Modified USB Ethernet Adapter Can Steal Windows and Mac Credentials (softpedia.com)
An anonymous reader writes from a report via Softpedia: An attacker can use a modified USB Ethernet adapter to fool Windows and Mac computers into giving away their login credentials. The attack relies on using a modified USB Ethernet adapter that runs special software, which tricks the attacked computer into accepting the Ethernet adapter as the network gateway, DNS, and WPAD server. The attack is possible because most computers will automatically install any plug-and-play (PnP) USB device. Even worse, when installing the new (rogue) USB Ethernet adapter, the computer will give out the local credentials needed to install the device. The custom software installed on the USB intercepts these credentials and logs them to an SQLite database. This attack can take around 13 seconds to carry out, and the USB Ethernet adapter can be equipped with an LED that tells the attacker when the login credentials have been stolen.
Through udev rules on Linux and group policy under Windows.
This is one reason why Qubes keeps USB controllers cordoned off in a separate unprivileged VM.
Users have no idea about the many drivers and services that any ol' USB device can run on a system, not to mention the varying quality and vulnerabilities therein.
Bad article is bad. It initiates a man-in-the-middle attack for network requests.
On Windows, this gets NTLM for a pass-the-hash attack if a network share is mounted or set to automatically connect.
Hak5.org (blocked from work, so no direct link) sells the Rubber Ducky and the Turtle (the actual device used in the attack). Rob (aka Mubix -- the guy documenting the hack) does a fair bit with Darren Kitchen, the main guy behind Hak5.
Also, Darren and Shannon (the co-hosts of Hak5) consulted on Mr. Robot.
https://www.youtube.com/watch?...
The USB device pretends to be an Ethernet adapter. Once the adapter is installed, the PC attempts to communicate with the network. The other portion of the box is running code that will automatically respond as if it's a domain controller so that Windows will attempt to authenticate using the existing credentials. This request includes the password hash. The software responds "thanks for the hash!". Unplug everything and go home to break the hash on your own time.
The OS isn't running any software from the device, the device is just taking advantage of the default behavior (authenticate to the new network).
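As an added illustration (not code from the article, from Mubix's write-up, or from Hak5): a host-side heuristic over constructed endpoint-agent events that flags a freshly attached USB network interface whose DHCP lease makes the adapter itself the default gateway, DNS server and WPAD server, which is the setup the attack above relies on. The event field names are assumptions, not any real tool's schema.

```python
from urllib.parse import urlparse

# Constructed events standing in for what an endpoint agent could collect
# from udev (link attach, with the bus the NIC hangs off) and the DHCP client
# (lease contents). eth0 is a normal wired NIC; eth1 is a USB adapter whose
# lease points gateway, DNS and WPAD (option 252) all back at itself.
EVENTS = [
    {"t": 100.0, "kind": "link", "iface": "eth0", "bus": "pci"},
    {"t": 101.0, "kind": "dhcp", "iface": "eth0", "server": "10.0.0.1",
     "router": "10.0.0.1", "dns": ["10.0.0.53"], "wpad": None},
    {"t": 500.0, "kind": "link", "iface": "eth1", "bus": "usb"},
    {"t": 502.5, "kind": "dhcp", "iface": "eth1", "server": "192.168.2.1",
     "router": "192.168.2.1", "dns": ["192.168.2.1"],
     "wpad": "http://192.168.2.1/wpad.dat"},
]

def wpad_host(url):
    """Host named in a DHCP option 252 WPAD URL, or None if no URL was given."""
    return urlparse(url).hostname if url else None

def suspicious_usb_leases(events, window_s=30.0):
    """Return (iface, reasons) for USB NICs that, within window_s of attaching,
    received a lease concentrating gateway/DNS/WPAD on the DHCP server itself."""
    attached = {e["iface"]: e["t"] for e in events
                if e["kind"] == "link" and e["bus"] == "usb"}
    findings = []
    for e in events:
        if e["kind"] != "dhcp" or e["iface"] not in attached:
            continue
        if e["t"] - attached[e["iface"]] > window_s:
            continue
        srv = e["server"]
        reasons = []
        if e["router"] == srv:
            reasons.append("gateway is the DHCP server")
        if e["dns"] and all(d == srv for d in e["dns"]):
            reasons.append("all DNS servers are the DHCP server")
        if wpad_host(e["wpad"]) == srv:
            reasons.append("WPAD (option 252) points at the DHCP server")
        # One box acting as DHCP, gateway, DNS and WPAD at once is the pattern
        # described above; require the gateway hit plus at least one more.
        if "gateway is the DHCP server" in reasons and len(reasons) >= 2:
            findings.append((e["iface"], reasons))
    return findings

if __name__ == "__main__":
    for iface, reasons in suspicious_usb_leases(EVENTS):
        print(f"ALERT {iface}: " + "; ".join(reasons))
```

A PCI-attached NIC with the same lease shape is deliberately not flagged, since a small home router legitimately serves DHCP, gateway and DNS from one address; the signal here is that combination on a hot-plugged USB adapter.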