To show you the basics of covering your tracks, we'll compromise a target first, then explore some techniques used to delete Bash history, clear logs, and remain hidden after exploiting a Linux system.
You probably know about using the up and down arrow keys to scroll through your Bash history, but there's a lot more to Bash history than just repeating commands. There is much more to the story. Or should that be much more to the history? In either case, history is one of those obscure commands that is powerful and handy to know at least at a basic level. This article will take the mystery out of Bash history and make it a friendlier sysadmin tool.
Hiding Your Tracks: Bash History
The HISTFILE variable holds the name and location of your Bash history file. HISTFILESIZE is how many commands can be stored in the .bash_history file. HISTSIZE is the number of commands cached in memory for the current session. Once you reach 1000 commands, the oldest commands are discarded as new ones are saved.
Each user, including root, has these variables and sizes assigned by default. If you want to change them, edit the .bashrc file in your home directory. For example, to set both size variables to 500 commands, edit .bashrc and use the following entries:
The problem with Bash history is that it isn't written to the .bash_history file until you log off. This makes it impossible to rely on the history command for scripting. For example, say you're teaching a Linux class and you want to check whether students have run a particular command to copy their files to a mounted external drive. If a student stays logged on to the system, your script can't tell whether the copy has been performed, because it reads the student's history file (/home/student/.bash_history) to check whether the command has run.
This writes all of the current session's command history to the HISTFILE, and your check script can then find out whether the command has been run. You still have to trust that the student will run the history command.
The bash history feature is commonly used and can save you a lot of time when repeating commands or issuing commands nearly identical to ones you've entered before. Still, some of the capabilities of the history feature may not be obvious to the casual user. Let's look a little more deeply into how history works and how you might get even more out of it.

First, a rehash of how history works. History uses both a command buffer and a history file to track the commands you enter during your login session. If you type pwd, cal, date, who and ls after logging in, all five commands are stored in your history buffer. When you log off, those commands are also added to your history file. If you enter a subshell by typing /bin/bash and then enter commands, those commands are added to your history file before the commands you entered prior to starting the second shell: they are written when you exit the second shell, while the other commands (such as the one that started the subshell) are written when you log out.

The important variables for working with command history are:
For bash options, set -o turns an option on and set +o turns it off. This is just something you have to get used to. So, use set +o history to turn history off and set -o history to turn it back on.

If you issue the history command after turning history off, you will still see the commands you entered before turning it off, but new commands will not be added -- except for the set +o history command itself. That one will go into your history file. So, if you're thinking of manipulating history settings as a way of covering your tracks, keep in mind that you won't be covering the fact that you're covering them -- at least not without some additional steps.

If you really want to cover your tracks, you can turn off history by adding the set +o history command to your .bash_profile file and then clean up your .bash_history file on your next login. But keep in mind that this only cleans up your history file; it does not necessarily hide your activity, as other tools may be tracking system activity.

You can send command history to a different file by changing the setting of the HISTFILE variable, though, as with most other settings, the change won't survive a logout unless you add the command to one of your "dot files" (such as ~/.bash_profile).
If you issue an unset HISTFILE command, the commands you type will not be added to your history file (~/.bash_history or ~/.history) or to any other file, but they will still go into your history buffer. If you put this command in your .bash_profile file, any time you type history you will see only the commands entered in your current login session.

If you set HISTFILE to a different file, you will still see the commands you've just typed when you type history or press the up arrow key, but your commands will go to that other file when you log off.
History is meant to save Unix users from having to do a lot of typing. By repeating and editing commands, they may enter a fraction of the text they would otherwise have to type. The history feature is not, however, meant to provide any serious form of command auditing. As this post shows, there are far too many ways to control what goes into your history file, so it should be considered completely unreliable for any serious security work.
The thing with bash is that it retains the history of entered commands, so unless you clear it, the administrator will be able to see that the shred command above was entered. The retained bash command history is found in the file ~/.bash_history.
Of course, users will still be able to change the HIST* variables (HISTFILE, HISTSIZE, HISTFILESIZE), but this will show up in .bash_history. You will be able to check whether they were doing things like using a different HISTFILE to cover their tracks.
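As an added example (not from any of the sources collected on this page), here is a small POSIX shell audit that looks for exactly the settings discussed above, unset HISTFILE, HISTFILE=/dev/null, set +o history and zeroed HISTSIZE/HISTFILESIZE, in a user's startup files and in the live environment. The function names and the pattern variable are constructed for this demo.

```shell
#!/bin/sh
# Added example, not from the original page: audit Bash history settings for
# the evasion techniques described above. The names audit_history_files,
# audit_history_env and HISTORY_EVASION_RE are constructed for this demo.

# One ERE covering: unset HISTFILE, HISTFILE=/dev/null, set +o history,
# and HISTSIZE/HISTFILESIZE forced to 0. Lines where a '#' precedes the
# match are skipped, so commented-out settings do not count as hits.
HISTORY_EVASION_RE='unset[[:space:]]+HISTFILE|HISTFILE=[[:space:]]*/dev/null|set[[:space:]]+\+o[[:space:]]+history|HIST(FILE)?SIZE=[[:space:]]*0([^0-9]|$)'

# audit_history_files FILE...: print file:line:text for each hit.
# Returns 0 when nothing suspicious is found, 1 otherwise.
audit_history_files() {
  found=0
  for f in "$@"; do
    [ -r "$f" ] || continue
    if grep -nHE "^[^#]*($HISTORY_EVASION_RE)" "$f"; then
      found=1
    fi
  done
  return "$found"
}

# audit_history_env: check the calling shell's own history variables.
# Returns 0 when history is being written normally, 1 otherwise.
audit_history_env() {
  bad=0
  if [ -z "${HISTFILE:-}" ]; then
    echo "HISTFILE is unset: session history will not reach disk"; bad=1
  elif [ "$HISTFILE" = /dev/null ]; then
    echo "HISTFILE=/dev/null: session history is discarded"; bad=1
  fi
  if [ "${HISTSIZE:-1}" -eq 0 ] 2>/dev/null || [ "${HISTFILESIZE:-1}" -eq 0 ] 2>/dev/null; then
    echo "HISTSIZE or HISTFILESIZE is 0: nothing is retained"; bad=1
  fi
  return "$bad"
}

# Usage: audit the dotfiles of every account, e.g. root and a lab user.
# for u in /root /home/*; do
#   audit_history_files "$u/.bashrc" "$u/.bash_profile" "$u/.profile"
# done
```

A hit in a startup file is evidence that history was switched off for every future login, which the history file itself will not show; a clean dotfile audit still says nothing about what the user did interactively in one session.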
then proceed with your sneaky doings. Setting HISTFILE to /dev/null will be logged to the history file, yet this entry can readily be deleted and no traces (at least in the history file) will remain.
As mentioned by Doodad in comments, unset HISTFILE does this nicely, but in case you also want to delete some history, do echo $HISTFILE to get the history file location (usually ~/.bash_history), unset HISTFILE, and edit ~/.bash_history (or whatever HISTFILE was - of course it's now unset so you can't read it).
For individual commands, you can prefix the command with a space and it won't be saved in the history file. Note that this requires that the ignorespace value is included in the $HISTCONTROL environment variable (see man bash and search for ignorespace for details).
Apart from that, your bash history is also very important. Even a normal Linux user can guess what someone has done by looking at the file, so make sure you delete that as well. You can delete it with shred too, but I am not going to do it with shred this time.
On Linux and macOS, these command histories can be accessed in a few different ways. While logged in, a user's command history is associated with the file named by the environment variable HISTFILE; when the user logs off, it is flushed to that file, by default ~/.bash_history in the user's home directory. The benefit of this is that it allows users to go back to commands they've used before in different sessions.
where N is the number of lines (or commands) you want to delete, but now the history file shows this last command, and that's not very smart if you're trying to cover your stuff. So the question is: How can I give the last code line and make sure this doesn't get recorded?
If you want to delete only certain parts of your command log then the above methods are just fine. If you want to stop command logging for a particular bash session, then issue the command
What makes it less noticeable is that if one does an ls -ratl, ~/.bash_history will eventually disappear in the rattle of the directory listing. It will not show up as a link, which would attract unnecessary attention. Most people do not do a -a on their root, which is useful when emulation is desired.
The downside to this approach is that you lose the ability to go back and retrieve your history. The actual ~/.bash_history file could also end up at the top of a directory listing, since it may end up with a really old modification date over time, which in itself might lead to discovery that something is amiss.