Rob Fuller a security researcher has discovered a unique attack method which can steal PC credentials from both Windows and Mac computers, and possibly even Linux (not tested as of now).
Rob’s attack is very effective against locked computers in which user has already logged in.
According to the researcher he used USB-based Ethernet adapters, on which he modified the firmware code to run a special software which sets the plug-and-play USB device as the network gateway, WPAD and DNS servers on the computer it is connected to.
The reason this attack works is because most computers will automatically install any plug-and-play (or PnP) USB device once it is connected.
“Why does this work? Because USB is Plug-and-Play. This means that even if a system is locked out, USB still gets installed,” Rob explained.
“I believe there are some restrictions on what types of devices are allowed to install at a locked out state on latest operating systems (Win10/El Capitan), but LAN /Ethernet is definitely on the white list” he said.
When installing a new rogue plug-and-play USB-Ethernet adapter, the computer will give out the local credentials needed in order to install the device.
Rob’s modified device includes software which intercepts these credentials and saves them on an SQLite database.
This researcher’s modified device also includes a small LED which lights up when the credentials are recorded.
Any attacker would possibly need a physical access to the device to plug in the rogue USB Ethernet adapter, but Rob says the average attack time is 13 seconds.
Rob coul d not believe that this type of attack was possible, so he tested the scenario with USB Ethernet dongles such as USB-Armory and also Hak5 Turtle.
He says the attack was successful against operating systems like Windows 98 SE, Windows 2000 SP4, Windows XP SP3, Windows 7 SP1, Windows 10 (Enterprise and Home), OS X El Capitan, and OS X Mavericks. He is planning to test the attack against several Linux distros as well. Below is a video of Fuller’s attack in action.