Leet Sheet
Electronic Locks


Last updated 2 years ago


Door Contact Sensors

Door contact sensors are sensors which detect whether a door is open or not. Let’s say there’s a reader on one side and a request-to-exit (REX) sensor on the other. If the door opens while neither the reader nor the REX sensor has been triggered, the system assumes a forced entry and triggers an alarm.

So one thing you could do is trigger the REX sensor with a can of compressed air so that the sensor doesn’t go off, and then slip the latch using a traveler hook or slim jim.

To find contact sensors, you can use a magnet on a stick.

It’s also possible to bypass these with a magnet.

Snooping credentials

An ESPKey can be installed inside an RFID reader to snoop credentials sent over the Wiegand protocol, which is the most commonly used reader-to-controller protocol (manual: https://www.redteamtools.com/support/ESPKey%20Tool%20Manual%20v1.0.0.pdf).

Prevention

Use a secure reader-to-controller protocol like OSDPv2.

Also, readers can have tamper sensors, which are supposed to detect if a reader is dismounted from the wall. However, these aren’t commonly installed. The tamper sensors can be either a physical switch or a light sensor.
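To make the Wiegand point concrete, here is an added example (not code from the Leet Sheet or from any reader vendor) that encodes and decodes the common 26-bit Wiegand frame. It assumes the standard 26-bit layout (even parity bit, 8-bit facility code, 16-bit card number, odd parity bit) and uses a constructed credential, not a real card. It shows that everything on the wire is in the clear and that the two parity bits only detect a single flipped bit; they authenticate nothing, which is why a secure channel such as OSDPv2 is the fix rather than a stronger card.

```python
"""Encode/decode 26-bit Wiegand frames (assumed standard 26-bit layout).

Added example, not the Leet Sheet's or any product's code. Layout assumed:
  bit 0       even parity over bits 1..12
  bits 1..8   facility code
  bits 9..24  card number
  bit 25      odd parity over bits 13..24
"""


def wiegand26_encode(facility: int, card: int) -> str:
    """Build the 26-bit frame a reader would clock out for this credential."""
    if not (0 <= facility < 256 and 0 <= card < 65536):
        raise ValueError("facility code is 8 bits, card number is 16 bits")
    data = f"{facility:08b}{card:016b}"
    even = str(data[:12].count("1") % 2)        # first 13 bits must have even weight
    odd = str((data[12:].count("1") + 1) % 2)   # last 13 bits must have odd weight
    return even + data + odd


def wiegand26_decode(frame: str) -> dict:
    """Recover facility code, card number and parity status from a frame."""
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        raise ValueError("expected a 26-character string of 0/1")
    bits = [int(c) for c in frame]
    even_ok = sum(bits[0:13]) % 2 == 0
    odd_ok = sum(bits[13:26]) % 2 == 1
    return {
        "facility_code": int(frame[1:9], 2),   # plaintext, no key involved
        "card_number": int(frame[9:25], 2),    # plaintext, no key involved
        "parity_ok": even_ok and odd_ok,
    }


def flip_bits(frame: str, *positions: int) -> str:
    """Return the frame with the given bit positions inverted (simulated line noise)."""
    bits = list(frame)
    for p in positions:
        bits[p] = "1" if bits[p] == "0" else "0"
    return "".join(bits)


if __name__ == "__main__":
    # Constructed credential for illustration: facility 12, card 3456.
    frame = wiegand26_encode(12, 3456)
    print(frame, wiegand26_decode(frame))
    # One flipped bit is caught by parity ...
    print(wiegand26_decode(flip_bits(frame, 5)))
    # ... but two flips in the same half still pass parity as a different, "valid" card.
    print(wiegand26_decode(flip_bits(frame, 1, 2)))
```

The last call is the defender's takeaway: a controller receiving Wiegand has no way to distinguish a frame from a real card presentation, a replayed frame, or an altered one, so the mitigation is transport security (OSDPv2) plus reader tamper detection, not a different card technology.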

Credential Cloning

RFID cards can be cloned, for example using a long-range card reader. Low-frequency cards are extremely easy to clone, but high-frequency cards protect the credentials with a secret, and there’s a handshake between the reader and the card to unlock the credentials.

One thing you can try is to find out the secret to decrypt the credentials, somehow. Or, if you have snooped Wiegand credentials from a reader, and the reader supports both high-frequency and low-frequency cards, then you can clone the credentials onto a low-frequency card.

Bypassing electronic locks

Battery

You can just drill into the lock, connect a 9V battery to the solenoid, then the lock should open.

Magnet

There are some locks that open if you put a magnet next to them.

Deviant Ollam carries around magnets and also a tool which shows the direction of a magnetic field (a magnetic search pole), indicating where the magnet should be placed.

Removing power

Magnetic locks need power to keep the doors closed. If the power goes out, the magnetic lock doesn’t hold anymore. You might be able to disassemble the junction box for the magnetic lock and simply remove the power.

Request to Exit Sensor attack

If there’s a sensor which opens the door when someone’s on the other side, then you can get a can of compressed air, turn it upside down and spray the liquid through an opening in the door. If the sensor is a sensitive enough motion-detecting or heat-change-detecting sensor, then the door will open.

If the sensor is more advanced and detects thermal changes, then pushing a hand warmer through on a piece of wire might open it.

Though actually, Babak said that request-to-exit sensors are commonly PIR (passive infrared) sensors, which detect changes in heat. The compressed air method only works because they’re set to be extremely sensitive to changes so users don’t run into the door.

In fact, you can just vape or spray liquid from your mouth through a gap at the sensor, and it might open.

There are better sensors which aren’t susceptible to this, though. RCR (range controlled radar) sensors detect a change in distance, and they’re usually dual sensors, both infrared and microwave, so you need to activate both in order for it to fire. But passive infrared is the most common.

Keypad PIN code theft

If there’s a keypad with a PIN code, then it would be useful if you could find out someone’s PIN code.

Button Press Traces

If you put some sort of substance on the keypad (like a powder that glows under UV light), then when someone presses the buttons, they’ll leave a mark on the powder. You can later examine the marks to find out the numbers they pressed (though not the exact combination).

Alternatively, you can just film the keypad with an infrared camera, and the pressed buttons should be a different color due to the heat of the finger that pressed them.

Video

If you set up a video camera, then you might be able to make out the exact numbers from the video. If not, you might still see the motion of the hand and figure out the rough positions of the numbers. This method can be combined with another method, like button press traces.

Note that the extremely popular HID iCLASS cards have a known master encryption key, which makes them easy to clone. The huntpad that is used by Deviant Ollam and Babak Javadi is set up to clone these types of cards.