Hacking Windows logon in 20 seconds

http://www.notebookcheck.net/Windows-Login-Hacked-with-a-USB-stick-in-a-couple-of-seconds.173940.0.html

Quote

In less than 20 seconds, the locked Windows PC redirected network traffic through the USB device, which then requested authentication and was presented with the login credentials of the currently logged in user.

Quote

Even if Windows did not give out the password in clear text but as a hash, this just caused a small delay. According to Rob, this worked with every Windows version up to Windows 10. He said that he was also successful on OS X using the same technique, but so far there is no proof of that yet. At the moment he is working to see if Linux is susceptible to this kind of attack as well.

In short, with a small USB stick which can be turned into USB gadget Ethernet mode you can steal anyone's login credentials in seconds. This works by presenting your device as an Ethernet access device, which is installed even when the computer is locked. The computer then transfers the login credentials and this is recorded by the USB device. The login may be hashed, but it is stored in NTLMv2(?) which will only take a day to a few hours to break on a modern GPU.

 

What the real question is: who thought it would be a good idea to install any device plugged in while at the lock screen? And then also send the hash of the password to that device?

If I remember correctly you can use the Raspberry Pi Zero in USB gadget mode, so you can build your own version of this for less than $10.

What do you think of this flaw in both Windows, Mac and possibly Linux?


I wouldn't call this new, I successfully demonstrated this to my then employers at the time, about 2 years ago now. You can indeed capture cached credentials which are stored in NTLMv2 and are ridiculously easy to get. As for breaking the hash, that is totally dependent on how hard the original password is. Combinations of around 8 and above of mixed numbers, letters and symbols with lower and uppercase will take you a lot longer than a few hours.

 

Having said that when I've done this before I've broken a password in 28 seconds I think it was, the password was 5 characters in length with no numbers or symbols.

 

But yeah, I wouldn't call this new at all.

System/Server Administrator - Networking - Storage - Virtualization - Scripting - Applications


Installing devices on the lockscreen, yummy!

 

I get it for security enhancing devices like a hardware key... But a network device? That automatically takes prevalence over the existing network device?


"Up to windows ten" to all those saying 7 is so much more secure.

 

Edit: Before the flame wars start I know there are a lot of other factors, this is just a joke.



30 minutes ago, Eniqmatic said:

Having said that when I've done this before I've broken a password in 28 seconds I think it was, the password was 5 characters in length with no numbers or symbols.

Why would anyone ever use a password that is less than 16 randomly generated mixed-case letters, numbers and symbols, and 2FA?

 

1 minute ago, MrDynamicMan said:

"Up to windows ten" to all those saying 7 is so much more secure.

Do they mean including or excluding 10?


Just now, DrMikeNZ said:

Why would anyone ever use a password that is less than 16 randomly generated mixed-case letters, numbers and symbols, and 2FA?

There are plenty of reasons.

-KuJoe


3 minutes ago, DrMikeNZ said:

Why would anyone ever use a password that is less than 16 randomly generated mixed-case letters, numbers and symbols, and 2FA?

 

Do they mean including or excluding 10?

Excluding, unless they cant english.


2 minutes ago, DrMikeNZ said:

Why would anyone ever use a password that is less than 16 randomly generated mixed-case letters, numbers and symbols, and 2FA?

 

Do they mean including or excluding 10?

Because in my experience, non-technical people struggle to remember anything remotely close to that. Some even struggle to remember a single word less than 8 characters long!

System/Server Administrator - Networking - Storage - Virtualization - Scripting - Applications


1 minute ago, MrDynamicMan said:

Excluding, unless they cant english.

Judging by the video where they demonstrate it on Windows 10, I would say they haven't worded it correctly.

System/Server Administrator - Networking - Storage - Virtualization - Scripting - Applications


1 minute ago, Eniqmatic said:

Because in my experience, non-technical people struggle to remember anything remotely close to that. Some even struggle to remember a single word less than 8 characters long!

And in reality you shouldn't need a complex password to log in to your local machine. Luckily MS has made it really easy to use extremely complex passwords and log in to your PC with just a few numbers without having to know your password (but if you ever need to log in to Safe Mode then be ready for that adventure; Safe Mode is the reason I refuse to have an MS account on my PC).

-KuJoe


13 minutes ago, Eniqmatic said:

Judging by the video where they demonstrate it on Windows 10, I would say they haven't worded it correctly.

In that case they must to english lern.


15 minutes ago, Eniqmatic said:

Because in my experience, non-technical people struggle to remember anything remotely close to that. Some even struggle to remember a single word less than 8 characters long!

What was that one XKCD thing about passwords... Like horse flashlight toffee fly


7 minutes ago, KuJoe said:

There are plenty of reasons.

 

5 minutes ago, Eniqmatic said:

Because in my experience, non-technical people struggle to remember anything remotely close to that. Some even struggle to remember a single word less than 8 characters long!

 

3 minutes ago, KuJoe said:

And in reality you shouldn't need a complex password to log in to your local machine. Luckily MS has made it really easy to use extremely complex passwords and log in to your PC with just a few numbers without having to know your password (but if you ever need to log in to Safe Mode then be ready for that adventure; Safe Mode is the reason I refuse to have an MS account on my PC).

Unfortunately that is the way many businesses are headed with excessive faux security. Now if only they could get those people to stop writing down their impossible to remember passwords on post-it notes...

 

6 minutes ago, MrDynamicMan said:

Excluding, unless they cant english.

English was broken a very long time ago.

 


18 minutes ago, DrMikeNZ said:

Unfortunately that is the way many businesses are headed with excessive faux security. Now if only they could get those people to stop writing down their impossible to remember passwords on post-it notes...

Agreed. The main problem is people want convenient security, and security cannot be both secure and convenient. I wish more companies would implement 2FA and password alternatives, but the majority of users aren't ready to part with the insecure usernames and passwords they are comfortable with.

-KuJoe


Good luck with my 24 character password. 

\\ QUIET AUDIO WORKSTATION //

5960X 3.7GHz @ 0.983V / ASUS X99-A USB3.1      

32 GB G.Skill Ripjaws 4 & 2667MHz @ 1.2V

AMD R9 Fury X

256GB SM961 + 1TB Samsung 850 Evo  

Cooler Master Silencio 652S (soon Calyos NSG S0 ^^)              

Noctua NH-D15 / 3x NF-S12A                 

Seasonic PRIME Titanium 750W        

Logitech G810 Orion Spectrum / Logitech G900

2x Samsung S24E650BW 16:10  / Adam A7X / Fractal Axe Fx 2 Mark I

Windows 7 Ultimate

 

4K GAMING/EMULATION RIG

Xeon X5670 4.2Ghz (200BCLK) @ ~1.38V / Asus P6X58D Premium

12GB Corsair Vengeance 1600Mhz

Gainward GTX 1080 Golden Sample

Intel 535 Series 240 GB + San Disk SSD Plus 512GB

Corsair Crystal 570X

Noctua NH-S12 

Be Quiet Dark Rock 11 650W

Logitech K830

Xbox One Wireless Controller

Logitech Z623 Speakers/Subwoofer

Windows 10 Pro


21 minutes ago, Vode said:

Good luck with my 24 character password. 

If you have such a device, you don't need luck. All you need is TIME.

 

There is no "luck" involved when using password cracking software, just time vs complexity.


And this is one of the reasons I invested in a TPM. Sure it adds an extra step to powering on my machine, but I'll take that over my data (as in files) being stolen.

GL&HF

Remember kids, the only difference between screwing around and science is writing it down. - Adam Savage

 

PHOΞNIX Ryzen 5 1600 @ 3.75GHz | Corsair LPX 16Gb DDR4 @ 2933 | MSI B350 Tomahawk | Sapphire RX 480 Nitro+ 8Gb | Intel 535 120Gb | Western Digital WD5000AAKS x2 | Cooler Master HAF XB Evo | Corsair H80 + Corsair SP120 | Cooler Master 120mm AF | Corsair SP120 | Icy Box IB-172SK-B | OCZ CX500W | Acer GF246 24" + AOC <some model> 21.5" | Steelseries Apex 350 | Steelseries Diablo 3 | Steelseries Syberia RAW Prism | Corsair HS-1 | Akai AM-A1

D.VA coming soon™ xoxo

Sapphire Acer Aspire 1410 Celeron 743 | 3Gb DDR2-667 | 120Gb HDD | Windows 10 Home x32

Vault Tec Celeron 420 | 2Gb DDR2-667 | Storage pending | Open Media Vault

gh0st Asus K50IJ T3100 | 2Gb DDR2-667 | 40Gb HDD | Ubuntu 17.04

Diskord Apple MacBook A1181 Mid-2007 Core2Duo T7400 @2.16GHz | 4Gb DDR2-667 | 120Gb HDD | Windows 10 Pro x32

Firebird//Phoeniix FX-4320 | Gigabyte 990X-Gaming SLI | Asus GTS 450 | 16Gb DDR3-1600 | 2x Intel 535 250Gb | 4x 10Tb Western Digital Red | 600W Segotep custom refurb unit | Windows 10 Pro x64 // offisite backup and dad's PC

 

Saint Olms Apple iPhone 6 16Gb Gold

Archon Microsoft Lumia 640 LTE

Gulliver Nokia Lumia 1320

Werkfern Nokia Lumia 520

Hydromancer Acer Liquid Z220


1 hour ago, MrDynamicMan said:

What was that one XKCD thing about passwords... Like horse flashlight toffee fly

password_strength.png

 

Sorry to self promote but since it's relative to the topic and doesn't benefit me at all (no ads, referral links, or anything that can earn me money) I put this site together a while back that lets you test your password's complexity (I update the number of guesses per second every few months and it should still be accurate since I updated it recently): http://rand.pw/

-KuJoe


46 minutes ago, Prysin said:

If you have such a device, you don't need luck. All you need is TIME.

 

There is no "luck" involved when using password cracking software, just time vs complexity.

I think I would notice if somebody was in front of my computer that wasn't supposed to be. :D

 

And the "luck" involved in password cracking is that you crack the password early and don't get it on the last attempt.

-KuJoe


1 hour ago, Prysin said:

If you have such a device, you don't need luck. All you need is TIME.

 

There is no "luck" involved when using password cracking software, just time vs complexity.

How much time do you need for a 24 character password with brute force on NTLMv2?

 

It was a figure of speech. Good luck as in it's not gonna be feasible.

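The "time vs complexity" argument in the last few posts, put into numbers. This is an added example, not code from anyone in the thread or from rand.pw: a brute-force keyspace and cracking-time estimator in Python. The figure of 10^9 guesses per second, the printable-ASCII character-class sizes and the xkcd-style 2048-word passphrase model are assumptions chosen for illustration, and the sample passwords are constructed. It separates the worst case (exhausting the whole keyspace) from the expected case (half of it), which is the "crack it early or on the last attempt" point raised above, and it shows why a 24-character password from all four classes is out of brute-force reach while a 5-character lowercase one is not.

```python
import math

# Assumption: printable-ASCII character classes. 95 printable characters in
# total, so 95 - 26 - 26 - 10 = 33 symbols (space included).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

# Constructed assumption for illustration, not a measured benchmark: one
# cracking rig testing 10^9 candidate passwords per second against a
# captured challenge-response.
DEFAULT_GUESSES_PER_SECOND = 1_000_000_000


def alphabet_size(password: str) -> int:
    """Size of the alphabet a pure brute-force attacker (no dictionary,
    no pattern knowledge) must enumerate to cover every character class
    the password actually uses."""
    classes = set()
    for c in password:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return sum(CLASS_SIZES[k] for k in classes)


def brute_force_keyspace(password: str) -> int:
    """Number of candidates of this length over this alphabet."""
    return alphabet_size(password) ** len(password)


def passphrase_keyspace(word_count: int, dictionary_size: int) -> int:
    """Keyspace of a passphrase of randomly chosen words when the attacker
    knows the word list (the xkcd-style model mentioned in the thread)."""
    return dictionary_size ** word_count


def crack_time(keyspace: int, guesses_per_second: int = DEFAULT_GUESSES_PER_SECOND) -> dict:
    """Worst case exhausts the keyspace; expected case is half of it, because a
    uniformly random secret is equally likely to sit anywhere in the attacker's
    enumeration order. That halving is the only 'luck' in brute force."""
    worst = keyspace / guesses_per_second
    return {
        "bits": math.log2(keyspace),
        "worst_seconds": worst,
        "expected_seconds": worst / 2,
    }


def human(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    units = [("years", 365 * 24 * 3600), ("days", 86400),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return "under a second"


def report(label: str, keyspace: int, gps: int = DEFAULT_GUESSES_PER_SECOND) -> str:
    t = crack_time(keyspace, gps)
    return (f"{label}: {t['bits']:.1f} bits, worst {human(t['worst_seconds'])}, "
            f"expected {human(t['expected_seconds'])}")


if __name__ == "__main__":
    # Constructed sample passwords echoing the cases argued in the thread.
    print(report("5 lowercase letters", brute_force_keyspace("hello")))
    print(report("8 chars, all four classes", brute_force_keyspace("Tr0ub4d!")))
    print(report("24 chars, all four classes", brute_force_keyspace("x" * 20 + "A1!d")))
    print(report("4 words from a 2048-word list", passphrase_keyspace(4, 2048)))
```

The numbers only describe random passwords: a dictionary word with a digit appended has a far smaller effective keyspace than `alphabet_size` suggests, which is why the 5-character crack above took seconds and why the guess-rate assumption matters less than the structure of the password itself.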


3 hours ago, ScratchCat said:

http://www.notebookcheck.net/Windows-Login-Hacked-with-a-USB-stick-in-a-couple-of-seconds.173940.0.html

In short, with a small USB stick which can be turned into USB gadget Ethernet mode you can steal anyone's login credentials in seconds. This works by presenting your device as an Ethernet access device, which is installed even when the computer is locked. The computer then transfers the login credentials and this is recorded by the USB device. The login may be hashed, but it is stored in NTLMv2(?) which will only take a day to a few hours to break on a modern GPU.

 

What the real question is: who thought it would be a good idea to install any device plugged in while at the lock screen? And then also send the hash of the password to that device?

If I remember correctly you can use the Raspberry Pi Zero in USB gadget mode, so you can build your own version of this for less than $10.

What do you think of this flaw in both Windows, Mac and possibly Linux?

Literally anybody who's ever used a keyboard or mouse. Why they'd send the hash is beyond me though.

 

Still a pretty major bug, especially since it affects Windows & Macs. 

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)
