Hiding digital footprints is the final stage of penetration testing. Ethical hackers cover their tracks to maintain their connection to the system and to avoid detection by incident response or forensics teams. This article focuses on four main ways an ethical hacker can evade detection during an ethical hack.
1. Using Reverse HTTP Shells
A shell is a program that executes user commands on a device such as a server or mobile device. The ethical hacker installs a reverse HTTP shell on the victim computer and uses it to send communications to the network's server. The reverse shell is designed so that the target device always returns commands. This is possible because port 80 is always open, and these commands are therefore not flagged by the network's perimeter security devices such as firewalls. Firewalls read them as benign HTTP traffic on the network and therefore allow the communication between the devices. The hacker can now obtain any information from the server undetected, leaving no footprint behind, since all they did was send HTTP commands.
2. Using ICMP Tunnels
The Internet Control Message Protocol (ICMP) is used by network devices to test connectivity. Unlike TCP or UDP, which are used to transfer data, ICMP only transfers echo requests. Ethical hackers encapsulate TCP payloads inside these echo requests and forward them to a proxy server. The proxy server then decapsulates the request, extracts the payload and sends it on to the hacker. The network's security devices read this communication as a simple ICMP packet exchange, which helps the hacker cover their tracks.
3. Clearing Event Logs
Another way in which ethical hackers hide their tracks during ethical hacking is by clearing event logs on a Windows machine. Event logs can be cleared in different ways; one of them is by using Metasploit's Meterpreter. First, the hacker must exploit a host on the network using Metasploit. After a successful exploit, the ethical hacker opens the Meterpreter command prompt and runs the script "clearev", which clears all the event logs on the Windows machine. Event logs can also be cleared using the clearlog.exe file. The hacker installs the program on the system or uploads it using TFTP and uses it to delete logs. After deleting the event logs, the hacker removes the clearlog.exe file from the system, since its mere presence could raise suspicion. Event logs on Linux systems can also be deleted using text editors such as KWrite. Logs on Linux systems are stored in the "/var/log" directory. By opening "kwrite /var/log/messages", the ethical hacker can view and delete event logs to cover their tracks.
4. Erasing or Shredding Command History
If the hacker is in a hurry and does not have time to go through all the event logs, they can cover their tracks by erasing and shredding the command history. Since a bash shell can save up to five hundred commands, ethical hackers delete their bash history by resetting its size to zero. This is done with the command "export HISTSIZE=0". The history file can also be shredded with the command "shred -zu /root/.bash_history".
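The two techniques above (clearing Windows event logs, shredding the bash history file) leave their own traces that a defender can alert on. The following detection script is an added example, not code from the original article: it assumes a constructed log feed in key=value form, uses the Windows event IDs 1102 (Security log cleared) and 104 (System log cleared), and parses Linux auditd EXECVE records for destructive commands aimed at history or log files.

```python
import re

# Constructed sample records (not from the article): three Windows event-log
# entries in key=value form and two Linux auditd EXECVE entries.
SAMPLE_LOGS = [
    'ts=2024-05-01T10:02:13Z host=WS01 channel=Security event_id=4624 user=alice',
    'ts=2024-05-01T10:05:41Z host=WS01 channel=Security event_id=1102 user=alice',
    'ts=2024-05-01T10:05:42Z host=WS01 channel=System event_id=104 user=alice',
    'type=EXECVE msg=audit(1714557950.123:311): argc=2 a0="ls" a1="/var/log"',
    'type=EXECVE msg=audit(1714557961.456:312): argc=3 a0="shred" a1="-zu" a2="/root/.bash_history"',
]

# Windows writes event 1102 when the Security log is cleared and event 104
# when the System (or another) log is cleared; these records survive the wipe.
LOG_CLEARED_EVENT_IDS = {"1102", "104"}
# Commands that destroy or truncate files, flagged only against sensitive paths.
DESTRUCTIVE_CMDS = {"shred", "rm", "truncate", "unlink"}
SENSITIVE_PATH = re.compile(r"(\.bash_history$|^/var/log/)")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Parse key=value pairs (quoted or bare) into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def detect_track_covering(lines):
    """Return (line_number, reason) for records indicating log or history
    tampering. Caveat: `export HISTSIZE=0` is a shell builtin and never
    appears in execve auditing; catch it with file-integrity monitoring of
    shell profile files instead."""
    findings = []
    for n, line in enumerate(lines, 1):
        kv = parse_kv(line)
        if kv.get("event_id") in LOG_CLEARED_EVENT_IDS:
            findings.append((n, f"event {kv['event_id']}: log cleared on "
                                f"{kv.get('host')} by {kv.get('user')}"))
        elif kv.get("type") == "EXECVE":
            argv = [kv.get(f"a{i}", "") for i in range(int(kv.get("argc", 0)))]
            if argv and argv[0] in DESTRUCTIVE_CMDS and \
                    any(SENSITIVE_PATH.search(a) for a in argv[1:]):
                findings.append((n, f"{argv[0]} run against {' '.join(argv[1:])}"))
    return findings


if __name__ == "__main__":
    for n, reason in detect_track_covering(SAMPLE_LOGS):
        print(f"line {n}: {reason}")
```

In a real deployment the same rules would run over a Windows event forwarder and auditd output rather than the constructed list, and a cleared-log event should always be correlated with the session that preceded it.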
How to Become an Ethical Hacker
Becoming a Certified Ethical Hacker (CEH) is certainly nothing to take lightly. This course will immerse you in the hacker mindset so that you will be able to defend against future attacks. Upon completion of the Certified Ethical Hacker training, you will have scanned, tested, hacked, and secured your own networks and systems. With this knowledge, you can bring peace of mind to an organization, knowing its network is more secure against today's biggest and toughest cybercriminals.