Stealing login credentials from a locked PC or Mac just got easier | Ars Technica

http://arstechnica.com/security/2016/09/stealing-login-credentials-from-a-locked-pc-or-mac-just-got-easier/

Plug a tiny $50 Linux computer into a Windows computer's USB port and get login credentials in 20 seconds.

4 Comments

  1. Tomi Engdahl says:

    Modified USB Ethernet Adapter Can Steal Windows and Mac Credentials
    Possibly Linux creds too, but yet untested

    Read more: http://news.softpedia.com/news/modified-usb-ethernet-adapter-can-steal-windows-and-mac-credentials-508034.shtml#ixzz4Jh9Muczh

  2. Tomi Engdahl says:

    Attack works because computers trust PnP devices
    The attack is possible because most computers will automatically install any plug-and-play (PnP) USB device.

    “Why does this work? Because USB is Plug-and-Play. This means that even if a system is locked out, the device still gets installed,” Fuller wrote on his blog yesterday.

    “Now, I believe there are restrictions on what types of devices are allowed to install at a locked out state on newer operating systems (Win10/El Capitan), but Ethernet/LAN is definitely on the white list.”

    Read more: http://news.softpedia.com/news/modified-usb-ethernet-adapter-can-steal-windows-and-mac-credentials-508034.shtml#ixzz4Jh9UIn2v

  3. Tomi Engdahl says:

    Snagging creds from locked machines
    https://room362.com/post/2016/snagging-creds-from-locked-machines/

    Thesis:

    If I plug in a device that masquerades as a USB Ethernet adapter and has a computer on the other end, can I capture credentials from a system, even when locked out (yes, logged in, just locked). (..or do even more, but we’ll save that for another time, this post is already too long)

    Tested on:

    Windows 98 SE
    Windows 2000 SP4
    Windows XP SP3
    Windows 7 SP1
    Windows 10 (Enterprise and Home)
    OSX El Capitan / Mavericks (I was able to get creds on both of these but I’m still testing to see if it was a fluke, or my own configurations)
    I still have not tested on Linux, I will make a new post on if that works.

    Why does this work?

    Because USB is Plug-and-Play. This means that even if a system is locked out, the device still gets installed. Now, I believe there are restrictions on what types of devices are allowed to install at a locked out state on newer operating systems (Win10/El Capitan), but Ethernet/LAN is definitely on the white list.
    Computers are constantly creating traffic, even if you don’t have any browsers or applications open, and most computers trust their local network for some reason (I know the technical bits on ‘why’, just complaining…)
    Network preference when there is more than one gateway or network connection is based on “metrics” on Windows and a combination of metrics and “preference” on OSX, but by default “wired” and “newer/faster” always win out.
    This means that by plugging in the device it quickly becomes the gateway, DNS server, WPAD server and others thanks to Responder.

    The average time from freshly inserted into a locked workstation to the time I have creds is about 13 seconds; it all depends on the system. As some additional setup, I used inotify to watch for a file change in the Responder.db database and shut down the Armory. This helps finalize file writes as well as giving me an indicator via the LED that creds were obtained.

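One way a defender could detect the scenario described in the comments above, as an added example (not code from the article, the quoted blog post or Responder): flag network-class device installs that are logged while a workstation is locked. It assumes Windows Security events 4800/4801 (lock/unlock) and 6416 (new external device, which requires "Audit PNP Activity") exported to simplified dicts; the record layout, host names and sample events are constructed.

```python
from datetime import datetime

# Security-log event IDs: workstation locked / unlocked, new external device.
LOCKED, UNLOCKED, NEW_DEVICE = 4800, 4801, 6416

# Constructed sample records (simplified dicts, not real log exports).
SAMPLE_EVENTS = [
    {"time": "2016-09-07T09:00:00", "host": "WS-01", "id": 4801},
    {"time": "2016-09-07T09:05:10", "host": "WS-01", "id": 6416,
     "ClassName": "Net", "DeviceDescription": "Docking station Ethernet"},
    {"time": "2016-09-07T12:01:00", "host": "WS-01", "id": 4800},
    {"time": "2016-09-07T12:20:03", "host": "WS-01", "id": 6416,
     "ClassName": "HIDClass", "DeviceDescription": "USB Input Device"},
    {"time": "2016-09-07T12:31:40", "host": "WS-01", "id": 6416,
     "ClassName": "Net", "DeviceDescription": "USB Ethernet/RNDIS Gadget"},
    {"time": "2016-09-07T13:02:00", "host": "WS-01", "id": 4801},
    # WS-02 has no lock event in the window, so its state is unknown.
    {"time": "2016-09-07T13:10:00", "host": "WS-02", "id": 6416,
     "ClassName": "Net", "DeviceDescription": "USB Ethernet Adapter"},
]


def net_adapters_added_while_locked(events):
    """Return one alert per network-class device installed on a locked host."""
    locked_since = {}  # host -> time of the lock that is still in effect
    alerts = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        host, when = ev["host"], datetime.fromisoformat(ev["time"])
        if ev["id"] == LOCKED:
            locked_since[host] = when
        elif ev["id"] == UNLOCKED:
            locked_since.pop(host, None)
        elif ev["id"] == NEW_DEVICE and ev.get("ClassName", "").lower() == "net":
            # Only alert when a lock is known to be active; hosts whose lock
            # state was never observed are skipped rather than guessed at.
            if host in locked_since:
                alerts.append({
                    "host": host,
                    "time": ev["time"],
                    "device": ev.get("DeviceDescription", ""),
                    "seconds_locked": int((when - locked_since[host]).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in net_adapters_added_while_locked(SAMPLE_EVENTS):
        print(alert)
```

Reboots and logoffs, which also end a locked session, are not modelled here.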