DailyGlimpse

Physical Pen Testing: Tailgating, Badge Cloning, and USB Drops for CompTIA PenTest+

April 27, 2026 · 3:30 PM

Air-gapped networks are only as secure as the physical access controls protecting them. This article walks through three physical penetration testing techniques from the CompTIA PenTest+ PT0-003 exam: tailgating vs. piggybacking for unauthorized entry, RFID badge cloning with tools like Proxmark3 and Flipper Zero for persistent authenticated access, and USB drop attacks using Rubber Ducky HID injection.

Tailgating and Social Engineering

Tailgating occurs when an attacker follows an authorized person through a secured door without their consent, while piggybacking involves the authorized person knowingly allowing entry. Social engineering tactics, such as pretending to be a delivery person or carrying heavy boxes, can exploit human courtesy.

Badge Cloning

RFID badges can be cloned using devices like Proxmark3 or Flipper Zero. The attacker captures the badge signal at a distance, then replays it to gain entry. Smart cards with cryptographic authentication are more resistant but still vulnerable to relay attacks.
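A defender-side check for the two entry techniques above (tailgating and badge cloning), added here as an example and not part of the original article: an anti-passback review of door-controller logs, which flags badge events that contradict the badge's last known inside/outside state. The log format, badge IDs and function names are assumptions constructed for illustration.

```python
from datetime import datetime

# Constructed sample events: ISO timestamp, badge ID, reader direction.
SAMPLE_LOG = """\
2026-04-27T08:01:10 B1001 IN
2026-04-27T08:02:45 B1002 IN
2026-04-27T08:30:00 B1003 OUT
2026-04-27T09:15:20 B1001 IN
2026-04-27T12:00:05 B1002 OUT
2026-04-27T12:40:00 B1002 IN
2026-04-27T17:00:00 B1001 OUT
"""

def parse(log):
    """Yield (timestamp, badge, direction) from whitespace-separated lines."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, badge, direction = line.split()
        yield datetime.fromisoformat(ts), badge, direction

def antipassback_alerts(events):
    """Flag events that contradict a badge's last recorded state.

    Assumes every badge starts the log period outside the secured area.
    """
    inside = {}   # badge ID -> True if the last event was an entry
    alerts = []
    for ts, badge, direction in sorted(events):
        was_inside = inside.get(badge, False)
        if direction == "IN" and was_inside:
            # Two entries with no exit between them: a second copy of the
            # credential may be in use, or the holder left without badging.
            alerts.append((ts, badge, "IN while already inside: possible cloned badge or untracked exit"))
        elif direction == "OUT" and not was_inside:
            # Exit with no entry: the holder got in without presenting a badge.
            alerts.append((ts, badge, "OUT with no recorded entry: possible tailgated entry"))
        inside[badge] = (direction == "IN")
    return alerts

if __name__ == "__main__":
    for ts, badge, reason in antipassback_alerts(parse(SAMPLE_LOG)):
        print(ts.isoformat(), badge, reason)
```

Each alert is a lead for review against camera footage or guard logs, not proof of an intrusion, since employees holding doors for each other produce the same pattern.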

USB Drop Attacks

Attackers leave USB drives in parking lots or lobbies, hoping employees will plug them into corporate computers. The Rubber Ducky, a USB device that appears as a keyboard, can execute pre-programmed keystrokes to install malware or exfiltrate data.

Lock Picking and Bypass Tools

Physical testers may also use lock picks, bump keys, or shims to open doors. Environmental reconnaissance, such as checking for unlocked windows or exposed wiring, is critical.

Documenting Findings

Testers must carefully document physical access methods without violating laws or causing damage. Photos and logs should be taken with client authorization to avoid legal issues.