Installing antivirus software on your computer is an excellent way to deter hackers. Conversely, disabling antivirus software is an excellent way to totally exploit a system until nothing is left, while making sure we don't leave a trace. If a hacker somehow gets into a system under the antivirus's nose, it is very likely that he/she will get caught once the antivirus scans the system for malicious files and connections. Protecting oneself is more important than exploiting the victim.
Meterpreter gives us complete control over the system. We can send commands to install a keylogger, jump to other computers on the network, look through all the files and directories, start and close programs at will, and tons more. Here, we'll be looking at the commands we can use to disable antivirus protection.
If you have an antivirus on your computer, try to close it from the tray icon or the GUI. You'll see that it asks you to confirm your action. Now open up Task Manager and try to kill the antivirus process (something like avg.exe); you'll (usually) find that no questions are asked and the antivirus process is killed instantly. That's because the admin has more control over the system than the antivirus, which is exactly what we'll use to carry out this hack.
Again, this tutorial assumes that you've already embedded a Meterpreter listener on the victim's computer.
First of all, we need to escalate our privileges. Usually, when we hook up a listener (Meterpreter) on the victim's system, the listener has the same privileges as the user. Nowadays, more and more operating systems (Windows 8, for example) give reduced privileges to a user by default. This is to make sure that the user cannot tamper with important files (such as those in the system32 folder) and to add another layer of protection against hacking. To carry out this hack we need admin (or sysadmin) privileges.
Step 1: Get the user ID
Before attempting to increase our privileges, let's check to see if we're already the admin. Why? Because sometimes being lazy and being efficient are the same thing. It's unlikely, but on the off chance that we do turn out to be admin, we can get straight to the hack. Type:
meterpreter > getuid
This should return the ID of the user currently logged in. Depending on the OS this command gives different results. What we're looking for are the keywords "admin", "sysadmin", "authority" and "system". These are bound to be associated with an account with admin privileges. Chances are that we'll get something that doesn't look like this. In the next step we take care of that.
Step 2: Escalate privileges
This is quite easy. Just one command:
meterpreter > getsystem
One of the most common outputs of getuid after this command is
Server username : NT Authority\System
This is what we're ideally looking for. But if you get any of the above keywords, that's just fine as well. You'll notice that Metasploit responds with something like "…got system (with technique 1)" if everything went as planned. Metasploit has multiple built-in techniques that it tries one after another when the getsystem command is sent, until one of them works.
Step 3: Kill the antivirus
Now we have the power of the admin. What do we want next? More power, of course. Metasploit has a Ruby script called killav.rb which looks for any antivirus processes that are running and shuts them down. It works on almost all antiviruses, so we can be reasonably sure that it'll do the job. (If it doesn't, we could alternatively look through the running processes and try to kill them manually.) Let's run the script by typing:
meterpreter > run killav.rb
You should see an output like "Killing antivirus…" and we're done: the antivirus is taken care of and can no longer interfere with our further activities. Ideally, you want to make sure that you're hidden before trying out any hacks.
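The flip side of this procedure is that killing an antivirus process or stopping its service leaves telemetry behind, which is exactly what a defender should be alerting on. The following is an added example, not code from this tutorial or from Metasploit: it scans JSON-formatted Windows event records (the shape a SIEM export might have) and raises an alert when a Sysmon ProcessTerminate event (Event ID 5) or a System-log service event (7034 for an unexpected termination, 7036 for a state change) concerns an endpoint protection component. The sample records are constructed; avg.exe is the process name this post mentions, MsMpEng.exe is the Windows Defender engine, and the service display names and keyword list are assumptions for the sample.

```python
"""Alert when an antivirus process or service stops (constructed sample data)."""
import json
from pathlib import PureWindowsPath

# Lower-cased image names of protection engines to watch.
# avg.exe comes from the tutorial; msmpeng.exe is Windows Defender's engine.
AV_IMAGES = {"avg.exe", "msmpeng.exe"}
# Substrings that identify protection services by display name (assumed list).
AV_SERVICE_KEYWORDS = ("antivirus", "defender", "antimalware", "avg")

# Constructed JSON-lines records, one event per line; not real telemetry.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 1, "Channel": "Microsoft-Windows-Sysmon/Operational",
     "Image": "C:\\Windows\\System32\\notepad.exe", "ProcessId": 4100},
    {"EventID": 5, "Channel": "Microsoft-Windows-Sysmon/Operational",
     "Image": "C:\\Program Files\\AVG\\avg.exe", "ProcessId": 1234},
    {"EventID": 5, "Channel": "Microsoft-Windows-Sysmon/Operational",
     "Image": "C:\\Windows\\System32\\notepad.exe", "ProcessId": 4100},
    {"EventID": 7034, "Channel": "System", "ServiceName": "AVG Antivirus"},
    {"EventID": 7036, "Channel": "System",
     "ServiceName": "Windows Defender Antivirus Service", "State": "stopped"},
    {"EventID": 7036, "Channel": "System",
     "ServiceName": "Print Spooler", "State": "stopped"},
])


def is_av_service(name):
    """True if a service display name looks like an endpoint protection service."""
    lowered = name.lower()
    return any(keyword in lowered for keyword in AV_SERVICE_KEYWORDS)


def classify(event):
    """Return an alert reason for one event, or None if the event is benign."""
    event_id = event.get("EventID")
    if event_id == 5:  # Sysmon ProcessTerminate
        image = PureWindowsPath(event.get("Image", "")).name.lower()
        if image in AV_IMAGES:
            return f"AV process terminated: {image} (pid {event.get('ProcessId')})"
    elif event_id == 7034:  # service terminated unexpectedly
        service = event.get("ServiceName", "")
        if is_av_service(service):
            return f"AV service crashed or was killed: {service}"
    elif event_id == 7036:  # service entered a new state
        service = event.get("ServiceName", "")
        if is_av_service(service) and event.get("State", "").lower() == "stopped":
            return f"AV service stopped: {service}"
    return None


def scan(jsonl_text):
    """Scan JSON-lines event text; return (line number, reason) for each alert."""
    alerts = []
    for line_no, line in enumerate(jsonl_text.splitlines(), start=1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            # A record that does not parse is itself worth a look (log tampering).
            alerts.append((line_no, "unparseable event record"))
            continue
        reason = classify(event)
        if reason is not None:
            alerts.append((line_no, reason))
    return alerts


if __name__ == "__main__":
    for line_no, reason in scan(SAMPLE_EVENTS):
        print(f"line {line_no}: {reason}")
```

Running the block reports lines 2, 4 and 5 of the sample and stays quiet about notepad.exe and the Print Spooler. In practice the alert would be correlated with who stopped the component (an operator performing maintenance versus a process that just elevated to SYSTEM), and the better mitigation is to make the process hard to kill in the first place: modern Windows protection engines run as protected processes and offer tamper protection, so that even an administrator cannot terminate them the way this tutorial describes.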