How To Steal Login Credentials From A Locked Windows/Mac OS X

How To Steal Login Credentials From A Locked Windows/Mac OS X

If we plug in a device that masks as a USB Ethernet adapter and has a computer on the other end, can we capture credentials from a system, even when locked out (yes, logged in, just locked)?

A Security expert has discovered a unique attack method that can be used to steal the login credentials of a locked computer (but, logged-in). Moreover, this technique (which works on both Windows as well as Mac OS X systems) requires only $50 worth of hardware and takes less than 30 seconds to carry out.

Steal Login Credentials From A Locked WindowsMac OS X (2)

Steal Login Credentials From A Locked Windows/Mac OS X

In his blog post, Rob Fuller, a principal security engineer at R5 Industries, who is better known by his hacker handle mubix, demonstrated and explained how to exploit a USB SoC-based device to turn it into a credential-sniffer that works even on a locked computer or laptop.

The hack works by plugging a flash-sized minicomputer into an unattended computer that’s logged in but currently locked. In about 20 seconds, the USB device will obtain the username and password hash used to log into the computer.

The technique works using both the Hak5 Turtle and USB Armory, both of which are USB-mounted computers that run Linux. Fuller modified the firmware code of USB dongle in such a way that when it is plugged into an Ethernet adapter, the plug-and-play USB device installs and acts itself as the network gateway, DNS server, and Web Proxy Autodiscovery Protocol (WPAD) server for the victim’s machine.

How does the Attack Work?

You might be wondering: Why does this technique work? That is because USB is Plug-and-Play.

“Most PCs automatically install Plug-and-Play USB devices. This means that even if a system is locked out, the device [dongle] still gets installed,” Fuller explains in his blog post. “Now, I believe there are restrictions on what types of devices are allowed to install at a locked out state on newer operating systems (Win10/El Capitan), but Ethernet/LAN is definitely on the white list.”

Steal Login Credentials From A Locked WindowsMac OS X (1)

The modified plug-and-play USB Ethernet adapter includes a piece of software, i.e. Responder, which spoofs the network to intercept hashed credentials and then stored them in an SQLite database. The hashed credentials collected by the network exploitation tool can later be easily brute-forced to get clear text passwords.

“The average time for freshly inserting into a locked workstation and obtaining the credentials is about 13 seconds, all depends on the system,” Fuller says.

Here’s a video of Fuller’s Attack in action:

What you see in the video is the Windows 10 lock screen. When the LED goes solid white the Armory has fully shut down because of the watch script, creds achieved!

Fuller successfully tested his attack on Windows 98 SE, Windows 2000 SP4, Windows XP SP3, Windows 7 SP1, Windows 10 (Enterprise and Home), and OS X El Capitan / Mavericks. He’s also planning to test it against several Linux distros.

For more detailed explanation, you can read his blog post here.


girl using his cellphone
Tech Tips

5 Most Effective Content Writing Tips for Small Businesses

There are over 409 million users visiting blogs on WordPress every month. If you are not writing and publishing content about your business online, you’re …

movie stream

The 15 Best Movie Streaming Sites: Watch Movies Online

There’s nothing like relaxing after a long day with a good movie. Movies are what keep us entertained, especially in the post-pandemic era where digital …

personal safety apps

27 of the Best Personal Safety Apps For Your Smartphone for 2021

This article is about the best personal safety apps., and student safety apps, most of them free, and a few paid, but, fear not (no …

home workout

5 Best Home Workout Apps

Despite the likelihood of Toronto entering the grey zone of the reopening framework this February, most businesses that are recreational in nature such as gyms …

wi-fi password cracker

7 Best Wi-Fi Password Cracker Software Tools for Windows

For many, an internet connection is the most basic of human necessities – for some, maybe even more important than food and water (I’m kidding, …

Computer, phone and external hard drive
Tech Tips

4 Ways to Recover Digital Media Files from MAC Drive

Most Mac users get confused when they lose their Mac Operating System media files. The main reason they are in trouble is that Apple does …