For some years, security guidance has recommended always keeping a password enabled on our computers, a measure that we know is not 100% safe but that adds a layer of protection for our information.
As part of these habits, many users lock their computers when they step away temporarily, leaving the session open behind the lock screen. This might seem like a good habit; however, today we will see that it is not, since it has been discovered that a computer in this state is the perfect victim for extracting access credentials.
Rob Fuller, a security engineer for R5 Industries, has discovered that operating systems such as Windows and OS X are prone to credential theft when locked with an active session, because the computer keeps running many of the processes, including the network connection, in which the user's hash or digital signature has been registered.
To obtain this digital signature, an attacker only needs to connect a USB device for a few seconds; the device captures the hash and stores it, and it can later be used to access other “protected” services, network services included.
To demonstrate the vulnerability, Fuller used a device known as USB Armory, which is available on the market for approximately $155. It must be programmed to simulate a USB-to-Ethernet LAN adapter, which then becomes the main network interface of the targeted computer.
This is possible because the vast majority of computers are set up to automatically install USB devices that are connected, and when the USB device is a network card, the computer configures it as its main gateway.
#SecurityTip Don't leave your workstation logged in, especially overnight, unattended, even if you lock the screen.. 😉
— Rob Fuller (@mubix) September 7, 2016
With this, the attacker gains control of the network configuration, which gives access to DNS and proxy settings, among other things. More importantly, it allows the attacker to intercept and manipulate all the network traffic that occurs on the “locked” computer.
The traffic generated while the session is open allows the attacker to use the extracted NTLM (NT LAN Manager) hash to access the account name and password in approximately 13 seconds.
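A defender's view of the sequence described above, as an added example that is not from the original article or from Fuller's work: it flags a USB network adapter that appears while the session is locked and then becomes the default route. The event names and fields are a hypothetical normalized schema, and the sample timeline is constructed.

```python
from datetime import datetime

# Constructed sample timeline in a hypothetical normalized schema
# (time, kind, detail); these are not real Windows or OS X log records.
SAMPLE_EVENTS = [
    ("2024-01-01T22:01:10", "session_lock", {}),
    ("2024-01-01T23:14:02", "netif_added", {"name": "eth9", "bus": "usb"}),
    ("2024-01-01T23:14:05", "default_route", {"ifname": "eth9"}),
    ("2024-01-01T23:14:20", "netif_removed", {"name": "eth9"}),
    ("2024-01-02T08:30:00", "session_unlock", {}),
    ("2024-01-02T09:00:00", "netif_added", {"name": "eth10", "bus": "usb"}),
    ("2024-01-02T09:00:03", "default_route", {"ifname": "eth10"}),
]


def find_locked_usb_nics(events, window_s=60):
    """Return alerts for USB network adapters attached while the session was locked.

    Severity is "high" when the new adapter also became the default route
    within window_s seconds, which is the condition the article describes.
    """
    locked = False
    pending = {}  # interface name -> alert for adapters added while locked
    alerts = []
    # ISO 8601 timestamps sort correctly as strings.
    for ts, kind, detail in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if kind == "session_lock":
            locked = True
        elif kind == "session_unlock":
            locked = False
        elif kind == "netif_added" and detail.get("bus") == "usb" and locked:
            alert = {"ifname": detail["name"], "added": when, "severity": "medium"}
            pending[detail["name"]] = alert
            alerts.append(alert)
        elif kind == "default_route" and detail.get("ifname") in pending:
            alert = pending[detail["ifname"]]
            if (when - alert["added"]).total_seconds() <= window_s:
                alert["severity"] = "high"
        elif kind == "netif_removed":
            # Forget the adapter so a later reuse of the name is judged afresh.
            pending.pop(detail.get("name"), None)
    return alerts


if __name__ == "__main__":
    for a in find_locked_usb_nics(SAMPLE_EVENTS):
        print(a["added"].isoformat(), a["ifname"], a["severity"])
```

The adapter attached after the unlock (`eth10` in the sample) is not reported, because a user plugging in a dock or adapter during an unlocked session is ordinary behaviour.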