Snatching the login credentials of a locked computer just got easier and faster, thanks to a technique that requires only $50 worth of hardware and takes less than 30 seconds to carry out.
Rob Fuller, a principal security engineer at R5 Industries, said the hack works reliably on Windows devices and has also succeeded on OS X, although he’s working with others to determine if it’s just his setup that’s vulnerable. The hack works by plugging a flash-sized minicomputer into an unattended computer that’s logged in but currently locked. In about 20 seconds, the USB device will obtain the user name and password hash used to log in to the computer. Fuller, who is better known by his hacker handle mubix, said the technique works using both the Hak5 Turtle ($50)and USB Armory ($155), both of which are USB-mounted computers that run Linux.
“First off, this is dead simple and shouldn’t work, but it does,” mubix wrote in a blog post published Tuesday. “Also, there is no possible way that I’m the first one that has identified this, but here it is (trust me, I tested it so many ways to confirm it because I couldn’t believe it was true).”
The pilfered authentication hash can either be cracked or downgraded to another hash that can be used to gain unauthorized access. In the event the machine is running an older version of Windows, the returned NTLMv1 hash can be converted to NTLM format no matter how complex the underlying plaintext password is. And from there, it can be used in pass-the-hash-style attacks. A NTLMv2 hash used by newer versions of Windows would require more work. In mubix’s tests, hashes returned by even a fully up-to-date El Capitan Mac were able to be downgraded to a susceptible NTLMv1 hash.
The Hak5 Turtle and USB Armory are both full Linux computers that are capable of emulating a USB Ethernet device. Mubix outfitted them with simple configuration modifications that present the hardware as a DHCP server. The status makes the USB device the default gateway that’s able to receive network traffic. Using a hacking app known as Responder, the device can then receive authentication tokens. Mubix reports that some people have gotten a similar setup to work on a RaspberriPi Zero, making the cost of this hack $5 and about 10 minutes of configuration setup.
Here’s a video of it in action:
In an e-mail, Fuller wrote:
What is happening in the video, is the USB Armory is being plugged into a locked (but logged in) system. It boots up via the USB power, and starts up a DHCP server, and Responder. While it’s doing this, the victim is recognizing it as a Ethernet adapter. The victim then makes route decisions and starts sending the traffic it was already creating to the Armory instead of the “real” network connection. Responder does its job and responds to all kinds of services asking for authentication, and since most OSs treat their local network as “trusted” it sees the authentication request and automatically authenticates. Seeing that the database of Responder has been modified the Armory shuts down (LED goes solid).
The demo underscores the age-old maxim equating physical access with owning or “pwning” a device. Still, the lock screen is a regular feature in most offices for users who don’t want to turn off or physically bring their computer with them while using the restroom. And for that reason, a hack that surreptitiously steals the passwords of such computers in 20 seconds is noteworthy.
Mubix said he’s working on a follow-up post suggesting ways to prevent the attack. In the meantime, he’s referring people to this mitigation technique, which he says works “pretty well.”