Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/mufeedvh/moonwalk

Cover your tracks during Linux Exploitation by leaving zero traces on system logs and filesystem timestamps.
https://github.com/mufeedvh/moonwalk

cve exploit exploitation infosec infosectools linux privilege-escalation red-teaming redteam redteam-tools security security-tools

Last synced: 5 days ago
JSON representation

Cover your tracks during Linux Exploitation by leaving zero traces on system logs and filesystem timestamps.

Awesome Lists containing this project

README 

        


  
moonwalk
 

  
Cover your tracks during Linux Exploitation / Penetration Testing by leaving zero traces on system logs and filesystem timestamps.


  

  




---



## 📖 Table of Contents



- [Introduction](#%E2%84%B9%EF%B8%8F-introduction)

- [Features](#features)

- [Installation](#installation)

- [Usage](#usage)

- [Contribution](#contribution)

- [License](#license)



## ℹī¸ Introduction



**moonwalk** is a 400 KB single-binary executable that can clear your traces while penetration testing a **Unix** machine. It saves the state of system logs pre-exploitation and reverts that state including the filesystem timestamps post-exploitation leaving zero traces of a _ghost in the shell_.



⚠ī¸ **NOTE:** This tool is open-sourced to assist solely in [**Red Team**](https://en.wikipedia.org/wiki/Red_team) operations and in no means is the author liable for repercussions caused by any prohibited use of this tool. Only make use of this in a machine you have permission to test.



## Features



- **Small Executable:** Get started quickly with a `curl` fetch to your target machine.

- **Fast:** Performs all session commands including logging, trace clearing, and filesystem operations in under 5 milliseconds.

- **Reconnaissance:** To save the state of system logs, `moonwalk` finds a world-writable path and saves the session under a dot directory which is removed upon ending the session.

- **Shell History:** Instead of clearing the whole history file, `moonwalk` reverts it back to how it was including the invokation of `moonwalk`.

- **Filesystem Timestamps:** Hide from the Blue Team by reverting the access/modify timestamps of files back to how it was using the [`GET`](#usage) command.



## Installation



```

$ curl -L https://github.com/mufeedvh/moonwalk/releases/download/v1.0.0/moonwalk_linux -o moonwalk

```



(`AMD x86-64`)



**OR**



Download the executable from [**Releases**](https://github.com/mufeedvh/moonwalk/releases) OR Install with `cargo`:



    $ cargo install --git https://github.com/mufeedvh/moonwalk.git

    

[Install Rust/Cargo](https://rust-lang.org/tools/install)



## Build From Source



**Prerequisites:**



* [Git](https://git-scm.org/downloads)

* [Rust](https://rust-lang.org/tools/install)

* Cargo (Automatically installed when installing Rust)

* A C linker (Only for Linux, generally comes pre-installed)



```

$ git clone https://github.com/mufeedvh/moonwalk.git

$ cd moonwalk/

$ cargo build --release

```



The first command clones this repository into your local machine and the last two commands enters the directory and builds the source in release mode.



## Usage





  

    

      

    

  




Once you get a shell into the target Unix machine, start a moonwalk session by running this command:



    $ moonwalk start

    

While you're doing recon/exploitation and messing with any files, get the `touch` timestamp command of a file beforehand to revert it back after you've accessed/modified it:



    $ moonwalk get ~/.bash_history

    

Post-exploitation, clear your traces and close the session with this command:



    $ moonwalk finish

    

That's it!



## Contribution



Ways to contribute:



- Suggest a feature

- Report a bug

- Fix something and open a pull request

- Help me document the code

- Spread the word

- Find something I missed which leaves any trace!



## License



Licensed under the MIT License, see LICENSE for more information.