Moonwalk - Cover Your Tracks During Linux Exploitation By Leaving Zero Traces On System Logs And Filesystem Timestamps
Cover your tracks during Linux Exploitation / Penetration Testing by leaving zero traces on system logs and filesystem timestamps.
Introduction
moonwalk is a 400 KB single-binary executable that can clear your traces while penetration testing a Unix machine. It saves the state of system logs pre-exploitation and reverts that state, including the filesystem timestamps, post-exploitation, leaving zero traces of a ghost in the shell.
Features
- Small Executable: Get started quickly with a `curl` fetch to your target machine.
- Fast: Performs all session commands including logging, trace clearing, and filesystem operations in under 5 milliseconds.
- Reconnaissance: To save the state of system logs, `moonwalk` finds a world-writable path and saves the session under a dot directory which is removed upon ending the session.
- Shell History: Instead of clearing the whole history file, `moonwalk` reverts it back to how it was, including the invocation of `moonwalk`.
- Filesystem Timestamps: Hide from the Blue Team by reverting the access/modify timestamps of files back to how they were using the `GET` command.
Installation
$ curl -L https://github.com/mufeedvh/moonwalk/releases/download/v1.0.0/moonwalk_linux -o moonwalk
(AMD x86-64)
OR
Download the executable from Releases OR install with cargo:
$ cargo install --git https://github.com/mufeedvh/moonwalk.git
Build From Source
Prerequisites:
- Git
- Rust
- Cargo (Automatically installed when installing Rust)
- A C linker (Only for Linux, generally comes pre-installed)
$ git clone https://github.com/mufeedvh/moonwalk.git
$ cd moonwalk/
$ cargo build --release
The first command clones this repository onto your local machine, and the last two commands enter the directory and build the source in release mode.
Usage
Once you get a shell into the target Unix machine, start a moonwalk session by running this command:
$ moonwalk start
While you're doing recon/exploitation and messing with any files, get the `touch` timestamp command of a file beforehand to revert it back after you've accessed/modified it:
$ moonwalk get ~/.bash_history
Post-exploitation, clear your traces and close the session with this command:
$ moonwalk finish
That's it!
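The two session artifacts described above, the hidden session directory under a world-writable path and the `touch`-based timestamp revert, both leave something a defender can look for. `touch`/`utimes` can set atime and mtime to any value, but the kernel updates ctime on every such call and offers no user-space way to set it, so a file whose mtime is far older than its ctime was touched after the time it claims to have been modified. The following is an added defender-side triage script, not part of moonwalk or this page; the 60-second gap threshold, the fixture it builds under a temporary directory, and the file and directory names are constructed for the demonstration.

```python
import os
import stat
import tempfile
import time

# Assumed threshold: mtime older than ctime by more than this is worth a look.
TIMESTOMP_GAP_SECONDS = 60


def timestomp_candidates(root, gap=TIMESTOMP_GAP_SECONDS):
    """Return files under root whose mtime is more than `gap` seconds older than ctime.

    chmod/chown, tar extraction and package managers produce the same pattern
    legitimately, so treat the result as a triage list, not a verdict.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the scan
            if st.st_ctime - st.st_mtime > gap:
                hits.append(path)
    return sorted(hits)


def hidden_dirs_in_world_writable(root):
    """Return dot-directories sitting directly inside world-writable directories."""
    hits = []
    for dirpath, dirs, _files in os.walk(root):
        try:
            mode = os.lstat(dirpath).st_mode
        except OSError:
            continue
        if not mode & stat.S_IWOTH:
            continue
        for d in dirs:
            if d.startswith("."):
                hits.append(os.path.join(dirpath, d))
    return sorted(hits)


def demo():
    """Constructed fixture: a world-writable dir holding a hidden session dir,
    one untouched log and one log whose timestamps were rolled back a year.
    Returns (root, timestomped_file, hidden_dir)."""
    root = tempfile.mkdtemp()
    scratch = os.path.join(root, "scratch")
    os.mkdir(scratch)
    os.chmod(scratch, 0o1777)  # world-writable with sticky bit, like /tmp
    hidden = os.path.join(scratch, ".session")
    os.mkdir(hidden)
    with open(os.path.join(scratch, "normal.log"), "w") as f:
        f.write("never touched after writing\n")
    stomped = os.path.join(scratch, "stomped.log")
    with open(stomped, "w") as f:
        f.write("edited, then atime/mtime rolled back\n")
    year_ago = time.time() - 365 * 86400
    os.utime(stomped, (year_ago, year_ago))  # atime and mtime move; ctime stays "now"
    return root, stomped, hidden


if __name__ == "__main__":
    root, stomped, hidden = demo()
    print("timestomp candidates:", timestomp_candidates(root))
    print("hidden dirs in world-writable dirs:", hidden_dirs_in_world_writable(root))
```

Run against a real system, `timestomp_candidates("/")` and `hidden_dirs_in_world_writable("/tmp")` are the interesting calls; pair the ctime check with an external record (auditd, a file-integrity baseline, or remote syslog), since a log-only or history-only view is exactly what a session like the one described above is designed to leave clean.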
Contribution
Ways to contribute:
- Suggest a feature
- Report a bug
- Fix something and open a pull request
- Help me document the code
- Spread the word
- Find something I missed which leaves any trace!
License
Licensed under the MIT License, see LICENSE for more information.