Thursday, 12 May 2016

CleanTracks - MSF Auxiliary For Anti-Forensics

Hello everyone, Hope everyone's fine :) Today, im gonna discuss about a Anti-Forensics module in metasploit coded by r00t 3xp10it - SSA

We often hacks our targets using metasploit but after we completes the exploitation do we notice that if the victim could call forensics guys to get the attacker ?

Metasploit doesn't has any module to do anti forensics job, CleanTracks is designed to remove traces often left by attacker in victim system and completes job without leaving any string leading to attacker :)

-- [IDEA]

As metasploit framework long time user i realized that in actual database does not exist any module that covers your tracks efficiently (in a forensic data breach investigation) after a successfully exploitation. Looking at the actual database we can only find two 'meterpreter' modules that help us in your task: 'clearev' that clears the Applications, System and Security logs on a Window system (event viewer) and 'timestomp' to manipulate the MACE (Modified, Accessed, Changed) times of a file/appl (windows systems)...

-- [ So, Basically  how does clean tracks works ? ]

Actually CleanTracks removes all logs in windows system stage by stage and also uses timestomp modules to change last accessed of files like cmd.exe , rundll32.exe , USER32.exe.
CleanTracks is simple to use and is used like all the other modules by setting required credentials like session id. In metasploit db there are only 2 modules (clearev , timestomp) which currently supports anti-forensics but not in much critical level like Cleantracks do.

-- [Advanced Options]

-- [ Different Functions In CleanTracks To Remove All Traces ]

1. Prevent : Will elevate the privilege to "Administrator" and will get you the privilege of
                  NT AUTHORITY\SYSTEM to the backdoor or payload. Also it'll prevent creation of                         footprints on victim system. By adding some regedit keys to it.


2. Cleaner : clear temp/prefetch folders, flushdns cache, clear eventlogs, shellbags, lnk, tmp, dat, etc,                     this module should be run befor leaving the current session

3. timestomp : This step won't be working as like timestomp in normal msf :) actually its just                                       automatically change the last modified and created dates of some files like cmd.exe
                        but it won't be changing the last accessed/used date and time because cmd is            
                        constantly used by cleantracks to execute commands by attacker.

4. getsys : getprivs API call to elevate current session to nt authority/system, its advice to run it                            before running any of the stages describe above.

5.  Mace Blank MACE values in target inputed directory OR sysmace blank MACE values in target system32 directory, this option will change the MACE attributes of all files to null values inside the sellected directory


6. revert : Revert regedit policies to default values, this option will reverse all registry keys added by CleanTracks.rb stage1 option.


7. logoff : logoff target machine (optional, more effective).



for ubuntu/debian users save file in /opt/metasploit-framework/modules/auxiliary/analyze/ :) and in CleanTracks.rb change class MetasploitModule to  Metasploit3 :) otherwise some compatibility issue may rise while reloading all modules :)) (i've experienced it) :P
Download clean tracks from here

 meterpreter > background
 msf exploit(handler) > reload_all
 msf exploit(handler) > use auxiliary/analyze/CleanTracks
 msf post(CleanTracks) > info
 msf post(CleanTracks) > show options
 msf post(CleanTracks) > show advanced options
 msf post(CleanTracks) > set [option(s)]
 msf post(CleanTracks) > exploit


Stage 1 :

 msf post(CleanTracks) > set getsys true
 msf post(CleanTracks) > set prevent true
 msf post(CleanTracks) > exploit

Before using prevent function ....

Prevent successfully launched :)

Regedit keys changed ;)

Stage2 :

 msf post(CleanTracks) > unset getsys
 msf post(CleanTracks) > set cleaner true
 msf post(CleanTracks) > exploit

Cleaner successfully launched ;)

timestomp :

 msf post(CleanTracks) > unset getsys
 msf post(CleanTracks) > unset cleaner
 msf post(CleanTracks) > set  dirmace Path_to_folder
 msf post(CleanTracks) > exploit

Before using function

Function executed Successfully

Proof Of Concept ;)

                                                         CleanTracks - Anti-forensics auxiliary
                                                     Supporters : Betto Avalos [debugging],
                                                        Chaitanya [debugging], Spirit [debugging]