Post Exploitation – Disable Firewall and Kill Antivirus
One of the most important parts while performing a penetration test is too able to work undetected.A firewall may block you and an antivirus software may detect your activities.If an antivirus detects your activities the penetration test will not look so professional in the eyes of your client.
So one of the first things that you may want to try when you have exploited the remote system is to disable any antivirus solution and firewall.For this article we will use the Windows Firewall and the AVG 2012 as an antivirus.
Lets say that we have exploited the remote machine which in this scenario is running Windows XP as an operating system.
We will instruct meterpreter to give us a shell to the remote system with the command shell.
Now we need to check if the remote system has the Firewall enabled.We will use the command: netsh firewall show opmode
As we can see the firewall is enabled.In order to disabled it we will use the command: netsh firewall set opmode mode=disable
We can check the remote system in order to see if the firewall has been disabled successfully.
The firewall has been disabled and now it is time to kill the antivirus.So we will return back to the meterpreter session and we will run the command killav.
We can see that this script that meterpreter has it killed some services including the avgrsx.exe.We may assume that the AVG antivirus is now disabled but the reality is different.Lets have a look first at the source code of the killav script in order to understand what it actually does.
As you can see there is a list with names of processes of well-known antivirus.So when we run the killav script it actually tried to match the existing processes on the list with the processes on the remote host in order to find the antivirus and kill it.Now lets try to investigate the processes on the remote target after we have executed the killav script.
As you can see from the next image there are still some avg processes that are running.So the meterpreter script it didn’t work as expected.
Now we will try to categorize these processes in order to see in which service they belong.The command that we are going to use is the tasklist /svc
We are interesting only for the avg services and their processes so we will use the command tasklist /svc | find /I “avg” in order to discover them.So in this way we have instruct the remote system to give us a result with the services that have image name that starts with avg.
These are the processes that we need to kill it.However if we try to do we will notice that it will not have any affect because the services avgwd and AVGIDSAgent will restart these processes once they get killed.So lets try to examine these two services and their attributes.
As you can see from the image above these two services cannot be stopped and cannot be paused.So how you are supposed to disable an antivirus which have services that cannot be stopped or paused?The only solution valid solution is to try to disable the services so with the next reboot of the target these services will not start.We can achieve that by executing the following commands that you can see in the image below.
We will reboot the remote target through the meterpreter
Now that the system has restarted it is time to examine if there are any avg processes that are still running.
We have notice from this output that there are 3 processes instead of 5 and the two processes that correspond to avgwd and AVGIDSAgent services are missing.This is because we have disable them before the reboot.So we can now kill these 3 processes safely.
The antivirus is now disabled on the remote target and we can now continue our work without any fear of being interrupted and discovered by an antivirus or a firewall.
The last thing that we may want to try is to clear the system log files.We can run the command clearev in the meterpreter in order to delete all records from the event viewer.
The next screenshot is the proof that the log files have been deleted and there are no records.
Every penetration tester needs to know how to disable a firewall or an antivirus remotely.This is very essential for his penetration testing activities.However as we saw the meterpreter script didn’t manage to disable the antivirus.This is a proof that a penetration test is not an automatic process and it requires also the human factor.
Except of that the main disadvantage was that this method required to reboot the remote target in order to disable the antivirus so if someone was working at the system he would have noticed that something is going wrong besides the fact that it would have affection to his work.However in a system that nobody is working it is an effective method.