diff --git a/07_physical_attacks.md b/07_physical_attacks.md new file mode 100644 index 0000000..6af53e1 --- /dev/null +++ b/07_physical_attacks.md 
@@ -0,0 +1,93 @@ +# Physical attacks + +## Physical recon + +* Google street view is handy + * can be outdated +* drive-by + * just stalk them + +## Physical barriers + +* doors, gates +* motion sensor door locks + * canned air can trigger motion sensor from outside +* doors with keys and padlocks + * lock picking (manual and electronic) open these easily +* door unlock button +* RFID door locks + * backend systems often very dumb + * plenty of devices can copy cards + * Flipper Zero + +## Drop boxes + +* device that gets stealthily added to local network +* preconfigured to provide connection for attacker +* make it inconspicuous + * in cable tray + * behind desktops + * ... +* when using multiple, make sure they don't communicate + * finding one shouldn't find the others + +### Lan turtle + +* looks like USB ethernet dongle +* routes attacker traffic through VPN into victim network + +### Packet squirrel + +* [https://shop.hak5.org/products/packet-squirrel-mark-ii] +* mostly aimed at network interception and manipulation + * logs network traffic + * captures print spool jobs + * intercepts DNS request and directs them to server of your choosing + +### Hidden camera + +* drop boxes that contain hidden camera +* look like ordinary devices (e.g. USB charger) +* position is key + +## HID injection attacks + +* attacks using devices that act as Human Interface Devices (HID), e.g. + keyboard +* Rubber Ducky + * USB that acts like HID + * sends lots of keystrokes to e.g. 
install malware +* Bash Bunny + * more advanced Rubber Ducky + * emulates ethernet, serial and flash storage as well + * typical attacks + * QuickCreds: run Responder on device to extract NTLMv2 hashes + * BunnyTap: funnel cookies of user to attacker + * Kon-Boot: allows access into password-protected PC by booting with + Kon-Boot enabled on USB +* drop attacks + * leave thumb drive for people to find + * curious people will plug it in +* devices that look like cables also exist +* destructive attacks + * killer USBs that send high voltage through device + * destroy mission critical devices + +## WiFi attacks + +* capture handshakes of devices +* pass handshake to hashcat +* most tools require monitor mode + * not present on most devices +* WiFi pineapple + * preconfigured WiFi attack tool + * rogue access point + * reroute traffic + * capture handshakes + * ... + +## Mitigation + +* proper training of staff +* network scans for unauthorised devices +* monitoring and incident response
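Review bot: The Mitigation section at the end of the file has only three bullets, and none of them maps to the attack sections above it: nothing addresses the RFID card copying under "Physical barriers", the HID injection and dropped thumb drive items, or the handshake capture and rogue access point items under "WiFi attacks". Consider adding at least one countermeasure per attack section (for example, restricting or monitoring USB device classes on endpoints for the HID section, and saying what "network scans for unauthorised devices" should look for in the drop box case) so the notes are usable from the defending side. Two smaller points: under "Packet squirrel", `[https://shop.hak5.org/products/packet-squirrel-mark-ii]` is not valid Markdown link syntax, so the brackets will show in the rendered page; use `[Packet Squirrel Mark II](https://shop.hak5.org/products/packet-squirrel-mark-ii)` or angle brackets instead. Also, "intercepts DNS request and directs them" should read "requests", and the "Lan turtle" heading should be capitalised as "LAN Turtle".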