The security expert and blogger Rob Fuller demonstrated how to exploit a USB SoC-based device to sniff credentials from a locked laptop. The expert has modified the device in a way that once it is plugged into an Ethernet adapter, it acts as a network gateway, a DNS server, and WPAD (Web proxy autodiscovery protocol) server for the targeted machine.
“If I plug in a device that masquerades as a USB Ethernet adapter and has a computer on the other end, can I capture credentials from a system, even when locked out (yes, logged in, just locked). (..or do even more, but we’ll save that for another time, this post is already too long)” wrote Fuller in a blog post.
Fuller explained that with this technique he is able to trick the machine that in the process of trying to install a harmless Ethernet adapter, it will send it the credentials over the spoofed network.
The expert tested two USB SoC-based devices for the attack, the USB Armory ($155) and the Hak5 Turtle ($49.99).
Fuller explained that the Ethernet adapter needs to be set up to sniff the traffic and capture the credentials sent by the target machine when it will trying to connect to the network through the adapter.
{blog} Snagging creds from locked machines – https://t.co/zqYo142tVj
— Rob Fuller (@mubix) 6 settembre 2016
The attack leverages on Laurent Gaffié’s Responder to capture the credentials, the Hak5 Turtle already has a module for it, for the USB Armory it is possible to either use SCP, Internet Connection Sharing, the USB host/client adapter.
“Basically the capturing is done with Laurent Gaffié’s Responder so you need to find a way to get Responder onto the device. The Hak5 Turtle already has a module for it” explained Fuller. “You do have to “Enable” the module for the first time (plugged into Internet access) to get it to actually download all of dependencies and package itself.As for the USB Armory is you can either use SCP, Internet Connection Sharing, the USB host/client adapter.”
He added that on average the retrieval time was 13 seconds.
With this attack, it is possible to steal every kind of information stored on the target machine.
Be careful, the attacks could fail against some machine, anyway, the expert tested it on Windows up to Windows 10 Enterprise and Home (except Windows 8), on OS X El Capitan and it works!
For example, when a target machine sees both a wireless and wired network, it’ll try to connect to the faster one, a circumstance that could result in the failure of the attack.
Of course, in order to launch the attack, it is necessary the physical access to the target.
Below a video PoC of the attack that demonstrates how to sniff credentials from a locked laptop running Windows 10 via Ethernet adapter on USB
“What you see in the video is the Windows 10 lock screen (Full screened fresh install VM). When the LED goes solid white the Armory has fully shutdown because of the watch script, creds achieved!.!
[adrotate banner=”9″]
(Security Affairs – Ethernet adapter, sniff credentials)