Introduction
Welcome to this new article. Today I am going to show you how to clean your traces from a hacked computer, so that you can operate without your commands or actions within the system being recorded in the system logs.
To demonstrate this I will use two tools: one written in Rust for use on Linux systems, and another written in PowerShell for use on Windows.
This type of tool is very useful because if you do not use one you leave traces everywhere, and it is logically very dangerous if a forensic analyst starts detecting your steps and finds you.
MoonWalk
This is the first tool, the one for use on Linux systems, written in Rust. This is the repository:
GitHub — mufeedvh/moonwalk: Cover your tracks during Linux Exploitation by leaving zero traces on…
And this is the description of the tool (you can see it in the readme.md file in the repository):
moonwalk is a 400 KB single-binary executable that can clear your traces while penetration testing a Unix machine. It saves the state of system logs pre-exploitation and reverts that state including the filesystem timestamps post-exploitation leaving zero traces of a ghost in the shell.
And these are the features:
- Small Executable: Get started quickly with a curl fetch to your target machine.
- Fast: Performs all session commands including logging, trace clearing, and filesystem operations in under 5 milliseconds.
- Reconnaissance: To save the state of system logs, moonwalk finds a world-writable path and saves the session under a dot directory which is removed upon ending the session.
- Shell History: Instead of clearing the whole history file, moonwalk reverts it back to how it was including the invocation of moonwalk.
- Filesystem Timestamps: Hide from the Blue Team by reverting the access/modify timestamps of files back to how it was using the GET command.
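The Filesystem Timestamps feature above still leaves a mark a responder can look for, shown here as an added example that is not code from this article or from the moonwalk project: on Linux, writing a file's access/modify times sets its inode change time (ctime) to the current time, so a file whose ctime is far later than both atime and mtime had its metadata touched afterwards. The function name, the 60 second threshold and the /var/log default are assumptions, and ordinary chmod, chown or rename operations also move ctime, so hits are leads to correlate rather than proof.

```python
#!/usr/bin/env python3
"""Flag regular files whose ctime is much later than both atime and mtime.

Added defender-side example; find_reverted_timestamps and the default
threshold are assumptions, not part of moonwalk or the article.
"""
import os
import stat
import sys
from typing import List, Tuple


def find_reverted_timestamps(root: str, min_gap: float = 60.0) -> List[Tuple[str, float]]:
    """Return (path, gap_seconds) for files under root where
    ctime - max(atime, mtime) >= min_gap, largest gap first."""
    findings = []
    # onerror swallows unreadable directories so one bad path does not stop the scan
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # file vanished or is unreadable
            if not stat.S_ISREG(st.st_mode):
                continue
            # ctime is set by the kernel on every metadata change and cannot
            # be written back by the call that sets atime/mtime.
            gap = st.st_ctime - max(st.st_atime, st.st_mtime)
            if gap >= min_gap:
                findings.append((path, gap))
    return sorted(findings, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    scan_root = sys.argv[1] if len(sys.argv) > 1 else "/var/log"
    for path, gap in find_reverted_timestamps(scan_root):
        print(f"{gap:12.0f}s  {path}")
```

Run it against log directories and recently accessed configuration paths, then compare hits with package-manager and logrotate activity before drawing conclusions.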