Inception

Inception is a physical memory manipulation and hacking tool exploiting PCI-based DMA. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe interfaces.

README

Note: This tool is no longer under active development, please look at PCILeech instead.

INCEPTION

Inception is a physical memory manipulation and hacking tool exploiting PCI-based DMA. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe HW interfaces.

Inception aims to provide a relatively quick, stable, easy and extendable way of performing intrusive and non-intrusive memory hacks against live computers using DMA.

How it works

Inception’s modules work as follows: by presenting a Serial Bus Protocol 2 (SBP-2) unit directory to the victim machine over an IEEE 1394 FireWire interface, the tool makes the victim operating system believe that an SBP-2 device has connected to the FireWire port. Since SBP-2 devices use Direct Memory Access (DMA) for fast, large bulk data transfers (e.g., FireWire hard drives and digital camcorders), the victim lowers its shields and enables DMA for the device. The tool now has full read/write access to the lower 4 GB of RAM on the victim.

Once DMA is granted, the tool proceeds to search through available memory pages for signatures at certain offsets in the operating system’s code. Once found, the tool manipulates this code. For instance, in the unlock module, the tool short circuits the operating system’s password authentication module that is triggered if an incorrect password is entered.

After running that module you should be able to log into the victim machine using any password.

An analogy for this operation is planting an idea into the memory of the machine; the idea that every password is correct. In other words, the equivalent of a [memory inception] [1].

Inception is free as in beer and a side project of mine.

Awesome! But why?

The world's forensics experts, governments and three-letter acronym agencies are using [similar tools] [2] already. So if you are a dissident or facing an oppressive regime, this tool illustrates why OPSEC is important. Never leave your laptop out of sight.

Caveats

[OS X > 10.7.2] [6] and [Windows > 8.1] [7] disable FireWire DMA while the user has locked the OS and thus prevent inception. The tool will still work while a user is logged on. However, this is a less probable attack scenario IRL.

In addition, [OS X Mavericks > 10.8.2 on Ivy Bridge (>= 2012 Macs)] [8] have enabled VT-d, effectively blocking DMA requests and thwarting all inception modules even when the user is logged in. Look for vtd[0] fault entries in your log/console.

Even though these two caveats will gradually reduce the number of scenarios where this tool is useful, as of March 2015 [70 % of machines out there are still vulnerable] [9].
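The two caveats above are also the two checks a defender would want to run on a host: is an IOMMU (Intel VT-d or AMD-Vi) active, and is the FireWire SBP-2 target driver (the side that accepts the unit directory described under "How it works") loaded or blacklisted? The script below is an added example written for this page, not code from the Inception project. It runs the checks against constructed sample excerpts of dmesg, lsmod and modprobe.d text, and with `--live` against the real dmesg and lsmod of the Linux host it runs on. The kernel message strings it greps for (`DMAR: IOMMU enabled`, `AMD-Vi: Found IOMMU`) are the ones I know from the intel-iommu and amd-iommu drivers and are an assumption to verify against your kernel; the vtd[0] fault pattern is the one the README tells you to look for on OS X.

```shell
#!/bin/sh
# Added example (not part of the Inception project): defender-side checks for
# the mitigations named in the Caveats section. All sample texts below are
# constructed for offline demonstration; --live reads the running host.

# Constructed sample: kernel log of a Linux host booted with VT-d active.
SAMPLE_DMESG_IOMMU_ON='[    0.000000] Command line: BOOT_IMAGE=/vmlinuz intel_iommu=on
[    0.012345] DMAR: IOMMU enabled
[    1.234567] DMAR: Intel(R) Virtualization Technology for Directed I/O'

# Constructed sample: the ACPI DMAR table is reported even when no IOMMU is
# enabled, so the check must not match on that line alone.
SAMPLE_DMESG_IOMMU_OFF='[    0.000000] Command line: BOOT_IMAGE=/vmlinuz quiet
[    0.012345] ACPI: DMAR 0x00000000AAAA0000 0000A8 (v01 CONSTRUCTED)'

# Constructed sample of console output in the shape the Caveats section
# describes for a Mac whose VT-d unit rejected DMA requests.
SAMPLE_OSX_LOG='kernel: vtd[0] fault: (constructed sample entry 1)
kernel: IOFireWireSBP2: (constructed, unrelated line)
kernel: vtd[0] fault: (constructed sample entry 2)'

# Constructed lsmod listings: one host with the SBP-2 driver loaded, one without.
SAMPLE_LSMOD_EXPOSED='Module                  Size  Used by
firewire_sbp2          24576  0
firewire_ohci          45056  0
firewire_core          69632  2 firewire_sbp2,firewire_ohci'
SAMPLE_LSMOD_HARDENED='Module                  Size  Used by
firewire_ohci          45056  0
firewire_core          69632  1 firewire_ohci'

# Constructed /etc/modprobe.d drop-in that keeps the SBP-2 driver from loading,
# the usual fallback for hosts that cannot enable an IOMMU.
SAMPLE_MODPROBE_CONF='# disable FireWire storage target driver
blacklist firewire-sbp2
install firewire-sbp2 /bin/false'

# Succeeds if the log text carries the kernel's IOMMU announcement (assumed strings).
iommu_active_from_dmesg() {
    printf '%s\n' "$1" | grep -Eq 'DMAR: IOMMU enabled|AMD-Vi: Found IOMMU'
}

# Live check that does not depend on log strings: an active IOMMU populates
# /sys/kernel/iommu_groups with one directory per group.
iommu_active_sysfs() {
    [ -n "$(ls /sys/kernel/iommu_groups 2>/dev/null)" ]
}

# Prints the number of vtd[0] fault entries in the given log text.
count_vtd_faults() {
    printf '%s\n' "$1" | grep -c 'vtd\[0\] fault' || true
}

# Succeeds if an lsmod listing shows the SBP-2 target driver loaded.
sbp2_loaded_from_lsmod() {
    printf '%s\n' "$1" | awk '$1 == "firewire_sbp2" { found = 1 } END { exit !found }'
}

# Succeeds if the modprobe configuration text blacklists the SBP-2 driver.
sbp2_blacklisted_in_conf() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*(blacklist|install)[[:space:]]+firewire[-_]sbp2([[:space:]]|$)'
}

# Summarizes one host's posture from its dmesg, lsmod and modprobe texts.
# Prints "protected" (IOMMU on), "partial" (no IOMMU, but SBP-2 neither loaded
# nor autoloadable) or "exposed"; returns 0 only for "protected".
dma_posture() {
    if iommu_active_from_dmesg "$1"; then echo protected; return 0; fi
    if ! sbp2_loaded_from_lsmod "$2" && sbp2_blacklisted_in_conf "$3"; then
        echo partial; return 1
    fi
    echo exposed; return 1
}

if [ "${1:-}" = "--live" ]; then
    live_dmesg=$(dmesg 2>/dev/null || true)
    # Prefer the sysfs signal over log parsing when it is available.
    if iommu_active_sysfs; then live_dmesg="DMAR: IOMMU enabled (via sysfs)"; fi
    live_conf=$(cat /etc/modprobe.d/*.conf 2>/dev/null || true)
    dma_posture "$live_dmesg" "$(lsmod 2>/dev/null || true)" "$live_conf"
fi
```

"partial" is deliberately not a pass: blacklisting only stops the SBP-2 driver from autoloading and says nothing about other DMA-capable PCIe paths (Thunderbolt, ExpressCard), which is why the README's VT-d caveat is the stronger of the two.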

Key data

  • Version: 0.4.2
  • License: GPL
  • Author: Carsten Maartmann-Moe (carsten@carmaa.com)
  • Twitter: @MaartmannMoe
  • Source: https://github.com/carmaa/inception

The tool makes use of the libforensic1394 library courtesy of Freddie Witherden under an LGPL license.

Requirements

Inception requires:

  • Hardware:
    • Attacker machine (host): Linux or Mac OS X with a FireWire interface, either through a native FireWire port, an ExpressCard/PCMCIA expansion port or a Thunderbolt to FireWire adapter.
    • Victim machine: A FireWire or Thunderbolt interface, or an ExpressCard/PCMCIA expansion port

Linux is currently recommended on the attacker side due to buggy FireWire interfaces on OS X. Note that a direct Thunderbolt to Thunderbolt connection does not work; you need a FireWire adapter. Your mileage may vary when attempting to use Thunderbolt on Linux.

  • Software:
    • Python 3
    • git
    • gcc (incl. g++)
    • cmake
    • pip (for automatic resolution of dependencies)
    • [libforensic1394] [3]
    • msgpack

Installation

On Debian-based distributions the installation commands can be summarized as (apply sudo as needed if you're not root):

apt-get install git cmake g++ python3 python3-pip

On OS X, you can install the tool requirements with [homebrew] [4]:

brew install git cmake python3

After installing the requirements, download and install libforensic1394:

wget https://freddie.witherden.org/tools/libforensic1394/releases/libforensic1394-0.2.tar.gz -O - | tar xz
cd libforensic1394-0.2
cmake CMakeLists.txt
make install
cd python
python3 setup.py install

Download and install Inception

git clone git://github.com/carmaa/inception.git
cd inception
./setup.py install

The setup script should be able to install dependencies if you have pip installed.

General usage

  1. Connect the attacker machine (host) and the victim (target) with a FireWire cable
  2. Run Inception

Simply type:

incept [module name]

For a more complete and up-to-date description, please run:

incept -h

or see the [tool home page] [5].

Modules

As of version 0.4.0, Inception has been modularized. The current modules and their functionality are described below.

For detailed options on usage, run:

incept [module name] -h

Unlock

The unlock module can unlock (any password accepted) and escalate privileges to Administrator/root on almost* any powered-on machine you have physical access to. The module is primarily intended to do its magic against computers that utilize full disk encryption such as BitLocker, FileVault, TrueCrypt or Pointsec. There are plenty of other (and better) ways to hack a machine that doesn't pack encryption.

The unlock module is stable on machines that have 4 GiB of main memory or less. If the target has more than that, you need to be lucky in order to find the signatures mapped to a physical memory page frame that the tool can reach.

As of this version, it is able to unlock the following x86 and x64 operating systems:

|OS |Version |Unlock lock screen|Escalate privileges|
|:------------|:--------------|:----------------:|:-----------------:|
|Windows 8 |8.1 | Yes (1) | Yes (1) |
|Windows 8 |8.0 | Yes | Yes |
|Windows 7 |SP1 | Yes | Yes |
|Windows 7 |SP0 | Yes | Yes |
|Windows Vista|SP2 | Yes | Yes |
|Windows Vista|SP1 | Yes | Yes |
|Windows Vista|SP0 | Yes | Yes |
|Windows XP |SP3 | Yes | Yes |
|Windows XP |SP2 | Yes | Yes |
|Windows XP |SP1 | | |
|Windows XP |SP0 | | |
|Mac OS X |Mavericks | Yes (1) | Yes (1) |
|Mac OS X |Mountain Lion | Yes (1) | Yes (1) |
|Mac OS X |Lion | Yes (1) | Yes (1) |
|Mac OS X |Snow Leopard | Yes | Yes |
|Mac OS X |Leopard | | |
|Ubuntu |Saucy | Yes | Yes |
|Ubuntu |Raring | Yes | Yes |
|Ubuntu |Quantal | Yes | Yes |
|Ubuntu |Precise | Yes | Yes |
|Ubuntu |Oneiric | Yes | Yes |
|Ubuntu |Natty | Yes | Yes |
|Linux Mint |13 | Yes | Yes |
|Linux Mint |12 | Yes | Yes |

(1): See caveats above.

Other Linux distributions that use PAM-based authentication may also work using the Ubuntu signatures.

The module also effectively enables escalation of privileges, for instance via the runas or sudo -s commands, respectively.

Execution

To unlock, simply type:

incept unlock

 _|  _|      _|    _|_|_|  _|_|_|_|  _|_|_|    _|_|_|  _|    _|_|    _|      _|
 _|  _|_|    _|  _|        _|        _|    _|    _|    _|  _|    _|  _|_|    _|
 _|  _|  _|  _|  _|        _|_|_|    _|_|_|      _|    _|  _|    _|  _|  _|  _|
 _|  _|    _|_|  _|        _|        _|          _|    _|  _|    _|  _|    _|_|
 _|  _|      _|    _|_|_|  _|_|_|_|  _|          _|    _|    _|_|    _|      _|

v.0.4.0 (C) Carsten Maartmann-Moe 2014
Download: https://github.com/carmaa/inception | Twitter: @MaartmannMoe

[?] Will potentially write to file. OK? [y/N] y
[*] Available targets (known signatures):

[1] Windows 8 MsvpPasswordValidate unlock/privilege escalation
[2] Windows 7 MsvpPasswordValidate unlock/privilege escalation
[3] Windows Vista MsvpPasswordValidate unlock/privilege escalation
[4] Windows XP MsvpPasswordValidate unlock/privilege escalation
[5] Mac OS X DirectoryService/OpenDirectory unlock/privilege escalation
[6] Ubuntu libpam unlock/privilege escalation
[7] Linux Mint libpam unlock/privilege escalation

[?] Please select target (or enter 'q' to quit): 2
[*] Selected target: Windows 7 MsvpPasswordValidate unlock/privilege escalation
[=============>                                                ]  227 MiB ( 22%)
[*] Signature found at 0xe373312 in page no. 58227
[*] Patch verified; successful
[*] BRRRRRRRAAAAAWWWWRWRRRMRMRMMRMRMMMMM!!!

Implant

The implant module implants a (memory-only) Metasploit payload directly to the volatile memory of the target machine. It integrates with MSF through the msfrpcd daemon that is included in all versions of Metasploit.

The current version only works as a proof-of-concept against Windows 7 SP1 x86. No other OSes, versions or architectures are supported, nor is there any guarantee that they wi
