| name | performing-physical-intrusion-assessment |
| description | Conduct authorized physical penetration testing using tailgating, badge cloning, lock bypassing, and rogue device deployment to evaluate facility security controls. |
| domain | cybersecurity |
| subdomain | red-teaming |
| tags | - physical-security - red-team - tailgating - badge-cloning - lock-picking - rfid - physical-pentest |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| d3fend_techniques | - Platform Hardening - Hardware Component Inventory - Electromagnetic Radiation Hardening - RF Shielding - Asset Inventory |
| nist_csf | - ID.RA-01 - GV.OV-02 - DE.AE-07 |
Performing Physical Intrusion Assessment
Overview
Physical intrusion assessment evaluates an organization's physical security controls by attempting to gain unauthorized access to facilities, server rooms, and restricted areas. This includes tailgating employees, cloning RFID access badges, bypassing locks, deploying rogue network devices, and testing security guard procedures. Physical security testing is a critical component of full-scope red team engagements, as it often provides the most direct path to network access. MITRE ATT&CK maps physical access techniques under T1200 (Hardware Additions) and T1091 (Replication Through Removable Media).
When to Use
- When conducting security assessments that involve performing physical intrusion assessment
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing
Prerequisites
- Signed authorization letter (carry at all times during assessment)
- Emergency contact for client security team (24/7)
- Get-out-of-jail letter signed by executive authority
- Physical security testing toolkit
- Body camera or documentation equipment
- Disguise/cover identity materials (uniform, badge, clipboard)
MITRE ATT&CK Mapping
| Technique ID | Name | Tactic |
|---|
| T1200 | Hardware Additions | Initial Access |
| T1091 | Replication Through Removable Media | Initial Access |
| T1199 | Trusted Relationship | Initial Access |
| T1078 | Valid Accounts | Initial Access |
Physical Security Testing Toolkit
| Tool | Purpose | Approximate Cost |
|---|
| Proxmark3 RDV4 | RFID badge cloning (125kHz/13.56MHz) | $300 |
| Flipper Zero | Multi-protocol RF analysis | $170 |
| Lock pick set (Sparrows) | Mechanical lock bypassing | $35 |
| Under-door tool (UDT) | Bypass door from outside | $30 |
| Shove knife / latch slip | Spring bolt bypass | $15 |
| LAN Turtle | Rogue network implant | $60 |
| WiFi Pineapple | Rogue wireless AP | $100 |
| Rubber Ducky / Bash Bunny | USB keystroke injection | $50-80 |
| Clipboard + hard hat + hi-vis | Social engineering props | $20 |
| Body camera | Evidence documentation | $50 |
Technique 1: Tailgating
Tailgating involves following an authorized person through a secured entry point without presenting credentials.
Methods:
- Hands full approach: Carry boxes/equipment, ask someone to hold the door
- Smoke break return: Wait near smoking area, follow employees back inside
- Delivery driver: Wear delivery uniform, carry packages
- Busy entrance timing: Enter during shift change or lunch rush
- Door propping: Observe if employees prop doors open
Countermeasures to test:
- Turnstiles / mantraps
- Security guard challenge procedures
- Piggybacking detection systems
- Employee security awareness
Technique 2: Badge Cloning
proxmark3> lf hid read
proxmark3> lf hid clone --fc 123 --cn 45678
proxmark3> hf mf rdbl --blk 0 -k FFFFFFFFFFFF
proxmark3> lf hid read
Badge cloning attack flow:
- Position near badge reader (elevator, door entry)
- Read badge wirelessly as employee passes (1-3 second window)
- Clone to blank card
- Use cloned badge to access secured areas
- Document which areas were accessible
Technique 3: Lock Bypassing
| Lock Type | Bypass Method | Difficulty |
|---|
| Pin tumbler (standard) | Pick, rake, or bump key | Easy-Medium |
| Wafer lock (filing cabinets) | Pick or jiggle | Easy |
| Tubular lock (vending, server) | Tubular pick tool | Easy |
| Electronic lock (keypad) | Shoulder surf, thermal camera | Medium |
| Magnetic lock (mag lock) | Under-door tool, REX sensor bypass | Medium |
| Smart lock (Bluetooth) | Replay attack, firmware exploit | Hard |
Technique 4: Rogue Device Deployment
Technique 5: Dumpster Diving
Search external waste containers and recycling bins for:
- Printed documents with sensitive information
- Employee directories and org charts
- Network diagrams and IP addresses
- Shredded documents (cross-cut vs strip-cut assessment)
- Discarded hardware (hard drives, USB drives)
Assessment Methodology
Pre-Assessment Reconnaissance
- Perimeter walk - identify all entry points, cameras, guard posts
- Observe employee patterns - shift changes, break schedules
- Identify badge technology (HID, MIFARE, iCLASS)
- Map camera coverage and blind spots
- Note security guard patrol routes and timing
Execution Phases
- External perimeter: Fencing, gates, parking barriers
- Building entry: Main entrance, side doors, loading dock
- Internal access: Floor access, elevator controls
- Restricted areas: Server rooms, executive offices, data centers
- Device deployment: Network implants, rogue wireless
Documentation Requirements
- Timestamp and location for every access attempt
- Photos/video of successful entries
- Badge reader locations that accepted cloned credentials
- Unlocked doors, propped doors, tailgating opportunities
- Network ports accessible in public areas
- Evidence of data in waste containers
Ethical and Safety Considerations
- Always carry authorization letter - Be prepared to identify yourself immediately if confronted
- Never force entry - If a technique damages property, document and skip
- Immediate stop if law enforcement is called before deconfliction
- Never photograph individuals without authorization
- Document, don't exploit - Take photos as evidence, don't steal actual data
- Safety first - Do not enter hazardous areas or bypass fire safety
References
- ISACA Physical Penetration Testing White Paper (2023)
- ASIS Physical Security Professional (PSP) guidelines
- NIST SP 800-116 Rev. 1: Smart Card PIV guidelines
- Deviant Ollam - Physical Security Assessment methodology
- MITRE ATT&CK T1200: https://attack.mitre.org/techniques/T1200/
