Monday, 24 August 2020

Tricks To Bypass Device Control Protection Solutions

Preface

As I wrote in a previous blog post, I had an engagement last year where my task was to exfiltrate data from a workstation on some sort of storage media. The twist in that task was Lumension Sanctuary Device Control, and the version was 4.3.2, but I am not sure how newer version work and this seems to be a more general problem with device control solution, for example with Symantec products.

But what is a device control solution? In short, they audit I/O device use and block the attempts to use unauthorized devices. This includes hardware such as USB, PS/2, FireWire, CD/DVD so basically every I/O port of a computer. In my opinion, these are pretty good things and they offer a better looking solution than de-soldering the I/O ports from the motherboards or hot-gluing them, but on the other hand, they can be bypassed.

Bypass

OK, so what is the problem? Well the way these device control solutions work is that they load a few kernel drivers to monitor the physical ports of the machine. However... when you boot up the protected computer in safe mode, depending on the device control solution software, some of these drivers are not loaded (or if you are lucky, none of those modules will be loaded...) and this opens up the possibility to exfiltrate data.

In theory, if you have admin (SYSTEM maybe?) privileges, you might as well try to unload the kernel drivers. Just do not forget, that these device control solutions also have a watchdog process, that checks the driver and automatically loads it back if it is unloaded, so look for that process and stop or suspend it first.

In my case with the Lumension Sanctuary Device Control, I have found that when I boot the Workstation protected by the device control software in Safe Mode where, software's key logger protection module is not running... so I was still unable to use a USB stick, or a storage media, but I could plug in a keyboard for example...hmmm :)

As some of you probably already figured it out, now it is possible to use a pre-programmed USB HID, for example a Teensy! : ) I know about three different project, that uses this trick like these two mentioned in a Hackaday post, or this one. Unfortunately, the site ob-security.info no longer seems to be available (well, at least it is no longer related to infosec :D ), but you can still find the blog post and the files with the Wayback Machine.

For the hardware part, the wiring of the Teensy and the SD card adaptor is the same as I showed in the post on Making a USB flash drive HW Trojan or in the Binary deployment with VBScript, PowerShell or .Net csc.exe compiler post, so I will not copy it here again.

I have to note here that there are other ways to bypass these device control solutions, like the method what Dr. Phil Polstra did with the USB Impersonator, which is basically looks for an authorized device VID/PID and then  impersonates that devices with the VID/PID.

Mitigation

Most probably, you will not need safe mode for the users, so you can just disable it... I mean, it is not that easy, but luckily there is a great blog post on how to do that. BTW, the first page of the post is for Windows XP, but you are not using XP anymore, aren't you? ;)

Alternatively, as I mentioned at the beginning, you might as well use some physical countermeasure (de-soldering/hot-gluing ports). That shit is ugly, but it kinda works.

Conclusion

Next time you will face a device control solution, try out these tricks, maybe they will work, and if they do, well, that's a lot of fun. :)

But don't get me wrong, these device control solutions and similar countermeasures are a good thing and you should use something like this! I know that they make doing business a bit harder as you are not able to plugin whatever USB stick you want, but if you buy a pile of hardware encrypted flash drives, and only allow  those to be plugged in, you are doing it right ;)

Continue reading

  1. Hacker Tools For Mac
  2. Pentest Tools Port Scanner
  3. Hacker Tools Online
  4. Underground Hacker Sites
  5. Hack Tools Online
  6. Pentest Tools Review
  7. Hacking Tools Download
  8. Hack Tools Download
  9. Easy Hack Tools
  10. Hacker Tools Linux
  11. Usb Pentest Tools
  12. Hack Tools Online
  13. Pentest Tools Review
  14. Underground Hacker Sites
  15. Best Hacking Tools 2019
  16. Hacking Tools Hardware
  17. Pentest Tools
  18. Hacker Security Tools
  19. Pentest Tools Android
  20. Hack Tools For Ubuntu
  21. Hacker Hardware Tools
  22. Best Pentesting Tools 2018
  23. Hacking Tools Download
  24. Hack Tools Download
  25. Pentest Reporting Tools
  26. Pentest Tools
  27. Hacking Tools
  28. Hacker Tools Free
  29. Hacker Tools Apk Download
  30. Free Pentest Tools For Windows
  31. Hacking Tools Hardware
  32. Hacker Tool Kit
  33. Blackhat Hacker Tools
  34. Hackers Toolbox
  35. Hacking Tools Online
  36. Pentest Tools Framework
  37. Hacker Tools Hardware
  38. Hacking Tools 2019
  39. Hacking Tools For Pc
  40. Underground Hacker Sites
  41. Hacking Apps
  42. Hacking Tools Pc
  43. Pentest Tools Open Source
  44. Pentest Tools For Windows
  45. Computer Hacker
  46. Hacking Tools For Games
  47. Hacking Tools Windows 10
  48. Computer Hacker
  49. Hacker Tools Online
  50. Pentest Tools Bluekeep
  51. Blackhat Hacker Tools
  52. Hack Tools Mac
  53. Best Hacking Tools 2019
  54. Hacker Tools Windows
  55. Hacking Tools Windows
  56. How To Make Hacking Tools
  57. Hacking Tools For Windows Free Download
  58. Hack Tools For Ubuntu
  59. Hacker Tools
  60. Pentest Reporting Tools
  61. Hacking Tools For Pc
  62. Hacking Tools For Windows Free Download
  63. Hack Tools 2019
  64. Hacker Tools Windows
  65. Pentest Tools Review
  66. Pentest Tools Find Subdomains
  67. What Is Hacking Tools
  68. Growth Hacker Tools
  69. Pentest Tools Free
  70. Pentest Tools Review
  71. Pentest Tools Port Scanner
  72. Kik Hack Tools
  73. Pentest Automation Tools
  74. Hacking Tools Windows
  75. Pentest Tools Apk
  76. Hack Tools Download
  77. Hacker Tools Online
  78. Hacker
  79. Hacker Tools Free Download
  80. Hack Tools For Pc
  81. Hacker Tools Linux
  82. Hacker Tools For Ios
  83. Hacking Tools For Windows Free Download
  84. Best Pentesting Tools 2018
  85. Pentest Box Tools Download
  86. Hacker Tools Windows
  87. Bluetooth Hacking Tools Kali
  88. Pentest Tools Subdomain
  89. Hacking Apps
  90. Hacking Tools For Games
  91. Hack Tools Mac
  92. Hacking Tools Pc
  93. Hack Tools 2019
  94. Hackers Toolbox
  95. Hack Tools Pc
  96. Hacker Tools Apk Download
  97. Hacking Tools For Mac
  98. Tools For Hacker
  99. Hacking Tools Kit
  100. Pentest Tools Open Source
  101. Hack Rom Tools
  102. Tools For Hacker
  103. Hacker Tools Github
  104. Pentest Tools Tcp Port Scanner
  105. Best Hacking Tools 2019
  106. Hacking Tools For Pc
  107. Hacker Tools For Ios
  108. Hacking Tools Kit
  109. Pentest Tools Open Source
  110. Hacking Tools For Mac
  111. How To Hack
  112. Hacking Tools Online
  113. Hacking Tools 2019
  114. Pentest Tools Linux
  115. Pentest Tools
  116. Hack Rom Tools
  117. Hacking Tools Github
  118. Hacker Security Tools
  119. Bluetooth Hacking Tools Kali
  120. Hack Tools
  121. Physical Pentest Tools
  122. Github Hacking Tools
  123. Hacking Tools Free Download
  124. Hack Tools Pc
  125. Top Pentest Tools
  126. Hacker Tool Kit
  127. Hacking Tools Free Download
  128. Best Hacking Tools 2020
  129. Pentest Tools For Windows
  130. Hacking Tools For Kali Linux
  131. New Hacker Tools
  132. Game Hacking
  133. Pentest Tools Url Fuzzer
  134. Hacker Tools Apk Download
  135. Hacker Tools Apk Download
  136. Pentest Tools Github
  137. Hack Tools Online
  138. What Are Hacking Tools
  139. Hacker Hardware Tools
  140. Hacker Tools Mac
  141. Hack Tools
  142. Hack Tools Pc
  143. Pentest Tools Kali Linux
  144. Hacker Tools For Pc
  145. Hack App
  146. Black Hat Hacker Tools
  147. What Is Hacking Tools
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)