
Physical penetration testing: methodology, tools and legal principles

Physical penetration testing evaluates physical security measures: access control, tailgating, lock picking, badge cloning, OSINT for physical targets, and on-site social engineering. This article explains the methodology (PTES Physical), tools (Proxmark3, Flipper Zero, lock picks), legal safeguards (authorization letters), and protective measures against physical attacks.

Physical penetration testing assesses a company’s physical security: Can an attacker gain undetected access to offices, data centers, or production facilities? In many red team exercises, a physical attack is the most efficient way to reach critical infrastructure—one hour of undetected access often replaces weeks of technical work.

Why Physical Penetration Testing Is Important

Physical Access: A Game Changer for Attackers:

What physical access enables:
  → Installing keyloggers at workstations
  → USB drop: Connecting a malware-infected USB drive to a PC
  → Hiding network implants (LAN Turtle, Packet Squirrel)
  → Direct access to server consoles and out-of-band management interfaces (IPMI, iDRAC)
  → Laptop theft (unencrypted = complete data exfiltration)
  → Cloning badges for follow-up attacks
  → On-site OSINT: IT infrastructure labels, system names, network topology

Classic attack chain (Red Team):
  OSINT → Tailgating → Network implant → Remote access → Lateral movement

Cost-benefit ratio for attackers:
  → Technical exploit: Weeks of development time, high risk of detection
  → Physical access: Hours of preparation, low risk of detection
  → "The cheapest attack is the physical one"

Countermeasure:
  → Technical security without physical security = worthless!
  → Zero Trust applies physically as well: Do not trust anyone who walks in

Legal Principles and Authorization

CRITICAL: Without authorization, a physical penetration test constitutes trespassing!

Legal situation in Germany:
  § 123 StGB (German Criminal Code) Trespassing (Hausfriedensbruch):
  → Entering premises without authorization → punishable!
  → Also applies if you are "just testing security"
  → Good intentions are no defense against prosecution

  § 202a StGB (German Criminal Code) Data espionage (Ausspähen von Daten):
  → Obtaining access to data that is protected against unauthorized access, by circumventing that protection → punishable
  → Also covers connecting your own storage device to someone else’s PC and copying data from it

  § 303 StGB (German Criminal Code) Property damage (Sachbeschädigung):
  → Lock picking that leaves scratches on the cylinder → property damage!

Authorization Letter (Get-Out-of-Jail Letter):
  SAMPLE CONTENT:
  ────────────────────────────────────────────────────
  [NAME OF TESTER] / [COMPANY] is hereby authorized
  to conduct physical security tests on the following properties
  during the period from [DATE] to [DATE]:

  Properties: [ADDRESS, BUILDING, FLOORS]
  Scope: Access attempts, badge tests, tailgating

  For questions: [CONTACT PERSON] Tel: [PHONE NUMBER]

  Client’s signature: _____________
  ────────────────────────────────────────────────────

  Carry this with you at all times! Show to police/security personnel if stopped.
  Keep a separate copy with the client → telephone confirmation possible.
  Legal review: Consult a criminal defense attorney before the first operation!

Coordination with the client:
  → Blind test (security staff are not informed) or announced test?
  → Who needs to know: Security, reception, management?
  → Emergency contact: Available 24/7 if a tester is detained
  → Scope: Which buildings? Floors? Server rooms?
  → Out-of-scope: Production, customer areas, private areas

Reconnaissance and OSINT

Physical OSINT before the operation:

Public sources:
  → Google Maps Street View: Entrances, cameras, exterior areas
  → Google Earth: Roof access points, ventilation shafts, outbuildings
  → LinkedIn: Employee names, department structure, organizational chart
  → XING: Less international, good for DACH
  → Company website: "Careers," "Team," "Contact" → Names, photos, location details
  → Commercial register: Subsidiaries, locations
  → Building plans: Sometimes publicly available through city planning

Leverage job postings:
  → IT job posting: "Knowledge of Juniper routers and Cisco switches preferred"
  → Reveals technology stack → important for technical attacks
  → Security service provider: Which company guards the site?
  → "Security guard from [COMPANY X] wanted immediately" → the guard company, and therefore its uniform, is known!

Social engineering preparation:
  → Organizational chart: Who is the receptionist? Who is the janitor?
  → Typical visitors: Suppliers, IT service, contractors
  → IT support company: "We’re here regarding your ticket..."
  → Supplier: Amazon/DHL clothing + large packages → Door open!

On-site reconnaissance (without entering):
  → Observe the exterior: smoking break times → side doors propped open!
  → Map camera positions
  → Identify badge system: HID, MIFARE, LEGIC?
  → Observe guard intervals: When does the security guard make his rounds?
  → Shift handoffs: A moment of distraction!

Tools and Techniques

Physical Penetration Testing Toolkit:

Badge/RFID Cloning:
  Proxmark3 (professional, ~300 EUR):
  → Reads all common RFID cards: EM4100, HID Prox, MIFARE, iCLASS
  → Clones 125 kHz cards (EM4100, HID Prox) onto a writable blank: the tag only broadcasts a static ID, there is no authentication to defeat
  → 13.56 MHz (MIFARE Classic): can be cloned once the sector keys are known; default keys are common, and the weak Crypto-1 cipher means the remaining keys can usually be recovered with the Proxmark3’s built-in attacks
  → Read range: 5–10 cm (enough to read a card in the holder’s trouser pocket while "accidentally" bumping into them)

  Flipper Zero (~200 EUR):
  → Multitool for RFID, NFC, Sub-GHz, IR, iButton
  → EM4100 (125 kHz): read and emulate → straightforward
  → MIFARE Classic: read if default or known keys work, then clone
  → Sub-GHz: clone garage door openers and gate remotes (433 MHz, 868 MHz) that use fixed codes; rolling-code remotes cannot simply be replayed
  → Also: Bluetooth tools, BadUSB attacks

  Long-range reader (LF reader):
  → Hidden in a shoulder bag
  → Reads EM4100/HID Prox badges from ~50 cm away
  → Combined with social engineering: get close to the target (queue, elevator, handshake)
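
To make concrete why a 125 kHz badge is so easy to copy, here is an added example (not code from the article, nor from the Proxmark3 or Flipper Zero projects) that models the EM4100 frame a reader captures: nine header bits, ten rows of four ID bits plus even parity, four column parity bits and a stop bit. The card ID used is constructed, not taken from any real badge. The decoder also shows the one thing a reader has to do, namely find the frame start in an endlessly repeated bit stream, and rejects corrupted captures via the parity bits.

```python
"""EM4100 frame encoder/decoder.

Added example, not code from the original article or from the Proxmark3 or
Flipper Zero projects. It models the 64-bit EM4100 frame so the reader can see
why a 125 kHz badge is trivial to clone: the tag does nothing but broadcast a
fixed 40-bit ID plus parity bits, so whatever a reader captures can be written
verbatim to a blank tag and replayed. The sample ID below is made up.
"""

HEADER = [1] * 9        # nine leading ones mark the start of a frame
FRAME_LEN = 64          # 9 header + 10 x (4 data + 1 parity) + 4 column parity + 1 stop


def em4100_encode(card_id: int) -> list[int]:
    """Build the 64-bit frame for a 40-bit ID (8-bit version/customer ID + 32-bit serial)."""
    if not 0 <= card_id < (1 << 40):
        raise ValueError("EM4100 IDs are 40 bits wide")
    data = [(card_id >> (39 - i)) & 1 for i in range(40)]
    frame = list(HEADER)
    column_parity = [0, 0, 0, 0]
    for row in range(10):
        nibble = data[row * 4:(row + 1) * 4]
        frame.extend(nibble)
        frame.append(sum(nibble) & 1)          # even parity over the row
        for col in range(4):
            column_parity[col] ^= nibble[col]  # even parity over each column
    frame.extend(column_parity)
    frame.append(0)                            # stop bit
    return frame


def em4100_decode(stream: list[int]):
    """Find a parity-consistent frame in a captured bit stream and return its ID.

    A reader sees the 64-bit frame repeated endlessly and does not know where it
    starts, so every rotation of the captured stream is tried. Returns None if no
    rotation has a valid header, stop bit and parity, i.e. the capture is noise
    or was corrupted.
    """
    n = len(stream)
    if n < FRAME_LEN:
        return None
    doubled = stream + stream                  # lets each window wrap around
    for start in range(n):
        cand = doubled[start:start + FRAME_LEN]
        if cand[:9] != HEADER or cand[63] != 0:
            continue
        body = cand[9:59]
        column_parity = [0, 0, 0, 0]
        card_id = 0
        ok = True
        for row in range(10):
            nibble = body[row * 5:row * 5 + 4]
            if body[row * 5 + 4] != sum(nibble) & 1:
                ok = False                     # row parity mismatch
                break
            for col in range(4):
                column_parity[col] ^= nibble[col]
                card_id = (card_id << 1) | nibble[col]
        if ok and column_parity == cand[59:63]:
            return card_id
    return None


def split_id(card_id: int) -> tuple[int, int]:
    """Split a decoded ID into (version/customer ID, serial number)."""
    return card_id >> 32, card_id & 0xFFFFFFFF


if __name__ == "__main__":
    # Constructed ID, not taken from any real badge.
    captured = em4100_encode(0x1D55001234)
    captured = captured[17:] + captured[:17]   # reader starts mid-frame
    print(hex(em4100_decode(captured * 2)))    # -> 0x1d55001234
```

A cloner writes exactly these 64 bits to a blank tag; nothing in the protocol lets the door reader tell the copy from the original, which is the reason behind the "EM4100 (insecure!)" verdict in the checklist further down. Any scheme without a challenge-response step has this property, whatever the frequency.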

Lock Picking:
  → Basic set: hook pick, diamond, tension wrench
  → Single Pin Picking (SPP): set each pin individually
  → Raking: faster, less precise (for inexpensive locks)
  → Bypass methods are often easier than picking:
    → Shimming: open a padlock shackle with a thin metal or plastic shim
    → Under-the-door tool: reach under the door and pull the handle from the inside
    → Loiding (credit card): push back a spring latch (does not work on a thrown deadbolt)

  Legal: possessing lock picks is not prohibited in Germany
  → Using them: only with authorization! (§ 123 StGB)

Keyloggers:
  → Hardware keylogger between keyboard and PC (~50 EUR)
  → PS/2 and USB variants
  → Records all keystrokes → read later
  → Detection: an inline hardware keylogger is transparent to the operating system, so only a physical inspection of the cable path finds it; USB device management only catches devices that enumerate as their own HID keyboard (see BadUSB below)

Network implants:
  → LAN Turtle (Hak5, ~80 EUR): disguises itself as a USB Ethernet adapter and provides remote access to the LAN
  → Packet Squirrel: inline packet logger placed between a host and its wall port
  → Raspberry Pi Zero W: full Linux system, hidden behind a rack
  → WiFi Pineapple: rogue access point for Wi-Fi MITM attacks

BadUSB:
  → USB Rubber Ducky (~80 EUR): enumerates as a HID keyboard, so no driver prompt and no "block USB storage" policy stops it
  → Types a scripted payload at roughly 1000 WPM
  → Typical sequence: Run dialog → PowerShell one-liner → reverse shell, all within about 10 seconds
  → O.MG Cable: looks like a standard Lightning/USB cable but hides a Wi-Fi-controlled keystroke injector
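
Because a Rubber Ducky or O.MG Cable is, to the operating system, just another keyboard, the practical detection signal is timing: no human sustains the inter-key gaps a keystroke injector produces. The following added example (not code from the article, from Hak5 or from any EDR product) runs a burst detector over a constructed input-event stream and, as a second check, compares the enumerated keyboards against an asset allowlist. The thresholds, vendor:product IDs and sample events are assumptions; the injected text is a harmless marker command.

```python
"""Detecting keystroke injection (BadUSB) from input-event timing.

Added example, not code from the article, from Hak5 or from any EDR product.
A Rubber Ducky or O.MG cable enumerates as an ordinary HID keyboard, so the OS
cannot tell it from a real one by device class. What gives it away is speed:
it sustains inter-key intervals no human can. The detector below replays a
constructed input-event stream (not a real capture) and alerts when a device
types a long burst faster than the assumed human floor; a second check flags
keyboards that are not on the asset allowlist. Thresholds, device IDs and the
sample events are assumptions.
"""
from dataclasses import dataclass

HUMAN_MIN_INTERVAL_MS = 30   # assumed: even fast typists rarely sustain < 30 ms per key
BURST_LEN = 12               # assumed: consecutive fast keys needed before alerting


@dataclass
class KeyEvent:
    t_ms: int       # timestamp in milliseconds
    device: str     # source keyboard, e.g. "usb:046d:c31c" (vendor:product, assumed)
    key: str


def fast_bursts(events, min_interval=HUMAN_MIN_INTERVAL_MS, burst_len=BURST_LEN):
    """Return {device: longest burst length} for every device that typed at
    least burst_len consecutive keys with every gap shorter than min_interval."""
    times_by_device = {}
    for e in sorted(events, key=lambda e: e.t_ms):
        times_by_device.setdefault(e.device, []).append(e.t_ms)
    alerts = {}
    for device, times in times_by_device.items():
        run = longest = 1                       # a single key is a burst of one
        for earlier, later in zip(times, times[1:]):
            run = run + 1 if later - earlier < min_interval else 1
            longest = max(longest, run)
        if longest >= burst_len:
            alerts[device] = longest
    return alerts


def unexpected_keyboards(present, allowlist):
    """Keyboards enumerated on the host that are not in the asset inventory."""
    return sorted(set(present) - set(allowlist))


def sample_events():
    """Constructed events: a human types a short command with jitter, then an
    injector (assumed ID usb:1234:0001) types a harmless marker command at 9 ms/key."""
    events = []
    t = 0
    for ch in "ls -la\n":
        t += 95 + (len(events) * 37) % 60      # 95..154 ms gaps, human-like
        events.append(KeyEvent(t, "usb:046d:c31c", ch))
    t = 5000
    for ch in "echo badusb-test >> log.txt\n":
        t += 9                                  # far below any human floor
        events.append(KeyEvent(t, "usb:1234:0001", ch))
    return events


if __name__ == "__main__":
    print(fast_bursts(sample_events()))         # {'usb:1234:0001': 28}
    print(unexpected_keyboards(["usb:046d:c31c", "usb:1234:0001"], ["usb:046d:c31c"]))
```

On a real host the events would come from the input subsystem (evdev on Linux, a low-level keyboard hook on Windows) and the response would be to detach or block the offending device. The allowlist check is the complement: an injector may slow itself down to stay under the timing threshold, but it still has to show up as a keyboard the inventory does not know.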

Attack Techniques in Detail

Tailgating and Social Engineering:

Tailgating (Following Behind):
  → Walk a short distance behind an employee → slip through the secured door before it closes
  → "Sorry, I forgot my badge" → relies on social inhibition: hardly anyone challenges a friendly face
  → Worst case: the employee holds the door open → the attacker is effectively invited in!

  Countermeasures:
  → Mantrap (airlock): only one person at a time
  → Tailgating detection cameras (video sensors)
  → Cultural measure: speaking up is encouraged!

Pretexting scenarios:
  Tradespeople/technicians:
  → "I'm from [local HVAC company] for air conditioning maintenance"
  → Toolbox + safety shoes + vest + clipboard
  → Reception: "Please wait a moment, I’ll call facilities management"
  → Tip: "I’ve already spoken with Mr. [Name from LinkedIn]"

  IT Support:
  → "We’ve received a report regarding your network connection"
  → Laptop + IT attire → immediately credible
  → "I need to quickly check the network cable in the server room"

  Delivery person:
  → Amazon-branded clothing + packages (empty, but heavy)
  → "Package for [Name from mailbox]"
  → Door is held open → go in, head toward the elevator, then exit later

  New employee:
  → "I'm starting today; I'm in the wrong building"
  → No badge, appears uncertain → Empathy response

Bypassing doors:
  REX sensor (Request to Exit):
  → Many doors: a motion sensor on the inside unlocks the door for people leaving
  → A thin wire slipped under the door and waved in front of the sensor → triggers it!
  → Or: a burst of compressed air from a can under the door

  Emergency exits:
  → Must always be openable from the inside (fire safety)
  → From the outside: sometimes only a crash bar with no alarm contact
  → Or: Alarm triggers → but who will come?

  Ventilation shafts (rarely practical, but conceivable in a pentest):
  → Real-world: very unlikely (size, alarm)
  → Usually only in movies!

Physical Security Checks

Physical Security Assessment Checklist:

Outdoor area:
  □ Perimeter security: Are fences, gates, and lighting sufficient?
  □ Camera coverage: Blind spots? Obstructions?
  □ Camera quality: HD? Night vision capable? Recording duration?
  □ Unsupervised entrances (supplier access, side entrance)?

Access control:
  □ Badge system strength: EM4100 (insecure!) vs. iCLASS SE/Elite?
  □ Tailgating possibilities at all entrances?
  □ Mantrap in place for critical areas?
  □ Visitor management: ID required? Escorted access?

Internal physical security:
  □ Unattended PCs (screen lock after X minutes)?
  □ Clean desk policy: no passwords on sticky notes?
  □ Printing area: printers with confidential documents?
  □ Waste security: Document shredding (P-4 cross-cut)?
  □ Network ports in reception areas? (LAN Turtle target)

Server room/data center:
  □ Access log: Who was inside and when?
  □ Camera surveillance in the data center?
  □ Rack locks? (Easy to bypass!)
  □ Console ports secured? (BIOS password, iDRAC authentication)
  □ Empty rack units without blanking panels = disrupted cooling airflow and easier physical access to cabling

Reporting chain:
  □ What happens if an unknown person is encountered?
  □ Security awareness: train employees to politely challenge strangers
  □ Reporting of physical incidents?

RFID Badge Audit:
  □ Have all active badges been inventoried?
  □ Former employees: Have badges been deactivated?
  □ Badge technology: 125 kHz (EM4100, HID Prox) → upgrade to a 13.56 MHz system with mutual authentication (e.g. iCLASS SE/Elite)!
  □ Provide shielded (RFID-blocking) sleeves for employees
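
The access-log and badge-audit items above are cheap to check continuously rather than once per test. The following added example (not code from the article or from any access-control product) runs four heuristics over a constructed CSV of badge-reader events: an exit without a matching entry (the holder tailgated in), a second entry without an exit in between (anti-passback: tailgated out earlier, or a copy of the badge is in use), reads at two sites closer together than the travel time allows (cloned badge), and a granted read for a badge HR lists as deactivated (offboarding failure). Column names, site names, the perimeter door list, the travel time and the sample log are all assumptions.

```python
"""Heuristic checks over badge-reader access logs.

Added example, not code from the article or from any access-control product.
It reads a constructed CSV of reader events (not real data) and flags the
patterns a physical security audit looks for in the access log:
  * EXIT_WITHOUT_ENTRY    - badge left a site it never badged into: the holder
                            tailgated in behind someone
  * ANTI_PASSBACK         - second entry without an exit in between: the holder
                            tailgated out earlier, or a copy of the badge is in use
  * IMPOSSIBLE_TRAVEL     - reads at two sites closer together than the assumed
                            travel time: a cloned badge
  * REVOKED_BADGE_GRANTED - a badge HR lists as deactivated still opens doors:
                            offboarding failure
Column names, site names, travel times and the perimeter door list are assumptions.
"""
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample log. Columns: ts, badge, site, door, direction, result
SAMPLE_LOG = """\
ts,badge,site,door,direction,result
2026-03-04T08:01:10,B1001,HQ,main,IN,GRANTED
2026-03-04T08:02:40,B1002,HQ,main,IN,GRANTED
2026-03-04T08:15:05,B1003,HQ,side,OUT,GRANTED
2026-03-04T08:20:00,B1001,HQ,serverroom,IN,GRANTED
2026-03-04T08:21:30,B1001,DC2,main,IN,GRANTED
2026-03-04T08:30:00,B1004,HQ,main,IN,DENIED
2026-03-04T09:00:00,B1002,HQ,main,IN,GRANTED
2026-03-04T09:30:00,B1999,HQ,main,IN,GRANTED
"""

REVOKED = {"B1999"}                                   # assumed HR deprovisioning list
PERIMETER_DOORS = {"main", "side", "loading"}         # doors that define "inside a site"
MIN_TRAVEL = {frozenset({"HQ", "DC2"}): timedelta(minutes=45)}   # assumed drive time


def parse_log(text):
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["ts"])
    rows.sort(key=lambda r: r["ts"])
    return rows


def analyse(rows, revoked=REVOKED, perimeter=PERIMETER_DOORS, min_travel=MIN_TRAVEL):
    """Return a list of (finding, badge, timestamp, detail) tuples in log order."""
    findings = []
    inside = {}        # (badge, site) -> currently inside the perimeter?
    last_seen = {}     # badge -> (timestamp, site) of the previous granted read
    for r in rows:
        if r["result"] != "GRANTED":
            continue   # denied reads deserve their own review, but not here
        badge, site, ts = r["badge"], r["site"], r["ts"]
        where = f"{site}/{r['door']}"
        if badge in revoked:
            findings.append(("REVOKED_BADGE_GRANTED", badge, ts, where))
        if badge in last_seen:
            prev_ts, prev_site = last_seen[badge]
            limit = min_travel.get(frozenset({prev_site, site}))   # None for same site
            if limit is not None and ts - prev_ts < limit:
                findings.append(("IMPOSSIBLE_TRAVEL", badge, ts,
                                 f"{prev_site} -> {site} in {ts - prev_ts}"))
        last_seen[badge] = (ts, site)
        if r["door"] in perimeter:                  # inner doors do not change in/out state
            key = (badge, site)
            if r["direction"] == "IN":
                if inside.get(key):
                    findings.append(("ANTI_PASSBACK", badge, ts, where))
                inside[key] = True
            else:
                if not inside.get(key):
                    findings.append(("EXIT_WITHOUT_ENTRY", badge, ts, where))
                inside[key] = False
    return findings


def run_sample():
    return analyse(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for finding in run_sample():
        print(*finding)
```

Exit-without-entry is the most direct tailgating metric: counting it per door and per week tells you where the mantrap or the awareness training is needed, and an anti-passback rate that jumps for a single badge is the first sign that a clone made with the tools above is in circulation.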

Reporting

Physical Penetration Test Report - Structure:

Executive Summary:
  → Scope and timeframe
  → Summary: What was achieved?
  → Most critical findings
  → Overall risk assessment

Scenarios and findings:
  Each attempted attack:
  → Description: What was attempted?
  → Result: Successful/unsuccessful?
  → Evidence: Photos (anonymized!), badge clones as proof
  → Risk classification: Critical/High/Medium/Low
  → Recommendation: Specific countermeasure

Example finding:
  Title: Tailgating through main entrance successful
  Severity: High
  Description: Tester followed employee through secured entrance,
    without badge scan. Employee held door open.
  Impact: Physical access to entire office area, including IT infrastructure
  Evidence: Video recording (attached), timestamp 2:23 PM
  Recommendation:
    1. Training: "Security Culture - Challenging Strangers"
    2. Install a mantrap at the main entrance
    3. Activate the tailgating detection camera

Photo documentation:
  → Badge clone: Proxmark3 log screenshot
  → Notes with passwords found: anonymized
  → Network ports in public areas
  → Printer with uncollected printouts


About the Author

Vincent Heinen

Head of Offensive Services

M.Sc. in IT Security with more than five years of experience in offensive security analysis. Leads the delivery of penetration tests, specializing in web applications, network infrastructure, reverse engineering and hardware security. Responsible for several responsible disclosures.

OSCP+ OSCP OSWP OSWA
This article was last edited on 04.03.2026. Responsible: Vincent Heinen, Head of Offensive Services at AWARE7 GmbH. License: CC BY 4.0 - free use with attribution: "AWARE7 GmbH, https://a7.de"
