Welcome to this new article. Today I am going to show you how to clean your traces from a compromised computer, so that you can operate without your commands or actions being recorded in the system logs.
To demonstrate this I will use two tools: one written in Rust for Linux systems, and another written in PowerShell for Windows.
This type of tool is very useful because if you do not use it you leave traces everywhere, and logically that is very dangerous: a forensic analyst can start retracing your steps and find you.
MoonWalk
This is the first tool, the one for use on Linux systems, and it is written in Rust. This is the repository: https://github.com/mufeedvh/moonwalk
And this is the description of the tool (you can see it in the README.md file in the repository):
moonwalk is a 400 KB single-binary executable that can clear your traces while penetration testing a Unix machine. It saves the state of system logs pre-exploitation and reverts that state including the filesystem timestamps post-exploitation leaving zero traces of a ghost in the shell.
And these are the features:
- Small Executable: Get started quickly with a curl fetch to your target machine.
- Fast: Performs all session commands including logging, trace clearing, and filesystem operations in under 5 milliseconds.
- Reconnaissance: To save the state of system logs, moonwalk finds a world-writable path and saves the session under a dot directory which is removed upon ending the session.
- Shell History: Instead of clearing the whole history file, moonwalk reverts it back to how it was including the invocation of moonwalk.
- Filesystem Timestamps: Hide from the Blue Team by reverting the access/modify timestamps of files back to how it was using the GET command.
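The last three features above each leave something a defender can look for, so here is an added example (written for this article, not part of moonwalk) that hunts for two of them from the blue-team side. The first check relies on a Unix kernel rule: utime(2) lets a process set a file's atime and mtime to any value, but ctime is always bumped to the current time when that happens, so a file whose ctime is far newer than its mtime was touched after the modification time it claims. The second check lists dot-directories sitting directly under world-writable paths, which is where the README says the session state is kept until `stop` removes it. Paths such as /tmp, /var/tmp and /dev/shm and the 60-second skew threshold are assumptions for illustration.

```python
"""Hunt for timestamp reversion and hidden session directories on a Unix host.
Added example for this article; not moonwalk's own code. Unix ctime semantics assumed."""
import os
import stat
from dataclasses import dataclass
from typing import Iterable, List


@dataclass
class Finding:
    path: str
    reason: str
    ctime_minus_mtime: float


def find_timestomped(root: str, min_skew_seconds: float = 60.0) -> List[Finding]:
    """Flag regular files whose inode change time (ctime) is at least
    min_skew_seconds newer than their modification time (mtime).
    A normal write leaves ctime ~= mtime; a later utime() call to push
    mtime into the past cannot avoid moving ctime forward."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; not our concern here
            if not stat.S_ISREG(st.st_mode):
                continue
            skew = st.st_ctime - st.st_mtime
            if skew >= min_skew_seconds:
                findings.append(Finding(path, "ctime newer than mtime", skew))
    return findings


def hidden_dirs_in_world_writable(roots: Iterable[str]) -> List[str]:
    """Return dot-directories directly under each root that is world-writable
    (e.g. /tmp, /dev/shm). Legitimate software rarely needs a hidden directory
    there, so every hit deserves a look at its contents and owner."""
    hits: List[str] = []
    for root in roots:
        try:
            st = os.stat(root)
        except OSError:
            continue
        if not st.st_mode & stat.S_IWOTH:
            continue  # not world-writable, moonwalk would not pick it
        try:
            entries = list(os.scandir(root))
        except OSError:
            continue
        for entry in entries:
            if entry.name.startswith(".") and entry.is_dir(follow_symlinks=False):
                hits.append(entry.path)
    return sorted(hits)


if __name__ == "__main__":
    # Assumed starting points for a quick sweep; adjust to the host.
    for f in find_timestomped("/etc"):
        print(f"{f.path}: {f.reason} by {f.ctime_minus_mtime:.0f}s")
    for d in hidden_dirs_in_world_writable(["/tmp", "/var/tmp", "/dev/shm"]):
        print("hidden directory in world-writable path:", d)
```

The ctime check is noisy on its own: chmod, chown and package upgrades that extract files with preserved mtimes all produce the same skew, so triage hits against the package manager's file database and the maintenance history before treating one as evidence. What it cannot be fooled by is the tool itself, because no unprivileged call sets ctime; only a forged clock or raw disk writes can do that.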
MrKaplan
This is the second tool, the one used to hide your traces on a Windows system. You might think it would be an .exe or something similar, but no, in this case it is written in PowerShell, which seems to be very good for creating scripts; soon you will see more things with PowerShell. This is the repository:
https://github.com/Idov31/MrKaplan
And this is the description of the tool:
MrKaplan is a tool aimed to help red teamers to stay hidden by clearing evidence of execution. It works by saving information such as the time it ran, snapshot of files and associating each piece of evidence with the related user.
This tool is inspired by MoonWalk, a similar tool for Unix machines.
And these are the features:
- Stopping event logging.
- Clearing files artifacts.
- Clearing registry artifacts.
- Can run for multiple users.
- Can run as user and as admin (Highly recommended to run as admin).
- Can save timestamps of files.
- Can exclude certain operations and leave artifacts to blue teams.
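"Stopping event logging" and "clearing artifacts" both leave marks in the Windows event stream itself, so here is an added example (written for this article, not MrKaplan's code) showing the detection logic a blue team would run over an exported record list. It flags the event IDs Windows writes when logging is interrupted or wiped (1100, the event logging service shut down; 1102, the audit log was cleared; 104, a log file was cleared) and, more importantly for a tool that pauses logging rather than clearing it, any stretch of silence longer than the host normally shows. The CSV export format (RecordId,TimeCreated,EventId), the sample records and the ten-minute quiet threshold are constructed assumptions for illustration; a real export would come from Get-WinEvent or an EVTX parser.

```python
"""Spot explicit log-clearing events and unexplained logging silence in a
Windows event export. Added example for this article; not MrKaplan code."""
import csv
import io
from datetime import datetime, timedelta
from typing import List, Tuple

# Event IDs Windows itself records when logging is shut down or wiped.
SUSPICIOUS_EVENT_IDS = {
    1100: "event logging service shut down",
    1102: "audit log cleared",
    104: "log file cleared",
}

# Constructed sample export: a busy host goes quiet for ~43 minutes right
# after a 1100, then logging resumes and the audit log is cleared (1102).
SAMPLE_EXPORT = """RecordId,TimeCreated,EventId
5000,2023-05-01T10:00:00,4624
5001,2023-05-01T10:00:30,4688
5002,2023-05-01T10:01:00,4688
5003,2023-05-01T10:01:30,1100
5004,2023-05-01T10:45:00,4688
5005,2023-05-01T10:45:10,4624
5006,2023-05-01T10:46:00,1102
"""

Record = Tuple[int, datetime, int]  # (RecordId, TimeCreated, EventId)


def parse_export(text: str) -> List[Record]:
    """Parse the assumed CSV export into records ordered by time."""
    rows: List[Record] = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append((int(row["RecordId"]),
                     datetime.fromisoformat(row["TimeCreated"]),
                     int(row["EventId"])))
    rows.sort(key=lambda r: r[1])
    return rows


def find_logging_anomalies(records: List[Record],
                           max_quiet: timedelta = timedelta(minutes=10)
                           ) -> List[Tuple[int, str]]:
    """Return (RecordId, reason) alerts for clearing/shutdown events,
    record-number jumps (records missing) and gaps longer than max_quiet
    (logging was stopped, or the host was off: check which)."""
    alerts: List[Tuple[int, str]] = []
    prev: Record = None
    for rec_id, ts, eid in records:
        if eid in SUSPICIOUS_EVENT_IDS:
            alerts.append((rec_id, f"event {eid}: {SUSPICIOUS_EVENT_IDS[eid]}"))
        if prev is not None:
            prev_id, prev_ts, _ = prev
            if rec_id != prev_id + 1:
                alerts.append((rec_id, f"record numbering jumps from {prev_id} to {rec_id}"))
            quiet = ts - prev_ts
            if quiet > max_quiet:
                alerts.append((rec_id, f"no events for {quiet} after record {prev_id}"))
        prev = (rec_id, ts, eid)
    return alerts


if __name__ == "__main__":
    for rec_id, reason in find_logging_anomalies(parse_export(SAMPLE_EXPORT)):
        print(f"record {rec_id}: {reason}")
```

The quiet-period threshold must be tuned per host: a domain controller is never silent for ten minutes during business hours, a kiosk might be. Because the tool is a PowerShell script, the process-creation event (4688) for the PowerShell host immediately before the silence starts is the natural pivot once a gap is found, and forwarding events to a collector in real time means the pause is visible even if the local log is later tidied up.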
Linux
Perfect, now I am going to show you how to use this tool on Linux systems so you can see how simple it is. The first step is to execute this command:
curl -L https://github.com/mufeedvh/moonwalk/releases/download/v1.0.0/moonwalk_linux -o moonwalk
Or:
cargo install --git https://github.com/mufeedvh/moonwalk.git
We give it execution permissions with the command chmod +x and we run the tool:
This is the help menu. Now it's time to start: if you look at the last screenshot you can see that you only need to add start to the last command:
./moonwalk start
Now we can run all the commands we want and they will not be saved.
When you are finished, it is necessary to run this command:
./moonwalk stop
Windows
Well, now we will do the same on a Windows platform with the MrKaplan tool. The first step is to open a PowerShell shell on the system.
Now you need to transfer the MrKaplan.ps1 file; you can find it in the GitHub repository.
To do this you can use a Python server on your Kali machine and certutil.exe on the victim machine:
Now it's time to execute the script:
MrKaplan.ps1 begin
You may see some errors, but it works perfectly anyway.
To finish:
MrKaplan.ps1 end
And Done!