Hello
Please, can you help me to solve this problem:
I have antivirus and a firewall on the target machine with Windows XP SP2. I encoded the meterpreter/reverse_tcp payload with msfencode to bypass AV. That works great - the antivirus didn't catch anything. But the problem is the firewall. The firewall is configured to ask the user about all inbound and outbound network traffic. So when meterpreter tries to connect back to the attacker, it displays a window to the user and asks him to allow or deny the communication. And if the user decides to deny the communication, no meterpreter session will be opened.
Is it possible to execute the meterpreter script killav.rb after exploitation and before connecting back to the attacker? Or is there any other way to bypass the firewall?
Thanks!
Turn the firewall off. Problem solved.
To be successful here you should read all of the following.
ForumRules
ForumFAQ
If you are new to Back|Track
Back|Track Wiki
Failure to do so will probably get your threads deleted or worse.
It would be too easy... This is just a model situation. Let's say, I don't have physical access to the target computer. I only have remote access.
Easily fixed: your initial payload just needs to make the necessary configuration changes to disable the firewall, or add a rule to allow the traffic you want to allow. Details of how this can be achieved will be firewall specific. Once you know how to do this, simply code something up in the appropriate format to make the change and run it as part of your exploit payload - either as part of the initial shellcode, or perhaps as something otherwise bound within the initial exploit file which can then be extracted and run. The options you have available will depend on the exploit you are using. Looks like you have some research ahead of you...
You could also try something like this. Or you could make use of a program that's already allowed to communicate out via the firewall... *hint* reverse_http *hint*
Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".
The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.