# Physical Attacks

<details>

<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).

</details>

## BIOS password

### The battery

Most of the **motherbords** have a **battery**. If you **remove** it **30min** the settings of the BIOS will be **restarted** (password included).

### Jumper CMOS

Most of the **motherboards** have a **jumper** that can restart the settings. This jumper connects a central pin with another, if you **connect thoses pins the motherbord will be reseted**.

### Live Tools

If you could **run** for example a **Kali** Linux from a Live CD/USB you could use tools like ***killCmos*** or ***CmosPWD*** (this last one is included in Kali) you could try to **recover the password of the BIOS**.

### Online BIOS password recovery

Put the password of the BIOS **3 times wrong**, then the BIOS will **show an error messag**e and it will be blocked.\
Visit the page <https://bios-pw.org> and **introduce the error code** shown by the BIOS and you could be lucky and get a **valid password** (the **same search could show you different passwords and more than 1 could be valid**).

## UEFI

To check the settings of the UEFI and perform some kind of attack you should try [chipsec](https://github.com/chipsec/chipsec/blob/master/chipsec-manual.pdf).\
Using this tool you could easily disable the Secure Boot:

```
python chipsec_main.py -module exploits.secure.boot.pk
```

## RAM

### Cold boot

The **RAM memory is persistent from 1 to 2 minutes** from the time the computer is powered off. If you apply **cold** (liquid nitrogen, for example) on the memory card you can extend this time up to **10 minutes**.

Then, you can do a **memory dump** (using tools like dd.exe, mdd.exe, Memoryze, win32dd.exe or DumpIt) to analyze the memory.

You should **analyze** the memory **using volatility**.

### [INCEPTION](https://github.com/carmaa/inception)

Inception is a **physical memory manipulation** and hacking tool exploiting PCI-based DMA. The tool can attack over **FireWire**, **Thunderbolt**, **ExpressCard**, PC Card and any other PCI/PCIe HW interfaces.\
**Connect** your computer to the victim computer over one of those **interfaces** and **INCEPTION** will try to **patch** the **pyshical memory** to give you **access**.

**If INCEPTION succeeds, any password introduced will be vaid.**

**It doesn't work with Windows10.**

## Live CD/USB

### Sticky Keys and more

* **SETHC:** *sethc.exe* is invoked when SHIFT is pressed 5 times
* **UTILMAN:** *Utilman.exe* is invoked by pressing WINDOWS+U
* **OSK:** *osk.exe* is invoked by pressing WINDOWS+U, then launching the on-screen keyboard
* **DISP:** *DisplaySwitch.exe* is invoked by pressing WINDOWS+P

These binaries are located inside ***C:\Windows\System32***. You can **change** any of them for a **copy** of the binary **cmd.exe** (also in the same folder) and any time that you invoke any of those binaries a command prompt as **SYSTEM** will appear.

### Modifying SAM

You can use the tool ***chntpw*** to **modify the** ***SAM*** **file** of a mounted Windows filesystem. Then, you could change the password of the Administrator user, for example.\
This tool is available in KALI.

```
chntpw -h
chntpw -l <path_to_SAM>
```

**Inside a Linux system you could modify the** ***/etc/shadow*** **or** ***/etc/passwd*** **file.**

### **Kon-Boot**

**Kon-Boot** is one of the best tools around which can log you into Windows without knowing the password. It works by **hooking into the system BIOS and temporarily changing the contents of the Windows kernel** while booting (new versions work also with **UEFI**). It then allows you to enter **anything as the password** during login. The next time you start the computer without Kon-Boot, the original password will be back, the temporary changes will be discarded and the system will behave as if nothing has happened.\
Read More: <https://www.raymond.cc/blog/login-to-windows-administrator-and-linux-root-account-without-knowing-or-changing-current-password/>

It is a live CD/USB that can **patch the memory** so you **won't need to know the password to login**.\
Kon-Boot also performs the **StickyKeys** trick so you could press ***Shift*** **5 times to get an Administrator cmd**.

## **Running Windows**

### Initial shortcuts

### Booting shortcuts

* supr - BIOS
* f8 - Recovery mode
* *supr* - BIOS ini
* *f8* - Recovery mode
* *Shitf* (after the windows banner) - Go to login page instead of autologon (avoid autologon)

### **BAD USBs**

#### **Rubber Ducky tutorials**

* [Tutorial 1](https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Tutorials)
* [Tutorial 2](https://blog.hartleybrody.com/rubber-ducky-guide/)

#### **Teensyduino**

* [Payloads and tutorials](https://github.com/Screetsec/Pateensy)

There are also tons of tutorials about **how to create your own bad USB**.

### Volume Shadow Copy

With administrators privileges and powershell you could make a copy of the SAM file.[ See this code](/dashboard/windows-hardening/basic-powershell-for-pentesters.md#volume-shadow-copy).

## Bypassing Bitlocker

Bitlocker uses **2 passwords**. The one used by the **user**, and the **recovery** password (48 digits).

If you are lucky and inside the current session of Windows exists the file ***C:\Windows\MEMORY.DMP*** (It is a memory dump) you could try to **search inside of it the recovery password**. You can **get this file** and a **copy of the filesytem** and then use *Elcomsoft Forensic Disk Decryptor* to get the content (this will only work if the password is inside the memory dump). You could also **force the memory dump** using ***NotMyFault*** of *Sysinternals,* but this will reboot the system and has to be executed as Administrator.

You could also try a **bruteforce attack** using ***Passware Kit Forensic***.

### Social Engineering

Finally, you could make the user add a new recovery password making him executed as administrator:

```bash
schtasks /create /SC ONLOGON /tr "c:/windows/system32/manage-bde.exe -protectors -add c: -rp 000000-000000-000000-000000-000000-000000-000000-000000" /tn tarea /RU SYSTEM /f
```

This will add a new recovery key (composed of 48 zeros) in the next login.

To check the valid recovery keys you can execute:

```
manage-bde -protectors -get c:
```

<details>

<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).

</details>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://breached.gitbook.io/dashboard/hardware-physical-access/physical-attacks.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.