Covering Your Tracks
The ability to remain stealthy during a penetration exercise is what separates a sophisticated hacker from a script kiddie. The phrase “The Quieter You Become, The More You Are Able to Hear” holds true, especially in the field of hacking. Being able to perform anti-forensics and avoid detection is critical to the success of hacking and penetration testing, and understanding these methods is beneficial even for white hat hackers, as there will be times in a penetration test where the system is already compromised. In such cases, understanding what the attacker is doing to cover their tracks can help determine the sophistication of the attack or support prosecution of the attacker.
All hacks begin with system enumeration, and nmap is one of the best tools to use during this discovery phase. However, as I explained in my Scanning With nmap blog post, port scanning a bunch of IP addresses or every port on a target system is noisy and can cause denial of service conditions (very bad if you are contracting with a company for this test). Doing an aggressive scan with -A or a fast scan with a high -T value (i.e. -T5, which is the fastest) is also risky. To avoid detection by firewalls and IDS/IPS devices, use slower scan rates (-T0) and SYN scans (-sS). An example is given below:
nmap -sS -T0 scanme.nmap.org
-T0 may be a little too slow (-T3 may be better in some cases), but if you are black box testing a highly secure network, it may be best to gather as much information as possible upfront and then use that information to perform a stealth scan against specific targets overnight. The -T option slows the rate at which packets are sent, and the -sS flag performs a half-open scan that does not complete the TCP handshake (if the port is open, the scanner answers the SYN/ACK with a RST packet instead of the final ACK, so the connection looks as if it was dropped). From a stealth scan (-sS), ports are determined to be in one of three states: open, closed, or filtered (by a firewall). Of course, stealth scans can also be picked up by IDS/IPS systems, so a link to an entire chapter of the nmap documentation on how to determine firewall rules and avoid detection is provided below:
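What the slow half-open scan looks like from the defender's side: the following is an added example, not code from the original post or from the nmap project. It reads a simplified, constructed connection log (the format, the 10.0.0.x addresses and the timestamps are all made up for the demo), pairs each source's SYNs with the ACKs that would complete a handshake, and counts distinct destination ports per source over a sliding window. The point it makes is the one the -T0 advice rests on: a detector that only remembers the last minute sees one probe at a time, while a per-source counter with a long memory still catches the scan.

```python
"""Spot half-open (SYN) scans in a connection log, including slow ones.

Added example, not code from the original post. Reads a simplified,
constructed log format, one packet per line:
    <epoch_seconds> <src_ip> <dst_ip> <dst_port> <flags>
where flags are S (SYN), SA (SYN/ACK), A (ACK) or R (RST).
"""
from collections import defaultdict

# Constructed sample. 10.0.0.5 completes a normal handshake to port 443.
# 10.0.0.9 probes six ports five minutes apart and never sends the final
# ACK: open ports get a RST back (what -sS does), port 21 is closed (the
# target sends RST) and port 8080 is filtered (no reply at all).
SAMPLE_LOG = """\
1000 10.0.0.5 10.0.0.100 443 S
1000 10.0.0.100 10.0.0.5 443 SA
1000 10.0.0.5 10.0.0.100 443 A
1010 10.0.0.9 10.0.0.100 22 S
1010 10.0.0.100 10.0.0.9 22 SA
1010 10.0.0.9 10.0.0.100 22 R
1310 10.0.0.9 10.0.0.100 80 S
1310 10.0.0.100 10.0.0.9 80 SA
1310 10.0.0.9 10.0.0.100 80 R
1610 10.0.0.9 10.0.0.100 443 S
1610 10.0.0.100 10.0.0.9 443 SA
1610 10.0.0.9 10.0.0.100 443 R
1910 10.0.0.9 10.0.0.100 8080 S
2210 10.0.0.9 10.0.0.100 3306 S
2210 10.0.0.100 10.0.0.9 3306 SA
2210 10.0.0.9 10.0.0.100 3306 R
2510 10.0.0.9 10.0.0.100 21 S
2510 10.0.0.100 10.0.0.9 21 R
"""


def parse_log(text):
    """Turn the constructed log text into (ts, src, dst, port, flags) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port, flags = line.split()
            records.append((int(ts), src, dst, int(port), flags))
    return records


def half_open_syns(records):
    """Map each source to the SYNs it sent without ever completing the handshake.
    A real client follows the SYN/ACK with an ACK; a -sS probe answers with RST
    (or nothing), so that (dst, port) pair never sees an ACK from the source."""
    first_syn = defaultdict(dict)  # src -> {(dst, port): first SYN timestamp}
    acked = defaultdict(set)       # src -> {(dst, port)} completed handshakes
    for ts, src, dst, port, flags in records:
        if flags == "S":
            first_syn[src].setdefault((dst, port), ts)
        elif flags == "A":
            acked[src].add((dst, port))
    pending = {}
    for src, probes in first_syn.items():
        events = sorted((ts, dst, port) for (dst, port), ts in probes.items()
                        if (dst, port) not in acked[src])
        if events:
            pending[src] = events
    return pending


def max_distinct_ports(events, window):
    """Most distinct (dst, port) targets probed inside any `window` seconds."""
    in_window = defaultdict(int)
    left = best = 0
    for ts, dst, port in events:
        in_window[(dst, port)] += 1
        while events[left][0] < ts - window:  # expire probes older than the window
            old = events[left][1:]
            in_window[old] -= 1
            if in_window[old] == 0:
                del in_window[old]
            left += 1
        best = max(best, len(in_window))
    return best


def flag_scanners(records, min_ports, window):
    """Sources whose half-open probes hit >= min_ports distinct targets in one window."""
    flagged = {}
    for src, events in half_open_syns(records).items():
        n = max_distinct_ports(events, window)
        if n >= min_ports:
            flagged[src] = n
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    # A 60 s window misses probes five minutes apart; a one-hour window does not.
    print("60 s window:  ", flag_scanners(recs, min_ports=5, window=60))
    print("3600 s window:", flag_scanners(recs, min_ports=5, window=3600))
```

A production sensor would take this from a firewall log or flow export rather than the toy format, but the design choice carries over: key the counter on source address and distinct destination ports, and size the window in hours, not minutes, because a scan spread overnight is exactly what -T0 is for.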
Being able to avoid detection while enumerating targets is important, but avoiding log detection is just as important. Once a connection is established to a port and/or access is gained to a shell, it is important to realize that somewhere (not necessarily on the compromised computer itself) your actions are getting logged. Tightly secured networks likely have very verbose logging that is sent to a log server, making it difficult for a hacker to cover his tracks.
On Linux, once shell access is gained there are two important file locations to keep in mind:
- /root/.bash_history
- /var/log/
These two locations contain log files, and if no log files appear in these locations then they are likely getting stored on a log server. The easiest log file to change is the hidden file .bash_history in the /root folder. It’s best to copy this file first before executing any shell commands, though this can be impossible in cases where privilege escalation is needed (e.g. log access requires root or sudo privileges). Once command execution is complete, the hacker can clean up any recently used commands in the copied log file, use the touch -a command to change the file’s access time, and then replace the original log file with the copied one. When executed correctly, it can be very difficult for an administrator to tell that the log file was changed. The /var/log/ location contains log files for applications such as the Apache server, and these same techniques can be used there.
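From the administrator's side, the edit-and-touch sequence described above still leaves one trace: touch can set a file's access and modification times, but not its inode change time (ctime), which the kernel moves forward on every write and every utime() call. The following is an added example, not code from the original post: a small baseline-and-audit script that records content hashes and all three timestamps, then reports what changed. It works on constructed files in a temporary directory, assumes POSIX semantics for st_ctime, and its demo() simulates the tampering on the throwaway file so the audit has something to find.

```python
"""Audit log files against a baseline of content hashes and inode timestamps.

Added example, not code from the original post. Assumes POSIX semantics for
st_ctime (the inode change time, which `touch` cannot set) and works on
constructed files in a temporary directory so it runs offline anywhere.
"""
import hashlib
import os
import tempfile
import time


def snapshot(path):
    """Record the inode timestamps first, then hash the content: the read
    itself may update atime (relatime), so stat before opening."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {"sha256": digest, "size": st.st_size, "atime_ns": st.st_atime_ns,
            "mtime_ns": st.st_mtime_ns, "ctime_ns": st.st_ctime_ns}


def baseline(paths):
    """Baseline to store off-host: a tampered box can tamper with this too."""
    return {p: snapshot(p) for p in paths}


def audit(base):
    """Compare each baselined file with its current state; list findings per path."""
    report = {}
    for path, old in base.items():
        if not os.path.exists(path):
            report[path] = ["missing"]
            continue
        new = snapshot(path)
        findings = []
        if new["sha256"] != old["sha256"]:
            findings.append("content changed")
        if new["mtime_ns"] != old["mtime_ns"]:
            findings.append("mtime changed")
        if new["atime_ns"] != old["atime_ns"]:
            findings.append("atime changed")
        # touch can put atime and mtime back, but every write and every
        # utime() call moves ctime forward. Restored atime/mtime next to a
        # newer ctime is the tell an administrator should look for.
        if (new["ctime_ns"] > old["ctime_ns"]
                and new["mtime_ns"] == old["mtime_ns"]
                and new["atime_ns"] == old["atime_ns"]):
            findings.append("ctime advanced while atime/mtime were restored")
        report[path] = findings
    return report


def demo():
    """Constructed scenario: baseline a fake history file in a temp dir, then
    rewrite it with two lines removed and put atime/mtime back exactly."""
    with tempfile.TemporaryDirectory() as tmp:
        hist = os.path.join(tmp, ".bash_history")
        with open(hist, "w") as fh:
            fh.write("ls -la\nid\nuname -a\n")
        base = baseline([hist])
        time.sleep(0.2)  # move the clock past the filesystem's timestamp granularity
        with open(hist, "w") as fh:
            fh.write("ls -la\n")
        os.utime(hist, ns=(base[hist]["atime_ns"], base[hist]["mtime_ns"]))
        return audit(base)[hist]


if __name__ == "__main__":
    print(demo())
```

The hash catches the edit outright; the timestamp rule is there for the case where the original file is not available for comparison and only the baseline metadata survives. In a real deployment the baseline would be taken at build time and kept where the monitored host cannot write to it, alongside the remote log server the post mentions, since a log that has already left the box is the one the attacker cannot clean.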
Unfortunately, for Windows it is impossible to modify the Event Logs. If a hacker wants to cover her tracks in Windows, it’s best to just blast them away with wevtutil. Cybrary has (or had) a great course on how to do this, though a Google search on wevtutil will also do the trick.
Of course, even after performing all of the techniques explained above, all of your activities can still be detected by a forensic analyst (the hacker’s cousin and sometimes arch enemy). Be aware that every action done on a system traverses memory or the registry at some point. Forensic analysts worth their salt can load the registry or a process dump using tools such as RegEdit and Volatility, respectively, and can see which commands were executed, which links were clicked on, etc. This discussion deserves its own blog post and requires some additional research, so for now the links provided below should give a nice introduction to this topic:
Understanding that everything you do on a system gets recorded somewhere, and generally in multiple locations, is key to becoming a sophisticated hacker. Anyone can load a script, drop a piece of malware into a folder, or scan ports, but sophisticated hackers can hijack identities, make processes look legitimate, and make it appear as if they were never in the system in the first place. Understanding these techniques is great for both defense and offense (I think it was Sun Tzu who said “know your enemy”?). I will try to follow up with another blog post on more advanced anti-forensics techniques, but for now, spin up a Kali Linux virtual machine, target some other poor Ubuntu virtual machine (legally, please), and practice scanning that machine, gaining root access, and avoiding getting caught. Essentially, play both the hacker and the system admin; have fun and happy hacking!