$50 Device Could Hack Countless Computers

Discussion in 'HardForum Tech News' started by HardOCP News, Sep 8, 2016.

  1. HardOCP News

    HardOCP News [H] News

    Messages:
    0
    Joined:
    Dec 31, 1969
    Just what we need, an "easy button" for hacking into a locked PC. Remember back in the day when it took a bit of skill to do this? Now anyone with fifty bucks and the ability to press a button can do it. :(

    According to Fuller, the hack works by plugging in a flash-sized minicomputer — such as a $50 Hak5 Turtle — into an unattended computer that is logged in, but currently locked. Once plugged in the device becomes the default gateway able to receive traffic and can obtain the computer’s user name and password in about 20 seconds. The procured password can then either be cracked or downgraded, Fuller says, to gain access to the device.
     
  2. Bandalo

    Bandalo 2[H]4U

    Messages:
    2,660
    Joined:
    Dec 15, 2010
    So how is this really different from your normal USB keylogger? Still requires the hacker to have physical access to your PC.
     
  3. lcpiper

    lcpiper [H]ardForum Junkie

    Messages:
    10,541
    Joined:
    Jul 16, 2008
When it works against a smart card and PIN, two-factor authentication, then it's newsworthy. Until then, it's click-bait.
     
    Ur_Mom, MoFoQ and Scizyr like this.
  4. Tweak42

    Tweak42 Gawd

    Messages:
    605
    Joined:
    Dec 1, 2010
    Same old, if someone has physical access to your computer it's all over if they really want to break in.
     
    Ur_Mom likes this.
  5. ChoGGi

    ChoGGi [H]ard|Gawd

    Messages:
    1,462
    Joined:
    May 7, 2005
What, people don't use GPO to whitelist device drivers? Easy as shit to set up with a list of regularly updated drivers.

    Code:
    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions]
    ;Prevent installation of devices not described by other policy settings
    "DenyUnspecified"=dword:00000001
    ;Allow installation of devices that match any of these device IDs
    "AllowDeviceIDs"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\AllowDeviceIDs]
    ;video card
    "1"="PCI\\VEN_10DE&DEV_1B80&SUBSYS_33601462&REV_A1"
    ;sound
    "2"="USB\\VID_0B05&PID_180D&REV_0103&MI_00"
    ;network
    "3"="PCI\\VEN_8086&DEV_15A1&SUBSYS_85C41043&REV_05"
To temporarily disable it (say, to install a bunch of drivers you don't want to bother adding to the list), change DenyUnspecified/AllowDeviceIDs to 00000000 and install away.


    Edit: P.S. this whitelist doesn't matter for already installed drivers, so if you have a USB drive you don't leave plugged in, it'll still work fine without having to whitelist it.

To give yourself a custom error message when you try to use devmgmt to install something, use:
    Code:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DeniedPolicy]
    "SimpleText"="driver install denied or something"
    Though the device will have a yellow mark with "The installation of this device is forbidden by system policy. Contact your system administrator." in the status message.



Edit2: Erm, it's always a good idea to add your keyboard or mouse to that list (might save you having to force a reboot).
     
    Last edited: Sep 8, 2016
  6. lcpiper

    lcpiper [H]ardForum Junkie

    Messages:
    10,541
    Joined:
    Jul 16, 2008

    It's a STIG vulnerability check isn't it?
     
  7. MoFoQ

    MoFoQ Gawd

    Messages:
    840
    Joined:
    Sep 18, 2002
    exactly, it can be prevented w/ some minimal precautions

    also, it IS from ARS(E) so yea, clickbaity indeed
     
  8. Dwango

    Dwango Gawd

    Messages:
    682
    Joined:
    Feb 23, 2011
This is very different from a keylogger. You can walk into an office with a locked (but logged in) PC and plug a device into it for 20 secs, unplug it and walk away with the password hash, which is easy to crack. The person who is logged into the machine doesn't have to do anything or even be there for you to do this.

    Granted that is a very particular set of circumstances and you do still have to have physical access to the PC to do it.
     
  9. ChoGGi

    ChoGGi [H]ard|Gawd

    Messages:
    1,462
    Joined:
    May 7, 2005
    What I posted? I suppose so? First time I've heard that term, but it seems to be correct.
     
  10. amddragonpc

    amddragonpc [H]ard|Gawd

    Messages:
    1,996
    Joined:
    Sep 20, 2012
    Hacking countless computers, one computer at a time. Sounds like a long day.
     
    windianrecords and SvenBent like this.
  11. Bandalo

    Bandalo 2[H]4U

    Messages:
    2,660
    Joined:
    Dec 15, 2010
Granted... I'd be curious to see some independent testing of this method and see how well it actually works in the wild. I didn't know the username and password hash were sent out to the DHCP server or the network in most PCs, unless you're in an office environment with an AD-type server.
     
  12. cyclone3d

    cyclone3d [H]ardForum Junkie

    Messages:
    13,063
    Joined:
    Aug 16, 2004
    This particular attack is named Mubix Snagging according to Hak5

    Also, you don't actually get the creds, you ONLY get the password hash, so you then have to take that and crack it.

And you don't even need a $50 device to do this. Somebody posted that they have it working on a Raspberry Pi Zero.

    In theory, if you put it on an unsecured network and switched the network cable over to the LAN Turtle, you could send the hash offsite to a remote computer that has the capability to hack the password hash, and then have the password texted to you or whatever.

    The article leaves a huge amount of pertinent information out. Almost like they didn't do any research at all before posting... so click-bait.
     
  13. cyclone3d

    cyclone3d [H]ardForum Junkie

    Messages:
    13,063
    Joined:
    Aug 16, 2004
    Sounds to me like it doesn't actually have to do anything with the user typing in the creds... it just grabs the hash from the registry when it installs the device while the screen is locked. NICs are, by default, whitelisted by Windows to be able to be installed while the screen is locked.
     
  14. cyclone3d

    cyclone3d [H]ardForum Junkie

    Messages:
    13,063
    Joined:
    Aug 16, 2004
    All you really need is an Admin user/password and you have the keys to the kingdom.
     
  15. Bandalo

    Bandalo 2[H]4U

    Messages:
    2,660
    Joined:
    Dec 15, 2010
    If that's true, it sounds like something fairly easy for MS to patch.
     
  16. lcpiper

    lcpiper [H]ardForum Junkie

    Messages:
    10,541
    Joined:
    Jul 16, 2008
A STIG is a Security Technical Implementation Guide.

    It's a list of guides for everything from OS to Services like vCenter Server, DNS, AD, switches, architecture STIGs for SAN networks, etc.

    You take the guide and there is a tool you use to load the STIG and create a checklist, follow the checklist and you will reach a point where you have many of the things you should do locked down and even things that you need open should have some control or oversight. Then you can have your IA guys run SCAP scans and use the vulnerabilities identified in the scans to help tighten up much of the rest of it. There is a lot more that goes into it but it's a very formal approach and it can be a good way to implement IA for an organization, but it is a painful process.

On the other hand, there are some really good blogs with good hardening guides, and if you didn't have to go through all this STIG junk I would use those other resources as a starting point and get the simple shit locked down fast. Then, if you need to, hit the STIGs and chase down, and get a real understanding of, all these other things that can affect your security posture.

I take from everyone else and create my own tailored to my architecture; why chase down and waste time locking up services you don't use? I don't have a Fibre SAN fabric, why try and lock down something I don't have?

And last, I love the scans. I make friends with the IA guys running ACAS. I want their scans and I want to dig in and find out what's not right so I can close it down if possible. If I can't lock it down, I try to engineer a way to eliminate the vulnerability. If I can't lock down a vulnerability in the NFS protocol, can I isolate the VLAN and use ACLs etc. to limit access to where the protocol is running? It doesn't fix the protocol, but if no one can get to it ...

Anyway, if you're into this part of the business then you get it.
     
    Deadly Ramon likes this.
  17. sharp

    sharp [H]ard|Gawd

    Messages:
    1,267
    Joined:
    Feb 9, 2003
    Between ChoGGI and Lcpiper I'm feeling the need to unplug everything and rock in the corner (while looking around suspiciously).
     
    Deadly Ramon likes this.
  18. ChoGGi

    ChoGGi [H]ard|Gawd

    Messages:
    1,462
    Joined:
    May 7, 2005
Hmm, you seem to have explained it better than wiki (surprise surprise). It does sound somewhat familiar, but I'm not in the business; just somewhat paranoid.
    Heh, what I posted is supposed to make you less suspicious :)
     
    Deadly Ramon likes this.
  19. drakken

    drakken [H]ard|Gawd

    Messages:
    1,196
    Joined:
    Aug 19, 2004
So this basically pretends to be a wireless network connection passing data? So when they have that hash, what are the assumptions? Password is so many characters long? Password is in English? Then even my old trick of adding a space to the password would defeat this device... just use more than one language set and the extra characters add to the length of time it takes to brute force... every umlaut and diacritic is one more column on the x-y columns and rows. Even if you don't use them, if the person does not know this then the password is that much harder to guess, if they can query the character sets. Half the time I use handwritten characters in my password to be funny, because with a stylus or mouse there are no common keys worn away. More languages than kanji and kana let you do this. Grin. In theory you could write your own character set and run it as an extension with a special character, but every PC you wanted to use it on would need to be configured with a slipstreamed rebuild of certain data that may not be available yet. I know when I set up small business servers for Japanese and other foreign companies in the USA I got paid an extra twenty thousand so they got the interface they expected on the US version, so everything they bought in the US would work as long as it supported UTF-8 or Unicode. I usually warned them that Unicode would display their fonts and letters better, but for some software they would have to track down a version from home to look right. Mine, I have like fifteen plus languages loaded and a special keyboard, so most of the pan-Asian companies and the Scandinavian and eastern Euro ones mean the theoretical time to brute force it without walking up and looking over my shoulder is about forty years, and if you are standing behind me looking over my shoulder you better be pretty, female and have a good reason for standing there... snicker... though making the gestures with your mouse might be a wee bit interesting even seeing it...
     
  20. bbs lm-r

    bbs lm-r Limp Gawd

    Messages:
    289
    Joined:
    Sep 2, 2010
  21. ChoGGi

    ChoGGi [H]ard|Gawd

    Messages:
    1,462
    Joined:
    May 7, 2005
    From the blog post:
    The password hash for windows is NTLMv2, so ophcrack or hashcat?
     
  22. evilsofa

    evilsofa [H]ardForum Junkie

    Messages:
    10,078
    Joined:
    Jan 1, 2007
    "an unattended computer that is logged in, but currently locked."

    At first I was not understanding this because I had assumed that if it requires a password to get back in, it's not logged in. When I put my computer to sleep, it requires a password to wake back up. Apparently that's locked but not logged out, which is not enough now.

    So what we need is to have a setting such that a sleep event doesn't just lock but also logs the user out. All I get when I go searching for such a setting is people looking for ways to stop Windows from automatically going to sleep.

I'm not sure if it was that way before, but as of the Windows 10 Anniversary Update, if you right-click the start menu, you can choose to Sign Out, Sleep, Shut down or Restart (and if you choose Sleep there, it doesn't annoyingly wake up with the Start menu open like it does if you use the left-click sleep button, by the way).

    Choosing Sign-Out from the right-click Start Menu gets me to the Login screen, and from there the Power icon in the lower right allows you to Sleep. I want the signed-out Sleep available from the right-click Start Menu. Any ideas how to do that?
     
  23. ChoGGi

    ChoGGi [H]ard|Gawd

    Messages:
    1,462
    Joined:
    May 7, 2005
    Pretty sure sleep counts? Just make sure wake on LAN or whatever it's called is turned off
     
  24. evilsofa

    evilsofa [H]ardForum Junkie

    Messages:
    10,078
    Joined:
    Jan 1, 2007
    There is a lock screen and there is a log-in screen.

    To see the lock screen, Ctrl-Alt-Del and choose Lock. Pressing any key while on the Lock screen brings me to the log-in screen.

    So now I'm back to not understanding how you get a PC into a locked but logged-in state. How do you determine whether or not a PC is logged in while it is locked?
     
  25. TheHobbyist

    TheHobbyist Hugs Hard Johnnies [H]ard

    Messages:
    456
    Joined:
    Apr 8, 2008
    I have a windows password hash and even with rainbow tables I was unable to crack it. Perhaps someone here has the knowledge I'm lacking? PM please.
     
  26. elavanis

    elavanis n00b

    Messages:
    43
    Joined:
    Feb 1, 2008

    You are at the "locked and logged-in" state at that point. You would need to choose "sign out" instead of lock on the pc.
     
  27. elavanis

    elavanis n00b

    Messages:
    43
    Joined:
    Feb 1, 2008

There are different attack variations depending on what you want to get. I'm watching one of their videos that gives you the plain text password. I haven't finished it as it's time to go to work, but I assume it only gives you the password of the user(s) that are logged in.
     
  28. michalrz

    michalrz 2[H]4U

    Messages:
    2,730
    Joined:
    Jun 4, 2012
    I understand it like this: The PC doesn't log in anywhere.
    Windows services, like updates, time sync, do on the other hand log onto the PC using built-in system accounts.
    When a user logs in, you see his credentials flying around in the form of attempts to mount network drives or use network printers.
    Flying around the network that is, and this device apparently operates as a promiscuous (hee hee) network interface.
    So, as was said, tuning via GPO should prevent this.

However, if you've already managed to install a random device driver on a system, you should be able to do a whole lot more than just snag the local creds.
    It's somewhat scary but sounds preventable.
     
  29. Darcschnider

    Darcschnider n00b

    Messages:
    48
    Joined:
    Apr 21, 2009
Meh, that is the least of the issues.... There are better methods for taking over a PC without the need to plug something in. Cost for that is just over $100.00. It's the gathering of knowledge of how communication layers work and how to manipulate them that is the hard part. That takes a lot of reading and understanding. There is always a method to get in :)
     
  30. GaryJohnson

    GaryJohnson [H]ard|Gawd

    Messages:
    1,053
    Joined:
    Feb 1, 2010
I know NTLM is weak and all, but it hasn't been totally broken, has it? And provided you have a proper password that's not in a table somewhere and has enough entropy, it's still gonna take thousands of years to brute force it, right?
     
  31. ChoGGi

    ChoGGi [H]ard|Gawd

    Messages:
    1,462
    Joined:
    May 7, 2005
If I recall correctly, as long as you can get the hash, you can brute-force it reasonably enough (NTLM doesn't use slow hashing).
     
  32. evilsofa

    evilsofa [H]ardForum Junkie

    Messages:
    10,078
    Joined:
    Jan 1, 2007
    When I choose "sleep", is that signed out or just locked but logged in?
     
  33. Exavior

    Exavior [H]ardForum Junkie

    Messages:
    9,657
    Joined:
    Dec 13, 2005
    just locked.

    I am surprised how many people here don't understand locked vs logged out. If your programs are still running and you return to where you left off you are locked. If the action results in all programs being closed and nothing is running you have logged out.
     
  34. likeman

    likeman Gawd

    Messages:
    605
    Joined:
    Aug 17, 2011
Not even sure why it's a question (sleep or hibernate or locked is not logged off).

Log out or just shut the computer down (might find it easier with Classic Shell).

But I strongly recommend turning off fast startup (under Power, "choose what the power button/lid does"), as you get random software problems (mainly antivirus stops working) when the system has been hybrid-hibernate shut down for more than 5-20 days when you shut down (been causing lots of issues with my customers, and to make it worse each upgrade turns fast startup back on, so you have to turn it off again).
     
  35. Exavior

    Exavior [H]ardForum Junkie

    Messages:
    9,657
    Joined:
    Dec 13, 2005
I just started to have that issue with our corporate AV software. It kept complaining that no AV software was running, so I found an article that said to turn off fast boot. Problem went away. What is odd is that out of 125 desktops and laptops, mine is the only one with a problem at the office.
     
  36. evilsofa

    evilsofa [H]ardForum Junkie

    Messages:
    10,078
    Joined:
    Jan 1, 2007
    Okay, thanks. That's what I needed to know, to just have an application open and see if it gets closed.

    To log out and put my PC to sleep, I must:
    1. Right-click Start Menu
    2. Choose Sign Out
    3. Click or press any key to dispel the Lock Screen
    4. Click the power icon in the lower right corner
    5. Choose Sleep

    Left-clicking the Start Menu and clicking the user icon to get Log Out from there doesn't save any steps or clicks.

    I'm going to go out on a limb here and say that nobody does this to put their PC to sleep. I don't seem to be able to find a simpler way to achieve a log out and sleep. This hack would catch a lot of people who think their PC is logged out but isn't.

    Seems like with today's SSD boot times, it's easier just to shut down rather than try to sleep while logged out.
     
  37. evilsofa

    evilsofa [H]ardForum Junkie

    Messages:
    10,078
    Joined:
    Jan 1, 2007
    Did Microsoft just fix this vulnerability?

    Cumulative update for Windows 10 Version 1607: September 13, 2016

    In there, this caught my eye:

    3178469 MS16-112: Security update for Windows Lock Screen: September 13, 2016

    "This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if Windows improperly allows web content to load from the Windows lock screen. To learn more about the vulnerability, see Microsoft Security Bulletin MS16-112."

    (The Affected OS list shows it's for Windows 8.1 and up, not just 10 AU).
     
  38. ChoGGi

    ChoGGi [H]ard|Gawd

    Messages:
    1,462
    Joined:
    May 7, 2005
It's a fix for privilege elevation: "An attacker who successfully exploited the vulnerability could potentially execute code on a user's locked computer".
It isn't going to stop a device from installing (and if you notice, it doesn't mention Win7, so it's just for the newer crap they've added to Windows).

BTW, someone made a post on the blog about an easier way to disable this issue (compared to what I use above):
    Code:
    REGEDIT4
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions]
    "DenyDeviceClasses"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses]
    "1"="{4d36e972-e325-11ce-bfc1-08002be10318}"
That'll block any network devices from installing.

And for admins to manually install blocked drivers:
Code:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions]
"AllowAdminInstall"=dword:00000001
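As an added example (not ChoGGi's code or anything from the thread), here is a PowerShell script that audits whether either of the two registry policies posted above (the DenyUnspecified whitelist or the DenyDeviceClasses block on the Net class) is in effect, and applies the class-based one together with AllowAdminInstall and the DeniedPolicy message. It assumes an elevated PowerShell session on Windows 8.1 or later; the function names and the warning text are my own.

```powershell
# Added example: audit/apply the DeviceInstall restriction from the thread.
# Assumes an elevated PowerShell session; registry paths are the ones posted above.
$Restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
# Setup-class GUID for network adapters ("Net"), as used in the DenyDeviceClasses post.
$NetClassGuid = '{4d36e972-e325-11ce-bfc1-08002be10318}'

function Get-DeviceInstallPolicy {
    # Reads the policy key and reports which restriction (if any) is active.
    $p = Get-ItemProperty -Path $Restrictions -ErrorAction SilentlyContinue
    $deniedClasses = @()
    if (Test-Path "$Restrictions\DenyDeviceClasses") {
        # Values are named "1", "2", ... as in a .reg export; collect the GUIDs.
        $deniedClasses = (Get-ItemProperty "$Restrictions\DenyDeviceClasses").PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object { $_.Value.ToLower() }
    }
    [pscustomobject]@{
        DenyUnspecified   = [bool]($p.DenyUnspecified -eq 1)
        DenyNetClass      = [bool]($p.DenyDeviceClasses -eq 1 -and $deniedClasses -contains $NetClassGuid)
        AllowAdminInstall = [bool]($p.AllowAdminInstall -eq 1)
    }
}

function Set-NetClassDenyPolicy {
    # Applies the simpler approach from the thread: block installation of any
    # device in the Net class, keep manual installs available to local admins,
    # and set the custom text shown when an install is refused.
    New-Item -Path "$Restrictions\DenyDeviceClasses" -Force | Out-Null
    New-Item -Path "$Restrictions\DeniedPolicy" -Force | Out-Null
    New-ItemProperty -Path $Restrictions -Name 'DenyDeviceClasses' -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path "$Restrictions\DenyDeviceClasses" -Name '1' -PropertyType String -Value $NetClassGuid -Force | Out-Null
    New-ItemProperty -Path $Restrictions -Name 'AllowAdminInstall' -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path "$Restrictions\DeniedPolicy" -Name 'SimpleText' -PropertyType String -Value 'Driver install denied by policy' -Force | Out-Null
}

$policy = Get-DeviceInstallPolicy
if (-not ($policy.DenyUnspecified -or $policy.DenyNetClass)) {
    Write-Warning 'No DeviceInstall restriction is active; a new network adapter can still be installed while the screen is locked.'
    Set-NetClassDenyPolicy
    $policy = Get-DeviceInstallPolicy
}
$policy

# As the thread notes, the policy does not touch drivers that are already installed.
# List the Net-class devices already present so you know what the block will not cover.
Get-PnpDevice -Class Net -ErrorAction SilentlyContinue | Select-Object Status, FriendlyName, InstanceId
```

A domain-wide deployment would set the same values through the "Device Installation Restrictions" Group Policy rather than editing HKLM directly on each machine.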