Re: : proposition for a new script (how to be a ninja) and about changing killav/getcountermesures

[John Nash <rootsecurityfreak () gmail com>]

Nicee!! I love the idea and killav definitely needs an upgrade.

btw, agree with you on the video series. Coming out to be great. Just
watched the latest one on pivoting and portfwd - definitely the best
explanation and demo I've found online -

http://securitytube.net/Metasploit-Megaprimer-Part-13-%28Post-Exploitation-Pivoting-and-Port-Forwarding%29-video.aspx

I think might be worthwhile adding them to the wiki or your documentation
page. Will be helpful to newbies and intermediate users!

rgds,

JN



On Sat, Sep 11, 2010 at 8:05 PM, Marco Polo <titjow () hotmail com> wrote:

>  ninja's & assasins aka how to be *Keyser Söze...
>
> *HI all!
>
> here is just two propositions of scripts that could help for post
> exploitation:
>
> meterpreter ninja script:
> -----------------------------------
>
>
> 1) stop logging and erase the last 5 min logs
>    i saw the stop login stuff in a script once but i can't find it anymore
> so for this i'll need help
>
> 2) add an option to change the mace times of some files (list of those
> files can be store in a .txt file)
>    this one can be done easily (nearly done in the winenum script)
>
> 3) if wanted (default to false) add the ability to shedule the start of
> logs files again in hh:mm:ss so nobody will notice
>    not sure if it's possible and how it could be done (shedule sc start or
> something like that?) here again i'll need some pointer..
>
>
> because if you really wants to be a ninja, don't clear all the logs, it'll
> obviously show someone broke into the system..
> I think it could be interresting as a post exploitation point of view but
> idk if it'll interest anyone else but me?
> If yes can anyone give me just a few pointers? Even if i'm still a ruby
> n00b and having less free time atm i think i can do it.
>
>
> meterpreter getcountermesure/killav script:
> ----------------------------------------------------------------
>
> 1) search in registry the name of the AV/firewall/IDS... and then in
> program files/anti-virus for any .exe name (results are store in a file)
>
> 2) disable the security center so it won't popup any alert
>
> 3) find via query ex & tasklist /SVC | find /I "name found in 1)" or ruby
> (idk how to do it purely in ruby) the PID of all process and services used
> by the AV .exe's
>
> 4) sc config "services" start= disable & sc stop "services" for all
> services found in 3)
>
> 5) kill all process used by the AV found in 1) and retry sc stop "services"
> if still needed (some of them need the process to be killed before the
> service could stop)
>
> 6) check if all of them have been killed (sometimes one or two are still
> alive) and if not just try a second time to kill them
>    and print the status (all done/half/none)
>
> 7) if wanted (default to false) add the ability to shedule the restart of
> the services and process again in hh:mm:ss so nobody will
>     notice
>
> 8) if wanted (default to false) search & destroy any .log files in program
> files/anti-virus directory
>
> the main advantage using this method is that you don't need an exhaustive
> list which is changing every software updates...
> as windows store the name of the A-V in registry you can easily find all
> .exe in program files and so you won't miss any of them.
>
>
> I could automate what we see in:
>
>
> http://www.securitytube.net/Metasploit-Megaprimer-Part-10-(Post-Exploitation-Log-Deletion-and-AV-Killing)-video.aspx
>
> (great video btw, the serie is nice and clear: all parts +
> metasploit-unleashed and you really see the real power of metasploit :) )*
>
> but if you want it all in ruby i'm afraid i won't be able to do it soon...
>
> the aim of those scripts is to be stealthy.. well at least the most we
> could be...
>
> ofc those scripts will do the same stuff as the other scripts:
>
> -store the logs in opt/.msf3/log/killav or something like that
> -check the platform
> -check if we're admin/system
> -print and logs errors if not enough rights and/or problems with UAC
>
>
> So if any of you is interested in helping me/making the scripts or
> discussing the utility/interest of this method i'd be happy to talk with you
> :)
>
> as always, sorry for my english and thx for this wonderful tool you're
> bringing to us :)
>
> bye!
>
>
> _______________________________________________
> https://mail.metasploit.com/mailman/listinfo/framework
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework