Security consultant and blogger Rob Fuller has turned a USB SoC-based device into a credential-sniffer that works even on locked machines.

Fuller's attack works by modifying the dongle; when it's plugged in, it installs and makes itself the victim's network gateway, DNS server, and WPAD (Web proxy autodiscovery protocol) server. In the process of trying to install what it thinks is an Ethernet adapter, the target machine will send its credentials over the spoofed network.

The modded Ethernet adapter also needs to be set up to capture the credentials the target machine offers, as it's trying to connect to the network through the adapter.

While the password it captures has whatever hash the victim's machine applies in storage, that's also what a server will expect to see.

As Fuller explains here, it's an attack that shouldn't work, but he reckons it does and has tested the attack on Windows up to Windows 10 Enterprise and Home (but not Windows 8). It also worked on OS X El Capitan, but Fuller is unsure if that is down to quirks in his own setup.

As he explains, if a machine can see both a wireless and wired network, it'll try to connect to whichever is faster – and the USB key is providing network responses rather than having to pass requests upstream.

He tested two dongles for the attack, the USB Armory and the Hak5 Turtle.

While the attack needs physical access to the target, Fuller says his average retrieval time was 13 seconds. ®