Preface
As I wrote in a previous blog post, I had an engagement last year where my task was to exfiltrate data from a workstation on some sort of storage media. The twist in that task was Lumension Sanctuary Device Control, and the version was 4.3.2, but I am not sure how newer version work and this seems to be a more general problem with device control solution, for example with Symantec products.
But what is a device control solution? In short, they audit I/O device use and block the attempts to use unauthorized devices. This includes hardware such as USB, PS/2, FireWire, CD/DVD so basically every I/O port of a computer. In my opinion, these are pretty good things and they offer a better looking solution than de-soldering the I/O ports from the motherboards or hot-gluing them, but on the other hand, they can be bypassed.
Bypass
OK, so what is the problem? Well the way these device control solutions work is that they load a few kernel drivers to monitor the physical ports of the machine. However... when you boot up the protected computer in safe mode, depending on the device control solution software, some of these drivers are not loaded (or if you are lucky, none of those modules will be loaded...) and this opens up the possibility to exfiltrate data.
In theory, if you have admin (SYSTEM maybe?) privileges, you might as well try to unload the kernel drivers. Just do not forget, that these device control solutions also have a watchdog process, that checks the driver and automatically loads it back if it is unloaded, so look for that process and stop or suspend it first.
In theory, if you have admin (SYSTEM maybe?) privileges, you might as well try to unload the kernel drivers. Just do not forget, that these device control solutions also have a watchdog process, that checks the driver and automatically loads it back if it is unloaded, so look for that process and stop or suspend it first.
In my case with the Lumension Sanctuary Device Control, I have found that when I boot the Workstation protected by the device control software in Safe Mode where, software's key logger protection module is not running... so I was still unable to use a USB stick, or a storage media, but I could plug in a keyboard for example...hmmm :)
As some of you probably already figured it out, now it is possible to use a pre-programmed USB HID, for example a Teensy! : ) I know about three different project, that uses this trick like these two mentioned in a Hackaday post, or this one. Unfortunately, the site ob-security.info no longer seems to be available (well, at least it is no longer related to infosec :D ), but you can still find the blog post and the files with the Wayback Machine.
For the hardware part, the wiring of the Teensy and the SD card adaptor is the same as I showed in the post on Making a USB flash drive HW Trojan or in the Binary deployment with VBScript, PowerShell or .Net csc.exe compiler post, so I will not copy it here again.
I have to note here that there are other ways to bypass these device control solutions, like the method what Dr. Phil Polstra did with the USB Impersonator, which is basically looks for an authorized device VID/PID and then impersonates that devices with the VID/PID.
Mitigation
Most probably, you will not need safe mode for the users, so you can just disable it... I mean, it is not that easy, but luckily there is a great blog post on how to do that. BTW, the first page of the post is for Windows XP, but you are not using XP anymore, aren't you? ;)
Alternatively, as I mentioned at the beginning, you might as well use some physical countermeasure (de-soldering/hot-gluing ports). That shit is ugly, but it kinda works.
Conclusion
Next time you will face a device control solution, try out these tricks, maybe they will work, and if they do, well, that's a lot of fun. :)
But don't get me wrong, these device control solutions and similar countermeasures are a good thing and you should use something like this! I know that they make doing business a bit harder as you are not able to plugin whatever USB stick you want, but if you buy a pile of hardware encrypted flash drives, and only allow those to be plugged in, you are doing it right ;)
More info
- Hack Tools For Games
- Hackers Toolbox
- Hacker
- Tools Used For Hacking
- Pentest Tools Free
- Pentest Tools Open Source
- Pentest Tools Github
- What Is Hacking Tools
- How To Install Pentest Tools In Ubuntu
- Hacking Tools For Windows
- Tools For Hacker
- Termux Hacking Tools 2019
- Hacking Tools Pc
- Pentest Tools Tcp Port Scanner
- What Are Hacking Tools
- Pentest Tools Online
- Hacker Tools Online
- Hacker Tools Software
- New Hack Tools
- Hacker Tools List
- Hackrf Tools
- Pentest Tools Bluekeep
- Hacker Tools For Ios
- Pentest Tools
- Hacker Tools For Ios
- Easy Hack Tools
- Easy Hack Tools
- Kik Hack Tools
- Black Hat Hacker Tools
- Pentest Tools Subdomain
- Hacking Tools For Beginners
- Pentest Tools Framework
- Hacker Tools
- Physical Pentest Tools
- Ethical Hacker Tools
- Hak5 Tools
- Hack Tools Online
- Hacker Tools
- Hacker Hardware Tools
- Hacker Tools Windows
- Hacker Tools Apk
- Underground Hacker Sites
- Hacker Tools
- Hacker Tools Linux
- Best Pentesting Tools 2018
- Pentest Tools Nmap
- Nsa Hacker Tools
- Hack Tools For Games
- Hacker Tools For Windows
- Best Pentesting Tools 2018
- Pentest Tools Github
- Pentest Tools Find Subdomains
- Underground Hacker Sites
- Hack Tools Download
- Bluetooth Hacking Tools Kali
- Hacking Tools For Pc
- Hacker Techniques Tools And Incident Handling
- Hacker Tool Kit
- Pentest Tools Website
- What Is Hacking Tools
- Hacking Tools For Windows Free Download
- World No 1 Hacker Software
- Hack Tool Apk No Root
- Hacker Tools Github
- Hacker Hardware Tools
- Physical Pentest Tools
- Blackhat Hacker Tools
- Hacking Tools Software
- Pentest Reporting Tools
- Hacking Tools For Beginners
- Pentest Tools Online
- Pentest Tools For Ubuntu
- Hack Rom Tools
- Hack Tools For Games
- Hack Tools Pc
- Hacking Tools For Mac
- Hacking Tools Mac
- Pentest Tools For Windows
- Hacking Tools Online
- Hack Tool Apk
- Best Pentesting Tools 2018
- How To Make Hacking Tools
- Hacker Tool Kit
- Hacking App
- Pentest Box Tools Download
- Pentest Tools Linux
- Pentest Tools Open Source
- Hacking Tools Online
- Hacking App
- Hacker Tools 2020
- Hacks And Tools
- Hack Tools Online
- Best Hacking Tools 2019
- Pentest Tools Download
- Hacking Tools For Games
- Hacker Tools Online
- Hacker Tools 2019
- Hack Tools For Mac
- Game Hacking
- Hack Tools Online
- Hacking Tools Pc
- Nsa Hacker Tools
- Tools For Hacker
- Hacking Tools Github
- Pentest Reporting Tools
- Pentest Tools Nmap
- Best Pentesting Tools 2018
- Hacker Techniques Tools And Incident Handling
- Hacker Tools For Ios
- Best Hacking Tools 2019
- Pentest Tools Review
- Hacking Tools 2020
- Pentest Tools Apk
- Hacker Tools Free
- Hacking Tools For Windows 7
- Hack Tools Download
- Hack Tools For Pc
- Pentest Recon Tools
- Hackers Toolbox
- Hack Tools Pc
- Pentest Tools Download
- Pentest Tools Framework
- Pentest Tools Port Scanner
- Hack Tools For Windows
- Hacker Tools Apk Download
- Best Hacking Tools 2020
- Tools Used For Hacking
- Hacker Tools For Pc
- Pentest Tools For Ubuntu
- Nsa Hack Tools Download
- Hak5 Tools
- Pentest Tools Framework
- Hacking Tools For Mac
- Computer Hacker
- Easy Hack Tools
- Wifi Hacker Tools For Windows
- Tools Used For Hacking
- Hack Tools
- Wifi Hacker Tools For Windows
- Hacker Tools Software
- Hack Tool Apk
- Hacker Techniques Tools And Incident Handling
- Usb Pentest Tools
- Hacker Tools Mac
- Pentest Tools Tcp Port Scanner
- Pentest Tools Nmap
- Hacking Apps
- Hacking Tools Windows 10
- Hack Tools 2019
- Hacker Tools Hardware
- Pentest Tools Tcp Port Scanner
- New Hacker Tools
- Pentest Tools Github
- Usb Pentest Tools
- Hacking Tools 2019
- Pentest Tools For Windows
- Pentest Tools Url Fuzzer
- Pentest Tools Apk
- Hak5 Tools
- Hacker Tools Apk
- Hacking Tools Github
- Hacking Tools Github
- Hacker Hardware Tools
- Pentest Tools Bluekeep
- Hacking Tools For Windows
- Hack Tools Online
No comments:
Post a Comment