Nytro Posted February 19, 2014 Report Posted February 19, 2014 InceptionInception is a FireWire physical memory manipulation and hacking tool exploiting IEEE 1394 SBP-2 DMA. The tool can unlock (any password accepted) and escalate privileges to Administrator/root on almost* any powered on machine you have physical access to. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe interfaces. Inception aims to provide a stable and easy way of performing intrusive and non-intrusive memory hacks on live computers using FireWire SBP-2 DMA. It is primarily intended to do its magic against computers that utilize full disk encryption such as BitLocker, FileVault, TrueCrypt or Pointsec. There are plenty of other ways to hack a machine that doesn’t pack encryption. Inception is also useful for incident response teams and digital forensics experts when faced with live machines. Inception’s main mode works as follows: By presenting a Serial Bus Protocol 2 (SBP-2) unit directory to the victim machine over the IEEE1394 FireWire interface, the victim operating system thinks that a SBP-2 device has connected to the FireWire port. Since SBP-2 devices utilize Direct Memory Access (DMA) for fast, large bulk data transfers (e.g., FireWire hard drives and digital camcorders), the victim lowers its shields and enables DMA for the device. The tool now has full read/write access to the lower 4GB of RAM on the victim. Once DMA is granted, the tool proceeds to search through available memory pages for signatures at certain offsets in the operating system’s password authentication modules. Once found, the tool short circuits the code that is triggered if an incorrect password is entered. An analogy for this operation is planting an idea into the memory of the machine; the idea that every password is correct. In other words, the nerdy equivalent of a memory inception. After running the tool you should be able to log into the victim machine using any password.The in-memory patching is non-persistent, and a reboot will restore the normal password functionality. This contributes to a key property of Inception: It’s stealthy. You can also use Inception to elevate privileges on (almost) any machine you have physical access to. As the tool patches the inner authentication mechanism in the OS, you can elevate your privileges to Local Adminstrator / root by using the Windows runas or Linux/OS X sudo su -s commands. As of version 0.3.1, it is able to unlock Windows 8.0-1, Windows 7 SP0-1, Vista SP0 and SP2, Windows XP SP2-3, Mac OS X Mavericks, Snow Leopard, Lion and Mountain Lion, Ubuntu 11.04, 11.10, 12.04, 12.10, 13.04, Linux Mint 11, 12 and 13 x86 and x64-bit machines. Signatures are added by request. Requirements Inception requires:A unix-flavor operating system to perform the attack from:Linux with the ‘Juju’ IEEE FireWire stack (Ubuntu 11 and higher and BackTrack 5 is known to work) Mac OS X (via IOkit, not recommended as IOkit is notoriously buggy at the moment) [*]Python 3 (http://www.python.org) [*]libforensic1394 (https://freddie.witherden.org/tools/libforensic1394/) [*]A FireWire/Thunderbolt/ExpressCard/PC Card interface at both machines. If you don’t have a native FireWire port, you can buy an adapter to hotplug one. The tool works over anything that expands the PCIe bus Download The latest development version can always be fetched from GitHub. Installation You should be able to run the tool without any installation (except the dependencies) on Mac OS X and Linux operating systems. Please be referred to the README file in libforensic1394 for installation of the libraries and FireWire pro-tips.Sursa: Inception | Break & Enter Quote
