Physical Security: From Locks to Dox


Introduction to Red Team Physical Security Penetration Testing
Jess Hires
Jax Locksport
www.hacksonville.com

Disclaimer
This information is to be used for professional and/or hobbyist use only. I am not responsible for any actions you take with the knowledge gained from this presentation. Don't get yourself in trouble.

About Me
- Jess Hires
- Information Security Analyst
- Founder of Jax Locksport and B-Sides JAX
- Founder and Coordinator of TOOOL Jax
- Coordinator of Jax2600/DC904
- President of Jacksonville Linux Users Group
- Teacher of Linux, lock picking, and hacking

About This Talk
Physical Security knowledge can be a critical asset on a Red Team Penetration Test.
- Touching on Penetration Testing Methodology
- Heavy on Exploitation

Topics Covered
- Penetration Testing Methodology
- Lock Identification
- Tools Required
- Attacking Locking Systems

Terminology
- Locksport: The practice of picking locks or defeating physical security measures for fun or competition.
- Physical Security: Using physical measures to prevent unauthorized access to valuable data or assets.
- Penetration Test: A test to find weaknesses in an organization's security plans, with a deliverable report of findings and remediation steps. There are several types.
- Red Team: The team that conducts the Penetration Test. Members will often specialize in multiple disciplines, including network security and physical security.

Penetration Testing Methodology
A framework for performing Penetration Tests.
- Pre-Engagement Interactions
- Reconnaissance Phase
- Vulnerability Analysis Phase
- Exploitation Phase
- Post-Exploitation Phase

Phase 1: Pre-Engagement Interactions
Make sure your test aligns with your client's needs.
Define:
- Scope
- Boundaries (off-limits)
- Trophies
- Time constraints

Phase 2: Reconnaissance
Know yourself, know your enemy.
- Most important part of a penetration test
- Information gathering
- Passive and Active

Passive Reconnaissance
Reconnaissance that is (virtually) undetectable.
- Google Maps
- Website
- Photos on social media
- Promotional videos
- Virtual tours

Active Reconnaissance
Reconnaissance that could be easily detected.
- Visit the target site
- Take a tour
- Get creative

Phase 3: Vulnerability Analysis
Detect weaknesses and potential road blocks.
- Define Targets
  - Potential Difficulty
  - Potential Value
- Define Obstacles
  - Things to avoid
- Determine attack method
- Plan Exploitation Phase

Potential Difficulty vs Potential Value

              Low Difficulty     High Difficulty
Low Value     Maybe a Target     Never a Target
High Value    Always a Target    Strategic Target

Targeting
- Desk Drawers
  - Low Difficulty, Low Value
  - Usernames and Passwords
  - Personally Identifiable Information (PII)
- Filing Cabinets
  - Low Difficulty, Low Value
  - More PII and other sensitive information
- Storage Rooms
  - Low to High Difficulty, Low to High Value
  - Storage media
  - RFID tags
- Server Rooms
  - Low to High Difficulty, High Value
  - For the network Penetration Test
- Vaults
  - High Difficulty, High Value
  - Company Secrets
  - Other valuables?

Obstacles
- Perimeter Security
  - Fences
  - Guard Stations
- Locks
  - Identify locks on your targets
  - Higher security locks
- Security Cameras

Lock Identification
Attacks differ greatly depending on the lock.
- Pin/Wafer Tumbler Lock: picking, raking, bumping
- Multiple Dial Combination Lock: decoding
- Single Dial Combination Lock: manipulation
- Electronic Locks: shoulder surfing, fingerprinting
- RFID Locks: tag duplication
- And many more...

Pin Tumbler Lock

Tubular (Ace) Lock

Wafer Tumbler Lock

Warded Lock

Lever Lock

Multiple Dial Combination Lock

Single Dial Combination Lock

Electronic Lock

Higher Security Locks
Some locks will pose more of a threat than others.
- Pin Tumbler locks with Sidebars
- Finger Pins and Angled Pins
- Disc Detainer locks
- Group 1 Combination locks
- Other exotic locks

Medeco
Angled key cuts, rotating pins, sidebar

Schlage Primus
Finger pins, sidebar

Disc Detainer Lock
Angled key cuts, rotating discs

Phase 4: Exploitation
Destroy those security mechanisms.
- Infiltration
  - Social Engineering
  - Bypass
  - Lock Picking
- Exfiltration
  - Trophies

Social Engineering
Sometimes you can enter an area by tricking a legitimate person into letting you in.
- Badges and Uniforms
- Delivery/Vendor
- Visitor
- New Employee
- Confidence

Bypass
Doors and locks can sometimes be bypassed entirely, without needing to manipulate a lock.
- Latch tool
- Under Door and Push to Exit tools
- Specialty lock bypass tools
- Remove door from hinges
- Drop ceiling and raised floors

Loiding
A flat tool is used to depress the plunger of a door lock (called loiding, or carding).
- Also known as the credit card method
- Tool is called a loid, also known as Shovit Tool
- Open Out or Open In doors
- Not usable on deadbolts
- Light to moderate forensic evidence

Shovit Tool

Shovit Tool: Open Out Door

Under the Door Tool
Opens doors with lever handles from the outside.
- Tool is slid under the door, turned up to catch on door handle, and a wire is used to pull the lever down
- Easy to make
- Little to no forensic evidence

Push to Exit Tool
Opens doors with push bars from the outside.
- Slide tool between the door and frame, turn it so it will strike the push bar, and pull to open the door
- An air wedge may be used to help the tool fit
- Easy to make
- Little to no forensic evidence

Lock Bypass Tools
Sometimes the inner workings of a lock can be manipulated without interacting with the pins.
- Insert tool into keyway, past the core, to interact with internal lock mechanisms
- Various tools for various locks
- Specialized situations
- Little forensic evidence

Knife Tool

Drop Ceiling and Raised Floor
Harris, Shon. CISSP All-in-One Exam Guide, 6th Edition. New York: McGraw Hill, 2012. Print.

Lock Picking
Pick all the locks!
- Single Pin Picking
- Raking
- Small set of tools needed
- Time depends on lock and skill
- Light forensic evidence

Lock Operation
- A standard pin tumbler lock.
- Pin tumbler lock cutaway.
- Lock with proper key.
- Lock with improper key (one bitting too high).
- Lock with improper key (one bitting too low).

Single Pin Picking
- Apply torsion. As a pin binds, lift it to the shear line.
- When a binding pin is set, a different pin will bind.
- When all pins are set, the lock will open.

Raking
Try to set many pins quickly.

Security Pins
Various shaped pins for pick resistance.

Tubular (Ace) Lock

Specialty Lock Picks
Some locks require additional tools and training.
- Wafer locks
- Warded lock
- Tubular (Ace) lock
- Disc Detainer lock
- Exotic shaped locks

Wafer Lock Picks (Jigglers)

Warded Lock Picks

Tubular Lock Pick

Disc Detainer Lock Pick

Cruciform Keyway Pick

Pick Gun
A pick gun can make quick work of a pin tumbler lock, by snapping all of the pins simultaneously.
- Also known as Snap Gun
- Energy exerted on key pins is transferred to driver pins
- Creates a brief gap between key pins and driver pins, allowing the lock to be opened
- Easy to learn
- Moderate forensic evidence

Bump Keys
Using Bump Keys (or bumping) can also be a very easy way to open a pin tumbler lock.
- Same principle as a Pick Gun
- Keys are easily available, and can be duplicated
- Easy to learn
- Heavy forensic evidence

Bump Keys and Hammer

Decoding
Many multiple dial combination locks have a notch in each wheel, which can be easily decoded.
- Decoder Tool
- Makeshift tools
- Very quick if it works
- Little to no forensic evidence

Decoder Tool

Multiple Dial Combination Decoding

Manipulation
The Art of Safe Cracking.
- Uses touch and sight
- Must be able to visualize internal components
- Time consuming
- No tools required
- Difficult to learn
- No forensic evidence

Sargent and Greenleaf 6730

S&G 6730 Back

LaGard 3330 Insides

Combination Lock Side View

All Wheels Left
- Left Contact Point: 14.5
- Right Contact Point: 8.125

Manipulation Graph
As wheels set, the nose drops into the drive cam. Differences in depth are measurable on the dial.
- Measure 1/4 or 1/8 of a dial position for precision.
- Dial every other number and measure the left and right contact points.
- Mark these on graph paper.
- Dial stickers are available to help with this
- Tape with fine markings works well too

Some Wheels Set
- Left Contact Point: 14.25
- Right Contact Point: 8.25

LaGard 3330 All Wheels Set

LaGard 3330 Bolt Retracted

More About Safe Cracking
"Safe Cracking for the Computer Scientist" by Matt Blaze

Other Exploitation Activities
Getting into a secure area can be of great benefit for the network portion of a penetration test.
- Install LAN taps
- Connect drop boxes

Phase 5: Post-Exploitation
Maintaining access and covering your tracks.
- Key Decoding
- Key Duplication
- RFID Tag Duplication

Key Decoding
Use a key gauge to decode keys.
- Different for each key/lock manufacturer
- Codes can be used to cut new keys

Key Gauge

Key Duplication
Creating a duplicate key can ensure future access.
- Clam Shell duplication tool
  - Used to create a mold, and cast a duplicate key
- Online key duplication services
  - Only need a photo

Deliverables
Show your client the damage.
- Findings and Documentation
- Areas exploited
- Trophies and Photos

Questions & Comments
Thank you!
Jess Hires
@Hacksonville
jess@hacksonville.com