Cover your tracks during Linux Exploitation / Penetration Testing by leaving zero traces on system logs and filesystem timestamps.
moonwalk-back is a 400 KB single-binary executable that can clear your traces while penetration testing a Unix machine. It saves the state of system logs pre-exploitation and reverts that state including the filesystem timestamps post-exploitation leaving zero traces of a ghost in the shell.
- Small Executable: Get started quickly with a `curl` fetch to your target machine.
- Fast: Performs all session commands including logging, trace clearing, and filesystem operations in under 5 milliseconds.
- Reconnaissance: To save the state of system logs, `moonwalk-back` finds a world-writable path and saves the session under a dot directory which is removed upon ending the session.
- Shell History: Instead of clearing the whole history file, `moonwalk-back` reverts it back to how it was, including the invocation of `moonwalk-back`.
- Filesystem Timestamps: Hide from the Blue Team by reverting the access/modify timestamps of files back to how they were using the `GET` command.
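The timestamp feature above relies on `touch`, which can set a file's access and modify times to any value; the inode change time (ctime), however, is written by the kernel and cannot be set from user space, so a rollback leaves ctime pointing at the moment of the rollback. As an added example that is not part of moonwalk-back, here is a defender-side triage script that uses that gap to flag files whose atime/mtime look rolled back. The fixture directory, the file names and the 60-second threshold are constructed assumptions; the check is a heuristic, since chmod/chown/rename and package installs also bump ctime, so it is most useful on files that are normally only appended to (shell history, `/var/log`).

```python
# Added example, not part of moonwalk-back: a defender-side triage check for
# files whose access/modify timestamps were rolled back with touch(1)/utime(2).
#
# Assumption (POSIX semantics): utime() lets a caller set atime and mtime to
# any value, but the inode change time (ctime) is set by the kernel and cannot
# be chosen from user space, so rolling atime/mtime back leaves ctime at the
# moment of the rollback. A file whose ctime is well ahead of both atime and
# mtime is therefore worth a second look. This is a heuristic, not proof:
# chmod/chown/rename and package installs also bump ctime.
import os
import stat
import tempfile
import time
from dataclasses import dataclass


@dataclass
class Finding:
    path: str
    mtime: float
    ctime: float
    gap_seconds: float


def looks_rolled_back(st: os.stat_result, min_gap: float) -> bool:
    """True when ctime is newer than both atime and mtime by at least min_gap seconds."""
    return (st.st_ctime - max(st.st_atime, st.st_mtime)) >= min_gap


def scan(root: str, min_gap: float = 60.0) -> list[Finding]:
    """Walk root and report regular files whose timestamps look rolled back."""
    findings: list[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # unreadable or vanished file; skip it
            if not stat.S_ISREG(st.st_mode):
                continue
            if looks_rolled_back(st, min_gap):
                findings.append(Finding(path, st.st_mtime, st.st_ctime,
                                        st.st_ctime - st.st_mtime))
    # Largest gap first: the most suspicious files come out on top.
    return sorted(findings, key=lambda f: f.gap_seconds, reverse=True)


def build_fixture() -> str:
    """Constructed sample input (assumed names): a temp dir holding a freshly
    written 'history_fresh' and a 'history_rolled_back' whose atime/mtime were
    pushed one hour into the past, which is the on-disk effect of restoring a
    saved touch timestamp; ctime stays at 'now' because the kernel sets it."""
    root = tempfile.mkdtemp(prefix="ts_triage_")
    for name in ("history_fresh", "history_rolled_back"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("ls -la\n")
    hour_ago = time.time() - 3600
    os.utime(os.path.join(root, "history_rolled_back"), (hour_ago, hour_ago))
    return root


def demo() -> list[str]:
    """Run the scan over the constructed fixture and return the flagged basenames."""
    root = build_fixture()
    try:
        return [os.path.basename(f.path) for f in scan(root)]
    finally:
        for name in os.listdir(root):
            os.remove(os.path.join(root, name))
        os.rmdir(root)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Real run: scan a directory given on the command line, e.g. a home dir.
        for f in scan(sys.argv[1]):
            print(f"{f.path}: mtime {time.ctime(f.mtime)}, ctime {time.ctime(f.ctime)}, "
                  f"gap {f.gap_seconds / 3600:.1f} h")
    else:
        print("fixture run, flagged:", demo())
```

Run it with a directory argument to triage a real tree; with no argument it builds the fixture and reports `['history_rolled_back']`. On a tree of package-installed binaries expect noise (their mtime is the build time and their ctime the install time), so compare against a package-manager verify pass or restrict the scan to history and log files before acting on a hit.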
$ curl -L https://github.com/aditya-dom/moonwalk-back/releases/download/v1.0.0/moonwalk-back_linux -o moonwalk-back
(AMD x86-64)
OR download the executable from Releases, OR install with `cargo`:
$ cargo install --git https://github.com/aditya-dom/moonwalk-back.git
Prerequisites:
- Git
- Rust
- Cargo (Automatically installed when installing Rust)
- A C linker (Only for Linux, generally comes pre-installed)
$ git clone https://github.com/aditya-dom/moonwalk-back.git
$ cd moonwalk-back/
$ cargo build --release
The first command clones this repository onto your local machine; the last two commands enter the directory and build the source in release mode.
Once you get a shell into the target Unix machine, start a moonwalk session by running this command:
$ moonwalk-back start
While you're doing recon/exploitation and messing with any files, get the `touch` timestamp command of a file beforehand to revert it back after you've accessed/modified it:
$ moonwalk-back get ~/.bash_history
Post-exploitation, clear your traces and close the session with this command:
$ moonwalk-back finish
That's it!
Ways to contribute:
- Suggest a feature
- Report a bug
- Fix something and open a pull request
- Help me document the code
- Spread the word
- Find something I missed which leaves any trace!
Licensed under the MIT License, see LICENSE for more information.