Time
14 hours 43 minutes
Difficulty
Advanced
CEU/CPE
15

Video Transcription

00:00
Hello, everybody, and welcome to episode number 26 of the series, Erasing Your Tracks. My name is Alejandro Guinea and I'll be the instructor for today's session.
00:11
The learning objectives of this session are to understand the concepts
00:15
behind this technique and apply some concepts to implement this technique.
00:21
So let's get down to business, shall we?
00:25
First of all,
00:28
we can gain, well, really just quickly gain a Meterpreter shell to, um,
00:35
to a Windows machine
00:37
with the well-known, already beloved by us, psexec module
00:45
here.
00:46
By the way, I already lifted the previous firewall settings so we can actually reach our Windows XP machine directly.
00:58
So just use the module,
01:02
set the remote host.
01:06
All right,
01:07
that's it.
01:08
It will get, you know, a Meterpreter shell back to us. And the first thing I would like to show you is how to quickly and really easily erase your tracks, or erase every, um,
01:23
possible trace or log. Let me just
01:26
drag this in here. Oh, by the way, okay, that's fine.
01:30
Um,
01:32
let me just go to
01:34
Control Panel.
01:37
I mean, Administrative Tools, and then you can see, ah, the Event Viewer. That's it. That's the same. And you can see all the traces. We have a lot of, you know, Application, System, Internet. You know,
01:53
we have a lot of entries and information about us hacking the system. And, you know, maybe we changed the credentials, we changed something. Let me just cancel that and just
02:05
drag this out in here
02:07
so you can actually see how malicious it could be. So it is as easy as just typing, in the Meterpreter shell, clearev.
02:19
And bam. Okay: wiping 51 records from Application, wiping [number unclear] records from
02:27
System, wiping from Security. And if I go here and drag it, just to show you again, and double-click on that, Application has zero
02:37
things to report, System as well. I mean, you know, it has been cleared out. I mean, the system administrator cannot actually see those events. Needless to say, a sys, um,
02:53
system administrator will see that as an alert, and some SIEMs,
02:58
or some security information and event management, um,
03:02
will have use cases configured to actually launch an alert whenever these logs are cleared. So, you know, this is how you can erase your tracks. I mean, maybe it will tell that you were in the machine, or it will tell that you were present in the machine,
03:19
or, you know, that someone was present in the machine, but they will not be able to track your activity back to you.
03:28
Uh, however, I will not always get a Meterpreter shell. You know, Meterpreter is all well and good until we cannot actually gain one of those. So we can always download, you know,
03:42
download a suite of tools to clear the logs. For example, you can use clearlogs.exe. I already downloaded it, so I can just upload it to the victim's machine.
03:58
I'm just going here, and I hope I've downloaded it already, but I guess I erased that. Now let me just go in here and just type it, um,
04:06
clearlogs.exe download,
04:12
and, you know, yeah, you can see that I already downloaded it, so you can actually download this and you can upload it to our victim machine, and it will perform... I will not bother to show you the results from this, but it performs the exact same thing. So you can just set upload,
04:31
as we have a Meterpreter shell, root,
04:34
um, Downloads.
04:36
And I guess it was just clearlogs.
04:40
And it will upload this to the machine. Let me just show you here.
04:45
Um,
04:48
and you can just execute that, you know, just type it in a shell as it is, and I don't want to bother
04:56
with the .exe at the end; it will perform the same thing. And on top of that, we don't have any logs to clear on our Windows machine. So, you know, that's pretty neat. You can actually achieve that by using the clearev tool in the Meterpreter shell. You can also download tools like clearlogs.exe.
05:15
You actually achieve the same as we did with clearev
05:18
in the msfconsole.
05:21
Um,
05:24
but, you know, what about the Linux operating system? Yeah, I know, I know, you guys are thinking that Windows is the easiest to hack, but that depends. I have seen some Windows machines, you know, with all the updates,
05:39
with all the good practices in place, so hacking the Windows machine was harder than attacking other Linux machines that were not, you know, using an antivirus, or were not using good practices, or were not up to date.
05:54
You know, for me, hacking Linux machines has proven to be easier than a Windows machine. I don't know why. Maybe that's because I have a lot of experience with the shell. Ah, but yeah, I'm just
06:05
telling you what I've seen. So what about, uh, Linux operating systems? Yeah. Um, the log files are stored... let me just exit here.
06:18
Ah, in this location.
06:23
As you can see, we have a lot of logs saved in this location, some of them directly in this location, and some of them have their own folders so we can go deeper. Um, let me just give an example. For example,
06:40
Apache. Let's choose Apache.
06:42
The access log. It will tell us all of the accesses that we could, you know, actually gain something from or see something from, a specific, I don't know, operating system, and all the accesses that we have seen so far. So this being it, um,
06:59
we can actually erase that. I mean, you can, you know, just use rm or something like that, if you have
07:05
root permissions, remember. This is something that you have to have all the privileges to actually do. Um, yeah, you know, you can clear whatever you want. You can just clear one line, or, you know, I don't know, that depends on what you're approaching and also on the time you have,
07:24
because most of the time, or sometimes, you will not have as much,
07:28
so much time to actually clear the logs. Because when you're actually trying to clear the tracks, it means that you're leaving the system, or you know that someone already suspects that you're inside the system. So sometimes you will not have enough time to actually clear just one activity. So there's that. Yeah, you know,
07:46
finally, before we leave a compromised Linux system, we want to make sure, you know, certain, that our command history is erased, because, yeah, we can erase our tracks, but, you know, even our commands to actually erase tracks are saved
08:03
in a specific file, the .bash_history file,
08:07
ah, that, you know, saves all of our activities. So let me just show you here, copy-paste, because again I'm too lazy to write it down,
08:16
and you can see all of the commands we have typed so far, which are a lot.
08:22
Yeah, a lot. A lot of the log commands.
08:24
We need to make sure that we clear that out, because at the end, um, a system administrator can actually check that activity and see that we actually cleared logs or something like that. So that will get us into trouble.
08:43
Also, the size of the history. Before you start typing something, you can actually determine or set the size of the history by setting the environment variable, uh, HISTSIZE. Let me just type it here.
09:03
Or let's copy-paste,
09:07
which again is 1000 commands.
09:09
Ah, pretty big, to my taste. You know, you can
09:13
I don't say set something like that. Now that I have it here, like, I would not do that, but you can. I'm sorry. export HISTSIZE=0, for example, so it can limit what, uh, which commands are saved in that history.
09:31
Uh, and sometimes we wouldn't have enough time to erase the history file or change the history size variable, or we're just in a hurry, as I told you before. So we can just shred,
09:45
um,
09:46
the,
09:50
the history, .bash_history.
09:52
Um, you know, the shred command with the -z and -u switches will overwrite the history with zeroes. There's something called zeroization. Or, I mean, I have heard it this way: military-grade erase.
10:11
What this means is that
10:13
when you're actually erasing something or clearing something, removing or eliminating a file, all you're doing is eliminating the pointer to that file. But the file is still present on the hard drive. So the military-grade erase, or zeroization, just means overwrite all of this with a bunch of zeros.
10:33
I mean, yeah, that means that you cannot recover it with forensic techniques,
10:39
because I have seen tools, I don't want to mention any brand here, but, for example, OpenText has some really cool forensic tools. Remember, specifically, FTK, another brand that you can actually take a look at.
10:56
They can actually grab or export or check every possible recoverable file that you can actually think of. So zeroization, that technique, just overwrites all of that with zeros.
11:11
And as always, you can... I already said it, but at this point I believe you can imagine that you can create your own Perl or Python or bash script to automate this. Maybe a script
11:26
that, with just executing it, will erase the history, will erase all the logs, will erase... I don't know, whatever you're thinking of, it can possibly be achieved by a Python or Perl or bash script
11:39
to automate this task. And you can also google something like that. I mean, I do believe,
11:46
I do bet that, um,
11:50
you can actually find some good scripts to automate this erasing of your tracks, both in the Windows and in the UNIX or Linux operating systems.
12:03
What is the command to easily clear all the logs? The Meterpreter clearev command is the command you can easily use to clear all the evidence, all the files, all the logs in the Windows environment.
12:18
What is saved in .bash_history? Well, it saves all the commands that you have typed so far,
12:26
by default, this is the HISTSIZE size of 1000, I believe.
12:30
I recall? Yeah, 1000. Um, and it will save all the commands you have. So yeah, you can actually limit that by setting the environment variable to zero, so it will not save any of your commands.
12:46
In this video, we learned the concepts behind this technique, and we implemented some tools and commands to execute this technique. And we also saw how malicious it can be.
12:56
Supplemental materials, once again: The Hacker Playbook and every possible source you can find in Google and YouTube.
13:05
And looking forward to the next video, we'll see some techniques to avoid antivirus. All right.
13:11
Well, that's it for today, folks. I hope you enjoyed it, and see you soon.


Offensive Penetration Testing

This is a deep course about penetration testing. In this course, you’ll learn from basic to the most advanced and modern techniques to find vulnerabilities through information gathering, create and/or use exploits and be able to escalate privileges in order to test your information systems defenses.

Instructed By

Alejandro Guinea
CERT Regional Director
Instructor