From 8c54486c2af10d699cfd46d11fc7a55c22e33ea8 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Tue, 15 Jul 2025 12:47:40 +0000 Subject: [PATCH] Add content from: Framework 13. Press here to pwn --- .../physical-attacks.md | 87 ++++++++++++++++--- 1 file changed, 74 insertions(+), 13 deletions(-) diff --git a/src/hardware-physical-access/physical-attacks.md b/src/hardware-physical-access/physical-attacks.md index 9de4b4f6a..e5c1cf047 100644 --- a/src/hardware-physical-access/physical-attacks.md +++ b/src/hardware-physical-access/physical-attacks.md @@ -14,46 +14,107 @@ In cases where the BIOS password is unknown, entering it incorrectly **three tim For modern systems using **UEFI** instead of traditional BIOS, the tool **chipsec** can be utilized to analyze and modify UEFI settings, including the disabling of **Secure Boot**. This can be accomplished with the following command: -`python chipsec_main.py -module exploits.secure.boot.pk` +```bash +python chipsec_main.py -module exploits.secure.boot.pk +``` -### RAM Analysis and Cold Boot Attacks +--- + +## RAM Analysis and Cold Boot Attacks RAM retains data briefly after power is cut, usually for **1 to 2 minutes**. This persistence can be extended to **10 minutes** by applying cold substances, such as liquid nitrogen. During this extended period, a **memory dump** can be created using tools like **dd.exe** and **volatility** for analysis. -### Direct Memory Access (DMA) Attacks +--- + +## Direct Memory Access (DMA) Attacks **INCEPTION** is a tool designed for **physical memory manipulation** through DMA, compatible with interfaces like **FireWire** and **Thunderbolt**. It allows for bypassing login procedures by patching memory to accept any password. However, it's ineffective against **Windows 10** systems. -### Live CD/USB for System Access +--- + +## Live CD/USB for System Access Changing system binaries like **_sethc.exe_** or **_Utilman.exe_** with a copy of **_cmd.exe_** can provide a command prompt with system privileges. Tools such as **chntpw** can be used to edit the **SAM** file of a Windows installation, allowing password changes. **Kon-Boot** is a tool that facilitates logging into Windows systems without knowing the password by temporarily modifying the Windows kernel or UEFI. More information can be found at [https://www.raymond.cc](https://www.raymond.cc/blog/login-to-windows-administrator-and-linux-root-account-without-knowing-or-changing-current-password/). -### Handling Windows Security Features +--- -#### Boot and Recovery Shortcuts +## Handling Windows Security Features + +### Boot and Recovery Shortcuts - **Supr**: Access BIOS settings. - **F8**: Enter Recovery mode. - Pressing **Shift** after the Windows banner can bypass autologon. -#### BAD USB Devices +### BAD USB Devices Devices like **Rubber Ducky** and **Teensyduino** serve as platforms for creating **bad USB** devices, capable of executing predefined payloads when connected to a target computer. -#### Volume Shadow Copy +### Volume Shadow Copy Administrator privileges allow for the creation of copies of sensitive files, including the **SAM** file, through PowerShell. -### Bypassing BitLocker Encryption +--- + +## Bypassing BitLocker Encryption BitLocker encryption can potentially be bypassed if the **recovery password** is found within a memory dump file (**MEMORY.DMP**). Tools like **Elcomsoft Forensic Disk Decryptor** or **Passware Kit Forensic** can be utilized for this purpose. -### Social Engineering for Recovery Key Addition +--- + +## Social Engineering for Recovery Key Addition A new BitLocker recovery key can be added through social engineering tactics, convincing a user to execute a command that adds a new recovery key composed of zeros, thereby simplifying the decryption process. + +--- + +## Exploiting Chassis Intrusion / Maintenance Switches to Factory-Reset the BIOS + +Many modern laptops and small-form-factor desktops include a **chassis-intrusion switch** that is monitored by the Embedded Controller (EC) and the BIOS/UEFI firmware. While the primary purpose of the switch is to raise an alert when a device is opened, vendors sometimes implement an **undocumented recovery shortcut** that is triggered when the switch is toggled in a specific pattern. + +### How the Attack Works + +1. The switch is wired to a **GPIO interrupt** on the EC. +2. Firmware running on the EC keeps track of the **timing and number of presses**. +3. When a hard-coded pattern is recognised, the EC invokes a *mainboard-reset* routine that **erases the contents of the system NVRAM/CMOS**. +4. On next boot, the BIOS loads default values – **supervisor password, Secure Boot keys, and all custom configuration are cleared**. + +> Once Secure Boot is disabled and the firmware password is gone, the attacker can simply boot any external OS image and obtain unrestricted access to the internal drives. + +### Real-World Example – Framework 13 Laptop + +The recovery shortcut for the Framework 13 (11th/12th/13th-gen) is: + +```text +Press intrusion switch → hold 2 s +Release → wait 2 s +(repeat the press/release cycle 10× while the machine is powered) +``` + +After the tenth cycle the EC sets a flag that instructs the BIOS to wipe NVRAM at the next reboot. The whole procedure takes ~40 s and requires **nothing but a screwdriver**. + +### Generic Exploitation Procedure + +1. Power-on or suspend-resume the target so the EC is running. +2. Remove the bottom cover to expose the intrusion/maintenance switch. +3. Reproduce the vendor-specific toggle pattern (consult documentation, forums, or reverse-engineer the EC firmware). +4. Re-assemble and reboot – firmware protections should be disabled. +5. Boot a live USB (e.g. Kali Linux) and perform usual post-exploitation (credential dumping, data exfiltration, implanting malicious EFI binaries, etc.). + +### Detection & Mitigation + +* Log chassis-intrusion events in the OS management console and correlate with unexpected BIOS resets. +* Employ **tamper-evident seals** on screws/covers to detect opening. +* Keep devices in **physically controlled areas**; assume that physical access equals full compromise. +* Where available, disable the vendor “maintenance switch reset” feature or require an additional cryptographic authorisation for NVRAM resets. + +--- + +## References + +- [Pentest Partners – “Framework 13. Press here to pwn”](https://www.pentestpartners.com/security-blog/framework-13-press-here-to-pwn/) +- [FrameWiki – Mainboard Reset Guide](https://framewiki.net/guides/mainboard-reset) + {{#include ../banners/hacktricks-training.md}} - - -