【AVTOKYO2025】☄️Red Team Hacks: Physical Locks -> Cyber Backdoors

Abstract: Penetration testing is a well-established method for assessing an organization's internal defenses. However, few engagements truly reproduce the multi-layered tactics used by real attackers. In this talk I share technical lessons from full-scope assessments that combined physical intrusion with remote compromise. I cover both attacker and defender perspectives on employee badge cloning, deployment of malicious hardware, lateral movement via repository tampering, and the design of Slack-based C2 channels.
URL: https://www.avtokyo.org/avtokyo2025/speakers

Satoki Tsuji

May 02, 2026

Transcript

  1. Satoki Tsuji
    WebSec / AISec / Pentesting
    𝕏: @satoki00 E-mail: [email protected] GitHub: https://github.com/satoki
    Web Application Tuntsun Shokunin, CTF Player, Bug Hunter
    I have spoken at AVTOKYO (2020, 2023, 2024), Security Analyst Summit 2024, Hack Fes. 2024, m0leCon 2025, TyphoonCon Seoul 2025, HITCON 2025, Queen City Conference 0x3, and DefCamp 2025.
  2. Today's Topic
    I have conducted penetration tests for multiple organizations, involving physical intrusions into office premises, remote control through custom malware, and lateral movement via GitHub.
    The Physical and Cyber Attack Flow
  3. Outline
    ・Attack Scenario
    ・On-Site Operation ~Visual Recon / Badge Forgery~
    ・On-Site Operation ~Bypassing Door Authentication~
    ・On-Site Operation ~Constructing Bad Hardware~
    ・On-Site Operation ~Deploying Bad Hardware~
    ・Remote Operation ~Borrowing Test Laptop~
    ・Remote Operation ~Data Exfiltration and Infiltration~
    ・Remote Operation ~Designing Malware~
    ・Remote Operation ~Connecting to C2~
    ・Remote Operation ~Repository-Based Lateral Movement~
  4. Pentesting Workflow
    Covert operation, excluding executives and internal collaborators.
    [Workflow diagram labels: Pre-engagement; NDA; Team structure, scope, and liability waiver defined; Contract finalized; Defining attack objectives and scenarios; Hearing on implemented security controls / solutions; Detection evasion and attack feasibility testing; Recon, Exploitation; Analysis, Reporting; Hearing; Attack]
  5. Attack Scenario
    Physical infiltration is increasingly recognized as a critical threat. Examples include newly hired employees with falsified backgrounds, and insiders under coercion or bribery. Physical breaches often provide a stronger initial access vector than malware-based methods such as phishing.
    [Diagram labels: Malware Infection; Lateral Movement; Physical Intrusion; Data Exfiltration; Pentesting Services; APTs]
  6. Attack Scenario
    Cases of failed internal infiltration attempts
    KnowBe4: How a North Korean Fake IT Worker Tried to Infiltrate Us
    https://blog.knowbe4.com/how-a-north-korean-fake-it-worker-tried-to-infiltrate-us
  7. Pentesting Workflow
    Covert operation, excluding executives and internal collaborators.
    [Workflow diagram labels: Pre-engagement; NDA; Team structure, scope, and liability waiver defined; Contract finalized; Defining attack objectives and scenarios; Hearing on implemented security controls / solutions; Detection evasion and attack feasibility testing; Recon, Exploitation; Analysis, Reporting; Hearing; Attack]
  8. On-Site Operations Workflow
    ・Visual Recon / Badge Forgery
    ・Bypassing Door Authentication
    ・Constructing Bad Hardware
    ・Deploying Bad Hardware
  9. On-Site Operation ~Visual Recon / Badge Forgery~
    Mimic Employee Appearance to Avoid Suspicion During Physical Intrusion
    Stake out nearby restaurants during lunch/dinner hours to observe employees
      ・Dress code (business attire or casual)
      ・Commute timing (arrival and departure hours)
      ・Types of devices in use
      ・Whether devices or ID cards are left unattended
    Analyze online interview photos to examine ID cards
      ・Design and material of employee badges
      ・Neck strap color and number of connectors
  10. On-Site Operation ~Bypassing Door Authentication~
    Investigate Office Entry Authentication to Assess Intrusion Feasibility
    Examine physical security controls at the entrance
      ・Type of authentication (IC card, biometrics, etc.)
      ・Positioning of security guards and cameras
      ・Anti-passback mechanisms
    Observe employee behavior during entry/exit
      ・Automatic door open duration
      ・Whether employees check behind them
  11. On-Site Operation ~Bypassing Door Authentication~
    Bypass Entry Authentication to Physically Enter the Office
    Confirm IDm/UID-based authentication via public manuals or documentation
    Approach employees in close proximity (e.g., escalators, smoking areas) and clone their ID cards using a Flipper Zero
  12. On-Site Operation ~Constructing Bad Hardware~
    Prepare Bad Hardware for Use After Physical Entry
    O.MG Cable, Screen Crab, Packet Squirrel Mark II, Plunder Bug LAN Tap ...
    ※ Because the devices lack the Giteki (technical conformity) mark, the wireless modules are physically removed or destroyed
  13. On-Site Operation ~Constructing Bad Hardware~
    O.MG Cable: USB Cable Functioning as Keylogger or BadUSB
    Swap with existing cable on the target’s office desk
    Attach a pre-made asset label matching the target company
    Add invisible markings for later retrieval
  14. On-Site Operation ~Constructing Bad Hardware~
    Screen Crab: HDMI Passthrough Device for Capturing Video
    Insert between monitor and HDMI cable in meeting rooms or on desks
    Modify via root shell over UART (Android-based)
    Connect to Raspberry Pi for real-time monitoring
  15. On-Site Operation ~Constructing Bad Hardware~
    Packet Squirrel Mark II: MITM + Sniffing Device for Ethernet
    Insert between Ethernet cable and critical devices (e.g., workstations or MFPs)
    Configure to capture only specific protocols
    Max throughput is 100 Mbps
  16. On-Site Operation ~Constructing Bad Hardware~
    Plunder Bug LAN Tap: Ethernet Sniffing Device
    Insert between Ethernet cables in the server room
    Physically connect to a Raspberry Pi for real-time packet capture
    Mass deployment
  17. On-Site Operation ~Constructing Bad Hardware~
    Key Croc: Keystroke Logger and Injector Device
    Insert between a wired keyboard and PC left unattended in the office
    Use key injection to spoof package names for typosquatting
    Primary use is logging to minimize risk of detection
  18. On-Site Operation ~Constructing Bad Hardware~
    Q70: Ultra-Compact Voice Recorder with Voice Operated Recording
    Attach under desks or behind monitors in meeting rooms
    Emits no radio signals (undetectable by RF scan)
    Up to 300 days standby and ~450 hours of recording on full charge
  19. On-Site Operation ~Constructing Bad Hardware~
    4GPi: 4G (LTE) Communication Module Designed for Raspberry Pi
    Acts as an AP to aggregate data from other Bad Hardware and exfiltrate via LTE
    Use a separate LTE subscription and verify connectivity
    Set the AP’s SSID to a natural-looking name
  20. On-Site Operation ~Deploying Bad Hardware~
    Prepare to Avoid Detainment During Physical Intrusion
    Notify the local police with jurisdiction over the target company about the operation
    Establish safety protocols for physical operatives
      ・Maintain constant communication via headset
      ・Keep backup personnel nearby for support
    Plan for potential detainment
      ・Carry documentation proving team affiliation
      ・Equip with devices capable of recording audio
  21. On-Site Operation ~Deploying Bad Hardware~
    [Deployment diagram labels: Workspaces; Data Collection Server; O.MG Cable; 4GPi; 4GPi; Deployment & Retrieval Personnel; Packet Squirrel Mark II; Server Rooms; Plunder Bug LAN Tap; Raspberry Pi; Physical Intrusion; LTE; Meeting Rooms; Screen Crab; Raspberry Pi; Wi-Fi; Key Croc; Q70]
  22. On-Site Operation ~Deploying Bad Hardware~
    Analyze and Leverage Data Collected from Bad Hardware
    Extract organizational structure and security intel from captured monitor footage
    Use credentials obtained via keyloggers for Remote Operations
  23. Remote Operations Workflow
    ・Borrowing Test Laptop
    ・Data Exfiltration and Infiltration
    ・Designing Malware
    ・Connecting to C2
    ・Repository-Based Lateral Movement
  24. Remote Operation ~Borrowing a Test Laptop~
    Investigate Local Attack Feasibility Using a Preconfigured Test Device
    Examine data leakage countermeasures in case of device loss
      ・Status of logon policy enforcement
      ・Presence of disk encryption such as BitLocker or LUKS2
    Assess possibility of gaining administrator privileges
      ・Existence of files with excessive privileges
      ・Feasibility of using one-day kernel exploits
      ・Feasibility of creating zero-day exploits
    Check for existence and type of security solutions
  25. Remote Operation ~Data Exfiltration and Infiltration~
    Exfiltrate Confidential Files and Introduce Malware via a Test Device
    Investigate whether physical exfiltration and infiltration can be prevented
      ・Removable storage (USB, SD cards, external HDDs)
      ・Media Transfer Protocols (MTP)
      ・Optical media (CDs, DVDs, BDs)
      ・Short-range wireless communication (Bluetooth)
  26. Remote Operation ~Data Exfiltration and Infiltration~
    Exfiltrate Confidential Files and Introduce Malware from the Test Device
    Investigate whether exfiltration and infiltration via network are detected
      ・HTTP/S (curl, /dev/tcp, CertReq.exe)
      ・DNS (dnsteal by m57, PyExfil by ytisf)
      ・NTP (ntpescape by evallen)
      ・ICMP (ICMPExfil by martinoj2009)
  27. Remote Operation ~Designing Malware~
    Construct Malware to Be Executed in the Production Environment
    Assume that a malicious package is installed via pip
      ・Executed using Python 3 (Embeddable)
      ・Obfuscated using tools such as Pyarmor, Pyfuck
      ・Converted to binary using PyInstaller
    Evasion via V8 bytecode, based on real-world attack cases
      ・Executed using Node.js (Standalone Binary)
      ・Packed with tools such as nexe, node-packer, or pkg
  28. Remote Operation ~Connecting to C2~
    Execute Malware on an Employee Workstation and Establish a Connection with the C2 Server
    Use services employed by the target organization as the C2 server
      ・Instances on AWS, GCP, Azure, etc.
      ・Messenger applications such as Slack or Discord
    Mimic business communication when issuing commands
      ・Text or images from daily reports
      ・Values periodically sent by bots
    Do not use well-known C2 frameworks
  29. Remote Operation ~Repository-Based Lateral Movement~
    Access GitHub Repositories and Select Targets for Tampering
    Obtain ssh keys from the production endpoint to access the target org’s repos
      ・Retrieve the username from the ssh key
    Recursively collect all accessible repositories
      ・Gather previously accessed repositories from .bash_history
      ・Collect additional repositories referenced in retrieved content such as README
    Select frequently updated repositories as tampering targets
      ・Prioritize internal tools likely to be executed regularly
      ・Prioritize repositories with a large number of files or high code volume
  30. Remote Operation ~Repository-Based Lateral Movement~
    Tamper with Internal Tools or Deliverables in GitHub Repos and Propagate Laterally
  31. Remote Operation ~Repository-Based Lateral Movement~
    [Diagram labels: Target Org’s GitHub Repositories; Pentester; Infrastructure systems; Documents; Internal tools; Customer products; Pull & Analysis; Backdoor; Employee; Pull & Exec; Customer; Exec]
  32. Remote Operation ~Repository-Based Lateral Movement~
    Conceal Suspicious Activity Such as Commits and Pushes to GitHub Repositories
    Spoof the user when adding backdoor code to the repository
      ・Ensure that branch protection rules are disabled
      ・Set the author to a user who updates frequently
      ・Follow the target organization's commit message conventions
  33. Remote Operation ~Repository-Based Lateral Movement~
    Conceal Tampering of Internal Tools and Deliverables in GitHub Repositories
    Disable diff display (files changed) for backdoor code added to the repository
      1. Pretend to make a mistake and delete multiple files
      2. Add backdoor code to some of the deleted files
      3. Restore the deleted files containing the backdoor
  34. Remote Operation ~Repository-Based Lateral Movement~
    Disrupt Detection of Backdoor Code in Internal Tools and Deliverables in GitHub
    Use special characters in backdoor code added to the repository to evade search
      ・Use visually similar Cyrillic characters (e.g., Latin p and Cyrillic р) to mimic existing variable names
  35. Remote Operation ~Repository-Based Lateral Movement~
    Analyze and Leverage Information Obtained from GitHub Repositories
    Scan repository code for vulnerabilities to find new entry points
    Use internal tools to spread laterally and steal new credentials
    Check if supply chain attacks on customers via deliverables are possible
    [Diagram labels: GitHub Repos Compromise; Steal new Credentials; Lateral Movement via Internal tools; Customer Supply Chain Attack]
  36. Wrap Up
    I conducted operations along two main axes: On-Site Operations and Remote Operations.
    It’s not uncommon for the blue team to miss all of my attacks entirely.
    Can your organization detect and neutralize the attacks I executed?
  37. Wrap Up
    Beyond the Attack Flow Presented, Many Other Scenarios Exist
      ・Passing job interviews using a fabricated background
      ・Data theft via multifunction printers
      ・Cyber recon and phishing targeting real employees
      ・Compromising cloud-based assets
    Penetration Testing Anecdotes
      ・The harsh reality of operating as a small red team
      ・Deep dives into Bad Hardware configuration
      ・Discovering another company's pentest report left on a breached internal directory
  38. Special Thanks
    ・Kazushi Kato - Red Team
    ・Minho Kim - Red Team & White Team
    ・Yuma Kurogome - White Team
    ・Tomoya Kitagawa - Technical Advisor (IoT)
    ・Yudai Fujiwara - Technical Advisor (Exploit)
    ・Yuichi Sugiyama - Technical Advisor (Exploit)
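
A defender-side check for the look-alike-character technique on slide 34, added here as an example and not taken from the talk: it flags identifiers that mix Unicode scripts or that collapse to an existing ASCII name once look-alike letters are mapped back. The `CONFUSABLES` table, the function names and the sample source are assumptions constructed for illustration.

```python
import re
import unicodedata

# Constructed subset of Cyrillic -> Latin look-alikes (assumption: a production
# scanner would load the full Unicode confusables data instead of this table).
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u0458": "j",
})
IDENT = re.compile(r"[^\W\d]\w*")  # Unicode-aware identifier-like tokens


def scripts(token):
    """Scripts used by the letters of token (first word of each Unicode name)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in token if ch.isalpha()}


def scan(source):
    """Return (line, token, shadowed_ascii_name_or_None, mixed_script) findings."""
    tokens = [(no, m.group())
              for no, line in enumerate(source.splitlines(), 1)
              for m in IDENT.finditer(line)]
    ascii_names = {tok for _, tok in tokens if tok.isascii()}
    findings = []
    for no, tok in tokens:
        if tok.isascii():
            continue
        skeleton = tok.translate(CONFUSABLES)
        shadowed = skeleton if skeleton in ascii_names else None
        mixed = len(scripts(tok)) > 1
        if shadowed or mixed:
            findings.append((no, tok, shadowed, mixed))
    return findings


# Constructed sample: line 2 introduces a name whose first letter is U+0440.
SAMPLE = (
    "password = read_secret()\n"
    "\u0440assword = password\n"
    "send(\u0440assword)\n"
    "\u0438\u043c\u044f = 'ok'\n"  # all-Cyrillic name, no ASCII twin: not flagged
)

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Run as a pre-receive or CI check over changed files, this surfaces the spoofed name even though a plain-text search for the original variable does not match it.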