Saturday, June 21, 2008

How Hackers can Erase their Tracks

How hackers can erase their tracks after hacking you. hehe

This is for educational purposes only. But you can’t hide from me. hehe Just kidding…

Whenever someone comes in contact with another person, place, or thing, something of that person is left behind. This means that the attacker must disable logging, clear log files, eliminate evidence, plant additional tools, and cover his tracks.

Here are some of the techniques that an attacker can use to cover his tracks:-
(1) Disabling logging – Auditpol was originally included in the NT Resource Kit for administrators. It works well for hackers too, as long as they have administrative access.
Just point it at the victim’s system as follows:
C:\>auditpol \\192.168.10 /disable
Auditing Disabled

(2) Clear the log file – The attacker will also attempt to clear the log. Tools such as Winzapper, Evidence Eliminator, or Elsave can be used. Elsave will remove all entries from the logs, except one entry that shows the logs were cleared.
It is used as follows (-s names the target system, -l the log to act on, and -C clears it):

Elsave -s \\192.168.13.10 -l "Security" -C

(3) Cover their tracks – One way for attackers to cover their tracks is with rootkits. Rootkits are malicious code designed to give an attacker expanded access and hide his presence. While rootkits were traditionally a Linux tool, they are now starting to make their way into the Windows environment. Tools such as NTrootkit and AFX Windows rootkits are available for Windows systems. If you suspect that a computer has been rootkitted, you need to use an MD5 checksum utility or a program such as Tripwire to verify the integrity of your programs. The only other alternative is to rebuild the computer from known good media.

Another method of hiding traces is to hide files.

Let me give you a brief explanation of how that is done. Various techniques are used by attackers to hide their tools on the compromised computer. Some attackers might just use the attrib command to mark files hidden, whereas others might place their files in low-traffic areas. A more advanced method is to use NTFS alternate data streams. NTFS alternate data streams (ADS) were developed to provide compatibility with file systems outside the Windows world, such as the Macintosh Hierarchical File System (HFS). Those file systems use resource forks to keep information associated with a file, such as icons, alongside the file itself.

ADS is a security concern because an attacker can use these streams to hide files on a system. As the streams are almost completely invisible to normal directory listings, they represent a near-perfect hiding spot on a file system. It gives the attacker a place to stash his tools until he needs them at a later date. To delete a stream, delete the file it is attached to, or copy that file to a FAT file system; FAT does not support ADS, so the stream is dropped in the copy.
To create an ADS, issue the following command:-

Type examcram.zip > readme.txt:examcram.zip

This command streamed examcram.zip behind readme.txt. This is all that is required to stream the file. Now the original secret file can be erased.

Erase examcram.zip

All the attacker must do to retrieve the hidden file is to type the following:-

Start c:\readme.txt:examcram.zip

This opens the stream, and with it the hidden file. Some tools that are available to detect streamed files include:-
(1) Sfind – A Foundstone forensic tool for finding streamed files
(2) LNS – Another tool used for finding streamed files, developed by ntsecurity.nu
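A way to check for non-default streams with built-in tooling, as an added example for defenders that is not part of the original post. It assumes PowerShell 3.0 or later on an NTFS volume; the root path and the Find-AlternateDataStreams function name are mine.

```powershell
# Added example (not from the original post): list NTFS alternate data streams
# under a directory so hidden payloads such as readme.txt:examcram.zip show up.
# Assumes PowerShell 3.0+ (Get-Item -Stream) and an NTFS volume; $Root is a placeholder.

function Find-AlternateDataStreams {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Every file carries the unnamed ':$DATA' stream; anything else is an ADS.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' }
        } |
        ForEach-Object {
            [pscustomobject]@{
                File       = $_.FileName
                Stream     = $_.Stream
                Bytes      = $_.Length
                # 'Zone.Identifier' is the benign Mark-of-the-Web stream that browsers
                # attach to downloads; any other named stream deserves a closer look.
                Suspicious = ($_.Stream -ne 'Zone.Identifier')
            }
        }
}

$Root = 'C:\Users\Public'   # placeholder; point this at the tree you want to audit
Find-AlternateDataStreams -Path $Root |
    Sort-Object Suspicious -Descending |
    Format-Table -AutoSize
```

A flagged stream can be inspected without executing it via Get-Content -LiteralPath <file> -Stream <name>, and removed on its own with Remove-Item -LiteralPath <file> -Stream <name> once it has been preserved for the investigation.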

Note: Linux does not support ADS, although an interesting slack space tool is available called Bmap, which can be downloaded from http://www.securityfocus.com/tools/1359. This Linux tool has the capability to pack data into existing slack space. Anything could be hidden there, as long as it fits within the available space or is split up to fit the slack that exists.

One final step for the attacker might well be to gain a command prompt on the victim’s system. This allows the attacker to actually be the owner of the box. Some tools that give the attacker a command prompt on the system include Psexec, Remoxec, and Netcat.

Credits: *** Rani tha ***
