Penetration Testing mailing list archives
Re: Physical Security - Pen Test
From: Neo <security () spacerat ch>
Date: Tue, 31 Mar 2009 12:03:53 +0200
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hack the lock at the backdoor of the company, school, whatever, in the night. The physical door, and you are in. Every further security is disabled this way. If access cards are used, you may want to steal one. Other approach is to use brute force against the physical door, or other ways of lockpicking. Often backup tapes are not physically protected, or at the chiefs home, floating around unsecured. Always a good way to get data. Or you may want to get access to an employees home PC and use his VPN connection. Management employees home pcs are most likely to be less secured than technical staff emplyee ones. You mean "pentest" if you already have physical access? In which case every pentest is futile, because you can reboot the machine with an prepared linux, windows, whatever cd, usb stick and reset the admin/root password. Or simply take the data on harddiscs with you. Or simplay fake a visitcard from a telephone guy, wear a working suite, and let them take to their server rooms. Normally the office girls are really dumb. Especially the blonde ones ;o) my 2 cents Neo THIS IS NOT A INVOCATION/REQUEST/CALL TO DO ILLEGAL THINGS. JUST POSSIBILITIES YOU MAY WANT TO CONSIDER. IN EVERY CASE YOU WILL NEED THE WRITTEN OK FROM THE MANAGEMENT BEFORE BEGINNING PENTESTS. PHYSICAL OR NOT!! iadcc schrieb:
Has anybody ever conducted a physical security penetration test? Do you have a sample test plan you used? I have formulated some Social Engineering tests we could try but anything else would be useful./
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAknR6ogACgkQDKoGk2jFdgxiWQCgp3fr0WOl6unQVIbLxjPPHKFy 3+8AniDk6h/4gQu4fKSv9IXEPh8uGBOX =DgQO -----END PGP SIGNATURE----- ------------------------------------------------------------------------ This list is sponsored by: InfoSec Institute No time or budget for traveling to a training course in this fiscal year? Check out the online penetration testing courses available at InfoSec Institute. More than a boring "talking head", train in our virtual labs for a total hands-on training experience. Get the certs you need as well: CEH, CPT, CEPT, ECSA, LPT. http://www.infosecinstitute.com/request_online_training.html ------------------------------------------------------------------------
Current thread:
- Re: Physical Security - Pen Test Neo (Apr 03)
- <Possible follow-ups>
- Re: Physical Security - Pen Test M.D.Mufambisi (Apr 03)
- RE: Physical Security - Pen Test Shenk, Jerry A (Apr 03)
- Re: Physical Security - Pen Test Marco Ivaldi (Apr 03)