Hack into a Windows PC with Winlockpwn.
Posted by HappyAndyK via WinVistaClub on 08 March 2008 - 12:15 · 65 comments & 21337 views
#1 Posted by S7un7 on 08 Mar 2008 - 12:20
- Good thing I didn't give a damn that my laptop didn't have Firewire when I bought it.
-
(8 replies)
#2 Posted by ffenliv on 08 Mar 2008 - 12:40
- I hate to sound super-critical, but is there any chance that these things could be proofed for simple grammar mistakes prior to hitting the front page? I know this is 'unprofessional journalism', but that doesn't mean we can't show a basic command of English while we're at it.
-
#2.1 Posted by Tha Bloo Monkee on 08 Mar 2008 - 17:09
- I'm not seeing any. What "mistakes" are you referring to?
-
#2.3 Posted by Tikitiki on 08 Mar 2008 - 18:59
- (noroom said @ #2.2) Re-read the last paragraph...
A little too many commas, me thinks. -
#2.4 Posted by theyarecomingforyou on 08 Mar 2008 - 19:10
- Far too many commas. That is simply terrible English.
-
#2.5 Posted by TRC on 08 Mar 2008 - 19:59
- Yes, I agree, that paragraph, is just, very poorly written.
-
#2.6 Posted by ffenliv on 08 Mar 2008 - 21:39
- Like I said, I don't want to sound like I'm beating the poster up. I probably should have posted the suggested changes, but others beat me to it. Better to submit news and learn from the mistakes than never try at all.
-
#2.7 Posted by +Berserk87 on 09 Mar 2008 - 09:04
- ROFL
-
#2.8 Posted by creamhackered on 09 Mar 2008 - 18:53
- Moan at the site that wrote the article not us.
-
(3 replies)
#3 Posted by Nrupesh on 08 Mar 2008 - 12:40
- So technically if someone has a PCMCIA-FIREWIRE or USB-FIREWIRE adapter they can unlock any pc???

-
#3.1 Posted by markjensen on 08 Mar 2008 - 15:45
- Probably not OSX or Linux. Not sure about Vista (I would think not, but don't know). But XP, it sounds like it.
EDIT: a few links down, it seems that other OSes too, possibly due to a problem in the general 1394 spec. -
#3.2 Posted by Deviate_X on 08 Mar 2008 - 18:00
- Here's a pdf document explaining the Firewire hack against OSX (gets interesting at page 19).
See here: http://md.hudora.de/presentations/firewire...-cansecwest.pdf
and a blog post about it here: http://blog.juhonkoti.net/2008/02/29/autom...al-via-firewire
(markjensen said @ #3.1)Probably not OSX or Linux. Not sure about Vista (I would think not, but don't know). But XP, it sounds like it.
EDIT: a few links down, it seems that other OSes too, possibly due to a problem in the general 1394 spec. -
#3.3 Posted by Personmans on 27 Mar 2008 - 16:45
- Well if you use USB-> firewire it will generally come up as a "new device" in windows, which in this case would not be automatically installed because it requires an administrator login.
I guess if you had a stupid user and hid the USB-Firewire device before the boot. They might miss the installation of the new device and you could come back later with your 'tool'.
-
(2 replies)
#4 Posted by Reverse Engineer on 08 Mar 2008 - 12:56
- With my machine, all you have to do is turn it on, and voilà, instant access.
Nonetheless, I have no firewire ports, nor am I blind, so a cable running from my comp to someone else's would be kinda noticeable to me. -
#4.1 Posted by +StevoFC on 08 Mar 2008 - 13:25
- Yeah, because people only lock their computers while they are sitting at them. Right?
-
#4.2 Posted by Reverse Engineer on 08 Mar 2008 - 22:15
- (StevoFC said @ #4.1) Yeah, because people only lock their computers while they are sitting at them. Right?
True... I'd just nick it then, if they want to leave an expensive laptop lying around...

-
(4 replies)
#5 Posted by ksalter on 08 Mar 2008 - 13:23
- This requires physical access to the computer. Once you have physical access to a computer, you can forget about security anyway.
-
#5.1 Posted by darkmark327 on 08 Mar 2008 - 14:11
- There's a difference between ripping the guts apart of a PC to reset the BIOS password or remove the hard disk, and plugging in a firewire device.
-
#5.2 Posted by Richteralan on 08 Mar 2008 - 16:58
- (darkmark327 said @ #5.1)There's a difference between ripping the guts apart of a PC to reset the BIOS password or remove the hard disk, and plugging in a firewire device.
Yes but it's still physical access. -
#5.3 Posted by Aahz on 08 Mar 2008 - 20:35
- There have been boot CDs and floppies for ages which do this type of thing using Linux/Unix. (I keep one in my toolkit in fact for when people inherit PCs or what have you.) It's simply a matter of whether or not you have to bypass the BIOS password via backdoor mobo manufacturer passwords or simply removing the CMOS battery. Once the BIOS is opened the machine is all yours.
It's far from new and ksalter is absolutely correct as once someone has physical access to a machine it's all over. -
#5.4 Posted by Personmans on 27 Mar 2008 - 16:51
- Aahz, I'd have to disagree with the "It's far from new". As speculated in the above discussion, this type of attack would allow a few things:
1) Unnoticed access. You can leave the PC exactly as it was when you arrived. No passwords reset, no red flags.
2) Access to currently opened items, this is especially useful in a corporate setting where the user is "logged in" to some sort of networked application. You can access it with their privileges and then leave the computer as in #1.
3) Access network shares. This is a big one too, you can authenticate against the server just as you would if you were actually logged in as the user. On a domain, this breaks 99% of your security.
Enjoy.
-
#6 Posted by +Octol on 08 Mar 2008 - 13:29
- I don't use firewire, so I always disable it in the BIOS along with any other features that I don't use. Not that it matters, though; nobody has the physical access to my systems necessary to use this hack.
-
#7 Posted by Angel Blue01 on 08 Mar 2008 - 13:34
- I've never seen an IEEE 1394 cable but my laptop has ports, might be interesting to try on my own machine and see if this is real, then disable the port!
Last edited by Angel Blue01 on 08 Mar 2008 - 13:39
-
(1 reply)
#8 Posted by +tunafish on 08 Mar 2008 - 13:37
- This is more for corp environments; this is going to play madness at schools etc.
-
#8.1 Posted by n_K on 09 Mar 2008 - 01:22
- (tunafish said @ #
This is more for corp environments; this is going to play madness at schools etc.
If I was still at my old school, I would use this with a rootkit to get the admin passwords and reformat the HDs with a Linux distro; guess quite a load of other people would too.
-
(1 reply)
#9 Posted by +GreyWolfSC on 08 Mar 2008 - 13:55
- This can affect ANY computer with a 1394, not just Windows machines.
original source -
#9.1 Posted by darkmark327 on 08 Mar 2008 - 14:13
- Right; actually we have Apple to thank for the flawed spec. Linux and Macs have been owned by this too (though obviously not this particular tool). Disable Firewire when not in use!
And if you're an IT guy who manages computers with Firewire ports, well, I feel for you.
-
(1 reply)
#11 Posted by XerXis on 08 Mar 2008 - 14:20
- Apple's mistake, thank you Apple.
I do like the 10 Microsoft laws of security though: http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx?mfr=true (found at the source, if you are wondering whether this is off topic)
-
(4 replies)
#12 Posted by Azmodan on 08 Mar 2008 - 14:31
- Actually, I do have a tool that unlocks Windows PCs in seconds, but I'll restrain myself from mentioning this product.
We tried it and it retrieves all hashed account passwords, thus making any Windows version up to Vista accessible. And yes, I've tried it already, and it works.
I wouldn't be surprised anyone could make such a tool.
(GreyWolfSC said @ #9) (Author's page) Bypasses windows authentication via firewire, as demoed at Ruxcon 2006, and released on Risky Business, 2008.
Same source you're using. -
#12.1 Posted by +GreyWolfSC on 08 Mar 2008 - 18:44
- (Azmodan said @ #12) Actually, I do have a tool that unlocks Windows PCs in seconds, but I'll restrain myself from mentioning this product.
We tried it and it retrieves all hashed account passwords, thus making any Windows version up to Vista accessible. And yes, I've tried it already, and it works.
I wouldn't be surprised anyone could make such a tool.
(GreyWolfSC said @ #9) (Author's page) Bypasses windows authentication via firewire, as demoed at Ruxcon 2006, and released on Risky Business, 2008.
Same source you're using.
Only looking for what you want to see? Same source, farther down the page: However, despite working fine against Linux, Macs and BSD boxen, it didn't work against Windows. My colleague Tmasky set to it, and soon enough had found the miracle ingredient. -
#12.2 Posted by +Brandon Live on 08 Mar 2008 - 19:41
- Err, you can't retrieve a Windows password, just reset it or brute-force it. But brute forcing a good password will take an obscene amount of time, especially against Vista where there's no LM hash.
Of course, Bitlocker and domain-joined machines make doing any of those things impossible. -
#12.3 Posted by Azmodan on 08 Mar 2008 - 20:43
- (GreyWolfSC said @ #12.1) Only looking for what you want to see? Same source, farther down the page: However, despite working fine against Linux, Macs and BSD boxen, it didn't work against Windows. My colleague Tmasky set to it, and soon enough had found the miracle ingredient.
You're sure he's talking about the SAME tool? However, despite working fine against Linux, Macs and BSD boxen, it didn't work against Windows. My colleague Tmasky set to it, and soon enough had found the miracle ingredient.
Skip forward a few months, and it's now a big deal for reasons I'm not wholly sure about. I presented "Hit By A Bus: Physical Access Attacks With Firewire" at Ruxcon 2006, and hopefully if you came along, you were entertained.
At Ruxcon I released my firewire libraries (high level python bindings for libraw1394), the tool for fooling windows into giving you DMA (romtool), and a forensic memory imager (1394memimage). I demoed some of the malicious uses (like unlocking a locked Win XPSP2 workstation, and spawning an admin shell), but I'm not going to release that code (uh, unless you've got a compelling reason, I suppose). The talk and the tools are available just below. -
#12.4 Posted by yakumo on 08 Mar 2008 - 21:17
- The tool you're talking about uses LM hashes. These are by default still enabled in WinXP for improved backwards compatibility, but are easily disabled (reboot and change passwords for it to actually take effect though), and anyone not concerned about networking to machines using WinME or younger should do so.
Vista has LM hashes disabled, though if you really need to you can enable them.
-
#13 Posted by HappyAndyK on 08 Mar 2008 - 14:45
- Update: Apparently, this hack has been demonstrated on Mac OS X also!
-
(2 replies)
#14 Posted by RPDL on 08 Mar 2008 - 15:11
- Oh, come on, XP login is ridiculously easy to bypass. You don't need this firewire thing to do it.
Anyway, my firewire plug short-circuited, so I'm protected against this.
-
#15 Posted by HappyAndyK on 08 Mar 2008 - 15:53
- Another Update : FireWire Attack Also Defeats Windows Vista. Microsoft may not address the "winlockpwn" authentication bypass issue because it's not technically a vulnerability.
-
(1 reply)
#16 Posted by +Zhivago on 08 Mar 2008 - 16:04
- Not much of a threat, imho, since physical access to a PC is needed.
-
#16.1 Posted by Tha Bloo Monkee on 08 Mar 2008 - 17:11
- That's what I was thinking.
-
#17 Posted by +zer0day on 08 Mar 2008 - 16:14
- This is a problem with the Firewire spec, not with any OS. They are implementing the spec, fix the spec, fix the flaw.
-
(1 reply)
#18 Posted by Evolution on 08 Mar 2008 - 17:32
- Why don't they simply disable all ports except video and sound when the computer is locked?
-
#19 Posted by +Piggy on 08 Mar 2008 - 18:02
- When you have physical access to a machine the password is never really an issue.
All it takes is a USB drive or a Bootable CD and you have access. I can see why MS ignored this.
Edit: come to think of it, this is just another tool for techs to use when users lock themselves out of their own machines.
-
#20 Posted by PsiMoon314 on 08 Mar 2008 - 18:16
- Hi,
This Firewire issue also affects Macs and Linux-based PCs. It's not a Windows problem.
It's a Firewire problem because it depends on the DMA access which all Firewire implementations use to send and receive data.
The only way to resolve this is to disable your Firewire ports and don't allow strange folks to plug their devices into your Firewire ports.
So unless the protocols for Firewire are changed, there is very little you can do to stop this other than prevent physical access to your systems.
Regards
Simon
-
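Post #20's recommendation (disable the FireWire ports, and with them the DMA path the tool relies on) written up as an administrator's check script. This is an added example, not code from the thread, from Winlockpwn, or from its author. It assumes a Windows 8 / Server 2012 or later host where the PnpDevice cmdlets exist, an elevated PowerShell session, that the IEEE 1394 host controllers are enumerated under the PnP device class `1394`, and that the SBP-2 driver registers as the `sbp2port` service; the `Start = 4` check follows Microsoft's published guidance on reducing 1394 DMA threats to BitLocker-protected machines.

```powershell
# Added example (not from the thread): inventory IEEE 1394 (FireWire) host
# controllers and the SBP-2 storage driver on a Windows host, and optionally
# disable them. Assumes Windows 8 / Server 2012 or later (PnpDevice cmdlets)
# and an elevated session. Without -Disable the script only reports.
[CmdletBinding()]
param(
    [switch]$Disable
)

# '1394' is the PnP device class for IEEE 1394 bus host controllers.
$controllers = Get-PnpDevice -Class '1394' -ErrorAction SilentlyContinue

if (-not $controllers) {
    Write-Output "No IEEE 1394 host controllers present."
} else {
    foreach ($dev in $controllers) {
        Write-Output ("1394 controller: {0} [{1}] status={2}" -f `
            $dev.FriendlyName, $dev.InstanceId, $dev.Status)
        if ($Disable -and $dev.Status -eq 'OK') {
            # Disabling the controller removes the external DMA path entirely;
            # this is the equivalent of the BIOS switch mentioned in post #6.
            Disable-PnpDevice -InstanceId $dev.InstanceId -Confirm:$false
            Write-Output ("  -> disabled {0}" -f $dev.InstanceId)
        }
    }
}

# sbp2port is the SBP-2 (1394 storage-class) driver. Microsoft's guidance for
# reducing 1394 DMA threats to BitLocker sets its Start value to 4 (disabled),
# which blocks the storage-device identity the attack tool presents. It is a
# narrower measure than disabling the controller, so both are reported.
$sbp2Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\sbp2port'
if (Test-Path $sbp2Key) {
    $start = (Get-ItemProperty -Path $sbp2Key -Name Start).Start
    $state = if ($start -eq 4) { 'disabled' } else { 'enabled' }
    Write-Output ("sbp2port Start={0} ({1})" -f $start, $state)
    if ($Disable -and $start -ne 4) {
        Set-ItemProperty -Path $sbp2Key -Name Start -Value 4
        Write-Output "  -> sbp2port set to disabled (takes effect after reboot)"
    }
} else {
    Write-Output "sbp2port service key not present."
}
```

Run it once without the switch to audit a machine, and with `-Disable` to apply both changes; controllers that are already disabled (status other than `OK`) are left alone, and the registry change needs a reboot before it matters. The controller disable is the measure that actually closes the hole the thread discusses; the sbp2port setting on its own only narrows it.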
(1 reply)
#21 Posted by JonathanMarston on 08 Mar 2008 - 19:06
- Funny how the article states that the issue is due to a flaw in the FireWire spec itself, but they only approached Microsoft for comment - ignoring the fact that FireWire is an Apple designed (and IEEE approved) spec. Why weren't Apple or the IEEE approached and asked why the spec has not been updated? Why wasn't it mentioned that a similar attack is possible on any OS that fully adheres to the IEEE 1394 spec?
Obviously another of the many articles written with the intent of spreading an opinion (in this case, that Microsoft OSs are insecure), even if that meant skipping a few facts because they didn't help the author's case...
-
#22 Posted by rpgfan on 08 Mar 2008 - 19:39
- I wonder if this would affect things like a virtual XP machine...
-
(1 reply)
#23 Posted by TRC on 08 Mar 2008 - 20:00
- Isn't firewire pretty much dead anyway? Even Apple seems to be dropping it.
-
(1 reply)
#24 Posted by Kushan on 08 Mar 2008 - 20:57
- Didn't Apple create this (apparently flawed) Firewire spec?
So why is this article pinning the blame on Microsoft to fix their mistake?
Also, if Apple managed to create a flaw so vast in one protocol, surely it's feasible to think that they've done it in other places as well? -
#24.1 Posted by neufuse on 08 Mar 2008 - 21:02
- (Kushan said @ #24)Didn't Apple create this (apparently flawed) Firewire spec?
So why is this article pinning the blame on Microsoft to fix their mistake?
Also, if Apple managed to create a flaw so vast in one protocol, surely it's feasible to think that they've done it in other places as well?
Yes, Apple created the firewire spec... which is also called i.Link (Sony), IEEE 1394 (standard name) and FireWire (Apple).
-
(3 replies)
#25 Posted by Shadrack on 08 Mar 2008 - 21:16
- Does this hack give any specific user rights? Can someone bypass the security of a domain authenticated file server by using this hack to gain access to a domain computer?
As previously pointed out, in most cases someone can just use one of those Linux boot CDs or whatever that automatically mount NTFS partitions to gain access to the local file system. All the NTFS security, unless the files are encrypted, is completely managed from within Windows and does not actually physically exist on the files. However, a smart administrator would disable booting from a CD/USB memory stick in the BIOS and password protect the BIOS. Too bad there aren't that many smart administrators out there... -
#25.1 Posted by MioTheGreat on 09 Mar 2008 - 01:39
- Absolutely nothing about this is a Windows flaw, as has been pointed out.
Under any OS that doesn't disable the port (And I do not believe any of them do) or unless you've got some funky non-standard Firewire controller stuff going on (Like in Apple's old G5s), the machine is completely compromised.
What makes this particularly scary is that it does not require a reboot. -
#25.2 Posted by +Brandon Live on 09 Mar 2008 - 19:32
- I cannot see how this would give you access to encrypted data. All it does is bypass the logon process; they basically edit the memory containing the code that checks your credentials and make it say "Yup, those are right!" for whatever you type.
It will NOT magically let them know your username and password, and will certainly not give them your encryption keys.
Also, they haven't said if they have compromised domain accounts. If they have, they would only be able to logon to the local PC and access unencrypted data that is ACL'd for that user. It won't let you magically access corporate resources on the network with that person's token, since they don't have it.
This gives them the SAME level of access as if they had removed the hard drive and put it in another PC. Nothing more. No encrypted file access, no corporate network access. -
#25.3 Posted by Personmans on 27 Mar 2008 - 16:41
- Unfortunately I'd have to disagree. When you bypass the "locked" screen, you keep the current user's credentials. If they had been previously accessing any network resources, or if they have files encrypted using the account that you logged into, they will definitely be given full access.
If you have just booted a computer, bypassing local passwords *should* not give you access to these things. On the other hand, you are now logged in as an authenticated user, so anything is possible. Argumentatively, though from boot if you're logging into a domain type computer it is almost sure that you will NOT have access because you will not have authenticated.
Moral of the story? When you lock your computer (that has firewire ports) you're not safe at all.
-
(2 replies)
#26 Posted by RealFduch on 08 Mar 2008 - 22:44
- Hack into a Windows PC with a hammer.
A worker from workshop based in New Zealand has shown a tool that can break Windows computers in seconds, via smashing them with a hammer, without the need for a password.
With this tool, called Hammer, one could "hack locked Windows machines or erase sensitive data without a password ... merely by hitting it with Hammer several times".
This hack, which affects Windows XP computers but has not yet been tested with Windows Vista, was first demonstrated, at a drunk party in 2006, but Microsoft has yet to develop a fix. But now that a couple of years have passed and the issue has not resolved, the worker, decided to show the tool on his website. -
#26.1 Posted by Relativity_17 on 08 Mar 2008 - 23:33
- Holy crap, it worked! All my data was successfully destroyed using the hammer hack! When will Microsoft fix this horrendous vulnerability??? If they don't, I'm gonna switch to Lunix.
-
#26.2 Posted by Tha Bloo Monkee on 09 Mar 2008 - 05:18
- I might give this a shot!
-
#28 Posted by carmatic on 09 Mar 2008 - 03:50
- Is it possible to have the firewire done out-of-spec, and risk compatibility with things you try to plug in, but preventing the DMA-based hacks?
With this tool, called Winlockpwn, one could "unlock locked Windows machines or login without a password ... merely by plugging in your Firewire cable and running a command".
The hack, which affects Windows XP computers but has not yet been tested with Windows Vista, was first demonstrated at a security conference in Sydney in 2006, but Microsoft has yet to develop a fix. Now that a couple of years have passed and the issue has not been resolved, Boileau decided to release the tool on his website.