Post Exploitation – Disable Firewall and Kill Antivirus

06APR
One of the most important parts of performing a penetration test is being able to work undetected. A firewall may block you and an antivirus product may detect your activities. If an antivirus detects your activities, the penetration test will not look very professional in the eyes of your client.
So one of the first things you may want to try once you have exploited the remote system is to disable any antivirus solution and firewall. For this article we will use the Windows Firewall and AVG 2012 as the antivirus.
Let's say that we have exploited the remote machine, which in this scenario is running Windows XP as its operating system.
Exploiting the target
 
We will instruct meterpreter to give us a shell on the remote system with the shell command.
Obtain a remote shell
 
Now we need to check whether the remote system has the Firewall enabled. We will use the command: netsh firewall show opmode
Check if the Windows Firewall is enabled
 
As we can see the firewall is enabled. In order to disable it we will use the command: netsh firewall set opmode mode=disable

Disable the Windows Firewall
 
We can check the remote system to see whether the firewall has been disabled successfully.
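The same netsh firewall show opmode output that the screenshots above rely on is also what a defender can poll from managed hosts. The following Python is an added example, not code from the original post or from Metasploit: it parses the Windows XP layout of that output (a constructed sample, not a capture from the target in this article) and reports every profile or interface whose operational mode has been switched to Disable, listing the profile netsh marks as (current) first.

```python
import re

# Constructed sample of `netsh firewall show opmode` output in the Windows XP
# layout. It is NOT captured from the post's target; the Standard profile
# (the one active on a workgroup machine) has been switched off here.
SAMPLE_OPMODE = """\
Domain profile configuration:
-------------------------------------------------------------------
Operational mode                  = Enable
Exception mode                    = Enable

Standard profile configuration (current):
-------------------------------------------------------------------
Operational mode                  = Disable
Exception mode                    = Enable

Local Area Connection firewall configuration:
-------------------------------------------------------------------
Operational mode                  = Enable
"""

# Header of a profile or interface block, e.g. "Standard profile configuration (current):"
PROFILE_RE = re.compile(r"^(?P<name>.+?) configuration(?P<cur> \(current\))?:\s*$")
# The "Operational mode = Enable|Disable" line inside a block
MODE_RE = re.compile(r"^Operational mode\s*=\s*(?P<mode>\w+)\s*$")


def parse_opmode(text):
    """Map each profile/interface block to its operational mode.

    Returns (modes, current): modes is a dict such as
    {"Standard profile": "Disable", ...}; current is the name of the block
    netsh flags as "(current)", or None if no block is flagged.
    """
    modes = {}
    current = None
    block = None
    for line in text.splitlines():
        m = PROFILE_RE.match(line)
        if m:
            block = m.group("name").strip()
            if m.group("cur"):
                current = block
            continue
        m = MODE_RE.match(line)
        if m and block is not None:
            modes[block] = m.group("mode")
    return modes, current


def firewall_findings(text):
    """Return the names of the blocks whose firewall is off.

    The current profile sorts first so an alert can prioritise it.
    """
    modes, current = parse_opmode(text)
    off = [name for name, mode in modes.items() if mode.lower() == "disable"]
    off.sort(key=lambda n: (n != current, n))
    return off


if __name__ == "__main__":
    for name in firewall_findings(SAMPLE_OPMODE):
        print(f"ALERT: Windows Firewall operational mode is Disable for: {name}")
```

On a fleet this check is most useful run on a schedule with the output shipped off the host, because the same shell that flips the mode can also suppress a local alert.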
Proof that the firewall has been disabled
 
The firewall has been disabled and now it is time to kill the antivirus. So we will return to the meterpreter session and run the command killav.
Killav Meterpreter script
 
We can see that this meterpreter script killed some services, including avgrsx.exe. We might assume that the AVG antivirus is now disabled, but the reality is different. Let's first have a look at the source code of the killav script in order to understand what it actually does.
 
As you can see there is a list of process names belonging to well-known antivirus products. So when we run the killav script, it tries to match the names in that list against the processes on the remote host in order to find the antivirus and kill it. Now let's investigate the processes on the remote target after we have executed the killav script.
Tasklist on the remote computer
 
As you can see from the next image there are still some AVG processes running. So the meterpreter script didn't work as expected.
Processes of the remote system
 
Now we will try to categorize these processes in order to see which service they belong to. The command that we are going to use is tasklist /svc
Categorize the services
 
We are interested only in the AVG services and their processes, so we will use the command tasklist /svc | find /I "avg" in order to discover them. In this way we have instructed the remote system to return only the services whose image name starts with avg.
Discovery of the AVG services
 
These are the processes that we need to kill. However, if we try to do so we will notice that it has no effect, because the avgwd and AVGIDSAgent services will restart these processes once they are killed. So let's examine these two services and their attributes.
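The tasklist /svc listing above is what ties each AVG process to the service that will respawn it, and the same listing is the input for an antivirus health check on the defender's side. The Python below is an added example, not code from the original post or from Metasploit: it parses the Windows XP tasklist /svc layout (including the indented continuation lines that long service lists wrap onto), reproduces the case-insensitive find /I "avg" filter, maps every hosted service to the process running it, and reports which expected services no process currently hosts, which is exactly the state the post reaches after its reboot. The process and service names in the sample are constructed, not captured from the target machine.

```python
import re

# Constructed `tasklist /svc` excerpt in the Windows XP layout: image name,
# PID, comma-separated services, with long lists wrapped onto indented
# continuation lines. Names are sample values, not a capture from the post.
SAMPLE_TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                   1036 AudioSrv,CryptSvc,Dhcp,ERSvc,EventSystem,
                                   helpsvc,lanmanserver,lanmanworkstation,
                                   Netman,Nla,Schedule,winmgmt
avgwdsvc.exe                  1268 avgwd
AVGIDSAgent.exe               1312 AVGIDSAgent
avgrsx.exe                    1520 N/A
avgnsx.exe                    1544 N/A
avgemcx.exe                   1580 N/A
cmd.exe                       2212 N/A
"""

# A data row: image name (may contain spaces), PID, then the services field.
ROW_RE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<svcs>\S.*)$")


def _split_services(field):
    """Split "a,b,c," into names, dropping blanks and the N/A placeholder."""
    return [s.strip() for s in field.split(",") if s.strip() and s.strip() != "N/A"]


def parse_tasklist_svc(text):
    """Turn tasklist /svc output into a list of (image, pid, [services])."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue  # blank line or the two header lines
        if line[0].isspace():
            # Wrapped continuation of the previous row's service list.
            if entries:
                entries[-1][2].extend(_split_services(line))
            continue
        m = ROW_RE.match(line)
        if m:
            entries.append((m.group("image"), int(m.group("pid")),
                            _split_services(m.group("svcs"))))
    return entries


def grep_entries(entries, needle):
    """Case-insensitive match on image or service name, like find /I."""
    n = needle.lower()
    return [e for e in entries
            if n in e[0].lower() or any(n in s.lower() for s in e[2])]


def service_hosts(entries):
    """Map each hosted service name to the (image, pid) that runs it."""
    return {svc: (image, pid) for image, pid, svcs in entries for svc in svcs}


def missing_services(entries, expected):
    """Names from `expected` that no running process currently hosts."""
    hosted = {s.lower() for s in service_hosts(entries)}
    return [s for s in expected if s.lower() not in hosted]


if __name__ == "__main__":
    entries = parse_tasklist_svc(SAMPLE_TASKLIST)
    for image, pid, svcs in grep_entries(entries, "avg"):
        print(f"{image:<20} {pid:>6} {','.join(svcs) or 'N/A'}")
    # Health check: the watchdog services named in the post should be hosted.
    for svc in missing_services(entries, ["avgwd", "AVGIDSAgent"]):
        print(f"ALERT: service {svc} has no running host process")
```

The health-check side is missing_services: fed a fresh tasklist /svc capture after a reboot, an empty result means the watchdog services came back, while a non-empty one is the signature of the start-type change the post performs before rebooting.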
 
As you can see from the image above, these two services cannot be stopped and cannot be paused. So how are you supposed to disable an antivirus whose services cannot be stopped or paused? The only valid solution is to disable the services, so that on the next reboot of the target they will not start. We can achieve that by executing the commands that you can see in the image below.
We will then reboot the remote target through meterpreter.
Reboot the remote target
 
Now that the system has restarted, it is time to examine whether any AVG processes are still running.

Find the running processes of AVG after the reboot
 
We notice from this output that there are 3 processes instead of 5, and the two processes that correspond to the avgwd and AVGIDSAgent services are missing. This is because we disabled them before the reboot. So we can now kill these 3 processes safely.
Kill the remaining AVG processes
 
The antivirus is now disabled on the remote target and we can continue our work without fear of being interrupted or discovered by an antivirus or a firewall.
The last thing that we may want to do is clear the system log files. We can run the command clearev in meterpreter in order to delete all records from the Event Viewer.
Clear the log files
 
The next screenshot is proof that the log files have been cleared and there are no records.

No records in the Event Viewer
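Each step of this walkthrough leaves a record before clearev runs, and clearing the log leaves one of its own. As an added example (not code from the original post or from Metasploit), the Python below runs a few detection rules over constructed event records: Service Control Manager event 7040 when a service's start type is changed to disabled, event 517 (Windows XP/2003) or 1102 (Vista and later) when the Security log is cleared, 104 (Vista and later) when the System log is cleared, and 4950 (Vista and later) when a Windows Firewall setting changes. The event IDs are Windows' own; the records themselves, including the tab-separated export format, are constructed for the example and are not captured from the target in this article.

```python
import re
from collections import namedtuple

Event = namedtuple("Event", "log event_id source message")

# Constructed records in a simple export format: log<TAB>id<TAB>source<TAB>message.
# Not exported from the post's target. Event IDs are the real Windows ones:
# 7040 start type changed, 517/1102 audit log cleared, 104 System log cleared,
# 4950 Windows Firewall setting changed.
SAMPLE_EVENTS = """\
System\t7036\tService Control Manager\tThe Print Spooler service entered the running state.
System\t7040\tService Control Manager\tThe start type of the avgwd service was changed from auto start to disabled.
System\t7040\tService Control Manager\tThe start type of the AVGIDSAgent service was changed from auto start to disabled.
System\t7040\tService Control Manager\tThe start type of the Schedule service was changed from disabled to auto start.
Security\t517\tSecurity\tThe audit log was cleared.
"""

# (log, event id, optional message pattern, label). A pattern narrows 7040 to
# changes that end in "disabled"; re-enabling a service is not flagged.
RULES = [
    ("System", 7040, re.compile(r"changed from .* to disabled", re.I),
     "service start type set to disabled (persists across reboot)"),
    ("Security", 517, None, "Security log cleared (Windows XP/2003)"),
    ("Security", 1102, None, "Security log cleared"),
    ("System", 104, None, "System log cleared"),
    ("Security", 4950, None, "Windows Firewall setting changed"),
]


def parse_events(text):
    """Parse the tab-separated export into Event tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        log, eid, source, message = line.split("\t", 3)
        events.append(Event(log, int(eid), source, message))
    return events


def detect(events):
    """Apply RULES; return (event_id, label, message) for every match."""
    findings = []
    for ev in events:
        for log, eid, pattern, label in RULES:
            if ev.log == log and ev.event_id == eid and (
                    pattern is None or pattern.search(ev.message)):
                findings.append((ev.event_id, label, ev.message))
    return findings


def service_name_from_7040(message):
    """Pull the service name out of a 7040 message, or None if absent."""
    m = re.search(r"start type of the (.+?) service", message)
    return m.group(1) if m else None


if __name__ == "__main__":
    for eid, label, message in detect(parse_events(SAMPLE_EVENTS)):
        svc = service_name_from_7040(message) if eid == 7040 else None
        print(f"[{eid}] {label}" + (f": {svc}" if svc else ""))
```

Two practical points follow from the rules. The clear event is written as the first record of the emptied Security log, so an empty-looking log that begins with 517 or 1102 is itself a finding rather than a clean slate. And a 7040 record flagged here only matters if it was forwarded off the host before the log was cleared, which is why the detection belongs on a collector rather than on the machine being audited.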
 
Conclusion
Every penetration tester needs to know how to disable a firewall or an antivirus remotely. This is essential for his penetration testing activities. However, as we saw, the meterpreter script didn't manage to disable the antivirus. This is proof that a penetration test is not an automatic process and also requires the human factor.
Apart from that, the main disadvantage was that this method required rebooting the remote target in order to disable the antivirus, so if someone was working on the system he would have noticed that something was going wrong, besides the fact that it would have affected his work. However, on a system on which nobody is working it is an effective method.
