in , , , ,

Moonwalk-back – Leaving Zero Traces On System Logs And Filesystem Timestamps

Cover your tracks during Linux Exploitation by leaving zero traces on system logs and filesystem timestamps.

moonwalk-back is a 400 KB single-binary executable that can clear your traces while penetration testing a Unix machine. It saves the state of system logs pre-exploitation and reverts that state including the filesystem timestamps post-exploitation leaving zero traces of a ghost in the shell.

⚠️ NOTE: This tool is open-sourced to assist solely in Red Team operations and in no means is the author liable for repercussions caused by any prohibited use of this tool. Only make use of this in a machine you have permission to test.


  • Small Executable: Get started quickly with a curl fetch to your target machine.
  • Fast: Performs all session commands including logging, trace clearing, and filesystem operations in under 5 milliseconds.
  • Reconnaissance: To save the state of system logs, moonwalk-back finds a world-writable path and saves the session under a dot directory which is removed upon ending the session.
  • Shell History: Instead of clearing the whole history file, moonwalk-back reverts it back to how it was including the invokation of moonwalk-back.
  • Filesystem Timestamps: Hide from the Blue Team by reverting the access/modify timestamps of files back to how it was using the GET command.


$ curl -L -o moonwalk-back

(AMD x86-64)


Download the executable from Releases OR Install with cargo:

$ cargo install --git

Leave a Reply

Your email address will not be published. Required fields are marked *

GIPHY App Key not set. Please check settings

What do you think?

Posted by Prapattimynk

CryptPad – Collaborative Office Suite | End-to-End Encrypted

AI Collection – Collection of Awesome Generative AI Applications