Tricks To Bypass Device Control Protection Solutions

Preface

As I wrote in a previous blog post, I had an engagement last year where my task was to exfiltrate data from a workstation on some sort of storage media. The twist in that task was Lumension Sanctuary Device Control, and the version was 4.3.2, but I am not sure how newer version work and this seems to be a more general problem with device control solution, for example with Symantec products.

But what is a device control solution? In short, they audit I/O device use and block the attempts to use unauthorized devices. This includes hardware such as USB, PS/2, FireWire, CD/DVD so basically every I/O port of a computer. In my opinion, these are pretty good things and they offer a better looking solution than de-soldering the I/O ports from the motherboards or hot-gluing them, but on the other hand, they can be bypassed.

Bypass

OK, so what is the problem? Well the way these device control solutions work is that they load a few kernel drivers to monitor the physical ports of the machine. However... when you boot up the protected computer in safe mode, depending on the device control solution software, some of these drivers are not loaded (or if you are lucky, none of those modules will be loaded...) and this opens up the possibility to exfiltrate data.

In theory, if you have admin (SYSTEM maybe?) privileges, you might as well try to unload the kernel drivers. Just do not forget, that these device control solutions also have a watchdog process, that checks the driver and automatically loads it back if it is unloaded, so look for that process and stop or suspend it first.

In my case with the Lumension Sanctuary Device Control, I have found that when I boot the Workstation protected by the device control software in Safe Mode where, software's key logger protection module is not running... so I was still unable to use a USB stick, or a storage media, but I could plug in a keyboard for example...hmmm :)

As some of you probably already figured it out, now it is possible to use a pre-programmed USB HID, for example a Teensy! : ) I know about three different project, that uses this trick like these two mentioned in a Hackaday post, or this one. Unfortunately, the site ob-security.info no longer seems to be available (well, at least it is no longer related to infosec :D ), but you can still find the blog post and the files with the Wayback Machine.

For the hardware part, the wiring of the Teensy and the SD card adaptor is the same as I showed in the post on Making a USB flash drive HW Trojan or in the Binary deployment with VBScript, PowerShell or .Net csc.exe compiler post, so I will not copy it here again.

I have to note here that there are other ways to bypass these device control solutions, like the method what Dr. Phil Polstra did with the USB Impersonator, which is basically looks for an authorized device VID/PID and then  impersonates that devices with the VID/PID.

Mitigation

Most probably, you will not need safe mode for the users, so you can just disable it... I mean, it is not that easy, but luckily there is a great blog post on how to do that. BTW, the first page of the post is for Windows XP, but you are not using XP anymore, aren't you? ;)

Alternatively, as I mentioned at the beginning, you might as well use some physical countermeasure (de-soldering/hot-gluing ports). That shit is ugly, but it kinda works.

Conclusion

Next time you will face a device control solution, try out these tricks, maybe they will work, and if they do, well, that's a lot of fun. :)

But don't get me wrong, these device control solutions and similar countermeasures are a good thing and you should use something like this! I know that they make doing business a bit harder as you are not able to plugin whatever USB stick you want, but if you buy a pile of hardware encrypted flash drives, and only allow  those to be plugged in, you are doing it right ;)

More articles

1. Best Pentesting Tools 2018
2. Hacker Tools Apk
3. Pentest Tools Linux
4. How To Install Pentest Tools In Ubuntu
5. Hacker Tools Apk Download
6. Hacker
7. Hacking Tools Github
8. Hacking Tools For Games
9. Tools For Hacker
10. Pentest Tools Download
11. Best Pentesting Tools 2018
12. Pentest Tools Download
13. Ethical Hacker Tools
14. Hacker Tools Apk
15. Hacking Tools Pc
16. Top Pentest Tools
17. Hack Tools For Mac
18. Hacking Tools For Kali Linux
19. Pentest Automation Tools
20. Hack Apps
21. Pentest Tools Android
22. Hacking Tools Windows
23. Hacker Tools For Windows
24. Pentest Reporting Tools
25. Hacking Tools Free Download
26. Hacking Tools Mac
27. Hacking Tools For Games
28. Bluetooth Hacking Tools Kali
29. Hack Tools For Windows
30. Hacker Tools For Ios
31. Kik Hack Tools
32. Pentest Tools For Windows
33. Hacking Tools For Mac
34. Hacker Tools For Ios
35. Underground Hacker Sites
36. Nsa Hack Tools
37. Pentest Tools Linux
38. Hacker Security Tools
39. Pentest Tools Tcp Port Scanner
40. Hacker Search Tools
41. Blackhat Hacker Tools
42. Nsa Hacker Tools
43. Pentest Tools Online
44. Pentest Recon Tools
45. Hacker Tools Github
46. Free Pentest Tools For Windows
47. Hack Apps
48. Pentest Tools Online
49. Hacking Tools And Software
50. Termux Hacking Tools 2019
51. Tools Used For Hacking
52. Nsa Hack Tools Download
53. Easy Hack Tools
54. Hacker Tools 2020
55. Hacker Tools Linux
56. Hack App
57. Tools For Hacker
58. Hack Tools For Ubuntu
59. Hack Tools Pc
60. Beginner Hacker Tools
61. Bluetooth Hacking Tools Kali
62. Pentest Automation Tools
63. Hacker Tools Free Download
64. Hack Tool Apk
65. Hacking Tools For Games
66. New Hacker Tools
67. Hacker Tools Apk
68. Hacking Tools Download
69. What Is Hacking Tools
70. Pentest Tools For Android
71. Hacker Tools Apk
72. Hacking Tools Download
73. Hack Tools Github
74. Pentest Box Tools Download
75. Hack Tools Mac
76. Pentest Tools Framework
77. Hacking Tools For Mac
78. Hackers Toolbox
79. Free Pentest Tools For Windows
80. Hack Tools For Windows
81. Hack Tool Apk
82. Pentest Tools Website
83. Pentest Tools Url Fuzzer
84. Best Hacking Tools 2019
85. Pentest Tools For Ubuntu
86. Easy Hack Tools
87. New Hack Tools
88. Hacking Tools Hardware
89. Hacker Security Tools
90. Game Hacking
91. Hack Tools For Pc
92. Hacking Tools For Windows 7
93. Pentest Tools Find Subdomains
94. Hacking Tools Name
95. Hack Tools
96. Hacker Security Tools
97. Hacking Tools For Windows
98. Hacking Tools For Windows 7
99. Pentest Recon Tools
100. Hack Tools Mac
101. Pentest Reporting Tools
102. Pentest Tools Review
103. Hacker Tools Online
104. Hacking Tools For Kali Linux
105. Hack Tools
106. Hacking Tools Mac
107. Hack And Tools
108. Pentest Tools Bluekeep
109. Hacking Tools 2019
110. Hack And Tools
111. Hacker Tools Online
112. Hacking Tools Github
113. Pentest Tools Framework
114. Hackrf Tools
115. Hacking Tools Hardware
116. Hacking Tools Hardware
117. Tools 4 Hack
118. Hacking Tools
119. Hack Tool Apk No Root
120. Hacking Tools Usb
121. Hacker Tools Mac
122. Hacking App
123. Pentest Tools Free
124. Black Hat Hacker Tools
125. Hacking Tools
126. Hacking Tools Windows
127. Hack Tools For Games
128. Hack And Tools
129. Hack Tools For Windows
130. Hack Tools For Ubuntu
131. Pentest Tools Open Source
132. What Are Hacking Tools
133. Hacker Tools Apk
134. Hacking Tools 2020
135. Hacking Tools For Windows
136. Pentest Tools Apk
137. Hacker Tool Kit
138. Hacker Tools Hardware
139. Hacking Tools Usb
140. Pentest Box Tools Download
141. Hacker Tools Apk Download
142. Computer Hacker
143. Hacker Tools For Windows
144. Hacker Tools For Ios
145. Pentest Tools Online