
Physical Device Security

Cold Boot Attack

Cold-boot attacks are used to capture encryption keys from a running system. Two primary methods have been used for cold-boot attacks: removing memory modules from a running system and placing them in a system under the attacker’s control to capture memory contents, and performing a cold-boot (full shutdown and restart) with a removable drive used to load an operating system that can read the contents of pre-boot physical memory.

Cold-boot attacks target unencrypted memory locations, allowing the theft of BitLocker and other encryption keys that are not protected by two-factor authentication. Cold-boot attacks require both technical sophistication and sufficient undisturbed access to a system to access system memory or boot it from an external drive, making them somewhat unlikely to occur in practice for most penetration testers—but they’re still part of the exam objectives!
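The paragraph above ties the cold-boot risk to BitLocker keys that are not protected by two-factor (pre-boot) authentication. A TPM-only protector releases the volume key to memory automatically during boot, which is exactly the state a cold-boot attack captures; TPM+PIN or TPM+startup-key protectors do not. The following PowerShell check is an added example, not part of the study guide, and assumes the Windows BitLocker module (`Get-BitLockerVolume`) is available in an elevated prompt; the function name `Test-PreBootAuthentication` is ours.

```powershell
# Added example (not from the study guide): enumerate BitLocker volumes and flag
# any operating system volume that relies on a TPM-only protector, i.e. one with
# no PIN or startup key required before the key is unsealed at boot.
# Assumes the BitLocker PowerShell module (Windows, elevated session).

function Test-PreBootAuthentication {
    [CmdletBinding()]
    param()

    # Protector types that require something the user knows or holds at boot.
    $preBootTypes = @('TpmPin', 'TpmPinStartupKey', 'TpmStartupKey')

    foreach ($vol in Get-BitLockerVolume) {
        # Only OS volumes are auto-unlocked at boot; data volumes are out of scope here.
        if ($vol.VolumeType -ne 'OperatingSystem') { continue }

        # Normalise enum values to strings so the comparison below is unambiguous.
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        $hasTpm     = $types -contains 'Tpm'
        $hasPreBoot = ($types | Where-Object { $preBootTypes -contains $_ }).Count -gt 0

        $verdict = if ($vol.ProtectionStatus -ne 'On') {
            'NotProtected'          # encryption off or suspended: keys are trivially exposed
        } elseif ($hasPreBoot) {
            'PreBootAuthRequired'   # TPM + PIN / startup key: key is not unsealed without user input
        } elseif ($hasTpm) {
            'TpmOnly'               # key lands in RAM at every boot with no second factor
        } else {
            'Review'                # unusual protector set (e.g. password-only); inspect manually
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ', ')
            Verdict          = $verdict
        }
    }
}

# Usage: list OS volumes and their verdicts; non-zero exit if any is TPM-only or unprotected.
$results = Test-PreBootAuthentication
$results | Format-Table -AutoSize
if ($results | Where-Object { $_.Verdict -in 'TpmOnly', 'NotProtected' }) { exit 1 }
```

The check reads the protector list rather than trusting the "encrypted" status alone, because a volume that shows as fully encrypted with a TPM-only protector still has its key sitting in RAM whenever the machine is powered on or sleeping. Remediation is to add a TPM+PIN protector (`Add-BitLockerKeyProtector -TpmAndPinProtector`) and to prefer hibernation or shutdown over sleep on portable systems.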

JTAG Debug

JTAG is an industry standard for hardware debug ports that provide serial connections. Hardware hackers, including curious penetration testers, can use JTAG debug test pins to conduct physical hardware attacks on devices including routers, IoT devices, and anything else that you can find JTAG pins or ports on!

JTAG attacks are often used to recover firmware from devices, allowing you to analyze the device’s operating system and software for vulnerabilities and security issues like embedded passwords or back doors. JTAG access can also allow you to use built-in debugging tools to craft more capable attacks by using the same tools developers did to test the device. It is often possible to use JTAG connections to test attacks that might not be possible without a direct on-device debugging console.

The same debugging access also means that you may be able to pull passwords or encryption keys directly from memory while the device is live. While all of these attacks require direct physical access, if you can acquire a device and spend time with it, a JTAG port or pins may provide you with a wealth of information.

Serial Console

Physical access to hardware like network devices, Internet of Things (IoT) devices, and a multitude of other systems is commonly accomplished via a serial connection that provides console access. Penetration testers who can gain access to systems can sometimes find unsecured or insecure system or administrative access via serial consoles. In most cases, a serial console uses either a traditional 9-pin serial port or an RJ45 network port style connection directly to a device, allowing console access.

Once you have found a device and have identified the manufacturer and type of device, you can typically find manuals that will provide details for how to connect to the serial console, default passwords (if they are even required), and what types of commands you can use from the console. With that information in hand, you may be able to take a variety of actions, ranging from changing system states to resetting the administrative password for the device as part of a recovery process!

Because serial consoles typically require local physical access, many are designed as recovery consoles, allowing the locally connected user to bypass most or all security controls. That makes access to a serial console very desirable if you can get it!