Skip to content
This repository

Inception is a FireWire physical memory manipulation and hacking tool exploiting IEEE 1394 SBP-2 DMA. The tool can unlock (any password accepted) and escalate privileges to Administrator/root on almost any powered on machine you have physical access to. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe i…

branch: master
README.md

Inception

Inception is a FireWire physical memory manipulation and hacking tool exploiting IEEE 1394 SBP-2 DMA. The tool can unlock (any password accepted) and escalate privileges to Administrator/root on almost* any powered on machine you have physical access to. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe interfaces.

Inception aims to provide a stable and easy way of performing intrusive and non-intrusive memory hacks in order to unlock live computers using FireWire SBP-2 DMA. It it primarily attended to do its magic against computers that utilize full disk encryption such as BitLocker, FileVault, TrueCrypt or Pointsec. There are plenty of other (and better) ways to hack a machine that doesn't pack encryption.

As of version 0.3.5, it is able to unlock the following x86 and x64 operating systems:

OS Version Unlock lock screen Escalate privileges Dump memory < 4 GiB
Windows 8 8.1 Yes Yes Yes
Windows 8 8.0 Yes Yes Yes
Windows 7 SP1 Yes Yes Yes
Windows 7 SP0 Yes Yes Yes
Windows Vista SP2 Yes Yes Yes
Windows Vista SP1 Yes Yes Yes
Windows Vista SP0 Yes Yes Yes
Windows XP SP3 Yes Yes Yes
Windows XP SP2 Yes Yes Yes
Windows XP SP1 Yes
Windows XP SP0 Yes
Mac OS X Mavericks Yes (1) Yes (1) Yes (1)
Mac OS X Mountain Lion Yes (1) Yes (1) Yes (1)
Mac OS X Lion Yes (1) Yes (1) Yes (1)
Mac OS X Snow Leopard Yes Yes Yes
Mac OS X Leopard Yes
Ubuntu (2) Saucy Yes Yes Yes
Ubuntu Raring Yes Yes Yes
Ubuntu Quantal Yes Yes Yes
Ubuntu Precise Yes Yes Yes
Ubuntu Oneiric Yes Yes Yes
Ubuntu Natty Yes Yes Yes
Ubuntu Maverick Yes (3) Yes (3) Yes
Ubuntu Lucid Yes (3) Yes (3) Yes
Linux Mint 13 Yes Yes Yes
Linux Mint 12 Yes Yes Yes
Linux Mint 12 Yes Yes Yes

(1): If FileVault 2 is enabled, the tool will only work when the operating system is unlocked. (2): Other Linux distributions that use PAM-based authentication may also work using the Ubuntu signatures. (3): x86 only.

The tool also effectively enables escalation of privileges, for instance via the runas or sudo -s commands, respectively. More signatures will be added. The tool makes use of the libforensic1394 library courtesy of Freddie Witherden under a LGPL license.

Key data

Requirements

Inception requires:

  • Attacker machine: Linux or Mac OS X (host / attacker machine) with a FireWire or Thunderbolt interface, or an ExpressCard/PCMCIA expansion port. Linux is currently recommended due to buggy firewire interfaces on OS X
  • Victim machine: A FireWire or Thunderbolt interface, or an ExpressCard/PCMCIA expansion port

Installation

For now you should be able to run the tool without any installation except dependencies on Mac OS X and Linux distros. Check out the README file in libforensic1394 for installation and FireWire pro-tips.

Dependencies

Linux

On Debian-based distributions the installation command lines can be summarized as:

sudo apt-get install git cmake python3 g++

Mac OS X

On OS X, you can install the tool dependencies with homebrew:

brew install git cmake python3

After installing the dependencies, download and install libforensic1394:

git clone git://git.freddie.witherden.org/forensic1394.git
cd forensic1394
cmake CMakeLists.txt
sudo make install
cd python
sudo python3 setup.py install

Download and install Inception

git clone git://github.com/carmaa/inception.git
cd inception
sudo python3 setup.py install

Usage

  1. Connect the attacker machine (host) and the victim (target) with a FireWire cable
  2. Run Inception
  3. Logon to the target using any password

Simply type:

incept

For a more complete and up-to-date description, please run:

incept -h

or see the tool home page.

Known bugs / caveats

Please see the tool home page.

Troubleshooting

Please see the tool home page.

Planned features

  • Insert and execute memory-only rootkit
  • Other winlockpwn techniques

Development history

  • 0.0.1 - First version, supports basic Windows XP SP3, Vista and 7, Mac OS X and Ubuntu Gnome unlocking
  • 0.0.2 - Added signatures for early XP SP3, and Windows 7 x86 and x64 SP1
  • 0.0.3 - Added some signatures (thanks Tekkenhead) and error handling
  • 0.0.4 - Added businfo to display connected FireWire devices as well as memory dumping capabilities
  • 0.0.5 - Enhanced memory dumping abilities and added samples catalog
  • 0.0.6 - Added unit testing
  • 0.0.7 - Updated Ubuntu signatures and priv. escalation - thanks Adel Khaldi from Algeria
  • 0.0.8 - Fixed Ubuntu unlock and privilege escalation patches - single patch for double the action
  • 0.1.0 - First minor version! Added signatures for OS X and Vista, plus quite a few bug fixes
  • 0.1.1 - Added signatures for Ubuntu 12.04 LTS
  • 0.1.2 - Patched several bugs
  • 0.1.3 - Patched OS X 10.6.8 x64 signature bug
  • 0.1.4 - Added manual mode easing testing of new signatures
  • 0.2.0 - Added signatures for OS X Mountain Lion (10.8) and Windows 8
  • 0.2.1 - Added signatures for Ubuntu 12.10
  • 0.2.2 - Added signatures for Linux Mint
  • 0.2.3 - General code cleanup, and nicer and more consistent output
  • 0.2.4 - Added a progress bar
  • 0.2.5 - No longer needed to be root to run the tool
  • 0.2.6 - Bug fixes
  • 0.3.0 - Added support for Ubuntu 13.04 targets
  • 0.3.1 - Added support for OS X Maverics and Windows 8.1
  • 0.3.2 - Bug fixes and support for Ubuntu 13.10
  • 0.3.3 - Bug fixes regarding output and error handling
  • 0.3.4 - Maestro!
  • 0.3.5 - Added signatures for Ubuntu 10.04 and 10.10 x86

Disclaimer

Do no evil with this tool. Also, I am a pentester, not a developer. So if you see weird code that bugs your pythonesque purity senses, drop me a note on how I can improve it. Or even better, fork my code, change it and issue a pull request.

Something went wrong with that request. Please try again.