{"id":13496629,"url":"https://github.com/mufeedvh/moonwalk","last_synced_at":"2025-05-16T11:04:59.399Z","repository":{"id":40262044,"uuid":"439844650","full_name":"mufeedvh/moonwalk","owner":"mufeedvh","description":"Cover your tracks during Linux Exploitation by leaving zero traces on system logs and filesystem timestamps.","archived":false,"fork":false,"pushed_at":"2022-10-08T05:05:36.000Z","size":35,"stargazers_count":1439,"open_issues_count":4,"forks_count":130,"subscribers_count":21,"default_branch":"master","last_synced_at":"2025-05-07T21:40:19.990Z","etag":null,"topics":["cve","exploit","exploitation","infosec","infosectools","linux","privilege-escalation","red-teaming","redteam","redteam-tools","security","security-tools"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mufeedvh.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-12-19T11:24:00.000Z","updated_at":"2025-05-07T02:00:18.000Z","dependencies_parsed_at":"2023-01-19T15:45:36.509Z","dependency_job_id":null,"html_url":"https://github.com/mufeedvh/moonwalk","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mufeedvh%2Fmoonwalk","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mufeedvh%2Fmoonwalk/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mufeedvh%2Fmoonwalk/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mufeedvh%2Fmoonwalk/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mufeedvh","download_url":"https://codeload.github.com/mufeedvh/moonwalk/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254518384,"owners_count":22084374,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cve","exploit","exploitation","infosec","infosectools","linux","privilege-escalation","red-teaming","redteam","redteam-tools","security","security-tools"],"created_at":"2024-07-31T19:01:53.591Z","updated_at":"2025-05-16T11:04:59.344Z","avatar_url":"https://github.com/mufeedvh.png","language":"Rust","readme":"\u003cdiv align=\"center\"\u003e\n  \u003ch1\u003e\u003ccode\u003emoonwalk\u003c/code\u003e\u003c/h1\u003e \n  \u003cp\u003e\u003cstrong\u003e\u003cem\u003eCover your tracks during Linux Exploitation / Penetration Testing by leaving zero traces on system logs and filesystem timestamps.\u003c/em\u003e\u003c/strong\u003e\u003c/p\u003e\n  \u003cimg height=\"90\" width=\"90\" src=\"https://user-images.githubusercontent.com/26198477/146671442-78bb6781-b283-4f43-8754-d1d3b62ae627.gif\"\u003e\n  \u003cimg height=\"90\" width=\"90\" src=\"https://user-images.githubusercontent.com/26198477/146671305-5ffc26b4-1e0e-4436-9a1e-1e0dfc81f40e.gif\"\u003e\n\u003c/div\u003e\n\n---\n\n## 📖 Table of Contents\n\n- [Introduction](#%E2%84%B9%EF%B8%8F-introduction)\n- [Features](#features)\n- [Installation](#installation)\n- [Usage](#usage)\n- [Contribution](#contribution)\n- [License](#license)\n\n## ℹ️ Introduction\n\n**moonwalk** is a 400 KB single-binary executable that can clear your traces while penetration testing a **Unix** machine. It saves the state of system logs pre-exploitation and reverts that state including the filesystem timestamps post-exploitation leaving zero traces of a _ghost in the shell_.\n\n⚠️ **NOTE:** This tool is open-sourced to assist solely in [**Red Team**](https://en.wikipedia.org/wiki/Red_team) operations and in no means is the author liable for repercussions caused by any prohibited use of this tool. Only make use of this in a machine you have permission to test.\n\n## Features\n\n- **Small Executable:** Get started quickly with a `curl` fetch to your target machine.\n- **Fast:** Performs all session commands including logging, trace clearing, and filesystem operations in under 5 milliseconds.\n- **Reconnaissance:** To save the state of system logs, `moonwalk` finds a world-writable path and saves the session under a dot directory which is removed upon ending the session.\n- **Shell History:** Instead of clearing the whole history file, `moonwalk` reverts it back to how it was including the invokation of `moonwalk`.\n- **Filesystem Timestamps:** Hide from the Blue Team by reverting the access/modify timestamps of files back to how it was using the [`GET`](#usage) command.\n\n## Installation\n\n```\n$ curl -L https://github.com/mufeedvh/moonwalk/releases/download/v1.0.0/moonwalk_linux -o moonwalk\n```\n\n(`AMD x86-64`)\n\n**OR**\n\nDownload the executable from [**Releases**](https://github.com/mufeedvh/moonwalk/releases) OR Install with `cargo`:\n\n    $ cargo install --git https://github.com/mufeedvh/moonwalk.git\n    \n[Install Rust/Cargo](https://rust-lang.org/tools/install)\n\n## Build From Source\n\n**Prerequisites:**\n\n* [Git](https://git-scm.org/downloads)\n* [Rust](https://rust-lang.org/tools/install)\n* Cargo (Automatically installed when installing Rust)\n* A C linker (Only for Linux, generally comes pre-installed)\n\n```\n$ git clone https://github.com/mufeedvh/moonwalk.git\n$ cd moonwalk/\n$ cargo build --release\n```\n\nThe first command clones this repository into your local machine and the last two commands enters the directory and builds the source in release mode.\n\n## Usage\n\n\u003cdiv align=\"center\"\u003e\n  \u003ctable\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003cimg height=\"300\" width=\"400\" src=\"https://user-images.githubusercontent.com/26198477/146672354-9db1e7e5-bb8a-43e5-8b64-b2d1bbea547e.png\"\u003e\u003c/td\u003e\n    \u003c/tr\u003e\n  \u003c/table\u003e\n\u003c/div\u003e\n\nOnce you get a shell into the target Unix machine, start a moonwalk session by running this command:\n\n    $ moonwalk start\n    \nWhile you're doing recon/exploitation and messing with any files, get the `touch` timestamp command of a file beforehand to revert it back after you've accessed/modified it:\n\n    $ moonwalk get ~/.bash_history\n    \nPost-exploitation, clear your traces and close the session with this command:\n\n    $ moonwalk finish\n    \nThat's it!\n\n## Contribution\n\nWays to contribute:\n\n- Suggest a feature\n- Report a bug\n- Fix something and open a pull request\n- Help me document the code\n- Spread the word\n- Find something I missed which leaves any trace!\n\n## License\n\nLicensed under the MIT License, see \u003ca href=\"https://github.com/mufeedvh/moonwalk/blob/master/LICENSE\"\u003eLICENSE\u003c/a\u003e for more information.\n","funding_links":[],"categories":["Rust","security-tools"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmufeedvh%2Fmoonwalk","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmufeedvh%2Fmoonwalk","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmufeedvh%2Fmoonwalk/lists"}