Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.


https://github.com/Aditya-dom/moonwalk-back

Cover your tracks during Linux Exploitation by leaving zero traces on system logs and filesystem timestamps.

Topics: exploit, linux, security, testing


README

# moonwalk-back

Cover your tracks during Linux Exploitation / Penetration Testing by leaving zero traces on system logs and filesystem timestamps.
---

## 📖 Table of Contents

- [Introduction](#%E2%84%B9%EF%B8%8F-introduction)
- [Features](#features)
- [Installation](#installation)
- [Usage](#usage)
- [Contribution](#contribution)
- [License](#license)

## ℹī¸ Introduction

**moonwalk-back** is a 400 KB single-binary executable that can clear your traces while penetration testing a **Unix** machine. It saves the state of system logs pre-exploitation and, post-exploitation, reverts that state (including the filesystem timestamps), leaving zero traces of a _ghost in the shell_.

⚠ī¸ **NOTE:** This tool is open-sourced to assist solely in [**Red Team**](https://en.wikipedia.org/wiki/Red_team) operations and in no means is the author liable for repercussions caused by any prohibited use of this tool. Only make use of this in a machine you have permission to test.

## Features

- **Small Executable:** Get started quickly with a `curl` fetch to your target machine.
- **Fast:** Performs all session commands including logging, trace clearing, and filesystem operations in under 5 milliseconds.
- **Reconnaissance:** To save the state of system logs, `moonwalk-back` finds a world-writable path and saves the session under a dot directory which is removed upon ending the session.
- **Shell History:** Instead of clearing the whole history file, `moonwalk-back` reverts it back to how it was including the invocation of `moonwalk-back`.
- **Filesystem Timestamps:** Hide from the Blue Team by reverting the access/modify timestamps of files back to how they were, using the [`GET`](#usage) command.

## Installation

```
$ curl -L https://github.com/aditya-dom/moonwalk-back/releases/download/v1.0.0/moonwalk-back_linux -o moonwalk-back
```

(`AMD x86-64`)

**OR**

Download the executable from [**Releases**](https://github.com/aditya-dom/moonwalk-back/releases) OR Install with `cargo`:

```
$ cargo install --git https://github.com/aditya-dom/moonwalk-back.git
```

[Install Rust/Cargo](https://rust-lang.org/tools/install)

## Build From Source

**Prerequisites:**

* [Git](https://git-scm.org/downloads)
* [Rust](https://rust-lang.org/tools/install)
* Cargo (Automatically installed when installing Rust)
* A C linker (Only for Linux, generally comes pre-installed)

```
$ git clone https://github.com/aditya-dom/moonwalk-back.git
$ cd moonwalk-back/
$ cargo build --release
```

The first command clones this repository onto your local machine; the last two commands enter the directory and build the source in release mode.

## Usage

Once you get a shell on the target Unix machine, start a moonwalk session by running this command:

```
$ moonwalk-back start
```

While you're doing recon/exploitation and touching any files, obtain the `touch` command that restores a file's timestamps before you access or modify it, so you can revert it afterwards:

```
$ moonwalk-back get ~/.bash_history
```

Post-exploitation, clear your traces and close the session with this command:

```
$ moonwalk-back finish
```

That's it!
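The `GET` revert above rewrites a file's access/modify times, but the kernel's inode change time (ctime) cannot be set from user space and is bumped by every `utimes(2)` call, so a ctime well after the mtime is the residue a Blue Team can look for. The following Python script is an added, defender-side example and not part of moonwalk-back; the directory walk, the two-second tolerance and the constructed sample files are assumptions for the demo.

```python
import os
import shutil
import tempfile
import time


def ctime_after_mtime(path, tolerance=2.0):
    """True when the inode change time (ctime) is later than the content
    modification time (mtime) by more than `tolerance` seconds.

    utimes(2), which `touch -d` and a timestamp revert rely on, rewrites
    atime/mtime, but the kernel sets ctime to the current time and ctime
    cannot be set from user space; a ctime well after mtime therefore marks
    a file whose timestamps were rewound after its last real modification."""
    st = os.stat(path, follow_symlinks=False)
    return (st.st_ctime - st.st_mtime) > tolerance


def find_rewound_files(root, tolerance=2.0):
    """Walk `root` and return the sorted paths that look rewound.
    Treat hits as triage leads: chmod/chown/rename, archive extraction and
    package installs also leave ctime > mtime, so confirm against other
    sources (journal, auditd, backups) before drawing conclusions."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if ctime_after_mtime(path, tolerance):
                    hits.append(path)
            except OSError:
                continue  # unreadable entry: skip rather than abort the scan
    return sorted(hits)


def demo():
    """Constructed scenario: two fresh files, one with atime/mtime rewound
    by an hour. Returns the base names of the files the scan flags."""
    tmp = tempfile.mkdtemp(prefix="ts-demo-")
    try:
        for name in ("untouched.log", "edited.log"):
            with open(os.path.join(tmp, name), "w") as fh:
                fh.write("line\n")
        past = time.time() - 3600  # rewind atime/mtime; ctime stays 'now'
        os.utime(os.path.join(tmp, "edited.log"), (past, past))
        return [os.path.basename(p) for p in find_rewound_files(tmp)]
    finally:
        shutil.rmtree(tmp, ignore_errors=True)
```

Run `find_rewound_files("/var/log")` as root to triage a real host; pair any hit with the journal or auditd record of who touched it, since the heuristic alone only says the timestamps were rewritten, not by whom.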

## Contribution

Ways to contribute:

- Suggest a feature
- Report a bug
- Fix something and open a pull request
- Help me document the code
- Spread the word
- Find something I missed which leaves any trace!

## License

Licensed under the MIT License, see LICENSE for more information.