Saturday, August 22, 2020

Tricks To Bypass Device Control Protection Solutions

Preface

As I wrote in a previous blog post, I had an engagement last year where my task was to exfiltrate data from a workstation on some sort of storage media. The twist in that task was Lumension Sanctuary Device Control, and the version was 4.3.2, but I am not sure how newer version work and this seems to be a more general problem with device control solution, for example with Symantec products.

But what is a device control solution? In short, they audit I/O device use and block the attempts to use unauthorized devices. This includes hardware such as USB, PS/2, FireWire, CD/DVD so basically every I/O port of a computer. In my opinion, these are pretty good things and they offer a better looking solution than de-soldering the I/O ports from the motherboards or hot-gluing them, but on the other hand, they can be bypassed.

Bypass

OK, so what is the problem? Well the way these device control solutions work is that they load a few kernel drivers to monitor the physical ports of the machine. However... when you boot up the protected computer in safe mode, depending on the device control solution software, some of these drivers are not loaded (or if you are lucky, none of those modules will be loaded...) and this opens up the possibility to exfiltrate data.

In theory, if you have admin (SYSTEM maybe?) privileges, you might as well try to unload the kernel drivers. Just do not forget, that these device control solutions also have a watchdog process, that checks the driver and automatically loads it back if it is unloaded, so look for that process and stop or suspend it first.

In my case with the Lumension Sanctuary Device Control, I have found that when I boot the Workstation protected by the device control software in Safe Mode where, software's key logger protection module is not running... so I was still unable to use a USB stick, or a storage media, but I could plug in a keyboard for example...hmmm :)

As some of you probably already figured it out, now it is possible to use a pre-programmed USB HID, for example a Teensy! : ) I know about three different project, that uses this trick like these two mentioned in a Hackaday post, or this one. Unfortunately, the site ob-security.info no longer seems to be available (well, at least it is no longer related to infosec :D ), but you can still find the blog post and the files with the Wayback Machine.

For the hardware part, the wiring of the Teensy and the SD card adaptor is the same as I showed in the post on Making a USB flash drive HW Trojan or in the Binary deployment with VBScript, PowerShell or .Net csc.exe compiler post, so I will not copy it here again.

I have to note here that there are other ways to bypass these device control solutions, like the method what Dr. Phil Polstra did with the USB Impersonator, which is basically looks for an authorized device VID/PID and then  impersonates that devices with the VID/PID.

Mitigation

Most probably, you will not need safe mode for the users, so you can just disable it... I mean, it is not that easy, but luckily there is a great blog post on how to do that. BTW, the first page of the post is for Windows XP, but you are not using XP anymore, aren't you? ;)

Alternatively, as I mentioned at the beginning, you might as well use some physical countermeasure (de-soldering/hot-gluing ports). That shit is ugly, but it kinda works.

Conclusion

Next time you will face a device control solution, try out these tricks, maybe they will work, and if they do, well, that's a lot of fun. :)

But don't get me wrong, these device control solutions and similar countermeasures are a good thing and you should use something like this! I know that they make doing business a bit harder as you are not able to plugin whatever USB stick you want, but if you buy a pile of hardware encrypted flash drives, and only allow  those to be plugged in, you are doing it right ;)

Related posts


  1. Pentest Automation Tools
  2. Physical Pentest Tools
  3. Hacking Tools For Games
  4. What Is Hacking Tools
  5. Hacker Tools Software
  6. Hacker Tools Software
  7. Hacking Tools Hardware
  8. Ethical Hacker Tools
  9. Hacking Tools For Kali Linux
  10. Growth Hacker Tools
  11. Hacking Tools
  12. Hack App
  13. Hacker Techniques Tools And Incident Handling
  14. Hackers Toolbox
  15. Hacking Tools Free Download
  16. Hacking Tools
  17. Hacker Security Tools
  18. Hacking Tools Pc
  19. How To Make Hacking Tools
  20. Kik Hack Tools
  21. Hacker Tools Online
  22. Free Pentest Tools For Windows
  23. Hacker Tools Online
  24. Wifi Hacker Tools For Windows
  25. Hacking Tools For Windows Free Download
  26. Hacker Tools For Mac
  27. Pentest Tools Website Vulnerability
  28. Blackhat Hacker Tools
  29. Pentest Tools Tcp Port Scanner
  30. Hack Apps
  31. Pentest Tools Apk
  32. Pentest Recon Tools
  33. How To Install Pentest Tools In Ubuntu
  34. Hacking Tools Download
  35. Hacking Tools For Kali Linux
  36. Github Hacking Tools
  37. Pentest Tools Github
  38. Hacker Tools List
  39. Hack And Tools
  40. Pentest Recon Tools
  41. Hack Tools For Mac
  42. Wifi Hacker Tools For Windows
  43. How To Install Pentest Tools In Ubuntu
  44. Usb Pentest Tools
  45. Hack Tools For Games
  46. Hack Website Online Tool
  47. Nsa Hack Tools Download
  48. Pentest Tools Kali Linux
  49. What Are Hacking Tools
  50. Pentest Tools Website
  51. Hacking Tools Software
  52. Hack Tools 2019
  53. Hacking Tools Hardware
  54. Hack Apps
  55. Android Hack Tools Github
  56. Hackrf Tools
  57. Hack Tools Pc
  58. Black Hat Hacker Tools
  59. Computer Hacker
  60. What Is Hacking Tools
  61. Hackers Toolbox
  62. Hacking Tools 2019
  63. Hacking Tools Name
  64. Tools For Hacker
  65. Hack Tools For Pc
  66. Hacker Tools Free Download
  67. Hack Tools For Games
  68. Hacking Tools Name
  69. Best Hacking Tools 2019
  70. Hacking Tools Windows
  71. Best Hacking Tools 2019
  72. Pentest Tools Alternative
  73. Hacker Security Tools
  74. Pentest Tools Find Subdomains
  75. Hackers Toolbox
  76. Hacking Tools Free Download
  77. Install Pentest Tools Ubuntu
  78. Hacker Tools For Mac
  79. Hacking Tools Name
  80. Kik Hack Tools
  81. What Is Hacking Tools
  82. Hack Tools Github
  83. Hacker Tools 2019
  84. Hacking Tools Pc
  85. Underground Hacker Sites
  86. Pentest Tools Url Fuzzer
  87. Hack Tools
  88. Best Hacking Tools 2020
  89. Hacking Tools Name
  90. Hacking Tools Online
  91. Pentest Tools Alternative
  92. Underground Hacker Sites
  93. Hacking Tools Download
  94. Wifi Hacker Tools For Windows
  95. Nsa Hacker Tools
  96. Pentest Tools Find Subdomains
  97. Hacker Tools For Pc
  98. Hacker Tools List
  99. Pentest Recon Tools
  100. Hacking Tools 2020
  101. Black Hat Hacker Tools
  102. Hacking Tools And Software
  103. Hacking Tools Github
  104. What Are Hacking Tools
  105. Pentest Tools Alternative
  106. Hacker Tools Free Download
  107. Game Hacking
  108. Blackhat Hacker Tools
  109. Hack Tools For Games
  110. Hacker Tools Github
  111. Tools 4 Hack
  112. Hack Tools For Pc
  113. Hack Tools For Pc
  114. Hacker Tools For Mac
  115. Blackhat Hacker Tools
  116. Hacking Tools Software
  117. Hacking Tools Free Download
  118. Hack Tools For Mac
  119. Hacking Tools For Windows
  120. Hacking Tools Name
  121. What Are Hacking Tools
  122. Best Hacking Tools 2019
  123. Hacking Tools For Mac
  124. Pentest Tools Framework
  125. Pentest Tools
  126. Hacking Tools For Kali Linux
  127. World No 1 Hacker Software
  128. Usb Pentest Tools
  129. Hackrf Tools
  130. Hack Website Online Tool
  131. Pentest Tools Nmap
  132. Pentest Tools Framework
  133. Hacking Tools Software
  134. Hacker Tools Online
  135. Pentest Tools Subdomain
  136. Hacker Search Tools
  137. Underground Hacker Sites
  138. Hacking Tools Download
  139. Hacking Tools Download
  140. Pentest Tools
  141. Kik Hack Tools
  142. Hacker Tools Apk Download
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)