One of the most important parts while performing a penetration test is too able to work undetected.A firewall may block you and an antivirus software may detect your activities.If an antivirus detects your activities the penetration test will not look so professional in the eyes of your client.
So one of the first things that you may want to try when you have exploited the remote system is to disable any antivirus solution and firewall.For this article we will use the Windows Firewall and the AVG 2012 as an antivirus.
Lets say that we have exploited the remote machine which in this scenario is running Windows XP as an operating system.
We will instruct meterpreter to give us a shell to the remote system with the command shell.
Now we need to check if the remote system has the Firewall enabled.We will use the command: netsh firewall show opmode
As we can see the firewall is enabled.In order to disabled it we will use the command: netsh firewall set opmode mode=disable
We can check the remote system in order to see if the firewall has been disabled successfully.
The firewall has been disabled and now it is time to kill the antivirus.So we will return back to the meterpreter session and we will run the command killav.
We can see that this script that meterpreter has it killed some services including the avgrsx.exe.We may assume that the AVG antivirus is now disabled but the reality is different.Lets have a look first at the source code of the killav script in order to understand what it actually does.
As you can see there is a list with names of processes of well-known antivirus.So when we run the killav script it actually tried to match the existing processes on the list with the processes on the remote host in order to find the antivirus and kill it.Now lets try to investigate the processes on the remote target after we have executed the killav script.
As you can see from the next image there are still some avg processes that are running.So the meterpreter script it didn’t work as expected.
Now we will try to categorize these processes in order to see in which service they belong.The command that we are going to use is the tasklist /svc
We are interesting only for the avg services and their processes so we will use the command tasklist /svc | find /I “avg” in order to discover them.So in this way we have instruct the remote system to give us a result with the services that have image name that starts with avg.
These are the processes that we need to kill it.However if we try to do we will notice that it will not have any affect because the services avgwd and AVGIDSAgent will restart these processes once they get killed.So lets try to examine these two services and their attributes.
As you can see from the image above these two services cannot be stopped and cannot be paused.So how you are supposed to disable an antivirus which have services that cannot be stopped or paused?The only solution valid solution is to try to disable the services so with the next reboot of the target these services will not start.We can achieve that by executing the following commands that you can see in the image below.
We will reboot the remote target through the meterpreter
Now that the system has restarted it is time to examine if there are any avg processes that are still running.
We have notice from this output that there are 3 processes instead of 5 and the two processes that correspond to avgwd and AVGIDSAgent services are missing.This is because we have disable them before the reboot.So we can now kill these 3 processes safely.
The antivirus is now disabled on the remote target and we can now continue our work without any fear of being interrupted and discovered by an antivirus or a firewall.
The last thing that we may want to try is to clear the system log files.We can run the command clearev in the meterpreter in order to delete all records from the event viewer.
The next screenshot is the proof that the log files have been deleted and there are no records.
Every penetration tester needs to know how to disable a firewall or an antivirus remotely.This is very essential for his penetration testing activities.However as we saw the meterpreter script didn’t manage to disable the antivirus.This is a proof that a penetration test is not an automatic process and it requires also the human factor.
Except of that the main disadvantage was that this method required to reboot the remote target in order to disable the antivirus so if someone was working at the system he would have noticed that something is going wrong besides the fact that it would have affection to his work.However in a system that nobody is working it is an effective method.
So as a Pentester you are trying to be stealthy.
As it is XP with the Firewall on you probably had to compromise the machine with some user interaction. Nobody, especially the user sat at the machine, would notice the reboot?
Also how would you get a backdoor on the machine, without detection from the AV, to ensure you can connect back to the machine without further interaction?
You don’t need the user interaction in order to exploit a Windows XP machine that is running a firewall.In this article I have exploited the vulnerability in the netapi.
If you read again the conclusion you will see that I have report that the reboot is a drawback in this method.
Finally before you place your backdoor you have to encode it first to avoid the detection.For this specific tutorial I haven’t used a backdoor in order to connect back to the machine.After the reboot I just exploited again with the same exploit.
The reboot isn’t the end of the world, invoke a BSOD, nobody would suspect a thing :-). It would be good to be able to tell Windows not to monitor the status of the Anti-virus and the Firewall, any idea how to do that prior to disabling the AV it so you don’t get that pop-up warning appearing in the System Tray?
These notifications are controlled by the Windows Security Center so you need to find a way to stop the service wscsvc in order to avoid these pop-up messages.
Good doc. Thanks.
Cool, so just a simple “sc config wscsvc start= disabled” at the point you are disabling the AVG services, thanks.
Thanks for sharing. It would be unwise to reboot a compromised system without first maintaining persistence. You are assuming that after reboot, the malicious payload will be executed again which is by a longshot.
Your article will be more complete if you include a portion on how to maintain persistence.
You have a point phi but I was thinking that in systems that you have an antivirus you need to create an undetectable backdoor in order to maintain persistence because as you saw and from this article some of the antivirus services cannot be disabled without the reboot.Maintain persistence is a topic by itself which I will cover it separately. 🙂
Now its not necessary to reboot the victim pc
we can just exclude the directory or partition that we put our payloads in from the antivirus