Menu
A USB device is all it takes to steal credentials from locked PCs

A USB device is all it takes to steal credentials from locked PCs

Attackers can use rogue USB-to-Ethernet adapters to steal credentials from locked Windows, and possibly OS X, computers

Most users lock their computer screens when they temporarily step away from them. While this seems like a good security measure, it isn't good enough, a researcher demonstrated this week.

Rob Fuller, principal security engineer at R5 Industries, found out that all it takes to copy an OS account password hash from a locked Windows computer is to plug in a special USB device for a few seconds. The hash can later be cracked or used directly in some network attacks.

For his attack, Fuller used a flash-drive-size computer called USB Armory that costs $155, but the same attack can be pulled off with cheaper devices, like the Hak5 LAN Turtle, which costs $50.

The device needs to masquerade as an USB-to-Ethernet LAN adapter in such a way that it becomes the primary network interface on the target computer. This shouldn't be difficult because: 1) operating systems automatically start installing newly connected USB devices, including Ethernet cards, even when they are in a locked state and 2) they automatically configure wired or fast Ethernet cards as the default gateways.

For example, if an attacker plugs in a rogue USB-to-Gigabit-Ethernet adapter into a locked Windows laptop that normally uses a wireless connection, the adapter will get installed and will become the preferred network interface.

Furthermore, when a new network card gets installed, the OS configures it to automatically detect the network settings through the Dynamic Host Configuration Protocol (DHCP). This means that an attacker can have a rogue computer at the other end of the Ethernet cable that acts as a DHCP server. USB Armory is a computer on a stick that's powered via USB and can run Linux, so no separate machine is required.

Once an attacker controls a target computer's network settings via DHCP, he also controls DNS (Domain Name System) responses, can configure a rogue internet proxy through the WPAD (Web Proxy Autodiscovery) protocol and more. He essentially gains a privileged man-in-the-middle position that can be used to intercept and tamper with the computer's network traffic.

According to Fuller, computers in a locked state still generate network traffic, allowing for the account name and hashed password to be extracted. The time it takes for a rogue USB device to capture credentials from a system using this attack is around 13 seconds, he said.

He tested the attack successfully on Windows and OS X. However, he's still working on confirming if OS X is vulnerable by default or if it was his Mac's particular configuration that was vulnerable.

"First off, this is dead simple and shouldn’t work, but it does," the researcher said in a blog post. "Also, there is no possible way that I’m the first one who has identified this, but here it is."

Depending on the Windows version installed on the computer and its configuration, the password hashes will be in NT LAN Manager (NTLM) version 2 or NTLMv1 format. NTLMv2 hashes are harder to crack, but not impossible, especially if the password is not very complex and the attacker has access to a powerful password cracking rig.

There are also some relay attacks against network services where NTLM hashes can be used directly without having to know the user's plaintext password.

The lesson from all this is, as Fuller noted on Twitter: "Don't leave your workstation logged in, especially overnight, unattended, even if you lock the screen."

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Slideshows

IN PICTURES: Ingram Micro Innovation hits Auckland with Hewlett Packard Enterprise

IN PICTURES: Ingram Micro Innovation hits Auckland with Hewlett Packard Enterprise

Ingram Micro completed its nationwide roadshow in Auckland last month, kicking off its Innovation Hour series with Hewlett Packard Enterprise. Uncovering the latest in storage, networking and servers, the event outlined key market trends for resellers in 2016 and beyond.

IN PICTURES: Ingram Micro Innovation hits Auckland with Hewlett Packard Enterprise
IN PICTURES: FireEye celebrates channel at 2016 Partner Conference

IN PICTURES: FireEye celebrates channel at 2016 Partner Conference

FireEye welcomed 143 channel partners and distributors to FireEye's 2016 annual Partner Conference, FireEye A/NZ Momentum - held at Establishment in Sydney. Delegates heard from senior trans-Tasman channel leaders, marketing and the product divisions in the morning, with FireEye customers, incident responders and threat intelligence analysts sharing knowledge during the afternoon.

IN PICTURES: FireEye celebrates channel at 2016 Partner Conference
​IN PICTURES: Disruption in the data centre - Can the Kiwi channel capitalise?​

​IN PICTURES: Disruption in the data centre - Can the Kiwi channel capitalise?​

With New Zealand businesses now open to innovation, the industry sits on the cusp of significant disruption in the data centre. Driven by software-defined networking, the future of the data centre is fast becoming reality, as the channel seeks to keep up, keep innovating and keep growing. APC by Schneider Electric, Lenovo and key partners outlined how the channel can capitalise at The Grill restaurant in Auckland.

​IN PICTURES: Disruption in the data centre - Can the Kiwi channel capitalise?​
Show Comments