A researcher has shown how easy it is for hackers to steal credentials from locked Windows and Mac OS X computers using a small USB device.
Many users might think that leaving their computer unattended does not pose any security risks as long as the device is locked. However, researcher Rob Fuller has demonstrated that an attacker with physical access to the targeted device can capture its login credentials in just seconds as long as the machine is logged in.
The expert has tested the attack method using USB Armory and Hak5 LAN Turtle, two flash drive-size computers designed for penetration testing and various other security applications.
Fuller demonstrated how either of these devices can be set up to capture credentials from a locked, logged-in system by disguising them as a USB Ethernet adapter. Configuring the USB device to look like a DHCP server tricks the connected computer into communicating with it. These network communications, which include usernames and passwords, can be captured by installing Responder, an open source passive credential gathering tool, on the hacking gadget.
The time it takes to capture a machine’s credentials depends on the targeted system, but the researcher has managed to conduct the attack and obtain the username and password hash in just 13 seconds. The harvested hashes can then either be cracked or downgraded for use in pass-the-hash attacks.
Fuller has successfully reproduced the attack on Windows 98 SE, Windows 2000 SP4, Windows XP SP3, Windows 7 SP1 and Windows 10. The expert has also conducted attacks against OS X El Capitan and Mavericks, but he has yet to confirm that the method works on configurations other than his own. Linux has not been tested.
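A defender-side check for the technique described above, as an added example that is not from the article or from Fuller's post: it flags a network-class device that shows up while a workstation is locked. It assumes Windows Security events 4800 (workstation locked), 4801 (unlocked) and 6416 (new external device recognized) are audited and collected; the pipe-delimited log format, host names and device names are constructed.

```python
from datetime import datetime

# Windows Security log event IDs; they are only logged if the matching
# audit policies are enabled (assumption of this example).
LOCKED, UNLOCKED, NEW_DEVICE = 4800, 4801, 6416

# Constructed sample export: "ISO time|host|event id|device class|device name"
SAMPLE = """\
2016-09-07T18:02:11|WS-014|4800||
2016-09-07T23:41:03|WS-014|6416|Net|USB Ethernet/RNDIS Gadget
2016-09-08T08:15:40|WS-014|4801||
2016-09-08T08:20:05|WS-014|6416|Net|Docking Station Ethernet
2016-09-07T19:30:00|WS-022|4800||
2016-09-07T19:45:12|WS-022|6416|HIDClass|USB Input Device
"""

def parse(text):
    """Yield (time, host, event_id, device_class, device_name) tuples."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, eid, dev_class, name = line.split("|")
        yield datetime.fromisoformat(ts), host, int(eid), dev_class, name

def net_devices_added_while_locked(text):
    """Return (host, device_name, time_locked) for every network adapter
    that was first recognized while that host's session was locked."""
    locked_since = {}   # host -> time of the most recent lock event
    alerts = []
    for ts, host, eid, dev_class, name in sorted(parse(text)):
        if eid == LOCKED:
            locked_since[host] = ts
        elif eid == UNLOCKED:
            locked_since.pop(host, None)
        elif eid == NEW_DEVICE and dev_class == "Net" and host in locked_since:
            alerts.append((host, name, ts - locked_since[host]))
    return alerts

if __name__ == "__main__":
    for host, name, locked_for in net_devices_added_while_locked(SAMPLE):
        print(f"{host}: new network adapter '{name}' after {locked_for} locked")
```

The adapter plugged in after the unlock and the non-network device are deliberately not flagged, which keeps the alert tied to the locked, logged-in condition the attack depends on.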
The researcher has created a video demonstrating how the attack works against a Windows 10 machine.
“This is dead simple and shouldn’t work, but it does,” Fuller said in a blog post. “Also, there is no possible way that I’m the first one that has identified this, but here it is (trust me, I tested it so many ways to confirm it because I couldn’t believe it was true).”
According to Fuller, both USB Armory, which costs $155, and LAN Turtle, priced at $50, have their advantages. While USB Armory is faster and more versatile, the LAN Turtle is easier to disguise and also offers the possibility of getting a shell on the targeted system. LAN Turtle developers announced that the device is backordered due to increased demand generated by Fuller’s new exploit.
#SecurityTip Don’t leave your workstation logged in, especially overnight, unattended, even if you lock the screen.. 😉
— Rob Fuller (@mubix) September 7, 2016