Comments on: Sterling login credentials from a locked PC or Mac just got easier | Ars Technica

By: Tomi Engdahl

Tomi Engdahl — Thu, 08 Sep 2016 19:41:07 +0000

USB credential stealing while screen is locked
https://www.youtube.com/watch?v=Oplubg5q7ao

By: Tomi Engdahl

Tomi Engdahl — Thu, 08 Sep 2016 19:40:21 +0000

Snagging creds from locked machines
https://room362.com/post/2016/snagging-creds-from-locked-machines/

Thesis:

If I plug in a device that masquerades as a USB Ethernet adapter and has a computer on the other end, can I capture credentials from a system, even when locked out (yes, logged in, just locked). (..or do even more, but we’ll save that for another time, this post is already too long)

Tested on:

Windows 98 SE
Windows 2000 SP4
Windows XP SP3
Windows 7 SP1
Windows 10 (Enterprise and Home)
OSX El Capitan / Mavericks (I was able to get creds on both of these but I’m still testing to see if it was a fluke, or my own configurations)
I still have not tested on Linux, I will make a new post on if that works.

Why does this work?

Because USB is Plug-and-Play. This means that even if a system is locked out, the device still gets installed. Now, I believe there are restrictions on what types of devices are allowed to install at a locked out state on newer operating systems (Win10/El Capitan), but Ethernet/LAN is definitely on the white list.
Computers are constantly creating traffic, even if you don’t have any browsers or applications open, and most computers trust their local network for some reason (I know the technical bits on ‘why’, just complaining…)
Network preference when there are more than gateway or network connection is based on “metrics” on Windows and a combination of metrics and “preference” on OSX, but by default “wired” and “newer/faster” always win out.
This means that by plugging in the device it quickly becomes the gateway, DNS server, WPAD server and others thanks to Responder.

The average time for freshly inserted into a locked workstation and by the time I have creds is about 13 seconds, all depends on the system. Some addition setup I used inotify to watch for a file change in the Responder.db database and shutdown the Armory. This helps finalize file writes as well and giving me an indicator via the LED that creds were obtained.

By: Tomi Engdahl

Tomi Engdahl — Thu, 08 Sep 2016 19:38:29 +0000

Attack works because computers trust PnP devices
The attack is possible because most computers will automatically install any plug-and-play (PnP) USB device.

“Why does this work? Because USB is Plug-and-Play. This means that even if a system is locked out, the device still gets installed,” Fuller wrote on his blog yesterday.

“Now, I believe there are restrictions on what types of devices are allowed to install at a locked out state on newer operating systems (Win10/El Capitan), but Ethernet/LAN is definitely on the white list.”

By: Tomi Engdahl

Tomi Engdahl — Thu, 08 Sep 2016 19:38:04 +0000

Modified USB Ethernet Adapter Can Steal Windows and Mac Credentials
Possibly Linux creds too, but yet untested