74 Comments
- geekworking, on 10/12/2007, -5/+58
  Hacking a box with physical access and already logged in as administrator.
  What's next, how to steal an unlocked car that has the keys in the ignition?
- melodic666, on 10/12/2007, -7/+35
  Trust Your Technoslut?
- dustyshadow, on 10/12/2007, -0/+26
  "First is that physical access is needed to the Windows computer for which we will be testing. Second is that the computer is logged in with administrative access. And third is that no anti-virus that would detect the payload is running. In our tests Symantec Corporate Anti-Virus was able to detect the pwdump tool in the payload and prevent it from running. Many other anti-virus solutions may do the same."
  That's a lot of "ifs".
  Most, if not all, corporate computers should have at least one of those ifs, so this isn't THAT big of an exploit.
- Insidiea, on 10/12/2007, -5/+28
  Trust Your Technolust!
- eclectro, on 10/12/2007, -4/+25
  No, time to hack your Windows install CD. By "hack" I mean take a hacksaw to it and cut it in half.
- ZaNkY, on 10/12/2007, -7/+22
  What's with all the gray???
  Learn to post responsibly, guys; just because "steal passwords" and "Hack" are in the title (and description) doesn't mean we become 1337 13-year-olds.....
- fagatini, on 10/12/2007, -3/+17
  Be sure to include a spell checker on the drive.
- 1337squirrel, on 10/12/2007, -0/+12
  Which is why Autorun should be disabled in Active Directory or in the Local Security Policy as well. If for nothing else, then to keep music CDs from installing rootkit DRM software on your 'puter without your knowledge. ;) Again, if no one has enabled these settings...
- eclectro, on 10/12/2007, -5/+14
  How hard would it be to write a custom trojan that Symantec wouldn't detect? They teach that in hackerz school, don't they?
- pronobozo, on 10/12/2007, -2/+11
  Time to epoxy the USB!
- mubix, on 10/12/2007, -1/+9
  If you know someone is an admin on their machine and they pop up to go to the bathroom and lock their machine out, Autorun still happens, so you pop over to their machine, insert the USB, wait and then take it out; before they get back you could be done.
- ZaNkY, on 10/12/2007, -0/+6
  So??? I think the point is that you walk by a machine where the owner got up for a second; maybe you can somehow distract him or ask him if you can print something off their comp via USB....
  It only needs to be in the comp for a couple of seconds.....
- lunytunz42, on 10/12/2007, -4/+10
  I will definitely need to build one of these for myself.
- unluckier, on 10/12/2007, -1/+5
  @1337squirrel:
  If you think AV heuristics actually work as advertised, I've got a bridge to sell you!
- requiem18th, on 10/12/2007, -0/+4
  I think you jumped straight to the slash
- Ouroboros, on 10/12/2007, -0/+4
  I don't get it. Why go through the trouble of replacing the ISO, which would be easier for a security outfit to tag? The U3 launchpad software that normally autoruns already has the ability to internally spawn/autolaunch applications that have been customized/retrofitted for compatibility with the U3 launchpad and set to autolaunch in the U3 launchpad software. The developer API is basically free to get, so all one would need to do is compile a small application that behaves the way the U3 API expects and executes the necessary commands, then pack it up as a U3 application install file.
  This would be much harder to block, because U3 is legitimate software put out by reputable companies. Blocking the applications the U3 launchpad spawns requires serious application/endpoint control or a good behavior heuristic in your antivirus/antispyware. Disabling autorun won't seriously mitigate things, because a user can double-click the U3 launchpad software anyway to start it.
  To make security professionals really hate their lives, just make an application to autogenerate the U3 install file, randomly pad the application exe to prevent an easy signature, and use the U3 launchpad's ability to load applications from local U3 installer files instead of from U3.com and you are good to go.
  Why reinvent the wheel when you already have sufficient and good tools in front of you? I didn't see much to explain the justification for the custom ISO.
- inactive, on 10/12/2007, -0/+4
  Season 4 of 24, they use such a device.
- dustyshadow, on 10/12/2007, -0/+4
  Most home Windows computers just log right in to admin without using a password, so this really won't help you. You'd already have everything you need. The normal Windows installation doesn't really make it clear how to set up an admin account. It just starts you with one. That, and the fact that autorun still exists, are the main problems here. Autorun should be done away with.
- misterjangles, on 10/12/2007, -0/+4
  You can disable Windows saving the LM hash by following the instructions here: http://support.microsoft.com/kb/299656/ Basically just change a registry value from a 0 to a 1, reboot and change your password.
  You can also disable autorun on all drives using TweakUI: http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx
- aardwolf, on 10/12/2007, -1/+4
  Well, if you look at http://www.hak5.org/forums/viewtopic.php?p=31679#31677 you can see that the anti-virus part already isn't a problem. It's only a matter of time before this utility is fully developed.
- rjinso, on 10/12/2007, -1/+4
  Using a USB drive to "recover" passwords is old news. Why not skip all this nonsense about having to have admin access rights, no antivirus software running, etc. and instead boot from a USB drive with utilities to "recover" password hashes? Mpentoo, for instance, will do exactly this.
- jd_digger, on 10/12/2007, -2/+5
  As per the show notes' reference to the M$ KB, disable the LM hash:
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following key in the registry:
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type NoLMHash, and then press ENTER.
  5. On the Edit menu, click Modify.
  6. Type 1, and then click OK.
  7. Restart your computer, and then change your password.
- Otto, on 10/12/2007, -0/+3
  Just for information's sake, it's entirely possible to do this with an iPod too, with much the same software. You don't need a U3-capable device to do it. iPods are capable of being autorun. There's a little bit of a trick to it though. :)
  A normal flash drive, on the other hand, will not usually do autorun without the U3 capability.
- 1337squirrel, on 10/12/2007, -0/+3
  Dugg for further review... ;)
  The mitigating factors limit this setup's usage to PRE-APPROVED pen-testing, or someone's home computer. Any Active Directory network SHOULD be using AT LEAST NTLM + NTLM2 (and denying any LM), but there will always be misconfigured networks out there.
  What would be interesting to me is if they had workarounds for the need for admin login and autorun. Of course, there are quite a few good LiveCD distros out there now that will get around those (by booting from them). I mean, if you have physical access but no admin rights, the LiveCD is a better option IMO. Otherwise, this USB drive is great if you catch an admin AFK who didn't lock their workstation. Or approved pen-testing.
- JrGhoull, on 10/12/2007, -0/+2
  Hey, it beats asking.
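An added example, not code from the Hak5 page or from any commenter: a small Python audit that parses the text `reg query` prints for the Lsa key and the Explorer policies key and reports whether the NoLMHash step from the thread has been applied (1 = LM hash no longer stored), whether LmCompatibilityLevel stops the client from sending LM responses (the "denying any LM" point above), and which drive types NoDriveTypeAutoRun still allows to autorun. The `reg query` output layout, the two sample captures and the use of LmCompatibilityLevel and NoDriveTypeAutoRun are assumptions made for the example; the NoLMHash path is the one given in the thread, and the NoDriveTypeAutoRun bit meanings (0x04 removable, 0x20 CD-ROM, 0xFF all types) are Microsoft's documented ones.

```python
"""Audit `reg query` output for the LM-hash and Autorun hardening discussed in the thread.

Added example, not part of the Hak5 page. Assumed input format (what `reg query <key>`
prints): a key path on its own unindented line, followed by indented rows of
`Name    REG_TYPE    Value`. Everything else here is constructed sample data.
"""
import re

# Key from the thread (KB 299656); NoLMHash = 1 stops Windows storing the LM hash.
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
# Assumed: the Explorer policy key where NoDriveTypeAutoRun lives (a bitmask of drive types
# for which Autorun is disabled; 0xFF disables it for every type).
EXPLORER_POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"

DRIVE_REMOVABLE_BIT = 0x04  # USB flash drives as normally presented
DRIVE_CDROM_BIT = 0x20      # optical drives, and the CD partition a U3 stick presents

ROW_RE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*?)\s*$")


def parse_reg_query(text):
    """Return {key_path: {value_name: (reg_type, raw_value)}} from reg query text."""
    result = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")):   # unindented line = key path
            current = line.strip()
            result.setdefault(current, {})
            continue
        m = ROW_RE.match(line)
        if m and current is not None:
            name, reg_type, raw = m.groups()
            result[current][name] = (reg_type, raw)
    return result


def dword(entry):
    """Turn a ('REG_DWORD', '0x1') tuple into an int; None when absent or not a DWORD."""
    if entry is None or entry[0] != "REG_DWORD":
        return None
    return int(entry[1], 0)


def audit(text):
    """Evaluate the hardening settings in one host's reg query capture."""
    values = parse_reg_query(text)
    lsa = values.get(LSA_KEY, {})
    nolmhash = dword(lsa.get("NoLMHash"))
    # Missing LmCompatibilityLevel is treated as 0, the pre-Vista default (LM & NTLM sent).
    lm_level = dword(lsa.get("LmCompatibilityLevel")) or 0
    autorun = dword(values.get(EXPLORER_POLICY_KEY, {}).get("NoDriveTypeAutoRun"))
    autorun_mask = autorun if autorun is not None else 0
    return {
        "lm_hash_disabled": nolmhash == 1,
        "sends_lm_response": lm_level < 2,            # levels 0 and 1 still send LM responses
        "autorun_disabled_all_drives": (autorun_mask & 0xFF) == 0xFF,
        "removable_autorun_disabled": bool(autorun_mask & DRIVE_REMOVABLE_BIT),
        "cdrom_autorun_disabled": bool(autorun_mask & DRIVE_CDROM_BIT),
        "nolmhash_raw": nolmhash,
        "autorun_raw": autorun,
    }


# Constructed sample captures (not real hosts).
HARDENED = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    NoLMHash    REG_DWORD    0x1
    LmCompatibilityLevel    REG_DWORD    0x5

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoDriveTypeAutoRun    REG_DWORD    0xff
"""

WEAK = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    LmCompatibilityLevel    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoDriveTypeAutoRun    REG_DWORD    0x95
"""

if __name__ == "__main__":
    for label, capture in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit(capture))
```

The weak sample uses 0x95, the value Windows XP shipped with: removable drives are covered but the CD-ROM type (0x20) is not, and a U3 stick presents part of itself as a CD-ROM, which is why the thread notes that a plain flash drive will not autorun while a U3 one will. Note that, as the KB article says, setting NoLMHash only stops the LM hash being written from the next password change onward, so the audit cannot tell you whether an old LM hash is still present.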
- 1337squirrel, on 10/12/2007, -2/+4
  @eclectro:
  Symantec, as well as pretty much any AV software worth its salt, uses virus heuristics detection. I don't know the nuts and bolts of what it is, but it's basically detecting virus-like characteristics in the data about to be used (even if it's new, unknown viral code), and quarantines it until the user takes action on it. Occasionally heuristics detection will key on harmless software, but most of the time it catches what it's supposed to catch.
- MrJester7521, on 10/12/2007, -2/+4
  Hak.5 is the shizzle.
- Duggy, on 10/12/2007, -1/+3
  While you all make excellent comments as to why this shouldn't work and how it would be easier to retrieve another way, in the real world I think this would work.
  A: Anti-virus: as posted in the forum, it's already able to bypass Symantec.
  B: You could use more than 15 letters in your password.. tell that to the *****... I mean users, I have to work with.
  C: No admin access.... funny enough, most of the ***** I work with have to have admin access so that the poxy banking software they work with actually works.
  D: You could retrieve this information another way... yes you could, but it would be a lot less obvious by just sticking in a USB key and pulling it out again.
- HappyScrappy, on 10/12/2007, -0/+2
  Already did. I tried these crackers. They don't work on my machine.
- machineking, on 10/12/2007, -0/+1
  Had to read in detail to see you actually need a special type of USB drive...
- pucosk, on 10/12/2007, -1/+2
  Yeah, just drop a CD labeled "boss with his assistant" or "horse porn" in the smoking area and you don't have to waste a USB stick. Well, I wonder how many companies give admin access to their boxes. Plus you don't get AD passwords, only local admin. And that is virtually useless on a good network.
  I mean, this is really sooo lame.
- ohstoopid1, on 10/12/2007, -0/+1
  Thereby wasting a USB drive, and also assuming the PC it plugs into has network access. You'd be better off running to their PC while they're in the smoking area or bathroom.
- ptrcd003, on 10/12/2007, -0/+1
  I'd try it, but that means I'd have to take off the U3 software, which is surprisingly useful for me.
- spamdies, on 10/12/2007, -0/+1
  USB can be disabled in both the BIOS and the OS; then what?
- 1337squirrel, on 10/12/2007, -3/+4
  Which is why in your scenario, someone's home computer is probably the target, I mean test system. ;) However, if all the mitigating factors are nullified (admin logged in, autorun disabled, no AV software), why not just create yourself an admin account and lock the other accounts out, or at least demote them to plain users? =)
  Alas, I must Digg you down, because the exploit IS technically accurate in theory, and in practice, given the right conditions.
- jones20992, on 10/12/2007, -0/+1
  I just use EBCD Pro; it's got better tools and I don't have to monkey with a USB drive.
- h00ligan, on 10/12/2007, -0/+1
  And..uhmm... not disabling backwards compat pass, i.e. keeping to 14 characters or less, is necessary....
- kickarse, on 10/12/2007, -0/+1
  It's all hypothetical and should be tested in the real world. Have fun testing!
- FLAESHAL, on 10/12/2007, -0/+0
  Never mind, I found it, feeling like an idiot, but would it work with an Ativa 1 gig U3 drive?
- twistedf8, on 10/12/2007, -0/+0
  I have come across this type of security threat before; there are ways to secure your PC/network from something like this. Not only can USB storage devices be used to install crap, they can also be used to steal your personal information. Before someone burns me at the stake, these are only some of the ways that I have found; I am sure there are other ways. http://twistedf8.blogspot.com
- nickweb, on 10/12/2007, -0/+0
  Never mind
- rjinso, on 10/12/2007, -0/+0
  How incredibly lame is this method, such that you have to use a particular kind of USB drive?
- FLAESHAL, on 10/12/2007, -0/+0
  In the article it stated that I need a .iso file and I couldn't find a link to one. Would I have to rename the existing one or download it from someplace?
- lofan, on 10/12/2007, -0/+0
  Using a USB drive you can do many things: recover passwords, collect forensic evidence, etc.
  It is not news; you can even build your own bootable USB to hack a Windows machine..
- MaxDam, on 10/12/2007, -0/+0
  Man, why so much flaming. I wrote it just to show that a USB key is dangerous. It is not a hacking tool. Lighten up, guys. Oh, I have one for *nix too and I have one that escalates privs so you don't need admin :)
- signal15, on 10/12/2007, -1/+0
  They should add the capability for it to email the data off somewhere. Then you could leave these things lying around smoking areas and bathrooms where employees frequent. They are certain to pick them up and insert them. Then you don't even need to have access to the machine; the employee inserts it and it does its thing and sends you the results.
- dranyam, on 10/19/2007, -11/+10
  Keep on Rockin' in the Free World.... Big ups to the hak.5 crew
- Pestilence, on 10/12/2007, -3/+1
  And then he comes back and says 'hey, why are you under my desk messing with the back of my computer'?
- dustyshadow, on 10/12/2007, -6/+4
  @FCon4
  Anyone with half a sense of grammar knows what I meant. This isn't the place for grammar lessons, but since you seem to want it to be, I will start by saying you don't use an apostrophe in the plural form. It is "ifs", not "if's".
- Urusai, on 10/12/2007, -5/+3
  What, nobody ever rootkitted Linux? We must all migrate to OpenBSD ASAP!