Physical Red Team: Beyond the Keyboard

The best firewall in the world doesn't stop someone walking through the front door. Physical red teaming tests physical security controls - badge access, locks, security guards, and human nature. Combined with cyber attacks, physical access often provides the fastest path to total compromise.

Authorization is Everything

Physical intrusion without authorization is breaking and entering - a serious crime. Always have written authorization, emergency contacts, and a "get out of jail" letter. Even with authorization, things can go wrong. Plan accordingly.

Physical Reconnaissance

Before any physical engagement, extensive reconnaissance identifies entry points, security measures, and opportunities.

PHYSICAL RECON CHECKLIST:

EXTERNAL OBSERVATION:
├── Building entrances (front, back, loading dock, garage)
├── Security guard presence and schedules
├── Camera locations and coverage gaps
├── Badge reader types (HID, MIFARE, etc.)
├── Fence types, gates, barriers
├── Lighting (for night operations)
├── Neighboring buildings (shared access?)
└── Dumpster locations

OSINT GATHERING:
├── Google Maps/Earth (building layout, parking)
├── LinkedIn (employee photos with badges visible)
├── Social media (badge designs, office photos)
├── Glassdoor (security complaints, office layout)
├── Job postings (technologies used, locations)
├── Building permits (floor plans sometimes public)
└── Badge photos from conferences/events

SOCIAL ENGINEERING RECON:
├── Employee schedules (when offices are empty)
├── Delivery schedules (good cover)
├── Cleaning crew schedules
├── Smoking areas (badge-out doors)
└── Common pretexts that work here

Physical Access Methods

Tailgating/Piggybacking

The simplest and most effective entry technique. Follow an authorized person through a secured door. Success depends on confidence and timing.

The Coffee Carry

Carry two coffees so your hands are full; the employee holds the door out of courtesy. Works best during the morning rush.

The Box Carry

A large box obscures your view and makes a badge check awkward. A delivery uniform adds legitimacy.

The Phone Call

Hold an animated conversation while approaching the door; employees avoid interrupting.

The Quick Follow

Time your approach to arrive just as someone badges in. Natural flow, no hesitation.

Badge Cloning

Many access control systems use insecure RFID cards that can be read and cloned with inexpensive equipment.

COMMON CARD TYPES & VULNERABILITIES:

LOW FREQUENCY (125 kHz):
├── HID ProxCard II - No encryption, trivially cloneable
├── EM4100 - No encryption, read with $20 reader
├── AWID - Slightly more complex, still cloneable
└── Indala - Proprietary but breakable

HIGH FREQUENCY (13.56 MHz):
├── MIFARE Classic - Broken encryption, cloneable
├── MIFARE DESFire - Stronger, but often misconfigured
├── iCLASS SE - More secure, attacks still exist
└── HID SEOS - Modern, cryptographically secure

CLONING EQUIPMENT:
├── Proxmark3 ($200-400) - The gold standard
├── ChameleonMini ($100) - Portable, HF cards
├── Blue cloner ($20) - Basic 125kHz cloning
├── Flipper Zero ($170) - Consumer-friendly
└── HID card copiers (varies) - Available online

proxmark3 - Badge Cloning

# Read a card
pm3> lf search
pm3> lf hid reader

# Clone to T5577 blank
pm3> lf hid clone -r 2006123456

# High frequency MIFARE
pm3> hf mf autopwn
pm3> hf mf dump

# Simulate a card (no physical clone needed)
pm3> lf hid sim -r 2006123456
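As a defensive counterpart to the tailgating and badge cloning sections above, this added example (not code from the original page) reviews an access-control export for the traces those techniques leave: one badge number presented at two perimeter doors faster than anyone could walk, an interior door opened by a badge that never passed the perimeter, and after-hours use. The export format, every record, the door names, the transit time and the business hours are constructed assumptions.

```python
"""Access-control log review for cloned-badge and tailgating indicators.
Added example, not from the original page. The export format and records
are constructed; door names, transit time and hours are assumed."""
from datetime import datetime, timedelta
# Constructed export (timestamp,door,badge,result): 2006123456 hits two perimeter
# doors 3 min apart, 2006124500 opens an interior door without badging in,
# 2006123999 is used inside late at night, and one denied read is ignored.
SAMPLE_LOG = """\
2024-03-04T08:01:10,LOBBY-ENTRY,2006123456,GRANTED
2024-03-04T08:01:42,LOBBY-ENTRY,2006123999,GRANTED
2024-03-04T08:02:00,SERVER-ROOM,2006125000,DENIED
2024-03-04T08:03:05,SERVER-ROOM,2006123456,GRANTED
2024-03-04T08:03:30,SERVER-ROOM,2006124500,GRANTED
2024-03-04T08:04:00,LOADING-DOCK,2006123456,GRANTED
2024-03-04T22:15:00,SERVER-ROOM,2006123999,GRANTED
"""
PERIMETER_DOORS = {"LOBBY-ENTRY", "LOADING-DOCK"}  # doors from outside the building
MIN_TRANSIT = timedelta(minutes=5)  # assumed shortest walk between perimeter doors
BUSINESS_HOURS = range(7, 20)       # assumed 07:00-19:59

def parse_log(text):
    """Turn export lines into (time, door, badge, result) tuples, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, door, badge, result = line.split(",")
        events.append((datetime.fromisoformat(ts), door, badge, result))
    return sorted(events)

def review(events):
    """Return (badge, indicator) findings; denied reads are skipped here."""
    findings = []
    last_perimeter = {}  # badge -> (time, door) of its latest perimeter grant
    entered = set()      # badges that have passed a perimeter door so far
    for when, door, badge, result in events:
        if result != "GRANTED":
            continue
        if door in PERIMETER_DOORS:
            prev = last_perimeter.get(badge)
            # Same number at two perimeter doors faster than anyone can walk: a clone
            if prev and prev[1] != door and when - prev[0] < MIN_TRANSIT:
                findings.append((badge, f"possible clone: {prev[1]} then {door}"))
            last_perimeter[badge] = (when, door)
            entered.add(badge)
        elif badge not in entered:
            # Interior door opened without a perimeter entry: tailgated in, or a clone
            findings.append((badge, f"interior use at {door} without perimeter entry"))
        if when.hour not in BUSINESS_HOURS:
            findings.append((badge, f"after-hours use at {door} at {when:%H:%M}"))
    return findings
```

Run `review(parse_log(SAMPLE_LOG))` to get the three findings; feeding it a real controller export needs only the parser adjusted.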

Lock Bypass Techniques

Physical locks remain common despite electronic access control. Lock picking is often faster than social engineering.

Lock Picking

Traditional skill using a tension wrench and picks. Most pin tumbler locks open in under 2 minutes.

Lock Bumping

Specially cut bump keys struck with a tapping force. Fast and effective against most pin tumblers.

Under-Door Tool

Slip a flexible tool under the door and hook the interior handle. Defeats many commercial doors.

Shim Attacks

Thin metal shims defeat padlocks. Handcuff bypass tools work on the same principle.

BASIC LOCK PICKING KIT:

ESSENTIAL PICKS:
├── Short hook - Pin by pin picking
├── Medium hook - Deeper pins
├── Rake (city rake/snake) - Fast alternative to single-pin picking (SPP)
├── Bogota rake - Quick entry
└── Diamond pick - Wafer locks

TENSION TOOLS:
├── Bottom of keyway (BOK) - Standard technique
├── Top of keyway (TOK) - More feedback
├── Pry bar - Heavy locks
└── Feather touch tensioner - High security

BYPASS TOOLS:
├── Under door tool (UDT)
├── Shims (padlock/handcuff)
├── Comb picks (wafer locks)
├── Jiggler keys
└── Air wedge + long reach

In-Person Social Engineering

Most physical intrusions rely more on social engineering than technical skill. People want to be helpful and avoid confrontation.

Common Pretexts

IT Support

"Here to check the network equipment." Clipboard, polo shirt, confident demeanor.

Fire Inspector

High authority, access everywhere. Requires good props but works extremely well.

HVAC/Facilities

"Checking the thermostats." Low authority but grants access to utility closets, server rooms.

Vendor/Contractor

Expected visitors get less scrutiny. Schedule fake meeting for cover story.

New Employee

"First day, badge isn't working yet." Works at large organizations. Ask for "help."

Delivery Person

Package in hand, urgency implied. FedEx/UPS uniforms available online.

Pretext Preparation

Never improvise a pretext. Research thoroughly: Who would legitimately be there? What would they wear? What paperwork would they have? What questions might they answer? Practice your cover story until it's automatic.

The Authority Gradient

PRETEXT AUTHORITY LEVELS:

HIGH AUTHORITY (Hard to Challenge):
├── Fire Marshal / Building Inspector
├── Health Inspector
├── Law Enforcement (risky, possible impersonation charges)
├── Executive/C-Suite (from "another office")
└── External Auditor

MEDIUM AUTHORITY (Some Access):
├── IT Support (vendor badge)
├── Facilities Management
├── Pest Control
├── Security Consultant
└── Compliance Auditor

LOW AUTHORITY (Limited Access):
├── Delivery Person
├── Caterer/Event Staff
├── Cleaning Crew
├── Job Candidate
└── Lost Visitor

AUTHORITY ESCALATION:
Start low → Build trust → Request more access
"While I'm here, could you also show me..."

Device Implants

Physical access enables planting hardware that provides persistent network access or data capture. Small devices can remain undetected for months.

Network Implants

Common Implant Devices

NETWORK TAPS:
├── LAN Turtle - USB Ethernet adapter with shell access
├── Packet Squirrel - Inline network tap, MITM capable
├── Raspberry Pi Zero W - Hidden in enclosure, WiFi C2
├── Shark Jack - Quick network recon, payload deploy
└── Pwn Plug - Commercial pentest dropbox

WIRELESS IMPLANTS:
├── WiFi Pineapple - Rogue AP, credential capture
├── Hak5 Key Croc - Keylogger with WiFi exfil
├── P4wnP1 (Pi Zero) - USB attack platform
└── ESP32/8266 - Custom WiFi implants

HIDING LOCATIONS:
├── Behind monitors
├── Inside phone system junction boxes
├── In ceiling tiles
├── Under raised floor
├── In unused Ethernet jacks
├── Inside desktop computers
└── Taped behind furniture
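Every implant listed above ends up on a switch port, so one cheap detection (matching the "Network tap detection" item in the defense section) is a diff of the switch's MAC address table against a baseline taken during a known-good audit. This added example is not code from the original page: the 'vlan mac port' table format, port names and all MAC addresses are constructed, and the OUI watchlist is an assumption you would build from the IEEE registry for boards you do not expect on your LAN (b8:27:eb and dc:a6:32 are Raspberry Pi OUIs).

```python
"""Switch MAC-table diff to spot dropped-in network devices.
Added example, not from the original page. The 'vlan mac port' table format,
port names and all MACs are constructed; the OUI watchlist is an assumption
you would build from the IEEE registry for boards not expected on the LAN."""

# Constructed baseline taken during a known-good audit, and a later snapshot.
BASELINE = """\
10 00:1a:2b:3c:4d:01 Gi1/0/1
10 00:1a:2b:3c:4d:02 Gi1/0/2
20 00:1a:2b:3c:4d:03 Gi1/0/5
"""
CURRENT = """\
10 00:1a:2b:3c:4d:01 Gi1/0/1
10 00:13:37:aa:bb:cc Gi1/0/2
20 00:1a:2b:3c:4d:03 Gi1/0/5
10 B8:27:EB:11:22:33 Gi1/0/7
"""
# Assumed watchlist: first three octets (OUI) of vendors whose boards commonly
# show up as implants; b8:27:eb and dc:a6:32 are Raspberry Pi OUIs.
WATCHLIST_OUIS = {"b8:27:eb": "Raspberry Pi", "dc:a6:32": "Raspberry Pi"}


def parse_table(text):
    """Map port -> set of lowercase MACs from 'vlan mac port' lines."""
    table = {}
    for line in text.strip().splitlines():
        _vlan, mac, port = line.split()
        table.setdefault(port, set()).add(mac.lower())
    return table


def diff_tables(baseline, current):
    """Return (port, mac, reason) findings for MACs absent from the baseline."""
    findings = []
    for port, macs in current.items():
        known = baseline.get(port, set())
        for mac in sorted(macs - known):
            if not known:
                # A live device on a jack that was dark at baseline: go look at it
                findings.append((port, mac, "new device on previously unused port"))
            else:
                # Known port, different MAC: the host changed or a device now answers for it
                findings.append((port, mac, f"MAC changed from {sorted(known)}"))
            vendor = WATCHLIST_OUIS.get(mac[:8])
            if vendor:
                findings.append((port, mac, f"OUI on watchlist: {vendor}"))
    return findings
```

A port that a baseline says is unused and now carries a MAC, or a known port whose MAC changed, is worth a walk to the jack; the OUI match only raises priority.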

Keystroke Loggers

HARDWARE KEYLOGGERS:

USB KEYLOGGERS:
├── Inline USB (between keyboard and computer)
├── Looks like USB adapter/hub
├── Storage: 2GB-16GB typical
├── Retrieval: Physical or WiFi-enabled
└── Cost: $30-200

WiFi KEYLOGGERS:
├── Key Croc / KeyGrabber
├── Exfiltrates over WiFi
├── Remote access to captured data
├── Timestamped entries
└── Can inject keystrokes

DETECTION DIFFICULTY:
├── Visual inspection rarely done
├── Doesn't appear in Device Manager
├── No software/driver footprint
├── Hidden in keyboard cable
└── Can be embedded in keyboard itself

Dumpster Diving

What people throw away reveals passwords, org charts, project codenames, and technical documentation. Recycling bins are goldmines.

HIGH-VALUE TARGETS:

AUTHENTICATION DATA:
├── Sticky notes (passwords)
├── Password reset printouts
├── Temporary access codes
├── Badge photos/numbers
└── Access forms

ORGANIZATIONAL INTEL:
├── Org charts
├── Phone directories
├── Meeting schedules
├── Project documentation
└── Network diagrams

TECHNICAL DATA:
├── Server printouts
├── Configuration sheets
├── Support tickets
├── Decommissioned hard drives (!)
└── Backup tapes

OPERATIONAL TIPS:
├── Early morning or late evening
├── Dress appropriately (not suspicious)
├── Bag everything, sort elsewhere
├── Focus on recycling bins (paper)
├── IT disposal areas are goldmines
└── Document everything photographically

USB Drop Attacks

Leave USB drives where employees will find them. Curiosity wins - studies show 45-98% pickup and plug-in rates depending on location and labeling.

Parking Lot Drop

Near building entrances. "Someone dropped this" mentality. Label with employee names from OSINT.

Lobby/Restroom

Indoor drops have higher success. Leave near coffee machines, copiers, restrooms.

Labeled Drives

"Confidential - Q4 Bonuses" or "Layoff List" - irresistible to curious employees.

Branded Drives

Company logo makes it seem legitimate. "Must be from the IT department."

USB Payload Types

Payloads range from simple (an HTML file that beacons home) to complex (Rubber Ducky HID attacks). Always include a callback mechanism so you can track who plugged in what, when, and where. See BadUSB & Rubber Ducky for detailed payloads.

Entry & Exit Procedures

PHYSICAL ASSESSMENT PLANNING:

PRE-ENGAGEMENT:
├── Written authorization (signed, dated)
├── Emergency contacts (client, lawyer)
├── "Get out of jail" letter
├── Scope boundaries (which buildings, floors)
├── Time windows (business hours? After hours?)
├── What's off-limits (executives, certain areas)
└── Evidence requirements (photos? Just report?)

OPERATIONAL GEAR:
├── Authorization letter (multiple copies)
├── Client contact info (verified phone)
├── Photo ID
├── Cover story props (uniform, clipboard)
├── Lock picks (if authorized)
├── Badge cloning gear (if authorized)
├── Implant devices (if in scope)
├── Camera (document everything)
└── Burner phone (OPSEC)

DURING ENGAGEMENT:
├── Stay in character
├── Document everything
├── Know your exit routes
├── Have abort signals with team
├── Don't escalate confrontations
├── If caught, de-escalate immediately
└── Never resist security/police

POST-ENGAGEMENT:
├── Debrief immediately
├── Secure evidence
├── Return any cloned badges
├── Remove implants (if planted)
├── Document timeline
└── Report findings professionally

Detection & Defense

Defensive Measures

Understanding physical attack vectors helps build better defenses. Most organizations dramatically underestimate physical security risk.

PHYSICAL SECURITY HARDENING:

ACCESS CONTROL:
├── Mantrap entries for sensitive areas
├── Multi-factor (badge + PIN)
├── Visitor management system
├── Badge photo verification
├── No-tailgating signs backed by a no-tailgating culture
└── Regular badge audits

BADGE SECURITY:
├── Encrypt credentials (iCLASS SE, SEOS)
├── Short badge validity windows
├── Disable lost badges immediately
├── Unique badge designs (hard to fake)
├── No visible badge numbers
└── Photo on badge

LOCK HARDENING:
├── High-security locks (Medeco, Abloy)
├── Electronic locks for critical areas
├── Anti-bump, anti-pick features
├── Regular re-keying
├── Restricted keyways
└── No master key systems if possible

DETECTION:
├── Security awareness training
├── Challenge unknown persons policy
├── Report tailgating incidents
├── USB port blockers/monitoring
├── Network tap detection
└── Regular physical audits

DUMPSTER DEFENSE:
├── Shred everything
├── Cross-cut shredders minimum
├── Locked dumpsters
├── Secure IT disposal process
├── Hard drive destruction
└── Regular shredder audits

MITRE ATT&CK Mapping

├── T1200 - Hardware Additions: implanting rogue devices for network access
├── T1091 - Replication Through Removable Media: USB drop attacks
├── T1056.001 - Keylogging: hardware keystroke capture
└── T1598 - Phishing for Information: social engineering for physical access