Firing the Anti Virus …

Below is an account of a small, simple and sweet hack done on a network. Even though they had a firewall installed and monitored the network regularly, the hack still went through!

Scene: Target compromised through a user account that still had its default password. Thanks to social engineering 😀

Cast: Batman and the Joker (the compromised user account). But the Joker is just a normal employee, not a top manager, so escalating from his account would be difficult! (Attacker = Batman, Attacked = Joker)

Motive: Batman wants to plant a key logger on the target, but the bloody anti virus detects it as a virus and deletes it!

Flashback:
Joker: Hey dude, what are you doing, man? Are you free for a few minutes? This f*****g internet doesn't work on my system!!
Batman: Yeah, let me see. (after a few minutes) You seem to have entered the wrong credentials for the Cyberoam! What's your username …?
Joker: abcdefgh
Batman: … and your password?
Joker: Sorry sir, can't give it! (he enters the password)
(Batman then clicks "login" and Firefox pops up a prompt offering to save the password. Batman saves it using the keyboard shortcut without the Joker noticing!)

To cut a long story short, Batman is able to read the Joker's Cyberoam password from Firefox's saved-password list! It seemed to be the default password set for all the users!!

Present: Batman is still trying to reach the drives of the target system to deploy the key logger. No drives are shared and none of the simple passwords work; he has tried every combination he could think of.

He then remembers the password the Joker entered for the Cyberoam, and it works!! He is into the system with access to all the drives and files! Then another idea strikes him: try the same password on the Admin account. And guess what, it worked too!! Awesome!

Now the only thing left to do is install the key logger. No other hacks, strictly; we are good people :P. But, to his dismay, he finds that Symantec Anti Virus is installed and keeps deleting the key logger (bloody hell, every free key logger out there is flagged by the anti virus!!). Idea! Go to the Symantec directory and delete all of its files except the ones currently locked in use, and the work is done!!! It was really surprising at the time that a supposedly heavyweight security tool like Symantec could be knocked out simply by deleting its files: nothing in the product stopped an Administrator account from removing them, and on the next boot it had nothing left to start from.

The system was restarted with the command "shutdown -r -t 01" (run shutdown /? for the options). As expected, Symantec did not start, since its supporting files/DLLs were gone! Using the psexec command from PsTools, the key logger was then installed remotely; it needed another restart, which was just as easy. Through this we got hold of a lot of sensitive information.

Through this, I was convinced that a successful hack does not require any vulnerability assessment tool or fancy scanners; that social engineering, shoulder surfing and the like are pretty simple and can undo the best of networks; and I learnt one more way of getting around a firewall.

The biggest lesson from this project was about the Anti Virus. A tool that was supposed to safeguard us is vulnerable in such a simple way! The Anti Virus vendors could easily afford to add a File Integrity Monitor!! As a friend said, "So much for companies that supposedly pour millions of dollars into R&D!!!"
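To show what that missing File Integrity Monitor would look like, here is an added example (mine, not code from the original post or from Symantec). It takes a SHA-256 baseline of every file under a directory, then diffs the live tree against the baseline and reports files that were deleted, modified or newly added. The "Symantec" directory, its file names and contents are all constructed for the demo; the scenario mirrors the post, where an attacker with the Admin account deletes the product's support files and drops a payload before rebooting.

```python
"""Minimal file-integrity monitor for a security product's install directory.

Added example, not code from the original post or from any vendor. Builds a
SHA-256 baseline of every regular file under a root directory, later re-hashes
the tree and reports deleted, modified and added files.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are handled."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map of relative POSIX path -> SHA-256 for every file under root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def save_baseline(baseline: dict, store: Path) -> None:
    """Persist the baseline as JSON. In a real deployment the store must live
    where the monitored host's admin cannot rewrite it (signed, or on a central
    server); otherwise an attacker with admin rights just re-baselines."""
    store.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(store: Path) -> dict:
    return json.loads(store.read_text())


def check_integrity(root: Path, baseline: dict) -> dict:
    """Diff the live tree against the baseline. Deleted files matter most here:
    the post's attack removed the AV's support files rather than changing them."""
    current = build_baseline(root)
    return {
        "deleted": sorted(set(baseline) - set(current)),
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(
            p for p in baseline if p in current and current[p] != baseline[p]
        ),
    }


def demo() -> dict:
    """Constructed scenario (hypothetical names and contents): baseline an AV
    directory, then tamper with it the way the post describes."""
    with tempfile.TemporaryDirectory() as tmp:
        av = Path(tmp) / "Symantec"
        (av / "bin").mkdir(parents=True)
        (av / "defs").mkdir()
        (av / "bin" / "scanner.exe").write_bytes(b"MZ-stub-engine")
        (av / "bin" / "support.dll").write_bytes(b"MZ-stub-support")
        (av / "defs" / "virus.dat").write_bytes(b"signatures-v1")
        store = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(av), store)

        # Attacker with the Admin account deletes a file that is not in use,
        # swaps the definition file, and drops the key logger payload.
        (av / "bin" / "support.dll").unlink()
        (av / "defs" / "virus.dat").write_bytes(b"signatures-empty")
        (av / "bin" / "keylog.exe").write_bytes(b"MZ-stub-payload")

        return check_integrity(av, load_baseline(store))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run as-is and the report lists `bin/support.dll` as deleted, `defs/virus.dat` as modified and `bin/keylog.exe` as added. The check is only useful if it runs before the product's own services start (or from somewhere the attacker does not control) and the baseline is stored out of reach of the local Administrator; a monitor that a local admin can delete along with everything else buys nothing.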


4 Responses to “Firing the Anti Virus …”

  1. Hemant C. Says:

    The best…. kinjal..

  2. Aditya Says:

    I don't think we can do the same with Microsoft Security Essentials..

    • xpl0it Says:

      I haven't tried with Microsoft Security Essentials. Will try it out and let you know.
      Thanks 🙂
