Slashdot Mirror


Modified USB Ethernet Adapter Can Steal Windows and Mac Credentials (softpedia.com)

An anonymous reader writes from a report via Softpedia: An attacker can use a modified USB Ethernet adapter to fool Windows and Mac computers into giving away their login credentials. The attack relies on using a modified USB Ethernet adapter that runs special software, which tricks the attacked computer into accepting the Ethernet adapter as the network gateway, DNS, and WPAD server. The attack is possible because most computers will automatically install any plug-and-play (PnP) USB device. Even worse, when installing the new (rogue) USB Ethernet adapter, the computer will give out the local credentials needed to install the device. The custom software installed on the USB intercepts these credentials and logs them to an SQLite database. This attack can take around 13 seconds to carry out, and the USB Ethernet adapter can be equipped with an LED that tells the attacker when the login credentials have been stolen.

82 comments

  1. USB whitelisting by Anonymous Coward · · Score: 5, Insightful

    This is why ALL of my USB devices are white listed on my computers.

    There is no reason to allow rogue/unidentified hardware to be connected to a computer.

    1. Re: USB whitelisting by Anonymous Coward · · Score: 1

      Care to explain how?

    2. Re: USB whitelisting by Anonymous Coward · · Score: 4, Funny

      White listed... Here you go with your white superiority again. Always trying to keep the black man down

    3. Re: USB whitelisting by Anonymous Coward · · Score: 2, Informative

      Through udev rules on Linux and group policy under Windows.

    4. Re: USB whitelisting by Anonymous Coward · · Score: 1

      They're not. They have their own, it's called a blacklist.

    5. Re:USB whitelisting by Anonymous Coward · · Score: 0

      Actually doesn't matter unless your USB controller has an IOMMU.

      Without the IOMMU, usb devices can scan the entire system memory.

    6. Re:USB whitelisting by Anonymous Coward · · Score: 0

      Shame you don't have any portable computers, or that would be a handy feature.

    7. Re: USB whitelisting by Anonymous Coward · · Score: 0

      Even better, google 'whitelist', google 'blacklist' and compare the number of hits.
      If that's not reverse racism, I don't know what is.

    8. Re: USB whitelisting by Anonymous Coward · · Score: 1

      Windows wise it'd be something like

      REGEDIT4
       
      [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions]
      ;Prevent installation of devices not described by other policy settings
      "DenyUnspecified"=dword:00000001
      ;Allow installation of devices that match any of these device IDs
      "AllowDeviceIDs"=dword:00000001
       
      [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\AllowDeviceIDs]
      ;xbox one controller
      "1"="HID\\VID_045E&PID_02FF&IG_00"
      "2"="USB\\VID_045E&PID_02FF&IG_00"

    9. Re: USB whitelisting by Anonymous Coward · · Score: 1

      not to nitpick...but "reverse racism" is just racism.

    10. Re:USB whitelisting by Anonymous Coward · · Score: 0

      And when your keyboard dies, good luck adding the new one to the white list when you can't type.

  2. Nice! by 110010001000 · · Score: 1

    It runs special software? Impressive.

  3. How to protect? by JcMorin · · Score: 1

    How can I protect my computer against that?

    1. Re: How to protect? by Anonymous Coward · · Score: 1

      Set your computer on fire.

    2. Re:How to protect? by 110010001000 · · Score: 1

      I put super glue on all my ports to prevent that.

    3. Re: How to protect? by Anonymous Coward · · Score: 0

      You need to put epoxy. Superglue is easily removed by acetone (nail polish remover)

    4. Re: How to protect? by 110010001000 · · Score: 1

      But I never visit Poland.

    5. Re:How to protect? by Tuidjy · · Score: 1

      In Windows, set the group policy so that USB devices are not automatically installed. Of course, you could also simply disable your USB hubs, but that may reduce the functionality of your PC beyond what you'd consider acceptable.

      --
      No good deed goes unpunished...
    6. Re:How to protect? by chispito · · Score: 2

      How can I protect my computer against that?

      The best way is to not allow people to plug usb devices into your computer. Physical access trumps all.

      --
      The Daddy casts sleep on the Baby. The Baby resists!
    7. Re: How to protect? by viperidaenz · · Score: 2

      acetone also dissolves ABS, polycarbonate, polystyrene and other similar types of plastic. Better hope the USB port isn't made of those.
      It's not too good for polyethylene either.

    8. Re:How to protect? by Anonymous Coward · · Score: 0

      By not poking any unknown or foreign objects into its openings.

  4. From a Windows NT 4 screen saver (paraphrased) by Anonymous Coward · · Score: 0

    If you let the bad guys get physical access to your computer ---- It's not your computer anymore.
    If you let the gad guys run their software on your computer ---- It's not your computer anymore.

    Gee - are people really such dumb fucks?

    1. Re:From a Windows NT 4 screen saver (paraphrased) by Anonymous Coward · · Score: 0

      gad guys - Shit - I need an old fogies screen. These letters are toooooo sssmmmaaalll.

  5. Squints suspiciously... by complete+loony · · Score: 2

    Exactly what kind of credentials?

    --
    09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    1. Re: Squints suspiciously... by Rosyna · · Score: 5, Informative

      Bad article is bad. It initiates a man-in-the-middle attack for network requests.

      On Windows, this gets NTLM for a pass-the-hash attack if a network share is mounted or set to automatically connect.

  6. Rubby Ducky by Dracos · · Score: 1

    This is essentially the Rubber Ducky dongle that's been used in Mr Robot. Esmail and his tech consultants don't invent stuff like that, so this must have been available for a while.

    1. Re:Rubby Ducky by Burz · · Score: 3, Informative

      This is one reason why Qubes keeps USB controllers cordoned off in a separate unprivileged VM.

      Users have no idea about the many drivers and services that any ol' USB device can run on a system, not to mention the varying quality and vulnerabilities therein.

    2. Re:Rubby Ducky by tnyquist83 · · Score: 2

      Not a Rubber Ducky, but a LAN Turtle built by the same people. While a Rubber Ducky is a microcontroller in a USB case that poses as a HID, the LAN Turtle is a SoC running openwrt crammed into a USB-Ethernet case.

    3. Re:Rubby Ducky by SQLGuru · · Score: 3, Informative

      Hak5.org (blocked from work, so no direct link) sells the Rubber Ducky and the Turtle (the actual device used in the attack). Rob (aka Mubix -- the guy documenting the hack) does a fair bit with Darren Kitchen, the main guy behind Hak5.

      Also, Darren and Shannon (the co-hosts of Hak5) consulted on Mr. Robot.

      https://www.youtube.com/watch?...

    4. Re:Rubby Ducky by Burz · · Score: 1

      Sorry about the bad link. The correct one is https://www.qubes-os.org/

  7. Umm yea. by jellomizer · · Score: 2

    You can plug in a hardware device into a computer and it may communicate with it. Just as long as it tells the computer the correct response timely you can process the data sent to it in any way possible.
    What may be just as easy is a pass-through USB connector where you plug your keyboard into one end. It will send keyboard data to the PC just fine. But log it and connect to a wireless network and send the data to different spots.
    You can run all the system checks and not realize the keyboard extension cable is the actual hack.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re:Umm yea. by Solandri · · Score: 1

      This is one criticism I've had of USB. Under the guise of being user friendly, OS programmers have made the OS automatically do all sorts of stupid and insecure things when you plug something into the USB port. CD/DVD drives used to have the same problem (automatically running an executable off the disc) until it became such a common vector for malware that Microsoft finally disabled the autorun feature by default.

      When you plug in a USB device, you should get a pop-up asking if you want to access it in read-only mode or read/write mode, and whether it should be active (can auto-install stuff and mess with the system) or passive (can't change anything about your system - you will have to select/install the drivers yourself). You can have a "let the OS manage this automatically" option for the computer illiterate, but it should not be the default, and should throw up a big warning about malware vulnerability and decreased security with that option.

  8. errr by Anonymous Coward · · Score: 0

    Isn't it just easier to just steal the computer?

    1. Re:errr by AvitarX · · Score: 2

      Does that get you passwords, or anything, with encrypted home/user directory and a strong password?

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    2. Re:errr by 110010001000 · · Score: 2

      No, but this doesn't either. It just gets you the credential tokens, not the password itself.

    3. Re:errr by Anonymous Coward · · Score: 0

      Which with Windows, at least, you might as well have got the password. It gives you nearly the same results.

    4. Re:errr by Anonymous Coward · · Score: 0

      An access token is valid until the end of the session, or until it expires, whichever comes first.
      Diamonds^H^H^H^H^H^H^H^HPasswords are forever, unless there's a good password policy.

  9. Why is autorun still a thing? by Anonymous Coward · · Score: 0

    These sorts of attacks have been going on since Win95 started auto-running CDROMs, but apparently we still haven't learnt the lesson: auto-run should never be set as default!

    1. Re:Why is autorun still a thing? by viperidaenz · · Score: 2

      I don't believe this runs arbitrary code on the computer, the only code that runs is the built-in usb-ethernet drivers.

      The OS installs the adapter and sends DHCP requests through it. It responds with extra config options in the DHCP response telling it the URL to the web proxy configuration file. The OS then sends an authentication request to the configured web proxy. These are the credentials that get stolen. Windows will send out an NTLMv2 hashed password you then need to crack.
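
Added example, not part of the thread: the DHCP step described in the comment above can be checked from the defender's side by parsing a captured DHCP reply and flagging a proxy auto-config URL (option 252, the code conventionally used for WPAD) and a server that names itself gateway and DNS. The function names, the trusted-server set and the addresses are assumptions, and the sample packets are constructed.

```python
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options field
OPT_PAD, OPT_END = 0, 255
OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_WPAD = 3, 6, 53, 54, 252


def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option_code: raw_value} from a BOOTP/DHCP payload (the UDP data)."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (too short or magic cookie missing)")
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        # RFC 3396: an option split across several TLVs is concatenated.
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def _ips(raw: bytes) -> list:
    """Decode a packed list of IPv4 addresses (4 bytes each)."""
    usable = len(raw) - len(raw) % 4
    return [str(ipaddress.IPv4Address(raw[j : j + 4])) for j in range(0, usable, 4)]


def audit_dhcp_reply(packet: bytes, trusted_servers: set) -> list:
    """Return human-readable findings for one DHCP OFFER/ACK."""
    opts = parse_dhcp_options(packet)
    findings = []
    server = _ips(opts.get(OPT_SERVER_ID, b""))
    server_ip = server[0] if server else None
    if server_ip not in trusted_servers:
        findings.append(f"reply from untrusted DHCP server {server_ip}")
    if OPT_WPAD in opts:
        url = opts[OPT_WPAD].rstrip(b"\x00\n").decode("ascii", "replace")
        findings.append(f"option 252 sets proxy auto-config URL {url}")
    routers, dns = _ips(opts.get(OPT_ROUTER, b"")), _ips(opts.get(OPT_DNS, b""))
    if server_ip and server_ip in routers and server_ip in dns:
        findings.append(f"{server_ip} names itself gateway and DNS server")
    return findings


def build_sample_reply(server: str, router: str, dns: str, wpad_url: str = "") -> bytes:
    """Constructed test input: a minimal DHCPACK carrying the options of interest."""
    def opt(code: int, value: bytes) -> bytes:
        return bytes([code, len(value)]) + value

    def ip(text: str) -> bytes:
        return ipaddress.IPv4Address(text).packed

    # op=BOOTREPLY, htype=Ethernet, hlen=6, hops=0; rest of the 236-byte header zeroed
    header = bytes([2, 1, 6, 0]) + bytes(232)
    body = opt(OPT_MSG_TYPE, b"\x05") + opt(OPT_SERVER_ID, ip(server))
    body += opt(OPT_ROUTER, ip(router)) + opt(OPT_DNS, ip(dns))
    if wpad_url:
        body += opt(OPT_WPAD, wpad_url.encode("ascii"))
    return header + MAGIC_COOKIE + body + bytes([OPT_END])


if __name__ == "__main__":
    trusted = {"10.0.0.1"}           # assumption: the site's real DHCP server
    samples = {
        "expected": build_sample_reply("10.0.0.1", "10.0.0.254", "10.0.0.53"),
        "suspect": build_sample_reply("192.0.2.1", "192.0.2.1", "192.0.2.1",
                                      "http://192.0.2.1/wpad.dat"),
    }
    for name, pkt in samples.items():
        for finding in audit_dhcp_reply(pkt, trusted) or ["no findings"]:
            print(f"{name}: {finding}")
```

Networks that hand out WPAD over DHCP themselves will see the option 252 finding on legitimate replies, so read it together with the trusted-server check.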

    2. Re:Why is autorun still a thing? by joe_frisch · · Score: 1

      I really don't see why Windows can't ask before installing ANYTHING from usb. Clicking "OK" is not that big a deal relative to the effort of plugging in a usb device.

    3. Re: Why is autorun still a thing? by Anonymous Coward · · Score: 0

      Including the USB mouse & keyboard?

    4. Re:Why is autorun still a thing? by MBGMorden · · Score: 1

      Because realistically most people are pretty dumb when it comes to using a computer. Autorun is a thing because otherwise more than half of computer users would never be able to launch a program.

      That's why we have consistent UI's getting thrown out of the window and now most app developers are basically going with the approach of "throw everything randomly up in their face and hopefully they'll see a button that does what they want". Makes it easier for the average idiot to stumble upon what they want - makes it a lot harder for someone to navigate a program expecting it to work like most other programs do.

      I had kinda thought all this would improve as the older generation faded away and most younger people literally grew up using computers, but truthfully the younger generation is no better. They're no longer AFRAID of using a computer/phone/whatever, but they're certainly not any BETTER at it.

      --
      "People who think they know everything are very annoying to those of us who do."-Mark Twain
    5. Re:Why is autorun still a thing? by Anonymous Coward · · Score: 3, Interesting

      or the device just sends an error response and then Windows sends out an NTLMv1 hash - and you don't NEED to crack it.

    6. Re:Why is autorun still a thing? by Anonymous Coward · · Score: 0

      But how do I plug in the usb keyboard then.

    7. Re:Why is autorun still a thing? by Anonymous Coward · · Score: 0

      ( the younger generation ) They're no longer AFRAID of using a computer/phone/whatever, but they're certainly not any BETTER at it.

      Better? On the contrary.
      There's a whole floor full of developers here.
      The older ones know how a computer works, down to the bit level. They craft their own SQL manually, to be executed from a C++ application.

      The younger ones know how their programming environment works, know a programming language or two, but don't know the difference between scripting and a compiled language. They don't even know there IS a difference. Three outta four think C# is just another variant of C, like C++. All four are wondering why their data access objects perform so slow, compared to that C++ code of the older generation, and don't have a clue that it's not C++ versus C# that makes the difference.

      And at the bottom of the spectrum, the PHP-ers, are beyond rescue. They know git inside out, they may even turn out secure web code from time to time if they use the proper framework that has that security built in, but after having lived in PHP for a couple of years, nobody will ever again be able to turn them into real programmers.

    8. Re:Why is autorun still a thing? by Anonymous Coward · · Score: 0

      A driver for a USB device is automatically installed, the first time it is connected to a certain USB port.
      That could be made optional, confirmation still only needed the first time.

      A USB keyboard is a special case, the OS already knows about those. No device-dependent driver needed (although some install one anyway, so the OS gets to know the extra keys).
      The same with mice (with some exceptions, notably wireless).

      You would think that would be different for special keyboards with built-in smartcard reader etc., but those present themselves as more than one device. The keyboard part is still just a keyboard.

    9. Re:Why is autorun still a thing? by cjjjer · · Score: 1

      That could be made optional, confirmation still only needed the first time.

      If we have learned anything from malware people will just say yes to that regardless even if the device is known or unknown to be trusted. Users are funny that way.

    10. Re:Why is autorun still a thing? by Anonymous Coward · · Score: 0

      No he wrote, "not any better", so your whole post was pointless.

  10. Be afraid by Dunbal · · Score: 1

    The evil maid strikes again. Seriously this is a non issue. Unless they let absolutely everyone into the server room at your workplace.

    --
    Seven puppies were harmed during the making of this post.
    1. Re:Be afraid by h33t+l4x0r · · Score: 2

      Nah, you just leave a bunch of them lying around in a public area. Eventually someone's going to pick one up and plug it in.

    2. Re:Be afraid by Anonymous Coward · · Score: 0

      A conference room would probably be the ideal choice to leave one.

  11. Credentials? by Anonymous Coward · · Score: 0

    Sounds like the special software needs to run on the OS to intercept the credentials passed to it. But Windows and OSX wouldn't just run any special driver that the device provides. And in the modern os, if the driver isn't signed, NO WAY windows/osx will automatically Install said driver. This seems unlikely. However, if the device behaves as a generic NET class driver, then yes, it can "spoof" a dhcp response, a DNS server what not... And yes, it can probably capture authentication attempts from Windows for certain resources (automatic upnp resource...), is that what's captured?

  12. doesn't have to be an adapter by Gravis+Zero · · Score: 1

    This kind of attack could run on any USB device with a modified firmware (e.g. memory stick). If you don't want to hack an existing USB device, then for a few bucks you can make your own. It also doesn't have to interfere with the original functionality of the USB device, so if you aren't paying attention, the device could perform its task undetected.

    --
    Anons need not reply. Questions end with a question mark.
  13. Re: Bullshit - Neither OS X or Windows work that w by Anonymous Coward · · Score: 1

    says the person who has one of these things that does work

  14. News? by Anonymous Coward · · Score: 0

    I remember hardware keyloggers from the early days of ps/2. Sure, this is a tad more sophisticated, but newsworthy?

  15. I wonder if it works without a logged session by cloud.pt · · Score: 1

    I can see this being super useful (for the perpetrators I mean) in scenarios where pcs are left either locked (session running, yet needs pass) or even before logging any account. Windows time to desktop from a login screen is so fast it looks like every service, such as the PnP one is already up and accepting software installation. Does anyone have deeper knowledge if such a thing might happen? As in: has anyone ever tested plugging a PnP device whilst a Win pc is locked, then found ways to check it DID install (maybe even that it ran whatever form of "autorun")?

    1. Re:I wonder if it works without a logged session by cloud.pt · · Score: 1

      All of this without actually logging in or unlocking the logged account of course...

  16. How can I get one? by LoTonah · · Score: 2

    Seriously sick of trying to deal with customers who forgot their own damn passwords. This would be a godsend!

    1. Re:How can I get one? by Anonymous Coward · · Score: 0

      Post-it notes are cheaper, and offer the added benefit that they can't be read remotely.

  17. Re:Bullshit - Neither OS X or Windows work that wa by WaffleMonster · · Score: 2

    Windows doesn't provide the USB dongle with a password at any point, as implied by the article. It 'auto-installs' signed drivers already on the PC or if configured, downloads them from the internet ... SIGNED DRIVERS ... SIGNED BY MICROSOFT. Not just any random driver on the USB device.

    Windows does not do 'auto-run'

    OS X doesn't do anything implied in this article either. If it doesn't have a driver for your USB device already, it just doesn't work, with the exception of printers there isn't a magic way that it reads drivers from the USB device or random internet sites.

    This story is simply bullshit.

    Yea TFA is worthless and does not disclose anything of relevance. This isn't about USB or device drivers. It is about getting windows to automatically do stupid crap over a network like trying to login to something. The IE Advanced option for example "Enabled Integrated Windows Authentication" is I believe enabled by default in at least Windows 7.

    If you can get a browser or some internal service to attempt login by initial DHCP/WPAD/whatever you can make short work of the authentication attempt to derive most passwords because Microsoft insists on using completely worthless CHAP based authentication protocols (e.g. Kerberos, MSCHAPv2) which subject users to at the very least offline dictionary simply for trying to logon... and by default it tries automatically... which is just awesome.

  18. Now with convenient red LED! by cormandy · · Score: 1

    Now with convenient red LED to let you know when password stolen! Time to upgrade my Ethernet USB password stealers!

  19. News at eleven.. by CptLoRes · · Score: 1

    Breaking news! Physical access to computers, makes them more susceptible to security exploits.

  20. Start using SSL by DrYak · · Score: 1

    Another alternative is to use proper cryptography between your machine and the necessary server.

    I'm not that used to Windows and Active Domain, so I can't comment much.

    The Unix equivalent would be to set up LDAPS for the credential validation instead of plain LDAP, with properly signed certificate.
    The rogue credential server running inside the USB would fail the certificate validation and the workstation will refuse to use it.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:Start using SSL by Anonymous Coward · · Score: 1

      I think Windows and *n*x are both sufficiently protected against simple network sniffing to make that a non-issue.
      So I think this adapter does more than just snooping on what comes by - it must change the behavior of the OS in some way.

    2. Re:Start using SSL by WaffleMonster · · Score: 1

      Another alternative is to use proper cryptography between your machine and the necessary server.

      The alternative is using authentication algorithms that don't suck. If Microsoft used a PAKE none of this would be possible. It's almost as if they are trying to get everyone hacked.

      The Unix equivalent would be to set up LDAPS for the credential validation instead of plain LDAP, with properly signed certificate. The rogue credential server running inside the USB would fail the certificate validation and the workstation will refuse to use it.

      LDAP is used for backend authentication of incoming authentication and authorization requests. A client connecting to another UNIX server is not connecting to LDAP it is connecting to that server using whatever authentication mechanism is offered by the protocol associated with the connection.

      Regardless sending credentials in the clear over a wire whether that wire is "encrypted" or not is an unnecessary completely avoidable risk.

      Depending on organizations to properly deploy PKI is a fool's errand.

    3. Re:Start using SSL by WaffleMonster · · Score: 1

      I think Windows and *n*x are both sufficiently protected against simple network sniffing to make that a non-issue. So I think this adapter does more than just snooping on what comes by - it must change the behavior of the OS in some way.

      This made my day. Thanks for the laugh.

  21. Re:Bullshit - Neither OS X or Windows work that wa by Anonymous Coward · · Score: 0

    This isn't about USB or device drivers. It is about getting windows to automatically do stupid crap over a network like trying to login to something.

    Whether the OS does something automatically or not (like auto-mounting network shares because it's easier to have them in /etc/fstab than to do it manually every time) is irrelevant. It can snoop just as well when you mount something manually.

  22. Stranger Danger by Anonymous Coward · · Score: 0

    So, don't accept a drink from a stranger, OR a USB/Ethernet adapter.

  23. Not a password by Anonymous Coward · · Score: 0

    but NTLM hash, now you need to crack it....

  24. Re:Bullshit - Neither OS X or Windows work that wa by v1 · · Score: 1

    how is this any different than say, a modified router? Or a computer acting as a gateway? Is this device just intercepting unencrypted network traffic? Like any point on the internet can?

    That would be no more earth-shattering than hearing that someone found a way to read my postal mail.

    If you want privacy, you should be using end-to-end network encryption of some sort. Be it VPN, pgp email, ssh, etc. If you're sending in the clear and trusting every member of a huge network of random actors between you and your destination, you're stupid. Once it leaves your computer, it's fair game. It doesn't matter if it's getting sucked up at one of the NSA's big facilities, your ISP, the public kiosk's router, or a random ethernet adapter you found laying on the ground.

    --
    I work for the Department of Redundancy Department.
  25. Re:Bullshit - Neither OS X or Windows work that wa by Anonymous Coward · · Score: 1

    This is simply bullshit.

    Yeah, exactly like you 'working at a carrier'.

  26. Re:Bullshit - Neither OS X or Windows work that wa by guruevi · · Score: 1

    Windows will actually happily and by default send the credentials in clear text over wireless if you're using 802.1x without a Windows approved RADIUS server. The article and the summary are dumb because no USB device gets credentials by plugging it in. This is probably a network attack and could be done anywhere on a network.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  27. IDIOT!!! by Anonymous Coward · · Score: 0

    when you plug something into the USB port.

    you have already failed, USB was not designed for security,

    When you plug in a USB device, you should get a pop-up

    I LOVE how people use the word "should" and they think it will solve their problems

    should throw up a big warning about malware vulnerability

    that most users will just click right past anyway.

    OH MAN you are SO STUPID

    1. Re:IDIOT!!! by Anonymous Coward · · Score: 0

      OH MAN you are 13 AT MOST

  28. Re:Bullshit - Neither OS X or Windows work that wa by SQLGuru · · Score: 4, Informative

    The USB device pretends to be an Ethernet adapter. Once the adapter is installed, the PC attempts to communicate with the network. The other portion of the box is running code that will automatically respond as if it's a domain controller so that Windows will attempt to authenticate using the existing credentials. This request includes the password hash. The software responds "thanks for the hash!". Unplug everything and go home to break the hash on your own time.

    The OS isn't running any software from the device, the device is just taking advantage of the default behavior (authenticate to the new network).

  29. Re:Bullshit - Neither OS X or Windows work that wa by WaffleMonster · · Score: 1

    If you're sending in the clear and trusting every member of a huge network of random actors between you and your destination, you're stupid.

    This is exactly what Microsoft is enabling today in 2016 with "integrated authentication".... Apparently a sufficient number of people have not taken the opportunity to tell them how stupid they are.

    There are some small caveats but none of them matter. The passwords aren't sent in the clear but might as well be given the ease of deriving them from challenge material.

  30. Re:Bullshit - Neither OS X or Windows work that wa by Anonymous Coward · · Score: 1

    It's bitztream, the autism-hating Slashdot troll!

  31. Not sniffing by DrYak · · Score: 1

    I think Windows and *n*x are both sufficiently protected against simple network sniffing to make that a non-issue.

    Unix: depends on configuration.
    (goes from straight "everybody trust everyone else" like NIS and NFS servers, all the way up to Kerberos - everything is authenticated over an encrypted link)
    (and the home variant: use SSH + keys for everything)

    Windows:
    I've read some very appalling descriptions of how it works.
    No or not enough encryption.

    So I think this adapter does more than just snooping on what comes by - it must change the behavior of the OS in some way.

    According to the summary, the key redirects to different (attacker-controlled) name server and Active Domain server (either running inside the USB adapter, or running elsewhere on the network with the key doing redirection of connections)
    Without proper cryptographic authentication in place, the attacked workstation will blindly trust these servers.

    Most typical installations of Unix services run encryption (e.g.: SSH for remote access, LDAPS for authentication/log-in, even DNSsec is possible for names) or can be authenticated (NFS supports Kerberos). Such a different server will fail the cryptographic authentication and will be rejected.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]