Skip to content
/ Physical_Security_Experiments Public

This was an assignment for ITEC285 during college at MHC. The time I spend debugging was great, however, there are quite interesting projects that came out of it, see 4 demo videos.

0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Flogging0140/Physical_Security_Experiments

BranchesTags

Repository files navigation

Physical Security Experiments

Google Slides Here

Overview

This was a project during my last semester at MHC for ITEC285, my security class. The goal was to pick a security topic, research its importance, and extra for a demo.

Including source code, though omitting the 17pg essay as there is little need for it here

Highlights

  • Created a Rubber ducky from an Raspberry Pi Pico
  • Created a Rubber ducky from an Arduino Leonardo
  • Outlined simple security issues and potential solutions
  • Brute forced Samsung A70 with Pico
  • Persistent Reverse Shell, w/BAD-USB
  • .py Script for Windows 10 hash collection

Video Demo, Gandalf, Pico, Leonardo

Setup both Raspberry Pi Pico and Arduino Pro Micro (Leonardo) as HID devices. Basically they are now user input devices. System does not know difference. Pico also a mass storage device (2mb). Simulate user input to enter commands in RUN box.

Google Drive Proj Demo

Video Demo, Persistent Reverse Shell, w/BAD-USB

During class created persistent Kali USB for a lab. Listening with NC on port 87, for any IP. Pico injects PowerShell, creates scheduled task on logon, logs out user.

Caveat: Thought PS turns off firewall and Live-Protection, tamper protection has to be disabled (not by default), though this does not get reset when restarted, so only needs to be done once by user or by Ducky Script.

Google Drive Proj Demo

  • Project Resources, Attributes
    • Starting point, Netcat-Reverseshell-On-Log-In - HokkaidoInu
    • Pair Programmer, help w/Debugging, Emotional Support
      • ChatGPT
        • PowerShell syntax/commands, debugging assistance
  • Issues
    • Stuck in session 0 😭
    • Permissions issue, which users to use
    • Task Scheduler running but not running script 👀
    • Disabling live-protection
    • Tamper protection
    • Potential dependency issue
    • Currently working with this one

Video Demo, Brute-Force, Android-10, 4 digit lock

Pico can connect to android phone like a computer, because it is one. Lockout time is limited to 30 seconds, try every 30 seconds, only 10k possibilities, ~4 days, no lockdown/wipe by default.

Note: I do 4 days because don't have a camera mount. This just was a shortened version, just proof we can enter data and unlock a phone with prompts from DuckyScript.

Google Drive Proj Demo

Video Demo, Hash-Collection, Win-10, .py Script

Using lab (from Mike L, ITEC285, MHC) as process. Python Script used as delivery method, already runs fine, installed on Kali. Detects largest drive, guesses is Win-10, mounts, collects hashes, outputs to file, uses pastebin's API to send to internet (anon), unmounts drive. Process finishes in <5 seconds if successful.

Google Drive Proj Demo

  • Project Resources, Attributes
    • Mike Long’s ITEC285, labs.
      • Practiced python in his labs
      • Given lab on collecting hashes, following same process in code
    • Boilerplate, syntax help, debugging help

Technologies Used

icon

icon

icon

icon

About

This was an assignment for ITEC285 during college at MHC. The time I spend debugging was great, however, there are quite interesting projects that came out of it, see 4 demo videos.

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages