How spoofing an Ethernet adaptor lets you sniff PC credentials

The trick works whether or not the target system is locked.
Written by Charlie Osborne, Contributing Writer
Rob Fuller

A security researcher has discovered a simple way to use a spoofed USB Ethernet adaptor to capture credentials from locked computer systems.

This week, researcher Rob Fuller described how a modified dongle could be used to trick a PC into sending credentials to the device in the quest to install what it believes to be an Ethernet adaptor.

Once plugged in, the spoofed Plug-and-Play adaptor turns itself into the systems' network gateway, a DNS server, and WPAD (Web proxy autodiscovery protocol) server. When the victim's PC recognizes that the device has been plugged in, credentials are then sent over the spoofed network, whereby they can then be captured by the attacker.

As Fuller explains, the attack "should not work," but does on a variety of machines and operating systems. The spoof attack has been successful against Windows 98, Windows 2000, Windows XP SP3, Windows 7 SP1, Windows 10 -- both Home and Enterprise -- as well as OS X El Capitan, and Mavericks.

However, it is worth noting that Fuller is not certain whether the attack against the Mac operating systems was due to his own system configurations, or whether the average user would indeed be vulnerable. Linux machines have not been tested.

The attack is possible because, by design, most PCs will automatically install Plug-and-Play USB devices.

"Even if a system is locked out, the device still gets installed," Fuller says.

The researcher tested out the attack using two products, the USB Armory and a Hak5 Turtle.

In the video below, you can see the spoof attack levied against a Windows 10 OS on a virtual machine which is locked but a user is logged-in.

See also: Yelp lures researchers with $15k rewards in bug bounty program

The attack does need physical access to a system to work, but potentially, it would take only 13 seconds on some systems, according to the researcher.

However, default network preferences do also come into play and may result in the attack failing. PCs will usually go for wired and faster connections as a default process, so if both a wired and wireless network are detected, the PC may ignore connecting to the spoofed network entirely.

This week, in related news, Google issued a patch which fully resolved the "Quadrooter" set of four security flaws affecting millions of Android devices.

The 10 step guide to using Tor to protect your privacy

Editorial standards