mufeedvh / moonwalk

Cover your tracks during Linux Exploitation by leaving zero traces on system logs and filesystem timestamps.
MIT License
1.36k stars, 123 forks

Does not clear tracks with bash debug traps #4

Open ariary opened 2 years ago

ariary commented 2 years ago

moonwalk does not seem to clear tracks when it is used in a bash session which contains a trap with DEBUG mode

Steps to reproduce

Put the command logger in ~/.bashrc:

#!/bin/sh
# Log every command the interactive shell is about to run. DEBUG traps and
# BASH_COMMAND are bash features, so this only works when sourced by bash.
debug_poc() {
  echo "$USER($UID:$GROUPS) ran $BASH_COMMAND" >> /tmp/commands.log
}
# Run debug_poc before each simple command.
trap debug_poc DEBUG

And try moonwalk in a bash session:

$ sudo moonwalk start
$ echo "in mw"
$ sudo moonwalk finish

Now let's see if our tracks were cleared:

$ cat /tmp/commands.log
kali(1000:1000) ran sudo moonwalk start
kali(1000:1000) ran echo "in mw"
kali(1000:1000) ran sudo moonwalk finish
mufeedvh commented 2 years ago

This is an interesting case. Is this the same behaviour when moonwalk is invoked without sudo? I would guess so, because it handles modified files and doesn't track redirection or non-listed files.

On a cursory glance, the only way to prevent this is to make moonwalk its own shell runtime (actively monitoring system events just like trap does). Also, I've never seen bash debug traps implemented as a security feature / alternative logging approach. Is it something you've seen commonly implemented? Please let me know; if it is, moonwalk gotta ship as a shell runtime for the next release!

Thanks! :raised_hands:

ariary commented 2 years ago

In fact, to counter this logging trick, just exec trap with no argument => it will clear all trap listeners.

I don't really know if it is used in real system. But I think it could be interesting for moonwalk to have the widest arsenal possible.

There are several logging "tricks" like this which could be easily detected and avoided (see). For the most common/real ones, moonwalk could help to avoid them.

ariary commented 2 years ago

Another point, for stealthiness

Moonwalk's aim is to hide/clear tracks after a shell session, but in the real world commands are logged and sent to a SIEM in real time. So clearing tracks is not sufficient.

As you said, having a shell runner to obfuscate the commands run is a good point. I don't know if it is exactly in the scope.

I would like to help, but I have zero knowledge in rust

Eventually, I could try to develop this idea as a sidecar (as it is simple, I think).

ariary commented 2 years ago

Eventually, I could try to develop this idea as a sidecar (as it is simple, I think).

volana is the "sidecar" that I think is a good complement for moonwalk. Don't know if it is what you had in mind.