Covering Tracks of Attacks
In this article, we will learn about the most frequent ways used by attackers to cover their tracks. This will include covering tracks in networks, Windows, Linux, etc. So let's start by seeing how tracks can be covered over networks. Please note that I will cover only ways and a little bit about how the attacker uses them, but this article is not meant to dig deep into technical aspects of each type of attack.
Covering Tracks on Network
In this section we will learn about how tracks can be covered on the network. This section has further use cases as below:
FREE role-guided training plans
-
Using Reverse Http Shells:
In this type of attack, the attacker typically installs reverse HTTP shell on the victim computer. This reverse HTTP shell is programmed to ask the commands from an external moderator who controls this reverse shell at regular intervals. This seems like a normal traffic to an organization network perimeter security device like a firewall, as port 80 is usually opened.
Once the attacker receives the request from the reverse HTTP shell, commands will be issued back that will be executed locally by the victim. This all is seen as HTTP request /response to the network devices. Once the commands get executed, results will be sent out in the next web request. These HTTP reverse shells can also be programmed to bypass any static authentication required by perimeter devices, like a firewall.
-
Using ICMP Tunnels
Because HTTP reverse shells are so famous, some organizations keep a check on what is leaving their network in response to the client's GET request. Some also check what comes as a reply to a GET request and most probably the attacker commands can be detected there. In lieu of this, some carry traffic via covert channels using ICMP packets. This is usually successful because organizations block only incoming ICMP packets and forgot about outgoing ICMP packets. Because of this configuration, an attacker uses ICMP packets to transfer TCP payloads.
First the attacker configures the local client to connect with the victim client. The victim in turn encapsulates the TCP payload in an ICMP ECHO packet and forwards it to the proxy server. The proxy server in turn de-encapsulates the packet and extracts the TCP payload and send to attacker. To the network devices, it seems like a simple ICMP packet.
-
Various tools are available to do this. Some of them are given below:
- Ptunnel
- Loki
- ICMPShell
- PingChat
- ICMPCmd
Using TCP Parameters
How about distributing the attacker's payload via the normal TCP packet instead of the encapsulating protocol? This method is well known and even today can be used to bypass IDS/IPS. The attacker can distribute the payload via the unset parameters of the TCP packet. Some of the interesting fields in TCP packet that can be used to transfer the content are:
-
Client generates a TCP SYN packet with a spoofed source address of the receiving server and destination address of the bounce server. Let's say the initial sequence number is ISNA, which holds the character to be transmitted.
Covering Tracks on OS
-
Windows
Hiding Files in NTFS
A file on an NTFS partition acts a drawer with various shelves, with name of the file as the name of the shelf. There can be any number of data streams associated with a data stream. It should be noted that file streaming applies on the NTFS and not in AT. An attacker can use this property of streaming to hide their files behind normal files on the system. For this we can normally use:
What should you learn next?
From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.-
Windows "type" command, which it has following syntax:
- type file_to_hide > normal_file:stream1
-
To view the stream use "more" with the syntax below:
- more < path to stream (for this you need to know the name of the stream)
-
-
Unix
- Files can be hidden in UNIX by appending a dot(.) in front of them. Each directory in nix contains at least two directories, which are the current directory(.) and parent directory(..). The attacker gives their files similar names like ".. " (there is a space after the dots). Usually files are hidden in /dev, /tmp, /etc .
- Sometimes the attacker edits the log files to cover their tracks. However, sometimes the attacker leave their trail that they edited the log file behind because, when the file is being opened to be edited, the shell will be placed to record that someone edited it. This will keep on happening. Smart attackers overcome this problem by using "kill" to kill the shell and setting the variable HISTSIZE to zero.
That covers the basics of it. In this article, we have seen how nefarious tracks can be covered on the network and OS.
- 12 pre-built training plans
- Employer-requested skills
- Personalized, hands-on training
In this Series
- Covering Tracks of Attacks
- How to become a hacker? Step-by-step guide to do it right
- The rise of ethical hacking: Protecting businesses in 2024
- How to crack a password: Demo and video walkthrough
- Inside Equifax's massive breach: Demo of the exploit
- Wi-Fi password hack: WPA and WPA2 examples and video walkthrough
- How to hack mobile communications via Unisoc baseband vulnerability
- Top tools for password-spraying attacks in active directory networks
- NPK: Free tool to crack password hashes with AWS
- Tutorial: How to exfiltrate or execute files in compromised machines with DNS
- Top 19 tools for hardware hacking with Kali Linux
- 20 popular wireless hacking tools [updated 2021]
- 13 popular wireless hacking tools [updated 2021]
- Man-in-the-middle attack: Real-life example and video walkthrough
- Decrypting SSL/TLS traffic with Wireshark [updated 2021]
- Dumping a complete database using SQL injection [updated 2021]
- Hacking clients with WPAD (web proxy auto-discovery) protocol [updated 2021]
- Hacking communities in the deep web [updated 2021]
- How to hack Android devices using the StageFright vulnerability [updated 2021]
- Hashcat tutorial for beginners [updated 2021]
- How to hack a phone charger
- What is a side-channel attack?
- Copy-paste compromises
- Hacking Microsoft teams vulnerabilities: A step-by-step guide
- PDF file format: Basic structure [updated 2020]
- 10 most popular password cracking tools [updated 2020]
- Popular tools for brute-force attacks [updated for 2020]
- How quickly can hackers find exposed data online? Faster than you think …
- Hacking the Tor network: Follow up [updated 2020]
- Ethical hacking: TCP/IP for hackers
- Ethical hacking: SNMP recon
- How hackers check to see if your website is hackable
- Ethical hacking: Stealthy network recon techniques
- Ethical hacking: IoT hacking tools
- Ethical hacking: Wireless hacking with Kismet
- Ethical hacking: How to hack a web server
- Ethical hacking: Top 6 techniques for attacking two-factor authentication
- Ethical hacking: Top 10 browser extensions for hacking
- Ethical hacking: Social engineering basics
- Ethical hacking: Breaking windows passwords
- Ethical hacking: Passive information gathering with Maltego
- Ethical hacking: Log tampering 101
- Ethical hacking: Breaking cryptography (for hackers)
- Ethical hacking: Attacking routers
- Linux for ethical hackers 101
- Ethical hacking: Buffer overflow
- Top five remote access trojans
- Covering tracks — Hiding files on Windows/Linux/MacOS
- Top 10 network recon tools
- Nmap evade firewall and scripting [updated 2019]
- Hacking PDF: util.prinf() Buffer Overflow: Part 1 [Updated 2019]
Get certified and advance your career!
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, ISC2, Cisco, Microsoft and more!
