Physical Penetration Testing Basics – A Primer

Physical Penetration Testing is an assessment that tests physical security controls to find where they might fail. While this can include a number of different activities, including social engineering, it is worth remembering that many doors and locks are designed simply to slow down an attacker, not to stop one completely. At SecureState, we constructed a sample door for demonstrating and practicing the exploitation of these weaknesses. In this blog, we will discuss 5 common weaknesses of physical defenses and how to defeat them.

1. Shimming a MasterLock combination lock

These locks are most commonly found on storage lockers or toolboxes because of their low cost and wide availability. They are intended to be opened by spinning the dial clockwise and counterclockwise to a set combination; doing so aligns the internal discs and allows the shackle to be lifted. There is a well-documented weakness in certain combination locks that allows an attacker to “brute force” the correct combination and open the lock, but a faster way is to use a shim. Shims can be purchased, but they can also be made from something like an aluminum pop can. As long as the material is relatively strong, easily shaped, and flat, it will function as a shim. By pressing this piece of metal into the latch and pulling on the shackle, the combination mechanism is bypassed entirely.

2. Defeating a Chain Latch

Chain latches are common in hotel rooms and other public buildings. They consist of a short length of metal links that prevents the door from opening all the way. While this might seem like an additional layer of protection, these latches can easily be defeated with a shoelace and a rubber band. With the door opened as far as the chain allows so that the chain is exposed, tie the rubber band onto the chain; the shoelace can then be used to move the latch back to its original position.

3. Unprotected Latch

In this scenario, the door is locked from the inside, but the latch itself is visible from the outside. Using a tool for leverage together with a simple latch tool, an attacker can turn the latch and bypass this protection. A typical latch tool is flat with a notch on the end that allows the latch to be manipulated.

By putting the notch around the latch, an attacker can move the tool from side to side and push it so that the door stays open. If you have seen a door with a large gray plate over the latch, that plate is designed to protect against this particular attack.

4. Under the Door Tool

This attack is most common on office doors, where fire codes often mandate that someone inside must be able to exit safely. One way to check whether a door may be vulnerable is to look at the lever. If the lever is shaped somewhat like a hook, it is possible to use a tool from the other side of the door to pull the lever down. While some vendors make specialized tools for this purpose, it is relatively simple to construct one from a wire hanger, a ring, and some fishing line. The attacker places the bar and the line underneath the door and hooks onto the far side of the lever. When the string is pulled, pressure is applied to the inside door handle and the lever pulls down, opening the door.

5. Bump Key

A bump key is one of the best-known methods of getting through locked doors, but one of the trickiest to pull off in practice. To use a bump key, you first need to acquire one. Typically a bump key looks fairly unremarkable, with regular ridges. When pressure is applied to the key, the notches jump up and the energy transfer causes the lock’s pins to move into place. For best results, the bump key should be struck with a rubber mallet or, in a pinch, the back of a hammer.

Research analyst. Physics geek. Former educator. OSCP