
USB Hacking Devices Can Steal Credentials From Locked Computers

A researcher has shown how easy it is for hackers to steal credentials from locked Windows and Mac OS X computers using a small USB device.


Many users might think that leaving their computer unattended does not pose any security risks as long as the device is locked. However, researcher Rob Fuller has demonstrated that an attacker with physical access to the targeted device can capture its login credentials in just seconds as long as the machine is logged in.

The expert has tested the attack method using USB Armory and Hak5 LAN Turtle, two flash drive-size computers designed for penetration testing and various other security applications.

Fuller demonstrated how either of these devices can be set up to capture credentials from a locked, logged-in system by disguising them as a USB Ethernet adapter. Configuring the USB device to look like a DHCP server tricks the connected computer into communicating with it. These network communications, which include usernames and passwords, can be captured by installing Responder, an open source passive credential gathering tool, on the hacking gadget.

The time it takes to capture a machine’s credentials depends on the targeted system, but the researcher has managed to conduct the attack and obtain the username and password hash in just 13 seconds. The harvested hashes can then either be cracked or downgraded for use in pass-the-hash attacks.
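A defender-side view of the same behaviour, as an added example that is not from Fuller's post or the article: on Windows, a network-class device that first appears while the workstation is locked is worth an alert. The event IDs (4800 locked, 4801 unlocked, 6416 new external device) are Windows Security log IDs; the record layout, host names and device names are constructed for illustration.

```python
# Added example: flag network adapters that appear while a workstation is locked.
# The dict layout is a simplified, constructed stand-in for exported Security
# log events, not the real event XML.
from datetime import datetime

LOCKED, UNLOCKED, NEW_DEVICE = 4800, 4801, 6416
NET_CLASS_GUID = "{4d36e972-e325-11ce-bfc1-08002be10318}"  # "Net" device setup class
DISK_CLASS_GUID = "{4d36e967-e325-11ce-bfc1-08002be10318}"  # "DiskDrive" class

# Constructed sample events (hosts, times and device names are made up).
SAMPLE_EVENTS = [
    {"time": "2024-01-15T12:00:05", "host": "WS-041", "id": LOCKED},
    {"time": "2024-01-15T12:03:10", "host": "WS-041", "id": NEW_DEVICE,
     "class_guid": NET_CLASS_GUID.upper(), "device": "USB Ethernet Gadget"},
    {"time": "2024-01-15T12:10:00", "host": "WS-041", "id": UNLOCKED},
    {"time": "2024-01-15T12:15:00", "host": "WS-041", "id": NEW_DEVICE,
     "class_guid": NET_CLASS_GUID, "device": "Docking Station NIC"},
    {"time": "2024-01-15T12:20:00", "host": "WS-007", "id": LOCKED},
    {"time": "2024-01-15T12:21:00", "host": "WS-007", "id": NEW_DEVICE,
     "class_guid": DISK_CLASS_GUID, "device": "USB Flash Drive"},
]


def adapters_added_while_locked(events):
    """Return one alert per network-class device first seen on a locked host."""
    locked_since = {}  # host -> time of the last lock that has no unlock after it
    alerts = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        host, when = ev["host"], datetime.fromisoformat(ev["time"])
        if ev["id"] == LOCKED:
            locked_since[host] = when
        elif ev["id"] == UNLOCKED:
            locked_since.pop(host, None)
        elif ev["id"] == NEW_DEVICE and host in locked_since:
            # Only network adapters matter here; storage and HID devices are ignored.
            if ev.get("class_guid", "").lower() == NET_CLASS_GUID:
                locked_for = int((when - locked_since[host]).total_seconds())
                alerts.append({"host": host, "device": ev.get("device", "?"),
                               "seen": ev["time"], "locked_for_s": locked_for})
    return alerts


if __name__ == "__main__":
    for alert in adapters_added_while_locked(SAMPLE_EVENTS):
        print("ALERT", alert)
```

These events are only logged when the corresponding audit policies are enabled (Audit Other Logon/Logoff Events for 4800/4801, Audit PNP Activity for 6416).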

Fuller has successfully reproduced the attack on Windows 98 SE, Windows 2000 SP4, Windows XP SP3, Windows 7 SP1 and Windows 10. The expert has also conducted attacks against OS X El Capitan and Mavericks, but he has yet to confirm that the method works on configurations other than his own. Linux has not been tested.

The researcher has created a video demonstrating how the attack works against a Windows 10 machine.

“This is dead simple and shouldn’t work, but it does,” Fuller said in a blog post. “Also, there is no possible way that I’m the first one that has identified this, but here it is (trust me, I tested it so many ways to confirm it because I couldn’t believe it was true).”

According to Fuller, both USB Armory, which costs $155, and LAN Turtle, priced at $50, have their advantages. While USB Armory is faster and more versatile, the LAN Turtle is easier to disguise and also offers the possibility of getting a shell on the targeted system. LAN Turtle developers announced that the device is backordered due to increased demand generated by Fuller’s new exploit.


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
