1
00:00:00,710 --> 00:00:06,440
Now, after you complete your penetration test, your next step should be to clean up the mess behind

2
00:00:06,440 --> 00:00:06,620
you.

3
00:00:08,140 --> 00:00:14,620
So long as there's no forensics and incident response purpose that the client planned, you should erase

4
00:00:14,620 --> 00:00:15,850
and cover your tracks.

5
00:00:17,190 --> 00:00:23,370
So although Meterpreter resides in memory during a test, you might add users, create backdoors,

6
00:00:23,370 --> 00:00:28,260
routes, registry entries, etc., etc.; the list could go on.

7
00:00:29,470 --> 00:00:31,480
All of them should be cleared.

8
00:00:33,350 --> 00:00:41,780
So for this kind of stuff, MSF has two features: the command clearev and the Meterpreter script

9
00:00:42,230 --> 00:00:43,730
event_manager.

10
00:00:45,430 --> 00:00:49,240
Now you can use both so that you don't leave anything behind.

11
00:00:50,710 --> 00:00:55,420
However, you can only run them with an admin-level session.

12
00:00:56,750 --> 00:00:57,880
So let me show you how to use them.

13
00:00:59,610 --> 00:01:05,730
So I already have a SYSTEM-level session and I'm going to conduct the cleaning from this session.

14
00:01:07,000 --> 00:01:10,570
But first, I want to show you the event logs on Metasploitable 3.

15
00:01:11,710 --> 00:01:13,270
So open Metasploitable 3.

16
00:01:14,320 --> 00:01:19,000
And from Start, type Event Viewer.

17
00:01:20,100 --> 00:01:21,000
And click it.

18
00:01:22,470 --> 00:01:26,100
Now go to the Windows Logs section.

19
00:01:27,410 --> 00:01:30,680
And here are the different categories of logs.

20
00:01:31,930 --> 00:01:35,980
Now, probably what you've done a while ago was logged by Windows.

21
00:01:37,230 --> 00:01:44,400
And now I'll assume that there is no forensic purpose to your penetration testing, so it means that

22
00:01:44,400 --> 00:01:48,510
you can clear the logs and all that you've done on the system.

23
00:01:49,810 --> 00:01:56,080
So this action is more or less offensive, but it will be very handy so that you...

24
00:01:57,350 --> 00:02:01,220
You can escape any detection from any of the system administrators.

25
00:02:02,250 --> 00:02:04,050
So let's go back to the Meterpreter session.

26
00:02:05,320 --> 00:02:08,130
And just type clearev.

27
00:02:10,570 --> 00:02:11,620
And that's all.

28
00:02:12,700 --> 00:02:18,550
You just cleared the event logs, so let's see what you did from the target.

29
00:02:20,010 --> 00:02:25,200
Refresh the screen from the Action menu or click Windows Logs again.

30
00:02:26,490 --> 00:02:28,970
Nothing, just a few new ones.

31
00:02:30,390 --> 00:02:35,070
So the second flavor is a Meterpreter script called event_manager.

32
00:02:36,900 --> 00:02:38,610
So run event_manager.

33
00:02:39,800 --> 00:02:42,710
Without any parameter, it will display the help menu.

34
00:02:44,830 --> 00:02:46,670
Now, open Metasploitable 3 again.

35
00:02:47,740 --> 00:02:51,670
By the way, I reverted to the snapshot to show you the logs.

36
00:02:52,760 --> 00:02:55,580
So go to Event Viewer from Start.

37
00:02:57,970 --> 00:03:04,150
And under Windows Logs, you can see how many entries are in the log categories.

38
00:03:05,810 --> 00:03:07,790
Then go back to the Meterpreter session.

39
00:03:08,860 --> 00:03:12,580
Type in run event_manager.

40
00:03:13,820 --> 00:03:15,110
See the help menu again?

41
00:03:16,210 --> 00:03:20,260
Now, this time, run event_manager with the -c parameter.

42
00:03:21,640 --> 00:03:22,430
See, that's very good.

43
00:03:22,450 --> 00:03:23,830
It just deleted the logs.

44
00:03:25,680 --> 00:03:30,060
So let's open Metasploitable 3 to see what the script did.

45
00:03:32,060 --> 00:03:34,910
Perfect, you see, it really did delete all the logs.