$50 Device Could Hack Countless Computers

HardOCP News

Just what we need, an "easy button" for hacking into a locked PC. Remember back in the day when it took a bit of skill to do this? Now anyone with fifty bucks and the ability to press a button can do it. :(

According to Fuller, the hack works by plugging in a flash-sized minicomputer — such as a $50 Hak5 Turtle — into an unattended computer that is logged in, but currently locked. Once plugged in the device becomes the default gateway able to receive traffic and can obtain the computer’s user name and password in about 20 seconds. The procured password can then either be cracked or downgraded, Fuller says, to gain access to the device.
 
So how is this really different from your normal USB keylogger? Still requires the hacker to have physical access to your PC.
 
Same old, if someone has physical access to your computer it's all over if they really want to break in.
 
What, people don't use GPO to whitelist device drivers? Easy as shit to set up with a list of regularly updated drivers.

Code:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions]
;Prevent installation of devices not described by other policy settings
"DenyUnspecified"=dword:00000001
;Allow installation of devices that match any of these device IDs
"AllowDeviceIDs"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\AllowDeviceIDs]
;video card
"1"="PCI\\VEN_10DE&DEV_1B80&SUBSYS_33601462&REV_A1"
;sound
"2"="USB\\VID_0B05&PID_180D&REV_0103&MI_00"
;network
"3"="PCI\\VEN_8086&DEV_15A1&SUBSYS_85C41043&REV_05"

To temp disable (say, to install a bunch of drivers you don't want to bother adding to the list), change DenyUnspecified/AllowDeviceIDs to 00000000 and install away.


Edit: P.S. this whitelist doesn't matter for already installed drivers, so if you have a USB drive you don't leave plugged in, it'll still work fine without having to whitelist it.

To give yourself a custom error message when you try to use devmgmt to install something, use
Code:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DeniedPolicy]
"SimpleText"="driver install denied or something"

Though the device will have a yellow mark with "The installation of this device is forbidden by system policy. Contact your system administrator." in the status message.



Edit2: Erm, it's always a good idea to add kb or m to that list (might save you having to force a reboot).
 
What, people don't use GPO to whitelist device drivers? Easy as shit to set up with a list of regularly updated drivers.

Code:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions]
;Prevent installation of devices not described by other policy settings
"DenyUnspecified"=dword:00000001
;Allow installation of devices that match any of these device IDs
"AllowDeviceIDs"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\AllowDeviceIDs]
"1"="PCI\\VEN_10DE&DEV_1B80&SUBSYS_33601462&REV_A1"
"2"="USB\\VID_0B05&PID_180D&REV_0103&MI_00"
"3"="etc..."

To temp disable (say, to install a bunch of drivers you don't want to bother adding to the list), change DenyUnspecified/AllowDeviceIDs to 00000000 and install away.


It's a STIG vulnerability check, isn't it?
 
Exactly, it can be prevented with some minimal precautions.

Also, it IS from ARS(E), so yeah, clickbaity indeed.
 
So how is this really different from your normal USB keylogger? Still requires the hacker to have physical access to your PC.

This is very different than a keylogger. You can walk into an office with a locked (but logged in) PC and plug a device into it for 20 secs, unplug it and walk away with the password hash which is easy to crack. The person who is logged into the machine doesn't have to do anything or even be there for you to do this.

Granted that is a very particular set of circumstances and you do still have to have physical access to the PC to do it.
 
This is very different than a keylogger. You can walk into an office with a locked (but logged in) PC and plug a device into it for 20 secs, unplug it and walk away with the password hash which is easy to crack. The person who is logged into the machine doesn't have to do anything or even be there for you to do this.

Granted that is a very particular set of circumstances and you do still have to have physical access to the PC to do it.

Granted...I'd be curious to see some independent testing of this method and see how well it actually works in the wild. I didn't know username and pw hash were sent out to the DHCP server or the network in most PCs, unless you're in an office environment with an AD type server.
 
This is very different than a keylogger. You can walk into an office with a locked (but logged in) PC and plug a device into it for 20 secs, unplug it and walk away with the password hash which is easy to crack. The person who is logged into the machine doesn't have to do anything or even be there for you to do this.

Granted that is a very particular set of circumstances and you do still have to have physical access to the PC to do it.

This particular attack is named Mubix Snagging according to Hak5

Also, you don't actually get the creds, you ONLY get the password hash, so you then have to take that and crack it.

And you don't even need a $50 device to do this. Somebody posted that they have it working on a Raspberry Pi 0.

In theory, if you put it on an unsecured network and switched the network cable over to the LAN Turtle, you could send the hash offsite to a remote computer that has the capability to hack the password hash, and then have the password texted to you or whatever.

The article leaves a huge amount of pertinent information out. Almost like they didn't do any research at all before posting... so click-bait.
 
Granted...I'd be curious to see some independent testing of this method and see how well it actually works in the wild. I didn't know username and pw hash were sent out to the DHCP server or the network in most PCs, unless you're in an office environment with an AD type server.

Sounds to me like it doesn't actually have to do anything with the user typing in the creds... it just grabs the hash from the registry when it installs the device while the screen is locked. NICs are, by default, whitelisted by Windows to be able to be installed while the screen is locked.
 
Sounds to me like it doesn't actually have to do anything with the user typing in the creds... it just grabs the hash from the registry when it installs the device while the screen is locked. NICs are, by default, whitelisted by Windows to be able to be installed while the screen is locked.

If that's true, it sounds like something fairly easy for MS to patch.
 
What I posted? I suppose so? First time I've heard that term, but it seems to be correct.

A STIG is a Security Technical Implementation Guide.

It's a list of guides for everything from OS to Services like vCenter Server, DNS, AD, switches, architecture STIGs for SAN networks, etc.

You take the guide and there is a tool you use to load the STIG and create a checklist, follow the checklist and you will reach a point where you have many of the things you should do locked down and even things that you need open should have some control or oversight. Then you can have your IA guys run SCAP scans and use the vulnerabilities identified in the scans to help tighten up much of the rest of it. There is a lot more that goes into it but it's a very formal approach and it can be a good way to implement IA for an organization, but it is a painful process.

On the other hand, there are some really good blogs with good hardening guides, and if you didn't have to go through all this STIG junk I would use those other resources as a starting point and get the simple shit locked down fast. Then, if you need to, hit the STIGs and chase down, and get a real understanding of, all these other things that can affect your security posture.

I take from everyone else and create my own tailored to my architecture; why chase down and waste time locking up services you don't use? I don't have a Fiber SAN fabric, why try and lock down something I don't have?

And last, I love the scans. I make friends with the IA guys running ACAS. I want their scans and I want to dig in and find out what's not right so I can close it down if possible. If I can't lock it down, I try to engineer a way to eliminate the vulnerability. If I can't lock down a vulnerability in the NFS protocol, can I isolate the VLAN and use ACLs etc. to limit access to where the protocol is running? It doesn't fix the protocol, but if no one can get to it ...

Anyway, if you're into this part of the business then you get it.
 
Between ChoGGI and Lcpiper I'm feeling the need to unplug everything and rock in the corner (while looking around suspiciously).
 
Anyway, if you're into this part of the business then you get it.
Hmm, you seem to have explained it better than wiki (surprise surprise). It does sound somewhat familiar, but I'm not in the business; just somewhat paranoid.
Between ChoGGI and Lcpiper I'm feeling the need to unplug everything and rock in the corner (while looking around suspiciously).
Heh, what I posted is supposed to make you less suspicious :)
 
So this basically pretends to be a wireless network connection passing data? So when they have that hash, what are the assumptions? Password is so many characters long? Password is in English? Then even my old trick of adding a space to the password would defeat this device... Just use more than one language set and the extra characters add to the length of time it takes to brute force... Every umlaut and diacritic is one more column in the XY columns and rows. Even if you don't use them, if the person does not know this then the password is that much harder to guess, if they can query the character sets. Half the time I use handwritten characters in my password to be funny, because with a stylus or mouse there are no common keys worn away. More languages than kanji and kana let you do this. Grin. In theory you could write your own character set and run it as an extension with a special character, but every PC you wanted to use it on would need to be configured with a slipstreamed rebuild of certain data that may not be available yet. I know when I set up small business servers for Japanese and other foreign companies in the USA I got paid an extra twenty thousand so they got the interface they expected on the US version, so everything they bought in the US would work as long as it supported UTF-8 or Unicode. I usually warned them that Unicode would display their fonts and letters better, but for some software they would have to track down a version from home to look right. Mine, I have like fifteen-plus languages loaded and a special keyboard, so most of the pan-Asian companies and the Scandinavian and Eastern European ones means the theoretical time to brute force it without walking up and looking over my shoulder is about forty years, and if you are standing behind me looking over my shoulder you'd better be pretty, female and have a good reason to be standing there... snicker... though making the gestures with your mouse might be a wee bit interesting even seeing it...
 
 
So this basically pretends to be a wireless network connection passing data? So when they have that hash, what are the assumptions? Password is so many characters long? Password is in English?
From the blog post:
Why does this work?
  1. Because USB is Plug-and-Play. This means that even if a system is locked out, the device still gets installed. Now, I believe there are restrictions on what types of devices are allowed to install at a locked out state on newer operating systems (Win10/El Capitan), but Ethernet/LAN is definitely on the white list.
  2. Computers are constantly creating traffic, even if you don’t have any browsers or applications open, and most computers trust their local network for some reason (I know the technical bits on ‘why’, just complaining…)
  3. Network preference when there are more than gateway or network connection is based on “metrics” on Windows and a combination of metrics and “preference” on OSX, but by default “wired” and “newer/faster” always win out.
This means that by plugging in the device it quickly becomes the gateway, DNS server, WPAD server and others thanks to Responder.

The password hash for windows is NTLMv2, so ophcrack or hashcat?
 
"an unattended computer that is logged in, but currently locked."

At first I was not understanding this because I had assumed that if it requires a password to get back in, it's not logged in. When I put my computer to sleep, it requires a password to wake back up. Apparently that's locked but not logged out, which is not enough now.

So what we need is to have a setting such that a sleep event doesn't just lock but also logs the user out. All I get when I go searching for such a setting is people looking for ways to stop Windows from automatically going to sleep.

I'm not sure if it was that way before, but as of the Windows 10 Anniversary Update, if you right-click the start menu, you can choose to Sign Out, Sleep, Shut down or Restart (and if you choose Sleep there, it doesn't annoyingly wake up with the Start menu open like it does if you use the left-click sleep button, by the way).

Choosing Sign-Out from the right-click Start Menu gets me to the Login screen, and from there the Power icon in the lower right allows you to Sleep. I want the signed-out Sleep available from the right-click Start Menu. Any ideas how to do that?
 
Pretty sure sleep counts? Just make sure wake on LAN or whatever it's called is turned off
 
Pretty sure sleep counts? Just make sure wake on LAN or whatever it's called is turned off

There is a lock screen and there is a log-in screen.

To see the lock screen, Ctrl-Alt-Del and choose Lock. Pressing any key while on the Lock screen brings me to the log-in screen.

So now I'm back to not understanding how you get a PC into a locked but logged-in state. How do you determine whether or not a PC is logged in while it is locked?
 
I have a windows password hash and even with rainbow tables I was unable to crack it. Perhaps someone here has the knowledge I'm lacking? PM please.
 
There is a lock screen and there is a log-in screen.

To see the lock screen, Ctrl-Alt-Del and choose Lock. Pressing any key while on the Lock screen brings me to the log-in screen.

So now I'm back to not understanding how you get a PC into a locked but logged-in state. How do you determine whether or not a PC is logged in while it is locked?


You are at the "locked and logged-in" state at that point. You would need to choose "sign out" instead of lock on the pc.
 
This particular attack is named Mubix Snagging according to Hak5

Also, you don't actually get the creds, you ONLY get the password hash, so you then have to take that and crack it.

And you don't even need a $50 device to do this. Somebody posted that they have it working on a Raspberry Pi 0.

In theory, if you put it on an unsecured network and switched the network cable over to the LAN Turtle, you could send the hash offsite to a remote computer that has the capability to hack the password hash, and then have the password texted to you or whatever.

The article leaves a huge amount of pertinent information out. Almost like they didn't do any research at all before posting... so click-bait.


There are different attack variations depending on what you want to get. I'm watching one of their videos that gives you the plain text password. I haven't finished it as it's time to go to work, but I assume it only gives you the password of the user(s) that are logged in.
 
There is a lock screen and there is a log-in screen.

To see the lock screen, Ctrl-Alt-Del and choose Lock. Pressing any key while on the Lock screen brings me to the log-in screen.

So now I'm back to not understanding how you get a PC into a locked but logged-in state. How do you determine whether or not a PC is logged in while it is locked?

I understand it like this: The PC doesn't log in anywhere.
Windows services, like updates, time sync, do on the other hand log onto the PC using built-in system accounts.
When a user logs in, you see his credentials flying around in the form of attempts to mount network drives or use network printers.
Flying around the network that is, and this device apparently operates as a promiscuous (hee hee) network interface.
If I plug in a device that masquerades as a USB Ethernet adapter
So, as was said, tuning via GPO should prevent this.

However, if you've already managed to install a random device driver on a system, you should be able to do a whole lot more than just snag the local creds.
It's somewhat scary, but sounds preventable.
 
Meh, that is the least of the issues.... There are better methods for taking over a PC without the need to plug something in. Cost for that is just over $100.00. It's the gathering of knowledge of how communication layers work and how to manipulate them that is the hard part. That takes a lot of reading and understanding. There is always a method to get in :)
 
From the blog post:


The password hash for windows is NTLMv2, so ophcrack or hashcat?

I know NTLM is weak and all, but it hasn't been totally broken, has it? And provided you have a proper password that's not in a table somewhere and has enough entropy, it's still gonna take thousands of years to brute force it, right?
 
If I recall correctly, as long as you can get the hash, you can brute force reasonably enough (NTLM doesn't use slow hashing).
 
When I choose "sleep", is that signed out or just locked but logged in?

just locked.

I am surprised how many people here don't understand locked vs logged out. If your programs are still running and you return to where you left off you are locked. If the action results in all programs being closed and nothing is running you have logged out.
 
Not even sure why it's a question (sleep or hibernate or locked is not logged off).

Log out or just shut the computer down (might find it easier with Classic Shell).

But I strongly recommend turning off fast startup (under Power, "choose what the power button/lid does"), as you get random software problems (mainly antivirus stops working) when the system has been hybrid-hibernate shut down for more than 5-20 days when you shut down (it's been causing lots of issues with my customers, and to make it worse each upgrade turns fast startup back on, so you have to turn it off again).
 
Not even sure why it's a question (sleep or hibernate or locked is not logged off).

Log out or just shut the computer down (might find it easier with Classic Shell).

But I strongly recommend turning off fast startup (under Power, "choose what the power button/lid does"), as you get random software problems (mainly antivirus stops working) when the system has been hybrid-hibernate shut down for more than 5-20 days when you shut down (it's been causing lots of issues with my customers, and to make it worse each upgrade turns fast startup back on, so you have to turn it off again).

I just started to have that issue with our corporate AV software. It kept complaining that no AV software was running, so I found an article that said to turn off fast boot. Problem went away. What is odd is that out of 125 desktops and laptops, mine is the only one with a problem at the office.
 
just locked.

I am surprised how many people here don't understand locked vs logged out. If your programs are still running and you return to where you left off you are locked. If the action results in all programs being closed and nothing is running you have logged out.

Okay, thanks. That's what I needed to know, to just have an application open and see if it gets closed.

To log out and put my PC to sleep, I must:
1. Right-click Start Menu
2. Choose Sign Out
3. Click or press any key to dispel the Lock Screen
4. Click the power icon in the lower right corner
5. Choose Sleep

Left-clicking the Start Menu and clicking the user icon to get Log Out from there doesn't save any steps or clicks.

I'm going to go out on a limb here and say that nobody does this to put their PC to sleep. I don't seem to be able to find a simpler way to achieve a log out and sleep. This hack would catch a lot of people who think their PC is logged out but isn't.

Seems like with today's SSD boot times, it's easier just to shut down rather than try to sleep while logged out.
 
Did Microsoft just fix this vulnerability?

Cumulative update for Windows 10 Version 1607: September 13, 2016

In there, this caught my eye:

3178469 MS16-112: Security update for Windows Lock Screen: September 13, 2016

"This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if Windows improperly allows web content to load from the Windows lock screen. To learn more about the vulnerability, see Microsoft Security Bulletin MS16-112."

(The Affected OS list shows it's for Windows 8.1 and up, not just 10 AU).
 
It's a fix for privilege elevation: "An attacker who successfully exploited the vulnerability could potentially execute code on a user's locked computer".
It isn't going to stop a device from installing (and if you notice, it doesn't mention Win7, so it's just for newer crap they've added to Windows).

BTW, someone made a post on the blog about an easier way to disable this issue (compared to what I use above):
Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions]
"DenyDeviceClasses"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses]
"1"="{4d36e972-e325-11ce-bfc1-08002be10318}"
That'll block any network devices from installing.

And for admins to manually install blocked drivers:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions]
"AllowAdminInstall"=dword:00000001
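An added audit script (not from the thread or the blog) that checks which of the two DeviceInstall restriction policies described in this thread is actually in effect on a machine, and lists the hardware IDs of the installed network adapters so they can be whitelisted under AllowDeviceIDs before DenyUnspecified is switched on. It assumes the standard PnpDevice cmdlets (Get-PnpDevice, Get-PnpDeviceProperty) and should be run from an elevated PowerShell prompt.

```powershell
# Added example: audit the DeviceInstall\Restrictions policy and list NIC hardware IDs.
# Paths and the Net class GUID are the ones quoted in the thread; nothing else is assumed.
$base     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$netClass = '{4d36e972-e325-11ce-bfc1-08002be10318}'   # "Net" device setup class

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns the DWORD value or $null when the key/value is absent (policy not set)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-PolicyList([string]$Path) {
    # AllowDeviceIDs / DenyDeviceClasses store their entries as values named "1","2",...
    if (-not (Test-Path $Path)) { return @() }
    $item = Get-Item $Path
    $item.GetValueNames() | Where-Object { $_ -match '^\d+$' } |
        ForEach-Object { $item.GetValue($_) }
}

$denyUnspecified  = Get-PolicyValue $base 'DenyUnspecified'
$denyClassesOn    = Get-PolicyValue $base 'DenyDeviceClasses'
$allowAdmin       = Get-PolicyValue $base 'AllowAdminInstall'
$allowedIds       = @(Get-PolicyList "$base\AllowDeviceIDs")
$deniedClasses    = @(Get-PolicyList "$base\DenyDeviceClasses")

# Decide which of the two mitigations from the thread is in force.
if ($denyClassesOn -eq 1 -and $deniedClasses -contains $netClass) {
    Write-Host 'OK: Net class is denied; a new USB Ethernet adapter will not install.'
} elseif ($denyUnspecified -eq 1) {
    Write-Host "OK: unspecified devices denied; $($allowedIds.Count) device ID(s) whitelisted."
} else {
    Write-Warning 'No device-install restriction in effect; a new NIC can still install while locked.'
}
if ($allowAdmin -eq 1) { Write-Host 'Note: AllowAdminInstall is set; admins bypass the restriction.' }

# Present network adapters with their most specific hardware ID and whether it is whitelisted.
# This is the list to paste into AllowDeviceIDs before enabling DenyUnspecified.
Get-PnpDevice -Class Net -PresentOnly | ForEach-Object {
    $hwid = (Get-PnpDeviceProperty -InstanceId $_.InstanceId `
             -KeyName 'DEVPKEY_Device_HardwareIds').Data | Select-Object -First 1
    [pscustomobject]@{
        Name       = $_.FriendlyName
        HardwareId = $hwid
        Allowed    = ($allowedIds -contains $hwid)
    }
} | Format-Table -AutoSize
```

As the thread notes, the restriction only affects devices that are not yet installed, so adapters already listed as present keep working whether or not they appear in the whitelist.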
 