Hats off to security researcher Rob Fuller, aka mubix, for spending part of his Labor Day weekend figuring out how to use a spoofed USB Ethernet adapter to steal credentials from logged-in but locked Windows and Mac computers.
“It works!!! Muhahahahah I can steal credentials from a locked computer. Muahahahhahahahah” pic.twitter.com/9l3d0tvs8i — Rob Fuller (@mubix) September 4, 2016
Fuller did not use a zero-day; although the attack is “stupid simple” and “should not work,” it does work because most computers automatically install Plug-and-Play USB devices. “Even if a system is locked out, the device still gets installed.” There may be restrictions on what devices can be installed when the box is in a locked state, but he said, “Ethernet/LAN is definitely on the white list.”
Fuller successfully tested the attack on Windows 98 SE, Windows 2000 SP4, Windows XP SP3, Windows 7 SP1, Windows 10 Home and Enterprise, and OS X El Capitan and Mavericks. He said after he tests the attack on Linux, he will write a new post if it works.
While he first used a $155 USB Armory for his unique attack, Fuller said it can be pulled off with a $50 Hak5 Turtle.
Once the device is plugged in, and the computer can see both a wireless and wired network, Fuller said it will connect to whichever is faster. “By default, ‘wired’ and ‘new/faster’ always win out.”
After plugging in the modified device, Fuller said, “It quickly becomes the gateway, DNS server, WPAD server and others thanks to Responder.”
His attack takes about 13 seconds on average; that’s from the time he plugged in the modified PnP USB Ethernet adapter to when he captured the credentials on the locked computer.
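The mechanism above (a network-class PnP device installing while the session is locked) is something a defender can look for in Windows event logs. The following is an added example, not code from Fuller's post or the article: it correlates Security log lock/unlock events (4800 and 4801) with UserPnp driver-install events (20001) and flags network-class installs that fall inside a locked interval. The event records are constructed samples in the shape of those log entries; the Net class GUID is the standard Windows setup class.

```python
import re
from datetime import datetime

# Well-known Windows setup class GUID for network adapters (the "Net" class).
NET_CLASS_GUID = "{4d36e972-e325-11ce-bfc1-08002be10318}"

# Constructed sample records: (timestamp, log name, event id, message).
# 4800/4801 = workstation locked/unlocked (Security log);
# 20001 = Microsoft-Windows-UserPnp driver install concluded (System log).
# Device instance IDs and INF names are placeholders, not captured from a real host.
SAMPLE_EVENTS = [
    ("2016-09-04 10:00:00", "Security", 4800, "The workstation was locked."),
    ("2016-09-04 10:02:11", "System", 20001,
     "Driver Management concluded the process to install driver usb.inf for "
     "Device Instance ID USB\\VID_XXXX&PID_XXXX\\CONSTRUCTED-1 with the following "
     "status: 0x0. Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}"),
    ("2016-09-04 10:05:00", "Security", 4801, "The workstation was unlocked."),
    ("2016-09-04 10:30:00", "System", 20001,   # keyboard class, session unlocked: benign
     "Driver Management concluded the process to install driver kbd.inf for "
     "Device Instance ID USB\\VID_XXXX&PID_YYYY\\CONSTRUCTED-2 with the following "
     "status: 0x0. Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}"),
]

_DEVICE_RE = re.compile(r"Device Instance ID (\S+)")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def locked_intervals(events):
    """Pair each 4800 (lock) with the next 4801 (unlock); an open lock runs to datetime.max."""
    intervals, start = [], None
    for ts, log, eid, _ in sorted(events, key=lambda e: _ts(e[0])):
        if log == "Security" and eid == 4800 and start is None:
            start = _ts(ts)
        elif log == "Security" and eid == 4801 and start is not None:
            intervals.append((start, _ts(ts)))
            start = None
    if start is not None:
        intervals.append((start, datetime.max))
    return intervals


def net_installs_while_locked(events):
    """Return device instance IDs of Net-class drivers installed during a locked session."""
    intervals, hits = locked_intervals(events), []
    for ts, log, eid, msg in events:
        if log != "System" or eid != 20001 or NET_CLASS_GUID not in msg.lower():
            continue
        if any(a <= _ts(ts) <= b for a, b in intervals):
            m = _DEVICE_RE.search(msg)
            hits.append(m.group(1) if m else msg)
    return hits
```

On a live host the same records can be pulled with Get-WinEvent (System log, provider Microsoft-Windows-UserPnp; Security log, IDs 4800 and 4801) and fed to the same functions.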
In the video, Fuller shows the spoof attack working against a Windows 10 lock screen. (It’s on a virtual machine with full-screen mode.) The OS is locked, but the user is logged in.
Fuller explained on GitHub that it “requires packages and responder” to work. He added:
I saved the script into the /root folder and made a custom command in the NetHunter app to launch the script. To be safe I turned off Wi-Fi also.
Once the script launched, I ran a screen -r and plugged it into a Windows 10 box which had a locked screen. It returned the NTLMv2 hash and username in responder.
If you want to try it out, but don’t have either dongle, then Fuller described the $155 Armory as “more versatile with APT package to do more fun,” but the $50 Hak5 LAN Turtle “is much easier to pass off when you are trying to plug in a device during an SE attack.” He said the Hak5 LAN Turtle includes the “added functionality of a working Ethernet port, so you could get creds and a shell.” The Armory has an LED which shows when credentials are captured, but Hak5’s Darren Kitchen explained how to configure the Hak5 LAN Turtle to also blink when credentials are saved.