“First off, this is dead simple and shouldn’t work, but it does,” Fuller, one of the principal security engineers at R5 Industries, recently blogged. “Also, there is no possible way that I’m the first one that has identified this, but here it is (trust me, I tested it so many ways to confirm it because I couldn’t believe it was true).”
He began the experiment using a $155 USB Armory, a flash-drive sized computer with an 800MHz processor based on ARM Cortex-A8 core technology, 512MB of DDR3 system memory, a MicroSD card slot, and native support for Android, Debian, Ubuntu, and Arch Linux. However, he also ended up using a $50 Hak5 Turtle mini-computer with a built-in Ethernet port for wired networking. The USB Armory device can emulate Ethernet connectivity as well.
The blog shows how he set up both devices. First, the Armory device needed Python installed, and then he set up its interface, its DHCP server, and other small details before he could insert the device into the computer’s USB port. The Hak5 Turtle unit was nearly ready right out of the box. Ultimately, both units were capable of grabbing login credentials in about 13 seconds, depending on the system. The Armory device even lit up an LED when it obtained the credentials.
According to Fuller, the Armory unit is more versatile, has more storage, and uses a faster processor. The Hak5 Turtle unit is less suspicious appearance-wise because of the built-in Ethernet port, but it doesn’t sport an LED indicating that credentials are captured. However, it’s capable of getting Shell access to the connected PC as well as login credentials.
In the tests, both devices used a software module called Responder, which allows the devices to become a network gateway, a DNS server, a WPAD server, and more. This software is defined as an LLMNR, NBT-NS and MDNS poisoner, meaning it enables the device to appear a PC on a local network and respond with false information to another machine on the network looking for a host address, such as a network printer. In turn, the device using Responder will say it’s actually the printer (which it’s not), thus the “victim” computer will send the login credentials to the device.
So why does this work? “Because USB is plug-and-play,” Fuller says. “This means that even if a system is locked out, the device still gets installed. Now, I believe there are restrictions on what types of devices are allowed to install at a locked out state on newer operating systems (Win10/El Capitan), but Ethernet/LAN is definitely on the white list.”
So far, Fuller has tested this “hack” on Windows 98 SE, Windows 2000 SP4, Windows XP SP3, Windows 7 SP1, Windows 10 Enterprise, Windows 10 Home, OS X El Capitan, and OS X Mavericks. He has yet to test this method on a Linux machine, so stay tuned for that.