Hiding the traces.

    • #4443
      twister
      Participant

      Are there any techniques like deletion of logs and connection through a chain of proxies used while performing a penetration test, or is it not necessary in those situations to hide traces? The question arose because I've never seen anything about hiding traces in ethical hacking and penetration testing books and tutorials. I also failed to find any pre-installed software for that purpose in the Back|Track distribution.

    • #27943
      unsupported
      Participant

      I am not a pen tester, I only play one online.

      There are techniques to delete logs and connect through a chain of proxies.  Deleting logs usually leaves logs behind saying they were deleted, but there are other methods and tools available.  I do not know them off the top of my head.  For proxies, you can set up netcat relays or Tor.

      However, in a penetration test, I would not really see a reason to perform these steps.  If you are doing an authorized penetration test you would want to leave the traces to show how to identify and clean up.  If you are in a situation where you are testing an incident response team's effectiveness, then why bother hiding your tracks?
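The netcat-style relay chain unsupported mentions, as an added example that is not part of the original thread: each relay accepts a connection, opens its own connection to the next hop and pumps bytes both ways, so the final target only ever sees the address of the last relay. Everything here is constructed for the demo: the "target" is a loopback echo server standing in for the host under test, the relays bind to ephemeral loopback ports, and the half-close propagation is this example's own design choice (plain `nc -l -p PORT | nc TARGET PORT` relays drop the connection instead). Nothing of Tor's onion routing is modelled.

```python
import socket
import threading


def pipe(src, dst):
    """Copy bytes src -> dst until src hits EOF, then pass the half-close on to dst
    so the end-of-stream ripples down the chain instead of tearing it down."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    try:
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass


def listen_loop(handler, stop):
    """Bind an ephemeral loopback port and hand every accepted connection to handler
    until the stop event is set. Returns the (host, port) being listened on."""
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(5)
    lsock.settimeout(0.2)  # wake periodically to check the stop flag

    def loop():
        while not stop.is_set():
            try:
                conn, peer = lsock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            conn.settimeout(None)
            handler(conn, peer)
        lsock.close()

    threading.Thread(target=loop, daemon=True).start()
    return lsock.getsockname()


def start_relay(next_hop, stop):
    """One hop: every client gets a fresh upstream connection to next_hop and two pump
    threads. The upstream side sees this relay's address, not the client's."""
    def handle(client, _peer):
        try:
            upstream = socket.create_connection(next_hop)
        except OSError:
            client.close()
            return
        threading.Thread(target=pipe, args=(client, upstream), daemon=True).start()
        threading.Thread(target=pipe, args=(upstream, client), daemon=True).start()
    return listen_loop(handle, stop)


def start_target(stop):
    """Stand-in for the target host: echoes what it gets and records each peer address,
    which is exactly what the target's own connection logs would show."""
    seen = []

    def handle(conn, peer):
        seen.append(peer)
        threading.Thread(target=pipe, args=(conn, conn), daemon=True).start()
    return listen_loop(handle, stop), seen


def talk_through_chain(payload, hops=2):
    """Put `hops` relays in front of a target, send payload through the chain and read
    the echo back. Returns (reply, peers the target saw, the client's own address)."""
    stop = threading.Event()
    target, seen = start_target(stop)
    entry = target
    for _ in range(hops):
        entry = start_relay(entry, stop)  # each new relay forwards to the previous hop
    with socket.create_connection(entry) as c:
        client_addr = c.getsockname()
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)  # EOF travels down the chain and comes back as EOF
        chunks = []
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    stop.set()
    return b"".join(chunks), list(seen), client_addr


if __name__ == "__main__":
    reply, seen, me = talk_through_chain(b"GET / HTTP/1.0\r\n\r\n", hops=2)
    print("client was", me, "- target logged", seen, "- reply", reply)
```

On loopback every address is 127.0.0.1, so the point only shows in the port: the target records the last relay's outbound socket, not the client's. On a real engagement each hop would be a separate host, and each hop's own logs still record the previous hop, which is why a relay chain shifts the trace rather than removing it.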

    • #27944
      twister
      Participant

      @unsupported wrote:

      However, in a penetration test, I would not really see a reason to perform these steps.  If you are doing an authorized penetration test you would want to leave the traces to show how to identify and clean up.  If you are in a situation where you are testing an incident response team's effectiveness, then why bother hiding your tracks?

      That's basically what I wanted to know! Thanks a lot for the answer  🙂

    • #27945
      h0les
      Participant

      One situation in which a pentester may use proxies is to perform testing that may trip IDS/IPS alerts that may otherwise cause their network range to become blocked on the target network; this in turn may hinder testing.

      As far as log files go, I would have thought that if one was performing a pentest over a number of days, deleting the specific log entries may allow you to have a foothold on the target network for a longer period of time, allowing you to penetrate the target systems further than if the incident response team sees the logs, figures out what you have done and then kills your access, at which point you have to try and penetrate the network another way.

      Just my 2 pence.

    • #27946
      Ketchup
      Participant

      I second what unsupported said.  I don’t see many reasons to go through log scrubbing during a pen test.  I am not sure what benefit that is for your client.  Some may disagree of course. 

      Also, deleting logs doesn’t really cover your tracks.  For example, on a Windows machine, the amount of forensic registry and file system artifacts you would have to cover is insane.  If you scrub the event log, you still have registry MRUs, prefetch files, etc. 
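The point unsupported and Ketchup both make, that wiping a log leaves its own trace, as an added example that is not part of the original thread: a small audit pass over a constructed, simplified dump of a Windows Security log as forwarded to a central collector. Only the event IDs are real (4624 logon, 4688 process creation, 1102 "The audit log was cleared", 104 written to the System log when an event log is cleared); the record numbers, times, users and hosts are made up for the demo, and the CSV layout is this example's own, not any Windows export format.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime

# Constructed sample, not real data: one event per line as received by a collector.
SAMPLE_LOG = """\
RecordNumber,EventID,TimeCreated,Summary
1001,4624,2012-03-01T09:00:01,Logon: user bob from 10.0.0.5
1002,4688,2012-03-01T09:00:05,Process created: cmd.exe by bob
1003,4688,2012-03-01T09:00:09,Process created: psexec.exe by bob
1007,4624,2012-03-01T09:15:30,Logon: user bob from 10.0.0.5
1008,1102,2012-03-01T09:16:02,The audit log was cleared by bob
1009,4624,2012-03-01T09:16:40,Logon: user alice from 10.0.0.7
"""

# Event IDs that record that a log was cleared: 1102 (Security log) and 104 (System log
# entry written when an event log is cleared). Wiping the log produces one of these.
LOG_CLEARED_IDS = {1102, 104}


@dataclass
class Event:
    record: int
    event_id: int
    time: datetime
    summary: str


def parse_events(text):
    """Parse the constructed CSV layout above into Event objects."""
    reader = csv.DictReader(io.StringIO(text))
    return [
        Event(int(r["RecordNumber"]), int(r["EventID"]),
              datetime.fromisoformat(r["TimeCreated"]), r["Summary"])
        for r in reader
    ]


def log_clear_events(events):
    """The events that themselves say 'the log was cleared'."""
    return [e for e in events if e.event_id in LOG_CLEARED_IDS]


def record_gaps(events):
    """Consecutive events whose record numbers jump by more than one. Record numbers
    increase by one per event, so a jump means records are missing in between."""
    ordered = sorted(events, key=lambda e: e.record)
    return [(a.record, b.record) for a, b in zip(ordered, ordered[1:])
            if b.record - a.record > 1]


def audit(text):
    """Summarise what a defender would flag in the dump."""
    events = parse_events(text)
    return {
        "events": len(events),
        "cleared": [(e.record, e.time.isoformat(), e.summary)
                    for e in log_clear_events(events)],
        "gaps": record_gaps(events),
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(audit(SAMPLE_LOG))
```

On the sample this flags record 1008 (the clear itself) and the jump from 1003 to 1007. A gap at a collector can also be forwarding lag, so it is a prompt to look, not proof of tampering; and none of this touches the host-side artifacts Ketchup lists (registry MRUs, prefetch files), which survive independently of the event log.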

    • #27947
      twister
      Participant

      It all makes sense, thanks for your answers!  8)

    • #27948
      timmedin
      Participant

      It depends on the goal of the penetration test. Most of the time the goal is to 1) see how deep a network can be penetrated and/or 2) find as many issues as possible. The typical penetration test has morphed a bit and typically includes a vulnerability assessment.

      If a portion of the goal is to test your incident response team and your forensics guys, then including "covering your tracks" in the scope would be a good idea. Always remember that this should be included in the scope (and billable time) and your "get out of jail free card." The last thing you would want to do is dump the logs for a bunch of systems when you don't have permission to do so.

    • #27949
      UNIX
      Participant

      I too would say that there is rarely a need to cover one's tracks in an authorized penetration test. This may also be the reason why someone won't find much information on this subject in those books. Of course there are exceptions, but I think most of the time there is no need for it.


Copyright ©2020 Caendra, Inc.
