Linux Basics for Hackers



Remaining Stealthy


Once you’ve compromised a Linux system, it’s useful to disable logging and remove any evidence of your intrusion in the log files to reduce the chances of detection. There are many ways to do this, and each carries its own risks and level of reliability.

Removing Evidence


First, you’ll want to remove any logs of your activity. You could simply open the log files and precisely remove the entries detailing your activity, line by line, using the file editing techniques you learned in Chapter 2. However, this is time-consuming and leaves time gaps in the log files, which look suspicious to anyone reviewing them. Also, a deleted file is not really gone: ordinary deletion only unlinks the name, and the data blocks stay on disk until they are reused, so a skilled forensic investigator can generally recover them.
A better and more secure solution is to shred the log files. Suppose there was a way not just to delete the file but to overwrite its contents several times first, making it much harder to recover. Lucky for us, Linux has a built-in coreutils command, appropriately named shred, for just this purpose.
To understand how the shred command works, take a quick look at the help screen by entering the following command:

kali >shred --help
Usage: shred [OPTION]... FILE...
Overwrite the specified FILE(s) repeatedly, in order to make it harder
for even very expensive hardware probing to recover the data.
--snip--

As you can see from the full output on your screen, the shred command has many options. In its most basic form, the syntax is simple:

shred FILE

On its own, shred overwrites the file several times; by default, current GNU coreutils uses three passes. Note that shred does not delete the file unless you add the -u option, which truncates and then removes it after the final pass. Generally, the more times the file is overwritten, the harder it is to recover, but keep in mind that each overwrite takes time, so for very large files, shredding may become time-consuming. Also read the caveat at the end of shred's own help text: overwriting in place only works on file systems that write data in place. On journaled, copy-on-write, or log-structured file systems, on RAID or snapshot volumes, and on SSDs with wear leveling, old copies of the blocks can survive the overwrite.
Two useful options to include are the -f option, which changes the permissions on the files to allow overwriting if a permission change is necessary, and the -n option, which lets you choose how many times to overwrite the files. As an example, we’ll shred the authentication logs under /var/log with 10 passes using the following command:

kali >shred -f -n 10 /var/log/auth.log*

The -f option forces write permission on the files if they are read-only for us; it does not grant root, and /var/log/auth.log is normally writable only by root (owner syslog, group adm, mode 640), so you need root privileges on the box regardless. We follow the -n option with the desired number of overwrite passes. After the path of the file we want to shred, we include the wildcard asterisk so we’re shredding not just the auth.log file, but also any logs that have been created with logrotate, such as auth.log.1, auth.log.2.gz, and so on. Be careful with where the asterisk goes: the pattern auth.log.* matches only the rotated copies and leaves the live auth.log untouched, whereas auth.log* matches both.
Now try to open a log file:

kali >leafpad /var/log/auth.log.1

Once you’ve shredded a file, you’ll see that the contents are indecipherable gibberish, as shown in Figure 11-1.

Figure 11-1: A shredded log file
Now if the security engineer or forensic investigator examines the log files, they will find nothing of use, because the entries themselves are not recoverable from the file. That does not make the intrusion invisible, though: a log file that is suddenly full of random bytes is itself a strong indicator of tampering, the running syslog daemon will keep appending fresh entries to the shredded file, and copies of the same events may still exist in the systemd journal (/var/log/journal), on a remote syslog or SIEM server, and in any backups or snapshots taken before you arrived.
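The following script is an added example, not code from the book, that exercises shred on constructed sample logs in a temporary directory so that nothing under /var/log is touched. It shows three things the procedure above depends on: which files the auth.log.* and auth.log* globs actually match, that shred without -u overwrites but keeps the file (rounding its size up to a whole block), and that shred -u removes it. It also includes a simple detection-side check, counting non-printable bytes, to show why a shredded log is easy to spot. The sample log lines and host names are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the book): exercises GNU shred on constructed
# sample logs in a temp directory. Requires coreutils shred.
set -eu

# Build a fake log directory shaped like logrotate output.
# The entries below are constructed for the demo, not real auth.log lines.
make_sample_logs() {
    dir=$(mktemp -d)
    printf 'Jan  1 00:00:01 host sshd[100]: Accepted password for root from 10.0.0.5 port 4444 ssh2\n' > "$dir/auth.log"
    printf 'Dec 31 23:59:59 host sshd[99]: Failed password for root from 10.0.0.5 port 4443 ssh2\n' > "$dir/auth.log.1"
    printf 'Dec 30 12:00:00 host sudo: root : TTY=pts/0 ; COMMAND=/bin/bash\n' > "$dir/auth.log.2"
    echo "$dir"
}

# Count the files a glob pattern matches inside $dir.
# Demonstrates that 'auth.log.*' misses the live auth.log while
# 'auth.log*' catches the live file and every rotated copy.
count_matches() {
    dir=$1
    pattern=$2
    n=0
    for f in "$dir"/$pattern; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Overwrite every matching log in place with 3 passes and keep the file.
# Without -u shred never unlinks; the file stays, with the same name and
# its size rounded up to a full filesystem block, full of random bytes.
shred_in_place() {
    dir=$1
    shred -n 3 "$dir"/auth.log*
}

# Overwrite, then zero (-z) so the final pass is not obviously random,
# then truncate and unlink (-u).
shred_and_remove() {
    dir=$1
    shred -n 3 -z -u "$dir"/auth.log*
}

# Print "yes" if FILE still contains STRING, otherwise "no".
contains_string() {
    if grep -q "$2" "$1" 2>/dev/null; then echo yes; else echo no; fi
}

# Detection-side check: count bytes outside tab/CR/LF and printable ASCII.
# A genuine text log yields 0; a shredded one yields a large number, which
# is exactly what a reviewer or integrity monitor would flag.
nonprintable_count() {
    tr -d '\n\t\r\040-\176' < "$1" | wc -c | tr -d ' '
}

# Stand-alone walkthrough when run directly.
if [ "${1:-}" = "demo" ]; then
    d=$(make_sample_logs)
    echo "auth.log.* matches: $(count_matches "$d" 'auth.log.*')"
    echo "auth.log*  matches: $(count_matches "$d" 'auth.log*')"
    echo "non-printable bytes before: $(nonprintable_count "$d/auth.log")"
    shred_in_place "$d"
    echo "non-printable bytes after shred: $(nonprintable_count "$d/auth.log")"
    shred_and_remove "$d"
    echo "files left after shred -u: $(count_matches "$d" 'auth.log*')"
    rm -rf "$d"
fi
```

Run it with `sh shred_demo.sh demo` on a Linux box. The example writes only to a directory created by mktemp, so it is safe to run anywhere; the in-place overwrite guarantee it relies on still only holds on file systems that write blocks in place, as noted above.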
