Metasploit mailing list archives

: proposition for a new script (how to be a ninja) and about changing killav/getcountermeasures


From: Marco Polo <titjow () hotmail com>
Date: Sat, 11 Sep 2010 14:35:26 +0000


ninjas & assassins aka how to be Keyser Söze...

Hi all!

Here are just two propositions of scripts that could help with post exploitation:

meterpreter ninja script:
-----------------------------------


1) stop logging and erase the last 5 min of logs
   I saw the stop-logging stuff in a script once but I can't find it anymore, so for this I'll need help

2) add an option to change the MACE times of some files (the list of those files can be stored in a .txt file)
   this one can be done easily (nearly done in the winenum script)

3) if wanted (default to false) add the ability to schedule the start of log files again in hh:mm:ss so nobody will 
notice
   not sure if it's possible and how it could be done (schedule sc start or something like that?); here again I'll need 
some pointers..


Because if you really want to be a ninja, don't clear all the logs; it'll obviously show someone broke into the 
system..
I think it could be interesting from a post-exploitation point of view but idk if it'll interest anyone else but me?
If yes, can anyone give me just a few pointers? Even if I'm still a Ruby n00b and have less free time atm, I think I 
can do it.


meterpreter getcountermeasure/killav script:
----------------------------------------------------------------

1) search the registry for the name of the AV/firewall/IDS... and then in Program Files/anti-virus for any .exe name 
(results are stored in a file)

2) disable the Security Center so it won't pop up any alert

3) find via query ex & tasklist /SVC | find /I "name found in 1)" or Ruby (idk how to do it purely in Ruby) the PID of 
all processes and services used by the AV .exe's

4) sc config "services" start= disable & sc stop "services" for all services found in 3)

5) kill all processes used by the AV found in 1) and retry sc stop "services" if still needed (some of them need the 
process to be killed before the service can stop)

6) check if all of them have been killed (sometimes one or two are still alive) and if not just try a second time to 
kill them
   and print the status (all done/half/none)

7) if wanted (default to false) add the ability to schedule the restart of the services and processes again in hh:mm:ss so 
nobody will
    notice

8) if wanted (default to false) search & destroy any .log files in the Program Files/anti-virus directory

The main advantage of using this method is that you don't need an exhaustive list, which changes with every software 
update...
As Windows stores the name of the A-V in the registry, you can easily find all the .exe's in Program Files and so you won't miss 
any of them.


I could automate what we see in:

http://www.securitytube.net/Metasploit-Megaprimer-Part-10-(Post-Exploitation-Log-Deletion-and-AV-Killing)-video.aspx

(great video btw, the series is nice and clear: all parts + metasploit-unleashed and you really see the real power of 
metasploit :) )

but if you want it all in Ruby I'm afraid I won't be able to do it soon...

The aim of those scripts is to be stealthy.. well, at least as much as we can be...

Ofc those scripts will do the same stuff as the other scripts:

-store the logs in opt/.msf3/log/killav or something like that
-check the platform
-check if we're admin/system
-print and log errors if not enough rights and/or problems with UAC


So if any of you is interested in helping me/making the scripts or discussing the utility/interest of this method, I'd 
be happy to talk with you :)

As always, sorry for my English and thx for this wonderful tool you're bringing to us :)

bye!
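Added example, not part of the post above and not a Metasploit script: a small defender-side checker that reads Windows System/Security event records and flags the traces the two proposals would leave on a host: the event logging service shutting down (event ID 1100), a service's start type changed to disabled (7040), a security-related service entering the stopped state (7036), and unexplained gaps in the event timeline. The records are constructed inline in a simplified "timestamp|log|eid|message" form, and the watched service names and gap threshold are assumptions to tune per environment.

```python
from datetime import datetime

GAP_MINUTES = 10  # assumed threshold; tune to the host's normal event rate
WATCHED = ("antivirus", "security center", "windows defender", "firewall")  # assumed names

# Constructed sample records, not a real event log export.
SAMPLE_EVENTS = """\
2010-09-11 14:00:12|System|7036|The Print Spooler service entered the running state.
2010-09-11 14:05:40|Security|1100|The event logging service has shut down.
2010-09-11 14:31:02|System|7040|The start type of the Antivirus Core service was changed from auto start to disabled.
2010-09-11 14:31:05|System|7036|The Antivirus Core service entered the stopped state.
2010-09-11 14:31:09|System|7036|The Security Center service entered the stopped state.
2010-09-11 14:32:00|System|7036|The Windows Update service entered the running state.
"""

def parse_events(text):
    """Turn the pipe-separated lines into (timestamp, log, eid, message) tuples."""
    events = []
    for line in text.splitlines():
        ts, log, eid, msg = line.split("|", 3)
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), log, int(eid), msg))
    return events

def find_suspicious(events, gap_minutes=GAP_MINUTES):
    """Return a list of (timestamp, reason) findings in timeline order."""
    findings = []
    prev = None
    for ts, log, eid, msg in events:
        low = msg.lower()
        # A silent stretch between consecutive records is what "stop logging,
        # restart it later" looks like from the log's own point of view.
        if prev is not None and (ts - prev).total_seconds() > gap_minutes * 60:
            findings.append((ts, f"gap of {int((ts - prev).total_seconds() // 60)} min in event timeline"))
        if eid == 1100:
            findings.append((ts, "event logging service shut down"))
        elif eid == 7040 and "disabled" in low and any(w in low for w in WATCHED):
            findings.append((ts, "security service start type set to disabled"))
        elif eid == 7036 and "stopped state" in low and any(w in low for w in WATCHED):
            findings.append((ts, "security service stopped"))
        prev = ts
    return findings

if __name__ == "__main__":
    for ts, reason in find_suspicious(parse_events(SAMPLE_EVENTS)):
        print(ts, reason)
```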
