And it works on Windows and OSX!


The security researcher Rob Fuller has discovered a new attack method that can be used to steal credentials from a locked computer (but with a user still logged in). It works on both Windows and OS X systems and uses a USB SoC-based device modified to act as a credential sniffer.

The firmware of the USB dongle was modified so that, as soon as it is plugged in, the device is installed and configured (most PCs and Macs automatically install Plug-and-Play USB devices even while the system is locked) and then presents itself to the victim's machine as the network gateway, DNS server, and Web Proxy Auto-Discovery Protocol (WPAD) server.

Weird, right? Such a thing should not be possible, and if the vulnerability is confirmed, vendors will need to issue urgent patches:

First off, this is dead simple and shouldn't work, but it does. Also, there is no possible way that I'm the first one that has identified this, but here it is (trust me, I tested it so many ways to confirm it because I couldn't believe it was true).


How does the Attack Work?


The hacked USB dongle (a USB Armory) runs a tool (Responder) that spoofs network services to intercept hashed credentials and stores them in an SQLite database.

The captured hashes can later be cracked offline with a brute-force attack to recover the clear-text passwords.

From Rob Fuller’s article:

  1. Because USB is Plug-and-Play. This means that even if a system is locked out, the device still gets installed. Now, I believe there are restrictions on what types of devices are allowed to install at a locked out state on newer operating systems (Win10/El Capitan), but Ethernet/LAN is definitely on the white list.
  2. Computers are constantly creating traffic, even if you don’t have any browsers or applications open, and most computers trust their local network for some reason (I know the technical bits on ‘why’, just complaining…)
  3. Network preference when there is more than one gateway or network connection is based on "metrics" on Windows and a combination of metrics and "preference" on OSX, but by default "wired" and "newer/faster" always win out.

This means that, once plugged in, the device quickly becomes the gateway, DNS server, WPAD server and other network services, thanks to Responder.

The average time from freshly inserted into a locked workstation to when I have creds is about 13 seconds; it all depends on the system.
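The three conditions above (a new wired adapter winning the route on metric, the host accepting whatever answers for WPAD, and LLMNR/NetBIOS name resolution that Responder can poison) are exactly the settings a defender should review. The following read-only PowerShell audit is an added example written for this page; it is not code from Rob Fuller's post, Responder, or the USB Armory project. It assumes Windows 8.1/10 or later with the NetTCPIP module, uses only documented registry locations and cmdlets, and the function name Get-ProxyAttackSurfaceReport is my own.

```powershell
# Added example: audit the Windows settings that the locked-machine credential
# sniffing technique depends on. Read-only; nothing is changed.
# Run from an elevated PowerShell prompt so every registry key is readable.

function Get-ProxyAttackSurfaceReport {
    $findings = New-Object System.Collections.Generic.List[object]

    function Add-Finding([string]$Check, [string]$Status, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail })
    }

    # 1. Interface metrics: the lowest metric wins the default route. A freshly
    #    installed Ethernet adapter with an automatic metric normally beats Wi-Fi,
    #    which is why the rogue dongle becomes the gateway/DNS source so quickly.
    $ifaces = Get-NetIPInterface -AddressFamily IPv4 |
        Where-Object { $_.InterfaceAlias -notmatch 'Loopback' } |
        Sort-Object InterfaceMetric
    foreach ($i in $ifaces) {
        $detail = "metric={0} automatic={1} state={2}" -f $i.InterfaceMetric, $i.AutomaticMetric, $i.ConnectionState
        Add-Finding "IPv4 interface '$($i.InterfaceAlias)'" 'INFO' $detail
    }

    # 2. WPAD, service side: WinHttpAutoProxySvc Start=4 means the service is disabled.
    $svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc' `
        -Name Start -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        Add-Finding 'WinHTTP auto-proxy service' 'UNKNOWN' 'service key not found'
    } elseif ($svc.Start -eq 4) {
        Add-Finding 'WinHTTP auto-proxy service' 'OK' 'Start=4 (disabled)'
    } else {
        Add-Finding 'WinHTTP auto-proxy service' 'REVIEW' "Start=$($svc.Start); WPAD discovery is active"
    }

    # 3. WPAD, user side: "Automatically detect settings" in Internet Options.
    #    AutoDetect=0 means proxy auto-discovery is off for this user.
    $auto = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' `
        -Name AutoDetect -ErrorAction SilentlyContinue
    if ($null -ne $auto -and $auto.AutoDetect -eq 0) {
        Add-Finding 'Proxy auto-detect (current user)' 'OK' 'AutoDetect=0'
    } else {
        Add-Finding 'Proxy auto-detect (current user)' 'REVIEW' 'AutoDetect missing or enabled'
    }

    # 4. LLMNR: policy value EnableMulticast=0 disables it; no value means enabled.
    $llmnr = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' `
        -Name EnableMulticast -ErrorAction SilentlyContinue
    if ($null -ne $llmnr -and $llmnr.EnableMulticast -eq 0) {
        Add-Finding 'LLMNR' 'OK' 'EnableMulticast=0 (disabled by policy)'
    } else {
        Add-Finding 'LLMNR' 'REVIEW' 'no policy; LLMNR enabled by default'
    }

    # 5. NetBIOS over TCP/IP per adapter: NetbiosOptions=2 disables it.
    $nbtRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    Get-ChildItem -Path $nbtRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $opt = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
        $status = if ($opt -eq 2) { 'OK' } else { 'REVIEW' }
        Add-Finding "NetBIOS over TCP/IP ($($_.PSChildName))" $status "NetbiosOptions=$opt"
    }

    return $findings
}

# Usage: print the report as a table; any REVIEW row is a setting worth hardening
# (or confirming as an accepted risk) before a rogue USB network adapter can exploit it.
Get-ProxyAttackSurfaceReport | Format-Table -AutoSize -Wrap
```

The interface rows are informational: what matters is whether an adapter that was not there a minute ago appears at the top of the list. The remaining checks map one-to-one onto the services Responder impersonates, so a host showing OK on all of them still accepts the rogue gateway but no longer hands it credentials through WPAD or name-resolution poisoning.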

The attack was successfully tested on a wide range of systems:

  • Windows 98 SE
  • Windows 2000 SP4
  • Windows XP SP3
  • Windows 7 SP1
  • Windows 10 (Enterprise and Home)
  • OSX El Capitan / Mavericks

Here is a video of the attack being tested on a Windows 10 system:

https://www.youtube.com/watch?v=Oplubg5q7ao

For more information and technical details about the USB dongle configuration, read the original article on Rob Fuller's website:

https://room362.com/post/2016/snagging-creds-from-locked-machines/