A security expert has found a way to steal the login credentials from a computer even when it’s locked down by a password — all with a tiny USB device. The hack can be carried out in less than 30 seconds and the hardware to do this costs around US$50. Read on to find out more.
Rob Fuller, also known by the moniker mubix, is a security engineer at R5 Industries. He recently wrote a blog post about using the Hak5 Turtle hacking tool, a device that looks like a USB Ethernet adaptor, to steal login credentials from computers that are password locked. You can buy the Hak5 Turtle for around US$50, and it's meant to give system administrators and security testers the ability to covertly gain remote access to devices for legitimate reasons. It is essentially a tiny computer that runs Linux.
To capture the login credentials, Fuller loaded Responder on the Hak5 Turtle and configured it to perform the hack. You can find the full details in his blog post. He also posted a video that shows the device in action:
Once the authentication hash is stolen, it can be manipulated to gain unauthorised access to a system. From Fuller's test results, this hack works on:
- Windows 98 SE
- Windows 2000 SP4
- Windows XP SP3
- Windows 7 SP1
- Windows 10 (Enterprise and Home)
- OSX El Capitan / Mavericks
But how is this even possible, and with such ease? Fuller explained:
“Because USB is Plug-and-Play. This means that even if a system is locked out, the device still gets installed. Now, I believe there are restrictions on what types of devices are allowed to install at a locked out state on newer operating systems (Win10/El Capitan), but Ethernet/LAN is definitely on the white list.
“Computers are constantly creating traffic, even if you don’t have any browsers or applications open, and most computers trust their local network for some reason (I know the technical bits on ‘why’, just complaining…). Network preference when there is more than one gateway or network connection is based on “metrics” on Windows and a combination of metrics and “preference” on OSX, but by default “wired” and “newer/faster” always win out.”
“This means that by plugging in the device it quickly becomes the gateway, DNS server, WPAD server and others thanks to Responder.”
The average time it took him to steal login credentials from a locked machine was 13 seconds.
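Because the whole technique depends on a network adapter being installed while the console is locked, one defensive check is to correlate exactly that in the Windows Security log. The following is an added example, not code from Fuller's post or from Hak5: it correlates Security event 4800 (workstation locked), 4801 (workstation unlocked) and 6416 (new external device recognised; only logged when the "Audit PNP Activity" subcategory is enabled) and flags any Net-class device that appears while the host is locked. The pipe-delimited log lines are constructed sample data in a simplified format, not real event exports.

```python
"""Flag a network adapter that is installed while the workstation is locked.

Added example: correlates Windows Security events 4800/4801/6416.
The log format below (timestamp|host|event_id|key=value;...) is a
simplified, constructed one; the event IDs themselves are real.
"""
from datetime import datetime
from typing import Dict, List

# Constructed sample log (not a real capture). WS01 gets a USB Ethernet
# device while locked; WS02 gets a NIC while unlocked and a keyboard while locked.
SAMPLE_LOG = """\
2016-09-06T09:00:01|WS01|4800|user=alice
2016-09-06T09:00:14|WS01|6416|class=Net;device=USB Ethernet/RNDIS Gadget
2016-09-06T09:00:30|WS01|4801|user=alice
2016-09-06T09:05:00|WS02|6416|class=Net;device=Intel(R) Ethernet Connection
2016-09-06T09:07:00|WS02|4800|user=bob
2016-09-06T09:07:20|WS02|6416|class=HIDClass;device=USB Keyboard
"""


def parse_line(line: str) -> dict:
    """Split one constructed log line into a dict of its fields."""
    ts, host, event_id, rest = line.split("|", 3)
    fields = dict(kv.split("=", 1) for kv in rest.split(";") if "=" in kv)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "event_id": int(event_id), **fields}


def find_locked_nic_installs(log: str) -> List[dict]:
    """Return every 6416 Net-class event that fires while its host is locked."""
    locked: Dict[str, bool] = {}   # per-host lock state, driven by 4800/4801
    alerts: List[dict] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        host = ev["host"]
        if ev["event_id"] == 4800:
            locked[host] = True
        elif ev["event_id"] == 4801:
            locked[host] = False
        elif (ev["event_id"] == 6416 and ev.get("class") == "Net"
              and locked.get(host, False)):
            alerts.append({"host": host, "ts": ev["ts"].isoformat(),
                           "device": ev.get("device", "unknown")})
    return alerts


if __name__ == "__main__":
    for a in find_locked_nic_installs(SAMPLE_LOG):
        print(f"ALERT {a['host']} {a['ts']}: network adapter installed "
              f"while locked: {a['device']}")
```

In a real deployment the same correlation would run over exported event XML rather than this constructed format, and a hit is a strong signal to also look for LLMNR/NBT-NS/WPAD traffic from that host in the same window.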
You can find out more about Fuller's findings over at Room362, his personal blog.