maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add content from: Framework 13. Press here to pwn

Browse Source
This commit is contained in:
HackTricks News Bot 2025-07-15 12:47:40 +00:00
parent fe6cf11722
commit 8c54486c2a
1 changed files with 74 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

87
src/hardware-physical-access/physical-attacks.md
View File

@ -14,46 +14,107 @@ In cases where the BIOS password is unknown, entering it incorrectly **three tim
For modern systems using **UEFI** instead of traditional BIOS, the tool **chipsec** can be utilized to analyze and modify UEFI settings, including the disabling of **Secure Boot**. This can be accomplished with the following command:
`python chipsec_main.py -module exploits.secure.boot.pk`
```bash
python chipsec_main.py -module exploits.secure.boot.pk
```
### RAM Analysis and Cold Boot Attacks
---
## RAM Analysis and Cold Boot Attacks
RAM retains data briefly after power is cut, usually for **1 to 2 minutes**. This persistence can be extended to **10 minutes** by applying cold substances, such as liquid nitrogen. During this extended period, a **memory dump** can be created using tools like **dd.exe** and **volatility** for analysis.
### Direct Memory Access (DMA) Attacks
---
## Direct Memory Access (DMA) Attacks
**INCEPTION** is a tool designed for **physical memory manipulation** through DMA, compatible with interfaces like **FireWire** and **Thunderbolt**. It allows for bypassing login procedures by patching memory to accept any password. However, it's ineffective against **Windows 10** systems.
### Live CD/USB for System Access
---
## Live CD/USB for System Access
Changing system binaries like **_sethc.exe_** or **_Utilman.exe_** with a copy of **_cmd.exe_** can provide a command prompt with system privileges. Tools such as **chntpw** can be used to edit the **SAM** file of a Windows installation, allowing password changes.
**Kon-Boot** is a tool that facilitates logging into Windows systems without knowing the password by temporarily modifying the Windows kernel or UEFI. More information can be found at [https://www.raymond.cc](https://www.raymond.cc/blog/login-to-windows-administrator-and-linux-root-account-without-knowing-or-changing-current-password/).
### Handling Windows Security Features
---
#### Boot and Recovery Shortcuts
## Handling Windows Security Features
### Boot and Recovery Shortcuts
- **Supr**: Access BIOS settings.
- **F8**: Enter Recovery mode.
- Pressing **Shift** after the Windows banner can bypass autologon.
#### BAD USB Devices
### BAD USB Devices
Devices like **Rubber Ducky** and **Teensyduino** serve as platforms for creating **bad USB** devices, capable of executing predefined payloads when connected to a target computer.
#### Volume Shadow Copy
### Volume Shadow Copy
Administrator privileges allow for the creation of copies of sensitive files, including the **SAM** file, through PowerShell.
### Bypassing BitLocker Encryption
---
## Bypassing BitLocker Encryption
BitLocker encryption can potentially be bypassed if the **recovery password** is found within a memory dump file (**MEMORY.DMP**). Tools like **Elcomsoft Forensic Disk Decryptor** or **Passware Kit Forensic** can be utilized for this purpose.
### Social Engineering for Recovery Key Addition
---
## Social Engineering for Recovery Key Addition
A new BitLocker recovery key can be added through social engineering tactics, convincing a user to execute a command that adds a new recovery key composed of zeros, thereby simplifying the decryption process.
---
## Exploiting Chassis Intrusion / Maintenance Switches to Factory-Reset the BIOS
Many modern laptops and small-form-factor desktops include a **chassis-intrusion switch** that is monitored by the Embedded Controller (EC) and the BIOS/UEFI firmware. While the primary purpose of the switch is to raise an alert when a device is opened, vendors sometimes implement an **undocumented recovery shortcut** that is triggered when the switch is toggled in a specific pattern.
### How the Attack Works
1. The switch is wired to a **GPIO interrupt** on the EC.
2. Firmware running on the EC keeps track of the **timing and number of presses**.
3. When a hard-coded pattern is recognised, the EC invokes a *mainboard-reset* routine that **erases the contents of the system NVRAM/CMOS**.
4. On next boot, the BIOS loads default values **supervisor password, Secure Boot keys, and all custom configuration are cleared**.
> Once Secure Boot is disabled and the firmware password is gone, the attacker can simply boot any external OS image and obtain unrestricted access to the internal drives.
### Real-World Example Framework 13 Laptop
The recovery shortcut for the Framework 13 (11th/12th/13th-gen) is:
```text
Press intrusion switch → hold 2 s
Release → wait 2 s
(repeat the press/release cycle 10× while the machine is powered)
```
After the tenth cycle the EC sets a flag that instructs the BIOS to wipe NVRAM at the next reboot. The whole procedure takes ~40 s and requires **nothing but a screwdriver**.
### Generic Exploitation Procedure
1. Power-on or suspend-resume the target so the EC is running.
2. Remove the bottom cover to expose the intrusion/maintenance switch.
3. Reproduce the vendor-specific toggle pattern (consult documentation, forums, or reverse-engineer the EC firmware).
4. Re-assemble and reboot firmware protections should be disabled.
5. Boot a live USB (e.g. Kali Linux) and perform usual post-exploitation (credential dumping, data exfiltration, implanting malicious EFI binaries, etc.).
### Detection & Mitigation
* Log chassis-intrusion events in the OS management console and correlate with unexpected BIOS resets.
* Employ **tamper-evident seals** on screws/covers to detect opening.
* Keep devices in **physically controlled areas**; assume that physical access equals full compromise.
* Where available, disable the vendor “maintenance switch reset” feature or require an additional cryptographic authorisation for NVRAM resets.
---
## References
- [Pentest Partners “Framework 13. Press here to pwn”](https://www.pentestpartners.com/security-blog/framework-13-press-here-to-pwn/)
- [FrameWiki Mainboard Reset Guide](https://framewiki.net/guides/mainboard-reset)
{{#include ../banners/hacktricks-training.md}}