Lab: Physical Security Scavenger Hunt

By Drs. Anthony Vance and Dave Eargle

There can be no information security without physical security.

Note: This lab can be completed in a group of up to four members. Before you make a submission on Canvas, all of your team members should join one of the already-existing “Physical Security” groups on Canvas.

To earn full credit for this lab, your team must complete 6 of the 11 items below.


Submit one single solitary pdf with documentation of all completed items for your team.

For each accomplished item in your single solitary pdf, include:

  1. Prominent header-text indicating which item you have completed
  2. Conclusive photo-documentation of completion.
  3. A sentence or more describing the feat.

Item 1: Successfully open one of my locks via both (bumping) and (SLP and/or raking)

I need to witness it, and you have to do each method twice. Twice is the rule to let both me and you know that it wasn’t just luck.

Item 2

Either a or b but not both.

Item 2a: Photograph an Unlocked, Unattended Terminal



Item 2b: Shoulder-Surf to Get a Legible Photo of a Screen in Use



Item 3: Go Dumpster Diving to Obtain a Photo of Sensitive and/or Potentially Valuable Information

Note: Please specify the information, but redact the information in the attached photo.

While it is not illegal to dumpster dive in CO, you can still get in trouble for trespassing, so be mindful and don't trespass. See Colorado: State v. Hillman, 834 P.2d 1271 (1992), which says that trash curbside / in front of house / outside fenced area of property is public.



Item 4: Take a Picture of Sensitive/Potentially Valuable Information Left in Someone’s Car



Item 5: Gain Access to a Pre-approved Restricted Area

Take a picture of yourself in the restricted area and document how you did it (e.g., tailgating). Get permission from a manager, etc. before entering the restricted area. For example, you might explain to a manager that you are doing a class assignment and you would like to test whether their employees will prohibit you from entering the restricted area. Only proceed with the test with the manager’s approval.

Note: You have my permission to attempt to gain access to my office without picking the lock (please lock the door on your way out). It doesn’t count if I am in the office. Otherwise, it counts.



Item 6: Enter a Pre-approved Restricted Area by Disguise

For example, use a clipboard or fake ID. You can double-count this one with #5.

Item 7: Get a photo of an ID badge that is good enough to make a duplicate, and make a duplicate

Note: Bonus points if you actually make a passable counterfeit badge.

Item 8: More Unattended-Computer Mischief

Either a or b but not both.

Item 8a: Access Saved Passwords in a Web Browser on an Unattended Computer

This website has a list of helpful tools to recover passwords from web browsers:

Item 8b: Install a nuisance-yet-benign browser extension into the web browser of an unattended computer

e.g., nCage or Cloud to Butt

Item 9: Photo Document the Security Cameras in a Building and Establish a Route through the Building without Being Recorded

The route-establishment can be drawn out, but it’s coolest if you video-record doing it.

Item 10: Install a False Keylogger on a Public Computer

Pretend that a USB drive is a keylogger. Plug it into the back of a public computer, and leave it for a day. Retrieve it later. Take a picture of when you leave it, and when you return.

Important: Do not use an actual keylogger unless you have prior approval from the device owner.

Item 11: Obtain the Password Hashes from an Unattended Public Computer

Note: This Item uses Cain, which is installed on the lab VM. It can be downloaded from However, this file will set off all sorts of virus detection alarms and warnings, both in the browser and on your computer. Cain is not a virus, and is the official site to obtain the file from. But you can use Cain to do *virusy* things, so it gets flagged.

You are the virus


Obtain the password hashes from an unattended public computer. In Windows 7/10, the password hashes are contained in two files (you’ll need both):



Since these files are protected by the operating system, boot from a Live CD/USB Linux distribution, such as Kali. From within Kali, copy the SAM and system files to a USB stick.

Password hashes can be dumped from the SAM file using a number of tools. For this lab, use Cain.

Run Cain (ignore any messages about the Windows firewall). Click the “Cracker” tab, and click within the right-hand pane to give it focus. Click on the + button in the toolbar and select Import Hashes from a SAM Database. Select the SAM file you obtained. Next to the Boot Key (HEX) field, select the System file you obtained. This will yield a hex string that you must copy and paste into the Boot Key (HEX) field.

Include a screenshot of the hashes below to prove that you’ve done it.

Note: Include a photo of the hashes, but don’t actually crack the hashes.



Note: This attack will not work on any computer in Leeds. A student of mine who worked for LTS tried it out (successfully) and showed his LTS buds, who have since password-protected the boot process for... most physical computers in the building.
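
Item 11 works because Windows protects the SAM and system files only while Windows itself is running; a boot password blocks the second OS, and volume encryption keeps the files unreadable if that OS boots anyway. The following is an added defender-side example, not part of the original lab: it parses BitLocker status text and lists the drives a live-boot OS could still read. The sample is constructed and trimmed, its layout is assumed to follow `manage-bde -status`, and the function names are hypothetical.

```python
import re

# Constructed, trimmed sample modelled on `manage-bde -status` output
# (field layout is an assumption; real output carries more fields).
SAMPLE_STATUS = """\
Volume C: [Windows]
[OS Volume]
    Conversion Status:    Fully Decrypted
    Protection Status:    Protection Off
    Key Protectors:       None Found

Volume D: [Data]
[Data Volume]
    Conversion Status:    Fully Encrypted
    Protection Status:    Protection Off
    Key Protectors:
        Numerical Password

Volume E: [Backup]
[Data Volume]
    Conversion Status:    Fully Encrypted
    Protection Status:    Protection On
"""

VOLUME_RE = re.compile(r"^Volume (\S+) \[(.*?)\]\s*$")
FIELD_RE = re.compile(r"^\s+([A-Za-z ]+):\s+(.+?)\s*$")


def parse_volumes(text):
    """Return {drive: {field: value}} for each volume block in the output."""
    volumes, current = {}, None
    for line in text.splitlines():
        header = VOLUME_RE.match(line)
        if header:
            current = volumes.setdefault(header.group(1), {"Label": header.group(2)})
        elif current is not None and (field := FIELD_RE.match(line)):
            current[field.group(1)] = field.group(2)
    return volumes


def readable_offline(text):
    """Drives whose files a second OS booted on the machine could read."""
    # Encrypted but "Protection Off" means BitLocker is suspended: the volume
    # key sits unprotected on disk, so the data is still readable offline.
    return sorted(
        drive for drive, fields in parse_volumes(text).items()
        if fields.get("Conversion Status") != "Fully Encrypted"
        or fields.get("Protection Status") != "Protection On"
    )
```

An OS volume appearing in the result means the SAM and system files on that machine can be copied from a live boot unless the firmware prevents booting other media.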