As the cybersecurity industry moves from traditional network vulnerability assessment services to replicating the attacks of advanced actors, the need to run physical security tests as part of a red team engagement is growing. The lack of information available from a physical red team point of view has led me to write this article, based on my experience, around a basic premise: what would you put in a red team everyday-carry physical toolkit?
The result is this kit, very similar to the one I use during my physical security assignments: a small lockpicking, lock bypass and basic tools kit with the low-skill but high-percentage-success stuff that can be easily carried and will get you through your next red team engagement. Whether that is the Hollywood bank vault score or, more realistically, opening a network cabinet padlock at a nondescript warehouse to install a network drop box or remote access device.
Let’s be honest: on most jobs you will be given access to the target building as part of the scope of the red team engagement, and if not, you are most likely to get inside through social engineering, using pretexting, tailgating or employee impersonation. So you don’t need expensive or fancy stuff most of the time. The only exception is the RFID badge cloning tools, which I will cover in a separate article.
Security once inside the target’s premises will mostly be of the low-security office type. But you will still have to gain access, either by picking or bypassing locks, to server rooms, network equipment cabinets, secure shredding bins or computer racks. Occasionally you will also need some basic tools to reach under a raised floor or above a suspended ceiling to install a network drop box or hide cameras to capture passwords. The combination of physical intrusion and hardware backdoors is a highly effective form of red team attack. Take a look at some of my posts on the subject, for example leaving behind a cheap disposable WiFi Pineapple clone.
For a basic toolkit, I tend to recommend stuff like multi-tools, a set of utility keys and a minimal pick set: tools that will get you through 80% of the stuff with minimal money and training time invested. Remember, this is not about sport lockpicking. Red teamers don’t want to put a lot of time into training lock picking; they just want the high-probability, low-skill physical attack that will get them access to the corporate network. That’s the toolkit you see right here.
Please note that I actually own more expensive tools, such as Peterson picks or tools from top brands, but then a kit like that would cost several hundred dollars, and the aim of this article was to offer an easy and inexpensive way to get started in the physical security field.
Basic Physical red team toolkit
- Pick tools ($15 basic lockpicking set, or $40 for a higher quality and more complete set with clear training locks) plus additional spare tension tools. Although many people don’t pay attention to it, tension tools are just as important as picks, so have a good selection of types and sizes.
- Utility key set (multi-function cross, wrench, square and triangle key set). Suitable for industrial, electric control and network cabinets, removing panels on raised floors, elevators, train doors, service ducts, industrial control valves and more.
- Quality multi-tool for unscrewing, disassembling, cutting and other jobs. It has everything needed to make improvised bypass tools from materials around you, such as padlock shims from drink cans, in addition to making small repairs or doing other useful tasks in your daily work. I usually prefer Leatherman and Gerber tools, but you can find cheaper alternatives such as the excellent Nexttool Flagship (a high-quality Leatherman clone), built to last for decades at a third of the cost of the brand tools.
- High-powered flashlight. You are going to need it more than you think, and I assure you that your smartphone flashlight will be insufficient most of the time. I tend to prefer the classic Convoy S2+; remember that you will also need an 18650 Li-ion battery and a charger for this type of tactical flashlight.
- Assortment of zip ties: Useful to secure cables, temporarily replace padlocks, secure some locks in open position and small repairs during work.
- A basic pouch that would easily hold all items ($9 nylon molle tactical bag)
While not strictly a part of the basic kit, I often carry the incredibly useful Pocket 7 mini laptop, small enough to fit in a pocket and go unnoticed, while giving you all the power to run a full-featured Kali Linux.
I’ve come up with this, but I know I’m going to catch a lot of heat, because the lock picking community is going to look at this infosec guy and say “hey, there’s nothing there but a multi-tool and a basic pick set; where are all the high-security dimple lockpicks or bypass tools?” That’s because those tools take a lot of practice to master. The odds are that the more expensive a lockpick tool is, the more hours of hands-on practice it requires before you get the feel for it. Or, if a tool works fast, as in the case of a bump key, it will only work on a single type of lock out of the thousands that may exist. With a basic kit and only some practice you can really start defeating locks right away, and I think that’s really what red teams are after. That doesn’t mean I’m not open to suggestions for improvement. Is something missing from my kit? Leave it in the comments.
The essential physical red team skillset
Although having the right tools is nice, you’ll need to know how to use them. There are plenty of topics to master before becoming a physical security expert, but lockpicking and lock bypass are undoubtedly the most important knowledge.
The MIT Guide to Lockpicking and Lockpicking-Detail-Overkill are pretty decent free ebooks, but they can be a bit tough conceptually if you aren’t yet all that familiar with lock internals. After reading the basic concepts you will find a set of transparent practice locks and padlocks very useful: the same as those used in the real world, but manufactured in clear plastic so you can see what’s happening inside. Please note that they are not really the right long-term learning tool, but they will help you quickly visualize how a lock works before starting on real-world ones.
There are many lockpicking youtube channels out there, my favorites are LockPickingLawyer and Bosnianbill. Especially the latter because unlike many sport lockpickers Bosnianbill has multiple videos from the perspective of a security professional who needs to open locks quickly at work.
Once you’ve opened your first lock you’ll want to delve into the various types of locks, the great range of lockpick tools and the techniques used by physical red teams. For that I recommend some reference books which, in my opinion, are the next training material you should get.
Unauthorised Access: Physical Penetration Testing For IT Security Teams by Wil Allsopp. You won’t find any other book like this one, it’s the only one really written from the perspective of a red team who has done multiple real world physical penetration tests. It’s full of useful information for beginners and more advanced pen-testers. More importantly, it covers not only lock picking but also multiple techniques from social engineering to surveillance equipment along with operational planning and execution of physical intrusion tests.
Deviant Ollam, security auditor and penetration testing consultant at The CORE Group, frequent speaker at security conferences and a member of the Board of Directors of the US division of TOOOL, is the author of two interesting books on physical security. While really good books, they are mostly about picking locks and do not cover the other operational aspects of red teaming as well as Unauthorised Access does. In any case they are also highly recommendable: Practical Lock Picking: A Physical Penetration Tester’s Training Guide and Keys to the Kingdom: Impressioning, Privilege Escalation, Bumping, and Other Key-Based Attacks Against Physical Locks.
Visual Guide to Lock Picking by Mark McCloud. I would recommend this book for those who are starting in lock picking basically because the illustrations show beautifully the inner workings of a wide variety of locks.
How To Open Locks With Improvised Tools: Practical, Non-Destructive Ways Of Getting Back Into Just About Everything When You Lose Your Keys (formerly published as Lock Bypass Methods) by Hans Conkel. What I like about this book is that, unlike most texts, which approach the subject as a lock sport guide, this one deals with practical techniques using improvised tools. This book was to me a very useful guide to bypassing locks and other entry methodologies.
Physical Red Team: Do’s and Don’ts
From reading some IT security forums debating physical security, seeing some promotional videos from industry competitors marketing nothing but stunt hacking, and from my own experience, I have come up with some important tips that I would like to share before you start your first assignment.
Please don’t dress military-style or as a ninja: you’ll stand out, you won’t get away if challenged, and in some jurisdictions you could be shot by a security guard who thinks you’re some kind of terrorist or part of an armed robbery. Instead, adopt a grey man approach: dress in casual clothing that fits your target environment, and just avoid bright or distinctive colors. If you work as a team, make sure you guys and gals don’t all dress the same way, or you’ll also stand out from the crowd. If you carry a laptop on an impersonation job, it is better that it is not covered in hacker stickers, or you will shine like a Christmas tree.
Be careful if you seek advice, training material or courses from special forces, SWAT or most military types. Explosive breaching, subduing a guard or clearing rooms is something you will rarely encounter during physical pen-testing. Instead, read all you can from accounts of con men, white-collar criminals or jewel thieves. As an exercise, I recommend you research the Antwerp diamond heist, one of the largest robberies in history, accounting for more than $100 million. The heist is the subject of the book Flawless: Inside the Largest Diamond Heist in History by Scott Andrew Selby and Greg Campbell.
Always make sure that what you are going to do is part of what was agreed with the client. Always carry the contact numbers of the target’s security staff who can explain who you are and what you are doing. Whenever possible, carry a copy of the agreement for the job signed by the CEO, CTO or CISO. I’m sure you’ve read the story of how the state of Iowa paid a security company to break into a courthouse, and then the employees were arrested when they succeeded.
On legal issues, the TrustedSec people recently made public open-sourced legal documentation used for physical penetration tests. The purpose is to help the community and organizations protect their employees when conducting testing.
Until my next article, on my full-size lock picking kit and RFID kit, arrives, take the opportunity to practice your new skills. Stay safe and stay legal.