For some years, security guidance has told us that it is best to always have a password enabled on the computer, a measure that we know is not 100% secure but that adds an extra layer of protection for our information.
Among these habits, many users lock the screen when they step away from their computer for a while, leaving the session open behind the lock. This might seem like a good habit, but it turns out it is not: it has been discovered that a computer in this state is the perfect victim for credential extraction.
The recommendation is to log off or shut down completely
Rob Fuller, security engineer at R5 Industries, has found that operating systems such as Windows and OS X (now macOS) are susceptible to credential theft while they are locked with an active session, because the computer keeps many processes running in which the user's hash (digital signature) is registered, including the network connection.
To reach that hash, all that is needed is to plug in a USB device for a few seconds: the device captures the hash and stores it, and the hash can then be used to access other "protected" services, network services included.
To demonstrate the vulnerability, Fuller used a USB Armory, a device sold for about $155, programmed to pose as a USB-to-Ethernet LAN adapter that becomes the primary network interface of the computer being attacked.
This is possible because the vast majority of computers are configured to automatically install any USB device that is connected, and when that USB device is a network card, the computer is configured to use it as its main gateway.
With this, the attacker controls the network configuration, which gives access to DNS, proxy settings and more, but most importantly it allows intercepting and manipulating all network traffic of the "locked" computer. From the traffic generated while the session is open, the captured NTLM (NT LAN Manager) hash can be used to obtain the account name and password in about 13 seconds.
Fuller tested this method on a couple of computers running Windows 8 and 10, as well as on OS X, but he still cannot confirm whether the Mac case is due to a default flaw in the operating system or to a configuration that makes it vulnerable. Meanwhile, the recommendation is to log off completely, to lock the computer with the network connection disconnected, or in any case to shut the computer down completely, because, as Fuller states: "It is not possible that I am the first to have discovered this."
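The automatic installation of a USB network adapter is what the technique above depends on, and Windows lets an administrator refuse exactly that. The following PowerShell audit is an added example, not code from the article or from Fuller's research; it assumes Windows 8.1/10 with the NetAdapter module, uses the documented DeviceInstall restriction policy (the same one the "Prevent installation of devices using drivers that match these device setup classes" GPO writes), and the function names are ours.

```powershell
# Added defensive audit (not from the article). Assumes Windows 8.1/10 with the
# NetAdapter/NetTCPIP modules; Block-UsbNetAdapterInstall needs an elevated shell.
$NetClassGuid = '{4d36e972-e325-11ce-bfc1-08002be10318}'   # "Network adapters" device setup class
$PolicyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-UsbNetAdapterExposure {
    # 1. Is installation of new network-class devices blocked by policy?
    $deny   = Get-ItemProperty -Path $PolicyKey -Name DenyDeviceClasses -ErrorAction SilentlyContinue
    $listed = @()
    if (Test-Path "$PolicyKey\DenyDeviceClasses") {
        $listed = (Get-ItemProperty "$PolicyKey\DenyDeviceClasses").PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
    }
    $blocked = ($deny.DenyDeviceClasses -eq 1) -and ($listed -contains $NetClassGuid)

    # 2. Which present adapters hang off USB, and does any of them own the default route?
    $defaultIfs = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty InterfaceIndex
    $usb = Get-NetAdapter -IncludeHidden -ErrorAction SilentlyContinue |
        Where-Object { $_.PnPDeviceID -like 'USB\*' } |
        ForEach-Object {
            [pscustomobject]@{
                Name           = $_.Name
                Description    = $_.InterfaceDescription
                Status         = $_.Status
                IsDefaultRoute = $defaultIfs -contains $_.InterfaceIndex
            }
        }
    [pscustomobject]@{
        NetClassInstallBlocked = $blocked
        UsbAdapters            = @($usb)
        # Exposed if new adapters can still be installed, or a USB adapter already routes everything.
        AtRisk = (-not $blocked) -or (@($usb | Where-Object IsDefaultRoute).Count -gt 0)
    }
}

function Block-UsbNetAdapterInstall {
    # Writes the policy the GPO would write. Adapters already installed keep working
    # (the policy is not retroactive by default); new network-class devices are refused.
    New-Item -Path "$PolicyKey\DenyDeviceClasses" -Force | Out-Null
    Set-ItemProperty -Path $PolicyKey -Name DenyDeviceClasses -Type DWord -Value 1
    Set-ItemProperty -Path "$PolicyKey\DenyDeviceClasses" -Name '1' -Type String -Value $NetClassGuid
}

Get-UsbNetAdapterExposure | Format-List
```

Run the audit first; `AtRisk` being true means a newly plugged-in USB network adapter would still be installed and could take the default route, and `Block-UsbNetAdapterInstall` is the corrective setting (it also blocks legitimate new adapters, so plan Wi-Fi and docking-station changes accordingly).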