What's In My Physical Testing Field Kit 2022
HTML-код
- Опубликовано: 23 фев 2022
- Tune in as Matt Barnett and Brice Self talk gear and tactics for physical penetration tests in 2022.
While these two experts both do the same thing, their styles and tools, in some cases, can be pretty far apart. Watch them hash out the details as they start this mini series off with their entry bags. This episode breaks down the gear used to break in.
SEVN-X
www.sevnx.com 
Хобби
Can you make a videos of you using those tools in real-time so people can get a better feel for them😊
We actually have a few coming out soon, stay tuned. Thanks for the feedback!
Whats the name of that Farmall bag??
Doesn’t look like they make it anymore… here’s a hip bag that looks like it may work too: www.shopcaseih.com/case-ih-utilitarian-belt-bag
Whare did you get that film
www.redteamtools.com/film-canister
Below comments FYI. I want these pen testers to keep it real and honest. Most of the methods/tools in this, and most physical pen testing videos, are not applicable to modern scenarios, modern security has moved on from these old school entry methods.
Saving ya all money and keeping it real. ALL these kind of videos I see are just rehashing old methods from others videos.
It is misleading, I dont know if this is an industry thing bat every technology has or is moving on from these methods and I doubt modern pen testers are carring most of this stuff, if they are they are rarely if ever using them.
Pick set - I love the creeper case, but Id suggest picking off the velcro and tuck the flap, its quieter that way.
Warded picks - Nice to have bet almost never encounter warded locks in any high value locations.
Film - Ive never encountered an office door handle that will open up.
Shove-it tool, hall pass - Most all modern buildings will not have the old locks that are exploitable with this tool.
Lockpicks - Getting in, they are mildly useful, most modern buildings are RFID access. Might be useful to get into desks and server cabinets. That lockpick kit is crap btw.
Shims - Fun but again trying to exploit obsolete security methods.
Gaffa tape - ok, good for many purposes.
Padlock shims - ok, maybe if you are pen testing a locked bike chain. Soda cans are crap, too soft.
Tubular lock pick - Ok, but require a lot of practice and are tricky. Unless you are opening vending machines.
Thumb turner - again, almost obsolete, shop fronts yes, but thats looking more like thievery not pen testing
Traveller hook - too old and obsolete, like shove-it and hall pass.
Plug spinner - you are not picking difficult locks, and certainly not as a pen tester, if you need to spin a lock, just pick it again.
The future, and current is digital. RFID cloning/hacking, OSINT and social engineering are the current methods, I think videos like this are misleading and do not reflect the reality of modern pen testing.
Without any exaggeration, I have used every single one of those techniques you mentioned (minus the padlock shims and plug spinner in the last 6 months) on everything from banks, to corporate buildings, schools, and entertainment venues. Full disclosure: the thumb turner got used to tigger an RTE button so not the exact purpose but it's staying in my kit. We may like to imagine most companies on to these techniques by now, but I assure you, it's just a dream. The world is still very much broken.
@@mattbarnett8265 Thanks for the reply. I wasnt putting shade on you, I love all of these kind of videos. Let me make it clear that I dont work in the security field, I am an enthusiast and groupie, my field is Engineering Consultancy, mainly civil and structural.
If I was 30 years younger Id look to physical assessment as a career, it sounds exciting and it is important. Where I live and work, Canberra, Australia, the CBD has gone through massive 'renewal' with a lot of the old buildings being knocked down and rebuilt. Who ever is doing the security assessment and recommendations is doing it right. The few buildings I have worked in over the last 3 years (hopefully Im not doxxing myself are the 2CA building, which has the Australian Protective Services as a tenant so security and monitoring is TIGHT, and the CQ building which is one of the newest 6 star office spaces in Canberra, check them out on street view and let me know if you see any obvious weaknesses, Id be very interested) are top notch.
All of the Pubic Service departments are also moving into these modern buildings in the city.
As a physical security enthusiast....and a reformed juvenile burglar, all the high security buildings I see, and I do a mental assessment, are not susceptible to most of the methods of attack.
I would be interested in hearing about the type, not location or client, of the businesses or US Gov that you assess. More around things like, when were these buildings built, if they have upgraded their security etc.
One other thing Id like to ask, you say you have used most of the methods in the last 6 months. How many physical assessment have you been involved in in those 6 months? My very limited understanding is that Security Assessing companies do maybe 2 to 4 physical penetration tests per year (from what Ive gleaned from Deviant and the Core Group), that most engagements are digital, phishing, wifi and remote access attacks rather than actually physically getting to the server room?
Sorry for the looooooong reply, and have a good one.
@@markotb All good on the reply. Reading it, I realized something. All of the techniques we cover (or tools more accurately) have two sides to them (no pun intended). There is the 1) what it was made to do and 2) what it can do. I think in some ways you're right, the tools, as designed, don't always work, but they are the right size, shape, flexibility, etc. to "work" in different ways. It's no different than hacking really. A buffer overflow is a buffer overflow, sometimes it works right out of the box, and sometimes it needs modification. Being good at this field requires a high degree of creativity and o-o-t-box thinking. Cheers!