Hacking Tips: Disabling Antivirus

Hacking rule #1: Don't get caught
Installing antivirus software on your computer
is an excellent way to deter hackers. Conversely,
disabling antivirus software is an excellent
way to totally exploit a system until nothing
is left, while making sure we don’t leave a
trace. Even if a hacker can somehow get into a system
under the antivirus’s nose, it is very likely that
he or she will get caught when the antivirus scans
the system for malicious files and connections.
Protecting oneself is more important than
exploiting the victim.
Meterpreter gives us complete control over the
system. We can send commands to install a
keylogger, jump to other computers on the
network, look through all the files and
directories, start and close programs at our will
and tons more. Here, we’ll be looking at the
commands we can use to disable antivirus
protection.
If you have an antivirus on your computer, try
to close it from the tray icon or the GUI. You’ll
see that it asks you to confirm your action.
Now open up Task Manager and try to kill the
antivirus process (something like avg.exe).
Usually you’ll find that this time no questions are
asked and the antivirus process is killed
instantly. That’s because the admin has more
control over the system than the antivirus,
which is exactly what we’ll use to carry out this
hack.
Again, this tutorial is assuming that you’ve
already embedded a Meterpreter listener on the
victim’s computer.
First of all, we need to escalate our privileges.
Usually, when we hook up a listener
(Meterpreter) on the victim’s system, the listener
has the same privileges as the user.
Nowadays, more and more operating systems
(Windows 8, for example) give reduced privileges
to a user by default. This is to make sure that
the user cannot tamper with important files
(such as those in the system32 folder) and to
add another layer of protection from hacking.
To carry out this hack we need admin (or
sysadmin) privileges.


Step 1: Get the user ID
Before attempting to increase our privileges,
let’s check to see if we’re already the admin.
Why? Because, sometimes being lazy and
efficient are the same. It’s unlikely, but on the
off chance that we do turn out to be admin, we
can get straight to the hack. Type:
meterpreter > getuid
This should return the ID of the user
currently logged in. Depending on the OS, this
command gives different results. What we’re
looking for are the keywords “admin”,
“sysadmin”, “authority” and “system”, which are
bound to be associated with an account with
admin privileges. Chances are we’ll get
something that doesn’t look like this; the next step
takes care of that.


Step 2: Escalate Privileges
This is quite easy. Just one command:
meterpreter > getsystem
After this command, one of the most common
results of getuid is
Server username : NT Authority\System
This is what we’re looking for ideally. But if
you get any of the keywords above, that’s just
fine as well. You’ll notice that Metasploit
responds with something like “…got system
(with technique 1)” if everything went as
planned. Metasploit has multiple built-in techniques
that it uses to try to increase privileges
when the ‘getsystem’ command is sent. It simply
tries all of them in turn to see which one works.


Step 3: Kill the antivirus
Now we have the power of the admin. What do
we want next? More power, of course.
Metasploit has a Ruby script called killav.rb
which looks for any antivirus processes that are
running and shuts them down. It works on
almost all antiviruses, so we can be
reasonably sure that it’ll do the job. (If it
doesn’t, we could alternatively look for running
processes and try to kill them manually.) Let’s
run the script by typing:
meterpreter > run killav.rb
You should see output like “Killing
antivirus…” and we’re done: the antivirus is
taken care of and can no longer interfere with
our further activities. Ideally, you want to
make sure that you’re hidden before trying out
any hacks.
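From the defender's side, the sequence above (an elevated account terminating every antivirus process within a few seconds) shows up in process-termination telemetry. The following Python script is an added example, not part of the original post or of Metasploit; its event records are constructed, and the field names are an assumption loosely modelled on Sysmon Event ID 5 and Security event 4689.

```python
"""Flag antivirus processes being killed, as in the walkthrough above.

Sample events are constructed; their field names (time, image, user) are
an assumption loosely following Sysmon Event ID 5 / Security 4689.
"""
from datetime import datetime, timedelta

# Images treated as antivirus components. avg.exe is named in the text;
# exampleav.exe is a constructed placeholder, not a real product.
AV_IMAGES = {"avg.exe", "exampleav.exe"}

# Constructed sample: one benign termination, then two AV images dying
# three seconds apart under SYSTEM, then a lone AV termination hours later.
SAMPLE_EVENTS = [
    {"time": "2024-01-01T10:00:00", "image": "notepad.exe", "user": "WS\\alice"},
    {"time": "2024-01-01T10:05:00", "image": "avg.exe", "user": "NT AUTHORITY\\SYSTEM"},
    {"time": "2024-01-01T10:05:03", "image": "exampleav.exe", "user": "NT AUTHORITY\\SYSTEM"},
    {"time": "2024-01-01T12:00:00", "image": "avg.exe", "user": "WS\\alice"},
]


def av_terminations(events, av_images=AV_IMAGES):
    """Return the termination events whose image is an antivirus component."""
    return [e for e in events if e["image"].lower() in av_images]


def classify(events, av_images=AV_IMAGES, window=timedelta(seconds=10)):
    """Return (time, image, user, severity) for every AV termination.

    A single AV image dying is 'medium' (could be a crash or an update).
    Two or more AV images dying inside `window` is 'high': that burst is
    what a kill-all script like the one discussed above looks like in logs.
    """
    hits = sorted(av_terminations(events, av_images), key=lambda e: e["time"])
    stamps = [datetime.fromisoformat(e["time"]) for e in hits]
    alerts = []
    for i, e in enumerate(hits):
        burst = sum(1 for t in stamps if abs(t - stamps[i]) <= window)
        severity = "high" if burst >= 2 else "medium"
        alerts.append((e["time"], e["image"], e["user"], severity))
    return alerts


if __name__ == "__main__":
    for alert in classify(SAMPLE_EVENTS):
        print(alert)
```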
