A USB device is all it takes to steal credentials from locked PCs

Most users lock their computer screens when they temporarily step away from them. While this seems like a good security measure, it isn’t good enough, a researcher demonstrated this week.

Rob Fuller, principal security engineer at R5 Industries, found out that all it takes to copy an OS account password hash from a locked Windows computer is to plug in a special USB device for a few seconds. The hash can later be cracked or used directly in some network attacks.

For his attack, Fuller used a flash-drive-size computer called USB Armory that costs $155, but the same attack can be pulled off with cheaper devices, like the Hak5 LAN Turtle, which costs $50.

The device needs to masquerade as an USB-to-Ethernet LAN adapter in such a way that it becomes the primary network interface on the target computer. This shouldn’t be difficult because: 1) operating systems automatically start installing newly connected USB devices, including Ethernet cards, even when they are in a locked state and 2) they automatically configure wired or fast Ethernet cards as the default gateways.

For example, if an attacker plugs in a rogue USB-to-Gigabit-Ethernet adapter into a locked Windows laptop that normally uses a wireless connection, the adapter will get installed and will become the preferred network interface.

Furthermore, when a new network card gets installed, the OS configures it to automatically detect the network settings through the Dynamic Host Configuration Protocol (DHCP). This means that an attacker can have a rogue computer at the other end of the Ethernet cable that acts as a DHCP server. USB Armory is a computer on a stick that’s powered via USB and can run Linux, so no separate machine is required.

Once an attacker controls a target computer’s network settings via DHCP, he also controls DNS (Domain Name System) responses, can configure a rogue internet proxy through the WPAD (Web Proxy Autodiscovery) protocol and more. He essentially gains a privileged man-in-the-middle position that can be used to intercept and tamper with the computer’s network traffic.

According to Fuller, computers in a locked state still generate network traffic, allowing for the account name and hashed password to be extracted. The time it takes for a rogue USB device to capture credentials from a system using this attack is around 13 seconds, he said.

He tested the attack successfully on Windows and OS X. However, he’s still working on confirming if OS X is vulnerable by default or if it was his Mac’s particular configuration that was vulnerable.

“First off, this is dead simple and shouldn’t work, but it does,” the researcher said in a blog post. “Also, there is no possible way that I’m the first one who has identified this, but here it is.”

Depending on the Windows version installed on the computer and its configuration, the password hashes will be in NT LAN Manager (NTLM) version 2 or NTLMv1 format. NTLMv2 hashes are harder to crack, but not impossible, especially if the password is not very complex and the attacker has access to a powerful password cracking rig.

There are also some relay attacks against network services where NTLM hashes can be used directly without having to know the user’s plaintext password.

The lesson from all this is, as Fuller noted on Twitter: “Don’t leave your workstation logged in, especially overnight, unattended, even if you lock the screen.”