Researcher steals computer login details via USB Ethernet adapter
Security researcher Rob Fuller has described in a blog post how he steals a logged-in user's credentials via a custom USB Ethernet adapter while the lockscreen is displayed. This works on Windows and OS X computers.
Fuller, aka "Mubix," explains that he could use both a USB Armory and a LAN Turtle for the attack. Various software can be installed on these SoC-equipped USB devices, for example for penetration-testing purposes. Using the so-called Responder module, the USB device acts as a gateway, DNS server and WPAD server for the computer it is connected to. In this way the researcher was able to retrieve the login details of a user who is logged in to a system that is showing a lockscreen. Physical access to the device is required for this.
The researcher explains that the attack works because the device is installed via plug-and-play immediately after it is connected. After that, the victim's computer sends its local credentials to the USB device, as devices on the local network are generally trusted, according to Fuller. This data can then be intercepted with special software. The computer automatically chooses the most suitable Ethernet connection based on speed and 'newness', Fuller explains. In this way, the researcher was able to get hold of the data within thirteen seconds.
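The attack described above depends on three host-side conditions: a newly installed USB network adapter winning the default route, plug-and-play installation of unknown devices being allowed, and WPAD proxy auto-discovery being active. The following audit script is an added example and is not code from Fuller's post; it assumes a Windows 8 or later host with the NetAdapter and NetTCPIP modules, run from an elevated PowerShell session, and reports each of these conditions from a defender's point of view.

```powershell
# Added audit example (not from Fuller's blog post): report the host-side
# conditions the rogue USB Ethernet adapter technique relies on.
# Assumes Windows 8+/Server 2012+ with NetAdapter and NetTCPIP modules,
# run in an elevated PowerShell session.

# 1. Default routes on USB-enumerated adapters: a freshly installed USB NIC
#    that wins on route metric is how the adapter becomes the host's gateway.
$usbNics = Get-NetAdapter | Where-Object { $_.PnPDeviceID -like 'USB\*' }
if (-not $usbNics) { "No USB-enumerated network adapters present" }
foreach ($nic in $usbNics) {
    $routes = Get-NetRoute -InterfaceIndex $nic.ifIndex -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
    if (-not $routes) {
        "USB adapter '$($nic.Name)' ($($nic.InterfaceDescription)) is $($nic.Status), no default route"
    }
    foreach ($r in $routes) {
        "WARNING: USB adapter '$($nic.Name)' holds a default route via $($r.NextHop), metric $($r.RouteMetric)"
    }
}

# 2. Device installation policy: DenyUnspecified=1 under the DeviceInstall
#    Restrictions policy key blocks plug-and-play installation of any device
#    class not explicitly allowed, so an unknown USB NIC never comes up.
$restr = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$deny = (Get-ItemProperty -Path $restr -Name DenyUnspecified -ErrorAction SilentlyContinue).DenyUnspecified
if ($deny -eq 1) {
    "Device installation restriction is in place (DenyUnspecified=1)"
} else {
    "WARNING: no device installation restriction; new USB NICs install via plug-and-play"
}

# 3. WPAD: the WinHTTP Web Proxy Auto-Discovery service performs the 'wpad'
#    lookup on the local network that a rogue DNS/WPAD server answers.
$svc = Get-Service -Name WinHttpAutoProxySvc -ErrorAction SilentlyContinue
if ($svc) {
    "WinHttpAutoProxySvc is $($svc.Status) (start type: $($svc.StartType))"
} else {
    "WinHttpAutoProxySvc not found on this host"
}
```

Run it once on a known-good build to record the baseline, then compare output after any unexpected adapter appears.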
The login details are not immediately visible in plain text, but are captured as an NTLMv2 hash, which must be cracked afterwards. Fuller writes that he has tested his method on computers running Windows 98 SE, 2000 SP4, XP SP3, 7 SP1 and Windows 10. He also had success on the Mavericks and El Capitan versions of OS X, although he does not yet know whether that was due to his configuration. Fuller says he does not yet know whether his attack will work on Linux, but promises to write a new blog post if that turns out to be the case.
Demonstration of the attack