Physical Pentesting Tradecraft: Tailgating, Badge Cloning, USB Drops
Cybersecurity
Physical pentesting is theatre with a payload. This guide covers tailgating choreography, badge cloning workflow under time pressure, and USB drop campaigns that yield real telemetry without leaving the team exposed. Includes the safety brief and the legal kit the operator carries.
By Arjun Raghavan, Security & Systems Lead, BIPI · November 26, 2023 · 10 min read
Physical is high reward, high risk
A successful physical engagement walks past years of cyber investment. Mishandled, it also ends careers and friendships. Every move needs an engagement letter, a get-out-of-jail letter that names a client contact who is reachable for the whole engagement window and can vouch for you to site security or police, and a documented safety plan.
Reconnaissance
- Map entry points, smoking areas, and delivery docks across multiple days.
- Identify peak ingress windows. 08:45 to 09:15 and the return from lunch are the usual ones, but confirm them from your own counts rather than assuming.
- Photograph badge designs from a distance for replica preparation.
Tailgating choreography
The two-person tail is the easiest. Operator A engages the target in conversation while operator B follows with a coffee tray in one hand and a phone in the other, playing the arrival rush. The target holds the door for the colleague with full hands and nobody is asked to badge; the door opens for the story, not for the operator.
Badge cloning under time pressure
- Carry a Proxmark in a padfolio with a long-range LF coil. This workflow only works on unencrypted 125 kHz prox credentials; the badge photos from recon tell you whether the site still uses them, because encrypted 13.56 MHz credentials do not clone this way.
- Initiate a brief conversation that places the target's badge within 30 cm for about five seconds.
- Confirm capture by a haptic vibration wired to the device; never look at it.
- Walk away and write the capture to a T5577 in a private space, then read the clone back and compare it with the original capture before it goes near a reader. A bad write produces a failed-read entry in the access log with your timestamp on it.
USB drop campaigns
- Use branded USB drives that look like vendor giveaways, and give each drive a unique identifier so a callback maps back to a drop location.
- Place near smoking areas, parking lots, and reception lounges, and log where and when each identifier went down.
- The payload is a benign callback that reports the drive identifier and hostname and nothing else; never an exploit unless explicitly scoped.
What you carry vs what you leave behind
- Carry: laminated authorisation letter, plain ID, basic toolkit.
- Leave behind: anything illegal in jurisdiction, branded operator gear, prior engagement artefacts.
- Wear: clothing that matches the building tier, never a fancy hoodie.
Inside the building
Once inside, the operator is on a clock. Plant a network implant in the first 15 minutes, photograph badge readers, and exit before shift change. Lingering invites questions you cannot answer.
Implants worth planting
- LAN Turtle inline between a workstation and its wall port for a transparent foothold; Shark Jack on a spare port for a quick scan and exit.
- A USB-C dock with a hidden Raspberry Pi inside for an internal C2 foothold.
- BLE beacon for later proximity confirmation from outside.
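A defender-side check that catches two of the three implants above, added here as an example and not code from the article or from BIPI: it diffs a known-good MAC table of access-switch ports against a fresh snapshot. The port names, host MACs and baseline are constructed; the three Raspberry Pi OUIs are real IEEE assignments, and the rest of a production watchlist would come from your own inventory. It assumes the tables have already been pulled from the switch (for example from the output of `show mac address-table`) into a port-to-MAC-set dictionary.

```python
"""Diff a known-good access-switch MAC table against a fresh snapshot.

Added example, not code from the article. Baseline, snapshot, port names
and host MACs are constructed; the three Raspberry Pi OUIs are real IEEE
assignments, the rest of a production watchlist would come from inventory.
"""

# Constructed OUI watchlist: 24-bit prefix -> label.
OUI_WATCHLIST = {
    "b8:27:eb": "Raspberry Pi",
    "dc:a6:32": "Raspberry Pi",
    "e4:5f:01": "Raspberry Pi",
}


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-..., or Cisco aabb.ccdd.eeff; return colon form."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def diff_mac_tables(baseline, snapshot, watchlist=OUI_WATCHLIST):
    """Return (port, mac, reason) findings for ports whose MACs changed.

    baseline and snapshot are {port: iterable of MACs}. Reasons:
      watchlist:<label>  a new MAC whose OUI is on the watchlist
      new-mac            any other MAC not seen on that port before
      multiple-macs      a port that carried one (or no) MAC now carries several,
                         which is what a device hanging off a dock looks like
    """
    findings = []
    for port in sorted(snapshot):
        current = {normalize_mac(m) for m in snapshot[port]}
        known = {normalize_mac(m) for m in baseline.get(port, ())}
        for mac in sorted(current - known):
            label = watchlist.get(mac[:8])
            reason = f"watchlist:{label}" if label else "new-mac"
            findings.append((port, mac, reason))
        if len(current) > 1 and len(known) <= 1:
            findings.append((port, ",".join(sorted(current)), "multiple-macs"))
    return findings


# Constructed data: one switch, three user-facing ports.
BASELINE = {
    "Gi1/0/7": {"3c:52:82:11:22:33"},   # workstation
    "Gi1/0/8": {"3c:52:82:44:55:66"},   # workstation behind a dock
    "Gi1/0/9": set(),                   # spare port, should stay empty
}
SNAPSHOT = {
    "Gi1/0/7": {"3c52.8211.2233"},      # same host, Cisco dotted form
    "Gi1/0/8": {"3c:52:82:44:55:66", "dc:a6:32:0a:0b:0c"},  # a Pi appeared
    "Gi1/0/9": {"00:11:22:33:44:55"},   # something plugged into the spare port
}

if __name__ == "__main__":
    for port, mac, reason in diff_mac_tables(BASELINE, SNAPSHOT):
        print(f"{port:10} {mac:40} {reason}")
```

This catches a Shark Jack or a Pi that takes a port of its own, and the second MAC when a Pi rides behind a dock. A LAN Turtle in transparent mode forwards the workstation's own MAC and passes this check; for that you need link-state events (the port went down and up while the workstation never rebooted) or 802.1X with MACsec on the access layer.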
Detection
- Tailgating analytics: correlate badge reads with door contacts and people counters, and alert when more people cross than badged in an open interval or a door stays open past a threshold.
- Camera review on USB drop locations after a campaign disclosure.
- Device fingerprinting at switch ports: alert on a new MAC or a new OUI on an access port, and on link down/up events on a port whose workstation never rebooted.
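The tailgating analytics as working logic, added here as an example and not the article's or BIPI's code. It runs over a few constructed events from two doors: badge reads, door open/close contacts and a break-beam people counter on the same door. The event shape, thresholds, door names and timestamps are assumptions; a real deployment would feed it from the access-control system's event export.

```python
"""Tailgating analytics over door events with thresholding.

Added example, not code from the article. Event shape, thresholds and the
sample events are constructed assumptions; a real feed comes from the
access-control system's event export.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float        # seconds since midnight (constructed timebase)
    door: str
    kind: str        # "badge" | "open" | "close" | "beam" (break-beam crossing)
    who: str = ""    # badge holder, for "badge" events only


def tailgate_alerts(events, held_open_s=20.0, grace_s=5.0):
    """Return one alert dict per door-open interval that looks wrong.

    For each open..close interval on a door, count badge reads in
    [open - grace_s, close] (the read happens just before the door moves)
    and beam crossings in [open, close]. Alert kinds:
      tailgate   more people crossed than badged
      no-badge   the door opened and someone crossed with no read at all
      held-open  the door stayed open longer than held_open_s
    """
    by_door = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_door.setdefault(ev.door, []).append(ev)

    alerts = []
    for door, evs in sorted(by_door.items()):
        open_ts = None
        for ev in evs:
            if ev.kind == "open" and open_ts is None:
                open_ts = ev.ts
                continue
            if ev.kind != "close" or open_ts is None:
                continue
            reads = [x.who for x in evs
                     if x.kind == "badge" and open_ts - grace_s <= x.ts <= ev.ts]
            crossings = sum(1 for x in evs
                            if x.kind == "beam" and open_ts <= x.ts <= ev.ts)
            if crossings > len(reads):
                alerts.append({"door": door, "open_at": open_ts,
                               "kind": "tailgate" if reads else "no-badge",
                               "badges": reads, "entries": crossings})
            if ev.ts - open_ts > held_open_s:
                alerts.append({"door": door, "open_at": open_ts,
                               "kind": "held-open", "seconds": ev.ts - open_ts})
            open_ts = None
    return alerts


# Constructed morning on two doors. 31930 s after midnight is 08:52:10.
SAMPLE_EVENTS = [
    Event(31930, "lobby-east", "badge", "alice"),   # clean entry
    Event(31932, "lobby-east", "open"),
    Event(31933, "lobby-east", "beam"),
    Event(31936, "lobby-east", "close"),
    Event(31980, "lobby-east", "badge", "bob"),     # bob badges, two people cross
    Event(31982, "lobby-east", "open"),
    Event(31983, "lobby-east", "beam"),
    Event(31985, "lobby-east", "beam"),
    Event(31989, "lobby-east", "close"),
    Event(32100, "lobby-east", "badge", "carol"),   # carol props the door
    Event(32102, "lobby-east", "open"),
    Event(32103, "lobby-east", "beam"),
    Event(32130, "lobby-east", "close"),
    Event(33000, "dock", "open"),                   # dock door opens with no read
    Event(33002, "dock", "beam"),
    Event(33005, "dock", "close"),
]

if __name__ == "__main__":
    for alert in tailgate_alerts(SAMPLE_EVENTS):
        print(alert)
```

Set `held_open_s` per door from a week of baseline durations rather than one global number, and keep the grace window, because the read is logged before the strike releases. Denied reads are a separate stream worth watching alongside this one: a mis-written clone that fails at a reader lands there.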
Remediation
- Anti-tailgating turnstiles at primary entry points.
- Retire 125 kHz prox credentials in favour of encrypted 13.56 MHz ones, and put network and application logins on FIDO2 keys so a cloned badge opens a door and nothing else.
- USB control via MDM, application allowlisting on all endpoints.
Carry the authorisation letter twice: once in your wallet, once with the operator paired with you.