Inception is a FireWire physical memory manipulation and hacking tool exploiting IEEE 1394 SBP-2 DMA. The tool can unlock (any password accepted) and escalate privileges to Administrator/root on almost* any powered on machine you have physical access to. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe interfaces.
Inception aims to provide a stable and easy way of performing intrusive and non-intrusive memory hacks on live computers using FireWire SBP-2 DMA. It is primarily intended to do its magic against computers that utilize full disk encryption such as BitLocker, FileVault, TrueCrypt or Pointsec. There are plenty of other ways to hack a machine that doesn’t pack encryption. Inception is also useful for incident response teams and digital forensics experts when faced with live machines.
Inception’s main mode works as follows: By presenting a Serial Bus Protocol 2 (SBP-2) unit directory to the victim machine over the IEEE 1394 FireWire interface, the victim operating system thinks that an SBP-2 device has connected to the FireWire port. Since SBP-2 devices utilize Direct Memory Access (DMA) for fast, large bulk data transfers (e.g., FireWire hard drives and digital camcorders), the victim lowers its shields and enables DMA for the device. The tool now has full read/write access to the lower 4 GiB of RAM on the victim. Once DMA is granted, the tool proceeds to search through available memory pages for signatures at certain offsets in the operating system’s password authentication modules. Once found, the tool short-circuits the code that is triggered if an incorrect password is entered.
An analogy for this operation is planting an idea into the memory of the machine; the idea that every password is correct. In other words, the nerdy equivalent of a memory inception.
After running the tool you should be able to log into the victim machine using any password.
The in-memory patching is non-persistent, and a reboot will restore the normal password functionality. This contributes to a key property of Inception: It’s stealthy.
You can also use Inception to elevate privileges on (almost) any machine you have physical access to. As the tool patches the inner authentication mechanism in the OS, you can elevate your privileges to Local Administrator / root by using the Windows runas or Linux/OS X sudo su -s commands.
As of version 0.2.2, it is able to unlock Windows 8 SP0, Windows 7 SP0-1, Vista SP0 and SP2, Windows XP SP2-3, Mac OS X Snow Leopard, Lion and Mountain Lion, Ubuntu 11.04, 11.10, 12.04, 12.10, Linux Mint 11, 12 and 13 on x86 and x64 machines. Signatures are added by request.
- A Unix-flavor operating system to perform the attack from:
- Linux with the ‘Juju’ IEEE 1394 FireWire stack (Ubuntu 11 and higher and BackTrack 5 are known to work)
- Mac OS X (via IOkit, not recommended as IOkit is notoriously buggy at the moment)
- Python 3 (http://www.python.org)
- libforensic1394 (https://freddie.witherden.org/tools/libforensic1394/)
- A FireWire/Thunderbolt/ExpressCard/PC Card interface at both machines. If you don’t have a native FireWire port, you can buy an adapter to hotplug one. The tool works over anything that expands the PCIe bus.
The latest development version can always be fetched from GitHub.
You should be able to run the tool without any installation (except the dependencies) on Mac OS X and Linux operating systems. Please refer to the README file in libforensic1394 for installation of the libraries and FireWire pro-tips.
On Debian-based distros the process of installing the dependencies and the tool may be summarized as the following commands:

    sudo apt-get install git cmake python3 g++
    wget http://freddie.witherden.org/tools/libforensic1394/releases/libforensic1394-0.2.tar.gz
    tar xvf libforensic1394-0.2.tar.gz
    cd libforensic1394-0.2
    cmake CMakeLists.txt
    sudo make install
    cd python
    sudo python3 setup.py install
Unzip the tool into a suitable directory, or fetch the latest development version from GitHub:

    git clone https://github.com/carmaa/inception.git
    cd inception
To install the attack script natively, use the supplied setup.py script (as root if required by your OS):

    sudo ./setup.py install
Please test Inception on a similar target before running it against a production box. A full list of the tool’s available functionality is available by running the tool with the -h/--help switch:
To run, hook up your host computer to a target using available FireWire interfaces or expansion ports and simply type (as root if required by your OS):
The tool automatically loads signatures from the configuration file, and you can specify your own if you want to, using the -s switch or by editing the file. The file contains a syntax defining search signatures, patches and offsets.
To dump memory off the target machine to a file at the host, use the -D/-d/--dump switches. -D dumps all available memory, while -d dumps a specific region as specified by the user. Memory content is dumped to files with the file name syntax ‘memdump_START-END.bin’. Examples:
Dumping 5 MiB of memory from offset 0xffff:

    incept -d 0xffff,5MiB
Dumping all memory (up to 4 GiB):
To automatically dump memory from target machines that connect to a FireWire or Thunderbolt daisy chain where your attacking machine is connected, use the -p/--pickpocket switch:
Not working you say? Here’s a couple of hints:
- First, use the -v switch to visually confirm that the tool is able to read memory from the victim.
- Make sure you actually are connected with an IEEE 1394 FireWire cable (FireWire to USB converters, etc. won’t work, but 4/6/9 pin FireWire adapters do). Doh.
- “No firewire devices detected on the bus”
- First, try running the tool again.
- If you get this error message, try a different cable and/or using a couple of converters to convert from a 6/9 pin FireWire connector to 4 pin and back again. 6/9 pin FireWire cables are capable of transferring power, and this may cause trouble for some FireWire chipsets. Some FireWire cables are also known to be “straight-through” (i.e., not “crossover”), and this is known to cause trouble.
- Are you attacking from an OS that doesn’t support hot-plugging (such as BackTrack) using an ExpressCard/etc. on the host side? Re-boot the machine with the expansion card plugged in before running Inception.
- Are you sure you’re getting DMA? Sometimes the target machine takes an extended period of time (I’ve experienced time-spans up to around 30 secs on slow targets) installing the FireWire drivers and lowering the DMA shield; it is possible that you just didn’t wait long enough before attacking. Use the delay switch to increase the delay, and -v/--verbose to see if you actually read data. Also, looking in the Device Manager (assuming you are setting up a demo attacking Windows) may be helpful to see that a FireWire SBP2 device actually pops up when running the tool. Mind you, it is all right with a yellow exclamation mark by the device; the tool should work nevertheless.
- Does your target use some form of endpoint protection? Some antivirus vendors specifically block FireWire DMA. Turn it off and see what happens.
- Does your FireWire port work? Try connecting a FireWire disk and see if it is recognized. Check your BIOS setting to see that it is not disabled. Ensure that FireWire drivers are present and not removed from the system.
- Are you getting data, but still can’t find the signature? Check the above and see the FAQ below. Also check the amount of RAM installed (FireWire max addressable memory space is 4 GiB). The code may lie above that threshold, in which case the unlock attack won’t work. This is especially true for Linux machines, where kernel code resides in high memory addresses.
- Did Inception patch successfully, but you cannot log in? Try a non-blank password. Some OS authentication mechanisms check for blank passwords before passing control to the mechanism that Inception patches.
- Try again. Sometimes the DMA shield fails to lower on the first try/tries.
- Due to severe bugs in the Mac OS X FireWire stack IOKit, attacking from a Mac can cause a kernel panic at the target and/or host system if an error condition should occur. As of March 2012, attacking from Mac OS X is not recommended.
- Inception may not work reliably against machines with more than 4 GiB RAM, as the signatures the tool looks for may be loaded at a memory address > 0xffffffff. You may still be able to exploit the target by dumping as much memory as possible and, say, searching for encryption keys.
- You may have trouble reading above 2 GiB on targets with more than 2 GiB RAM. This is due to the way the memory controller provisions physical addresses. Since there’s currently no way of detecting (over FireWire) how much physical memory the target has, the tool will continue to attempt to read memory up to the 4 GiB limit. You will see a noticeable slowdown in reading when the tool tries to read data from addresses that don’t map to hardware RAM.
- OS X Lion disables DMA when the user is logged out/screen is locked and FileVault is enabled. Attacking will only work while the user is logged in, or if user switching is enabled. The user switching trick only works for versions before 10.7.2, where the vulnerability is patched.
- If you have an OF/EFI firmware password set on the target Mac OS X, FireWire DMA is off by default.
To stay safe and protect against FireWire DMA attacks, here’s a couple of suggestions:
- Block the SBP-2 driver
- Remove FireWire drivers from your system if you don’t need to use FireWire
- Don’t panic – if you are using FileVault2 and OS X Lion (10.7.2) and higher, the OS will automatically turn off DMA when locked – you’re still vulnerable to attacks when unlocked, though
- Set a firmware password
- Disable DMA or remove the 1394 drivers (see the ‘Mitigation: Linux’ section)
All of the above will impact FireWire in one way or the other. Unfortunately, this is a FireWire design problem, not an OS problem, and would have to be fixed in the SBP-2 protocol itself.
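The following is an added example, not part of the Inception project, showing the Linux side of the “block the SBP-2 driver / remove the 1394 drivers” advice above: it generates a modprobe.d fragment for the ‘Juju’ (firewire-*) and legacy (ieee1394/ohci1394/sbp2) module names, and audits a /proc/modules-style file for any of them. The sample module listing is constructed for the offline demonstration.

```shell
#!/bin/sh
# Added example (not Inception's own code): Linux FireWire DMA mitigation helpers.
# Juju stack: firewire_core/firewire_ohci/firewire_sbp2; legacy: ieee1394/ohci1394/sbp2.
FW_MODULES="firewire_sbp2 firewire_ohci firewire_core sbp2 ohci1394 ieee1394"

# Emit a modprobe.d fragment. 'blacklist' only stops alias-based autoloading,
# so 'install <mod> /bin/false' is added to also defeat explicit/dependency loads.
fw_blacklist_conf() {
    for m in $FW_MODULES; do
        name=$(printf '%s' "$m" | tr '_' '-')
        printf 'blacklist %s\n' "$name"
        printf 'install %s /bin/false\n' "$name"
    done
}

# Print the FireWire-related modules listed in a /proc/modules-style file
# (default: the live one). Returns 1 when any are loaded, so it works as an audit.
fw_loaded_modules() {
    modfile=${1:-/proc/modules}
    found=0
    for m in $FW_MODULES; do
        if awk -v m="$m" '$1 == m { hit = 1 } END { exit !hit }' "$modfile"; then
            echo "$m"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# Constructed /proc/modules sample: a host with the Juju stack and SBP-2 loaded.
SAMPLE_MODULES=$(mktemp)
cat >"$SAMPLE_MODULES" <<'EOF'
firewire_sbp2 24576 0 - Live 0xffffffffc0a00000
firewire_ohci 45056 0 - Live 0xffffffffc09f0000
firewire_core 69632 2 firewire_sbp2,firewire_ohci, Live 0xffffffffc09d0000
ext4 794624 1 - Live 0xffffffffc0800000
EOF

if fw_loaded_modules "$SAMPLE_MODULES"; then
    echo "no FireWire modules loaded"
else
    echo "FireWire modules present: write fw_blacklist_conf output to /etc/modprobe.d/ and unload them"
fi
rm -f "$SAMPLE_MODULES"
```

On a real host, save the fragment under /etc/modprobe.d/ and unload the listed modules (or uninstall the driver packages if FireWire is never needed); as the text notes, this disables FireWire devices entirely.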
Inception was originally coded as a GPL replacement for winlockpwn, the Windows FireWire unlock tool made available by Adam Boileau aka Metlstorm. winlockpwn was quite stable against older Windows XP targets, but did not perform well against more modern operating systems like Windows 7 (and it is not maintained anymore). As of Linux kernel 2.6.22, Linux distros ship with the new ‘Juju’ FireWire stack, making winlockpwn obsolete. And so, Inception was born.
DMA attacks have been known for many years, so this is nothing new (except for the fact that I will reverse engineer new signatures and update the tool’s functionality until the problem is fixed). However, vendors generally dismiss DMA attacks as a non-issue, which I hope the awareness that this tool generates will change. Users deserve secure devices, even when attackers gain physical access.
- Q: This tool is irrelevant, I can just boot the machine with [insert live CD OS here], dump the SAM and SECURITY hives and crack the passwords.
A: No, you can’t if the target is a full disk encrypted machine. See above. This tool is designed to unlock powered on machines that utilize secure, full disk encryption. It is also far stealthier than the above attack.
- Q: Can’t I just use the screen_unlock.rb Metasploit script?
A: Well you can, assuming that you already have a shell at the target machine. If you have that, you probably won’t need this tool.
- Q: I use full disk encryption. Your tool is moot.
A: No, you’re missing the point: The tool is intended to be used against full disk encrypted machines. See FAQ 1.
- Q: This is FUD! I would never let anyone plug anything into my machine! I’m never more than an arm’s length from my computer. In fact, my machine is the only object I have a non-platonic relationship with, and I would never let my eyes off her. No one would go to the trouble of hacking a single machine anyway.
A: Good for you. The attack is dependent on physical access to a box in a powered on or standby state, so likely you’ll not be hacked. However, there are organizations out there that would go to utmost lengths to be able to access machines in seconds without leaving a trace. If you are not a target of these organizations, you’re likely never going to be hacked this way. However, if it is your job to be paranoid, you should know about this attack and make an informed decision to protect yourself.
- Q: I’ve just glued/desoldered all my Firewire ports. Your move, mhuddafuckah.
A: Ahem. See the answer to FAQ 7.
- Q: Wasn’t this fixed years ago? I remember hearing about this in the olden days (2004).
A: Sadly, no. And yes, the problem is old, but it is not entirely fixable with a driver update, a patch or a new OS version. The problem is in the FireWire specs. All OS vendors that want to include FireWire drivers that are OHCI compliant and work out of the box with SBP-2 devices are vulnerable to some degree.
- Q: Isn’t FireWire a dying horse? Few laptops ship with FireWire ports these days, which makes Inception a useless tool.
A: You can use any interface that expands the PCIe bus, for example PCMCIA, ExpressCards, the new Thunderbolt interface and perhaps SD/IO to hotplug a FireWire interface into the victim machine. The OS will install the necessary drivers on the fly, even when the machine is locked.
- Q: Your tool isn’t working.
A: That’s not a question. Check the troubleshooting section above first, and when you have made sure that the error source isn’t between the chair and the keyboard, preferably open an issue at GitHub describing the problem, including:
- Your host OS
- The target OS (For Windows, the output of running winver.exe on the machine, format: major.minor.build, for Linux the output of uname -a and perhaps cat /etc/lsb-release)
- The target CPU architecture (x86/x64, etc.)
- Output of the tool
- Memory size of target
License / donate
If you like the tool, and especially if you use it successfully in a digital investigation, please consider making a donation to me.