USB credential stealing while Windows/Mac OS X screen is locked in just 13 seconds
A security researcher has discovered a unique attack method that can be used to steal credentials from a computer that is locked but still logged in. It works on both Windows and Mac OS X systems.
Security expert Rob Fuller demonstrated and explained how to exploit a USB SoC-based device to turn it into a credential-sniffer that works even on a locked computer or laptop.
Fuller modified the firmware code of the USB dongle so that, when it is plugged into an Ethernet adapter, the plug-and-play USB device installs itself and acts as the network gateway, DNS server, and Web Proxy Auto-discovery Protocol (WPAD) server for the victim's machine.
The attack is possible because most PCs automatically install Plug-and-Play USB devices, meaning "even if a system is locked out, the device [dongle] still gets installed."
"Now, I believe there are restrictions on what types of devices are allowed to install at a locked out state on newer operating systems (Win10/El Capitan), but Ethernet/LAN is definitely on the white list."
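Because the adapter installs while the session is locked, that combination is something a defender can look for in endpoint logs. The following is an added example, not code from Fuller's post or from this article: it correlates Windows Security events 4800/4801 (workstation locked/unlocked) with 6416 (new external device recognized) and flags network-class devices that appear while the session is locked. The normalised field names and the sample events are constructed assumptions, and these events are only logged when the corresponding audit policies are enabled.

```python
from datetime import datetime

# Windows Security log event IDs
LOCKED, UNLOCKED, DEVICE_RECOGNIZED = 4800, 4801, 6416

# Constructed sample events, deliberately out of order. The keys ("host",
# "device_class", "device") are assumed names from a log pipeline.
SAMPLE_EVENTS = [
    {"time": "2016-09-07T12:41:13", "host": "WS-01", "id": 6416,
     "device_class": "Net", "device": "RNDIS/Ethernet Gadget"},
    {"time": "2016-09-07T09:00:00", "host": "WS-01", "id": 4801},
    {"time": "2016-09-07T09:05:10", "host": "WS-01", "id": 6416,
     "device_class": "Net", "device": "Dock Ethernet Adapter"},
    {"time": "2016-09-07T12:30:00", "host": "WS-01", "id": 4800},
    {"time": "2016-09-07T12:35:00", "host": "WS-01", "id": 6416,
     "device_class": "DiskDrive", "device": "USB Flash Disk"},
    {"time": "2016-09-07T12:00:00", "host": "WS-02", "id": 4800},
    {"time": "2016-09-07T13:00:00", "host": "WS-02", "id": 4801},
    {"time": "2016-09-07T13:05:00", "host": "WS-02", "id": 6416,
     "device_class": "Net", "device": "USB Ethernet Adapter"},
]


def adapters_installed_while_locked(events):
    """Return (host, time, device, seconds_since_lock) for every network-class
    device that was recognized while the host's session was locked."""
    locked_since = {}  # host -> datetime of the last lock, or None if unlocked
    hits = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        host, when = ev["host"], datetime.fromisoformat(ev["time"])
        if ev["id"] == LOCKED:
            locked_since[host] = when
        elif ev["id"] == UNLOCKED:
            locked_since[host] = None
        elif ev["id"] == DEVICE_RECOGNIZED and ev.get("device_class") == "Net":
            since = locked_since.get(host)  # None: unlocked or state unknown
            if since is not None:
                delta = int((when - since).total_seconds())
                hits.append((host, ev["time"], ev["device"], delta))
    return hits


if __name__ == "__main__":
    for hit in adapters_installed_while_locked(SAMPLE_EVENTS):
        print("network adapter added while locked:", hit)
```
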
Why does your computer automatically share Windows credentials with any connected device?
That is because of the default behavior of Microsoft Windows' name resolution services, which can be abused to steal authentication credentials.
The modified plug-and-play USB Ethernet adapter includes a piece of software, i.e. Responder (available on GitHub), which spoofs the network to intercept hashed credentials and then stores them in an SQLite database.
USB Armory ($155)
Debian/Jessie - https://github.com/inversepath/usbarmory/wiki/Starting#preparing-your-own-microsd-card
Kali on USB Armory - http://docs.kali.org/kali-on-arm/kali-linux-on-usb-armory
Resizing the SD partition - http://base16.io/?p=61
Hak5 Turtle ($49.99)
Turtle video guides and wiki: https://lanturtle.com/wiki/#!videos.md
The hashed credentials collected by the network exploitation tool can later be easily brute-forced to get clear text passwords.
If you watched Mr. Robot Season 2 Episode 9, the USB Rubber Ducky is similar to this method, with Angela venturing onto the FBI floor of the Evil Corp offices to plant the exploit-laced femtocell.
Apparently, to conduct this attack, attackers would require physical access to a target computer, so that they can plug in the evil USB Ethernet adapter. However, Fuller says the average time required for a successful attack is just 13 seconds.
Watch the video demonstration below that shows Fuller's attack in action.
Fuller successfully tested his attack against Windows 98 SE, Windows 2000 SP4, Windows XP SP3, Windows 7 SP1, Windows 10 Enterprise and Home (but not Windows 8), as well as OS X El Capitan and OS X Mavericks. He’s also planning to test it against several Linux distros.
Fuller explains the technique in his blog post.