As a physical penetration tester, your primary goal is to identify and exploit vulnerabilities in physical security systems. This task requires not only a keen understanding of various security mechanisms but also a deep knowledge of their weaknesses and how to exploit them.
One of the most effective ways to prepare for a physical penetration test is by researching and testing common security systems such as access control systems, magnetic alarms, and physical lock brands and types.
Why Research and Testing are Crucial
Understanding System Mechanics: Each security system, whether it’s a sophisticated access control system or a simple magnetic alarm, operates on specific principles and mechanisms. By studying these systems in advance, you gain a deeper understanding of how they work, which is crucial in identifying potential vulnerabilities.
Identifying Vulnerabilities: Different systems have different weaknesses. For example, some magnetic door alarms require precise placement and polarity of magnets to deactivate. Without prior research and testing, you might not know these specifics, which could lead to failure in bypassing the security during a test.
Developing Tailored Strategies: By knowing the specifics of the systems in place, you can develop more effective strategies for your penetration tests. This preparation allows you to approach each scenario with a tailored plan, increasing the likelihood of a successful breach.
Saving Time and Reducing Risk: In a real-world scenario, time is of the essence, and mistakes can raise alarms. If you’re already familiar with the systems you’re encountering, you can execute your strategies more quickly and efficiently, reducing the risk of detection.
Staying Ahead of Security Trends: Security technology is constantly evolving. By regularly researching and testing the latest systems, you stay ahead of new security trends and techniques, which is essential in the ever-changing landscape of physical security.
Practical Example: Magnetic Door Alarms
Consider the case of magnetic door alarms. These devices are designed to trigger an alarm when a door is opened, breaking the magnetic contact. However, some of these alarms can be deactivated using magnets if you know the correct polarity and placement. This knowledge isn’t intuitive; it requires prior research and hands-on testing. By experimenting with these alarms beforehand, you learn exactly where to place the magnets and which polarity to use, allowing for a silent and undetected entry during your actual penetration test.
Case Study: Danish Physical Locks
In Denmark, a significant majority of physical locks, approximately 90%, are of the Ruko style, featuring either traditional pin tumbler mechanisms or dimple locks. This prevalence presents a unique opportunity for physical penetration testers.
Focused Lockpicking Practice: Knowing that Ruko locks are widely used in Denmark, a penetration tester can focus their lockpicking practice on these specific types. This targeted practice is far more effective than a broader approach, as it allows the tester to develop a deep understanding of the intricacies and vulnerabilities specific to Ruko locks.
Studying Repinning and Snapping Techniques: Ruko locks, especially the euro cylinder models, are exposed to attacks such as cylinder snapping. Snapping is a destructive technique that leaves a visibly broken cylinder, so on a covert engagement it only makes sense when paired with a prepared replacement cylinder. A tester who knows which lock types to expect can practice both snapping them and repinning a matching cylinder to a chosen key, so that a replaced lock works as expected and shows no obvious sign of tampering.
Preparation of Replacement Locks: In some cases, a penetration test might require the tester to replace a lock to maintain operational stealth. By understanding the prevalence of Ruko locks in Denmark, a tester can prepare by having a variety of these locks on hand. This preparation ensures that any replaced lock matches the common standard, avoiding suspicion.
Having Top Section Keys Ready: For Ruko style locks, having a set of top section keys, keys cut to fit most Ruko style keyways, is incredibly beneficial. These keys can provide quick access in various situations, making them a valuable tool in the tester's arsenal.
Covert Access Training Course: The Final Challenge
The Covert Access Training course, designed for aspiring members of a black team specializing in physical penetration tests, culminates in a realistic final training day. Over the course of a week, students are immersed in intensive training, learning the intricacies of physical security systems, lockpicking, surveillance avoidance, and other essential skills. The pinnacle of this training is a real black team engagement, where students must apply everything they've learned in a practical, high-pressure environment.
The Magnetic Door Alarm Challenge
One of the most challenging parts of this final exercise for students is disabling a magnetic door alarm. This task is a critical component of many physical penetration tests, as these alarms are a common security feature in many buildings.
During the assessment, after students have gained entry into a real and active office building, they find that various doors have magnetic door alarms hidden either on the interior or embedded in the frames. Students must locate and disable these alarms while also deactivating the security cameras and socially engineering the employees, often at the same time, in order to reach valuable areas where they must then bug rooms and open safes, among other tasks.
While disabling a magnetic alarm might seem straightforward in theory, the practical application is more complex and nuanced. Having run this course for many years, this is the area where students are most often given pause the first time. The reason is simple: bypass a magnetic alarm correctly and the door opens silently; do it incorrectly and you set off the alarm.
Understanding the Alarm Mechanics: Magnetic door alarms typically consist of a reed switch, usually mounted in the frame, and a magnet mounted in the door. On the common normally-closed configuration, the magnet holds the reed switch closed while the door is shut and the circuit is complete. Opening the door moves the magnet away, the switch opens, and the panel registers an alarm. The challenge for the students is to keep the switch held closed while the door is opened.
The Importance of Polarity, Placement, and Angle: To successfully bypass a magnetic door alarm, students must understand and correctly apply the principles of magnetic polarity, placement, and angle. Polarity matters because the bypass magnet's field must reinforce the field the door magnet already supplies at the reed; a magnet placed with its poles reversed can cancel that field and open the switch before the door has even moved. Placement is critical because a magnet's field falls off steeply with distance, so a bypass magnet a little too far from the reed will not hold it closed once the door magnet moves away. The angle of the bypass magnet also matters, since the reed responds to the field along its own axis, and the bypass must mimic the orientation of the door's magnet. Higher-security installations may use balanced magnetic switches, which are calibrated to the door magnet's field and trip when an additional magnet changes it; these cannot be defeated by simply adding a magnet, which is one more reason to identify the sensor type during reconnaissance.
Practical Application and Precision: During the final training day, students are expected to apply these principles in a real-world scenario. This requires precision and a steady hand, as any misstep can result in the alarm being triggered. It's a test of not only their technical understanding but also their ability to perform under pressure.
Learning from Mistakes: This exercise is as much about learning from failure as it is about succeeding. Students often find that their first attempts at disabling a magnetic door alarm are not successful. Each failure, however, provides valuable insights into what went wrong and how to adjust their technique.
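To make the placement and polarity argument concrete, here is a small simulation added for this article; it is not part of the course material or of any product's documentation. It is a one-dimensional dipole model in which the on-axis field of a magnet falls off with the cube of distance, with constructed, arbitrary-unit field strengths, pull-in and drop-out thresholds, and a balanced-switch tolerance window, all assumptions for illustration. It shows why a correctly oriented bypass magnet keeps the reed closed as the door opens, why a reversed magnet cancels the door magnet's field, why a magnet placed too far away fails, and why a balanced magnetic switch detects the bypass itself.

```python
"""Simplified 1-D model of a magnetic door contact (reed switch + magnet).

Constructed example: field strengths, thresholds and distances are
arbitrary units chosen for illustration, not measurements of any product.
Only the on-axis dipole fall-off (field ~ 1/r^3) is physical.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Magnet:
    position: float  # distance from the reed switch along the door edge (cm)
    moment: float    # signed strength; the sign encodes which pole faces which way

    def field_at(self, x: float) -> float:
        """On-axis dipole field at x: same sign on both sides of the magnet,
        falling off with the cube of the distance."""
        r = max(abs(x - self.position), 0.5)  # clamp so a touching magnet stays finite
        return self.moment / r ** 3


REED_X = 0.0        # the reed switch sits at the origin
PULL_IN = 1.0       # |B| needed to close an open reed (assumed)
DROP_OUT = 0.6      # a closed reed opens once |B| falls below this (assumed hysteresis)
BMS_TOLERANCE = 0.3 # assumed window of a balanced magnetic switch


def net_field(magnets: List[Magnet]) -> float:
    """Superposition: fields from all magnets add (with sign) at the reed."""
    return sum(m.field_at(REED_X) for m in magnets)


def reed_closed(magnets: List[Magnet], was_closed: bool) -> bool:
    """Reed state with hysteresis: harder to close than to keep closed."""
    b = abs(net_field(magnets))
    return b >= DROP_OUT if was_closed else b >= PULL_IN


def door_opens(door_magnet: Magnet, bypass: Optional[Magnet],
               gaps: Tuple[float, ...] = (0.0, 1.0, 2.0, 4.0)) -> Tuple[bool, List[float]]:
    """Sweep the door magnet away from the frame in steps of `gaps` cm.

    Returns (alarm_triggered, field_trace). On a normally-closed loop the
    alarm triggers the moment the reed opens."""
    closed = True
    trace: List[float] = []
    for gap in gaps:
        moved = Magnet(door_magnet.position + gap, door_magnet.moment)
        magnets = [moved] + ([bypass] if bypass else [])
        closed = reed_closed(magnets, closed)
        trace.append(round(net_field(magnets), 3))
        if not closed:
            return True, trace
    return False, trace


def balanced_switch_alarms(door_magnet: Magnet, bypass: Optional[Magnet]) -> bool:
    """A balanced magnetic switch is calibrated to the door magnet's field with
    the door shut and trips if the field leaves a window in either direction,
    so bringing a bypass magnet near is itself an alarm condition."""
    nominal = net_field([door_magnet])
    actual = net_field([door_magnet] + ([bypass] if bypass else []))
    return abs(actual - nominal) > BMS_TOLERANCE


if __name__ == "__main__":
    door = Magnet(position=1.0, moment=1.0)   # door magnet 1 cm from the reed, door shut
    scenarios = {
        "no bypass":                    None,
        "bypass, correct pole, close":  Magnet(-1.0, 1.0),
        "bypass, reversed pole":        Magnet(-1.0, -1.0),
        "bypass, correct pole, too far": Magnet(-2.0, 1.0),
    }
    for name, bypass in scenarios.items():
        alarm, trace = door_opens(door, bypass)
        print(f"{name:32} reed-loop alarm={alarm!s:5} field trace={trace}"
              f" balanced-switch alarm={balanced_switch_alarms(door, bypass)}")
```

The trace shows the mechanism directly: with no bypass the field collapses from 1.0 to 0.125 at a 1 cm gap and the loop opens; a correctly oriented magnet at the same distance on the other side of the reed holds the field above the drop-out threshold throughout the sweep; the reversed magnet nulls the field to zero with the door still shut; and the same magnet one centimetre further away contributes only an eighth of the field and fails at the first step. The balanced-switch function trips for the "good" bypass as well, which is the caveat about sensor types above in numbers.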
Conclusion
The success of a physical penetration test relies heavily on the depth of your preparation. By researching and testing common security systems, you not only deepen your understanding of how they work but also equip yourself with the knowledge and skills to identify and exploit their vulnerabilities effectively. This preparation is not just about learning to bypass security; it is about doing so efficiently, safely, and with the highest chance of success. In the world of physical security testing, knowledge truly is power.
Training Resources:
For individuals looking for hands-on training that covers all of the above topics, Covert Access Team (covertaccessteam.com) provides training courses focused on physical penetration testing, lockpicking, bypass techniques, social engineering and other essential skills.
Covert Access Training - 5-day hands-on course designed to train individuals and groups to become Covert Entry Specialists
Elicitation Toolbox Course - 2-day course that focuses primarily on elicitation and social engineering as critical aspects of Black Teaming
Cyber Bootcamp for Black Teams - 2-day course designed explicitly for physical penetration testers who need vital cyber skills to add to their toolbox
Private one-on-one Instruction - Book time to get private and personalized instruction on physical penetration testing