
I've read that devices that look like USB flash drives can be hidden network cards that can then steal credentials even when the screen is locked. (Like the Bash Bunny)

I understand that being the network they can send internet traffic anywhere. But how would that help? I can even understand that if someone is willing to type their password into a non-secure site (http) - they can read that. But as long as https is used (and I assume automatic traffic like Windows Update for example, even if they would send some credentials, would be over TLS) how would they read that? And besides, why would any automatic traffic send credentials?

So my question is how can a hidden network card steal credentials when not being used by a user (e.g. when the screen is locked)?

ispiro
  • Related: [How worried should I be about getting hacked with PoisonTap?](https://security.stackexchange.com/questions/142879/how-worried-should-i-be-about-getting-hacked-with-poisontap). – Steffen Ullrich Feb 19 '18 at 13:03
  • Your question is not clear enough: if you want to know how such stealing works at all see the question about PoisonTap I've linked to. If you want to know why it works also for https - it usually does not. If you want to know why sites send traffic (with credentials or session cookies) while the screen is locked - locking the screen does not stop the browser and sites often exchange data in the background since otherwise they could not show you updates by their own but only on explicit refresh. – Steffen Ullrich Feb 19 '18 at 13:08
  • @SteffenUllrich Thanks for the link. My question is about password-stealing - when would a password be sent without the user present, and over http. The link, though good reading, doesn't seem to bring any case of that. Though I guess that in itself is an answer - that this seldom, if ever, happens. – ispiro Feb 19 '18 at 13:13
  • @SteffenUllrich But your comment adds information - that some sites will continuously send my credentials in order to update the page. If this is indeed common, and if it's done insecurely - that is probably the best answer to my question. Please turn it into an answer so I can upvote it. (Is that how StackOverflow notifies me of new comments? If so - then when SO wasn't served securely - it seems to be an example of this vulnerability.) – ispiro Feb 19 '18 at 13:15
  • Might be talking about NTLM hashes. Windows sends those over the network for a lot of reasons. Once they're obtained, they can be cracked offline or used in pass-the-hash attacks. – Ajedi32 Feb 19 '18 at 16:58
  • @Ajedi32 This is probably it! It fits what I've read. Please feel free to post it as an answer. – ispiro Feb 19 '18 at 18:49
  • @ispiro Unfortunately I don't really know much about NTLM beyond what I said in my comment. If someone who's more familiar with Windows wants to expand that into an answer though, be my guest. – Ajedi32 Feb 19 '18 at 18:53

1 Answer


The attack you read about is probably PoisonTap. Basically it works by the USB device being a small computer which emulates a USB network adapter and provides an IP address and routes so that most of the network traffic of the attacked computer gets sent to the USB device.

Getting credentials this way is possible since browsers continue to run if the screen is locked and they continue to update sites in the background. PoisonTap provides such "site updates" and includes links to even more sites inside the update so that lots of sites get accessed. And it provides the content for these sites too etc. The requests to the sites where the user is currently logged in usually include a session cookie which often can be used to impersonate the user. Sometimes requests also include the original username and password credentials, for example if basic authentication is used by the site. And, if the victim is using a password manager which automatically fills in credentials, the attacking USB device might return pages which include login forms and some Javascript and thus extract the automatically filled-in credentials.

Note that this works only for HTTP and not HTTPS since the attacking USB device does not provide trusted certificates for the sites in question. Still, not all sites use HTTPS and sometimes they will provide the session id also if the target URL is HTTP only (i.e. no secure flag set on the cookie).

Steffen Ullrich
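The last point of the answer, that a session cookie without the Secure attribute is attached to plain http:// requests too, is easy to check on a site's own Set-Cookie headers. The following is an added example (not from the answer or from PoisonTap): it parses Set-Cookie headers, shows which cookies a browser would send on an http versus an https request, and flags session-looking cookies that lack Secure. The header values and the host `example.test` are constructed for the demonstration.

```python
"""Audit Set-Cookie headers for session cookies that lack Secure and
would therefore reach a rogue USB network device that answers a
background HTTP request. Sample headers below are constructed."""
from urllib.parse import urlparse

def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header into name, value and its attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(),
              "secure": False, "httponly": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key in ("secure", "httponly"):
            cookie[key] = True          # flag attributes carry no value
        elif key in ("domain", "path", "samesite"):
            cookie[key] = val.strip()
    return cookie

def cookies_sent_to(cookies: list, url: str) -> list:
    """Names of cookies a browser would attach to a request to `url`.
    Only the scheme check matters here: Secure cookies go over https
    only, every other cookie is sent on both schemes (RFC 6265 5.4)."""
    scheme = urlparse(url).scheme
    return [c["name"] for c in cookies if scheme == "https" or not c["secure"]]

def leaking_session_cookies(headers: list) -> list:
    """Names of session-looking cookies (HttpOnly, or a session-like name)
    that lack Secure and so would be exposed over plain HTTP."""
    cookies = [parse_set_cookie(h) for h in headers]
    hints = ("sess", "sid", "auth", "token")
    return [c["name"] for c in cookies
            if not c["secure"]
            and (c["httponly"] or any(h in c["name"].lower() for h in hints))]

# Constructed sample headers for a hypothetical site, not a real response
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",            # weak: no Secure
    "csrftoken=xyz; Path=/; Secure; SameSite=Lax",
    "auth_token=t0k3n; Path=/; Secure; HttpOnly",
    "theme=dark; Path=/",                            # no Secure, but harmless
]

if __name__ == "__main__":
    cs = [parse_set_cookie(h) for h in SAMPLE_HEADERS]
    print("sent over http :", cookies_sent_to(cs, "http://example.test/"))
    print("sent over https:", cookies_sent_to(cs, "https://example.test/"))
    print("weak session cookies:", leaking_session_cookies(SAMPLE_HEADERS))
```

The fix on the server side is to set Secure (and HttpOnly) on every session cookie and to serve HSTS so the browser never issues the plain http:// request in the first place.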