Tricks To Bypass Device Control Protection Solutions

Preface

As I wrote in a previous blog post, I had an engagement last year where my task was to exfiltrate data from a workstation on some sort of storage media. The twist in that task was Lumension Sanctuary Device Control, and the version was 4.3.2, but I am not sure how newer version work and this seems to be a more general problem with device control solution, for example with Symantec products.

But what is a device control solution? In short, they audit I/O device use and block the attempts to use unauthorized devices. This includes hardware such as USB, PS/2, FireWire, CD/DVD so basically every I/O port of a computer. In my opinion, these are pretty good things and they offer a better looking solution than de-soldering the I/O ports from the motherboards or hot-gluing them, but on the other hand, they can be bypassed.

Bypass

OK, so what is the problem? Well the way these device control solutions work is that they load a few kernel drivers to monitor the physical ports of the machine. However... when you boot up the protected computer in safe mode, depending on the device control solution software, some of these drivers are not loaded (or if you are lucky, none of those modules will be loaded...) and this opens up the possibility to exfiltrate data.

In theory, if you have admin (SYSTEM maybe?) privileges, you might as well try to unload the kernel drivers. Just do not forget, that these device control solutions also have a watchdog process, that checks the driver and automatically loads it back if it is unloaded, so look for that process and stop or suspend it first.

In my case with the Lumension Sanctuary Device Control, I have found that when I boot the Workstation protected by the device control software in Safe Mode where, software's key logger protection module is not running... so I was still unable to use a USB stick, or a storage media, but I could plug in a keyboard for example...hmmm :)

As some of you probably already figured it out, now it is possible to use a pre-programmed USB HID, for example a Teensy! : ) I know about three different project, that uses this trick like these two mentioned in a Hackaday post, or this one. Unfortunately, the site ob-security.info no longer seems to be available (well, at least it is no longer related to infosec :D ), but you can still find the blog post and the files with the Wayback Machine.

For the hardware part, the wiring of the Teensy and the SD card adaptor is the same as I showed in the post on Making a USB flash drive HW Trojan or in the Binary deployment with VBScript, PowerShell or .Net csc.exe compiler post, so I will not copy it here again.

I have to note here that there are other ways to bypass these device control solutions, like the method what Dr. Phil Polstra did with the USB Impersonator, which is basically looks for an authorized device VID/PID and then  impersonates that devices with the VID/PID.

Mitigation

Most probably, you will not need safe mode for the users, so you can just disable it... I mean, it is not that easy, but luckily there is a great blog post on how to do that. BTW, the first page of the post is for Windows XP, but you are not using XP anymore, aren't you? ;)

Alternatively, as I mentioned at the beginning, you might as well use some physical countermeasure (de-soldering/hot-gluing ports). That shit is ugly, but it kinda works.

Conclusion

Next time you will face a device control solution, try out these tricks, maybe they will work, and if they do, well, that's a lot of fun. :)

But don't get me wrong, these device control solutions and similar countermeasures are a good thing and you should use something like this! I know that they make doing business a bit harder as you are not able to plugin whatever USB stick you want, but if you buy a pile of hardware encrypted flash drives, and only allow  those to be plugged in, you are doing it right ;)

More articles


  1. Pentest Tools Tcp Port Scanner
  2. Hacker Tools Mac
  3. Hacking Tools Software
  4. Pentest Tools Subdomain
  5. Hacker Tools For Mac
  6. Hackrf Tools
  7. What Are Hacking Tools
  8. Hacking Tools For Pc
  9. Hack Tools Pc
  10. Hacker Tools 2019
  11. Hack And Tools
  12. How To Make Hacking Tools
  13. Pentest Tools Kali Linux
  14. Hacker Tool Kit
  15. Ethical Hacker Tools
  16. Hacking Tools Free Download
  17. Hacking Tools Mac
  18. Computer Hacker
  19. Pentest Tools Review
  20. Hacker Tools Apk Download
  21. Github Hacking Tools
  22. Hacking Tools Windows
  23. Pentest Tools Open Source
  24. Nsa Hack Tools Download
  25. Hack App
  26. Usb Pentest Tools
  27. Pentest Automation Tools
  28. Hacking Tools And Software
  29. Kik Hack Tools
  30. Hacker Tools For Windows
  31. Hacking Tools Windows
  32. Free Pentest Tools For Windows
  33. Pentest Tools List
  34. Hacking Tools Windows 10
  35. Hacking Tools Github
  36. Pentest Tools For Windows
  37. Hacking Tools Github
  38. Physical Pentest Tools
  39. Hacker Tools Online
  40. Hacker Tools Free Download
  41. Hack Tools For Mac
  42. Nsa Hack Tools Download
  43. Hacker Tools Free Download
  44. Hacking Apps
  45. Hack Tools For Mac
  46. Hack Tool Apk No Root
  47. Hacking Tools For Games
  48. How To Hack
  49. Top Pentest Tools
  50. Hacking Tools 2020
  51. Hacking Tools Online
  52. Hacker
  53. Hacker Tools Github
  54. Hacking Tools Download
  55. Hack Tool Apk No Root
  56. Hacker Tool Kit
  57. Pentest Tools Website
  58. Hack Tools Github
  59. Pentest Automation Tools
  60. Hacking Tools For Windows
  61. Hack Rom Tools
  62. Pentest Tools Github
  63. Blackhat Hacker Tools
  64. Hack Tools For Pc
  65. Pentest Tools Github
  66. Tools Used For Hacking
  67. Hacking Tools Software
  68. Hacking Tools For Kali Linux
  69. Hack And Tools
  70. Hack Tools For Games
  71. Hacking Tools Download
  72. Hacking Tools 2020
  73. Hacking Tools For Windows
  74. Pentest Tools Github
  75. Hacking Tools Download
  76. Hacker Tools For Mac
  77. Pentest Box Tools Download
  78. Pentest Recon Tools
  79. Hacking Tools Pc
  80. Pentest Box Tools Download
  81. Computer Hacker
  82. Pentest Tools Review
  83. Hack Tools For Mac
  84. Hacking Tools 2019
  85. Hacker Tools Windows
  86. Usb Pentest Tools
  87. Pentest Tools Find Subdomains
  88. Hack Rom Tools
  89. Hacking Apps
  90. Pentest Tools Download
  91. Hacking Tools 2019
  92. Hack Rom Tools
  93. Hack Website Online Tool
  94. Pentest Tools Website
  95. New Hacker Tools
  96. Hacking Tools
  97. Hacking Tools Software
  98. Hacking Tools Mac
  99. Best Pentesting Tools 2018
  100. Hacker Tools For Ios
  101. Kik Hack Tools
  102. Hack Tools Online
  103. Pentest Tools Subdomain
  104. Pentest Tools Windows
  105. Hacking Tools For Windows
  106. Hack And Tools
  107. Hacking Tools For Mac
  108. Hack Tool Apk No Root
  109. Underground Hacker Sites
  110. Wifi Hacker Tools For Windows
  111. Pentest Tools Online
  112. Pentest Tools Online
  113. Hacking Tools Hardware
  114. Pentest Tools Alternative
  115. Top Pentest Tools
  116. Pentest Tools Bluekeep
  117. Hacking Tools Mac
  118. Hack Tools Download
  119. Physical Pentest Tools
  120. Hacking Tools For Games
  121. Bluetooth Hacking Tools Kali
  122. Hacking Tools Github

Tidak ada komentar:

Posting Komentar

Langganan: Posting Komentar (Atom)