There are some attacks that you can use to test the physical security of the target's hosts, rather than testing them from a purely virtual space. Note that these tests are technical in nature, and usually involve vulnerabilities in how the host's hardware is configured. Also, these attacks are not OS-specific—because they are hardware-based, they can apply to Windows, Linux, and more.
In a cold boot attack, an attacker with physical access to a computer with an encrypted drive may be able to retrieve encryption keys after starting the computer from its off state. When the operating system loads, you scan the system's RAM to find the keys that were stored temporarily in memory and not just on the storage device itself. Although RAM is volatile, it can take several minutes after losing power before data is completely erased.
A serial console refers to the use of a computer serial port (COM, USB) to provide a direct console interface to a device. Routers, switches, firewalls, wireless access points, and other networking devices generally have neither keyboard in nor video out ports. They depend on the administrator either making a network connection or a console connection to manage them. The benefit of a serial console is that the device need not have any networking capabilities configured for the administrator to make a connection. The vulnerability is that administrators often do not configure a user name and password on the console. This means that anyone who has physical access to the device can plug their laptop into it and gain an administrator prompt.
A JTAG connector is a simple hardware interface that allows a computer to communicate directly with chips on a board. Although it may have somewhat different pinouts and connector types, it specifies a standardized set of signals and is used in nearly all embedded devices. JTAG debugging is a troubleshooting methodology used by hardware manufacturers to test printed circuit boards. It can also be used to hack a device; for example, to gain root access to a home router.
Note: For more information on JTAG connections and using JTAG debugging to hack a home router, see https://blog.senr.io/blog/jtag-explained