Friday, July 13, 2012

Messin' with bash history

     Alrighty, it's been a while since my last post. I'm a little hesitant to write about anti-forensic techniques because I personally feel that they don't aid red team very much and hurt blue team quite a bit. The focus of this post today will be for cases where you legitimately need to manipulate the bash history, or execute commands that you don't necessarily want written to it.

     The main ways to manipulate the bash history fall into a few categories: 1) preventing the session's history from being written, 2) removing entries already written to .bash_history, and 3) executing commands in a way that won't be written to the bash history.

1) Preventing the session's history from being written


     Ok, so let's assume you've gone and accidentally typed your password into the command prompt and hit enter...it happens. Well, if we don't want that password to be in history and we don't care about any of the other activities we've done in our session, we can kill bash and prevent it from closing out gracefully. You see, it's not until bash has closed gracefully that it writes the session's history to the .bash_history file. There are many ways to do this, but my personal preference is to just type "kill -9 $$". This sends SIGKILL to the current shell ($$ expands to its own PID), which terminates it without running its normal exit path. You'll lose your session (locally your terminal will close, remotely you'll be disconnected), but when you reconnect your history won't have been written. This can also be accomplished by setting the HISTFILE variable to /dev/null.

     In some distributions of Linux you can actually run commands without the fear of them being written simply by putting a space in front of the command you want to run. If your distribution doesn't do this by default, setting the HISTCONTROL variable to ignorespace will allow you to do this as well.
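As an added demonstration (not code from the original post) of why an investigator should not treat a clean .bash_history as proof that nothing ran in a session: the POSIX shell script below starts a throwaway interactive bash with HISTFILE pointed at a temp file, feeds it a few commands, and shows that a leading space under HISTCONTROL=ignorespace drops the line and that a SIGKILLed shell writes nothing at all. It assumes bash is installed; the helper name hist_written is my own.

```shell
#!/bin/sh
# Added example: observe what bash actually writes to its history file.
# Assumes a `bash` binary is on PATH; every path used is a temp file made here.

# hist_written HISTCONTROL_VALUE LAST_LINE
#   Runs `bash --norc -i` with HISTFILE set to a fresh temp path, feeds it
#   three commands (the second with a leading space) followed by LAST_LINE,
#   then prints whatever bash wrote to that file (nothing if it never did).
hist_written() {
  histctl=$1
  last=$2
  tmp=$(mktemp) || return 1
  rm -f "$tmp"                       # bash should (re)create it on a graceful exit
  unset HISTTIMEFORMAT HISTIGNORE    # keep the written file free of surprises
  printf '%s\n' 'echo one' ' echo two' 'echo three' "$last" |
    HISTFILE="$tmp" HISTCONTROL="$histctl" HISTSIZE=500 \
    bash --norc -i >/dev/null 2>&1 || true   # non-zero status when SIGKILLed
  if [ -f "$tmp" ]; then
    cat "$tmp"
    rm -f "$tmp"
  fi
}

# Graceful exit, no HISTCONTROL: all four lines (including "exit") are written.
echo "--- HISTCONTROL unset, graceful exit:"
hist_written "" exit
# ignorespace: the line that started with a space is never recorded.
echo "--- HISTCONTROL=ignorespace, graceful exit:"
hist_written ignorespace exit
# SIGKILL on the shell itself: the exit path never runs, so no file appears.
echo "--- HISTCONTROL=ignorespace, kill -9 \$\$:"
hist_written ignorespace 'kill -9 $$'
```

Caveat: a shell whose PROMPT_COMMAND runs `history -a` appends after every command, so the SIGKILL case only holds for bash's default write-on-exit behaviour.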

2) Removing entries already written to .bash_history


     So let's say you didn't know about method #1 and you already closed out the session gracefully...no worries. Since bash writes its history to .bash_history, we can go ahead and just edit the .bash_history file and remove what we want. Combining #1 and #2, you can edit out what you want and not have anything in .bash_history showing that you edited it.

     Another fun way to manipulate the bash history would be to grep out (using grep -v) the commands you want to disappear into another file, and then redirect the contents of that file back over the .bash_history file. You'll leave a file behind with the grepped contents, but you avoid the .viminfo entry that editing the file in vim would leave behind.

3) Executing commands in a way that won't be written to the bash history


     When executing commands on a remote machine, you can actually put your commands in as part of the ssh connection by adding them between quotes. For example, if you wanted to simply echo hello on a remote machine you would type ssh username@machine "echo hello". Because the remote shell runs this non-interactively, the command won't be written to the remote machine's bash history at all (the ssh invocation itself still lands in your local history, of course).

Of course blowing the bash history away is always an option, but I won't be covering that in this post.

I didn't include pictures in this post. If I get enough requests for them I can add some for clarification.