hacktricks/physical-attacks/physical-attacks.md

108 lines
6.9 KiB
Markdown
Raw Normal View History

2022-05-01 13:25:53 +00:00
# Physical Attacks
2022-04-28 16:01:33 +00:00
<details>
2024-01-10 10:22:19 +00:00
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
2022-04-28 16:01:33 +00:00
2024-01-10 10:22:19 +00:00
Other ways to support HackTricks:
2022-04-28 16:01:33 +00:00
2024-01-10 10:22:19 +00:00
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
2024-02-09 00:38:08 +00:00
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
2024-01-10 10:22:19 +00:00
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
2022-04-28 16:01:33 +00:00
</details>
2024-04-18 03:21:24 +00:00
### [WhiteIntel](https://whiteintel.io)
2024-04-18 03:10:20 +00:00
2024-04-18 03:13:38 +00:00
<figure><img src="/.gitbook/assets/image (1224).png" alt=""><figcaption></figcaption></figure>
2024-04-18 03:10:20 +00:00
[**WhiteIntel**](https://whiteintel.io) is a **dark-web** fueled search engine that offers **free** functionalities to check if a company or its customers have been **compromised** by **stealer malwares**.
Their primary goal of WhiteIntel is to combat account takeovers and ransomware attacks resulting from information-stealing malware.
You can check their website and try their engine for **free** at:
{% embed url="https://whiteintel.io" %}
---
2024-02-08 21:36:35 +00:00
## BIOS Password Recovery and System Security
2022-04-28 16:01:33 +00:00
2024-02-08 21:36:35 +00:00
**Resetting the BIOS** can be achieved in several ways. Most motherboards include a **battery** that, when removed for around **30 minutes**, will reset the BIOS settings, including the password. Alternatively, a **jumper on the motherboard** can be adjusted to reset these settings by connecting specific pins.
2024-02-08 21:36:35 +00:00
For situations where hardware adjustments are not possible or practical, **software tools** offer a solution. Running a system from a **Live CD/USB** with distributions like **Kali Linux** provides access to tools like **_killCmos_** and **_CmosPWD_**, which can assist in BIOS password recovery.
2024-02-08 21:36:35 +00:00
In cases where the BIOS password is unknown, entering it incorrectly **three times** will typically result in an error code. This code can be used on websites like [https://bios-pw.org](https://bios-pw.org) to potentially retrieve a usable password.
2024-02-08 21:36:35 +00:00
### UEFI Security
2024-02-08 21:36:35 +00:00
For modern systems using **UEFI** instead of traditional BIOS, the tool **chipsec** can be utilized to analyze and modify UEFI settings, including the disabling of **Secure Boot**. This can be accomplished with the following command:
2024-02-08 21:36:35 +00:00
`python chipsec_main.py -module exploits.secure.boot.pk`
2024-02-08 21:36:35 +00:00
### RAM Analysis and Cold Boot Attacks
2024-02-08 21:36:35 +00:00
RAM retains data briefly after power is cut, usually for **1 to 2 minutes**. This persistence can be extended to **10 minutes** by applying cold substances, such as liquid nitrogen. During this extended period, a **memory dump** can be created using tools like **dd.exe** and **volatility** for analysis.
2024-02-08 21:36:35 +00:00
### Direct Memory Access (DMA) Attacks
2024-02-08 21:36:35 +00:00
**INCEPTION** is a tool designed for **physical memory manipulation** through DMA, compatible with interfaces like **FireWire** and **Thunderbolt**. It allows for bypassing login procedures by patching memory to accept any password. However, it's ineffective against **Windows 10** systems.
2024-02-08 21:36:35 +00:00
### Live CD/USB for System Access
2024-02-08 21:36:35 +00:00
Changing system binaries like **_sethc.exe_** or **_Utilman.exe_** with a copy of **_cmd.exe_** can provide a command prompt with system privileges. Tools such as **chntpw** can be used to edit the **SAM** file of a Windows installation, allowing password changes.
2024-02-08 21:36:35 +00:00
**Kon-Boot** is a tool that facilitates logging into Windows systems without knowing the password by temporarily modifying the Windows kernel or UEFI. More information can be found at [https://www.raymond.cc](https://www.raymond.cc/blog/login-to-windows-administrator-and-linux-root-account-without-knowing-or-changing-current-password/).
2024-02-08 21:36:35 +00:00
### Handling Windows Security Features
2024-02-08 21:36:35 +00:00
#### Boot and Recovery Shortcuts
2024-02-08 21:36:35 +00:00
- **Supr**: Access BIOS settings.
- **F8**: Enter Recovery mode.
- Pressing **Shift** after the Windows banner can bypass autologon.
2024-02-08 21:36:35 +00:00
#### BAD USB Devices
2024-02-08 21:36:35 +00:00
Devices like **Rubber Ducky** and **Teensyduino** serve as platforms for creating **bad USB** devices, capable of executing predefined payloads when connected to a target computer.
2024-02-08 21:36:35 +00:00
#### Volume Shadow Copy
2024-02-08 21:36:35 +00:00
Administrator privileges allow for the creation of copies of sensitive files, including the **SAM** file, through PowerShell.
2024-02-08 21:36:35 +00:00
### Bypassing BitLocker Encryption
2024-02-08 21:36:35 +00:00
BitLocker encryption can potentially be bypassed if the **recovery password** is found within a memory dump file (**MEMORY.DMP**). Tools like **Elcomsoft Forensic Disk Decryptor** or **Passware Kit Forensic** can be utilized for this purpose.
2024-02-08 21:36:35 +00:00
### Social Engineering for Recovery Key Addition
2024-02-08 21:36:35 +00:00
A new BitLocker recovery key can be added through social engineering tactics, convincing a user to execute a command that adds a new recovery key composed of zeros, thereby simplifying the decryption process.
2024-04-18 03:21:24 +00:00
### [WhiteIntel](https://whiteintel.io)
2024-04-18 03:10:20 +00:00
2024-04-18 03:13:38 +00:00
<figure><img src="/.gitbook/assets/image (1224).png" alt=""><figcaption></figcaption></figure>
2024-04-18 03:10:20 +00:00
[**WhiteIntel**](https://whiteintel.io) is a **dark-web** fueled search engine that offers **free** functionalities to check if a company or its customers have been **compromised** by **stealer malwares**.
Their primary goal of WhiteIntel is to combat account takeovers and ransomware attacks resulting from information-stealing malware.
You can check their website and try their engine for **free** at:
{% embed url="https://whiteintel.io" %}
2022-04-28 16:01:33 +00:00
<details>
2024-01-10 10:22:19 +00:00
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
2022-04-28 16:01:33 +00:00
2024-01-10 10:22:19 +00:00
Other ways to support HackTricks:
2022-04-28 16:01:33 +00:00
2024-01-10 10:22:19 +00:00
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
2024-02-09 00:38:08 +00:00
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
2024-01-10 10:22:19 +00:00
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
2022-04-28 16:01:33 +00:00
</details>