A researcher, Rob Fuller, has shown that it is quite easy for attackers to steal credentials from locked Windows and Mac OS X computers using a small USB device. Twenty seconds of physical access with a $50 device is all it takes to capture the login credentials of a locked computer. Attackers can use rogue USB-to-Ethernet adapters to capture those credentials as long as a user is logged in, even if the screen is locked.
Fuller, a principal security engineer at R5 Industries, explained that the hack works by plugging a flash-drive-sized minicomputer into an unattended computer that is logged in but currently locked. Within seconds, the USB device, which disguises itself as a USB Ethernet adapter, obtains the username and password hash used to log into the computer. Configuring the USB device to look like a Dynamic Host Configuration Protocol (DHCP) server tricks the connected computer into communicating with it. These network communications, which include usernames and password hashes, can be captured by installing Responder, an open source passive credential gathering tool, on the hacking gadget. The hash can later be cracked or used directly in some network attacks.
If the machine runs an older version of Windows, the returned NTLMv1 hash can be converted to NTLM format regardless of how complex the underlying plaintext password is. An NTLMv2 hash, used by newer versions of Windows, would require more work. In Fuller's tests, hashes returned by even a fully up-to-date El Capitan Mac could be downgraded to a susceptible NTLMv1 hash.
Fuller, who is better known by his hacker handle mubix, said the technique works on both the Hak5 Turtle ($50) and the USB Armory ($155), both of which are USB-mounted computers that run Linux. Mubix reports that some people have gotten a similar setup working on a Raspberry Pi Zero, bringing the hardware cost of this hack down to $5 plus about 10 minutes of configuration.
The attack is straightforward because operating systems automatically install newly connected USB devices, including Ethernet adapters, even while they are locked, and they give a newly connected wired or faster Ethernet connection priority as the default route.
Furthermore, when a new network card is installed, the OS configures it to obtain its network settings automatically via DHCP. This means an attacker can place a rogue computer at the other end of the Ethernet link that acts as the DHCP server and hands the victim its own address as gateway and name server.
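As an added defender-side example (not code from the article or from Fuller), the following correlation over constructed host log lines flags the chain the article describes: a network adapter that appears while the screen is locked, a gateway handed to that adapter by DHCP, and NTLM authentication from the host to that gateway shortly afterwards. The event format, field names and addresses are constructed for this example, not a real Windows or macOS log schema.

```python
"""Added detection example (not from the article or Fuller's work): correlate a
network adapter appearing while the session is locked, a DHCP-supplied gateway on
that adapter, and NTLM authentication sent to that gateway. Log format is constructed."""
from dataclasses import dataclass
from typing import List


@dataclass
class Event:
    t: int             # seconds since boot (constructed timestamp)
    kind: str          # lock | unlock | adapter_added | dhcp_ack | ntlm_auth
    iface: str = ""    # interface name for adapter_added / dhcp_ack
    server: str = ""   # DHCP server address, also offered as default gateway
    dest: str = ""     # destination host of an NTLM authentication


def parse(line: str) -> Event:
    # Each constructed line is "key=value key=value ..."; t and kind are mandatory.
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Event(int(fields.pop("t")), fields.pop("kind"), **fields)


def detect(lines: List[str], window: int = 60) -> List[str]:
    """One alert per NTLM auth to a DHCP gateway on an adapter added while locked."""
    events = sorted((parse(ln) for ln in lines), key=lambda e: e.t)
    locked = False
    added_while_locked = {}   # iface -> time the adapter appeared (screen locked)
    gateways = {}             # iface -> gateway/DHCP server address it was given
    alerts = []
    for e in events:
        if e.kind == "lock":
            locked = True
        elif e.kind == "unlock":
            locked = False
        elif e.kind == "adapter_added" and locked:
            added_while_locked[e.iface] = e.t
        elif e.kind == "dhcp_ack" and e.iface in added_while_locked:
            gateways[e.iface] = e.server
        elif e.kind == "ntlm_auth":
            for iface, gw in gateways.items():
                age = e.t - added_while_locked[iface]
                if e.dest == gw and age <= window:
                    alerts.append(f"{iface}: NTLM auth to DHCP-supplied gateway {gw} {age}s after adapter appeared on locked host")
    return alerts


# Constructed sample: rogue adapter at t=15 while locked; benign dock at t=3610
# after the user unlocked. Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = [
    "t=0 kind=lock", "t=15 kind=adapter_added iface=eth1",
    "t=17 kind=dhcp_ack iface=eth1 server=192.0.2.1", "t=21 kind=ntlm_auth dest=192.0.2.1",
    "t=3600 kind=unlock", "t=3610 kind=adapter_added iface=eth2",
    "t=3612 kind=dhcp_ack iface=eth2 server=198.51.100.1", "t=3615 kind=ntlm_auth dest=198.51.100.1",
]
```

Running `detect(SAMPLE_LOG)` yields a single alert for eth1; the second adapter produces none because it appeared after the user unlocked.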
The time it takes to capture a machine’s credentials depends on the targeted system, but the researcher has managed to conduct the attack and obtain the username and password hash in just 13 seconds.
Fuller has successfully reproduced the attack on Windows 98 SE, Windows 2000 SP4, Windows XP SP3, Windows 7 SP1 and Windows 10. He has also conducted attacks against OS X El Capitan and Mavericks, but he has yet to confirm that the method works on configurations other than his own. Linux has not been tested.
Fuller is working on a follow-up post suggesting ways to prevent the attack.
The lesson from all this is, as Fuller noted on Twitter: “Don’t leave your workstation logged in, especially overnight, unattended, even if you lock the screen.”