Day #3: My Physical Hacking Experience in Brian Harris’ Covert Access Specialist Training

Alexis Lingad
Aug 7, 2024

This is a continuation of my physical hacking experience with Brian Harris’s Covert Access training. If you want to read my previous blogs about this, you can read them here:
Day 1: https://alexislingad.medium.com/day-1-my-physical-hacking-experience-in-brian-harris-covert-access-specialist-training-5626353e5525
Day 2: https://alexislingad.medium.com/day-2-my-physical-hacking-experience-in-brian-harris-covert-access-specialist-training-f3e77ab16173

Highlights of Day #3:

  1. Alarm System Identification and Bypassing
  2. Vulnerability Hunting in PACS (Physical Access Control System)
  3. ID Badge Cloning Attacks
  4. Practical Social Engineering

Alarm System Identification and Bypassing

We tackled a lot of different alarm systems here and most of the common exploits for each. The trainer really knows what he is doing, and if you attend his trainings, you’ll know why I will say this again and again.
One of the most memorable practical activities that we did here was bypassing the alarm systems using magnets. Aside from that, we also successfully bypassed the alarm system of a specific test target building.

Photo taken by me when my classmate and I successfully bypassed the hi-tech alarm system security at the entrance of the target building.

Vulnerability Hunting in PACS

We had an activity here where we needed to find the vulnerability of the card reader that locks the door via magnet so we could enter the building. This was very thrilling since my pentester instinct kicked in: I actually did some OSINT right away by taking a picture of the model and running a reverse image search to find the exact model and, of course, letting my classmates know the exact model. From there, a classmate found out how to reprogram that specific model so we could set up a new badge and make it our entry. Another classmate, an electrical engineer, had an easier way: short-circuiting it to open the door. Our teamwork kicked in on this activity, and I’m happy to see each other’s strengths for the upcoming Friday engagement.

ID Badge Cloning Attacks

Here we talked about a lot of things, like cloning using common tools such as Flipper Zero, iCopy-XS and Proxmark. We also tackled cloning via long range and via extender. The good thing about this day is that the trainer also showed some realistic approaches to how we can use this in a real-life engagement. This course is really practical, and we got to practice cloning badges using the iCopy-XS and Flipper.

Practical Social Engineering

Here, we discussed a lot of social engineering techniques. The good thing about this is that the trainer shared a lot of his previous experience with each technique. We also had some activities where we could use our social engineering tactics in real life.

Conclusion for Day #3:

There can be lots of theory and discussion for these, especially in social engineering, but the good thing the trainer did is that every hour or so, he let us have a 5-minute break. My attention span is only up to 40 minutes and after that it starts to diminish, so this is a good thing. I still love that he lets us practice each technique before proceeding, especially the ones that we will need in Friday’s real physical pentest engagement. Tomorrow will be about bugging and plantable devices, and mostly planning with the team on how we can nail the physical pentest on Friday!

Alexis Lingad

CRTO | OSWP | eCPPT | eCDFP | eWPT | CEH | Author of Cyber Defender | Creator of Hackuna Anti-Hack | WTH Hacker Games Champion 2015&2017 | alexislingad.org