Some companies pay for a security assessment to see whether their physical building and offices are secure. When they secure a building, they want to test that sensitive areas, such as a datacenter, are off limits to people who shouldn’t be able to get there. Sometimes these assessments test employees to see if they would let people into areas they shouldn’t have access to, such as a random person walking behind a bank teller.

What do these types of pen testers bring to this type of security assessment? Here are a few different people talking about what they bring.

Vest of Doom

Jayson Street has talked about his Vest of Doom a few times.

About to load my new #VestofD00M v.7.0 :-) for my engagement in France after I speak at @hackinparis & @NuitDuHack pic.twitter.com/aSGUoOnWZ2 — Jayson E. Street (@jaysonstreet) June 22, 2014

He talks about the contents in his DefCon 18 talk and again in his DefCon 19 talk. Both talks are great to watch in their entirety to get a sense of how Jayson gains access to anything.

Contents

A USB drive which, when plugged into a computer, will grab all password hashes

A USB drive you leave for a user to see if they plug it in (potentially causing persistence)

USB KeyLogger

External hard drive (to grab large amounts of data)

External hard drive (with rainbow tables and malware)

USB Wireless Bridge

Voice Recorder

Ethernet Cables

Various USB cables (A, B, mini, micro, OTG, etc.)

Small Computer – Something to fit in a pocket but can be used to connect to networks

Tablet with metasploit

SD cards – presumably filled with malware or for grabbing data

Fake engagement letter – Jayson loves presenting this when asked to test people further

Real engagement letter – If you don’t have permission to do this, don’t try it!

Lockpicks

Screwdrivers

Camera watch or glasses

Pwnie plug

More cameras

Rtfm: Red Team Field Manual

PSP – for times when you might hide out in a closet for 4 hours waiting for everyone to go home.

Fake badges that may get you into doors or past people

Pen Test Backpack

c0ncealed gives a great breakdown of all his pack’s contents in his Physical Pen Test Talk. He goes into what each of these items is used for. A great watch!

The image on the right demonstrates how easy it is to swing the pack to the front, pull out a laptop, set the laptop on the pack, and begin working. Using the sling pack as a mobile table is really handy because it leaves your hands free to do other things.

Extra things not mentioned

Binoculars for recon

Blue painter’s tape – covering cameras, peepholes and lights, holding items in place, etc.

Ball bungee – has many purposes

Carabiner for the pack to hang stuff on

What is missing from the list? Let us know in the comments!

Bonus Video: DefCon 22 Video on Elevator Hacking