Anonymity is a very big issue for a hacker who wants to stay clear of the authorities and the victim. Even if a hacker manages to get into a system under the antivirus's nose, it is very likely that s/he will get caught when the antivirus scans the system for malicious files and connections. Protecting oneself is more important than exploiting the victim. So let's learn how to disable antivirus in a remote PC.
Installing antivirus software on a computer is an excellent way to deter hackers; conversely, disabling the antivirus software is an excellent way to exploit a system without leaving any footprint.
Why Disable Antivirus in a Remote PC?
Disabling the antivirus and firewall on the victim's PC is a necessary task for any hacker to take care of, because the next time the system is scanned by the victim's antivirus software it is likely to detect our listener and disable it. So we need to take preemptive action and disable it before it can disable us.
Logic Behind Disabling Antivirus
Antivirus software is designed so that nobody can shut it down simply by closing it from the tray icon or from its GUI. If you have an antivirus on your computer, try to close it from the tray icon or the GUI: you'll see that it asks you to confirm your action. Now open up Task Manager and try to kill the antivirus process (something like avg.exe); you'll find that no questions are asked and the antivirus process is killed instantly. That's because the admin has more control over the system than the antivirus, which is exactly what we'll use to carry out this hack.
How To Disable Antivirus in a Remote PC?
Meterpreter is the utility that gives us complete control over the system. We can send commands to install a keylogger, jump to other computers on the network, look through all the files and directories, start and close programs at will, and tons more. Here, we'll focus on the commands to disable antivirus protection.
Steps To Disable Antivirus In Remote PC
Step 1# Getting Started: First of all, we need to escalate our privileges. Usually, when we hook up a listener (Meterpreter) on the victim's system, the listener has the same privileges as the logged-in user. Nowadays, by default, all the latest operating systems give reduced privileges to the user, to make sure that the user cannot tamper with important files/folders (like system32) and to add another layer of protection from hackers. To carry out this hack we need admin (or sysadmin) privileges.
Remember! In writing this tutorial we assumed that you've already embedded a Meterpreter listener on the victim's computer.
Step 2# Get the user ID: Before attempting to increase our privileges, let's check whether we're already the admin, so that we can get straight to the hack.
Type: meterpreter > getuid
This should return the ID of the user currently logged in. Depending on the OS this command gives different results, but what we're looking for are keywords like "admin", "sysadmin", "authority" or "system". These are bound to be associated with an account with admin privileges. Chances are that we'll get something else instead, so in the next step we'll take care of that.
Step 3# Escalate Privileges: Metasploit and its Meterpreter make it simple to escalate privileges to sysadmin.
Type: meterpreter > getsystem
You'll notice that Metasploit responds with something like "…got system (with technique 1)" if everything went as planned. There are multiple inbuilt techniques that Metasploit uses to try to increase privileges when the 'getsystem' command is sent; it simply tries all of them to see which one works.
Step 4# Check That We Are Sysadmin: Now that Metasploit has told us that it has escalated our privileges to sysadmin, let's make sure.
Type: meterpreter > getuid
One of the most common returns from getuid after this command is Server username: NT Authority\System, and this is ideally what we're looking for. But if you get any of the above keywords, that's just fine as well.
Step 5# Kill The Antivirus: Now that we have the power of admin, let's kill the victim's antivirus. For that purpose, Metasploit has a Ruby script called "killav.rb" which looks for any running antivirus process and shuts it down. It works on almost all antiviruses, so we can be reasonably sure that it'll do the job. (If it doesn't, we could alternatively look at the running processes and try to kill them manually.)
Type: meterpreter > run killav.rb
You should see output like "Killing Antivirus…"
We're done. The antivirus is taken care of and can no longer interfere with our further activities. Ideally, you want to make sure that you're hidden before trying out any hacks.
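As an added example (not part of the original article), here is the defender's view of Step 5: a script like killav.rb terminates several security-product processes within seconds, which is a pattern a log monitor can catch. The code reads constructed log lines modelled on Sysmon process-termination events (Event ID 5; the JSON field layout, the timestamps and the list of antivirus process names are assumptions) and raises an alert when two or more antivirus processes terminate inside a short time window.

```python
import json
from collections import deque
from datetime import datetime, timedelta

# Illustrative (assumed) image names of common antivirus service processes.
AV_IMAGE_NAMES = {"msmpeng.exe", "avgsvc.exe", "avg.exe", "avp.exe", "ekrn.exe", "mcshield.exe"}

# Constructed sample log: simplified JSON modelled on Sysmon events.
# EventID 5 = process terminated, EventID 1 = process created.
SAMPLE_LOG = [
    '{"EventID": 1, "UtcTime": "2024-01-15T10:00:00", "Image": "C:\\\\Windows\\\\System32\\\\notepad.exe"}',
    '{"EventID": 5, "UtcTime": "2024-01-15T10:00:01", "Image": "C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe"}',
    '{"EventID": 5, "UtcTime": "2024-01-15T10:00:02", "Image": "C:\\\\Program Files\\\\AVG\\\\avgsvc.exe"}',
    '{"EventID": 5, "UtcTime": "2024-01-15T10:05:00", "Image": "C:\\\\Program Files\\\\ESET\\\\ekrn.exe"}',
]


def parse_event(line):
    """Parse one JSON log line into the fields the detector needs."""
    ev = json.loads(line)
    return {
        "time": datetime.fromisoformat(ev["UtcTime"]),
        "event_id": int(ev["EventID"]),
        "image": ev["Image"],
    }


def detect_av_kills(lines, window_seconds=10, threshold=2):
    """Return one alert per burst of >= threshold AV process terminations
    that fall within window_seconds of each other."""
    recent = deque()   # AV terminations still inside the sliding window
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev["event_id"] != 5:
            continue
        name = ev["image"].rsplit("\\", 1)[-1].lower()
        if name not in AV_IMAGE_NAMES:
            continue
        recent.append(ev)
        # Drop terminations older than the window relative to this event.
        while ev["time"] - recent[0]["time"] > timedelta(seconds=window_seconds):
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append({"time": ev["time"].isoformat(),
                           "killed": [e["image"] for e in recent]})
            recent.clear()  # one alert per burst, not one per extra kill
    return alerts


if __name__ == "__main__":
    for alert in detect_av_kills(SAMPLE_LOG):
        print("ALERT", alert["time"], "antivirus processes terminated:", alert["killed"])
```

A single termination (an update restarting the engine, for instance) stays below the threshold, while the burst at 10:00:01 and 10:00:02 is reported once.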
Note: This guide is for knowledge purposes only and shouldn't be used for any illegal activities; we are not responsible for anything that happens as a result.
So, we hope that our readers will maintain their anonymity and stay safe. If you like this article, don't forget to share it with your friends, and feel free to drop a comment below if you have any query or feedback.