# Physical attacks

## Physical recon

* Google street view is handy
  * can be outdated
* drive-by
* just stalk them

## Physical barriers

* doors, gates
* motion sensor door locks
  * canned air can trigger motion sensor from outside
* doors with keys and padlocks
  * lock picking (manual and electronic) opens these easily
* door unlock button
* RFID door locks
  * backend systems often very dumb
  * plenty of devices can copy cards
    * Flipper Zero

## Drop boxes

* device that gets stealthily added to local network
* preconfigured to provide connection for attacker
* make it inconspicuous
  * in cable tray
  * behind desktops
  * ...
* when using multiple, make sure they don't communicate
  * finding one shouldn't find the others

### LAN Turtle

* looks like USB ethernet dongle
* routes attacker traffic through VPN into victim network

### Packet Squirrel

* <https://shop.hak5.org/products/packet-squirrel-mark-ii>
* mostly aimed at network interception and manipulation
* logs network traffic
* captures print spool jobs
* intercepts DNS requests and directs them to server of your choosing

### Hidden camera

* drop boxes that contain hidden camera
* look like ordinary devices (e.g. USB charger)
* position is key

## HID injection attacks

* attacks using devices that act as Human Interface Devices (HID), e.g. keyboard
* Rubber Ducky
  * USB that acts like HID
  * sends lots of keystrokes to e.g. install malware
* Bash Bunny
  * more advanced Rubber Ducky
  * emulates ethernet, serial and flash storage as well
* typical attacks
  * QuickCreds: run Responder on device to extract NTLMv2 hashes
  * BunnyTap: funnel cookies of user to attacker
  * Kon-Boot: allows access into password-protected PC by booting with Kon-Boot enabled on USB
* drop attacks
  * leave thumb drive for people to find
  * curious people will plug it in
  * devices that look like cables also exist
* destructive attacks
  * killer USBs that send high voltage through device
  * destroy mission critical devices

## WiFi attacks

* capture handshakes of devices
  * pass handshake to hashcat
* most tools require monitor mode
  * not present on most devices
* WiFi Pineapple
  * preconfigured WiFi attack tool
  * rogue access point
  * reroute traffic
  * capture handshakes
  * ...

## Mitigation

* proper training of staff
* network scans for unauthorised devices
* monitoring and incident response
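
One way to carry out the "network scans for unauthorised devices" mitigation, as an added example that is not part of the original notes: compare the MAC addresses a switch has learned against an asset inventory, and also flag access ports that carry more MACs than expected, which is what a device added behind a desktop tends to produce. The inventory, the `port,mac` export format and the one-MAC-per-access-port threshold are assumptions, and all sample values are constructed.

```python
from collections import defaultdict

# Constructed inventory: MAC addresses of approved devices -> asset name.
INVENTORY = {
    "00:11:22:33:44:01": "desktop-finance-01",
    "00:11:22:33:44:02": "printer-floor2",
    "00:11:22:33:44:03": "desktop-hr-07",
}

# Constructed sample: "port,mac" rows exported from a switch MAC table.
SAMPLE_TABLE = """\
Gi1/0/1,00:11:22:33:44:01
Gi1/0/2,0011.2233.4402
Gi1/0/3,00-11-22-33-44-03
Gi1/0/3,02:AA:BB:CC:DD:10
Gi1/0/7,02:aa:bb:cc:dd:11
"""

def normalise_mac(raw):
    """Reduce colon, dash and dotted MAC notations to aa:bb:cc:dd:ee:ff."""
    digits = "".join(c for c in raw.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit(table_text, inventory, max_macs_per_port=1):
    """Return (unknown, crowded): MACs missing from the inventory, and
    access ports carrying more MACs than expected (possible added device)."""
    ports = defaultdict(set)
    for line in table_text.splitlines():
        if not line.strip():
            continue
        port, raw_mac = line.split(",", 1)
        ports[port.strip()].add(normalise_mac(raw_mac))
    unknown = sorted((port, mac) for port, macs in ports.items()
                     for mac in macs if mac not in inventory)
    crowded = sorted(port for port, macs in ports.items()
                     if len(macs) > max_macs_per_port)
    return unknown, crowded

if __name__ == "__main__":
    unknown, crowded = audit(SAMPLE_TABLE, INVENTORY)
    for port, mac in unknown:
        print(f"unknown device {mac} on {port}")
    for port in crowded:
        print(f"{port}: more than one MAC on an access port")
```

Uplink ports and ports shared with an IP phone legitimately carry several MACs, so exclude them or raise `max_macs_per_port` for those ports before alerting on the result.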