Tricks To Bypass Device Control Protection Solutions

Preface

As I wrote in a previous blog post, I had an engagement last year where my task was to exfiltrate data from a workstation on some sort of storage media. The twist in that task was Lumension Sanctuary Device Control, and the version was 4.3.2, but I am not sure how newer version work and this seems to be a more general problem with device control solution, for example with Symantec products.

But what is a device control solution? In short, they audit I/O device use and block the attempts to use unauthorized devices. This includes hardware such as USB, PS/2, FireWire, CD/DVD so basically every I/O port of a computer. In my opinion, these are pretty good things and they offer a better looking solution than de-soldering the I/O ports from the motherboards or hot-gluing them, but on the other hand, they can be bypassed.

Bypass

OK, so what is the problem? Well the way these device control solutions work is that they load a few kernel drivers to monitor the physical ports of the machine. However... when you boot up the protected computer in safe mode, depending on the device control solution software, some of these drivers are not loaded (or if you are lucky, none of those modules will be loaded...) and this opens up the possibility to exfiltrate data.

In theory, if you have admin (SYSTEM maybe?) privileges, you might as well try to unload the kernel drivers. Just do not forget, that these device control solutions also have a watchdog process, that checks the driver and automatically loads it back if it is unloaded, so look for that process and stop or suspend it first.

In my case with the Lumension Sanctuary Device Control, I have found that when I boot the Workstation protected by the device control software in Safe Mode where, software's key logger protection module is not running... so I was still unable to use a USB stick, or a storage media, but I could plug in a keyboard for example...hmmm :)

As some of you probably already figured it out, now it is possible to use a pre-programmed USB HID, for example a Teensy! : ) I know about three different project, that uses this trick like these two mentioned in a Hackaday post, or this one. Unfortunately, the site ob-security.info no longer seems to be available (well, at least it is no longer related to infosec :D ), but you can still find the blog post and the files with the Wayback Machine.

For the hardware part, the wiring of the Teensy and the SD card adaptor is the same as I showed in the post on Making a USB flash drive HW Trojan or in the Binary deployment with VBScript, PowerShell or .Net csc.exe compiler post, so I will not copy it here again.

I have to note here that there are other ways to bypass these device control solutions, like the method what Dr. Phil Polstra did with the USB Impersonator, which is basically looks for an authorized device VID/PID and then  impersonates that devices with the VID/PID.

Mitigation

Most probably, you will not need safe mode for the users, so you can just disable it... I mean, it is not that easy, but luckily there is a great blog post on how to do that. BTW, the first page of the post is for Windows XP, but you are not using XP anymore, aren't you? ;)

Alternatively, as I mentioned at the beginning, you might as well use some physical countermeasure (de-soldering/hot-gluing ports). That shit is ugly, but it kinda works.

Conclusion

Next time you will face a device control solution, try out these tricks, maybe they will work, and if they do, well, that's a lot of fun. :)

But don't get me wrong, these device control solutions and similar countermeasures are a good thing and you should use something like this! I know that they make doing business a bit harder as you are not able to plugin whatever USB stick you want, but if you buy a pile of hardware encrypted flash drives, and only allow  those to be plugged in, you are doing it right ;)

More info

1. Hacker Techniques Tools And Incident Handling
2. Pentest Tools Alternative
3. Pentest Tools Open Source
4. Hacking Tools 2019
5. Hackers Toolbox
6. Hacker Tools Apk
7. Kik Hack Tools
8. Hack Website Online Tool
9. Black Hat Hacker Tools
10. Hacker Tools For Mac
11. Hacking Tools Windows
12. Best Hacking Tools 2019
13. Usb Pentest Tools
14. Hacking Tools Software
15. Best Pentesting Tools 2018
16. Hacker Techniques Tools And Incident Handling
17. New Hacker Tools
18. Hacker Tool Kit
19. Blackhat Hacker Tools
20. Hack Tools For Games
21. Bluetooth Hacking Tools Kali
22. Hack Tools Github
23. Hacking Tools 2019
24. Hacker Tools Linux
25. Hacker Tools Linux
26. Android Hack Tools Github
27. Hacker Tools List
28. New Hack Tools
29. Pentest Tools Port Scanner
30. Wifi Hacker Tools For Windows
31. Hacker Tools Apk
32. Hack Tool Apk
33. Hacker
34. Hack Tools 2019
35. Hacking Tools Name
36. Growth Hacker Tools
37. Hackrf Tools
38. Hacker Hardware Tools
39. Hack Tools Online
40. Hacking Tools 2020
41. Free Pentest Tools For Windows
42. Hack Tools
43. Nsa Hack Tools
44. Hacker Security Tools
45. Tools Used For Hacking
46. Hacking Tools For Pc
47. Github Hacking Tools
48. Hack Tools
49. How To Install Pentest Tools In Ubuntu
50. Bluetooth Hacking Tools Kali
51. Ethical Hacker Tools
52. Easy Hack Tools
53. Pentest Tools Subdomain
54. Pentest Tools Download
55. Black Hat Hacker Tools
56. Hacker Tools Free
57. Hackers Toolbox
58. Computer Hacker
59. Hacking Apps
60. Hacks And Tools
61. Hacking Tools Kit
62. Pentest Tools Website Vulnerability
63. Hacking Tools Online
64. Android Hack Tools Github
65. Hacker Tools Software
66. Pentest Tools Framework
67. Hacker Tools Apk
68. Hacker Tools Mac
69. Usb Pentest Tools
70. Hacker Security Tools
71. Ethical Hacker Tools
72. Hack Tool Apk No Root
73. Pentest Tools Kali Linux
74. Pentest Tools Tcp Port Scanner
75. Hacking Tools Software
76. Hacking App
77. Hacker Security Tools
78. Hacking Tools Download
79. Github Hacking Tools
80. Hacker Tools Apk Download
81. Hacking Tools Kit
82. Pentest Tools Kali Linux
83. Beginner Hacker Tools
84. Black Hat Hacker Tools
85. Hacker Tools
86. Hacking Tools Github
87. Best Hacking Tools 2019
88. Pentest Tools Url Fuzzer
89. Hack Tools Github
90. Pentest Tools Review
91. Hacking Tools For Mac
92. Pentest Tools For Windows
93. Growth Hacker Tools
94. Game Hacking
95. Pentest Tools Website
96. Nsa Hacker Tools
97. Pentest Tools Tcp Port Scanner
98. Hacking Tools Online
99. Hack Tools Online
100. Hacker Tools Github
101. What Are Hacking Tools
102. Hacking Tools For Windows
103. Hacking Tools For Windows
104. Hacking Tools Usb
105. Hack Rom Tools
106. Hacker Search Tools
107. Pentest Tools Kali Linux
108. Blackhat Hacker Tools
109. Pentest Tools For Android
110. Hack Tools
111. Hack Tools Pc
112. Hacker Tools Free
113. Pentest Tools Website Vulnerability
114. Hacking Tools 2020
115. Growth Hacker Tools
116. Hacking Tools Name
117. Pentest Tools For Mac
118. Pentest Tools Free
119. Hack Tool Apk
120. Hackers Toolbox
121. Wifi Hacker Tools For Windows
122. Hacking Tools Pc
123. Hacker Tools Github
124. Hacking Tools Windows 10
125. Hacking Tools For Beginners
126. Hacking Tools 2019
127. Pentest Tools Online
128. Best Hacking Tools 2020
129. Game Hacking
130. Pentest Recon Tools
131. Tools Used For Hacking
132. Growth Hacker Tools
133. Hacking Tools For Windows 7
134. Hacking Tools
135. Tools For Hacker
136. Hacking Tools Windows
137. Hacker Tools For Pc
138. Hacking Tools For Mac
139. Pentest Tools Bluekeep
140. Pentest Reporting Tools
141. Hacking Tools Kit
142. Hack Tool Apk
143. Hacker Tools For Ios
144. Pentest Recon Tools
145. Hacker
146. Pentest Tools List
147. Nsa Hacker Tools
148. Hacks And Tools
149. Pentest Tools Subdomain
150. Hacker Tools Github
151. Hacking Tools Name
152. Nsa Hacker Tools
153. Growth Hacker Tools
154. Hacking Tools And Software
155. Hacking Tools For Windows
156. Hack Tools Github
157. Pentest Tools Website Vulnerability
158. Pentest Tools Find Subdomains
159. Hacking Tools For Games
160. Hacker
161. Pentest Reporting Tools
162. Hacking Tools And Software
163. Hacker Tools 2019
164. Hacking Tools 2019