Chapter 17

Notice above that we are still not at root. A local privilege exploit will further compromise the system and give full root access. We won’t tell you the answer here; use what you’ve learned in this book to gain root privileges successfully on the Metasploitable system. One hint is that you can find the exploit at Exploits Database (http://www.exploit-db.com/). Try getting a root Linux/Meterpreter shell on the system on your own.

Covering Your Tracks

Having completed our attacks, our next step is to return to each exploited system to erase our tracks and clean up any mess we’ve left behind. Remnants of a Meterpreter shell or some other pieces of malware should be removed to avoid exposing the system further. For example, when we used the PUT command to compromise the Apache Tomcat instance, an attacker could use the exploit code left behind to compromise the system.

Sometimes, you will need to cover your tracks—for example, when testing the forensics analysis of a compromised system or an incident response program. In such cases, your goal is to thwart any forensics analysis or IDS. It’s often difficult to hide all your tracks, but you should be able to manipulate the system to confuse the examiner and make it almost impossible to identify the extent of the attack.

In most cases, when forensics analysis is performed, if you can mangle the system so that it renders the majority of the examiner’s work almost unreadable and inconclusive, he will most likely identify the system as having been infected or compromised and might not understand how much information you were able to extract from the system. The best way to thwart forensic analysis is to wipe the system completely and rebuild it, removing all traces, but this is rare during a penetration test.

One benefit discussed in a number of chapters is the ability for Meterpreter to reside purely in memory. Often, you’ll find it challenging to detect and react to Meterpreter in memory space. Although research often suggests ways to detect a Meterpreter payload, the Metasploit crew typically responds with a new way to hide Meterpreter.

This is the same cat-and-mouse game that antivirus software vendors play with new releases of Meterpreter. When a new encoder or method for obfuscating a payload is released, vendors can take several months to detect the issues and update their product signatures to catch them. In most cases, it’s relatively difficult for most forensics analysts to identify a purely memory-resident attack vector from Metasploit.
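One defender-side check that the memory-resident behaviour described above leaves open, written as an added example for this section (it is not code from the book or from the Metasploit project): on Linux, a payload that runs purely from memory has to live in an executable mapping that is not backed by any file, so walking /proc/<pid>/maps for executable anonymous regions gives a triage list. The sample maps text below is constructed, and the `scan_proc` helper name is this example's own.

```python
import re
from pathlib import Path

# Constructed sample of /proc/<pid>/maps lines (not captured from a real host).
# Columns: address range, perms, offset, device, inode, pathname (optional).
SAMPLE_MAPS = """\
55d4c3a00000-55d4c3a21000 r-xp 00000000 08:01 1311       /usr/sbin/sshd
7f1a2c000000-7f1a2c021000 rw-p 00000000 00:00 0
7f1a2c200000-7f1a2c2a0000 rwxp 00000000 00:00 0
7f1a2c300000-7f1a2c302000 r-xp 00000000 00:00 0          [vdso]
7ffd1e400000-7ffd1e421000 rw-p 00000000 00:00 0          [stack]
"""

MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) \S+ \S+ (\d+)\s*(.*)$")

# Kernel-provided executable regions that are anonymous by design.
KERNEL_REGIONS = {"[vdso]", "[vsyscall]"}


def suspicious_regions(maps_text):
    """Return (start, end, perms, name) for executable mappings not backed by a file.

    Inode 0 means no backing file; the kernel's own vdso/vsyscall pages are
    excluded. Anything left is either a JIT (expected for some runtimes) or
    code that was written into memory at runtime, which is what an in-memory
    Meterpreter stage looks like from the outside.
    """
    hits = []
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line)
        if not m:
            continue
        start, end, perms, inode, name = m.groups()
        if "x" not in perms or inode != "0" or name in KERNEL_REGIONS:
            continue
        hits.append((int(start, 16), int(end, 16), perms, name or "<anonymous>"))
    return hits


def scan_proc(proc="/proc"):
    """Walk every readable /proc/<pid>/maps and return {pid: [regions]} for hits."""
    findings = {}
    for pid_dir in Path(proc).iterdir():
        if not pid_dir.name.isdigit():
            continue
        try:
            regions = suspicious_regions((pid_dir / "maps").read_text())
        except (PermissionError, FileNotFoundError):
            continue  # process exited or is not ours to read
        if regions:
            findings[int(pid_dir.name)] = regions
    return findings
```

Treat a hit as a reason to dump and inspect the region (for example with gcore or a memory forensics tool), not as proof of compromise: browsers, JVMs and other JIT runtimes create such mappings legitimately, so baseline which processes normally show them.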

We won’t offer in-depth information about covering your tracks, but a couple of Metasploit features are worth mentioning: timestomp and event_manager.

Timestomp is a Meterpreter plug-in that allows you to modify, erase, or set certain attributes on files. Let’s run timestomp first:

meterpreter > timestomp
Usage: timestomp file_path OPTIONS