Clearing Your Tracks & Logs On Linux
Why is it important?
Covering tracks (also called clearing tracks) is the final stage of a penetration test before report writing. It means removing or wiping the evidence of the attacker's activity on the target so that the intrusion is not detected.
It matters on both sides of the engagement. For the tester it completes the attack chain realistically; from the defensive point of view it tests the incident handlers and the blue team, who have to discover the attacker and find anything the attacker forgot to clear.
Forgotten artifacts are the most common way attackers get caught, and thoroughness here is what separates professionals from amateurs.
From the attacker's perspective, the goal is to evade detection by the IDS, and so prevent any incident response, and to remove any logs or backdoors that a forensic team could later discover.
What an attacker will and should do
- Clear logs
- Modify or clear the registry (on Windows)
- Remove any files you created
I am going to cover the fundamentals, mostly for Linux systems, since that is where my knowledge and experience lies; I will look at writing something similar for Windows.
What you can clear also depends on the privileges you have on the system (particularly if you are attacking it remotely): the files under /var/log are owned by root and, with few exceptions, writable only by root.
Log files are stored in the /var/log directory.
– Editing the files by hand with a text editor is a bad idea: the original content usually remains recoverable in unallocated blocks, and a hand-edited log is easy to spot. What I would recommend instead is a tool called shred to overwrite the file before removing it. Two caveats a practitioner should keep in mind: a missing or empty auth.log is itself a strong indicator of tampering, and on modern systems the same events are usually also held in the systemd journal (/var/log/journal) and may be forwarded to a remote syslog collector that you cannot reach from the compromised host.
What is shred
Shred is a tool that deletes a file or data permanently and prevents recovery of the data by overwriting the file several times (three passes by default) with random and fixed bit patterns, optionally followed by a pass of zeros. Simply deleting a file does not erase it: the filesystem only marks its blocks as free space that may later be reused, and the old content stays on disk until it is overwritten.
Shred is very popular for erasing hard drives too; I have used it many times before disposing of or selling my drives.
One caveat, documented in the shred man page: shred assumes the filesystem overwrites data in place. On journaled filesystems in data=journal mode, on copy-on-write filesystems such as btrfs and ZFS, on filesystems with snapshots, compressed or RAID storage, and on SSDs with wear levelling, the old blocks can survive the overwrite.
Options When Using the Shred Command
Use the shred command to overwrite the specified files repeatedly and make it difficult or impossible even for expensive hardware or software to recover the data. Available options include:
- -f changes permissions to allow writing if needed
- -n N (--iterations=N) overwrites N times instead of the default of three
- -s N (--size=N) shreds only the first N bytes of the file
- -u truncates and removes the file after overwriting
- -v shows verbose information about the progress
- -x does not round file sizes up to the next full block
- -z adds a final overwrite with zeros to hide the shredding
Common log files and what data they contain
/var/log/auth.log : Authentication logs (Debian/Ubuntu; RHEL-family systems use /var/log/secure)
/var/log/kern.log : Kernel logs
/var/log/cron.log : Cron daemon logs (/var/log/cron on RHEL-family systems)
/var/log/maillog : Mail server logs (/var/log/mail.log on Debian/Ubuntu)
/var/log/httpd/ : Apache access and error logs directory (/var/log/apache2/ on Debian/Ubuntu)
/var/log/boot.log : System boot log
Login records are also kept in binary form in /var/log/wtmp, /var/log/btmp and /var/log/lastlog (read with last, lastb and lastlog), so a text editor is no use on them.
To shred and erase the file
shred -vfzu /var/log/auth.log
Note that the daemon writing the file (rsyslogd, for example) keeps its file descriptor open: after shred -u the directory entry is gone, but the unlinked inode stays allocated, keeps receiving new lines, and is still readable through /proc/<pid>/fd until the daemon is restarted or signalled to reopen its files (the HUP that logrotate sends). No new auth.log appears until then.
The bash history keeps a record of all commands executed by a user on the Linux command line.
Stored in: /home/user/.bash_history
Root user example: /root/.bash_history
> ~/.bash_history – truncates the file to zero bytes with an empty redirect. The running shell still holds its history in memory, however, and writes it back to the file when it exits, so also run history -c to clear the in-memory list, or point HISTFILE at /dev/null (or unset it) for the session so that nothing is written out at all.
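As an added example that is not part of the original post, the script below runs the shred options described above and the history truncation against a scratch directory of constructed files (never the real /var/log), and demonstrates the caveat that a process holding the log open keeps writing to the deleted inode. The file names, the sample log lines, the function names and the fallback path used when shred is not installed are my assumptions, not taken from the post.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Everything runs against a
# constructed scratch directory, never the real /var/log, so it can be tried
# safely as an unprivileged user. File names and log lines are made up.
set -u

# Create a scratch directory holding a fake auth.log and a fake history file.
# Prints the directory path so callers can capture it.
make_fixture() {
    local dir
    dir=$(mktemp -d)
    # constructed sample lines in the style of /var/log/auth.log
    printf '%s\n' \
        'Jan  1 00:00:01 host sshd[1234]: Accepted publickey for user from 10.0.0.5 port 51234 ssh2' \
        'Jan  1 00:00:02 host sudo:     user : TTY=pts/0 ; PWD=/home/user ; COMMAND=/bin/bash' \
        > "$dir/auth.log"
    # constructed sample lines in the style of ~/.bash_history
    printf '%s\n' 'ls -la' 'cat /etc/passwd' 'nc -lvp 4444' > "$dir/bash_history"
    printf '%s\n' "$dir"
}

# shred -vfzu: verbose, force writable, final zero pass, then truncate and
# unlink. -n 3 is the default pass count, spelled out for clarity. If shred is
# not installed (assumed fallback, not in the post), do the same steps by hand:
# random passes, a zero pass, then remove the file.
shred_file() {
    local f="$1" size i
    if command -v shred >/dev/null 2>&1; then
        shred -vfzu -n 3 -- "$f"
    else
        chmod u+w -- "$f"                      # equivalent of -f
        size=$(wc -c < "$f")
        if [ "$size" -gt 0 ]; then
            for i in 1 2 3; do                 # equivalent of -n 3
                dd if=/dev/urandom of="$f" bs="$size" count=1 conv=notrunc 2>/dev/null
            done
            dd if=/dev/zero of="$f" bs="$size" count=1 conv=notrunc 2>/dev/null  # -z
        fi
        rm -f -- "$f"                          # equivalent of -u
    fi
}

# The caveat: a process that already has the log open (rsyslogd, say) keeps
# writing to the unlinked inode after shred -u. Descriptor 3 stands in for the
# daemon. Returns 0 when the write after unlinking still succeeds (it does on
# Linux), 1 if it fails, 2 if the file was not actually removed.
open_writer_survives_shred() {
    local f="$1" rc
    exec 3>>"$f"
    shred_file "$f"
    [ ! -e "$f" ] || { exec 3>&-; return 2; }
    if printf '%s\n' 'daemon still logging to the deleted inode' >&3; then
        rc=0
    else
        rc=1
    fi
    exec 3>&-
    return "$rc"
}

# Equivalent of `> ~/.bash_history` done properly: clear the running shell's
# in-memory list first, then truncate the file, so nothing is written back at
# exit. Defaults to $HISTFILE or ~/.bash_history when no path is given.
clear_history() {
    local f="${1:-${HISTFILE:-$HOME/.bash_history}}"
    history -c 2>/dev/null || true   # no-op in shells without a history builtin
    : > "$f"                         # truncate to zero bytes
    # unset HISTFILE                 # optional: write nothing at all on exit
}

# Walk through the whole sequence against the scratch directory.
demo_dir=$(make_fixture)
if open_writer_survives_shred "$demo_dir/auth.log"; then
    echo "auth.log is gone from $demo_dir, yet the open writer still appended to it"
fi
clear_history "$demo_dir/bash_history"
echo "history file is now $(wc -c < "$demo_dir/bash_history") bytes"
rm -rf -- "$demo_dir"
```

Run it as an ordinary user; it only touches its own temporary directory. To apply the same functions to the real files you need root and the real paths (/var/log/auth.log, ~/.bash_history), and after shredding a live log you must restart or HUP the syslog daemon so that it releases the deleted inode and opens a fresh file.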