Physical Penetration Test Methodology

Purpose

The purpose of the Physical Penetration Test Methodology is to measure how secure a physical location is, such as an office, data center, or warehouse, by attempting the same kinds of entry an unauthorized person would.

The goals include, but are not limited to:

  • Find weak spots in locks, doors, cameras, and employee awareness.
  • See how easy it is for an attacker to enter restricted areas without permission.
  • Improve safety and security by giving the organization clear steps to fix problems.

Scope

As with every security test, the scope of the engagement must be defined in advance by the stakeholders so that the tester only enters areas and exercises processes that have been authorized.

Generally, this testing applies to:

  • Buildings and offices – Entry points, lobbies, restricted rooms.
  • Access control systems – Key cards, biometrics, locks.
  • Security staff response – Guards, cameras, alarms.
  • Human element – How employees react to strangers or social engineering.

Out of scope:

  • Any activity not explicitly authorized in writing.
  • Causing damage to property or harming people.
  • Real theft of company assets.

A signed Rules of Engagement (RoE) document is required before testing begins.


Roles and Responsibilities

  • Client/Stakeholders – Provides permission and defines testing boundaries.
  • Test Lead – Plans and manages the test, keeps the team safe and within scope.
  • Tester – Performs physical entry and social engineering tasks.
  • Observer/Scribe – Documents actions, evidence, and findings.

Tools

Common physical testing tools:

  • Lock picks – Test mechanical locks (use only on locks the RoE authorizes; possession laws vary by jurisdiction).
  • RFID reader/cloner (Proxmark3, Flipper Zero) – Read, replay, and clone access badges to test card security.
  • USB Rubber Ducky – Keystroke-injection device used to simulate a rogue-USB attack on an unlocked, unattended workstation.
  • Flashlight – Check dark areas, utility rooms, or ceilings.
  • Binoculars – Observe security patrols from a distance.
  • Camera/Phone – Document findings (photos and videos).
  • Notebook/Tablet – Record notes and timestamps.
  • Two-way radios – Team communication during testing.

Methodology Steps

Planning

  • Get written permission and signed agreements.
  • Define clear objectives, such as:
    • Testing after-hours security.
    • Checking if employees challenge strangers.
  • Identify target areas:
    • Main entrances
    • Server rooms
    • Loading docks
    • Employee break rooms

Reconnaissance (Information Gathering)

Collect information before visiting the site:

  • Look at the building layout (Google Maps, company website).
  • Watch staff routines like lunch breaks or shift changes.
  • Identify delivery entrances or unlocked side doors.

Testing Entry Points

Test physical barriers:

  • Present the test badges the client issued, then check whether a badge read once by the tester can be cloned and accepted by the reader.
  • Check whether doors close and latch fully, and whether they can be forced or bypassed.
  • Look for tailgating opportunities.
  • Document how easy or hard it was to get inside.
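The 26-bit format used by most legacy proximity badges, as an added example (Python, written for this page, not code from the methodology or from any vendor tool) of why a badge that a Proxmark3 or Flipper Zero reads once can simply be replayed: the card carries a static facility code and card number guarded only by two parity bits, with no secret and no challenge from the reader. The facility code and card number below are constructed sample values, and the bit layout is the standard H10301 layout.

```python
# Added example, not part of the original methodology page. Encodes and decodes
# the HID 26-bit (H10301) Wiegand format. Bit 1 is the first bit transmitted:
#   bit 1       even parity over bits 2..13
#   bits 2..9   8-bit facility code
#   bits 10..25 16-bit card number
#   bit 26      odd parity over bits 14..25
# Sample values (facility 16, card 1000) are constructed for illustration.

def encode_h10301(facility_code: int, card_number: int) -> int:
    """Return the 26-bit value a reader sees for this badge (also what a clone must emit)."""
    if not 0 <= facility_code <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card_number <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    body = (facility_code << 16) | card_number   # the 24 data bits (bits 2..25)
    left = body >> 12                            # bits 2..13
    right = body & 0xFFF                         # bits 14..25
    even_parity = bin(left).count("1") & 1       # set when the left half has an odd count
    odd_parity = 1 - (bin(right).count("1") & 1) # set when the right half has an even count
    return (even_parity << 25) | (body << 1) | odd_parity


def decode_h10301(raw: int) -> tuple:
    """Recover (facility_code, card_number) from a 26-bit value, checking both parity bits."""
    if raw >> 26:
        raise ValueError("value has more than 26 bits")
    even_parity = (raw >> 25) & 1
    odd_parity = raw & 1
    body = (raw >> 1) & 0xFFFFFF
    left, right = body >> 12, body & 0xFFF
    if (bin(left).count("1") + even_parity) % 2 != 0:
        raise ValueError("even parity check failed")
    if (bin(right).count("1") + odd_parity) % 2 != 1:
        raise ValueError("odd parity check failed")
    return body >> 16, body & 0xFFFF


def is_valid(raw: int) -> bool:
    """True if the 26 bits decode cleanly; a single flipped bit fails one parity check."""
    try:
        decode_h10301(raw)
        return True
    except ValueError:
        return False


def from_bitstring(bits: str) -> int:
    """Parse a demodulated bit string (spaces allowed) into the raw 26-bit value."""
    bits = bits.replace(" ", "")
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 26 binary digits")
    return int(bits, 2)


if __name__ == "__main__":
    raw = encode_h10301(16, 1000)                       # constructed sample badge
    print(f"transmitted: {raw:026b}")
    print("decoded:", decode_h10301(raw))
    print("clone identical to original:", encode_h10301(*decode_h10301(raw)) == raw)
```

Because `encode_h10301(*decode_h10301(raw)) == raw` always holds, a reader cannot distinguish the original badge from a clone; the finding to report is therefore the credential technology itself, not any single badge.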

Social Engineering

  • Attempt to trick employees into granting access:
    • Pretend to be maintenance staff, delivery person, or IT support.
  • Use simple pretexts like:
    • “I’m here to fix the Wi-Fi.”
    • “Can you hold the door? My hands are full.”
  • Always remain polite and safe, and never threaten anyone.

Internal Movement

Once inside:

  • Locate sensitive areas like server rooms or finance offices.
  • Test for unsecured equipment and information:
    • Unattended, unlocked computers.
    • Open filing cabinets.
    • USB ports without restrictions.
  • Record findings without stealing or damaging property.

Exit and Safety Check

Leave the area without alerting staff, unless alerting them is part of the test plan. Make sure:

  • All doors are locked behind you.
  • Nothing was broken or left behind.
  • Testers are accounted for and safe.

Reporting

Write a clear, simple report with:

  • Photos or videos of vulnerabilities.
  • What was tested and how.
  • A chronological log of every action taken, with timestamps and location.
  • Recommendations for improvement.
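A scribe log that produces the chronological record above, as an added example (Python, written for this page, not code from the methodology): each entry carries a timestamp and area, the report builder checks that every action fell inside the authorized RoE window and an in-scope area, sorts the timeline, and fingerprints evidence files so photos cannot be swapped after the fact. The RoE window, area names, and log entries are constructed sample data.

```python
# Added example, not part of the original methodology page. A minimal scribe
# log for a physical test with an RoE check and a chronological report builder.
# All RoE values, areas and entries below are constructed sample data.
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional
import hashlib


@dataclass
class RulesOfEngagement:
    start: datetime              # first moment any testing is authorized
    end: datetime                # last moment any testing is authorized
    in_scope_areas: frozenset    # areas the client authorized the team to enter


@dataclass
class LogEntry:
    when: datetime
    area: str
    action: str
    outcome: str
    evidence: Optional[bytes] = None   # photo/video bytes; only the hash goes in the report


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_entries(roe: RulesOfEngagement, entries: List[LogEntry]) -> List[str]:
    """Return RoE violations found in the log; an empty list means the log is clean."""
    problems = []
    for e in entries:
        if not roe.start <= e.when <= roe.end:
            problems.append(f"{e.when:%Y-%m-%d %H:%M} {e.action!r}: outside authorized window")
        if e.area not in roe.in_scope_areas:
            problems.append(f"{e.when:%Y-%m-%d %H:%M} {e.action!r}: area {e.area!r} not in scope")
    return problems


def build_timeline(entries: List[LogEntry]) -> List[str]:
    """Chronological report lines, each tagged with the hash of its evidence if any."""
    lines = []
    for e in sorted(entries, key=lambda x: x.when):
        ev = f" evidence=sha256:{sha256_hex(e.evidence)[:16]}" if e.evidence else ""
        lines.append(f"{e.when:%Y-%m-%d %H:%M} [{e.area}] {e.action} -> {e.outcome}{ev}")
    return lines


# Constructed sample RoE: an after-hours window and three authorized areas.
ROE = RulesOfEngagement(
    start=datetime(2024, 3, 12, 18, 0),
    end=datetime(2024, 3, 13, 6, 0),
    in_scope_areas=frozenset({"lobby", "loading dock", "server room"}),
)

# Constructed sample log, deliberately out of order and with two RoE problems.
SAMPLE_LOG = [
    LogEntry(datetime(2024, 3, 12, 19, 5), "loading dock",
             "door propped open by pallet; walked in", "entry gained",
             evidence=b"constructed photo bytes 1"),
    LogEntry(datetime(2024, 3, 12, 18, 40), "lobby",
             "tailgated behind employee carrying boxes", "entry gained",
             evidence=b"constructed photo bytes 2"),
    LogEntry(datetime(2024, 3, 12, 20, 15), "server room",
             "presented client-issued test badge", "reader granted access"),
    LogEntry(datetime(2024, 3, 12, 20, 30), "finance office",
             "tried door handle", "locked"),                       # area not in scope
    LogEntry(datetime(2024, 3, 13, 7, 10), "lobby",
             "re-entered to retrieve radio", "no challenge"),     # after the window closed
]

if __name__ == "__main__":
    for p in check_entries(ROE, SAMPLE_LOG):
        print("RoE PROBLEM:", p)
    print("\n".join(build_timeline(SAMPLE_LOG)))
```

Run the check before the report is written: any entry it flags is a finding about the team, not the client, and the Test Lead should explain it in the report rather than quietly drop it.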

Safety and Legal Rules

  • Always carry the signed authorization letter and contact details for a client representative who can confirm the engagement on the spot.
  • Stop immediately if:
    • Anyone feels unsafe.
    • There is a risk of physical harm.
    • The situation goes beyond the agreed scope.

Physical Pen Test Checklist

Before the Test

  • Written permission signed by client.
  • Defined objectives and scope.
  • Safety plan reviewed with team.
  • Tools packed and tested.
  • Emergency contacts ready.

During Recon

  • Observed staff routines.
  • Mapped entrances and exits.
  • Identified security camera locations.
  • Logged suspected weaknesses.

During Testing

  • Checked all entry points (main and side doors).
  • Attempted tailgating.
  • Tested card reader or RFID security.
  • Attempted at least one social engineering scenario.
  • Recorded internal movement paths.

After Testing

  • Verified no damage or missing items.
  • Reviewed notes and evidence.
  • Created clear step-by-step report.
  • Presented recommendations to client.
