Noteable Posts

Loading...

Tuesday, August 25, 2020

Tricks To Bypass Device Control Protection Solutions

Preface

As I wrote in a previous blog post, I had an engagement last year where my task was to exfiltrate data from a workstation on some sort of storage media. The twist in that task was Lumension Sanctuary Device Control, and the version was 4.3.2, but I am not sure how newer version work and this seems to be a more general problem with device control solution, for example with Symantec products.

But what is a device control solution? In short, they audit I/O device use and block the attempts to use unauthorized devices. This includes hardware such as USB, PS/2, FireWire, CD/DVD so basically every I/O port of a computer. In my opinion, these are pretty good things and they offer a better looking solution than de-soldering the I/O ports from the motherboards or hot-gluing them, but on the other hand, they can be bypassed.

Bypass

OK, so what is the problem? Well the way these device control solutions work is that they load a few kernel drivers to monitor the physical ports of the machine. However... when you boot up the protected computer in safe mode, depending on the device control solution software, some of these drivers are not loaded (or if you are lucky, none of those modules will be loaded...) and this opens up the possibility to exfiltrate data.

In theory, if you have admin (SYSTEM maybe?) privileges, you might as well try to unload the kernel drivers. Just do not forget, that these device control solutions also have a watchdog process, that checks the driver and automatically loads it back if it is unloaded, so look for that process and stop or suspend it first.

In my case with the Lumension Sanctuary Device Control, I have found that when I boot the Workstation protected by the device control software in Safe Mode where, software's key logger protection module is not running... so I was still unable to use a USB stick, or a storage media, but I could plug in a keyboard for example...hmmm :)

As some of you probably already figured it out, now it is possible to use a pre-programmed USB HID, for example a Teensy! : ) I know about three different project, that uses this trick like these two mentioned in a Hackaday post, or this one. Unfortunately, the site ob-security.info no longer seems to be available (well, at least it is no longer related to infosec :D ), but you can still find the blog post and the files with the Wayback Machine.

For the hardware part, the wiring of the Teensy and the SD card adaptor is the same as I showed in the post on Making a USB flash drive HW Trojan or in the Binary deployment with VBScript, PowerShell or .Net csc.exe compiler post, so I will not copy it here again.

I have to note here that there are other ways to bypass these device control solutions, like the method what Dr. Phil Polstra did with the USB Impersonator, which is basically looks for an authorized device VID/PID and then  impersonates that devices with the VID/PID.

Mitigation

Most probably, you will not need safe mode for the users, so you can just disable it... I mean, it is not that easy, but luckily there is a great blog post on how to do that. BTW, the first page of the post is for Windows XP, but you are not using XP anymore, aren't you? ;)

Alternatively, as I mentioned at the beginning, you might as well use some physical countermeasure (de-soldering/hot-gluing ports). That shit is ugly, but it kinda works.

Conclusion

Next time you will face a device control solution, try out these tricks, maybe they will work, and if they do, well, that's a lot of fun. :)

But don't get me wrong, these device control solutions and similar countermeasures are a good thing and you should use something like this! I know that they make doing business a bit harder as you are not able to plugin whatever USB stick you want, but if you buy a pile of hardware encrypted flash drives, and only allow  those to be plugged in, you are doing it right ;)

Read more


  1. Hacking Tools For Windows
  2. Hacking Tools For Windows 7
  3. Pentest Tools Open Source
  4. Hacking Tools Windows
  5. Nsa Hacker Tools
  6. Hacking Tools 2019
  7. Hacking Tools Usb
  8. Wifi Hacker Tools For Windows
  9. Hacks And Tools
  10. Hacking Tools Software
  11. Pentest Tools Find Subdomains
  12. Hacking Tools Windows
  13. Pentest Tools Url Fuzzer
  14. Hacking Tools Github
  15. Pentest Box Tools Download
  16. Hacking Tools For Games
  17. Pentest Reporting Tools
  18. Hack Website Online Tool
  19. Hack Tool Apk No Root
  20. Hack Tools Download
  21. Hacker Tools Free
  22. Pentest Tools Kali Linux
  23. Hacker Tools Github
  24. Hacker Tools For Pc
  25. Hack App
  26. Hack Tools Online
  27. Hackrf Tools
  28. Hacking Tools And Software
  29. New Hack Tools
  30. Hack Tools
  31. Hacker Tools Mac
  32. Best Pentesting Tools 2018
  33. Hacker Tools For Ios
  34. Pentest Tools For Android
  35. Hacker Tool Kit
  36. Hack Tool Apk No Root
  37. Pentest Tools Open Source
  38. Pentest Tools Download
  39. Hacking Tools Windows 10
  40. Blackhat Hacker Tools
  41. Free Pentest Tools For Windows
  42. Pentest Tools Website
  43. Bluetooth Hacking Tools Kali
  44. Hacking Tools Windows 10
  45. Black Hat Hacker Tools
  46. Kik Hack Tools
  47. Game Hacking
  48. What Is Hacking Tools
  49. Hack Tool Apk
  50. Pentest Tools Kali Linux
  51. Kik Hack Tools
  52. Hacking Apps
  53. Hacking App
  54. Pentest Tools
  55. Computer Hacker
  56. Hack Tools For Ubuntu
  57. Bluetooth Hacking Tools Kali
  58. Pentest Reporting Tools
  59. Growth Hacker Tools
  60. Hacker Tools For Pc
  61. Hacking Tools For Kali Linux
  62. Physical Pentest Tools
  63. Hacker Tools For Ios
  64. Hacking Tools Hardware
  65. Hacker Techniques Tools And Incident Handling
  66. New Hacker Tools
  67. Hack Tools Pc
  68. Hacker Hardware Tools
  69. Hacker Tools Online
  70. Hack Tools Online
  71. Pentest Tools Open Source
  72. Hacking Tools For Pc
  73. Hacker Tools Mac
  74. Hack Tools For Games
  75. Pentest Tools Online
  76. Hacking Tools For Pc
  77. Hacker Tools Apk Download
  78. Pentest Tools Website
  79. Physical Pentest Tools
  80. Kik Hack Tools
  81. Pentest Tools Review
  82. Hack Tools 2019
  83. Tools For Hacker
  84. Hack Apps
  85. Hacker Tools Linux
  86. Pentest Tools Framework
  87. Pentest Tools Website Vulnerability
  88. Pentest Tools Nmap
  89. Pentest Tools For Mac
  90. Hacker Tools For Windows
  91. Termux Hacking Tools 2019
  92. Pentest Tools Online
  93. Pentest Box Tools Download
  94. Pentest Tools Port Scanner
  95. Best Pentesting Tools 2018
  96. Hack Tools Github
  97. Hacker Tools For Pc
  98. Hacker Tools Free
  99. Hacking Tools Github
  100. Hacker Tools Online
  101. Pentest Tools Subdomain
  102. Install Pentest Tools Ubuntu
  103. Hack Apps
  104. Hacker Tools Free
  105. Pentest Tools Review
  106. Top Pentest Tools
  107. Hack Tools Github
  108. Hacking Tools For Windows
  109. Hack Apps
  110. Hacking Tools Download
  111. Hacker Tools Linux
  112. Hack Rom Tools
  113. Top Pentest Tools
  114. Hacking Tools Github
  115. Pentest Recon Tools
  116. Github Hacking Tools
  117. Pentest Tools Online
  118. Hacker Search Tools
  119. What Is Hacking Tools
  120. Hack Tools
  121. Hacker Tools Software
  122. Pentest Tools
  123. Hacking Tools For Mac
  124. Hacking Tools Free Download
  125. Beginner Hacker Tools
  126. Hacker Tools 2020
  127. Best Pentesting Tools 2018
  128. Pentest Tools Online
  129. Hacker Tools Github

Posted by Shongshoptok at 7:13 AM

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)