Top 3 Anti-Forensic OpSec Tips for Linux & A New Dead Man’s Switch

For the love of pwn, no .bash_history!

What do I usually do when first on a box? Well, of course, check out .bash_history. I can’t tell you how many times you will find gold there; never overlook history or log files, ever.

[user@box ~]$ echo 'set +o history' >> ~/.bashrc

Disable system wide…

[root@box ~]$ echo 'set +o history' >> /etc/profile

Change that MAC, Mac or they’ll grab ya!

The only types of MACs that are any good are Big Macs or Mac ’n’ Cheese; otherwise that bloody MAC that all our kit comes with is like a pesky ID flag that follows one around, so it’s time to kill that little shite.

Scripts taken from: https://we.riseup.net/opsec/anonymity-and-privacy-for-advanced-linux-users

[root@box ~]$ vim /etc/init/macchanger.conf
[root@box ~]$ vim /etc/network/if-post-down.d/random-mac
[root@box ~]$ chmod +x /etc/network/if-post-down.d/random-mac
[root@box ~]$ service network-manager restart
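From the other side of the table, the two tricks above (history switched off in a startup file, and a network hook that rewrites the MAC) both leave a line in a file that a host audit can grep for. The script below is an added example, not from this post or from the riseup page it credits; the function names, regexes and default file lists are my own. It takes file paths as arguments so it can be pointed at any rc file or hook directory.

```shell
#!/bin/sh
# Added defender-side audit (hypothetical, not the post's or riseup's code): scan
# shell startup files for history-disabling directives and network hook scripts
# for MAC-rewriting commands. Returns 1 when anything is flagged.

# Lines that turn off or neuter bash history in a startup file.
HISTORY_KILL_PATTERN='set[[:space:]]+\+o[[:space:]]+history|unset[[:space:]]+HIST(FILE|SIZE)|HIST(FILE|SIZE|FILESIZE)=(/dev/null|0)($|[[:space:]])'

# Commands that rewrite an interface's MAC from a hook script.
MAC_REWRITE_PATTERN='macchanger|ip[[:space:]]+link[[:space:]]+set.*[[:space:]]address[[:space:]]|ifconfig.*[[:space:]]hw[[:space:]]+ether[[:space:]]'

# audit_files LABEL PATTERN FILE... : print matching lines with their line
# numbers under a label; unreadable or unmatched globs are skipped silently.
audit_files() {
    label=$1; pattern=$2; shift 2
    found=0
    for f in "$@"; do
        [ -f "$f" ] && [ -r "$f" ] || continue
        # grep -n prefixes the line number; exit 0 only if something matched
        if hits=$(grep -nE "$pattern" "$f"); then
            printf '[%s] %s\n' "$label" "$f"
            printf '%s\n' "$hits" | sed 's/^/    /'
            found=1
        fi
    done
    return $found
}

audit_history_config() { audit_files history-disabled "$HISTORY_KILL_PATTERN" "$@"; }
audit_mac_hooks()      { audit_files mac-rewrite "$MAC_REWRITE_PATTERN" "$@"; }

# Stand-alone host run over the usual locations (my choice of paths; extend to taste).
audit_host() {
    rc=0
    audit_history_config /etc/profile /etc/bash.bashrc /etc/profile.d/* \
        /root/.bashrc /root/.bash_profile /home/*/.bashrc /home/*/.bash_profile || rc=1
    audit_mac_hooks /etc/init/*.conf /etc/network/if-*.d/* \
        /etc/NetworkManager/dispatcher.d/* /etc/udev/rules.d/* || rc=1
    return $rc
}

if [ "${1:-}" = "--run" ]; then
    audit_host
fi
```

Run it as `sh audit_startup.sh --run`; a non-zero exit means at least one file was flagged and the offending lines were printed. It only catches the startup-file and hook-script variants shown above, so it pairs with shipping shell history and logs to a remote collector rather than replacing that.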

Clear all the Logs, all the Time

Logs are for sysadmins and troublemakers; we are super 1337 and don’t want to give anyone more help than they deserve, which is 0.

[root@box ~]$ vim /root/clearlogs
[root@box ~]$ chmod +x /root/clearlogs
[root@box ~]$ crontab -e
* * * * * /root/clearlogs

The line above means our clearlogs script will run every minute. If we run it once, we see the following.

root@kali:~# ./clearlogs 
Log /var/log/*** has been cleared
Log /var/log/*** has been cleared
Log /var/log/*** has been cleared
Log /var/log/*** has been cleared
Log /var/log/*** has been cleared
...
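The cron job above leaves a footprint of its own: every file under /var/log is empty yet carries a modification time from the last minute, and the crontab holds an every-minute entry pointing at a script. The following is an added example, not part of the post, of a shell check for exactly that footprint; the function names and the five-minute window are my own choices.

```shell
#!/bin/sh
# Added defender-side check (hypothetical, not the post's code): find the marks a
# log-truncating cron job leaves behind. Returns 1 when anything is flagged.

# Log files that are empty yet modified within the last N minutes. A live log is
# rarely both at once; a freshly truncated one is exactly that.
find_truncated_logs() {
    dir=$1
    minutes=${2:-5}
    find "$dir" -type f -empty -mmin "-$minutes" 2>/dev/null | sort
}

count_truncated_logs() {
    find_truncated_logs "$1" "${2:-5}" | wc -l | tr -d ' '
}

# Every-minute jobs in a crontab file (the "* * * * *" schedule shown above).
list_every_minute_jobs() {
    grep -E '^[[:space:]]*\*[[:space:]]+\*[[:space:]]+\*[[:space:]]+\*[[:space:]]+\*[[:space:]]' "$1" 2>/dev/null
}

# Stand-alone host check: system log directory plus system and per-user crontabs.
check_host() {
    rc=0
    n=$(count_truncated_logs /var/log 5)
    if [ "$n" -gt 0 ]; then
        printf '%s empty-but-recent files under /var/log:\n' "$n"
        find_truncated_logs /var/log 5
        rc=1
    fi
    for c in /etc/crontab /etc/cron.d/* /var/spool/cron/crontabs/* /var/spool/cron/*; do
        [ -f "$c" ] || continue
        if jobs=$(list_every_minute_jobs "$c"); then
            printf 'every-minute jobs in %s:\n%s\n' "$c" "$jobs"
            rc=1
        fi
    done
    return $rc
}

if [ "${1:-}" = "--run" ]; then
    check_host
fi
```

Run it as `sh truncated_logs.sh --run`. The empty-but-recent test is noisy right after logrotate creates fresh files, so check the rotation schedule before escalating a hit, and an every-minute cron entry is only suspicious in context. Forwarding logs to a remote collector keeps a copy that a local truncation script cannot reach.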

Dead Man’s Switch

A dead man’s switch is a switch that is designed to be activated if the human operator becomes incapacitated, such as through death, loss of consciousness, or being bodily removed from control.

Some examples exist; however, I don’t think they are maintained well enough or have what we need. In the meantime, check them out:

https://github.com/0xPoly/Centry
https://github.com/qnrq/panic_bcast
https://github.com/defuse/swatd
https://github.com/redpois0n/usbwatcher
https://github.com/hephaest0s/usbkill
https://github.com/ncatlin/lockwatcher

However, if you want an effective dead man’s switch, I suggest you star/follow this account, as I will be releasing a new dead man’s switch with decentralised protocols to make it more resilient.

https://github.com/int0x33/GuardianAngel