Anti-Forensics: Hiding Activities in UNIX Environment
By Boris Loza, PhD, CISSP
Introduction
When you learn UNIX security, you must realize that anything you do on the system could be recorded and reviewed by a system administrator or trigger an IDS alarm. Running sniffers and other tools will raise alerts on your unauthorized “learning” activities. To make things worse, the system will also log your progress (e.g., in shell history and log files).
Here are some suggestions for what could be done to hide your presence on the system, while at the same time continuing your self-education:
Using vi Editor
One way around this is to use your friend, the vi editor. Type only vi, without a file name, at the command line to get into the editor, and execute commands from within vi. Commands run this way are not written to your shell history. If you use X Window, you can run vi, start another xterm from it, and run vi again in that window to defeat keystroke logging aimed at the existing terminal.
To execute a command from vi, use the :r! command. For example, to see the list of all processes on the system, type:
<ESC>:r!ps -elf
This will display a list of all system processes in your vi window. The vi buffer now acts as your system notepad, showing the output of all commands you run from it. Append the output of each command into the same vi buffer by executing them one after another. For example:
<ESC>:r!find / -name '*history' -exec cat {} \; (finds all history files and cats them into the vi session; the pattern is quoted so the shell does not expand it before find sees it)
<ESC>:r!netstat -nav (lists all open network sockets)
And so on.
You can always save the output to a floppy or tape drive. For example:
<ESC>:w /mnt/projects/my_file
Note: You can use the same trick using other text editors.
Configuring “Stealth” Sniffer
snoop is a great Solaris tool for capturing all network traffic. Unfortunately, the people responsible for system security can see that you started snoop on one of the networked machines, may classify these activities as illegal, may stop them, or may simply disconnect you from the network. One of the tricks you can use to hide the “snooping” activity from other network users is to use an undocumented feature of snoop(1M).
To run the “unseen” sniffer, unplumb the network interface and then start the sniffer on it. In our example the interface is le0; your system may use a different one, so run “ifconfig -a” first to see all interfaces:
# ifconfig le0 unplumb
# snoop -d le0
After this, ifconfig no longer shows the interface, and the machine is unreachable from the network through it (neither ICMP ping nor other tools will detect the machine). You can now capture all network traffic on your IP segment, and nobody on the network will detect you doing this!
To “put things back”, do:
# ifconfig le0 plumb
# ifconfig le0 192.168.2.1 netmask 255.255.255.0 up
This will bring back your network interface.
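From the defender's side, the trick above leaves a visible inconsistency: the snoop process still appears in ps while its interface is missing from ifconfig -a. The following POSIX shell check, an added example that is not from the article or the book, correlates the two; SAMPLE_PS and SAMPLE_IFCONFIG are constructed stand-ins for live ps and ifconfig output, and the function name find_hidden_sniffers is my own.

```shell
#!/bin/sh
# Flag any snoop process whose "-d <interface>" argument names an interface
# that "ifconfig -a" does not list, i.e. a sniffer running on an unplumbed
# interface. Constructed sample output (not captured from a real host):
SAMPLE_PS='  101 /usr/sbin/snoop -d le0 -o /var/tmp/cap
  102 /usr/sbin/in.telnetd
  103 snoop -d hme0'

SAMPLE_IFCONFIG='lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.2.1 netmask ffffff00 broadcast 192.168.2.255'

# find_hidden_sniffers PS_OUTPUT IFCONFIG_OUTPUT
# PS_OUTPUT has one process per line: "<pid> <command> [args...]".
# Prints "<pid> <interface>" for every snoop whose interface is not plumbed.
find_hidden_sniffers() {
    # Plumbed interfaces are the names at the start of ifconfig's header lines.
    plumbed=$(printf '%s\n' "$2" | awk '/^[a-z0-9]+:/ { sub(":", "", $1); print $1 }')
    printf '%s\n' "$1" | awk -v plumbed="$plumbed" '
        BEGIN { n = split(plumbed, p, "\n"); for (i = 1; i <= n; i++) up[p[i]] = 1 }
        # $2 is the command; match "snoop" with or without a leading path.
        $2 ~ /(^|\/)snoop$/ {
            for (i = 3; i <= NF; i++)
                if ($i == "-d" && i < NF && !($(i+1) in up)) print $1, $(i+1)
        }'
}

# On a live Solaris host you would feed it real output, for example:
#   find_hidden_sniffers "$(ps -eo pid,args | sed 1d)" "$(ifconfig -a)"
find_hidden_sniffers "$SAMPLE_PS" "$SAMPLE_IFCONFIG"
```

The check only catches the specific indicator this article describes; a sniffer that also hides its process would need process-accounting or host-based audit data to surface.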
I’ve found these and many other tricks in Boris Loza’s new book, UNIX, Solaris and Linux: A Practical Security Cookbook. You can preview it at www.mobilehackerproof.com.
Just remember that it is pretty hard to hide all your learning activities from sysadmins’ eyes. So, be careful and don’t do anything illegal!
Conclusion
Use your own system to learn UNIX. You may install a VM in your home lab environment. Never use a production or company environment for any unauthorized or illegal activity.