When performing penetration testing on a system, it is important to be able to remove any trace of your activities afterwards. This is not only a matter of good ethics, but also a legal requirement in many cases. In this blog post, we will discuss how to clean penetration traces in Linux.
Clear history command records
First method
- Edit the
historyrecord file to delete historical commands that do not want to be saved - Clear the
historycommand record for the current user
Second method
- Use
vimto delete historical commands
# Open a file with vim
vim test.txt
# Set vim not to record commands, Vim will record command history and save it in the viminfo file.
:set history=0
# Open the command record file .bash_history with vim's split-screen feature, and edit the file to delete historical operation commands
vsp ~/.bash_history
# Clear the saved .bash_history file.
- Execute commands in vim that you don’t want others to see
:set history=0
:!command
Third method
By modifying the configuration file /etc/profile, the system no longer saves command records.
Fourth method
After logging in, execute the following command to not record the command history(.bash_history)
unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG;
export HISTFILE=/dev/null;
export HISTSIZE=0;
export HISTFILESIZE=0
Clear system log traces
Linux system has multiple log files to record the logs generated during system operation.
/var/log/btmp Records all login failure information, use the lastb command to view
/var/log/lastlog Records the last login time of all users in the system, use the lastlog command to view
/var/log/wtmp Records the login and logout information of all users, use the last command to view
/var/log/utmp Records information about currently logged in users, use commands such as w, who, users to view
/var/log/secure Records security-related log information
/var/log/message Records information and error logs after the system starts up
First method: Clear log files
Clear records for failed system login:
echo > /var/log/btmp
Clear records for successful system login:
echo > /var/log/wtmp
Clear relevant log information:
# Clear the last login time of the user
echo > /var/log/lastlog
# Clear the current login user information with the lastlog command:
echo > /var/log/utmp
# Clear security log records using commands such as w, who, users:
cat /dev/null > /var/log/secure
# Clear system log records
cat /dev/null > /var/log/message
Second method: Delete/replace some logs
The log file is completely emptied, which is too easy for the administrator to detect. If only some key log information is deleted or replaced, then the attack trace can be perfectly hidden.
# Delete all lines that match the string, such as the current date or your login IP
sed -i '/your IP/'d /var/log/messages
# Global replacement of login IP address
sed -i 's/192.168.166.85/192.168.1.1/g' secure
Clear web intrusion traces
First method: Directly replace the log IP address
sed -i 's/192.168.166.85/192.168.1.1/g' access.log
Second method: Clear some related logs
# Use grep -v to delete our related information
cat /var/log/nginx/access.log | grep -v evil.php > tmp.log
# Overwrite the modified log to the original log file
cat tmp.log > /var/log/nginx/access.log/
File Secure Deletion Tool
shred command
Securely erase data from the hard drive, which is overwritten 3 times by default, and specify the number of data overwrites with -n.
shred -f -u -z -v -n 8 1.txt
shred: 1.txt: pass 1/9 (random)...shred: 1.txt: pass 2/9 (ffffff)...shred: 1.txt: pass 3/9 (aaaaaa)...shred: 1.txt: pass 4/9 (random)...shred: 1.txt: pass 5/9 (000000)...shred: 1.txt: pass 6/9 (random)...shred: 1.txt: pass 7/9 (555555)...shred: 1.txt: pass 8/9 (random)...shred: 1.txt: pass 9/9 (000000)...shred: 1.txt: removingshred: 1.txt: renamed to 00000shred: 00000: renamed to 0000shred: 0000: renamed to 000shred: 000: renamed to 00shred: 00: renamed to 0shred: 1.txt: removed
dd
Can be used to securely clear the contents of a hard drive or partition.
dd if=/dev/zero of=filename bs=size count=write times
wipe
wipe uses a special mode to repeatedly write files to safely erase files from magnetic media.
Secure-Delete
Secure-Delete is a set of toolkits that provide 4 command-line tools for securely deleting files: srm, smem, sfill, sswap.
srm filenamesfill filenameswap /dev/sda1smem
Hide Remote SSH Login Records
Invisible login to the system, will not be detected by commands such as w, who, last, etc.
ssh -T root@192.168.0.1 /bin/bash -i
Do not record ssh public key in the local .ssh directory
ssh -o UserKnownHostsFile=/dev/null -T user@host /bin/bash –i