A USB device is all it takes to steal credentials from locked PCs

Attackers can use rogue USB-to-Ethernet adapters to steal credentials from locked Windows, and possibly OS X, computers

Most users lock their computer screens when they temporarily step away from them. While this seems like a good security measure, it isn't good enough, a researcher demonstrated this week.

Rob Fuller, principal security engineer at R5 Industries, found out that all it takes to copy an OS account password hash from a locked Windows computer is to plug in a special USB device for a few seconds. The hash can later be cracked or used directly in some network attacks.

For his attack, Fuller used a flash-drive-size computer called USB Armory that costs $155, but the same attack can be pulled off with cheaper devices, like the Hak5 LAN Turtle, which costs $50.

The device needs to masquerade as an USB-to-Ethernet LAN adapter in such a way that it becomes the primary network interface on the target computer. This shouldn't be difficult because: 1) operating systems automatically start installing newly connected USB devices, including Ethernet cards, even when they are in a locked state and 2) they automatically configure wired or fast Ethernet cards as the default gateways.

For example, if an attacker plugs in a rogue USB-to-Gigabit-Ethernet adapter into a locked Windows laptop that normally uses a wireless connection, the adapter will get installed and will become the preferred network interface.

Furthermore, when a new network card gets installed, the OS configures it to automatically detect the network settings through the Dynamic Host Configuration Protocol (DHCP). This means that an attacker can have a rogue computer at the other end of the Ethernet cable that acts as a DHCP server. USB Armory is a computer on a stick that's powered via USB and can run Linux, so no separate machine is required.

Once an attacker controls a target computer's network settings via DHCP, he also controls DNS (Domain Name System) responses, can configure a rogue internet proxy through the WPAD (Web Proxy Autodiscovery) protocol and more. He essentially gains a privileged man-in-the-middle position that can be used to intercept and tamper with the computer's network traffic.

According to Fuller, computers in a locked state still generate network traffic, allowing for the account name and hashed password to be extracted. The time it takes for a rogue USB device to capture credentials from a system using this attack is around 13 seconds, he said.

He tested the attack successfully on Windows and OS X. However, he's still working on confirming if OS X is vulnerable by default or if it was his Mac's particular configuration that was vulnerable.

"First off, this is dead simple and shouldn’t work, but it does," the researcher said in a blog post. "Also, there is no possible way that I’m the first one who has identified this, but here it is."

Depending on the Windows version installed on the computer and its configuration, the password hashes will be in NT LAN Manager (NTLM) version 2 or NTLMv1 format. NTLMv2 hashes are harder to crack, but not impossible, especially if the password is not very complex and the attacker has access to a powerful password cracking rig.

There are also some relay attacks against network services where NTLM hashes can be used directly without having to know the user's plaintext password.

The lesson from all this is, as Fuller noted on Twitter: "Don't leave your workstation logged in, especially overnight, unattended, even if you lock the screen."

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles


GGG Evaluation Team

Kathy Cassidy


First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni


For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell


The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi


The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott


My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?