If we plug in a device that masks as a USB Ethernet adapter and has a computer on the other end, can we capture credentials from a system, even when locked out (yes, logged in, just locked)?
A Security expert has discovered a unique attack method that can be used to steal the login credentials of a locked computer (but, logged-in). Moreover, this technique (which works on both Windows as well as Mac OS X systems) requires only $50 worth of hardware and takes less than 30 seconds to carry out.
Steal Login Credentials From A Locked Windows/Mac OS X
In his blog post, Rob Fuller, a principal security engineer at R5 Industries, who is better known by his hacker handle mubix, demonstrated and explained how to exploit a USB SoC-based device to turn it into a credential-sniffer that works even on a locked computer or laptop.
The hack works by plugging a flash-sized minicomputer into an unattended computer that’s logged in but currently locked. In about 20 seconds, the USB device will obtain the username and password hash used to log into the computer.
The technique works using both the Hak5 Turtle and USB Armory, both of which are USB-mounted computers that run Linux. Fuller modified the firmware code of USB dongle in such a way that when it is plugged into an Ethernet adapter, the plug-and-play USB device installs and acts itself as the network gateway, DNS server, and Web Proxy Autodiscovery Protocol (WPAD) server for the victim’s machine.
How does the Attack Work?
You might be wondering: Why does this technique work? That is because USB is Plug-and-Play.
“Most PCs automatically install Plug-and-Play USB devices. This means that even if a system is locked out, the device [dongle] still gets installed,” Fuller explains in his blog post. “Now, I believe there are restrictions on what types of devices are allowed to install at a locked out state on newer operating systems (Win10/El Capitan), but Ethernet/LAN is definitely on the white list.”
The modified plug-and-play USB Ethernet adapter includes a piece of software, i.e. Responder, which spoofs the network to intercept hashed credentials and then stored them in an SQLite database. The hashed credentials collected by the network exploitation tool can later be easily brute-forced to get clear text passwords.
“The average time for freshly inserting into a locked workstation and obtaining the credentials is about 13 seconds, all depends on the system,” Fuller says.
Here’s a video of Fuller’s Attack in action:
What you see in the video is the Windows 10 lock screen. When the LED goes solid white the Armory has fully shut down because of the watch script, creds achieved!
Fuller successfully tested his attack on Windows 98 SE, Windows 2000 SP4, Windows XP SP3, Windows 7 SP1, Windows 10 (Enterprise and Home), and OS X El Capitan / Mavericks. He’s also planning to test it against several Linux distros.
For more detailed explanation, you can read his blog post here.