Installing antivirus software on your computer is an excellent way to deter hackers. Conversely, disabling antivirus software is an excellent way to totally exploit a system until nothing is left, while making sure we don’t leave a trace. If a hacker can somehow get in a system under the antivirus’s nose it is very likely that he\she will get caught if the antivirus scans the system for malicious files and connections. Protecting oneself is more important than exploiting the victim.
Meterpreter gives us complete control over the system. We can send commands to install a keylogger, jump to other computers on the network, look through all the files and directories, start and close programs at our will and tons more. Here, we’ll be looking at the commands we can use to disable antivirus protection.
If you have an antivirus on your computer, try to close it from the tray icon or the GUI. You’ll see that it asks you to confirm your action. Now open up task manager and try to kill the antivirus process file (something like avg.exe), (usually) you’ll find that now no questions are asked and the antivirus process is killed instantly. That’s because the admin has more control over the system than the antivirus, which is exactly what we’ll use to carry out this hack.
Again, this tutorial is assuming that you’ve already embedded a Meterpreter listener on the victim’s computer.
First of all, we need to escalate our privileges. Usually, when we hook up a listener (Meterpreter) on the victim’s system, the listener have the same privileges as the user. Nowadays, more and more operating softwares (Windows 8, for example) give reduced privileges to a user, by default. This is to make sure that the user cannot tamper with important files (such as those in the system32 folder) and to add another layer of protection from hacking. To carry out this hack we need admin (or sysadmin) privileges.
Step 1: Get the user ID
Before attempting to increase our privileges, let’s check to see if we’re already the admin. Why? Because, sometimes being lazy and efficient are the same. It’s unlikely, but on the off chance that we do turn out to be admin, we can get straight to the hack. Type:
meterpreter > getuid
Now this should return the ID of the user currently logged in. Depending on the OS this statement gives different results. What we’re looking for are the keywords “admin”, “sysadmin”, “authority”, “system”. These are bound to be associated with an account with admin privileges. Chances are that we’ll get something that’s not like this. In the next step we take care of that.
Step 3: Escalate Privileges
This is quite easy. Just one command:
meterpreter > getsystem
One of the most common returns to the getuid after this command is
Server username : NT Authority\System
This is what we’re looking for ideally. But if you get any of the above keywords, that’s just fine as well. You’ll notice that Metasploit responds with something like “…got system (with technique 1)”if everything went as planned. There are multiple in built functions that metasploit uses to try to increase privileges when ‘getsystem’ command is sent. It simply tries out all of them to see which one works.
Step 5: Kill the antivirus
Now we have the power of the admin. What do we want next? More power, of course. Metasploit has a Ruby script called killav.rb which looks for any antivirus process that are running and shuts them down. It works on almost all of the antiviruses so we can be reasonably sure that it’ll do the job. (If it doesn’t, we could alternatively look for running processes and try to kill them manually). Let’s run the script by typing:
meterpreter > run killav.rb
You should see an output like “Killing antivirus…” and we’re done, the antivirus is taken care of and can no longer interfere with our further activities. Ideally, you want to make sure that you’re hidden before trying out any hacks.