Tricks To Bypass Device Control Protection Solutions

Preface

As I wrote in a previous blog post, I had an engagement last year where my task was to exfiltrate data from a workstation on some sort of storage media. The twist in that task was Lumension Sanctuary Device Control, and the version was 4.3.2, but I am not sure how newer version work and this seems to be a more general problem with device control solution, for example with Symantec products.

But what is a device control solution? In short, they audit I/O device use and block the attempts to use unauthorized devices. This includes hardware such as USB, PS/2, FireWire, CD/DVD so basically every I/O port of a computer. In my opinion, these are pretty good things and they offer a better looking solution than de-soldering the I/O ports from the motherboards or hot-gluing them, but on the other hand, they can be bypassed.

Bypass

OK, so what is the problem? Well the way these device control solutions work is that they load a few kernel drivers to monitor the physical ports of the machine. However... when you boot up the protected computer in safe mode, depending on the device control solution software, some of these drivers are not loaded (or if you are lucky, none of those modules will be loaded...) and this opens up the possibility to exfiltrate data.

In theory, if you have admin (SYSTEM maybe?) privileges, you might as well try to unload the kernel drivers. Just do not forget, that these device control solutions also have a watchdog process, that checks the driver and automatically loads it back if it is unloaded, so look for that process and stop or suspend it first.

In my case with the Lumension Sanctuary Device Control, I have found that when I boot the Workstation protected by the device control software in Safe Mode where, software's key logger protection module is not running... so I was still unable to use a USB stick, or a storage media, but I could plug in a keyboard for example...hmmm :)

As some of you probably already figured it out, now it is possible to use a pre-programmed USB HID, for example a Teensy! : ) I know about three different project, that uses this trick like these two mentioned in a Hackaday post, or this one. Unfortunately, the site ob-security.info no longer seems to be available (well, at least it is no longer related to infosec :D ), but you can still find the blog post and the files with the Wayback Machine.

For the hardware part, the wiring of the Teensy and the SD card adaptor is the same as I showed in the post on Making a USB flash drive HW Trojan or in the Binary deployment with VBScript, PowerShell or .Net csc.exe compiler post, so I will not copy it here again.

I have to note here that there are other ways to bypass these device control solutions, like the method what Dr. Phil Polstra did with the USB Impersonator, which is basically looks for an authorized device VID/PID and then  impersonates that devices with the VID/PID.

Mitigation

Most probably, you will not need safe mode for the users, so you can just disable it... I mean, it is not that easy, but luckily there is a great blog post on how to do that. BTW, the first page of the post is for Windows XP, but you are not using XP anymore, aren't you? ;)

Alternatively, as I mentioned at the beginning, you might as well use some physical countermeasure (de-soldering/hot-gluing ports). That shit is ugly, but it kinda works.

Conclusion

Next time you will face a device control solution, try out these tricks, maybe they will work, and if they do, well, that's a lot of fun. :)

But don't get me wrong, these device control solutions and similar countermeasures are a good thing and you should use something like this! I know that they make doing business a bit harder as you are not able to plugin whatever USB stick you want, but if you buy a pile of hardware encrypted flash drives, and only allow  those to be plugged in, you are doing it right ;)

Related word

1. Hacking Tools For Pc
2. Pentest Tools
3. Tools For Hacker
4. Hacking Tools For Beginners
5. Hacking Apps
6. Hacker Tools 2020
7. Pentest Tools Review
8. What Are Hacking Tools
9. Beginner Hacker Tools
10. Hacker Tools Apk
11. Hack And Tools
12. Pentest Tools Find Subdomains
13. Hacker Hardware Tools
14. Hack Tools For Games
15. How To Make Hacking Tools
16. Hacking Tools Pc
17. Hacking Apps
18. Github Hacking Tools
19. Pentest Tools For Android
20. Hacking Tools Name
21. Pentest Recon Tools
22. Pentest Tools For Ubuntu
23. Hacking Tools Name
24. Hacking Tools For Windows Free Download
25. Hacking Tools Pc
26. What Are Hacking Tools
27. Hacker Tools 2020
28. What Is Hacking Tools
29. Pentest Tools Github
30. Hacker Tools Apk Download
31. Free Pentest Tools For Windows
32. Hacker Tools For Ios
33. Pentest Tools Bluekeep
34. Install Pentest Tools Ubuntu
35. Pentest Tools Nmap
36. Hacking Tools Pc
37. Hacking Tools Software
38. Hack Tools
39. Hacker Techniques Tools And Incident Handling
40. Hack Tools Github
41. Hacking Tools Hardware
42. Hack Tools Download
43. Pentest Tools Github
44. Pentest Tools Nmap
45. Hack Tools
46. Hacker Techniques Tools And Incident Handling
47. Hack Tools For Games
48. Hacking Tools Software
49. Hacker Tools Mac
50. Top Pentest Tools
51. Hack Tools For Mac
52. Pentest Tools Apk
53. Pentest Tools Android
54. Pentest Tools For Ubuntu
55. Pentest Tools Kali Linux
56. Pentest Tools Website
57. Pentest Tools Github
58. Hack Tools Download
59. Kik Hack Tools
60. Hacker Tools Mac
61. Pentest Tools List
62. How To Install Pentest Tools In Ubuntu
63. Pentest Tools List
64. World No 1 Hacker Software
65. Hacking Tools Github
66. Hack Tools For Games
67. Pentest Tools Kali Linux
68. Wifi Hacker Tools For Windows
69. Pentest Recon Tools
70. Hacker Tools Linux
71. Hacking Tools Download
72. New Hacker Tools
73. Hack Tools For Mac
74. Nsa Hacker Tools
75. Hacker Tools For Mac
76. Hack Tools For Mac
77. Hacking Tools Pc
78. Hacker Techniques Tools And Incident Handling
79. New Hack Tools