I recently tested a project and ran into anti-virus software during privilege escalation. Multiple tools were killed. Privilege escalation succeeded in every case, but the anti-virus software still caused a fair amount of trouble. In particular, Cain, which is used for sniffing once privilege escalation has succeeded, was killed within seconds. This post summarizes the two anti-virus products I encountered during privilege escalation and how to disable each of them once privileges have been escalated.
1. Disable Trend Micro anti-virus software without a password
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinntcorp\CurrentVersion\Misc.]
"nopwdprotect"=dword:00000001
"allow Uninstall"=dword:00000001

; "nopwdprotect"=dword:00000001 allows exiting Trend Micro without a password; change it to 0 to restore the exit password.
; "allow Uninstall"=dword:00000001 allows uninstalling Trend Micro without a password; change it to 0 to restore the uninstall password.
Save the preceding content as waitalone.reg and double-click it to import it; Trend Micro can then be exited.
2. Crack the password of the McAfee anti-virus software
The password for unlocking the McAfee antivirus software user interface is saved in the following registry path:
HKEY_LOCAL_MACHINE\SOFTWARE\Mcafee\DesktopProtection
The UIP subkey under this path holds the unlock password for the anti-virus user interface, stored as an MD5 hash. You can try to recover the plaintext directly on iis5. If the hash cannot be recovered, you can generate a replacement.
If the user's unlock password for the McAfee VirusScan console has been forgotten, the following approaches can be taken:
Restart the computer, enter Safe Mode, open the registry editor, go to HKEY_LOCAL_MACHINE\SOFTWARE\Mcafee\DesktopProtection, find the UIP subkey, delete it, and restart.
Or
The password has been forgotten and the console cannot be unlocked. Advice found on the Internet is to delete HKEY_LOCAL_MACHINE\SOFTWARE\Mcafee\DesktopProtection\UIP in Safe Mode.
If Safe Mode is not an option, we can try replacing the original value with a known one.
Admin: 19a2854144b63a8f7617a6f225019b12
If you do not want to modify it, try IceSword. If that does not work either, call the data center to reinstall the system.
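Seen from the defender's side, both changes described above leave registry-audit events that can be alerted on. The following is an added example, not part of the original post: it scans Sysmon-style registry events (event IDs 12 and 13) for writes to the values named above. The sample events, the function names, the WOW6432Node handling, the reading of the McAfee key as DesktopProtection and the treatment of UIP as a registry value are assumptions.

```python
import re

# Registry locations named in the article, lower-cased (registry paths are
# case-insensitive). Assumption: events abbreviate the hive as HKLM.
TREND_KEY = r"hklm\software\trendmicro\pc-cillinntcorp\currentversion\misc."
TREND_VALUES = {"nopwdprotect", "allow uninstall"}
MCAFEE_UIP = r"hklm\software\mcafee\desktopprotection\uip"

def normalize(target):
    """Lower-case the path and drop the WOW6432Node redirection segment
    (assumption: a 32-bit product on 64-bit Windows writes there)."""
    path = target.lower().replace("hkey_local_machine", "hklm")
    return path.replace("\\wow6432node\\", "\\")

def dword(details):
    """Parse Sysmon's 'DWORD (0x00000001)' rendering; None if not a DWORD."""
    m = re.fullmatch(r"DWORD \((0x[0-9a-fA-F]+)\)", details.strip())
    return int(m.group(1), 16) if m else None

def check(event):
    """Return an alert string for one registry event, or None."""
    path, kind = normalize(event["TargetObject"]), event["EventType"]
    key, _, value = path.rpartition("\\")
    if (key == TREND_KEY and value in TREND_VALUES and kind == "SetValue"
            and dword(event.get("Details", "")) == 1):
        return f"Trend Micro password protection disabled via '{value}'"
    if path == MCAFEE_UIP and kind in ("SetValue", "DeleteValue"):
        return f"McAfee UI password value UIP: {kind}"
    return None

def scan(events):
    """Return (image, alert) pairs for every event that matches."""
    return [(e["Image"], a) for e in events if (a := check(e))]

T = r"HKLM\SOFTWARE\TrendMicro\PC-cillinntcorp\CurrentVersion\Misc."
M = r"HKLM\SOFTWARE\WOW6432Node\Mcafee\DesktopProtection"
REG = r"C:\Windows\regedit.exe"
SAMPLE_EVENTS = [  # constructed events, not captured from a real host
    {"EventType": "SetValue", "Image": REG, "Details": "DWORD (0x00000001)",
     "TargetObject": T + r"\nopwdprotect"},
    {"EventType": "SetValue", "Image": REG, "Details": "DWORD (0x00000000)",
     "TargetObject": T + r"\allow Uninstall"},   # restore: no alert
    {"EventType": "DeleteValue", "Image": REG, "TargetObject": M + r"\UIP"},
    {"EventType": "SetValue", "Image": REG, "Details": "<constructed>",
     "TargetObject": r"HKLM\SOFTWARE\Mcafee\DesktopProtection\UIP"},
]

if __name__ == "__main__":
    for image, alert in scan(SAMPLE_EVENTS):
        print(f"{image}: {alert}")
```

Any write to these values by a process other than the anti-virus product's own management components is worth investigating, as is a reboot into Safe Mode shortly before the change.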
Anti-Virus Software in penetration testing