Author Topic: Snagging Creds from Locked Machines  (Read 930 times)

Offline Priest

  • *CWSP Certified*
  • Experienced
  • *******
  • Posts: 133
  • Internets: +20/-0
  • C://dos.run run.dos.run
Snagging Creds from Locked Machines
« on: September 12, 2016, 07:54:26 AM »
If I remember correctly, this was originally presented at Blackhat this year.  A genius concept and execution in my opinion.  Requires physical access to the machine, but depending on the terms of your redhat agreement, not completely implausible. 
I'm attaching the link that a coworker found to get his up.

Article
http://www.pcworld.com/article/3117793/security/a-usb-device-is-all-it-takes-to-steal-credentials-from-locked-pcs.html

The actual How to and walkthrough:
https://room362.com/post/2016/snagging-creds-from-locked-machines/

Offline r3k0hu

  • Top Hat Member
  • Professional
  • ********
  • Posts: 482
  • Internets: +48/-0
Re: Snagging Creds from Locked Machines
« Reply #1 on: September 12, 2016, 12:36:22 PM »
Perfect timing Priest

I was talking to the guys at work about this today. I've got a Turtle in front of me this very second so going to set it up and see how it goes.. will test on a few machines at work and let you know how fast and reliable it actually is.
r3k0hu
-43.9515-176.561

Offline H4v0K

  • Administrator
  • Elite
  • *****
  • Posts: 1017
  • Internets: +986/-1
Re: Snagging Creds from Locked Machines
« Reply #2 on: September 12, 2016, 01:18:32 PM »
I was just glancing over some of this the other day , thanks for sharing the walkthrough :)

Offline r3k0hu

  • Top Hat Member
  • Professional
  • ********
  • Posts: 482
  • Internets: +48/-0
Re: Snagging Creds from Locked Machines
« Reply #3 on: September 12, 2016, 01:43:28 PM »
If you're using the Turtle, it looks like Darren has made a module already - credit to Mubix @ Room362.com. Just do an update and it'll be the last module on the list called 'QuickCreds'. Once enabled, go to configure and install the required dependencies.

Going to test it tomorrow at work on a few machines so will let you know

Would like to do this with a Pi as well.. has anyone tried this yet?
r3k0hu
-43.9515-176.561

Offline Priest

  • *CWSP Certified*
  • Experienced
  • *******
  • Posts: 133
  • Internets: +20/-0
  • C://dos.run run.dos.run
Re: Snagging Creds from Locked Machines
« Reply #4 on: September 12, 2016, 04:22:49 PM »
Dude, to be Darren K...that's the dream.

If you scroll down to the comments section within the tutorial I posted, you'll see a guy claim to have gotten it working on a zero.  Certainly seems plausible. 

I just saw today a Hak5 episode where Darren talks about using a rubber duck to initiate an SMB request to a rogue samba server to get the hash of the user.  I had actually thought of using a Pi0 to act as the server for that once physically inside the net.  Great way to trail the admin's USB policies.

Just goes to show you, there are still very simple sploits out there, just waiting to be found

Offline r3k0hu

  • Top Hat Member
  • Professional
  • ********
  • Posts: 482
  • Internets: +48/-0
Re: Snagging Creds from Locked Machines
« Reply #5 on: September 13, 2016, 04:30:54 AM »
Okay - I tried the stock standard QuickCreds module on the Turtle on a few machines, and will need to do a bit of playing and further testing. Most likely will look at the Pi via Ethernet connection, but for now I had the following

OSX 10.11 Macbook Pro (Home Machine) - Nothing :(
Windows 7 VM (on the above laptop) - Nothing

Windows 7 Laptop, bound to domain (work)
   - At first nothing as Realtek USB driver needs to be installed - that's a show stopper for all our corporate laptops (a good thing)
   - Once driver was installed, it captured my domain account hash

OSX 10.11 Macbook Pro (work) - The LED sequence indicated it had captured some creds but nothing is logged. Need to look into this

So, so far I've had mixed results. In theory it's working but the lack of drivers on Windows threw a spanner in the art of being stealthy :) I'll look into the Pi, and see if I can also find why I have such a low success rate with the Turtle and let you know
r3k0hu
-43.9515-176.561
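The Windows 7 result above (nothing captured until the Realtek USB Ethernet driver was installed) points at the control a defender actually wants: a device installation restriction policy that stops new network-adapter class devices from being installed at all. The script below is an added example written for this thread, not code from the QuickCreds module, Room362 or Hak5; it assumes the standard Windows "Device Installation Restrictions" policy registry layout (DenyUnspecified / DenyDeviceClasses under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions) and the built-in Net setup class GUID, and it lists any USB-attached network adapters currently present so an unexpected one stands out.

```powershell
# Added example (not from the thread): audit whether this Windows host blocks
# automatic installation of Net-class (network adapter) devices, the behaviour
# r3k0hu saw stopping the USB gadget on corporate laptops, and list USB NICs.
# Assumes the standard Device Installation Restrictions policy registry layout.
$restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$netClassGuid = '{4d36e972-e325-11ce-bfc1-08002be10318}'  # "Net" device setup class

function Test-NetClassInstallDenied {
    if (-not (Test-Path $restrictions)) { return $false }
    $policy = Get-ItemProperty -Path $restrictions -ErrorAction SilentlyContinue
    # "Deny everything not explicitly allowed" covers the Net class too.
    if ($policy.DenyUnspecified -eq 1) { return $true }
    if ($policy.DenyDeviceClasses -eq 1) {
        # The denied classes live as string values ("1", "2", ...) in a subkey.
        $deniedKey = Join-Path $restrictions 'DenyDeviceClasses'
        $denied = Get-ItemProperty -Path $deniedKey -ErrorAction SilentlyContinue
        if ($denied) {
            foreach ($p in $denied.PSObject.Properties) {
                if ($p.Value -is [string] -and $p.Value -ieq $netClassGuid) { return $true }
            }
        }
    }
    return $false
}

function Get-UsbNetAdapters {
    # Present Net-class devices whose instance ID shows they sit on the USB bus.
    Get-PnpDevice -Class Net -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -like 'USB\*' } |
        Select-Object FriendlyName, InstanceId, Status
}

if (Test-NetClassInstallDenied) {
    'OK: Net-class device installation is denied by policy'
} else {
    'WARNING: new network adapters can be auto-installed; a USB Ethernet gadget would get a driver'
}
Get-UsbNetAdapters
```

Run it in an elevated PowerShell session on a domain-joined laptop; an existing Realtek USB NIC showing up in the adapter list while the policy check reports a warning is exactly the configuration that let the capture succeed in the post above. The policy check is a configuration audit only: it does not tell you whether a driver was already installed before the policy was applied, so pair it with the adapter listing.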

Offline Priest

  • *CWSP Certified*
  • Experienced
  • *******
  • Posts: 133
  • Internets: +20/-0
  • C://dos.run run.dos.run
Re: Snagging Creds from Locked Machines
« Reply #6 on: September 13, 2016, 05:10:48 AM »
Thanks for the feedback.  This incident reignited my research into the USB Armory device, and I finally pulled the trigger.  However, a lot of people did the same so I have to wait a month or so for it.

Talking with people, the drivers for the Armory appear to have a better chance of being supplied with OSes, so the success rate might be higher?  I'll load up my turtle this afternoon and give it a go