Metasploit Megaprimer Part 10 (Post Exploitation Log Deletion And AV Killing)
Description:
This is Part 10 of the Metasploit Megaprimer series.
Please begin this series by watching Part 1 of the Metasploit Megaprimer, if you have not already done so.

In this video, we will learn about AV killing and log deletion as a post-exploitation exercise. You will notice that the killav meterpreter script does not work as desired: the latest version of AVG has many more processes and a new watchdog service that cannot be killed easily. Every time we kill the watchdog, it is started again automatically. The service also cannot be stopped by simply issuing "net stop avg9wd" or "sc stop avg9wd", because it is a NOT_STOPPABLE service (it does not accept the stop control, which is what sc query reports). Join me as I explore how to stop this unstoppable service :)
Would request you all to leave your feedback in the comments section below the video!
In the next video, we will learn how to collect interesting data on the victim machine post exploitation. Part 11 of the Megaprimer is now available! Please watch this video in full-screen mode.
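Both actions shown in the video leave traces in the Windows event logs: clearing the logs with clearev makes Windows write a "log cleared" record into the freshly emptied log, and stopping or force-killing AVG's services shows up as Service Control Manager events (and, where process auditing is on, as the taskkill or sc command itself). Several commenters below ask exactly this about clearev. The following is an added example, not code from the video or from Metasploit: a small Python rule set run over constructed event records. The flattened dict layout of the records and the "avg" name fragment are assumptions; the event IDs are Windows' own.

```python
"""Traces left in the Windows event logs by the two actions in this video:
clearing the logs with meterpreter's clearev, and stopping or killing the
AV's processes and services. Added example, not code from the video or from
Metasploit; the records below are constructed and flattened into plain dicts
(the layout is an assumption, the event IDs are Windows' own)."""
import ntpath
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Written by Windows itself into the freshly emptied log, so after clearev
# they are the first surviving record: Security 1102 "The audit log was
# cleared", System 104 "<log> log file was cleared".
LOG_CLEARED = {("Security", 1102), ("System", 104)}
# Service Control Manager, System log: 7036 entered running/stopped state
# (param1 = service, param2 = state); 7034 terminated unexpectedly.
SCM_STATE, SCM_CRASH = ("System", 7036), ("System", 7034)
# Security 4688 "A new process has been created"; needs process-creation
# auditing, and command-line auditing for the CommandLine field.
PROCESS_CREATED = ("Security", 4688)
# Assumptions for this example: the AV is AVG (as in the video) and these are
# the built-in tools used to stop it. Other products need their own fragments.
AV_NAME_FRAGMENTS = ("avg",)
KILL_TOOLS = {"taskkill.exe", "sc.exe", "net.exe"}


@dataclass
class Finding:
    record_id: int
    rule: str
    detail: str


def _is_av(name: str) -> bool:
    name = name.lower()
    return any(frag in name for frag in AV_NAME_FRAGMENTS)


def classify(rec: Dict) -> List[Finding]:
    """Return the findings (zero or one here) for a single event record."""
    key = (rec["Channel"], rec["EventID"])
    data = rec.get("Data", {})
    rid = rec["RecordId"]

    if key in LOG_CLEARED:
        # 104 names the cleared log in its data; 1102 is always the Security log.
        cleared = data.get("Channel", rec["Channel"])
        who = data.get("SubjectUserName", "?")
        return [Finding(rid, "log_cleared", f"{cleared} log cleared by {who}")]

    if key == SCM_STATE and _is_av(data.get("param1", "")):
        if data.get("param2", "").lower() == "stopped":
            return [Finding(rid, "av_service_stopped", data["param1"])]
        return []

    if key == SCM_CRASH and _is_av(data.get("param1", "")):
        return [Finding(rid, "av_service_crashed", data["param1"])]

    if key == PROCESS_CREATED:
        exe = ntpath.basename(data.get("NewProcessName", "")).lower()
        cmd = data.get("CommandLine", "")
        if exe in KILL_TOOLS and _is_av(cmd):
            return [Finding(rid, "av_kill_command", cmd)]

    return []


def scan(events: Iterable[Dict]) -> List[Finding]:
    """Run classify() over a record stream in log order."""
    return [f for rec in events for f in classify(rec)]


def watchdog_restarts(events: Iterable[Dict]) -> Dict[str, int]:
    """Count stopped -> running transitions per AV service: the video's
    observation that the AVG watchdog comes straight back after being killed
    shows up as exactly this pairing of 7036 events."""
    last: Dict[str, str] = {}
    restarts: Dict[str, int] = {}
    for rec in events:
        if (rec["Channel"], rec["EventID"]) != SCM_STATE:
            continue
        svc = rec.get("Data", {}).get("param1", "")
        if not _is_av(svc):
            continue
        state = rec["Data"].get("param2", "").lower()
        if last.get(svc) == "stopped" and state == "running":
            restarts[svc] = restarts.get(svc, 0) + 1
        last[svc] = state
    return restarts


# Constructed records, in the order an operator following the video would produce them.
SAMPLE_EVENTS = [
    {"RecordId": 1, "Channel": "Security", "EventID": 4688,
     "Data": {"SubjectUserName": "SYSTEM",
              "NewProcessName": "C:\\Windows\\System32\\taskkill.exe",
              "CommandLine": "taskkill /F /IM avg*"}},
    {"RecordId": 2, "Channel": "System", "EventID": 7036,
     "Data": {"param1": "AVG WatchDog", "param2": "stopped"}},
    {"RecordId": 3, "Channel": "System", "EventID": 7036,
     "Data": {"param1": "AVG WatchDog", "param2": "running"}},   # restarted itself
    {"RecordId": 4, "Channel": "System", "EventID": 7036,
     "Data": {"param1": "Print Spooler", "param2": "stopped"}},  # unrelated noise
    {"RecordId": 5, "Channel": "Security", "EventID": 1102,
     "Data": {"SubjectUserName": "Administrator"}},
    {"RecordId": 6, "Channel": "System", "EventID": 104,
     "Data": {"SubjectUserName": "Administrator", "Channel": "Application"}},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"record {f.record_id}: {f.rule}: {f.detail}")
    print("AV watchdog restarts:", watchdog_restarts(SAMPLE_EVENTS))
```

The point for the operator is the one the comments raise: clearev does not make the clearing invisible, it leaves 1102 and 104 as the first records in the otherwise empty logs, and every stop or kill of the AV service is recorded by the Service Control Manager. For the defender, the stopped/running churn counted by watchdog_restarts() is what the video's failed killav attempts look like from the System log.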
Tags: tools
Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying.
Comments:
Super... I am eagerly waiting for scenario-based attack tutorials...
It's great, but it is valid for version 9 of AVG. If you try to do the same with the latest version (2011 Free), the names of the processes are different and so are their characteristics; unfortunately the AVGIDSAgent and avgwd services are (NOT_STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN).
You can disable them, but dependent processes cannot be killed with taskkill. I tried the same procedure as you indicate, but I think it is not possible with the latest version of AVG...
Any recommendations?
Thank you very much!
Great videos! Thanks a lot Vivek!
Let me post here the solution for AVG 2011. It's pretty blunt, but it definitely works. On the victim's machine you need to upload/download the AVG removal tool from this page http://www.avg.com/ww-en/download-tools (attention! it is OS specific! x86 won't work on x64 Windows) and run it from the console with the following parameters: /silent /norestart
AVG squeals anyway about being turned off but dies immediately. You are good to go with further exploitation!
The same programs exist for almost any antivirus, yet some of them now have some further protection from unauthorized use like CAPTCHAs. Let's hope AVG won't use the same thing =)
Actually it kind of works... if you issue a reboot from the meterpreter, wait until it has rebooted and then issue the taskkill, it works with AVG 2011.
The drawback being you have to reboot..
Vivek, is it possible to solve this without rebooting? Any other "secret" command? =)
If you want to completely freeze any process (including AV processes), there's a really easy way. I stumbled across a DLL called Suspender via Mubix [http://room362.com] that is injected into a process and, after a certain wait period determined by its filename, suspends the process. This works wonderfully for suspending AV processes like AVG to avoid detection, even if you aren't SYSTEM or Administrator. You can completely incapacitate any AV (as far as I've seen in my testing) this way, without having to remove it. More here: [http://www.room362.com/blog/2011/5/30/remote-dll-injection-with-meterpreter.html]
An update to my previous post: it appears access levels do matter. I thought I was suspending a process running as SYSTEM, but I was actually suspending a process running as the current user. I tried to suspend a SYSTEM process but failed (access denied). So it appears that Suspender isn't the superweapon that I made it out to be, but it's still extremely useful for disabling an AV as I was able to suspend parts of AVG and run a payload that was being detected and stopped previously. Sorry for my mistake, but do try Suspender out, it's very useful.
Vivek, wonderful as always. The comments are bits of gold as well. Thanks everyone.
Great video! The comments are awesome as well. Thanks everyone.
A lot to take in if you haven't messed around with AV bypass. Great work again!
Another great megaprimer! Thanks for sharing all of this! o/
Another great tutorial! Thank you again!
Thanks for the effort Vivek !!
Thanks for all the comments guys! We have launched a SecurityTube Metasploit Framework Expert Certification today:
http://www.securitytube.net/smfe
The first 25 signups will receive discounted seats! Please hurry :)
Dear Vivek
I am floored and appreciate your efforts to offer such useful videos for free.
I had some doubt while watching this one, which is that "clearev" deletes all the logs from the system.
Might that not be looked upon as suspicious activity by the owner of the remote system?
Is there any possible way to delete the logs selectively?
With regards
BB
To get to know Metasploit in more depth, visit the Amantes do Metasploit forum, where you will find a lot of material in Portuguese
http://www.amantesdometasploit.com.br
Fantastic work! I appreciate how you shared all the issues you ran into in the real world. Even your battery dying! You communicate that it is not simple to exploit and control a box. You show that you must have knowledge of systems and networks and that you must think on your feet. Great job Vivek!
The video stopped at 7:46 while I was watching it; I don't know what the problem is?
Thanks so much for this nice video Vivek! But the thing is clearev kills all events, which is totally suspicious. How can we selectively delete the events?!
Thanks Vivek, great work.
I tried everything in this video and got stuck at this command { taskkill /F /IM "avg*" }: nothing gets killed
but after rebooting the victim PC and using { run killav } all AVG processes are killed. Any idea how to kill it without needing to reboot the victim PC?!!
I use AVG 2012
thanks