Wednesday, August 26, 2020

Tricks To Bypass Device Control Protection Solutions

Preface

As I wrote in a previous blog post, I had an engagement last year where my task was to exfiltrate data from a workstation on some sort of storage media. The twist in that task was Lumension Sanctuary Device Control, version 4.3.2. I am not sure how newer versions work, but this seems to be a more general problem with device control solutions, for example with Symantec products.

But what is a device control solution? In short, it audits I/O device use and blocks attempts to use unauthorized devices. This covers hardware such as USB, PS/2, FireWire and CD/DVD, so basically every I/O port of a computer. In my opinion, these are pretty good things and they are a better-looking solution than de-soldering the I/O ports from the motherboard or hot-gluing them, but on the other hand, they can be bypassed.

Bypass

OK, so what is the problem? The way these device control solutions work is that they load a few kernel drivers to monitor the physical ports of the machine. However, when you boot the protected computer in Safe Mode, depending on the device control software, some of these drivers are not loaded (or, if you are lucky, none of them), and this opens up the possibility to exfiltrate data. The reason is that Safe Mode only loads the drivers and services that are explicitly whitelisted for it in the registry (the SafeBoot keys), so a vendor who did not register its monitoring driver there simply does not get it loaded.

In theory, if you have admin (or SYSTEM) privileges, you might as well try to unload the kernel drivers. Just do not forget that these device control solutions also have a watchdog process that checks the driver and automatically loads it back if it is unloaded, so look for that process and stop or suspend it first. Also keep in mind that a driver that is in use will not necessarily let itself be unloaded, so this stays more of a theoretical option than the Safe Mode one.
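To see up front whether the Safe Mode trick (or the unload trick) is worth trying against a given product, the following script checks which of its drivers and services Windows would still load in Safe Mode. This is an added example, not code from the original post or from any device control vendor; the service names `DeviceControlDrv` and `DeviceControlSvc` are placeholders that you replace with the real ones (e.g. from `sc.exe query type= driver state= all`).

```powershell
# Added example, not from the original post: audit which drivers/services of a
# device control product Windows would still load in Safe Mode.
# Safe Mode loads only what is whitelisted under
#   HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal   (plain Safe Mode)
#   HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network   (Safe Mode with Networking)
# Each subkey there is a service/driver name, a load-order group, or a device-setup
# class GUID; the subkey's (default) value says which kind of entry it is.
# The service names below are placeholders (assumption); replace them with the names
# of the product under test.
param(
    [string[]] $ServiceNames = @('DeviceControlDrv', 'DeviceControlSvc')
)

$SafeBootRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
$StartTypes   = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-SafeBootEntries {
    param([ValidateSet('Minimal', 'Network')] [string] $Mode)
    Get-ChildItem -Path (Join-Path $SafeBootRoot $Mode) | ForEach-Object {
        [pscustomobject]@{
            Name = $_.PSChildName
            # 'Driver', 'Service', 'Driver Group', or a device class name for GUID entries
            Kind = (Get-ItemProperty -Path $_.PSPath).'(default)'
        }
    }
}

function Test-SafeModeLoad {
    param([string] $ServiceName, [ValidateSet('Minimal', 'Network')] [string] $Mode)
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    if (-not (Test-Path $svcKey)) { return 'no such service' }
    $svc     = Get-ItemProperty -Path $svcKey
    $entries = @(Get-SafeBootEntries -Mode $Mode)
    $start   = if ($null -ne $svc.Start) { $StartTypes[[int]$svc.Start] } else { '?' }

    # 1. Whitelisted explicitly by service name?
    if ($entries.Name -contains $ServiceName) {
        return "loads (listed by name, start=$start)"
    }
    # 2. Whitelisted through its load-order group (e.g. 'Base', 'Boot Bus Extender')?
    $group = $svc.Group
    if ($group -and ($entries | Where-Object { $_.Kind -eq 'Driver Group' -and $_.Name -eq $group })) {
        return "loads (load-order group '$group' is listed, start=$start)"
    }
    # 3. Not whitelisted by name or group. It can still come up if it is a PnP function
    #    or filter driver for a device class whose GUID is listed (USB controllers, disk
    #    drives, keyboards ...); a pure port-monitoring driver usually is not, and that
    #    gap is exactly the Safe Mode bypass described in the post.
    return "not whitelisted (start=$start); loads only as a PnP driver of a listed device class"
}

foreach ($name in $ServiceNames) {
    foreach ($mode in 'Minimal', 'Network') {
        '{0,-20} SafeBoot\{1,-8} {2}' -f $name, $mode, (Test-SafeModeLoad -ServiceName $name -Mode $mode)
    }
}
```

Run it as a normal user on the protected workstation; the SafeBoot and Services keys are readable without elevation. A result of "not whitelisted" for the kernel driver but "loads" for the user-mode service is the interesting combination: the watchdog comes up in Safe Mode, but has nothing to watch over.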

In my case with Lumension Sanctuary Device Control, I found that when I booted the workstation protected by the device control software in Safe Mode, the software's key logger protection module was not running... so I was still unable to use a USB stick or other storage media, but I could plug in a keyboard, for example... hmmm :)

As some of you have probably already figured out, now it is possible to use a pre-programmed USB HID, for example a Teensy! :) The usual trick is that a HID keyboard is not a one-way device: the host writes output reports to it (the Caps/Num/Scroll Lock LED state), so a device posing as a keyboard can type in a script that encodes the target data into LED toggles and record what it receives on an SD card. I know of about three different projects that use this trick, like the two mentioned in a Hackaday post, or this one. Unfortunately, the site ob-security.info no longer seems to be available (well, at least it is no longer related to infosec :D), but you can still find the blog post and the files with the Wayback Machine.

For the hardware part, the wiring of the Teensy and the SD card adaptor is the same as I showed in the post on Making a USB flash drive HW Trojan or in the Binary deployment with VBScript, PowerShell or .Net csc.exe compiler post, so I will not copy it here again.

I have to note here that there are other ways to bypass these device control solutions, like the method Dr. Phil Polstra demonstrated with the USB Impersonator, which basically looks for an authorized device's VID/PID and then impersonates that device using the same VID/PID. Keep in mind that VID/PID is under the attacker's full control, so a whitelist that keys only on it is weak; whitelisting on the device serial number raises the bar, although that can be spoofed by custom firmware as well.

Mitigation

Most probably, you will not need Safe Mode for your users, so you can just disable it... I mean, it is not that easy, but luckily there is a great blog post on how to do that. BTW, the first page of the post is for Windows XP, but you are not using XP anymore, are you? ;) Two things to check while you are at it: hiding the boot menu only keeps out users without admin rights (a local admin can still put the machine into Safe Mode with bcdedit or msconfig), and the cleaner fix is to make sure the device control driver is actually registered to load in Safe Mode, which is something to take up with the vendor.
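As an added example of the two hardening steps just mentioned (this is not code from the original post, from the linked guide, or from any vendor), the script below first whitelists the device control driver and its service for Safe Mode, then removes the interactive ways into Safe Mode on a Windows 8 or later workstation. The names `DeviceControlDrv` and `DeviceControlSvc` are placeholders; whether the product's driver actually works when loaded in Safe Mode is an assumption you must confirm with the vendor before rolling this out.

```powershell
# Added example, not from the original post: reduce the Safe Mode bypass surface.
#  (a) whitelist the device control driver/service under SafeBoot\Minimal and
#      SafeBoot\Network, so Safe Mode loads them like any other whitelisted entry;
#  (b) remove the interactive paths into Safe Mode: the legacy F8/Shift+F8 menu,
#      the boot manager menu and the automatic recovery environment.
# Run elevated. Names are placeholders (assumption); confirm with the vendor that the
# driver supports Safe Mode, and test on one machine before deploying.
# Limitation: a local admin can still run  bcdedit /set safeboot minimal  or use
# msconfig, so this only raises the bar for non-admin users with physical access;
# pair it with full-disk encryption and a firmware password.
param(
    [string[]] $DriverNames  = @('DeviceControlDrv'),   # placeholder kernel driver service name
    [string[]] $ServiceNames = @('DeviceControlSvc')    # placeholder user-mode watchdog service
)

$SafeBootRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'

function Add-SafeBootEntry {
    param([string] $Name, [ValidateSet('Driver', 'Service')] [string] $Kind)
    foreach ($mode in 'Minimal', 'Network') {
        $key = Join-Path (Join-Path $SafeBootRoot $mode) $Name
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # The (default) value tells the loader what kind of entry this is.
        Set-ItemProperty -Path $key -Name '(default)' -Value $Kind
        "whitelisted $Kind '$Name' in SafeBoot\$mode"
    }
}

# (a) Safe Mode whitelist
foreach ($d in $DriverNames)  { Add-SafeBootEntry -Name $d -Kind 'Driver' }
foreach ($s in $ServiceNames) { Add-SafeBootEntry -Name $s -Kind 'Service' }

# (b) Boot configuration: 'standard' boot menu policy turns off the legacy F8 menu,
# hiding the boot manager menu removes the F10/F8 options screen, and disabling
# automatic recovery removes the "Startup Settings -> Safe Mode" path offered after
# a failed boot. Braces must be quoted in PowerShell.
& bcdedit.exe /set '{default}' bootmenupolicy standard | Out-Null
& bcdedit.exe /set '{bootmgr}' displaybootmenu no      | Out-Null
& bcdedit.exe /set '{default}' recoveryenabled no      | Out-Null

# Show the resulting entry so the change can be verified (and reverted with the
# same three commands and 'legacy' / 'yes' / 'yes' if something breaks).
& bcdedit.exe /enum '{default}'
```

After rebooting, verify two things by hand: that the device control product still blocks a test USB stick when the machine is started in Safe Mode (boot it deliberately once via `bcdedit /set '{default}' safeboot minimal`, then `bcdedit /deletevalue '{default}' safeboot`), and that Shift+Restart from the sign-in screen no longer offers Startup Settings; if it still does, the recovery environment is reachable by other means and `reagentc /disable` is the next thing to look at.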

Alternatively, as I mentioned at the beginning, you might as well use some physical countermeasure (de-soldering/hot-gluing ports). That shit is ugly, but it kinda works.

Conclusion

Next time you face a device control solution, try out these tricks; maybe they will work, and if they do, well, that's a lot of fun. :)

But don't get me wrong, these device control solutions and similar countermeasures are a good thing and you should use something like this! I know that they make doing business a bit harder, as you are not able to plug in whatever USB stick you want, but if you buy a pile of hardware-encrypted flash drives and only allow those to be plugged in (whitelisted by serial number, not just by VID/PID), you are doing it right ;)
