After achieving and maintaining access, it's time to exit the system. Lisa Bock takes a look at a couple of ways of cleaning up any evidence and covering any tracks or traces of activity on a Linux machine by using the Metasploit meterpreter to clear everything. In addition, she takes a look at the event log on Windows to clear any recorded activity.
- [Voiceover] After achieving and maintaining access, it's time to exit the system. Keep in mind, other devices on the network may have picked up unusual activity, but it is truly difficult to remove log files from every device. Any good hacker will clean up any trace of their activity. If there is any evidence that they were in the system, a forensic team might be able to trace the activity back to the hacker. Before leaving, we'll take a look at a couple of ways of cleaning up any evidence, and covering any tracks of activity on the machine.
On a Linux machine, we can clean up evidence using the Metasploit meterpreter. And in this case we would just say "Clear everything." Also on a Linux system, you can take a look at the open log files that are stored in the /var/log/messages file, and we can use kwrite /var/log/messages. Now remember we've probably entered some commands, so we'll want to go back in there and erase the command history, and set it back to zero, so that there's no trace that I was there. Just go in and export HISTSIZE=0.
Now that'll go back through and erase any of the history and set it back to zero. We can even go to the extent of shredding the history file. And this command will shred it completely. And don't forget that there are log files on Windows, so make sure you clean up any evidence on Windows. Let's take a look at some of the logging in the event log and security logs on Windows. I'm in Windows Server 2000, and over here you can see the Event Viewer on the right-hand side.
Let's drop this down. Now in the Application log, there's just a lot of information; here's how I can say "Clear log." I don't wanna save it, I just wanna clear it. Now don't worry, within minutes there'll be more activity in there. But let's take a look at the Security log. There's a lot of information in here. Oh, look here, audit policy change. Well I don't want them to know that I did that, so I'm going to clear the log.
I'm gonna simply clear it, I'm not going to save and clear it, just clear. And it's gone. Other things, Setup, System, you could possibly do these, but again they'll be populated fairly soon afterwards. So give it a minute and it will start populating again. So as you can see, once you're completely done with the system, before you leave, make sure you clean up
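From the defender's side, clearing a Windows log is itself logged: the Security log records event 1102 (517 on Windows 2000/XP/2003) when it is cleared, and the System and Application logs record event 104, so the "audit policy change" (event 4719) followed by a clear that the lesson shows is exactly the pattern a monitor looks for. The script below is an added example, not part of the course; the CSV export it scans is constructed to resemble a minimal Event Viewer export and is not real data.

```python
"""Flag Windows event-log clearing in an exported event list (added example)."""
import csv
import io

# Event IDs Windows writes when a log is cleared: 1102 (Security log cleared,
# Vista and later), 517 (same on Windows 2000/XP/2003), 104 (System or
# Application log cleared, provider Microsoft-Windows-Eventlog).
CLEAR_EVENT_IDS = {("Security", 1102), ("Security", 517), ("System", 104),
                   ("Application", 104)}
AUDIT_POLICY_CHANGED = 4719  # "System audit policy was changed"

# Constructed sample export (columns as Event Viewer's CSV export names them).
SAMPLE_EXPORT = """\
Level,Date and Time,Source,Event ID,Log,User
Information,2024-05-01 09:12:03,Microsoft-Windows-Security-Auditing,4624,Security,SYSTEM
Information,2024-05-01 09:15:40,Microsoft-Windows-Security-Auditing,4719,Security,Administrator
Information,2024-05-01 09:16:02,Microsoft-Windows-Eventlog,1102,Security,Administrator
Information,2024-05-01 09:16:30,Microsoft-Windows-Eventlog,104,System,Administrator
Information,2024-05-01 09:17:11,Service Control Manager,7036,System,SYSTEM
"""


def find_log_clears(export_text):
    """Return one alert dict per log-clearing event, noting whether an audit
    policy change was seen earlier in the same export (a common precursor)."""
    alerts = []
    saw_policy_change = False
    for row in csv.DictReader(io.StringIO(export_text)):
        event_id = int(row["Event ID"])
        if row["Log"] == "Security" and event_id == AUDIT_POLICY_CHANGED:
            saw_policy_change = True
        if (row["Log"], event_id) in CLEAR_EVENT_IDS:
            alerts.append({"time": row["Date and Time"], "log": row["Log"],
                           "event_id": event_id, "user": row["User"],
                           "after_policy_change": saw_policy_change})
    return alerts


def summarize(alerts):
    """One human-readable line per alert, suitable for a SIEM ticket."""
    return [f"{a['time']} {a['log']} log cleared (event {a['event_id']}) by "
            f"{a['user']}{' after audit policy change' if a['after_policy_change'] else ''}"
            for a in alerts]


if __name__ == "__main__":
    for line in summarize(find_log_clears(SAMPLE_EXPORT)):
        print(line)
```

Because the clear event is written to the log that was just emptied, forwarding logs to a central collector before they can be cleared is what preserves the rest of the evidence.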
These tutorials, along with the other courses featured in the Ethical Hacking series, will prepare students to pass the Certified Ethical Hacker exam and start a career in this in-demand field. Find out more about the exam at https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/.