Covering Your Tracks


The ability to remain stealth during a penetration exercise is what separates a sophisticated hacker from a script kitty. The phrase “The Quieter You Become, The More You Are Able to Hear” holds true, especially in the field of hacking. Being able to perform Ani-forensics and avoid detection is critical to the success of hacking and penetration testing and understanding these methods is beneficial, even for white hat hackers, as there will be times in a penetration where the system is already compromised. In such cases, understanding what the attacker is doing in order to cover their tracks can help determine the sophistication of the attack or bring prosecution to the attacker.
All hacks begin with system enumeration and nmap is one of the best tools to use during this discovery phase. However, as I explained in Scanning With nmap blog, port scanning a bunch of IP Addresses or every port on a target system is noisy and can cause denial of service conditions (very bad if you are contracting with company for this test). Doing an aggressive scan with -A or fast scan with high numbers of -T (i.e. -T5 which is the fastest) is also risky. To avoid detection of Firewalls and IPS/IDS devices, use slower scan rates (-T0) and SYN scans (-sS). An example is given below:
Nmap -sS -T0 scanme.nmap.org
-T0 may be a little too slow (-T3 may be better in some cases) but if you are black box testing a highly secure network, it may be best to gather as much information as possible upfront and then use that information to perform stealth scan against specific targets overnight. The -T tag slows the rate of packets getting sent and the -sS flag does a half-open scan and does not complete the TCP handshake (e.g. if the port is open it’ll instead send a RST packet instead of a ACK packet to make it look as if the connection is dropped). From a stealth scan (-sS) ports are determined to be in 3 states: open, closed, or filtered (firewall). Of course, stealth scans can also be picked up by IDS/IPS systems so an entire chapter from nmap on how to determine Firewall rules and avoid detection is provided below:
https://nmap.org/book/firewalls.html
Being able to avoid getting detected while enumerating targets is important but avoiding log detection is just as important. Once a connection is established to a port and/or access is gained to shell it is important to realize that somewhere (not necessarily on the compromised computer itself) your actions are getting logged. Tightly secured networks likely have very verbose logging that is sent to a log server making it difficult for a hacker to cover his tracks.
  1. On Linux, once shell access is gained there are two important file locations to keep in mind:   /root/.bash_history
  2.  /var/log/
These two locations contain log files and if no log files appear in these locations then they are likely getting stored on a log server. The easiest log file to change is the hidden file .bash_history in the /root folder. It’s best to copy this file first before executing any shell commands, though this can be impassible in the cases where privilege escalation is needed (e.g. log access requires root or sudo provileges). Once command execution is complete the hacker can clean up any recently used commands in the copied log file and use the touch -a command to change the files access time and then replace the original log file with the copied one. When executed correctly it can be very difficult for an administrator to tell if the log file was changed. The /var/log/ file location contains log files for applications such as Apache server and these same techniques can be used.
Unfortunately for Windows it is impossible to modify the Event Logs. If a hacker wants to cover her tracks in Windows, it’s best to just blast it away with wevutil. Cybrary has (or had) a great course on how to do this, though a google search on wevutil will also do the trick.
Of course, even after performing all of these techniques explained above, all of your activities can still be detected by a forensic analyst (hacker’s cousins and sometimes arch enemies). Be aware that every action done on a system traverse memory or the registry at some point. Forensic Analysts worth their salt can load the registry or a process dump using tools such as RegEdit and Volatility respectively can see which commands were executed, links that were clicked on, etc. This discussion deserves its own blog and requires some additional research so for now the links provided below should give a nice introduction into this topic:
https://resources.infosecinstitute.com/penetration-testing-covering-tracks/#gref
https://www.volatilityfoundation.org/
Understanding that everything you do on a system gets recorded somewhere, and generally in multiple locations, is key to becoming a sophisticated hacker. Anyone can load a script, drop a piece of malware into a folder, or scan ports; but sophisticated hackers can jack identities, make processes look legitimate, and make it appear as if they were never in the system in the first place. Understanding these techniques is great for both defense and offense (I think it was Sun Tzu that said “know your enemy”?). I will try to follow up with another blog on more advanced anti-forensics techniques but for now, spin up a virtual machine of Kali Linux, target some poor other virtual machine (legally please) of ubuntu and practice scanning that machine, gaining root access and avoiding getting caught. Essentially, play both the hacker and system admin; have fun and happy hacking!       

Comments

Post a Comment

Popular posts from this blog

Covering Your Tracks - Anti-forensics for the Cloud - Introduction

Image
Before delving into cloud forensics there are some concepts that need to be explained. The cloud consisted of two entities, provider (companies that host cloud technologies) and tenants (companies that use cloud technologies from the providers). The cloud generally consists of three service models:  Infrastructure-as-a-Service (IaaS) where the provider provides the hardware and network. Platform-as-a-Service (PaaS) where the provider provides all the components to a tenant's application. Software-as-a-Service (SaaS) where the provider supplies the software and the components to run it and the tenant uses and at most configures the application. Chris Brenton gives a great overview of the cloud and the challenges it poses in the link below: https://www.sans.org/blog/pen-testing-in-the-cloud/ Surprisingly there is not a lot of coverage out on the web for cloud forensics and this makes sense. Cloud forensics analysts, especially for tenants, may be somewhat limited on acc
Read more

Cross-Site Scripting (XSS) Introduction

Image
  Cross-Site Scripting (XSS) Introduction Note** The following examples utilize Web for Penetration Testers which I do not own any rights to. These examples provide solutions to the live image of Web for Pentester 1 which can be downloaded at https://pentesterlab.com/exercises/web_for_pentester/course . Please attempt these exercises on your own before reviewing my solutions to gain maximum benefit.   Introduction XSS is an often-overlooked vulnerability. The generic “Hello World” example of XSS (e.g. <script>alert(“XSS”);</script>) is an overly benign example. Once an XSS vulnerability is discovered it becomes possible for attackers to modify the webpage to re-direct users to malicious site, steal a user’s session or cookie, or bypass a log in. Because XSS is such a huge topic, a series will be developed with exploitations to follow. For this blog article, XSS detection will be focused on. Eventually this series will cover JSON, XML, XPath, JQuery, and other typ
Read more