Top 5 Ways The Red Team breached and assessed the Physical Environment

Adam Toscher
5 min readMar 6, 2019

We tailgate, skim and clone. Social engineer and deceived to employee and CISO alike, to get onsite and hit our “Breach” Physical, or “Red Team” goal. In my years performing physical security assessments, these are some of the techniques my peers and I found successful.

Some say that as the perimeter, and external environments are becoming harder to breach and penetrate; and as Windows Domains and
Personal Computers become less common, and networks change, computers like everything else evolves.

One must ask the question it’s only a of time before adversaries will go the Physical route? The benefits of a controlled Physical Environment assessment — .— it’s a philosophical argument where Breach reports don’t disclose all the facts, but as technical control weaken, adversaries will take the path of least resistance. This much I know is true…

USB Harpooning victims, and implanting WiFi chips in charging cables? OMG!!!

I believe this myself, this is my own philosophy and that of my peers who see the Physical realm as an overlooked component when conducting security assessments. I’ve read the papers and know that APT’s use; mostly external means to breach the perimeter.

1. Tailgate

Most of the time it’s easy enough to just walk in to a company, determined and stern. The path of least resistance is hard wired within us, follow this instinct and act like you’re supposed to be there.

I’ve tail gated behind cars and people alike. How many people walk into massive shared complexes where an unusual face is more common than not? Once you’re inside you can then proceed to skim or obtain a badge to clone later on.

2. Proximity Card Skimming and Long Distance Access Control Attacks

Using devices like the Proxmark you can start with the HID Prox and eventually copy and even modify other types of proximity cards.

For attacking the actual controls themselves, you can use a BLEKEY, or an ESPKEY. These devices allow you to interface directly with the reader, and can be installed in a matter of minutes not hours. These devices are small, well designed and inconspicuous if installed properly As Mark Basesggio creator of the BLEKEY comments that most access controls sucked in 2016 and I’d say that nothing much has changed; they’re dated and vulnerable. Easy to skim and clone.

You can rig up a nice long distance RF reader like Bishop Fox outlines below:

Image from Bishop Fox

Cost of acquiring the the hardware fluctuates on Ebay but it’s amazing how many of these HID proximity systems are used when looking at large and small businesses, corporations, health care institutions and municipalities; including secure sites like data centers, and the wiring/server closets in many offices.

Remember that access controls are often overlooked or not prioritized according to the rules of standard Red Teaming and Penetration defined by corporations themselves. Red Tape can often completely stop a company from even considering a Physical Breach Simulation.

3. Social Engineer

Ah, the good old fake letter, solid pretext and a friendly call to the building before you even land , can have sold as as a security guard, or pest control. You arrive onsite, already verified with the right gear and the proper attire. Get on that LAN, and drop a device or grab some hashes and get Domain Admin before Lunch.

Evil Maid: Gain access to the laptop when unwanted by dressing the part ,and install your favorite backdoor of choice.

4. Physical Access Control Bypass & Lock Picking

Arguably obtaining as many universal or “bump-able ” keys is the name to this game. Simple non secure keys can be copied with a high resolution photograph and a 3d printer.

Master keys can be copied and abused to bypass doors, and gain access to shared building stairwells and elevators.

In the world of physical security assessments, most large consulting companies don’t want to take on the responsibility, of scratched tumblers and potential damage to locks in event and the definitive element of uncertainty that comes with a Red Team Physical Penetration Test. This simulation is not logical but real.

Sometimes you can bypass certain sensors from the outside, with a can of compressed air. Depending on the sensor, keys and overall security posture of the building, different techniques may apply.

5. WiFi credential harvesting and Internal Network disclosure, badge identification and corporate mobile device

You can target a building’s local coffee shop for an incognito and effective way to gain access to a GUEST or improperly configured wireless supplicant on a device connected at one time, to the corporate network. DNS information, usernames and even passwords can be disclosed on a Rogue/Evil Twin network. Being onsite gives you the ability to sniff and perform long period of OSINT recon anonymous and covertly.

I must state that I did all of my physical assessments, with a carefully planned scope, a get of jail letter in case I was apprehended, and a lot of planning. Be courteous, obey the rules of the engagement, and happy pwning!



Adam Toscher

Adam is a offensive security engineer and red team operator with over 20 years of experience in IT