Methods to Avoid Command History

A common post-exploitation step is to cover your tracks by deleting the shell history or unsetting the HISTFILE variable so that nothing is recorded in the first place. Mubix lists multiple methods for this at https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-List#tracks, which I reproduce here:

“Avoiding history files

  • export HISTFILE=
    or
  • unset HISTFILE

This next one might not be a good idea, because a lot of folks know to check for tampering with this file, and will be suspicious if they find out.

However, if you happen to be on an account that was originally inaccessible and the .bash_history file is available (ls -a ~), viewing (cat'ing) its contents can provide you with a good deal of information about the system and its most recent updates/changes.

Clear all history in RAM

  • history -c
  • rm -rf ~/.bash_history && ln -s ~/.bash_history /dev/null (invasive)
  • touch ~/.bash_history (invasive)
  • history -c (using a space before a command)
  • zsh% unset HISTFILE HISTSIZE
  • tcsh% set history=0
  • bash$ set +o history
  • ksh$ unset HISTFILE
  • find / -type f -exec {} (forensics nightmare)

Note that you’re probably better off modifying or temporarily disabling rather than deleting history files; it leaves far fewer traces and is less suspect.

In some cases HISTFILE and HISTFILESIZE are made read-only; get around this by explicitly clearing history (history -c) or by kill -9 $$’ing the shell. Sometimes the shell can be configured to run ‘history -w’ after every command; get around this by overriding ‘history’ with a no-op shell function. None of this will help if the shell is configured to log everything to syslog, however.”

As Mubix notes, security-conscious environments may alert when these commands are run or when the history files themselves are tampered with. A quieter option is to prefix each command with a space, which keeps the command out of the history list entirely (not merely out of the file), so there is nothing to delete afterwards. For example, running “ls” as “ ls” resulted in the command not being recorded. The caveat is that this only works when the shell is configured to honour it: in bash, HISTCONTROL must contain ignorespace or ignoreboth (Ubuntu’s default .bashrc sets ignoreboth, but many other distributions and hardened images do not), and in zsh the HIST_IGNORE_SPACE option must be set. With neither in place the leading space has no effect, so check the setting before relying on it. And, as with every method above, it does nothing against a shell that logs commands to syslog or an auditd rule that records execve calls.
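The check described above, as an added example that is not part of the original post or Mubix’s wiki. It is plain POSIX sh and inspects three things a practitioner would want to know before touching history: whether HISTCONTROL would drop a space-prefixed command, whether HISTFILE has been made read-only (the case Mubix describes), and whether PROMPT_COMMAND flushes history after every command with history -a or history -w. The function names are hypothetical helpers written for this page; everything else uses only standard shell builtins and grep.

```shell
#!/bin/sh
# Added example (not from the original post or Mubix's wiki): inspect how the
# current shell handles history before relying on the leading-space trick.
# All function names are hypothetical helpers written for this page.

# Return 0 if bash's HISTCONTROL would drop a command that starts with a space.
# $1 is the HISTCONTROL value to inspect; defaults to the current one.
# HISTCONTROL is a colon-separated list, so wrap it in colons before matching.
space_prefix_ignored() {
    _hc=":${1-$HISTCONTROL}:"
    case "$_hc" in
        *:ignorespace:*|*:ignoreboth:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the variable named in $1 is marked readonly in this shell.
# bash prints "declare -r NAME=..." and dash prints "readonly NAME=...",
# so match a whitespace-preceded NAME followed by "=" or end of line.
var_is_readonly() {
    readonly -p 2>/dev/null | grep -Eq "[[:space:]]$1(=|\$)"
}

# Return 0 if a PROMPT_COMMAND string (given in $1) flushes history after
# every command, i.e. contains "history -a" or "history -w".
prompt_flushes_history() {
    case "$1" in
        *history\ -a*|*history\ -w*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print a short report of the current shell's history configuration.
history_exposure_report() {
    if space_prefix_ignored "${HISTCONTROL-}"; then
        echo "leading space: space-prefixed commands are NOT recorded"
    else
        echo "leading space: no effect (HISTCONTROL='${HISTCONTROL-}')"
    fi
    if var_is_readonly HISTFILE; then
        echo "HISTFILE is readonly: unset/export will fail; use history -c or kill -9 \$\$"
    else
        echo "HISTFILE is writable: HISTFILE='${HISTFILE-}'"
    fi
    if prompt_flushes_history "${PROMPT_COMMAND-}"; then
        echo "PROMPT_COMMAND flushes history each command: clearing RAM is not enough"
    fi
}

history_exposure_report
```

Source the file in the shell you are investigating (`. ./histcheck.sh`) rather than executing it; as a separate process it would only report on its own, fresh environment. The readonly check reads `readonly -p` instead of trying an assignment, so it does not itself generate an error line that a logging shell might capture.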

