Security researcher Rob Fuller has published a simple way to steal login credentials (passwords) from locked Windows and OS X computers.
The attack requires access to the target computer, a connected notebook that you have modified to impersonate a USB Ethernet adapter, and a computer with software that will crack the hashes that are intercepted.
The actual attack can be done in less than half a minute, as you will see in the video below.
"Why? Because USB is Plug-and-Play. This means that even if a system is locked, the device still works," says Fuller.
"Right now, I think there are restrictions on the types of devices you can install on a locked computer with newer operating systems (Win10 / El Capitan), but Ethernet / LAN devices definitely work."
In his blog, he explains how to set up a USB Armory or a Hak5 Turtle, two cheap ($155 and $49.99 respectively) USB-mounted Linux computers, for use in the attack.
Basically, they must be equipped with Responder, open source software that simulates an authentication server. The operating system "recognizes" the server and trusts it by default, as if it were on the local network. It thus responds to the authentication request with the login credentials (passwords) recorded in a database.
To complete the attack, you must crack the hashes of the stolen credentials. Different operating systems use different hashes, but all can be cracked or downgraded to a form that can be used in "pass the hash" attacks.
The attack has been tested on various operating systems and OS versions. It works on Windows 98 SE, 2000 SP4, XP SP3, 7 SP1, and 10, as well as OS X El Capitan / Mavericks. It has not yet been tested on Linux.
Watch the video, and think twice the next time you lock your PC and assume it is safe.
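A defensive check for the condition Fuller describes (a network device being installed while the computer is locked), as an added example that is not from Fuller's blog or this article: it correlates Windows Security events 4800 (workstation locked), 4801 (workstation unlocked) and 6416 (new external device recognized). The simplified event dictionaries, the `class` field standing in for the event's ClassName, and all host names, device names and timestamps are constructed for illustration.

```python
from datetime import datetime

# Windows Security event IDs. They are only logged when the audit policies
# "Other Logon/Logoff Events" (4800/4801) and "PNP Activity" (6416) are enabled.
LOCKED, UNLOCKED, NEW_DEVICE = 4800, 4801, 6416

# Constructed sample events, already reduced to the fields the check needs.
SAMPLE_EVENTS = [
    {"time": "2024-01-15T09:00:05", "host": "WS-01", "id": 6416,
     "class": "Net", "device": "Docking Station Ethernet"},      # unlocked: ignored
    {"time": "2024-01-15T12:30:00", "host": "WS-01", "id": 4800},
    {"time": "2024-01-15T12:41:10", "host": "WS-01", "id": 6416,
     "class": "Net", "device": "USB Ethernet/RNDIS Gadget"},     # locked: alert
    {"time": "2024-01-15T12:41:12", "host": "WS-02", "id": 6416,
     "class": "Net", "device": "USB Ethernet Adapter"},          # other host, not locked
    {"time": "2024-01-15T12:50:00", "host": "WS-01", "id": 6416,
     "class": "Keyboard", "device": "HID Keyboard"},             # locked, but not a NIC
    {"time": "2024-01-15T13:05:00", "host": "WS-01", "id": 4801},
    {"time": "2024-01-15T13:10:00", "host": "WS-01", "id": 6416,
     "class": "Net", "device": "USB Ethernet Adapter"},          # after unlock: ignored
]


def adapters_added_while_locked(events):
    """Return network-class 6416 events that occurred while the host was locked."""
    locked_since = {}  # host -> timestamp of the lock that is still in effect
    alerts = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        host = ev["host"]
        if ev["id"] == LOCKED:
            locked_since[host] = ev["time"]
        elif ev["id"] == UNLOCKED:
            locked_since.pop(host, None)
        elif (ev["id"] == NEW_DEVICE
              and ev.get("class", "").lower() == "net"
              and host in locked_since):
            alerts.append({**ev, "locked_since": locked_since[host]})
    return alerts


if __name__ == "__main__":
    for a in adapters_added_while_locked(SAMPLE_EVENTS):
        print(f"{a['time']} {a['host']}: network device '{a['device']}' "
              f"installed while locked since {a['locked_since']}")
```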