Red Team Guide: Physical Attacks (WIP)

Published Apr 2, 2022

Introduction

Note: This article is work in progress.

Do you have physical access to a machine you want to attack? This guide collects techniques that only work hands-on: clearing or recovering firmware passwords, weakening Secure Boot, pulling secrets out of RAM after a cold reboot, and reading or patching memory over DMA-capable ports.

BIOS Password

The Battery

Most motherboards have a CMOS battery (usually a CR2032 coin cell). With the machine unplugged, removing it for about 30 minutes drains the CMOS RAM and resets the BIOS settings to their defaults, password included. Caveat: many laptops and recent UEFI machines keep the setup password in non-volatile flash or an EEPROM rather than in CMOS, so a battery pull does nothing there and you have to use one of the other approaches below.

CMOS Jumper

Most desktop motherboards have a jumper that clears CMOS (typically labelled CLR_CMOS, CLRTC or JBAT1, near the battery). It is usually a three-pin header with the cap on pins 1-2; with the power off, move the cap to pins 2-3 for a few seconds (or short the two pins with a screwdriver on two-pin headers), then put it back before powering on. The board comes up with default settings and no password.

Live Tools

If you can boot the machine from a live CD/USB (Kali Linux, for example), tools like KillCMOS or CmosPwd can go after the BIOS password: CmosPwd reads the 128-byte CMOS RAM and decodes the password bytes for the BIOS vendors it knows, while KillCMOS corrupts the CMOS contents so the BIOS discards them and loads defaults. This only works when the password protects the setup menu but not booting; if it is asked at power-on you cannot boot the live system and have to fall back on the battery or the jumper.
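To see what these tools operate on, the following is an added example (not part of the original guide, nor code from CmosPwd or KillCMOS). It assumes a Linux live system whose nvram driver exposes CMOS offsets 0x0E to 0x7F through /dev/nvram (root required), decodes the vendor-independent fields of the standard PC/AT CMOS map, verifies the checksum the BIOS keeps over offsets 0x10-0x2D, and shows the checksum corruption that a KillCMOS-style reset relies on. The sample image at the bottom is constructed, not captured from a machine.

```python
"""Read and check the CMOS/NVRAM image that CmosPwd and KillCMOS work on.

Added example, not part of the original guide or of either tool. Assumes the
Linux nvram driver: /dev/nvram byte 0 is CMOS offset 0x0E and the file is
114 bytes long. Reading it needs root.
"""
import struct

NVRAM_BASE = 0x0E                 # /dev/nvram byte 0 == CMOS offset 0x0E
NVRAM_LEN = 128 - NVRAM_BASE      # 114 bytes

# Standard PC/AT CMOS checksum: 16-bit sum of offsets 0x10..0x2D stored
# big-endian at 0x2E/0x2F (the same ranges the Linux nvram driver validates).
CKS_START = 0x10 - NVRAM_BASE
CKS_END = 0x2D - NVRAM_BASE
CKS_LOC = 0x2E - NVRAM_BASE


def cmos_checksum(nv: bytes) -> int:
    """Checksum the BIOS expects, computed over the /dev/nvram image."""
    return sum(nv[CKS_START:CKS_END + 1]) & 0xFFFF


def stored_checksum(nv: bytes) -> int:
    return struct.unpack_from(">H", nv, CKS_LOC)[0]


def checksum_valid(nv: bytes) -> bool:
    return cmos_checksum(nv) == stored_checksum(nv)


def decode_standard_fields(nv: bytes) -> dict:
    """Decode the vendor-independent fields. The password bytes are vendor
    specific and sit elsewhere in the same 128-byte map; CmosPwd carries
    per-vendor tables for them, this example does not."""
    base_kb = struct.unpack_from("<H", nv, 0x15 - NVRAM_BASE)[0]
    ext_kb = struct.unpack_from("<H", nv, 0x17 - NVRAM_BASE)[0]
    century_bcd = nv[0x32 - NVRAM_BASE]
    return {
        "floppy_types": nv[0x10 - NVRAM_BASE],
        "equipment": nv[0x14 - NVRAM_BASE],
        "base_memory_kb": base_kb,
        "extended_memory_kb": ext_kb,
        "century": (century_bcd >> 4) * 10 + (century_bcd & 0x0F),
        "checksum_ok": checksum_valid(nv),
    }


def with_broken_checksum(nv: bytes) -> bytes:
    """Copy of the image whose stored checksum no longer matches. This is the
    principle behind KillCMOS-style resets: a BIOS that finds a bad checksum
    discards its settings (password included) and loads defaults. Writing
    this back through /dev/nvram will NOT do it, because the driver recomputes
    the checksum on every write; the tools use port 0x70/0x71 I/O instead."""
    buf = bytearray(nv)
    struct.pack_into(">H", buf, CKS_LOC, stored_checksum(nv) ^ 0xFFFF)
    return bytes(buf)


def read_nvram(path: str = "/dev/nvram") -> bytes:
    with open(path, "rb") as f:
        return f.read(NVRAM_LEN)


def constructed_image() -> bytes:
    """Constructed sample (not a capture): one 1.44 MB floppy, 640 KiB base
    memory, extended-memory field at its 0xFFFF cap, century 20, valid checksum."""
    buf = bytearray(NVRAM_LEN)
    buf[0x10 - NVRAM_BASE] = 0x40      # drive A type 4 = 1.44 MB
    buf[0x14 - NVRAM_BASE] = 0x01      # equipment byte: floppy present
    struct.pack_into("<H", buf, 0x15 - NVRAM_BASE, 640)
    struct.pack_into("<H", buf, 0x17 - NVRAM_BASE, 0xFFFF)
    buf[0x32 - NVRAM_BASE] = 0x20      # century, BCD
    struct.pack_into(">H", buf, CKS_LOC, cmos_checksum(bytes(buf)))
    return bytes(buf)


if __name__ == "__main__":
    try:
        image, source = read_nvram(), "/dev/nvram"
    except OSError:
        image, source = constructed_image(), "constructed sample"
    print(source, decode_standard_fields(image))
```

On a real machine run it as root; on a UEFI laptop expect the standard fields to decode fine while the password is simply not in this image, which is the practical reason the live tools fail there.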

Online BIOS Password Recovery

Enter the BIOS password wrong three times. Many laptop BIOSes then lock and display a numeric or alphanumeric code (often shown as "System Disabled" followed by the code), which is a hash derived from the machine's identity. Enter that code at https://bios-pw.org; the site runs the published recovery algorithms for a number of mostly older BIOS families (Phoenix, Insyde H2O, Fujitsu-Siemens, some Dell models and others) and returns candidate passwords. One query can yield several candidates, and more than one may be accepted. Current machines, and vendors whose scheme is not covered, return nothing useful.

UEFI

To inspect the UEFI firmware and its Secure Boot configuration, use chipsec. It has to run with administrative privileges and its kernel helper driver loaded. Start by checking the state of the Secure Boot variables (whether SecureBoot is on and whether PK/KEK/db carry the time-based authenticated write attribute; the common.secureboot.variables module reports this). chipsec also ships a proof-of-concept module that tries to overwrite the Platform Key (PK) without authentication, which turns Secure Boot off. It only works on firmware with that specific flaw; a patched platform rejects the write and Secure Boot stays on:

python chipsec_main.py -m exploits.secureboot.pk
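Before reaching for chipsec, the Secure Boot state can be read from the target's own efivarfs. The following is an added example (not part of the original guide and not chipsec code): it assumes a Linux system with efivarfs mounted at /sys/firmware/efi/efivars, where each file is four bytes of little-endian attributes followed by the variable data, and it checks the three things that decide whether Secure Boot is enforcing: SecureBoot is 1, SetupMode is 0 (keys enrolled) and PK carries the time-based authenticated write attribute, the property the PK proof-of-concept above abuses when firmware fails to require it. The sample variables at the bottom are constructed, not captured.

```python
"""Read Secure Boot state from efivarfs and decide whether it is enforcing.

Added example, not part of the original guide or of chipsec. Assumes efivarfs
at /sys/firmware/efi/efivars with the usual file layout (4-byte attributes,
then data) and the EFI_GLOBAL_VARIABLE GUID for SecureBoot/SetupMode/PK.
"""
import os
import struct

EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"   # EFI_GLOBAL_VARIABLE
EFIVARS = "/sys/firmware/efi/efivars"

# EFI variable attribute bits (UEFI spec, SetVariable())
NON_VOLATILE = 0x01
BOOTSERVICE_ACCESS = 0x02
RUNTIME_ACCESS = 0x04
AUTHENTICATED_WRITE_ACCESS = 0x10             # counter-based, deprecated
TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x20  # what PK/KEK/db/dbx must carry


def parse_efivar(raw: bytes):
    """Split an efivarfs file into (attributes, data)."""
    if len(raw) < 4:
        raise ValueError("efivar file too short")
    (attrs,) = struct.unpack_from("<I", raw, 0)
    return attrs, raw[4:]


def secure_boot_status(variables: dict) -> dict:
    """variables maps 'Name-GUID' to the raw file contents, or None if absent."""
    def flag(name):
        raw = variables.get(f"{name}-{EFI_GLOBAL}")
        if raw is None:
            return None                      # variable missing: unknown
        _, data = parse_efivar(raw)
        return bool(data and data[0] == 1)

    pk_raw = variables.get(f"PK-{EFI_GLOBAL}")
    pk_attrs, pk_data = parse_efivar(pk_raw) if pk_raw else (0, b"")
    enabled = flag("SecureBoot")
    setup_mode = flag("SetupMode")
    pk_auth = bool(pk_attrs & TIME_BASED_AUTHENTICATED_WRITE_ACCESS)
    return {
        "secure_boot_enabled": enabled,
        "setup_mode": setup_mode,
        "pk_present": len(pk_data) > 0,
        "pk_time_authenticated": pk_auth,
        # Enforcing only if enabled, in User Mode (keys enrolled) and PK can
        # only be replaced by a signed, time-stamped update.
        "enforcing": bool(enabled) and setup_mode is False
                     and len(pk_data) > 0 and pk_auth,
    }


def read_efivars(names=("SecureBoot", "SetupMode", "PK")) -> dict:
    """Collect the raw files from a live Linux system (missing -> None)."""
    out = {}
    for name in names:
        key = f"{name}-{EFI_GLOBAL}"
        try:
            with open(os.path.join(EFIVARS, key), "rb") as f:
                out[key] = f.read()
        except OSError:
            out[key] = None
    return out


def constructed_vars(enabled=True, setup=False, pk_auth=True) -> dict:
    """Constructed sample, not captured from a real machine. SecureBoot and
    SetupMode are volatile BS|RT variables; PK is NV|BS|RT plus, normally,
    the time-based authenticated attribute. A placeholder blob stands in for
    the real PK EFI_SIGNATURE_LIST."""
    volatile = BOOTSERVICE_ACCESS | RUNTIME_ACCESS
    pk_attrs = NON_VOLATILE | volatile
    if pk_auth:
        pk_attrs |= TIME_BASED_AUTHENTICATED_WRITE_ACCESS
    return {
        f"SecureBoot-{EFI_GLOBAL}": struct.pack("<I", volatile) + bytes([1 if enabled else 0]),
        f"SetupMode-{EFI_GLOBAL}": struct.pack("<I", volatile) + bytes([1 if setup else 0]),
        f"PK-{EFI_GLOBAL}": struct.pack("<I", pk_attrs) + b"\x00" * 16,
    }


if __name__ == "__main__":
    variables = read_efivars() if os.path.isdir(EFIVARS) else constructed_vars()
    print(secure_boot_status(variables))
```

A PK that exists but lacks the 0x20 attribute, or a machine sitting in Setup Mode with SecureBoot reported as 1, is exactly the situation in which an unauthenticated PK write (or simply enrolling your own keys) gets you past Secure Boot without any firmware exploit.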

RAM

Cold Boot

DRAM does not lose its contents the instant power is cut. At room temperature a large fraction survives for seconds to a couple of minutes (the decay rate varies from module to module); cooling the modules, with an inverted can of compressed-air duster or with liquid nitrogen, slows the decay enough for the contents to survive many minutes, long enough to move the modules into another machine or to reboot the target into a memory imager.

Which tool fits depends on the state of the machine. If you already have an unlocked session with admin rights, live acquisition tools such as dd.exe, mdd.exe, Memoryze, win32dd.exe or DumpIt dump memory from inside the running OS. In a true cold boot attack the OS is gone: cut the power, cool the modules, and immediately boot from USB/PXE into a minimal imager that occupies as little RAM as possible, or move the cooled modules into a machine you control and dump them there. Firmware that honors the TCG MemoryOverwriteRequest (MOR) variable wipes RAM on reboot, so on such machines moving the modules is the more reliable route.

Analyze the dump with Volatility (process listing, the credential plugins such as hashdump and lsadump, the TrueCrypt plugins), and search it for disk-encryption keys by their key schedules, the technique from the original cold boot research (the aeskeyfind and rsakeyfind tools).
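Disk-encryption keys are the usual prize of a cold boot attack, and they are found without any knowledge of the OS: an AES key in use sits in RAM next to its expanded key schedule, and the schedule is a deterministic function of the key, so every 16-byte window of the dump can be tested by expanding it and comparing with the 160 bytes that follow. The following is an added example of that search (not part of the original guide, and not code from Volatility or aeskeyfind); it implements AES-128 key expansion from the FIPS-197 definition and scans a constructed dump (random filler with one real key schedule planted in it) rather than a captured one.

```python
"""Find AES-128 keys in a memory dump by locating their key schedules.

Added example, not part of the original guide or of Volatility/aeskeyfind.
The dump used at the bottom is constructed, not captured.
"""
import random


def _gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def _make_sbox() -> list:
    """Build the S-box from its definition: multiplicative inverse, then the
    affine map (q ^ rotl(q,1) ^ rotl(q,2) ^ rotl(q,3) ^ rotl(q,4) ^ 0x63)."""
    def rotl8(x, n):
        return ((x << n) | (x >> (8 - n))) & 0xFF
    inv = [0] * 256
    for a in range(1, 256):
        inv[a] = next(b for b in range(1, 256) if _gf_mul(a, b) == 1)
    return [q ^ rotl8(q, 1) ^ rotl8(q, 2) ^ rotl8(q, 3) ^ rotl8(q, 4) ^ 0x63
            for q in inv]


SBOX = _make_sbox()


def expand_key_128(key: bytes) -> bytes:
    """FIPS-197 key expansion: 16-byte key -> 176-byte schedule (11 round keys)."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = w[i - 1][:]
        if i % 4 == 0:
            t = t[1:] + t[:1]                  # RotWord
            t = [SBOX[b] for b in t]           # SubWord
            t[0] ^= rcon
            rcon = _gf_mul(rcon, 2)            # next round constant
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return bytes(b for word in w for b in word)


def find_aes128_keys(dump: bytes) -> list:
    """Return (offset, key_hex) for every window followed by its own schedule."""
    hits = []
    for off in range(0, len(dump) - 176 + 1):
        cand = dump[off:off + 16]
        # Cheap prefilter: the first word of round key 1 must match before
        # the full expansion is worth computing (same idea as aeskeyfind).
        t = [SBOX[b] for b in cand[13:16] + cand[12:13]]
        t[0] ^= 1
        w4 = bytes(cand[j] ^ t[j] for j in range(4))
        if dump[off + 16:off + 20] != w4:
            continue
        if expand_key_128(cand) == dump[off:off + 176]:
            hits.append((off, cand.hex()))
    return hits


FIPS_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 A.1 key


def constructed_dump() -> bytes:
    """Constructed 8 KiB 'dump': seeded random filler with the FIPS-197
    test key's schedule planted at offset 0x1234."""
    rng = random.Random(7)
    filler = bytes(rng.getrandbits(8) for _ in range(8192))
    schedule = expand_key_128(FIPS_KEY)
    return filler[:0x1234] + schedule + filler[0x1234 + len(schedule):]


if __name__ == "__main__":
    for off, key in find_aes128_keys(constructed_dump()):
        print(f"AES-128 key at 0x{off:x}: {key}")
```

On a real dump the same scan runs over the whole file (use a memory-mapped file rather than reading it into a bytes object); a zero-filled or pattern-filled region never matches because the schedule of any key differs from the key itself after the round constant is mixed in.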

Inception

Inception is a physical memory manipulation tool that exploits DMA: a device on IEEE 1394 (FireWire), Thunderbolt, ExpressCard, PC Card or any other PCI/PCIe interface can read and write host RAM directly, without the operating system's involvement, unless an IOMMU restricts it.

Connect your machine to the target over one of those interfaces; Inception scans physical memory for the signature of the OS's password-validation routine (for example the one in msv1_0.dll on Windows) and patches it in place.

If the patch succeeds, the lock screen or login prompt accepts any password. The same DMA channel can also be used to dump physical memory for offline analysis.

The unlock module does not work on Windows 10. More generally, the attack is blocked wherever an IOMMU is enforced for hot-plugged devices: Windows 10 (1803 and later) with Kernel DMA Protection on supporting hardware, Linux with the IOMMU enabled, and Thunderbolt ports configured to require device authorization. On current targets the same class of attack is carried out with PCILeech and a DMA-capable FPGA board, subject to the same IOMMU limits.
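Whether a DMA attack stands a chance on a Linux target can be read off the target itself, which is worth doing before carrying hardware in. The following is an added example (not part of the original guide and not Inception code). It assumes the paths a Linux kernel exposes: /proc/cmdline for the intel_iommu=/amd_iommu=/iommu= options, /sys/kernel/iommu_groups (populated only when an IOMMU is active), and the Thunderbolt domain attributes security and iommu_dma_protection under /sys/bus/thunderbolt/devices/domain0. The assessment itself takes plain values, so it also runs on the two constructed inputs at the bottom.

```python
"""Assess a Linux target's exposure to DMA attacks over external ports.

Added example, not part of the original guide or of Inception. Assumes the
sysfs/procfs paths named in the constants below.
"""
import glob
import os
from typing import Optional

TB_DOMAIN = "/sys/bus/thunderbolt/devices/domain0"
IOMMU_GROUPS = "/sys/kernel/iommu_groups"


def assess_dma_exposure(cmdline: str, iommu_groups: int,
                        tb_security: Optional[str],
                        tb_iommu_dma_protection: Optional[bool]) -> dict:
    """Rate exposure as 'exposed', 'reduced' or 'protected' and say why."""
    opts = cmdline.split()
    active = iommu_groups > 0
    passthrough = "iommu=pt" in opts
    findings = []
    if not active:
        findings.append("no IOMMU groups: any DMA-capable device can read and "
                        "write all of RAM (Inception-style patching will work)")
    if active and passthrough:
        findings.append("iommu=pt: devices owned by host drivers get identity "
                        "mappings, so a spoofed or compromised device sees all RAM")
    if tb_security == "none":
        findings.append("Thunderbolt security level 'none': hot-plugged PCIe "
                        "devices are connected without user authorization")
    if tb_security is not None and tb_iommu_dma_protection is False:
        findings.append("Thunderbolt domain reports no kernel DMA protection")
    if not active:
        verdict = "exposed"
    elif passthrough or tb_security == "none" or tb_iommu_dma_protection is False:
        verdict = "reduced"
    else:
        verdict = "protected"
    return {"verdict": verdict, "iommu_active": active, "passthrough": passthrough,
            "thunderbolt_security": tb_security,
            "kernel_dma_protection": tb_iommu_dma_protection,
            "findings": findings}


def _read(path: str) -> Optional[str]:
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return None


def collect_linux() -> dict:
    """Gather the inputs from the live system this runs on and assess them."""
    cmdline = _read("/proc/cmdline") or ""
    groups = len(glob.glob(os.path.join(IOMMU_GROUPS, "*")))
    security = _read(os.path.join(TB_DOMAIN, "security"))
    prot = _read(os.path.join(TB_DOMAIN, "iommu_dma_protection"))
    return assess_dma_exposure(cmdline, groups, security,
                               None if prot is None else prot == "1")


# Constructed inputs (not captured from real machines): an older laptop with
# an unprotected Thunderbolt port and no IOMMU, and a hardened one.
LEGACY = ("BOOT_IMAGE=/vmlinuz-4.4.0 root=/dev/sda1 ro quiet", 0, "none", None)
HARDENED = ("BOOT_IMAGE=/vmlinuz-5.15.0 root=/dev/nvme0n1p2 ro intel_iommu=on",
            24, "user", True)

if __name__ == "__main__":
    for label, args in (("legacy", LEGACY), ("hardened", HARDENED)):
        print(label, assess_dma_exposure(*args)["verdict"])
    if os.path.exists("/proc/cmdline"):
        print("this host", collect_linux())
```

A "protected" verdict does not rule DMA out entirely (a device can still attack whatever a driver maps for it), but it means memory-wide patching of the kind Inception does will not work from a hot-plugged device.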