Security researcher Rob Fuller has demonstrated a simple way to steal login credentials from locked computers running Windows and Mac OS X.
For the attack to work, you’ll need to have:
- Access to the targeted computer
- A portable, plug-in computer that you have modified to impersonate a USB Ethernet adapter, and
- A computer with software that will crack (or downgrade and crack) the authentication hashes you have pilfered.
The actual attack can be performed in less than half a minute, as demonstrated in this video:
“Why does this work? Because USB is Plug-and-Play. This means that even if a system is locked out, the device still gets installed,” Fuller explained. “Now, I believe there are restrictions on what types of devices are allowed to install at a locked out state on newer operating systems (Win10/El Capitan), but Ethernet/LAN is definitely on the white list.”
In his blog post, he explained how to set up a USB Armory or a Hak5 Turtle – two cheap ($155 and $49.99, respectively) USB-mounted Linux computers – to be able to use them in the attack.
Basically, they have to be equipped with Responder, open source software that simulates an authentication server. The OS “recognises” the server, trusts it by default because it sits on the (newly attached) local network, and answers its authentication request with the login credentials. Responder logs them in a database.
To finish the attack, one has to extract the hashes of the stolen credentials and crack them. Different OSes use different hashes, but all can be cracked or downgraded into a format that can be used for a “pass the hash” attack.
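On the defensive side, the distinguishing signal of this attack is a USB network-class device being installed while the console session is locked. The following is an added detection example, not code from the original article or from Fuller; it runs over a constructed, simplified log format (hostnames, timestamps and device descriptions are made up) that a real deployment would feed from the corresponding Windows Security events (4800/4801 for workstation lock/unlock, 6416 for a newly recognised external device).

```python
"""Flag USB network adapters that were installed while the host was locked.

Assumed, constructed log format (one record per line):
    <ISO timestamp> host=<name> event=<LOCK|UNLOCK|DEVICE_ARRIVAL> [key=value ...]
"""
import shlex
from datetime import datetime

# Constructed sample log, not captured from a real system.
SAMPLE_LOG = """\
2016-09-06T09:00:00 host=WS01 event=UNLOCK user=alice
2016-09-06T09:10:00 host=WS01 event=DEVICE_ARRIVAL class=HIDClass bus=USB desc="USB Keyboard"
2016-09-06T12:01:00 host=WS01 event=LOCK user=alice
2016-09-06T12:03:20 host=WS01 event=DEVICE_ARRIVAL class=Net bus=USB desc="USB Ethernet Adapter"
2016-09-06T12:03:30 host=WS01 event=DEVICE_ARRIVAL class=USBDevice bus=USB desc="Mass Storage"
2016-09-06T12:05:00 host=WS02 event=DEVICE_ARRIVAL class=Net bus=USB desc="USB Ethernet Adapter"
2016-09-06T13:00:00 host=WS01 event=UNLOCK user=alice
"""


def parse_line(line):
    """Split one log line into a dict; the first token is the timestamp."""
    parts = shlex.split(line)  # keeps the quoted desc="..." value intact
    rec = {"ts": datetime.fromisoformat(parts[0])}
    for kv in parts[1:]:
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def find_locked_usb_net_installs(log_text):
    """Return findings for class=Net USB devices that arrived while the host was locked.

    A host with no prior LOCK/UNLOCK record (WS02 in the sample) has unknown lock
    state; it is reported at lower severity rather than silently dropped.
    """
    locked = {}  # host -> True (locked) / False (unlocked); absent = unknown
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        host, event = rec["host"], rec["event"]
        if event == "LOCK":
            locked[host] = True
        elif event == "UNLOCK":
            locked[host] = False
        elif event == "DEVICE_ARRIVAL" and rec.get("class") == "Net" and rec.get("bus") == "USB":
            state = locked.get(host)
            if state is False:
                continue  # new NIC on an unlocked, attended session: ordinary
            findings.append({"host": host, "ts": rec["ts"].isoformat(),
                             "desc": rec.get("desc", ""),
                             "severity": "high" if state else "medium"})
    return findings


if __name__ == "__main__":
    for finding in find_locked_usb_net_installs(SAMPLE_LOG):
        print(finding)
```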
He tested the attack on various OSes and OS versions, and it works on Windows 98 SE, 2000 SP4, XP SP3, 7 SP1, and 10, as well as OS X El Capitan / Mavericks (his own setups, anyway). He hasn’t yet tested the attack on Linux.
“This is dead simple and shouldn’t work, but it does,” he concluded, positing that he isn’t the first to have discovered this attack possibility.
The fact that this option is now out in the open is scary, and there isn’t much we can do to protect our computers from this attack. At the moment, Fuller advises users not to leave their workstation logged in and unattended, even if the screen is locked.