Advanced Techniques in Physical Pen Testing
Covert entry, lock bypass, RFID cloning, and social engineering tradecraft used by professional physical red teamers.
Network defenses can be hardened, EDR can be tuned, multi-factor authentication can be enforced — and then a contractor in a high-vis vest walks through the front door, drops a rogue device on an executive floor, and exfiltrates source code over a 4G modem to a coffee shop two blocks away. Physical penetration testing assesses the part of the attack surface that exists in concrete, badges, locks, and human trust, and demonstrates why a holistic security program cannot stop at the firewall. This article details modern physical red-team tradecraft used by professional teams operating under explicit, signed engagement rules.
Core Concepts
A professional physical engagement follows a strict workflow:
- Scoping and Rules of Engagement — exact addresses, allowed entry windows, prohibited actions (no actual theft, no damage above defined thresholds), safe words, emergency contacts, get-out-of-jail letters signed by an authorized executive.
- Open-source intelligence (OSINT) — Google Earth and Street View, building permits, public-facing tenant directories, employee LinkedIn for badge styles and uniforms, dumpster reconnaissance from public sidewalks.
- On-site reconnaissance — passive observation of entry/exit patterns, badge readers, camera placements, security guard rotations, smoking areas, loading docks, delivery schedules.
- Plan development — primary, alternate, contingency, and emergency (PACE) entry plans; cover stories, props, escape routes.
- Execution — covert entry, objective completion, exfiltration.
- Reporting — narrative, video, photographic evidence, control-failure analysis, recommendations.
The disciplines required: lockpicking, RFID and electronic-access exploitation, social engineering, alarm bypass, surveillance, and on-the-fly improvisation. Much of the modern practice was codified in the published work and training of Deviant Ollam, Babak Javadi, and the CORE Group, and in the academic lock-security literature (for example Matt Blaze's 2003 analysis of master-keyed mechanical locks).
Reconnaissance and OSINT
Effective recon answers questions like: What does the badge look like? Which doors are the most heavily used (and thus the easiest to tailgate)? Where do smokers congregate, and which doors get propped open for smoke breaks? What time do janitors arrive? Which entrances have a vestibule with two sets of doors (an anti-tailgating control)? Which loading docks have unattended periods?
Specific OSINT moves:
- Image search of employee badges visible in social-media photos — clone the format.
- Google Earth for roof access, fence gaps, perimeter cameras.
- Job postings that reveal the access control vendor (HID, Lenel, Brivo, Genetec).
- Construction permits for floor plans.
- Glassdoor and Reddit for employee culture observations (do people challenge strangers? are visitors strictly escorted?).
- Vendor uniform photography for cover identity (Uber Eats, ISS, JLL, CBRE, telecom, utility).
Lock Bypass
Mechanical locks remain pervasive even in modern offices. Operators carry:
- Pick and tension wrench sets — standard pin-tumbler locks (Kwikset, Schlage SC1, Master Lock) yield to skilled hands in seconds to minutes.
- Bump keys — for compatible cylinders.
- Comb picks — for cheaper wafer locks.
- Under-the-door tools (UDT) — fished through the gap under a door to hook and pull the inside lever; defeats lever-handled office doors that lack a door sweep, astragal, or lever guard.
- Loid (latch) tools — slip the spring latch on doors whose deadlatch plunger is not properly engaged and whose deadbolt is not thrown.
- Padlock shimming — a shim cut from a beverage can defeats many low-cost padlocks.
- Master-key escalation — many commercial properties use 5- or 6-pin master systems; with one change (tenant) key and access to any one lock in the system, the master bitting can be recovered one pin position at a time by cutting test keys, after which the reconstructed master opens every door on that master.
- Deadbolts — require picking, or a thumb-turn flipper worked through the door gap or under the door; high-security cylinders (Medeco, Mul-T-Lock, ASSA Abloy Protec) significantly raise difficulty.
Door-frame and hinge attacks are often the lower-effort path: prying the frame to free the latch, pulling hinge pins on outward-swinging doors, and shimming latches on improperly installed strikes.
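The master-key escalation above is easiest to understand as a query-count problem, so here is an added simulation of the attack (this is example code written for this article, not tooling from any of the authors or vendors named). It models a simplified pin-tumbler cylinder in which each chamber opens at the change-key depth or, where a master wafer is present, at the master depth; the bittings, the ten-depth system and the lack of a MACS (maximum adjacent cut) rule are assumptions for illustration. The attacker holds one change key and can test keys in one lock; the recovered bitting is then tried against a second lock on the same master.

```python
"""Simulation of recovering a top master key from one change key and one lock.

Added example; not code from any cited author or lock vendor. The lock model and
all bittings below are constructed for illustration.
"""
from typing import Sequence, Tuple

DEPTHS = range(0, 10)  # assumed ten cut depths per position, 0 = shallowest cut


class Lock:
    """A pin-tumbler cylinder keyed to one change key under one top master key."""

    def __init__(self, change: Sequence[int], master: Sequence[int]) -> None:
        if len(change) != len(master):
            raise ValueError("change and master bittings must have the same length")
        self._change = tuple(change)
        self._master = tuple(master)

    def opens_with(self, key: Sequence[int]) -> bool:
        # Each chamber reaches a shear line at the change depth, or at the master
        # depth where a master wafer is stacked in that chamber.
        return len(key) == len(self._change) and all(
            k == c or k == m for k, c, m in zip(key, self._change, self._master)
        )


def recover_master(lock: Lock, change_key: Sequence[int]) -> Tuple[Tuple[int, ...], int]:
    """Recover the master bitting from one change key and one lock it opens.

    For each position, hold every other position at the change-key depth and try
    the remaining depths from shallowest to deepest (a physical test key can only be
    filed deeper, so this order reuses one blank per position). If the lock opens at
    another depth, that depth is the master cut; if none opens, the chamber has no
    master wafer and the master cut equals the change cut.
    Returns (master bitting, number of test keys tried).
    """
    change = tuple(change_key)
    if not lock.opens_with(change):
        raise ValueError("the supplied change key does not open this lock")
    master = list(change)
    tests = 0
    for pos in range(len(change)):
        for depth in DEPTHS:
            if depth == change[pos]:
                continue
            test_key = change[:pos] + (depth,) + change[pos + 1:]
            tests += 1
            if lock.opens_with(test_key):
                master[pos] = depth
                break
    return tuple(master), tests


def demo() -> Tuple[Tuple[int, ...], int, bool]:
    """Recover the master from tenant A's lock and try it on tenant B's lock."""
    top_master = (5, 5, 7, 2, 4, 1)                     # constructed bitting
    tenant_a_change = (3, 5, 2, 6, 4, 3)                # positions 1 and 4 unmastered
    tenant_b_change = (7, 1, 5, 2, 0, 8)
    lock_a = Lock(tenant_a_change, top_master)
    lock_b = Lock(tenant_b_change, top_master)
    recovered, tests = recover_master(lock_a, tenant_a_change)
    return recovered, tests, lock_b.opens_with(recovered)


if __name__ == "__main__":
    bitting, tests, opens_b = demo()
    print(f"recovered master {bitting} after {tests} test keys; opens lock B: {opens_b}")
```

The worst case is (depths - 1) x positions test cuts, 54 here, which is why a master-keyed system exposes the whole facility to anyone holding a single change key and a few blanks; it is also why the remediation list later in this article treats master-key systems as something to inventory rather than a given.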
Electronic Access Control Bypass
Most corporate buildings use proximity cards or smart cards:
- Low-frequency (125 kHz) HID Prox, EM4100, Indala — no authentication at all, the card simply broadcasts its ID; cloneable in seconds with a Proxmark3, a Flipper Zero, or a cheap handheld cloner. A standard reader needs the card within a few centimetres; a long-range reader extends that to a foot or two.
- Mifare Classic — its proprietary Crypto-1 cipher was reverse-engineered in 2008 and keys can be recovered in seconds; clone with a Proxmark3 or Flipper Zero.
- Mifare DESFire EV1/EV2/EV3 — strong when properly configured; misconfiguration (default keys, weak key diversification, reading only the UID) is repeatedly observed.
- HID iCLASS / Seos — generations vary; legacy iCLASS was broken years ago and clones with widely available tools, Seos is considerably better, but a reader-side compromise (ESPKey, BLEKey on the Wiegand lines) still applies whatever the card technology.
- Long-range readers — a high-power 125 kHz reader concealed in a bag or coat harvests prox credentials from people walking past at a foot or two; it does nothing against credentials that require mutual authentication.
- Wiegand sniffing — the wiring between reader and controller is usually unauthenticated and carries the card data in the clear; an ESPKey wired onto the Wiegand lines behind a reader captures every badge presented and can replay any of them to the controller on demand.
- Wireless locks (Salto, ASSA Abloy Aperio) — vendor-specific weaknesses periodically disclosed.
The Flipper Zero democratized RFID exploration, with both legitimate research and consumer-side misuse driving vendor responses.
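To make the Wiegand point concrete, here is an added example (written for this article; not code from HID, the ESPKey project, or any cited author) that decodes and re-encodes the common 26-bit format, then shows a simulated controller accepting a replayed frame. The 26-bit layout is the standard one: an even-parity bit over the following 12 bits, an 8-bit facility code, a 16-bit card number, and an odd-parity bit over the preceding 12 bits. The facility code, card numbers and the `Controller` class are constructed for illustration.

```python
"""Decode, verify and re-encode 26-bit Wiegand frames, then replay one.

Added example; not code from any vendor or cited author. Frames and card numbers
below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass(frozen=True)
class Card:
    facility_code: int
    card_number: int


def _parity(bits: str) -> int:
    """1 if the bit string has an odd number of ones, else 0."""
    return bits.count("1") & 1


def encode_wiegand26(card: Card) -> str:
    """Return the 26-bit frame as a '0'/'1' string, first-transmitted bit first."""
    if not 0 <= card.facility_code <= 0xFF or not 0 <= card.card_number <= 0xFFFF:
        raise ValueError("facility code or card number out of range for 26-bit Wiegand")
    body = f"{card.facility_code:08b}{card.card_number:016b}"
    lead = _parity(body[:12])        # even parity: makes bits 0..12 contain an even count
    trail = 1 - _parity(body[12:])   # odd parity: makes bits 13..25 contain an odd count
    return f"{lead}{body}{trail}"


def decode_wiegand26(frame: str) -> Card:
    """Parse and parity-check a 26-bit frame; raises ValueError on a bad frame."""
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        raise ValueError("expected 26 binary digits")
    if _parity(frame[1:13]) != int(frame[0]):
        raise ValueError("leading even-parity check failed")
    if _parity(frame[13:25]) == int(frame[25]):
        raise ValueError("trailing odd-parity check failed")
    return Card(facility_code=int(frame[1:9], 2), card_number=int(frame[9:25], 2))


class Controller:
    """A door controller that trusts whatever arrives on its Wiegand lines.

    Nothing in the frame identifies the reader or proves a card was present, so a
    frame logged by a tap behind the reader is indistinguishable from a live badge.
    """

    def __init__(self, enrolled: Iterable[Card]) -> None:
        self._enrolled: Set[Card] = set(enrolled)

    def present(self, frame: str) -> bool:
        try:
            return decode_wiegand26(frame) in self._enrolled
        except ValueError:
            return False


def replay_demo() -> List[bool]:
    """Sniff one legitimate swipe, replay it, then try an unenrolled card.

    Returns [legitimate swipe accepted, replay accepted, stranger accepted].
    """
    controller = Controller([Card(42, 12345)])
    captured: List[str] = []                     # what an inline tap would log

    def wire(frame: str) -> bool:                # the reader-to-controller cable
        captured.append(frame)
        return controller.present(frame)

    legit = wire(encode_wiegand26(Card(42, 12345)))
    replayed = controller.present(captured[0])   # attacker drives the lines directly
    stranger = controller.present(encode_wiegand26(Card(42, 99)))
    return [legit, replayed, stranger]


if __name__ == "__main__":
    print(encode_wiegand26(Card(42, 12345)))
    print(replay_demo())
```

The defensive counterpart is in the mitigation list later in the article: OSDP with Secure Channel authenticates and encrypts the reader-to-controller link, so a captured exchange cannot simply be driven back onto the wire.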
Tailgating, Pretexting, and Social Engineering
Most physical engagements succeed via humans, not tools.
- Tailgating — entering behind someone who badges open a door. It works in almost any office large enough that employees do not all know each other by sight. Pose with hands full (coffee + laptop), look harried, and target groups rather than individuals.
- Pretext cover stories — IT contractor, AV technician for a meeting, fire-extinguisher inspection, food delivery, sandwich-board lunch caterer.
- Lost-badge gambits — "I forgot my badge in my car, can you let me in to the elevator? I'll get a temp from reception."
- Vendor impersonation — uniforms (purchased on eBay or fabricated), branded clipboard, work order with a real vendor's logo.
- Authority cover — "I'm here from facilities to check the smoke detectors." Few employees challenge a clipboard.
Reception is the choke point. Skilled operators study reception scripts, look for shift-change windows, and pre-position alternate entries. Once past reception, the building usually opens up — internal doors are often unlocked, restrooms accessible to anyone, conference rooms unscheduled and empty.
Implants and Exfiltration
Once inside, operators drop persistent footholds:
- Network implants — LAN Turtle, Packet Squirrel, hidden Raspberry Pi with a 4G HAT, plugged into an unused Ethernet wall jack in a conference room or under a desk.
- Wireless implants — Wi-Fi Pineapple or rogue AP for capturing nearby employee devices.
- Keystroke loggers — USB pass-through devices on executive workstations.
- HID attacks — Rubber Ducky / O.MG Cable plugged into an unattended workstation, scripted to execute payloads.
- Camera implants — discreet IP cameras observing badge swipes, PIN pads, server-room keypads.
- Physical document theft — printer trays, unlocked filing cabinets, sticky-noted passwords on monitors — but most modern engagement rules prohibit removing documents; photograph instead.
Exfiltration of captured data uses the implant's 4G channel, the corporate Wi-Fi guest network, or simple physical removal of the implant on a follow-up visit.
Alarm and Surveillance Considerations
Operators map cameras during recon; many are defeated by appearing to belong (cover stories) rather than by evading lenses. Pet-immune PIR motion sensors, where installed, are tuned to ignore targets below a configured weight (commonly 40 to 80 lbs) and are less sensitive to slow, low-profile movement; glass-break detectors listen for the specific acoustic signature of breaking glass. Operators avoid triggering alarms when possible: getting caught quietly by guards is far better than triggering a police response, with its attendant legal and physical risk.
For after-hours engagements, signed letters of authorization and pre-coordinated guard-force or property-management notification are mandatory; surprise after-hours entries carry unacceptable risk.
Real-world Examples
- Defcon Social Engineering Capture-the-Flag and Tradecraft Labs / Red Team Village CTFs demonstrate live tradecraft.
- Jek Hyde, Deviant Ollam, and Babak Javadi — long-running publicly documented engagements (with redactions) demonstrating tailgating, lock bypass, and badge cloning at large enterprise facilities.
- Coalfire incident (2019) — two contracted pen testers were arrested while testing physical security at a county courthouse in Iowa; the charges were eventually dropped in early 2020. It remains the landmark case for the legal importance of the chain of authorization between client, contractor, and on-site staff.
- Public datacenter visit reports — researchers repeatedly badge into colocation facilities with social engineering alone.
Best Practices & Mitigation
For organizations:
- Replace legacy 125 kHz proximity cards with modern, mutually authenticated credentials (HID Seos, Mifare DESFire EV3 properly configured) and mobile credentials (Apple/Google Wallet, HID Mobile Access).
- Anti-tailgating measures — mantraps/vestibules at high-value entries, optical turnstiles in lobbies, security-guard challenge culture.
- Visitor management — every visitor escorted, badged with photo, system that records and audits.
- Reader and controller hardening — readers mounted with tamper detection, controllers in locked utility closets, OSDP secure-channel between reader and controller instead of Wiegand.
- Locks with bypass resistance — anti-pick and security pins, UDT protection (door sweeps, astragals, lever guards), hinge-protection pins on outward-swinging doors, and an inventory of master-keyed systems so that a lost change key is treated as a facility-wide exposure.
- Security awareness training that addresses tailgating, pretexting, and reporting of suspicious behavior, with recognition programs for employees who challenge or report.
- Network-port disabling by default for unused jacks; 802.1X port authentication; rogue-device detection.
- Camera and motion-sensor coverage of access points, server rooms, and high-value areas with rapid alert triage.
- Clear policies and legal posture — engagement letters, get-out-of-jail letters, coordination with internal and external counsel, awareness in property management and guard force where appropriate.
- Regular physical red-team tests — at least annually, with rotating scope (HQ, branch, datacenter, warehouse) and follow-on remediation.
For operators:
- Safety first — comply immediately with guards and police, de-escalate, never run.
- Document everything — body-worn cameras, time-stamped photos, narrative notes.
- Stay within scope — every step must be auditable to written authorization.
- Brief and debrief with the client — physical findings are often the most impactful and most uncomfortable in a security program; deliver them constructively.
Physical penetration testing remains a discipline that consistently humbles the most expensively defended technical estates. The same organizations that detect kernel exploits in microseconds let confident strangers in high-vis vests roam executive floors with impunity. Skilled professional physical red teams combine the patience of intelligence officers, the dexterity of locksmiths, the charm of con artists, and the legal discipline of regulated professionals. For defenders, the lesson is that security is a complete system — bits, badges, locks, people — and the perimeter is only as strong as the kindest receptionist on the friendliest morning.