Kali Linux

Moonwalk : Cover Your Tracks During Linux Exploitation By Leaving Zero Traces

moonwalk is a 400 KB single-binary executable that can clear your traces while penetration testing a Unix machine. It saves the state of system logs pre-exploitation and reverts that state including the filesystem timestamps post-exploitation leaving zero traces of a ghost in the shell.

Features

  • Small Executable: Get started quickly with a curl fetch to your target machine.
  • Fast: Performs all session commands including logging, trace clearing, and filesystem operations in under 5 milliseconds.
  • Reconnaissance: To save the state of system logs, moonwalk finds a world-writable path and saves the session under a dot directory which is removed upon ending the session.
  • Shell History: Instead of clearing the whole history file, moonwalk reverts it back to how it was including the invocation of moonwalk.
  • Filesystem Timestamps: Hide from the Blue Team by reverting the access/modify timestamps of files back to how it was using the GET command.

Installation

$ curl -L https://github.com/mufeedvh/moonwalk/releases/download/v1.0.0/moonwalk_linux -o moonwalk

(AMD x86-64)

OR

Download the executable from Releases OR Install with cargo:

Build From Source

Prerequisites

  • Git
  • Rust
  • Cargo (Automatically installed when installing Rust)
  • A C linker (Only for Linux, generally comes pre-installed)

$ git clone https://github.com/mufeedvh/moonwalk.git
$ cd moonwalk/
$ cargo build –release

The first command clones this repository into your local machine and the last two commands enters the directory and builds the source in release mode.

Usage

Once you get a shell into the target Unix machine, start a moonwalk session by running this command:

$ moonwalk start

While you’re doing recon/exploitation and messing with any files, get the touch timestamp command of a file beforehand to revert it back after you’ve accessed/modified it:

$ moonwalk get ~/.bash_history

Post-exploitation, clear your traces and close the session with this command:

$ moonwalk finish

R K

Recent Posts

How to Install Docker on Ubuntu (Step-by-Step Guide)

Docker is a powerful open-source containerization platform that allows developers to build, test, and deploy…

11 hours ago

Uninstall Docker on Ubuntu

Docker is one of the most widely used containerization platforms. But there may come a…

12 hours ago

Admin Panel Dorks : A Complete List of Google Dorks

Introduction Google Dorking is a technique where advanced search operators are used to uncover information…

1 day ago

Log Analysis Fundamentals

Introduction In cybersecurity and IT operations, logging fundamentals form the backbone of monitoring, forensics, and…

3 days ago

Networking Devices 101: Understanding Routers, Switches, Hubs, and More

What is Networking? Networking brings together devices like computers, servers, routers, and switches so they…

3 days ago

Sock Puppets in OSINT: How to Build and Use Research Accounts

Introduction In the world of Open Source Intelligence (OSINT), anonymity and operational security (OPSEC) are…

3 days ago