Modified USB Ethernet Adapter Can Steal Windows and Mac Credentials (softpedia.com)
An anonymous reader writes from a report via Softpedia: An attacker can use a modified USB Ethernet adapter to fool Windows and Mac computers into giving away their login credentials. The attack relies on using a modified USB Ethernet adapter that runs special software, which tricks the attacked computer into accepting the Ethernet adapter as the network gateway, DNS, and WPAD server. The attack is possible because most computers will automatically install any plug-and-play (PnP) USB device. Even worse, when installing the new (rogue) USB Ethernet adapter, the computer will give out the local credentials needed to install the device. The custom software installed on the USB intercepts these credentials and logs them to an SQLite database. This attack can take around 13 seconds to carry out, and the USB Ethernet adapter can be equipped with an LED that tells the attacker when the login credentials have been stolen.
This is why ALL of my USB devices are whitelisted on my computers.
There is no reason to allow rogue/unidentified hardware to be connected to a computer.
Exactly what kind of credentials?
09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
You can plug a hardware device into a computer and it may communicate with it. As long as it gives the computer the correct response in a timely manner, you can process the data sent to it in any way possible.
What may be just as easy is a pass-through USB connector where you plug your keyboard into one end. It will send keyboard data to the PC just fine, but log it, connect to a wireless network and send the data to different spots.
You can run all the system checks and not realize the keyboard extension cable is the actual hack.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Does that get you passwords, or anything, with encrypted home/user directory and a strong password?
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
How can I protect my computer against that?
The best way is to not allow people to plug usb devices into your computer. Physical access trumps all.
The Daddy casts sleep on the Baby. The Baby resists!
This is one reason why Qubes keeps USB controllers cordoned off in a separate unprivileged VM.
Users have no idea about the many drivers and services that any ol' USB device can run on a system, not to mention the varying quality and vulnerabilities therein.
Acetone also dissolves ABS, polycarbonate, polystyrene and other similar types of plastic. Better hope the USB port isn't made of those.
It's not too good for polyethylene either.
Nah, you just leave a bunch of them lying around in a public area. Eventually someone's going to pick one up and plug it in.
No, but this doesn't either. It just gets you the credential tokens, not the password itself.
I don't believe this runs arbitrary code on the computer, the only code that runs is the built-in usb-ethernet drivers.
The OS installs the adapter and sends DHCP requests through it. It responds with extra config options in the DHCP response telling it the URL to the web proxy configuration file. The OS then sends an authentication request to the configured web proxy. This is the credentials that get stolen. Windows will send out an NTLMv2 hashed password you then need to crack.
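The comment above describes the first step of the chain: the DHCP reply from the rogue adapter carries extra options (gateway, DNS and the WPAD proxy-config URL, DHCP option 252). The following is an added example, not code from the thread or from the Softpedia report, showing the check a host or network sensor can apply to a DHCP OFFER/ACK: flag any reply that pushes a WPAD URL, or a router/DNS address outside an expected allowlist. The sample packet, the addresses (192.0.2.x, 10.0.0.x) and the helper names are constructed for the example.

```python
"""Audit DHCP OFFER/ACK replies for WPAD and unexpected gateway/DNS options.

Added example for illustration; not part of the original thread or article.
Parses the option area of a DHCP payload (RFC 2132 TLV encoding) and reports
the things a rogue USB "network" would have to push to redirect proxy lookups.
"""
import ipaddress

DHCP_MAGIC = b"\x63\x82\x53\x63"          # magic cookie that precedes the options
OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_WPAD = 3, 6, 53, 252
DHCP_OFFER, DHCP_ACK = 2, 5


def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: raw_value} for the options after the magic cookie."""
    start = payload.find(DHCP_MAGIC)
    if start < 0:
        raise ValueError("no DHCP magic cookie in payload")
    i, opts = start + 4, {}
    while i < len(payload):
        code = payload[i]
        if code == 0:            # pad option, single byte
            i += 1
            continue
        if code == 255:          # end option
            break
        length = payload[i + 1]
        opts[code] = payload[i + 2 : i + 2 + length]
        i += 2 + length
    return opts


def _ipv4_list(raw: bytes) -> list:
    """Decode a run of 4-byte IPv4 addresses (ignores a trailing partial entry)."""
    return [str(ipaddress.IPv4Address(raw[k:k + 4])) for k in range(0, len(raw) - len(raw) % 4, 4)]


def audit_dhcp_reply(payload: bytes, expected_routers: set, expected_dns: set) -> list:
    """List findings for a DHCP reply; an empty list means nothing suspicious."""
    opts = parse_dhcp_options(payload)
    msg_type = opts.get(OPT_MSG_TYPE, b"\x00")[0]
    if msg_type not in (DHCP_OFFER, DHCP_ACK):
        return []                # only server replies carry the interesting options
    findings = []
    if OPT_WPAD in opts:
        url = opts[OPT_WPAD].decode("ascii", "replace").rstrip("\x00")
        findings.append(f"wpad-option: {url}")
    for code, name, expected in ((OPT_ROUTER, "router", expected_routers),
                                 (OPT_DNS, "dns", expected_dns)):
        for addr in _ipv4_list(opts.get(code, b"")):
            if addr not in expected:
                findings.append(f"unexpected-{name}: {addr}")
    return findings


def build_dhcp_reply(msg_type: int, options: list) -> bytes:
    """Construct a minimal DHCP reply (zeroed 236-byte fixed header) for testing."""
    body = bytearray(236) + DHCP_MAGIC
    body += bytes([OPT_MSG_TYPE, 1, msg_type])
    for code, value in options:
        body += bytes([code, len(value)]) + value
    body += b"\xff"
    return bytes(body)


# Constructed samples: the corporate DHCP server versus a reply from a rogue adapter.
EXPECTED_ROUTERS = {"10.0.0.1"}
EXPECTED_DNS = {"10.0.0.53"}
BENIGN_REPLY = build_dhcp_reply(DHCP_ACK, [
    (OPT_ROUTER, bytes([10, 0, 0, 1])),
    (OPT_DNS, bytes([10, 0, 0, 53])),
])
ROGUE_REPLY = build_dhcp_reply(DHCP_OFFER, [
    (OPT_ROUTER, bytes([192, 0, 2, 1])),
    (OPT_DNS, bytes([192, 0, 2, 1])),
    (OPT_WPAD, b"http://192.0.2.1/wpad.dat"),
])

if __name__ == "__main__":
    for label, pkt in (("benign", BENIGN_REPLY), ("rogue", ROGUE_REPLY)):
        print(label, audit_dhcp_reply(pkt, EXPECTED_ROUTERS, EXPECTED_DNS))
```

On a real host the payload would come from a DHCP client log or a packet capture on the newly added interface; the allowlists are whatever the site's real gateway and resolvers are. A WPAD option from any interface that is not the managed network is the thing worth alerting on, regardless of the addresses.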
Not a Rubber Ducky, but a LAN Turtle built by the same people. While a Rubber Ducky is a microcontroller in a USB case that poses as a HID, the LAN Turtle is a SoC running OpenWrt crammed into a USB-Ethernet case.
Seriously sick of trying to deal with customers who forgot their own damn passwords. This would be a godsend!
Windows doesn't provide the USB dongle with a password at any point, as implied by the article. It 'auto-installs' signed drivers already on the PC or if configured, downloads them from the internet ... SIGNED DRIVERS ... SIGNED BY MICROSOFT. Not just any random driver on the USB device.
Windows does not do 'auto-run'
OS X doesn't do anything implied in this article either. If it doesn't have a driver for your USB device already, it just doesn't work, with the exception of printers there isn't a magic way that it reads drivers from the USB device or random internet sites.
This story is simply bullshit.
Yeah, TFA is worthless and does not disclose anything of relevance. This isn't about USB or device drivers. It is about getting Windows to automatically do stupid crap over a network like trying to log in to something. The IE Advanced option "Enable Integrated Windows Authentication", for example, is I believe enabled by default in at least Windows 7.
If you can get a browser or some internal service to attempt login by initial DHCP/WPAD/whatever, you can make short work of the authentication attempt to derive most passwords, because Microsoft insists on using completely worthless CHAP-based authentication protocols (e.g. Kerberos, MSCHAPv2) which subject users to at the very least offline dictionary attacks simply for trying to log on... and by default it tries automatically... which is just awesome.
or the device just sends an error response and then Windows sends out an NTLMv1 hash - and you don't NEED to crack it.
Hak5.org (blocked from work, so no direct link) sells the Rubber Ducky and the Turtle (the actual device used in the attack). Rob (aka Mubix -- the guy documenting the hack) does a fair bit with Darren Kitchen, the main guy behind Hak5.
Also, Darren and Shannon (the co-hosts of Hak5) consulted on Mr. Robot.
https://www.youtube.com/watch?...
The USB device pretends to be an Ethernet adapter. Once the adapter is installed, the PC attempts to communicate with the network. The other portion of the box is running code that will automatically respond as if it's a domain controller so that Windows will attempt to authenticate using the existing credentials. This request includes the password hash. The software responds "thanks for the hash!". Unplug everything and go home to break the hash on your own time.
The OS isn't running any software from the device, the device is just taking advantage of the default behavior (authenticate to the new network).
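The two comments above describe the second step: once the host trusts the rogue proxy, it sends an NTLM authenticate message (the "hash") in a Proxy-Authorization header on its own. The following is an added example, not code from the thread, of the detection side: a parser that recognises NTLMSSP messages in HTTP Proxy-Authorization/Authorization headers and extracts the message type plus the domain, user and workstation names from a type 3 (AUTHENTICATE) message, which is what a proxy log or sensor should record when a client authenticates to a proxy that is not on the managed network. The HTTP request, the helper that builds a test message with empty challenge responses, and the names CORP/alice/LAPTOP01 are constructed for the example.

```python
"""Detect NTLM authentication attempts in HTTP proxy headers.

Added example, not part of the original thread. Implements only the
NTLMSSP message framing needed for logging (MS-NLMP field layout); the
challenge-response blobs themselves are never touched.
"""
import base64
import binascii
import struct

NTLMSSP = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
# Type 3 field descriptors (len, maxlen, offset) start at these byte offsets.
DOMAIN_FIELD, USER_FIELD, WORKSTATION_FIELD, FLAGS_OFFSET = 28, 36, 44, 60


def _field(msg: bytes, desc_offset: int) -> bytes:
    """Resolve a (Len, MaxLen, BufferOffset) descriptor to the bytes it points at."""
    length, _maxlen, start = struct.unpack_from("<HHI", msg, desc_offset)
    return msg[start:start + length]


def parse_ntlm_message(blob: bytes) -> dict:
    """Return {} for non-NTLMSSP data, else the message type and (for type 3) names."""
    if len(blob) < 12 or not blob.startswith(NTLMSSP):
        return {}
    info = {"type": struct.unpack_from("<I", blob, 8)[0]}
    if info["type"] == 3 and len(blob) >= 64:
        flags = struct.unpack_from("<I", blob, FLAGS_OFFSET)[0]
        enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
        info["domain"] = _field(blob, DOMAIN_FIELD).decode(enc, "replace")
        info["user"] = _field(blob, USER_FIELD).decode(enc, "replace")
        info["workstation"] = _field(blob, WORKSTATION_FIELD).decode(enc, "replace")
    return info


def scan_proxy_auth(request_text: str) -> list:
    """Find NTLM/Negotiate auth headers in a raw HTTP request and decode them."""
    findings = []
    for line in request_text.splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() not in ("proxy-authorization", "authorization"):
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.upper() not in ("NTLM", "NEGOTIATE"):
            continue
        try:
            blob = base64.b64decode(token.strip(), validate=True)
        except (binascii.Error, ValueError):
            continue
        parsed = parse_ntlm_message(blob)
        if parsed:
            parsed["header"] = name.strip()
            findings.append(parsed)
    return findings


def build_test_type3(domain: str, user: str, workstation: str) -> bytes:
    """Construct a type 3 message with EMPTY responses, for test data only."""
    enc = "utf-16-le"
    buffers = [b"", b"", domain.encode(enc), user.encode(enc), workstation.encode(enc), b""]
    msg = NTLMSSP + struct.pack("<I", 3)
    payload, pos = b"", 64               # 8 + 4 + 6 * 8 + 4 bytes of header
    for buf in buffers:
        msg += struct.pack("<HHI", len(buf), len(buf), pos)
        payload += buf
        pos += len(buf)
    return msg + struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE) + payload


# Constructed sample request, as a client would send it to a WPAD-supplied proxy.
SAMPLE_REQUEST = "\r\n".join([
    "GET http://intranet/ HTTP/1.1",
    "Host: intranet",
    "Proxy-Authorization: NTLM "
    + base64.b64encode(build_test_type3("CORP", "alice", "LAPTOP01")).decode(),
    "",
])

if __name__ == "__main__":
    for hit in scan_proxy_auth(SAMPLE_REQUEST):
        print(hit)
```

In practice this runs over proxy access logs or a capture taken on the interface the new adapter created; a type 3 message to any proxy the client did not get from the managed configuration is the event to alert on, and the user/workstation fields tell the responder whose credential was exposed.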