Moonwalk – Cover Your Tracks During Linux Exploitation By Leaving Zero Traces On System Logs And Filesystem Timestamps
Cover your tracks during Linux Exploitation / Penetration Testing by leaving zero traces on system logs and filesystem timestamps.
moonwalk is a 400 KB single-binary executable that can clear your traces while penetration testing a Unix machine. It saves the state of system logs pre-exploitation and, post-exploitation, reverts that state, including the filesystem timestamps, leaving zero traces of a ghost in the shell.
- Small Executable: Get started quickly with a curl fetch to your target machine.
- Fast: Performs all session commands including logging, trace clearing, and filesystem operations in under 5 milliseconds.
- Reconnaissance: To save the state of system logs, moonwalk finds a world-writable path and saves the session under a dot directory which is removed upon ending the session.
- Shell History: Instead of clearing the whole history file, moonwalk reverts it back to how it was, including the invocation of
- Filesystem Timestamps: Hide from the Blue Team by reverting the access/modify timestamps of files back to how they were using the
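From the defender's side, the feature list above points at what a timestamp revert cannot undo: a utime()-style tool (touch -t and friends) rewrites atime and mtime, but ctime is maintained by the kernel and is bumped to "now" by the very act of resetting the other two. The following added example (not part of the moonwalk project; written here as a detection aid) scans files for two resulting signals and builds its own constructed scenario in a temporary directory so it runs offline. The path names and the 60-second threshold are assumptions for illustration.

```python
import os
import tempfile
import time

# Heuristic background (assumed detection approach, not project code):
#   1. ctime well ahead of mtime: metadata changed after the last content write,
#      which is what resetting atime/mtime to an earlier value produces.
#   2. mtime with a zero sub-second part on a filesystem that stores nanoseconds:
#      consistent with a second-granularity tool having set it.
# Both are heuristics: chmod/chown/rename also bump ctime, and coarse-grained
# filesystems store whole seconds for every file. Treat hits as leads to
# correlate with other evidence, not as proof of tampering.

NS = 1_000_000_000  # nanoseconds per second


def timestamp_anomalies(paths, min_gap_seconds=60):
    """Return {path: [reason, ...]} for files that show either signal."""
    findings = {}
    for path in paths:
        st = os.lstat(path)  # lstat: inspect the link itself, not its target
        reasons = []
        if (st.st_ctime_ns - st.st_mtime_ns) > min_gap_seconds * NS:
            reasons.append("mtime_ctime_gap")
        if st.st_mtime_ns % NS == 0:
            reasons.append("whole_second_mtime")
        if reasons:
            findings[path] = reasons
    return findings


def build_demo_dir():
    """Constructed scenario: one untouched file and one whose atime/mtime were set back a day."""
    d = tempfile.mkdtemp(prefix="ts-demo-")
    untouched = os.path.join(d, "untouched.log")
    with open(untouched, "w") as fh:
        fh.write("unchanged entry\n")
    reverted = os.path.join(d, "reverted.log")
    with open(reverted, "w") as fh:
        fh.write("edited entry\n")
    # Mimic a second-granularity backdating: whole-second atime/mtime one day ago.
    # ctime is left to the kernel, which records the moment of this utime() call.
    past_ns = (int(time.time()) - 86_400) * NS
    os.utime(reverted, ns=(past_ns, past_ns))
    return untouched, reverted


if __name__ == "__main__":
    untouched_path, reverted_path = build_demo_dir()
    for path, reasons in timestamp_anomalies([untouched_path, reverted_path]).items():
        print(f"{path}: {', '.join(reasons)}")
```

In practice you would feed timestamp_anomalies a file list from a baseline (package manifests, a file-integrity monitor) and review the hits alongside auth and process telemetry; the gap check is the stronger of the two signals, since the whole-second check fires on every file of a filesystem that only keeps second resolution.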
$ curl -L https://github.com/mufeedvh/moonwalk/releases/download/v1.0.0/moonwalk_linux -o moonwalk
Download the executable from Releases OR Install with
$ cargo install --git https://github.com/mufeedvh/moonwalk.git
Build From Source
- Cargo (Automatically installed when installing Rust)
- A C linker (Only for Linux, generally comes pre-installed)
$ git clone https://github.com/mufeedvh/moonwalk.git
$ cd moonwalk/
$ cargo build --release
The first command clones this repository onto your local machine, and the last two commands enter the directory and build the source in release mode.
Once you get a shell into the target Unix machine, start a moonwalk session by running this command:
$ moonwalk start
While you're doing recon/exploitation and messing with any files, get the touch timestamp command for a file beforehand so you can revert its timestamps after you've accessed/modified it:
$ moonwalk get ~/.bash_history
Post-exploitation, clear your traces and close the session with this command:
$ moonwalk finish
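The start/finish session described above restores the local log files to their pre-session state, which is exactly why defenders ship logs off-host as they are written: a remote collector already holds the entries before the session is finished, and the local file can only be rolled back, not the forwarded copy. The added example below (not part of the moonwalk project) compares a host's auth log after such a rollback with the copy a syslog collector received, and reports the entries that exist only remotely. Both log texts are constructed samples; the host name, users and addresses are made up.

```python
from collections import Counter

# Constructed sample: the copy a remote syslog collector received during the day.
FORWARDED_COPY = """\
Mar 10 09:12:01 web01 sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
Mar 10 09:14:37 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; COMMAND=/usr/bin/apt update
Mar 10 09:30:02 web01 CRON[1300]: (root) CMD (run-parts /etc/cron.hourly)
Mar 10 09:41:18 web01 sshd[1422]: Accepted password for svc-backup from 203.0.113.7 port 40112 ssh2
Mar 10 09:41:25 web01 sudo: svc-backup : TTY=pts/1 ; PWD=/tmp ; COMMAND=/bin/bash
"""

# Constructed sample: the same file on the host after it was restored to an
# earlier snapshot. The two 09:41 entries are gone locally.
LOCAL_AFTER_SESSION = """\
Mar 10 09:12:01 web01 sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
Mar 10 09:14:37 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; COMMAND=/usr/bin/apt update
Mar 10 09:30:02 web01 CRON[1300]: (root) CMD (run-parts /etc/cron.hourly)
"""


def find_suppressed_entries(local_text, forwarded_text):
    """Compare a host log with its forwarded copy.

    Returns a dict with:
      missing          - forwarded lines that have no counterpart on the host
                         (duplicates are matched one-for-one via a Counter)
      snapshot_restore - True when the host file is a strict prefix of the
                         forwarded copy, i.e. it looks like an earlier
                         snapshot was put back rather than lines being
                         selectively deleted
    """
    local = local_text.splitlines()
    forwarded = forwarded_text.splitlines()
    budget = Counter(local)
    missing = []
    for line in forwarded:
        if budget[line] > 0:
            budget[line] -= 1
        else:
            missing.append(line)
    snapshot_restore = len(local) < len(forwarded) and forwarded[: len(local)] == local
    return {"missing": missing, "snapshot_restore": snapshot_restore}


if __name__ == "__main__":
    result = find_suppressed_entries(LOCAL_AFTER_SESSION, FORWARDED_COPY)
    print("snapshot restore:", result["snapshot_restore"])
    for line in result["missing"]:
        print("only on collector:", line)
```

The comparison is only as good as the forwarding path: it assumes entries reach the collector as they are written (not in batches that a session could outlast) and that the collector itself is append-only for the host. Logs that are never forwarded, such as a local-only journal or a user's shell history, need a different control, for example a file-integrity baseline taken from outside the host.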
Ways to contribute:
- Suggest a feature
- Report a bug
- Fix something and open a pull request
- Help me document the code
- Spread the word
- Find something I missed which leaves any trace!
Licensed under the MIT License, see LICENSE for more information.