Menu
A USB device is all it takes to steal credentials from locked PCs

A USB device is all it takes to steal credentials from locked PCs

Attackers can use rogue USB-to-Ethernet adapters to steal credentials from locked Windows, and possibly OS X, computers

Most users lock their computer screens when they temporarily step away from them. While this seems like a good security measure, it isn't good enough, a researcher demonstrated this week.

Rob Fuller, principal security engineer at R5 Industries, found out that all it takes to copy an OS account password hash from a locked Windows computer is to plug in a special USB device for a few seconds. The hash can later be cracked or used directly in some network attacks.

For his attack, Fuller used a flash-drive-size computer called USB Armory that costs $155, but the same attack can be pulled off with cheaper devices, like the Hak5 LAN Turtle, which costs $50.

The device needs to masquerade as an USB-to-Ethernet LAN adapter in such a way that it becomes the primary network interface on the target computer. This shouldn't be difficult because: 1) operating systems automatically start installing newly connected USB devices, including Ethernet cards, even when they are in a locked state and 2) they automatically configure wired or fast Ethernet cards as the default gateways.

For example, if an attacker plugs in a rogue USB-to-Gigabit-Ethernet adapter into a locked Windows laptop that normally uses a wireless connection, the adapter will get installed and will become the preferred network interface.

Furthermore, when a new network card gets installed, the OS configures it to automatically detect the network settings through the Dynamic Host Configuration Protocol (DHCP). This means that an attacker can have a rogue computer at the other end of the Ethernet cable that acts as a DHCP server. USB Armory is a computer on a stick that's powered via USB and can run Linux, so no separate machine is required.

Once an attacker controls a target computer's network settings via DHCP, he also controls DNS (Domain Name System) responses, can configure a rogue internet proxy through the WPAD (Web Proxy Autodiscovery) protocol and more. He essentially gains a privileged man-in-the-middle position that can be used to intercept and tamper with the computer's network traffic.

According to Fuller, computers in a locked state still generate network traffic, allowing for the account name and hashed password to be extracted. The time it takes for a rogue USB device to capture credentials from a system using this attack is around 13 seconds, he said.

He tested the attack successfully on Windows and OS X. However, he's still working on confirming if OS X is vulnerable by default or if it was his Mac's particular configuration that was vulnerable.

"First off, this is dead simple and shouldn’t work, but it does," the researcher said in a blog post. "Also, there is no possible way that I’m the first one who has identified this, but here it is."

Depending on the Windows version installed on the computer and its configuration, the password hashes will be in NT LAN Manager (NTLM) version 2 or NTLMv1 format. NTLMv2 hashes are harder to crack, but not impossible, especially if the password is not very complex and the attacker has access to a powerful password cracking rig.

There are also some relay attacks against network services where NTLM hashes can be used directly without having to know the user's plaintext password.

The lesson from all this is, as Fuller noted on Twitter: "Don't leave your workstation logged in, especially overnight, unattended, even if you lock the screen."


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Brand Post

Featured

Slideshows

The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards

The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards

Hundreds of leaders from the New Zealand IT industry gathered at the Hilton in Auckland on 17 November to celebrate the finest female talent in the Kiwi channel and recognise the winners of the Reseller News Women in ICT Awards (WIICTA) 2020.

The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards
Leading female front runners honoured at the 2020 Reseller News Women in ICT Awards

Leading female front runners honoured at the 2020 Reseller News Women in ICT Awards

The leading female front runners of the New Zealand ICT industry joined together for the annual Reseller News Women in ICT Awards event at the Hilton in Auckland, during which hundreds of guests celebrated 13 outstanding individuals who won awards, chosen from more than 50 finalists representing over 30 organisations.

Leading female front runners honoured at the 2020 Reseller News Women in ICT Awards
Channel gathers to celebrate the Reseller News Innovation Awards 2020 winners

Channel gathers to celebrate the Reseller News Innovation Awards 2020 winners

More than 500 channel leaders gathered in Auckland on 21 October at the ​Reseller News Innovation Awards ​2020 to celebrate the achievements of the New Zealand technology industry's top partners, start-ups, vendors, distributors and individuals.

Channel gathers to celebrate the Reseller News Innovation Awards 2020 winners
Show Comments