When you hear that you can steal user hashes from locked machines, everyone’s ears perk up. This attack vector has been around for almost a year now, which surprised me that several pen testers/security experts were either totally unaware or not utilizing it in their physical penetration exercises. Below I’ll try my hand at explaining the attack as well as my experience with conducting it.
Essentially you can configure and plug in a Hak5 LAN Turtle into a locked (logged in but locked) machine and it will store user hashes onto the Turtle within a matter of seconds. It does this by winning out to be the “newest most fastest” network attached and responder spoofs several roles, thus allowing the authentication challenge to occur which has the hash within it.
This attack appears to have been first published on Mubix’s site on Sep 6, 2016. He describes in great detail how to replicate this attack (even on a USB Armory) and why and how this attack works.
Only a Hak5 LAN Turtle
But it’s always nice to have options… If you have the extra money to fork over, then you can accomplish this with a USB Armory. I personally haven’t used it for this attack but have read of its success. There are some trade offs, it doesn’t look as inconspicuous as the Turtle but it does offer more development control.
This was my first time using the Turtle so I had to go through the setup process and download the various modules. I think it’s important to wade through the documentation and setup videos offered on their wiki, so that you understand all the options/functionality that comes with it. The documentation is laid out well and it’s easy to follow, so don’t skip this step, go explore it. With that being said, I won’t offer instructions on the Turtle setup. However, we will go over the specifics to this attack.
I recommend installing all the modules that are offered so that you can have them readily available anytime you want to play around with them. Once you have them, the Hak5 guys were nice enough to create a module for this exercise called “QuickCreds”.
Log into the Turtle and select “Modules”
Select “Enable”, so that it starts whenever the Turtle is plugged into the Target Machine
Optional – If you didn’t download the module then you can click “Configure” and download it at that time.
Optional – If you want to test QuickCreds against your machine currently then you can start it by selecting “Start”
Insert the Turtle into a logged in but locked machine and wait for the credentials to be harvested. With the QuickCreds module, you can view the status of the operation by the light indicator. Once the light begins blinking rapidly, the credentials have been captured and you can simply remove the Turtle from the machine.
To view the captured credentials, you can plug the Turtle back into your machine and connect to it via Putty. Go to the “Exit” option so that you’ll be presented with a command prompt, which you already know because you read the wiki (right?). Change to the loot directory with
cd loot and display the files located within that folder with
ls -al. You should see a responder.log and one or more folders that are numbered numerically. Each time you plug in the Turtle and it begins to capture credentials, it will store the results in a separate folder. To view the harvested credential simply open the respective folder and look for a text file containing the credentials (example: Proxy-Auth-NTLMv2-220.127.116.11.txt).
Within the file you should be presented with something similar to the below line
The User1 section is the username and the domain1 section is the domain in which the machine is located on. The following information is the hash that you would most likely throw into hashcat or use within your favorite cracking method.
Since Hak5 was kind enough to script this into a module, it made this exercise a snap. I’ve had mixed results on timing and the ability to pull the credentials though. From my research online, this seems to be a common theme and perhaps the inability for some machines to download/enable the correct driver. However, I would say that the majority of my tests passed with flying colors. I tried various OS’s and I didn’t particularly find any that it just didn’t work on. The light sequence used in QuickCreds sometimes was right and sometimes it wasn’t but for the most part it did well.
- Combining this with other attack methods (the Turtle can offer a shell back to you!) offer a ton of options and attacking scenarios to conduct
- Since just about every OS is going to trust Ethernet/LAN and employees typically need a USB, it would difficult to find an enterprise level defense solution. Thusly, this is going to increase your chances at advancing your physical pen test.
- This is super simple to carry out and usually can be done within 30 seconds. The LAN Turtle disguises itself nicely which is certainly a perk for going for the cheaper option.
- Depending on the hash that you’ve obtained, you could attempt a pass-the-hash type attack and not even bother with cracking