Penetration Testing with FireWire / Inception
I recently had the opportunity to use the tool Inception, exploiting an express card / smart card port to get Administrator access on a locked down Windows 7 laptop. The laptop had full disk encryption and all I had was a username and physical access, being stuck at the first Windows login screen (no pre-boot authentication). This is such a great attack because it can be used against Windows, Linux, and OS X, so long as there is a IEEE 1394 compliant interface. What's even more sweet, is that the mitigation is rarely enabled and with some cheap hardware you can quickly root most modern laptops. Overall, this attack enables you to dump the RAM of the system, inject your processes into memory, privilege escalate to administrator and even log into a system that you know the username for.
The attack requires some basic hardware, a victim machine to exploit, an attacker machine (I recommend Linux, I go with Arch in the guide, when using my Mac the attacking machine crashed multiple times), FireWire/ExpressCard adapter, and a FireWire cable.
The attack starts with identifying the express card port and inserting a FireWire/ExpressCard adapter. When you plug this in, the computer should instantly recognize and load the appropriate SBP-2 drivers (which you will see if you have access to the desktop). If you have trouble plugging the adapter in, make sure it's flush to the left side of the express card port. If the driver loads, you are good to go! Jump over to your attacking machine, and setup / install Inception (an open source framework for manipulating Direct Memory Access via the FireWire protocol). Inception has some basic dependencies you will need to take care of, such as Python3, pip, git, gcc, cmake, msgpack, and libforensic1394. Installing the whole thing on Arch was really simple:
sudo pacman -S git cmake g++ python3 python3-pip
pip3 install msgpack
git clone git://git.freddie.witherden.org/forensic1394.git
cd forensic1394
cmake CMakeLists.txt
sudo make install
cd python
sudo python3 setup.py install
cd ../../
git clone git://github.com/carmaa/inception.git
cd inception
./setup.py install
Wala! Now, if the two machines are connected via the FireWire you can start the attack!
To bypass the login with a known user and any password, as well as privilege escalate, issue: incept unlock
To get a RAM dump of the running system, issue: incept dump
After you get the RAM dump you can use volatility to analyze it, and the options are limitless with that epic framework! (This is also a fun way to acquire memory dumps and practice memory forensics). Just remember to use python2.7 with Volatility, and python3 with things like the forensics1394 framework.
One caveat that I hit while performing this attack is that I was hitting some type of transfer limit around 3GBs (with the victim machine having 4GBs of RAM), which caused an incomplete dump and resulted in volatility not being able to properly parse the resulting memory dump. I found a quick workaround was to simple open the machine up, pop 2GBs of RAM out, and reboot the machine with just 2GBs of RAM. It was a viable workaround for the error, although I'm pretty sure you could also do the dump in pieces, using the dump flags -a (start address) and -s (for the size of the dump).
The mitigation for this attack is pretty simple too. On Windows, uninstall the SBP-2 drivers and set a group policy to prevent their instillation. On Linux, remove the IEEE 1394 drivers. On OS X you can password protect your DMA drivers.
The attack requires some basic hardware, a victim machine to exploit, an attacker machine (I recommend Linux, I go with Arch in the guide, when using my Mac the attacking machine crashed multiple times), FireWire/ExpressCard adapter, and a FireWire cable.
The attack starts with identifying the express card port and inserting a FireWire/ExpressCard adapter. When you plug this in, the computer should instantly recognize and load the appropriate SBP-2 drivers (which you will see if you have access to the desktop). If you have trouble plugging the adapter in, make sure it's flush to the left side of the express card port. If the driver loads, you are good to go! Jump over to your attacking machine, and setup / install Inception (an open source framework for manipulating Direct Memory Access via the FireWire protocol). Inception has some basic dependencies you will need to take care of, such as Python3, pip, git, gcc, cmake, msgpack, and libforensic1394. Installing the whole thing on Arch was really simple:
sudo pacman -S git cmake g++ python3 python3-pip
pip3 install msgpack
git clone git://git.freddie.witherden.org/forensic1394.git
cd forensic1394
cmake CMakeLists.txt
sudo make install
cd python
sudo python3 setup.py install
cd ../../
git clone git://github.com/carmaa/inception.git
cd inception
./setup.py install
Wala! Now, if the two machines are connected via the FireWire you can start the attack!
To bypass the login with a known user and any password, as well as privilege escalate, issue: incept unlock
To get a RAM dump of the running system, issue: incept dump
After you get the RAM dump you can use volatility to analyze it, and the options are limitless with that epic framework! (This is also a fun way to acquire memory dumps and practice memory forensics). Just remember to use python2.7 with Volatility, and python3 with things like the forensics1394 framework.
One caveat that I hit while performing this attack is that I was hitting some type of transfer limit around 3GBs (with the victim machine having 4GBs of RAM), which caused an incomplete dump and resulted in volatility not being able to properly parse the resulting memory dump. I found a quick workaround was to simple open the machine up, pop 2GBs of RAM out, and reboot the machine with just 2GBs of RAM. It was a viable workaround for the error, although I'm pretty sure you could also do the dump in pieces, using the dump flags -a (start address) and -s (for the size of the dump).
The mitigation for this attack is pretty simple too. On Windows, uninstall the SBP-2 drivers and set a group policy to prevent their instillation. On Linux, remove the IEEE 1394 drivers. On OS X you can password protect your DMA drivers.