Inception | Break & Enter - Improving security by breaking it

Inception is a FireWire physical memory manipulation and hacking tool exploiting IEEE 1394 SBP-2 DMA. The tool can unlock (any password accepted) and escalate privileges to Administrator/root on almost* any powered on machine you have physical access to. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe interfaces.

Inception aims to provide a stable and easy way of performing intrusive and non-intrusive memory hacks on live computers using FireWire SBP-2DMA. It is primarily intended to do its magic against computers that utilize full disk encryption such as BitLocker, FileVault, TrueCrypt or Pointsec. There are plenty of other ways to hack a machine that doesn’t pack encryption. Inception is also useful for incident response teams and digital forensics experts when faced with live machines.

Inception’s main mode works as follows: By presenting a Serial Bus Protocol 2 (SBP-2) unit directory to the victim machine over the IEEE1394 FireWire interface, the victim operating system thinks that a SBP-2 device has connected to the FireWire port. Since SBP-2 devices utilize Direct Memory Access (DMA) for fast, large bulk data transfers (e.g., FireWire hard drives and digital camcorders), the victim lowers its shields and enables DMA for the device. The tool now has full read/write access to the lower 4GB of RAM on the victim. Once DMA is granted, the tool proceeds to search through available memory pages for signatures at certain offsets in the operating system’s password authentication modules. Once found, the tool short circuits the code that is triggered if an incorrect password is entered.

An analogy for this operation is planting an idea into the memory of the machine; the idea that every password is correct. In other words, the nerdy equivalent of a memory inception.

After running the tool you should be able to log into the victim machine using any password.

The in-memory patching is non-persistent, and a reboot will restore the normal password functionality. This contributes to a key property of Inception: It’s stealthy.

You can also use Inception to elevate privileges on (almost) any machine you have physical access to. As the tool patches the inner authentication mechanism in the OS, you can elevate your privileges to Local Adminstrator / root by using the Windows runas or Linux/OS X sudo su -s commands.

As of version 0.2.2, it is able to unlock Windows 8 SP0, Windows 7 SP0-1, Vista SP0 and SP2, Windows XP SP2-3, Mac OS X Snow Leopard, Lion and Mountain Lion, Ubuntu 11.04, 11.10, 12.04, 12.10, Linux Mint 11, 12 and 13 x86 and x64-bit machines. Signatures are added by request.

Inception requires:

• A unix-flavor operating system to perform the attack from:
  • Linux with the ‘Juju’ IEEE FireWire stack (Ubuntu 11 and higher and BackTrack 5 is known to work)
  • Mac OS X (via IOkit, not recommended as IOkit is notoriously buggy at the moment)
• Python 3 (http://www.python.org)
• libforensic1394 (https://freddie.witherden.org/tools/libforensic1394/)
• A FireWire/Thunderbolt/ExpressCard/PC Card interface at both machines. If you don’t have a native FireWire port, you can buy an adapter to hotplug one. The tool works over anything that expands the PCIe bus

The latest development version can always be fetched from GitHub.

You should be able to run the tool without any installation (except the dependencies) on Mac OS X and Linux operating systems. Please be referred to the README file in libforensic1394 for installation of the libraries and FireWire pro-tips.

On Debian-based distros the process of installing the dependencies and the tool may be summarized as the following commands:

sudo apt-get install git cmake python3 g++
wget http://freddie.witherden.org/tools/libforensic1394/releases/libforensic1394-0.2.tar.gz
tar xvf libforensic1394-0.2.tar.gz
cd libforensic1394-0.2
cmake CMakeLists.txt
sudo make install
cd python
sudo python3 setup.py install

Unzip the tool into a suitable directory, or fetch the latest development version from GitHub:

git clone https://github.com/carmaa/inception.git
cd inception

To install the attack script natively, use the supplied setup.py script (as root if required by your OS):

sudo ./setup.py install

Please test Inception on a similar target before running it against a production box. A full list of available functionality of the tool can is available by running the tool with the -h/–help switch:

./incept --help

To run, hook up your host computer to a target using available FireWire interfaces or expansion ports and simply type (as root if required by your OS):

incept

The tool automatically loads signatures from the configuration file, and you can specify your own if you want to using the -s switch or by editing the file. The file contains a syntax defining search signatures, patches and offsets.

To dump memory off the target machine to a file at the host, use the -D/-d/–dump switches. -D dumps all available memory, while -d dumps a specific region as specified by the user. Memory content is dumped to files with the file name syntax: ‘memdump_START-END.bin’. Examples:

Dumping 5 MiB of memory from offset 0xffff:

incept -d 0xffff,5MiB

Dumping all memory (up to 4 GiB):

incept -D

To automatically dump memory from target machines that connects to a FireWire or Thunderbolt Daisy chain where your attacking machine is connected, use the -p/–pickpocket switch:

incept --pickpocket

Not working you say? Here’s a couple of hints:

• First, use the -v switch to visually confirm that the tool is able to read memory from the victim.
• Make sure you actually are connected with a IEEE134 FireWire cable (FireWire to USB converters, etc. won’t work, but 4/6/9 pin FireWire adapters do). Doh.
• “No firewire devices detected on the bus”
  • First, try running the tool again.
  • If you get this error message, try a different cable and/or using a couple of converters  (such as this and this) to convert from 6/9 pin FireWire connector to 4 pin and back again. 6/9 pin FireWire cables are capable of transferring power, and this may cause trouble for some FireWire chipsets. Some FireWire cables are also known to be “straight-through” (i.e., not “crossover”), an this is known to cause trouble.
  • Are you attacking from an OS that doesn’t support hot-plugging (such as BackTrack) using a ExpressCard/etc. on the host side? Re-boot the machine with the expansion card plugged in before running Inception.
• Are you sure you’re getting DMA? Sometimes the target machine uses an extended period of time (I’ve experienced time-spans up to around 30 secs on slow targets) installing the FireWire drivers and lowering the DMA shield; it is possible that you just didn’t wait long enough before attacking. Use the delay switch to increase the delay, and -v/–verbose to see if you actually read data. Also, looking in the Device Manager (assuming you are setting up a demo attacking Windows) may be helpful to see that a FireWire SBP2 device actually pops up when running the tool. Mind you, it is all right with a yellow exclamation mark by the device, the tool should work nevertheless.
• Does your target use some form of endpoint protection? Some antivirus vendors specifically block FireWire DMA. Turn it off and see what happens.
• Does your FireWire port work? Try connecting a FireWire disk and see if it is recognized. Check your BIOS setting to see that it is not disabled. Ensure that FireWire drivers are present and not removed from the system.
• Are you getting data, but still can’t find the signature? Check the above and see the FAQ below. Also check the amount of RAM installed (FireWire max addressable memory space is 4 GiB). The code may lie above that threshold, in which case the unlock attack won’t work. This is especially true for Linux machines, where kernel code resides in high memory addresses.
• Did Inception patch successfully, but you cannot log in? Try a non-blank password. Some OS authentication mechanisms check for blank passwords before passing control to the mechanism that Inception patches.
• Try again. Sometimes the DMA shield fails to lower on the first try/tries.

• Due to severe bugs in the Mac OS X FireWire stack IOKit, attacking from a Mac can cause a kernel panic at the target and/or host system if an error condition should occur. As of March 2012, attacking from Mac OS X is not recommended.

• Inception may not work reliably against machines with more than 4 GiB RAM, as the signatures the tool look for may be loaded at a memory address > 0xffffffff. You may still be able to exploit the target by dumping as much memory as possible and, say, search for encryption keys.
• You may have trouble reading above 2 GiB on targets with more than 2 GiB RAM. This is due to the way the memory controller provisions physical addresses. Since there’s currently no way of detecting (over FireWire) how much physical memory the target has, the tool will continue to attempt to read memory up to the 4 GiB limit. You will see a noticeable slowdown in reading when the tool tries to read data from addresses that doesn’t map to hardware RAM.
• OS X Lion disables DMA when the user is logged out/screen is locked and FileVault is enabled. Attacking will only work while the user is logged in, or if user switching is enabled. The user switching trick only works for  versions before 10.7.2, where the vulnerability is patched.
• If you have a OF/EFI firmware password set on the target Mac OS X, FireWire DMA is off by default.

Inception was originally coded as a GPL replacement for winlockpwn, the Windows FireWire unlock tool made available by Adam Bolieu aka Metlstorm. winlockpwn was quite stable against older Windows XP targets, but did not perform well against more modern operating system like Windows 7 (and it is not maintained anymore). As of Linux kernel 2.6.22 Linux Distros ships with the new ‘Juju’ FireWire stack, making winlockpwn obsolete. Alas, Inception was born.

DMA attacks has been known for many years, so this is nothing new (except for the fact that I will reverse engineer new signatures and update the tool’s functionality until the problem is fixed). However, vendors generally dismiss DMA attacks as a non-issue, which I hope that the awareness that this tool generates will change. Users deserve secure devices, even when attackers gain physical access.

The tool makes use of the libforensic1394 library courtesy of Freddie Witherden under a LGPL license.

If you like tool, and especially if you use it successfully in a digital investigation, please consider making a donation to me using either option below.

16UUjxTvjJknVBH5Qhet468YbicgubTZU7