Post-exploitation tool to cover your tracks on a compromised machine (beta)
 
 
Go to file
Raphaël fec4de7b27
docs: readme
update examples
2023-02-01 11:58:48 +04:00
.github chore: create FUNDING.yml 2022-12-07 16:23:30 +04:00
bin add bin folder 2022-11-01 14:28:11 +04:00
build init v2 project 2022-10-31 14:20:17 +04:00
cmd refactor: put output pkg in root 2023-01-22 15:18:12 +04:00
lib refactor: put output pkg in root 2023-01-22 15:18:12 +04:00
logs test: logs pkg 2023-01-03 14:46:12 +04:00
mocks feat: add progress bar for shredding operations 2023-01-22 15:05:58 +04:00
output refactor: put output pkg in root 2023-01-22 15:18:12 +04:00
test test: root cmd 2023-01-03 14:57:22 +04:00
.gitignore add bin folder 2022-11-01 14:28:11 +04:00
.goreleaser.yml ci: attempt to fix gpg signing 2022-12-05 13:03:46 +04:00
CODEOWNERS init v2 project 2022-10-31 14:20:17 +04:00
LICENSE docs: readme 2022-11-29 15:40:50 +04:00
Makefile chore: update mockery to 2.16.0 2023-01-22 15:05:42 +04:00
README.md docs: readme 2023-02-01 11:58:48 +04:00
go.mod feat: add progress bar for shredding operations 2023-01-22 15:05:58 +04:00
go.sum feat: add progress bar for shredding operations 2023-01-22 15:05:58 +04:00
main.go init v2 project 2022-10-31 14:20:17 +04:00

README.md

build status Coverage Status Go Report Card GitHub all releases

Introduction

Covermyass is a post-exploitation tool to cover your tracks on various operating systems. It was designed for penetration testing "covering tracks" phase, before exiting the compromised server. At any time, you can run the tool to find which log files exists on the system, then run again later to erase those files. The tool will tell you which file can be erased with the current user permissions. Files are overwritten repeatedly with random data, in order to make it harder for even very expensive hardware probing to recover the data.

It supports the three major operating systems (Linux, macOS, Windows) and a few smaller ones (FreeBSD, OpenBSD).

Current status

This tool is still in beta. Upcoming versions might bring breaking changes. For now, we're focusing Linux and Darwin support, Windows may come later.

Installation

Download the latest release :

curl -sSL https://github.com/sundowndev/covermyass/releases/latest/download/covermyass_linux_amd64 -o ./covermyass
chmod +x ./covermyass

Verify digital signatures

covermyass releases are signed using PGP key (rsa4096) with ID E5BC23488DA8C7AC and fingerprint 1A662C679AD91F549A77CD96E5BC23488DA8C7AC. Our key can be retrieved from common keyservers.

  1. Download binary, checksums and signature
curl -L https://github.com/sundowndev/covermyass/releases/latest/download/covermyass_linux_amd64 -o covermyass_linux_amd64 && \
curl -L https://github.com/sundowndev/covermyass/releases/latest/download/covermyass_SHA256SUMS -o covermyass_SHA256SUMS && \
curl -L https://github.com/sundowndev/covermyass/releases/latest/download/covermyass_SHA256SUMS.gpg -o covermyass_SHA256SUMS.gpg
  1. Import key
gpg --keyserver https://keys.openpgp.org --recv-keys 0xE5BC23488DA8C7AC
  1. Verify signature (optionally trust the key from gnupg to avoid any warning)
gpg --verify covermyass_SHA256SUMS.gpg covermyass_SHA256SUMS
  1. Verify checksum
sha256sum --ignore-missing -c covermyass_SHA256SUMS

Usage

$ covermyass -h

Usage:
  covermyass [flags]

Examples:

Overwrite log files 5 times with a final overwrite with zeros to hide shredding
covermyass --write -z -n 5


Flags:
  -f, --filter strings   File paths to ignore (supports glob patterns)
  -h, --help             help for covermyass
  -n, --iterations int   Overwrite N times instead of the default (default 3)
  -l, --list             Show files in a simple list format. This will prevent any write operation
      --no-read-only     Exclude read-only files in the list. Must be used with --list
  -v, --version          version for covermyass
      --write            Erase found log files. This WILL shred the files!
  -z, --zero             Add a final overwrite with zeros to hide shredding

First, run an analysis. This will not erase anything.

$ covermyass

Loaded known log files for linux
Scanning file system...

Found the following files
/var/log/lastlog (29.5 kB, -rw-rw-r--)
/var/log/btmp (0 B, -rw-rw----)
/var/log/wtmp (0 B, -rw-rw-r--)
/var/log/faillog (3.2 kB, -rw-r--r--)

Summary
Found 4 files (4 read-write, 0 read-only) in 27ms

When you acknowledged the results, erase those files.

$ whoami
root
$ covermyass --write -n 100

Loaded known log files for linux
Scanning file system...

Found the following files
/var/log/lastlog (29.5 kB, -rw-rw-r--)
/var/log/btmp (0 B, -rw-rw----)
/var/log/wtmp (0 B, -rw-rw-r--)
/var/log/faillog (3.2 kB, -rw-r--r--)

Summary
Found 4 files (4 read-write, 0 read-only) in 27ms

⣾ Shredding files... (3.1 MB, 1.3 MB/s) [2s] 

Successfully shredded 4 files 100 times

Filter out some paths :

$ covermyass -f '/foo/**/*.log' -f '/bar/foo.log'

License

Covermyass is licensed under the MIT license. Refer to LICENSE for more information.

Sponsorship