Jump to content

How can I make the Ducky kill AV?

shamwow

By shamwow
in Classic USB Rubber Ducky

 Share

Recommended Posts

mreidiv Newbie

mreidiv

Posted
Posted (edited)

Not sure if this is what you want but if you look at the killav.rb script in meterpeter it might give you an idea how to so this.

http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=10&ved=0CGEQFjAJ&url=http%3A%2F%2Fnull-byte.wonderhowto.com%2Fhow-to%2Fhack-like-pro-kill-and-disable-antivirus-software-remote-pc-0141906%2F&ei=za5xVaGUBo-RyATIm4KgCg&usg=AFQjCNGQhyeNFggKVjwpXTX8qMcN32lQBg&sig2=0uTGDuxyyS9SsUdaNP-4rg

Edited by mreidiv
Link to comment
Share on other sites
Sildaekar Newbie

Sildaekar

Posted
Posted

With the Ducky alone, what you are asking is impossible. What I would do is create a program that shutsdown all AV on the victim, then put it on a mass storage device, have the ducky copy it over and run.

Link to comment
Share on other sites
shamwow Newbie

shamwow

Posted
  • Author
Posted

Maybe I could kill the processes if I am able to get System Admin privleges in a console but how do I become System Admin? I am only Admin and I don't have enough privledges to stop a service or kill an AV process.

Link to comment
Share on other sites
  • 3 weeks later...
MB60893 Newbie

MB60893

Posted
Posted

You need to know the process name (e.g. for Microsoft Security Essentials, process is "msseces.exe" in task manager) and if it requires administrative privileges to kill the task. You can then proceed to do this with the cmd command 

'taskkill /id "msseces.exe" /f /t'
That will kill the given process. If you need admin privileges, you need to make the rubber ducky start cmd with administrator privileges. See examples at USBRubberDucky.com.

NOTE: Some AV's are persistent. It may benefit you trying to open a given AV using the keyboard, then navigating to "Realtime Protection" turning that off, then once the script has executed, turn Realtime Protection back on again.

Link to comment
Share on other sites
shamwow Newbie

shamwow

Posted
  • Author
Posted

You need to know the process name (e.g. for Microsoft Security Essentials, process is "msseces.exe" in task manager) and if it requires administrative privileges to kill the task. You can then proceed to do this with the cmd command

'taskkill /id "msseces.exe" /f /t'
That will kill the given process. If you need admin privileges, you need to make the rubber ducky start cmd with administrator privileges. See examples at USBRubberDucky.com.

NOTE: Some AV's are persistent. It may benefit you trying to open a given AV using the keyboard, then navigating to "Realtime Protection" turning that off, then once the script has executed, turn Realtime Protection back on again.

that didn't work on the current version of avg.

Link to comment
Share on other sites
Rkiver Collaborator

Rkiver

Posted
Posted

that didn't work on the current version of avg.

Of course it wouldn't if you used msseces.exe

However as pointed out, it may not work even if you used the correct process name.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...