Ethical hacking: Log tampering 101 by Blackhat pakistan
Getting caught is the one thing no hacker wants. They want to break into a system, do what they came for and retreat to the relative anonymity of wherever they are operating from. Logs are designed to record almost everything that happens on a system, including intrusion attempts, and are often the deciding factor in tracing an intruder after the fact.
Ethical hackers must understand how attackers manipulate logs, because covering tracks is a standard part of an intrusion. This article covers the basics of log manipulation for ethical hackers: disabling auditing, clearing logs, editing logs and clearing command history. Windows and Linux are emphasized because they are the systems organizations use most.
Please note that this article is intended as an introduction to log manipulation for ethical hacking purposes only.
A little about logs
As analogies go, hacking is kind of like stealing cookies from a cookie jar. Every cookie thief or hacker wants to be able to get in there and do their dirty deeds before they get caught.
Now imagine this cookie jar surrounded by fresh snow covering everything around it. It would be impossible to even get to the cookie jar without leaving a trail, just as it is very hard to get into a system without leaving some record of it. Log manipulation is the equivalent of covering up those tracks, the clues administrators use to catch intruders.
Hackers know the four-step process for covering their tracks in the logs like the back of their hand. The steps are:
- Disable auditing
- Clearing logs
- Editing logs
- Clearing command history
- Disable auditing
Disabling auditing is a logical first step for an attacker, because once logging is turned off no further evidence is generated. It does not remove what was already recorded, and the change itself is written to the log before auditing stops.
On Windows, the built-in command-line tool auditpol both shows the audit policy the system administrator configured (its /get subcommand lists what is recorded per category and subcategory) and changes it (/set, or /clear to wipe the whole policy). Knowing what is recorded lets an attacker switch off only the subcategories that capture their activity rather than everything, which is less conspicuous and makes them harder to track. Any change to the policy is itself recorded as Security event 4719 (system audit policy was changed), so the policy change is the first entry a defender should look for.
- Clearing logs
Since logs store evidence of hacking activities, clearing logs is a logical next step for ethical hackers to learn about.
How to Clear Logs in Windows
There are several ways to clear logs on Windows systems. Below are the usual ways to perform this track-cleaning tactic.
One is the third-party utility clearlogs.exe (the original article linked to a download; the link is not preserved here). Once the target Windows system is accessed, the file is copied over and run to clear the Security log. At the command line, type:
clearlogs.exe -sec
This clears the Security log on the target system. To verify that it worked, open Event Viewer and check the Security log.
Two caveats. First, if the attacker leaves clearlogs.exe on disk, the binary itself is solid evidence of tampering, and if process-creation auditing is enabled its execution was recorded as event 4688, which survives the clear wherever logs are forwarded off the host. Second, clearing the Security log does not erase the fact that it was cleared: the Event Log service writes event ID 1102(S), "The audit log was cleared", as the first record of the freshly emptied log (Microsoft documents this for Windows 10 and Windows Server 2016; see the reference below). Overlooking this is a common mistake made by novice hackers.
Meterpreter, Metasploit's advanced payload originally written by Matt "skape" Miller in 2004, has a built-in command that clears the three main Windows logs. After compromising the system with Metasploit, enter the following at the Meterpreter prompt:
meterpreter > clearev
Meterpreter reports how many records it wiped from each of the Application, System and Security logs. Because it clears them through the same Windows API that Event Viewer uses, this too leaves a 1102 record in the Security log.
Windows Event Viewer
Even if auditing has been disabled, it is still worth clearing the logs, because disabling auditing is itself recorded as an event. In Event Viewer, expand Windows Logs in the folder tree, right-click the log you want to clear (Application, Security or System) and select Clear Log. Done, although the same 1102 record appears in the Security log afterwards.
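As an added example, not code from the original article: a small detector that runs over a constructed list of Windows Security events and flags the three Windows steps above (auditing switched off with auditpol, the Security log cleared by clearlogs.exe, clearev or Event Viewer). The event IDs are real: 4719 is written when the audit policy changes, 1102 when the Security log is cleared, and 4688 on process creation (with a CommandLine field only when command-line auditing is enabled). The events, the jdoe account and the file paths are invented for the example; the wevtutil cl case is included because it is the built-in way to do what clearlogs.exe does.

```python
"""Flag Windows Security events that show the tampering steps described above.

Added example on constructed data. Event IDs 4719 (audit policy changed),
1102 (audit log cleared) and 4688 (process creation) and the EventData field
names are real; the events, user name and paths below are made up.
"""
import ntpath
import re

# Constructed sample: a logon, auditpol used to switch auditing off, the 4719
# the OS records for that change, clearlogs.exe run, and the 1102 that the
# Event Log service writes as the first record of the emptied Security log.
SAMPLE_EVENTS = [
    {"EventID": 4624, "SubjectUserName": "jdoe", "LogonType": 10},
    {"EventID": 4688, "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\auditpol.exe",
     "CommandLine": "auditpol /set /category:* /success:disable /failure:disable"},
    {"EventID": 4719, "SubjectUserName": "jdoe"},
    {"EventID": 4688, "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Users\jdoe\Downloads\clearlogs.exe",
     "CommandLine": "clearlogs.exe -sec"},
    {"EventID": 1102, "SubjectUserName": "jdoe"},
]

# Binaries worth a look whenever they run, even with a harmless command line.
LOG_TOOLS = {"auditpol.exe", "wevtutil.exe", "clearlogs.exe"}

# Command lines that go beyond "someone ran the tool". wevtutil cl is the
# built-in equivalent of clearlogs.exe; auditpol /clear wipes the whole policy.
DESTRUCTIVE_ARGS = [
    (re.compile(r"auditpol.*(/clear|/remove|/set.*disable)", re.I), "audit policy disabled or cleared"),
    (re.compile(r"wevtutil\s+(cl|clear-log)\b", re.I), "event log cleared with wevtutil"),
    (re.compile(r"clearlogs\.exe", re.I), "third-party log clearing tool run"),
]


def classify(event):
    """Return (severity, description) for one Security event, or None if it is uninteresting."""
    eid = event["EventID"]
    user = event.get("SubjectUserName", "?")
    if eid == 1102:
        return ("high", f"Security log cleared by {user} (1102)")
    if eid == 4719:
        return ("high", f"system audit policy changed by {user} (4719)")
    if eid == 4688:
        exe = ntpath.basename(event.get("NewProcessName", "")).lower()
        cmd = event.get("CommandLine", "")  # empty unless command-line auditing is on
        for pattern, what in DESTRUCTIVE_ARGS:
            if pattern.search(cmd):
                return ("high", f"{what}: {cmd} ({user}, 4688)")
        if exe in LOG_TOOLS:
            return ("medium", f"{exe} run by {user}: {cmd or 'no command line logged'} (4688)")
    return None


def find_tampering(events):
    """Apply classify() to every event and return the findings in log order."""
    return [hit for hit in (classify(ev) for ev in events) if hit]


if __name__ == "__main__":
    for severity, text in find_tampering(SAMPLE_EVENTS):
        print(f"[{severity}] {text}")
```

Run against the sample, all four tampering steps are reported as high-severity findings while the ordinary logon is ignored. The point for a defender is that each of these records only helps if it has already left the host: the 4688 for clearlogs.exe sits in the very Security log that clearlogs.exe is about to empty.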
Linux systems have their own log clearing process. A common tool is shred, which overwrites a file in place and can then delete it. To overwrite and remove the authentication log (on Debian-style systems it lives at /var/log/auth.log, so run this from /var/log), use the following bash command:
shred -vfzu auth.log
The flags report progress (-v), force write permission if needed (-f), finish with a pass of zeros to hide the fact that shredding took place (-z) and remove the file afterwards (-u). Two caveats: shred's own documentation warns that overwriting is not reliable on journaled, copy-on-write or snapshotting filesystems, and rsyslog keeps the unlinked inode open and continues writing to it until it is restarted, so the data may still be recoverable and a missing auth.log is itself a loud indicator. The systemd journal is a separate binary store and is untouched by this.
- Editing logs
Knowing is half the battle, and knowing where the logs are on the target system is essential for any hacker.
Since an ethical hacker works on behalf of the organization, they already know the locations; an outside attacker has to find them, which costs time and increases the chance of detection. Plain-text logs such as syslog files can be edited with any text editor, as easily as a document, so the individual lines that mention the intrusion can be removed without the obvious gap that a cleared log leaves. Windows .evtx files and the systemd journal are binary formats that a text editor cannot safely edit.
- Clearing command history
The thing with bash is that it keeps a history of the commands entered in interactive sessions, so unless it is cleared, the administrator will see that the shred command above was typed. The history is held in memory during the session and written to ~/.bash_history when the shell exits, which is why emptying the file alone is not enough: the current session's commands are written afterwards unless the in-memory list is also cleared or HISTFILE is unset before exiting. An empty or unusually short history file for an active account is itself a signal worth checking.
Log manipulation is routine for attackers, because they will always want to hide their tracks from the prying eyes of an organization's administrators. It is important for an organization to understand how attackers actually operate: if a breach occurs, manipulating the logs will be among their first actions on the host.
Organizations should therefore forward logs off the host as close to real time as possible, preferably to a SIEM, so that a copy exists that the attacker's access to the compromised host cannot reach. The 1102 and 4719 events above then arrive at the collector even when the local log is wiped, and a host's own log file can be compared against the central copy to see exactly what was removed.
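The Linux steps (shredding auth.log, editing it, and the bash history) and the central-copy advice just above, as an added example that is not part of the original article. It compares the host's auth.log with the copy a collector received, looks for silent stretches in the host's copy, and inspects ~/.bash_history. Every log line, the web01 host, the deploy account and the 203.0.113.5 address are constructed; only the syslog line format is real. The assumption is that the host forwards auth.log line by line, so the collector's copy is the reference.

```python
"""Indicators that a Linux log or shell history was shredded, truncated or edited.

Added example on constructed data: the log lines, host name, user and the
203.0.113.5 address are invented; the syslog line format is the standard one.
"""
import re
from datetime import datetime, timedelta

# Traditional syslog prefix: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}:\d{2}:\d{2}) ")

# Constructed: what the central collector received from the host over one morning.
CENTRAL_AUTH_LOG = [
    "Jun 14 09:58:12 web01 sshd[2110]: Accepted publickey for deploy from 10.0.0.7 port 51022 ssh2",
    "Jun 14 09:58:12 web01 sshd[2110]: pam_unix(sshd:session): session opened for user deploy by (uid=0)",
    "Jun 14 10:21:40 web01 sshd[2287]: Accepted password for deploy from 203.0.113.5 port 40213 ssh2",
    "Jun 14 10:21:40 web01 sshd[2287]: pam_unix(sshd:session): session opened for user deploy by (uid=0)",
    "Jun 14 11:15:01 web01 CRON[2503]: pam_unix(cron:session): session opened for user root by (uid=0)",
    "Jun 14 11:15:01 web01 CRON[2503]: pam_unix(cron:session): session closed for user root",
]
# Constructed: the host's own auth.log after someone edited out the two lines about their login.
LOCAL_AUTH_LOG = CENTRAL_AUTH_LOG[:2] + CENTRAL_AUTH_LOG[4:]

# Constructed ~/.bash_history of the account used: the rotated log was shredded, the history was not.
SAMPLE_HISTORY = "cd /var/log\nsudo vi auth.log\nsudo shred -vfzu auth.log.1\nexit\n"

# Commands that only exist to destroy evidence; finding one in history is itself a finding.
ANTI_FORENSIC = re.compile(r"(?:^|\s)(?:shred\s|history -c|unset HISTFILE|HISTFILE=|HISTSIZE=0)")


def parse_ts(line, year=2023):
    """Timestamp of a syslog line as a datetime (syslog omits the year, so one is supplied), or None."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m.group(1)} {m.group(2)} {m.group(3)}", "%Y %b %d %H:%M:%S")


def find_gaps(lines, max_gap=timedelta(hours=1)):
    """Consecutive entries further apart than max_gap; on a host that logs steadily, that is where lines went missing."""
    gaps, prev_ts, prev_line = [], None, None
    for line in lines:
        ts = parse_ts(line)
        if ts is None:
            continue
        if prev_ts is not None and ts - prev_ts > max_gap:
            gaps.append((prev_line, line, ts - prev_ts))
        prev_ts, prev_line = ts, line
    return gaps


def missing_locally(central_lines, local_lines):
    """Lines the collector holds that the host's file no longer does: shredding, truncation and editing all show here."""
    local = set(local_lines)
    return [line for line in central_lines if line not in local]


def history_findings(history_text):
    """Signals in a ~/.bash_history: an empty file, or anti-forensic commands left behind."""
    lines = [l for l in history_text.splitlines() if l.strip()]
    findings = []
    if not lines:
        findings.append("history file is empty")
    findings.extend(f"anti-forensic command left in history: {l}" for l in lines if ANTI_FORENSIC.search(l))
    return findings


if __name__ == "__main__":
    for prev, nxt, delta in find_gaps(LOCAL_AUTH_LOG):
        print(f"gap of {delta} between:\n  {prev}\n  {nxt}")
    for line in missing_locally(CENTRAL_AUTH_LOG, LOCAL_AUTH_LOG):
        print(f"missing from host copy: {line}")
    for finding in history_findings(SAMPLE_HISTORY):
        print(finding)
```

The gap check is the weak signal (a quiet host has gaps too; the collector's copy of the same morning has none over an hour only because this sample is short), the line-by-line comparison against the collector is the strong one, and it is only possible because the lines left the host before they were edited out. The history check catches exactly the mistake the previous section describes: shred was run, the shell history was not dealt with.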
- How to Cover Your Tracks & Leave No Trace Behind on the Target System, WonderHowTo
- Covering Your Tracks and Erasing Evidence, CEH: Certified Ethical Hacker
- 1102(S): The audit log was cleared., Microsoft
- How to effectively clear your bash history, TechRepublic
- How To Clear Tracks & Logs On Linux, Hackersploit