This should come as a surprise, a mild or perhaps not-so-mild shock, to the many people who lock their computer screens when they step away: your system and your data are not secure when you do so. A single USB device is all that is needed to steal critical data from a locked system. This may be news to many as far as PC security is concerned.
Security expert Rob Fuller has now explained that it is very easy to copy an OS account password hash from a locked computer using a special USB device, and in only a few seconds. The hash can then be cracked or used directly in network attacks. Rob, who has over a decade's experience covering all aspects of information security, has explained this in detail in a post on his website, www.room362.com.
Rob Fuller demonstrated this using a flash-drive-sized computer called the USB Armory, which costs $155, but he has also stated that it can be done with cheaper devices. Says Rob Fuller: "I started off with a USB Armory ($155) but below I'll show you how to do this with a Hak5 Turtle ($49.99) as well."
How it works
All it takes is to plug in a device that masquerades as a USB Ethernet adapter in such a way that it becomes the primary network interface on the targeted, locked computer. This is rather easy for two reasons: first, even when a computer is locked, operating systems automatically install newly connected USB devices, including Ethernet cards; second, the OS automatically configures such devices as the default gateway.
Says Rob Fuller in his website post: "USB is Plug-and-Play. This means that even if a system is locked out, the device still gets installed. Now, I believe there are restrictions on what types of devices are allowed to install at a locked out state on newer operating systems (Win10/El Capitan), but Ethernet/LAN is definitely on the white list."
When a new network card is installed, the operating system configures it to detect its network settings automatically. This is done through DHCP (Dynamic Host Configuration Protocol), and anyone wishing to steal data from a locked computer can place a rogue computer at the other end of the Ethernet cable to act as the DHCP server. With a USB Armory it is even easier, because the USB Armory works like a computer on a stick, powered over USB and running Linux, so there is no need to attach a separate rogue machine.
The attacker thus gains control of the computer's network settings through the USB device. He can then also control the system's DNS (Domain Name System) responses, configure a rogue internet proxy through the WPAD (Web Proxy Auto-Discovery) protocol, and more. This gives him an advantageous man-in-the-middle position from which he can intercept and tamper with the computer's network traffic.
As Rob Fuller says: "Computers are constantly creating traffic, even if you don't have any browsers or applications open, and most computers trust their local network…" It thus becomes possible for an attacker who connects the USB device to extract the account name and the hashed password. Capturing credentials from a locked system in this way takes very little time; Rob Fuller says his test attack needed only about 13 seconds.
The stolen password hashes are in either the NT LAN Manager (NTLM) version 2 or the NTLMv1 format, depending on the targeted computer and its configuration. NTLMv2 hashes, though harder to crack, can still be cracked if the password is not very complex and the attacker has a powerful password-cracking rig. Moreover, in some cases NTLM hashes can be used directly in relay attacks against network services, without the attacker ever knowing the plaintext password.
So the next time you step away leaving your computer locked, remember that someone can very easily walk off with your credentials and shatter your assumptions about PC security.