Inception ========= Inception is a FireWire physical memory manipulation and hacking tool exploiting IEEE 1394 SBP-2 DMA. The tool can unlock (any password accepted) and escalate privileges to Administrator/root on almost* any powered on machine you have physical access to. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe interfaces. Inception aims to provide a stable and easy way of performing intrusive and non-intrusive memory hacks in order to unlock live computers using FireWire SBP-2 DMA. It it primarily attended to do its magic against computers that utilize full disk encryption such as BitLocker, FileVault, TrueCrypt or Pointsec. There are plenty of other (and better) ways to hack a machine that doesn't pack encryption. The tool works over any interface that expands and can master the PCIe bus. This includes FireWire, Thunderbolt, ExpressCard and PCMCIA (PC-Card). As of version 0.3.3, it is able to unlock the following x86 and x64 operating systems: |OS |Version |Unlock lock screen|Escalate privileges|Dump memory < 4 GiB| |:------------|:--------------|:----------------:|:-----------------:|:-----------------:| |Windows 8 |8.1 | Yes | Yes | Yes | |Windows 8 |8.0 | Yes | Yes | Yes | |Windows 7 |SP1 | Yes | Yes | Yes | |Windows 7 |SP0 | Yes | Yes | Yes | |Windows Vista|SP2 | Yes | Yes | Yes | |Windows Vista|SP1 | Yes | Yes | Yes | |Windows Vista|SP0 | Yes | Yes | Yes | |Windows XP |SP3 | Yes | Yes | Yes | |Windows XP |SP2 | Yes | Yes | Yes | |Windows XP |SP1 | | | Yes | |Windows XP |SP0 | | | Yes | |Mac OS X |Mavericks | Yes (1) | Yes (1) | Yes (1) | |Mac OS X |Mountain Lion | Yes (1) | Yes (1) | Yes (1) | |Mac OS X |Lion | Yes (1) | Yes (1) | Yes (1) | |Mac OS X |Snow Leopard | Yes | Yes | Yes | |Mac OS X |Leopard | | | Yes | |Ubuntu (2) |Saucy | Yes | Yes | Yes | |Ubuntu |Raring | Yes | Yes | Yes | |Ubuntu |Quantal | Yes | Yes | Yes | |Ubuntu |Precise | Yes | Yes | Yes | |Ubuntu |Oneiric | Yes | Yes | Yes | |Ubuntu |Natty | Yes | Yes | Yes | |Linux Mint |13 | Yes | Yes | Yes | |Linux Mint |12 | Yes | Yes | Yes | |Linux Mint |12 | Yes | Yes | Yes | (1): If FileVault 2 is enabled, the tool will only work when the operating system is unlocked. (2): Other Linux distributions that use PAM-based authentication may also work using the Ubuntu signatures. The tool also effectively enables escalation of privileges, for instance via the `runas` or `sudo -s` commands, respectively. More signatures will be added. The tool makes use of the `libforensic1394` library courtesy of Freddie Witherden under a LGPL license. Key data -------- * Version: 0.3.3 * License: GPL * Author: Carsten Maartmann-Moe (carsten@carmaa.com) AKA ntropy * Twitter: @breaknenter * Site: http://www.breaknenter.org/projects/inception * Source: https://github.com/carmaa/inception Requirements ------------ Inception requires: * Attacker machine: Linux or Mac OS X (host / attacker machine) with a FireWire or Thunderbolt interface, or an ExpressCard/PCMCIA expansion port. Linux is currently recommended due to buggy firewire interfaces on OS X * Victim machine: A FireWire or Thunderbolt interface, or an ExpressCard/PCMCIA expansion port Installation ------------ For now you should be able to run the tool without any installation except dependencies on Mac OS X and Linux distros. Check out the README file in `libforensic1394` for installation and FireWire pro-tips. ### Dependencies * Python 3 * git * gcc (incl. g++) * cmake * [libforensic1394] [3] #### Linux On Debian-based distributions the installation command lines can be summarized as: sudo apt-get install git cmake python3 g++ #### Mac OS X On OS X, you can install the tool dependencies with [homebrew] [4]: brew install git cmake python3 After installing the dependencies, download and install libforensic1394: git clone git://git.freddie.witherden.org/forensic1394.git cd forensic1394 cmake CMakeLists.txt sudo make install cd python sudo python3 setup.py install ### Download and install Inception git clone git://github.com/carmaa/inception.git cd inception sudo python3 setup.py install Usage ----- 1. Connect the attacker machine (host) and the victim (target) with a FireWire cable 2. Run Inception 3. Logon to the target using any password Simply type: incept For a more complete and up-to-date description, please run: incept -h or see the [tool home page] [5]. Known bugs / caveats -------------------- Please see the [tool home page] [5]. Troubleshooting --------------- Please see the [tool home page] [5]. Planned features ---------------- * Insert and execute memory-only rootkit * Other winlockpwn techniques Development history ------------------- * 0.0.1 - First version, supports basic Windows XP SP3, Vista and 7, Mac OS X and Ubuntu Gnome unlocking * 0.0.2 - Added signatures for early XP SP3, and Windows 7 x86 and x64 SP1 * 0.0.3 - Added some signatures (thanks Tekkenhead) and error handling * 0.0.4 - Added businfo to display connected FireWire devices as well as memory dumping capabilities * 0.0.5 - Enhanced memory dumping abilities and added samples catalog * 0.0.6 - Added unit testing * 0.0.7 - Updated Ubuntu signatures and priv. escalation - thanks Adel Khaldi from Algeria * 0.0.8 - Fixed Ubuntu unlock and privilege escalation patches - single patch for double the action * 0.1.0 - First minor version! Added signatures for OS X and Vista, plus quite a few bug fixes * 0.1.1 - Added signatures for Ubuntu 12.04 LTS * 0.1.2 - Patched several bugs * 0.1.3 - Patched OS X 10.6.8 x64 signature bug * 0.1.4 - Added manual mode easing testing of new signatures * 0.2.0 - Added signatures for OS X Mountain Lion (10.8) and Windows 8 * 0.2.1 - Added signatures for Ubuntu 12.10 * 0.2.2 - Added signatures for Linux Mint * 0.2.3 - General code cleanup, and nicer and more consistent output * 0.2.4 - Added a progress bar * 0.2.5 - No longer needed to be root to run the tool * 0.2.6 - Bug fixes * 0.3.0 - Added support for Ubuntu 13.04 targets * 0.3.1 - Added support for OS X Maverics and Windows 8.1 * 0.3.2 - Bug fixes and support for Ubuntu 13.10 Disclaimer ---------- Do no evil with this tool. Also, I am a pentester, not a developer. So if you see weird code that bugs your pythonesque purity senses, drop me a note on how I can improve it. Or even better, fork my code, change it and issue a pull request. [3]: http://freddie.witherden.org/tools/libforensic1394/ [4]: http://mxcl.github.io/homebrew/ [5]: http://www.breaknenter.org/projects/inception/