shamwow (posted June 4, 2015):
Can anyone tell me how I can use the USB Rubber Ducky to kill an Antivirus like AVG without getting Access Denied errors?
shamwow (author, posted June 4, 2015):
I want it to kill my AV and then run Webbrowser Passview.exe
mreidiv (posted June 5, 2015, edited June 5, 2015 by mreidiv):
Not sure if this is what you want, but if you look at the killav.rb script in meterpreter it might give you an idea how to do this. http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=10&ved=0CGEQFjAJ&url=http%3A%2F%2Fnull-byte.wonderhowto.com%2Fhow-to%2Fhack-like-pro-kill-and-disable-antivirus-software-remote-pc-0141906%2F&ei=za5xVaGUBo-RyATIm4KgCg&usg=AFQjCNGQhyeNFggKVjwpXTX8qMcN32lQBg&sig2=0uTGDuxyyS9SsUdaNP-4rg
Sildaekar (posted June 6, 2015):
With the Ducky alone, what you are asking is impossible. What I would do is create a program that shuts down all AV on the victim, then put it on a mass storage device, have the Ducky copy it over and run it.
shamwow (author, posted June 12, 2015):
> Not sure if this is what you want, but if you look at the killav.rb script in meterpreter it might give you an idea how to do this. http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=10&ved=0CGEQFjAJ&url=http%3A%2F%2Fnull-byte.wonderhowto.com%2Fhow-to%2Fhack-like-pro-kill-and-disable-antivirus-software-remote-pc-0141906%2F&ei=za5xVaGUBo-RyATIm4KgCg&usg=AFQjCNGQhyeNFggKVjwpXTX8qMcN32lQBg&sig2=0uTGDuxyyS9SsUdaNP-4rg
Maybe I could kill the processes if I am able to get System Admin privileges in a console, but how do I become System Admin? I am only Admin and I don't have enough privileges to stop a service or kill an AV process.
MB60893 (posted July 1, 2015):
You need to know the process name (e.g. for Microsoft Security Essentials, the process is "msseces.exe" in Task Manager) and whether it requires administrative privileges to kill the task. You can then proceed to do this with the cmd command 'taskkill /id "msseces.exe" /f /t'. That will kill the given process. If you need admin privileges, you need to make the Rubber Ducky start cmd with administrator privileges. See examples at USBRubberDucky.com.
NOTE: Some AVs are persistent. It may benefit you to try opening a given AV using the keyboard, then navigating to "Realtime Protection" and turning that off, then once the script has executed, turning Realtime Protection back on again.
shamwow (author, posted July 4, 2015):
> You need to know the process name (e.g. for Microsoft Security Essentials, the process is "msseces.exe" in Task Manager) and whether it requires administrative privileges to kill the task. You can then proceed to do this with the cmd command 'taskkill /id "msseces.exe" /f /t'. That will kill the given process. If you need admin privileges, you need to make the Rubber Ducky start cmd with administrator privileges. See examples at USBRubberDucky.com.
> NOTE: Some AVs are persistent. It may benefit you to try opening a given AV using the keyboard, then navigating to "Realtime Protection" and turning that off, then once the script has executed, turning Realtime Protection back on again.
That didn't work on the current version of AVG.
Rkiver (posted July 4, 2015):
> That didn't work on the current version of AVG.
Of course it wouldn't if you used msseces.exe. However, as pointed out, it may not work even if you used the correct process name.