A new discovery has made it very easy to steal login credentials from a locked computer, using only a USB-sized minicomputer and about 30 seconds.
Rob Fuller, a security engineer at R5 Industries, discovered the vulnerability. He states that it works not only on Windows but also on Mac OS X computers. By plugging a flash-drive-sized minicomputer into an unattended but locked system, anyone can obtain the username and password hash used to log in on the host PC.
With the stolen hash in hand, an attacker can crack or downgrade it in order to gain access to the host. The hashes come from the authentication protocol known as NT LAN Manager, or simply NTLM. As a result, if the stolen credentials came from a computer running an older version of Windows, the hash can be converted to a simpler LAN Manager variant, no matter how complex the credentials are. On newer systems such as Windows 10, cracking the hashes is more difficult but not impossible. In Fuller's trial on a Mac running a fully updated OS X El Capitan, the stolen hashes were reportedly converted into simpler ones, making an attack possible at any time.
To do all of this, he configured the attack minicomputers to present themselves as USB Ethernet devices. He also used a hacking tool called 'Responder,' which poisons network protocols. Through all this, the minicomputer receives an authentication attempt, which yields the login credentials.
Fuller further explains what is really happening in the hack:
What is happening in the video is that the USB Armory is being plugged into a locked (but logged-in) system. It boots up via the USB power and starts up a DHCP server and Responder. While it's doing this, the victim is recognizing it as an Ethernet adapter. The victim then makes route decisions and starts sending the traffic it was already creating to the Armory instead of the "real" network connection. Responder does its job and responds to all kinds of services asking for authentication, and since most OSs treat their local network as "trusted," it sees the authentication request and automatically authenticates. Seeing that the database of Responder has been modified, the Armory shuts down (LED goes solid).
While the discovery is indeed alarming, the security engineer reassures those who are concerned by stating that he is working on a follow-up post suggesting ways to prevent the attack.
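As an added defender's example (not from Fuller's post or the Responder project), the sequence in the quoted explanation, a USB Ethernet adapter appearing, handing out a DHCP lease, and the host then authenticating to that same address while the session is locked, can be turned into a simple correlation rule. The telemetry format, field names and sample events below are constructed for illustration and do not match any real Windows or macOS log layout.

```python
from datetime import datetime, timedelta

# Constructed, normalized host telemetry (hypothetical format):
# "<timestamp> <event> key=value ..."
SAMPLE_EVENTS = """\
2016-09-07T10:00:01 session_lock user=alice
2016-09-07T10:05:10 iface_added name=eth1 bus=usb driver=rndis
2016-09-07T10:05:12 dhcp_lease iface=eth1 server=10.0.0.1 gateway=10.0.0.1
2016-09-07T10:05:14 auth_attempt proto=ntlm dst=10.0.0.1 user=alice
2016-09-07T10:05:15 auth_attempt proto=ntlm dst=10.0.0.1 user=alice
2016-09-07T11:00:00 iface_added name=eth2 bus=pci driver=e1000e
2016-09-07T11:00:02 dhcp_lease iface=eth2 server=192.168.1.1 gateway=192.168.1.1
"""

WINDOW = timedelta(seconds=60)  # adapter -> lease -> auth must happen this fast


def parse(text):
    """Turn the constructed log text into (timestamp, event, fields) tuples."""
    events = []
    for line in text.splitlines():
        ts, kind, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        events.append((datetime.fromisoformat(ts), kind, fields))
    return events


def detect_rogue_usb_ethernet(text, window=WINDOW):
    """Flag a USB Ethernet adapter that appears, serves a DHCP lease, and then
    receives the host's own authentication attempts within `window`.
    Whether the console was locked at the time is recorded as context."""
    events = parse(text)
    locked = False
    alerts = []
    for i, (ts, kind, f) in enumerate(events):
        if kind == "session_lock":
            locked = True
        elif kind == "session_unlock":
            locked = False
        if kind != "iface_added" or f.get("bus") != "usb":
            continue  # only adapters that arrived over USB are of interest
        later = [e for e in events[i + 1:] if e[0] - ts <= window]
        lease = next((e for e in later
                      if e[1] == "dhcp_lease" and e[2].get("iface") == f["name"]), None)
        if lease is None:
            continue
        server = lease[2]["server"]
        auths = [e for e in later if e[1] == "auth_attempt" and e[2].get("dst") == server]
        if auths:  # host authenticated to the box that just handed it an address
            alerts.append({"iface": f["name"], "dhcp_server": server,
                           "auth_count": len(auths), "locked": locked,
                           "users": sorted({a[2].get("user") for a in auths})})
    return alerts
```

Running `detect_rogue_usb_ethernet(SAMPLE_EVENTS)` on the constructed events flags eth1 (USB, lease from 10.0.0.1, two NTLM attempts to it while locked) and ignores the PCI adapter eth2.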