Tag Archives: World Wide Technology

SSL Strip – Breaking Secure Websites

Aamir Lakhani wrote an overview of how to perform an SSL strip attack. The original post can be found HERE.

SSLSTRIP LAB

Before beginning the lab, make sure you have the Backtrack 5 R3 VM imported into VMware Player/Workstation/Server/Fusion, or whatever virtual machine environment you have chosen to use.

The following is an excerpt from the “Getting started with VMware Player” section of the VMware Player 4.0 user guide.

Import an Open Virtualization Format Virtual Machine

You can import an Open Virtualization Format (OVF) virtual machine and run it in Player. Player converts the virtual machine from OVF format to VMware runtime (.vmx) format. You can import both .ovf and .ova files.

OVF is a platform-independent, efficient, extensible, and open packaging and distribution format for virtual machines. For example, you can import OVF virtual machines exported from VMware FusionTM into Player. You can import OVF 1.0 and later files only.

You can also use the standalone OVF Tool to convert an OVF virtual machine to VMware runtime format. The standalone version of the OVF Tool is installed in the Player installation directory under OVFTool. See the OVF Tool User Guide on the VMware Web site for information on using the OVF Tool.

Procedure

  1. In Player, select File > Open a Virtual Machine.
  2. Browse to the .ovf or .ova file and click Open.
  3. Type a name for the virtual machine, type or browse to the directory for the virtual machine files, and click Import. Player performs OVF specification conformance and virtual hardware compliance checks. A status bar indicates the progress of the import process.
  4. If the import fails, click Retry to try again, or click Cancel to cancel the import.

If you retry the import, Player relaxes the OVF specification conformance and virtual hardware compliance checks and you might not be able to use the virtual machine in Player.

After Player successfully imports the OVF virtual machine, the virtual machine appears in the virtual machine library.

Your Lab

In this lab, we are using virtual-machine-based attack hosts. The hosts run Linux-based Backtrack 5 R3 (based on Ubuntu Linux). The reason for using Backtrack is that all of the modules and associated dependencies for this lab come preloaded with the distribution. The module dependencies for SSLStrip are (these are already loaded with Backtrack):

  • Python >= 2.5 (apt-get install python)
  • The python “twisted-web” module (apt-get install python-twisted-web)

Additionally to utilize SSLSTRIP you need (Again already in Backtrack):

  • Arpspoof or Ettercap (this lab uses Arpspoof; Ettercap has issues with wireless)
  • IPChains / IPtables
  • Netstat

Additionally, when using Backtrack or any Ubuntu distribution, it is a good idea to run APT to update the existing packages. Backtrack has several custom distribution repositories preconfigured.

Use this command to update:

apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y

Getting Started 

Once your Backtrack virtual machine is installed and booted use the following credentials to log in:

Username: root
Password: toor

Start the desktop environment by issuing the startx command from the terminal session:

startx

Note: It is not mandatory that you use a GUI desktop, but for the purposes of this lab it is recommended. Those less familiar with working in a Linux command shell will likely find it simpler to switch between the multiple terminal windows needed to perform the upcoming operations.

You should now see an environment similar to the following:


For the purposes of this lab we will only be using a single interface, but your virtual machine might be configured with multiple Ethernet interfaces. We need to check whether more than one (virtual) Ethernet interface is enabled.

In the upper left hand corner of the desktop click on the Xterm link.


When you see a terminal window open on the desktop you are ready to continue.

  1. Use ifconfig to determine what interfaces are on the virtual machine.

ifconfig | grep "eth"

This command filters out the miscellaneous output and shows only the Ethernet interfaces, as below.


If we do indeed have more than one interface enabled, issue the ifdown command with the interface name to disable it. If there is an interface named eth1, as shown above, issue the command:

ifdown eth1

The output should be like what is shown below.


Filed under General Security

Situational Awareness For Cyber Threat Defense

Aamir Lakhani did a great post on Situational Awareness. The original post can be found HERE.

Illustration by Kekai Kotaki

Problem

Cisco Systems, in its Cyber Security Threat Defense white papers, outlines how the network security threat landscape is evolving. It describes how modern attacks are stealthy and evade traditional security perimeter defenses.

Traditional monitoring and reporting tools are no longer sufficient for detecting true threats on the network. Modern security tools and hardware devices such as firewalls, anti-virus, patch management solutions, IPS and other solutions can only provide a small amount of relief against attacks. Most of these tools seem to be implemented mainly to fulfill some sort of checkmark for an auditor on a compliance form. Security professionals know that these tools, although very important, alone don’t provide a full security defense architecture.

Furthermore, as security threats and malware invade systems, security administrators are having trouble understanding the nature of attacks, how they occur, and how to defend against them. Remember you can’t fight what you don’t understand.

“It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.”

- Sun Tzu, The Art of War (source: http://en.wikiquote.org/wiki/Sun_Tzu)


Image Source: Cisco Identity Services Engine

Cisco Identity Services Engine provides true network identification, profiling, and access controls.

As the centerpiece of Cisco’s TrustSec solution, Cisco ISE creates a secure ecosystem that treats security as a holistic solution.

Federal Cyber Initiatives

New mandates are putting cyber security front and center in the news. President Obama recently challenged the nation and the United States Federal government to increase their cyber defense capabilities. Federal IT budgets are being slashed in 2013; spending on cyber security, however, appears to be increasing, at least in the eyes of the casual onlooker.

Cisco Systems, in their Cyber Threat Defense White Paper discusses how “with increasingly sophisticated cyber attacks like WikiLeaks on the rise, federal agencies require more innovative solutions for maintaining a strong security posture. Additionally, with the evolution of the CNCI (Comprehensive National Cybersecurity Initiative), federal agencies are being required to take a more holistic and collaborative approach to analyzing threat information across the totality of government networks for improved incident response and forensic investigation.”

Being constantly bombarded with continuous threats, how can security professionals even gauge whether they are being attacked, or whether a threat poses a clear and present danger (yes, that was a Harrison Ford shout out)?

RSA NetWitness Logo

Image Source: RSA

How To Solve The Problem

I recommend creating a conceptual framework for a Threat Defense Visibility and Awareness program. The goals of the program should be to (1) provide a framework that can be built using products, technologies and methodologies that are available today, (2) provide real-time visibility into network health and status, (3) provide real-time network posture and attack risk baselines, and (4) provide a training facility for attack analysis and defense.

What Is Network Visibility?

According to Lancope (source: http://www.lancope.com/), “network visibility focuses on the most complex and dangerous information security threats – threats that lurk in networks for months or years at a time stealing vital information and disrupting operations. This type of solution provides visibility into these threats and context to decipher their targets and potential damage”. Lancope further states on its website that security analysts gain visibility into advanced cyber threats such as:

  • Network reconnaissance
  • Network interior malware proliferation
  • Command and control traffic
  • Data exfiltration

Lancope StealthWatch provides network visibility

Understanding trends, anomalies, and threats of the network

Image Source: Lancope

Network visibility gives security administrators the ability to detect problems because it highlights changes in baseline behavior. Did traffic spike by 100%? Did outbound traffic suddenly increase? Are more requests being sent to a new domain on the Internet? All of these occurrences can indicate an attack. Network visibility shows network security professionals exactly what is different about today’s traffic patterns compared with what the network normally looks like.
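The baseline comparison the paragraph describes, as an added example (not code from the original post or from Lancope): today's traffic summary is compared against a seven-day baseline, and a finding is raised when a metric spikes to twice its baseline mean, when it sits well outside the baseline's normal variation, or when the network starts talking to domains it has never contacted before. It assumes per-day summaries already exist (for instance rolled up from NetFlow); the records, domain names and thresholds are constructed for illustration.

```python
"""Baseline-deviation checks: compare today's traffic summary against a
rolling baseline and flag spikes and newly contacted domains.

Added example; not code from the original post or from Lancope. It assumes
per-day summaries already exist (e.g. rolled up from NetFlow). The records,
the domains and the thresholds are constructed for illustration.
"""
from statistics import mean, pstdev

# Constructed 7-day baseline: (total_bytes, outbound_bytes, external domains contacted)
BASELINE = [
    (5_000_000, 1_000_000, {"example.com", "cdn.example.net", "updates.example.org"}),
    (5_200_000, 1_100_000, {"example.com", "cdn.example.net"}),
    (4_800_000,   950_000, {"example.com", "updates.example.org"}),
    (5_100_000, 1_050_000, {"example.com", "cdn.example.net", "updates.example.org"}),
    (4_900_000, 1_000_000, {"example.com", "cdn.example.net"}),
    (5_300_000, 1_150_000, {"example.com", "cdn.example.net", "updates.example.org"}),
    (5_000_000,   980_000, {"example.com"}),
]

# Constructed "today": total traffic roughly doubled, outbound nearly 4x,
# and two never-seen domains contacted
TODAY = (11_000_000, 3_900_000,
         {"example.com", "cdn.example.net", "drop.example-bad.test", "c2.example-bad.test"})

METRICS = ("total_bytes", "outbound_bytes")


def baseline_stats(history, index):
    """Mean and population std-dev of one numeric column of the baseline."""
    values = [day[index] for day in history]
    return mean(values), pstdev(values)


def detect_anomalies(history, today, spike_factor=2.0, z_threshold=3.0, new_domain_limit=1):
    """Return a list of (kind, detail) findings for today's summary.

    A metric is flagged when it is at least spike_factor times the baseline
    mean (the "did traffic spike 100%" check) or, failing that, when it sits
    more than z_threshold standard deviations above the mean.  Domains are
    flagged when more than new_domain_limit of them were never seen before.
    """
    findings = []
    for index, name in enumerate(METRICS):
        avg, sd = baseline_stats(history, index)
        value = today[index]
        if value >= spike_factor * avg:
            findings.append((name, f"{value} is {value / avg:.1f}x the baseline mean of {avg:.0f}"))
        elif sd > 0 and (value - avg) / sd > z_threshold:
            findings.append((name, f"{value} is {(value - avg) / sd:.1f} std-devs above baseline"))

    known_domains = set().union(*(day[2] for day in history))
    new_domains = sorted(today[2] - known_domains)
    if len(new_domains) > new_domain_limit:
        findings.append(("new_domains", ", ".join(new_domains)))
    return findings


if __name__ == "__main__":
    for kind, detail in detect_anomalies(BASELINE, TODAY):
        print(f"[{kind}] {detail}")
```

The two-stage test matters in practice: the spike check catches the gross "doubled overnight" case the paragraph asks about, while the standard-deviation check catches a quieter but still abnormal rise that a fixed multiplier would miss. Both depend on the baseline being measured on a healthy network; a baseline captured while an intrusion is already under way simply normalizes the intruder's traffic.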

Filed under Security Management & Analysis

Beating Signature Based Security – Dynamic Software That Obfuscates Malware

Most security solutions leverage a combination of signature-based and behavior-based technology (more HERE). This worked in the past; however, today these solutions are not good enough, regardless of whether you layer multiple products that are built upon similar scanning methods. There are many ways to bypass point security products, such as throttling behavior and masking the known fingerprint of the attack code. An example of a technique used to hide malware from popular anti-virus packages is leveraging dynamic obfuscation software.

Obfuscation software was designed to protect source code from piracy by making the original code more complicated to read while retaining its functionality. There are commercial obfuscation packages available for programmers looking to hide their source code, and these are also obtainable by malware developers. This is bad for anti-virus vendors responsible for developing methods to fingerprint malicious code.

Malware producers can make things even more difficult for anti-virus vendors by adding dynamic elements that randomize malicious code and encryption keys on the fly. For example, a victim accessing a malicious website could see a different variation of the same exploit each session. Dynamic obfuscation provides an endless number of variants, making it almost impossible for signature-based security to identify the threat.
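To show, from the detection side, why a byte-level signature fails against renamed and re-spaced variants while a structure-aware signature still matches, here is an added example (not code from the original post or from any obfuscator or anti-virus product). Both snippets are constructed, benign JavaScript-like fragments: the second is the first after an identifier-renaming pass with comments and whitespace inserted, which is the kind of change the passage attributes to obfuscators. The tokenizer is a minimal regex, not a real parser.

```python
"""Raw-bytes signature versus normalized-token signature.

Added example; not code from the original post or from any obfuscator or
anti-virus product. The two snippets are constructed, benign fragments and
the tokenizer is a deliberately minimal regex.
"""
import hashlib
import re

ORIGINAL = "function fetchConfig(url) { var r = get(url); return r; }"

# The same routine after identifier renaming, with noise comments and
# whitespace inserted (constructed by hand for the example)
VARIANT = """function a1(b2) { /* noise */
    var   c3 = get(b2);   // renamed
    return c3; }"""

KEYWORDS = {"function", "var", "return", "if", "else", "for", "while", "new"}
# identifiers, integer literals, or any other single non-space character
TOKEN = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]*|\d+|\S")


def strip_comments(src):
    """Remove /* ... */ and // ... comments (no string-literal awareness)."""
    src = re.sub(r"/\*.*?\*/", " ", src, flags=re.DOTALL)
    return re.sub(r"//[^\n]*", " ", src)


def normalized_tokens(src):
    """Tokenize, drop comments/whitespace, and rename identifiers ID0, ID1, ...
    in order of first appearance so that renaming no longer matters."""
    names = {}
    out = []
    for tok in TOKEN.findall(strip_comments(src)):
        if tok in KEYWORDS or not re.match(r"[A-Za-z_$]", tok):
            out.append(tok)                      # keyword, literal or punctuation
        else:
            out.append(names.setdefault(tok, f"ID{len(names)}"))
    return out


def raw_signature(src):
    """What a plain byte-level signature sees: a hash of the exact text."""
    return hashlib.sha256(src.encode()).hexdigest()


def structural_signature(src):
    """Hash of the normalized token stream; stable across renaming/reformatting."""
    return hashlib.sha256(" ".join(normalized_tokens(src)).encode()).hexdigest()


if __name__ == "__main__":
    print("raw match:       ", raw_signature(ORIGINAL) == raw_signature(VARIANT))
    print("structural match:", structural_signature(ORIGINAL) == structural_signature(VARIANT))
```

The limitation is also the point of the passage: normalization only defeats renaming and cosmetic changes. An obfuscator that re-orders statements, splits routines, or encrypts the body with a per-session key changes the token stream too, which is why the text argues that behavior-based detection is needed alongside signatures rather than a smarter signature alone.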

There are dozens of examples of commercial Java obfuscator packages. Some common packages are Zelix KlassMaster, DashO, ProGuard, Smokescreen, Thicket and Allatori. Popular penetration toolsets such as Metasploit also include malware-obfuscating modules such as the VoMM module. Research on VoMM from a few years ago can be found HERE.

Examples of Java obfuscation software


Filed under General Security, Internet Defense, Penetration / Hacking, Security Management & Analysis

Hacking the iPhone : Breaking Pins and Passcodes : Booting without approved Apple Firmware

“My buddy Aamir Lakhani is developing an iOS security class and recently posted about hacking iOS devices. This is a very popular subject and I want to share this. Also a shout out to Tom Bedwell for his assistance with the research. You can find the original posting at www.cloudcentrics.com”

iOS devices can be booted with their own kernel and micro operating system instead of approved Apple firmware. When iOS devices are loaded with a micro kernel, you can run attacks such as bypassing the passcode, decrypting passwords, copying file systems, viewing emails and much more. The following guide describes how to create a RAM disk; however, it may not function precisely as a step-by-step instruction set, since each system is unique and requires some level of customization.

Note: If you run in to trouble when creating a RAM DISK due to unique OS configurations and code versions, don’t despair.

If you want to take the easy way

Download: http://cloudcentrics.com/wp-content/uploads/2012/11/iphone-dataprotection-modifed.zip 

then complete step 11 and proceed to step 20.

Now let the real fun begin

IMPORTANT: Watch the word wrap. Many commands are single line and may be wrapped on multiple lines.

Step 1: Uninstall file system readers

If you have a system tool such as MacFuse or Tuxera, uninstall the program before starting and reboot your machine.

Step 2: Install Xcode from the Mac App Store


Step 3: Download and install Xcode Command Line Tools:

1. Download Xcode from the Apple App Store
2. Launch Xcode and go to preferences
3. Install Xcode Command Line tools and Simulators


Step 4: Open the Terminal App.

Make sure you are in your home directory. In my case the home directory is /Users/alakhani

Filed under Bring Your Own Device BYOD, Host And Mobile Device Security, Penetration / Hacking

Building an Active Identity HID Global Two-Factor Card Authentication Lab : ActivID CMS Overview

Many of our customers are investing in multi-factor authentication solutions. The multi-factor industry offers a range of options such as physical cards, certificates and tokens that represent “something you have”, combined with a PIN, password or security phrase that is “something you know”. An upcoming multi-factor technology is biometrics, representing “something you are”; however, it’s not as common as having and knowing something. DoD has standardized on Common Access Cards (CAC), while civilian agencies tend to use Personal Identity Verification (PIV) cards for accessing systems and secured areas. Both card solutions use similar smart card technology; however, things like the Certificate Authority and what is printed on the cards differ between organizations.

Customers ask my team to provide security demonstrations and often ask whether the solution being showcased is CAC / PIV / smart card capable. There are a few players in the CAC / PIV / smart card market. One we like is Active Identity (now part of HID Global). Active Identity offers many multi-factor authentication solutions, including CAC / PIV and smart card packages that range from the HID reader to the card management system. Active Identity’s flagship card management solution is ActivID CMS, which is a web-based application using Apache Tomcat and IIS. Active Identity does not provide a Certificate Authority (CA) for generating certificates or a Hardware Security Module (HSM) for storing master keys; however, a lab can work without these.

For those who want to build a CAC / PIV / smart card lab, go to Active Identity’s demo download page found HERE and download the latest ActivID CMS. I’m running ActivID CMS in my lab using VMware Workstation on a standard Windows laptop. There are a lot of steps in the install guide, so make sure to download that as well. To summarize the installation steps, you will need to do the following:


Filed under Physical Security

Defending Against The Next Generation Distributed Denial of Service DDoS Attacks : DDoS Defense Reference Architecture

Press around the DDoS attack Operation Ababil has caught the attention of many of our customers. This sophisticated cyber strike used a combination of three separate rootkits targeting web servers, which produced a very high-volume upstream attack on multiple companies simultaneously. The scary part about Operation Ababil was that it was designed to bypass standard DDoS defense methods. This clearly demonstrates there isn’t a silver bullet for addressing advanced DDoS attacks. Distributed Denial of Service (DDoS), web application and DNS infrastructure attacks represent some of the most critical threats to enterprises today. Here are some suggestions for a reference architecture to defend against these and other advanced threats.

The best approach for defending against advanced DDoS as well as other cyber attacks is having multiple security solutions that use different methods to detect malicious activity, for both internal and external threats. For internal threats, it’s critical to have a well-designed and mature security infrastructure that includes components such as firewalls, IPS/IDS, email and content / application security solutions. Similar security standards need to be applied to endpoints as well as in the datacenter, such as proper patch management, anti-virus and anti-malware. It’s important to enable the DDoS defense features of these tools. For example, some best practices are leveraging ACLs for ingress and egress filtering, rate limiting ICMP and SYN packets, and verifying that a packet’s source IP is actually reachable via the interface it arrived on.

Standard internal security solutions are important; however, they will not completely protect you from advanced DDoS and other cyber threats. Security administrators need full network visibility to quickly identify anomalies regardless of their location or form of communication. The best practice for identifying malicious activity inside your network is monitoring the wire using a NetFlow or packet capture approach (more can be found HERE and HERE). It’s also important to match identities to the devices found. An example is how Cisco offers integration of its flagship access control solution, Identity Services Engine (ISE), with network forensic tools such as Lancope, NetWitness and most major SIEMs. A tuned monitoring solution will dramatically improve reaction time to internal cyber threats.
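The three "DDoS defense features" named in that paragraph, reduced to their decision logic as an added example (not code from the original post or from any Cisco product): a strict reverse-path check that accepts a packet only if the route back to its source leaves through the interface it arrived on, ingress and egress ACL filtering of spoofed sources, and a token-bucket rate limit of the kind applied to SYN or ICMP packets. The routing table, interface names and address blocks are constructed; the bucket parameters are illustrative.

```python
"""Reverse-path check, ingress/egress filtering and SYN rate limiting.

Added example; not code from the original post or from any Cisco product.
The routing table, interface names and prefixes are constructed, and the
token-bucket parameters are illustrative choices.
"""
import ipaddress

# Constructed routing table: (prefix, interface through which it is reached)
ROUTES = [
    (ipaddress.ip_network("10.0.0.0/8"), "inside"),
    (ipaddress.ip_network("192.0.2.0/24"), "dmz"),
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),   # default route
]

# Address space this site owns; the only legitimate sources for egress traffic
OWN_PREFIXES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]

# Sources that must never arrive on the outside interface (ingress ACL)
INGRESS_DENY = OWN_PREFIXES + [ipaddress.ip_network("127.0.0.0/8")]


def egress_interface(ip):
    """Longest-prefix-match lookup: which interface would we use to reach ip?"""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in ROUTES:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def passes_reverse_path(src_ip, ingress_iface):
    """Strict uRPF: accept only if the route back to src_ip leaves via ingress_iface."""
    return egress_interface(src_ip) == ingress_iface


def ingress_allowed(src_ip, ingress_iface):
    """Drop packets from the outside that claim an internal or loopback source."""
    if ingress_iface != "outside":
        return True
    addr = ipaddress.ip_address(src_ip)
    return not any(addr in prefix for prefix in INGRESS_DENY)


def egress_allowed(src_ip):
    """Only let packets carrying one of our own source addresses leave the site."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in prefix for prefix in OWN_PREFIXES)


class TokenBucket:
    """Rate limiter: `rate` tokens per second, at most `burst` stored."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now):
        """Return True if a packet arriving at time `now` (seconds) may pass."""
        # Refill in proportion to elapsed time, capped at the burst size
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


if __name__ == "__main__":
    print(passes_reverse_path("10.1.2.3", "outside"))      # False: internal source on the outside
    print(passes_reverse_path("198.51.100.7", "outside"))  # True
    syn_limit = TokenBucket(rate=2, burst=3)
    print([syn_limit.allow(0.0) for _ in range(4)])        # [True, True, True, False]
```

Strict reverse-path checking as written assumes symmetric routing; on multi-homed edges where traffic can legitimately arrive on a different interface than the return route, a loose variant (accept if any route to the source exists) is the safer setting, at the cost of catching less spoofing. The egress filter is the counterpart that keeps your own hosts from being used as spoofed-source attackers against someone else.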


Filed under Internet Defense, Security Management & Analysis

Zenprise 7.01 Out Now : What’s New From Previous Version 6.6

Zenprise recently released an upgrade to its flagship mobile device management (MDM) solution. My team has been showcasing the previous version, 6.6, and went through the upgrade to Zenprise 7.01 this week. The Zenprise ZDM upgrade took around 15-20 minutes; the steps included upgrading the software and Java on the hosting server. Here is a comparison of both versions of Zenprise ZDM.

Dashboard: Zenprise 7.01 now includes a dashboard, or centralized landing page. From a visual perspective, it’s a great way to quickly identify the state of the system and managed endpoints. The picture below is customized for 6 different reports. Functionality-wise, the previous version of Zenprise could accomplish the same things by clicking around.


iOS and Android Enrollment: The new 7.01 version of Zenprise offers a dedicated section for device enrollment that includes options such as MDM server discovery and email or SMS notification. We felt enrollment was a weak spot for Zenprise; however, this release dramatically simplifies the process. The group enrollment feature makes it much easier to deploy the Zenprise MDM software to a larger number of users at once. Furthermore, Zenprise 7.01 can import a CSV file to populate its database for bulk enrollment.

iOS Location Services, Geo-tracking and Geo-fencing: This is a huge feature. Admins can set location service policies to locate devices at any given time. Geofencing allows admins to define a geographic perimeter and perform a selective or full wipe upon perimeter breach. We have had requests for geofencing that range from stopping students from walking off with school-issued mobile devices to military secured facilities wiping any device that leaves the controlled area. In high security areas it is possible to wipe a device on demand as it exits a “safe” zone.


Filed under Bring Your Own Device BYOD, Host And Mobile Device Security

Defending Against Google Hacking : Know What Can Be Found On Search Engines

It’s shocking how often organizations are compromised due to administrative carelessness, such as using default passwords or advertising sensitive information on public sources. Many companies purchase top-dollar security solutions but fail to address the most common security weakness: enforcing thorough security policies. One popular reconnaissance technique, known as Google Hacking (although it can use other search engines), can expose confidential information, vulnerabilities and login credentials using Internet search engines. Here are some tips to avoid being abused by Google Hacking or other reconnaissance techniques.

Strong Passwords:

Anything facing the Internet should have very strict security policies implemented to defend against hackers. For starters, all default passwords should be changed using a strong policy. Strong password formats do not contain words found in spoken languages, even with letters changed to other characters (e.g. Ex@mp1e would be considered weak). An example of a good password format is using the first or last letter of each word in a sentence plus numbers and special characters (e.g. “This Blog Talks About Many Crazy Things” converted with the first letter of each word = tbtamct135@!). Length, expiration time and number of factors also impact password security strength. More on passwords can be found HERE.

HERE is an example list of default passwords for popular network devices. It’s common to uncover default logins on small neighborhood wireless networks; however, my team finds default information on large corporate systems as well, using targeted Google Hacking queries. Some examples are searching #-Frontpage- inurl:administrator.pwd or inurl:odbc.ini ext:ini -csv for Microsoft and ODBC passwords. Some automated hacker tools use Google Hacking queries to gather system information prior to launching exploits and password cracking efforts. Don’t be a victim to weak passwords!
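The two halves of that advice in code, as an added example (not code from the original post): a helper that builds a password from the first letter of each word in a sentence plus a digit-and-symbol suffix, and a checker that undoes the usual letter-to-symbol substitutions before looking for dictionary words, so that Ex@mp1e is rejected while tbtamct135@! passes. The substitution map and the small word list are constructed for illustration; a real policy check would use a full dictionary and a breached-password list.

```python
"""Sentence-acronym passwords and a substitution-aware weakness check.

Added example; not code from the original post. The substitution map and
the word list are constructed stand-ins for a real dictionary check.
"""
import re

# Common letter-to-symbol substitutions, reversed so "Ex@mp1e" reads "example"
UNLEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "l", "!": "i",
                        "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"})

# Constructed stand-in for a dictionary / breached-password list
WORDLIST = {"example", "password", "welcome", "blog", "crazy", "summer", "admin"}


def acronym_password(sentence, suffix):
    """First letter of each word in the sentence, lower-cased, plus a suffix
    of digits and special characters (the "tbtamct135@!" scheme)."""
    letters = "".join(word[0] for word in sentence.split())
    return letters.lower() + suffix


def normalize(password):
    """Undo the usual substitutions and keep only letters, for dictionary matching."""
    return re.sub(r"[^a-z]", "", password.lower().translate(UNLEET))


def weakness_reasons(password, wordlist=WORDLIST, min_length=8):
    """Return the reasons a password is weak (an empty list means it passed)."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    core = normalize(password)
    for word in sorted(wordlist):            # sorted for a deterministic report order
        if len(word) >= 4 and word in core:
            reasons.append(f"contains the dictionary word '{word}' after undoing substitutions")
    if not re.search(r"\d", password) or not re.search(r"[^A-Za-z0-9]", password):
        reasons.append("needs both digits and special characters")
    return reasons


if __name__ == "__main__":
    candidate = acronym_password("This Blog Talks About Many Crazy Things", "135@!")
    print(candidate, weakness_reasons(candidate))     # tbtamct135@! []
    print("Ex@mp1e", weakness_reasons("Ex@mp1e"))
```

The normalization step is deliberately lossy: "1" is mapped to "l" here, though an attacker's rule set would try "i" as well, and a real checker should expand each ambiguous character into every plausible letter before matching. The acronym builder illustrates the scheme; the resulting password is only as strong as the sentence is unguessable, which is why the suffix of digits and symbols is part of the format.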

Know What Is Public Facing:

It is key to protect sensitive information such as vulnerability reports, employee information and confidential records. There are great tools available to audit for sensitive information, such as data loss prevention products and compliance tools (more on DLP HERE). Crazily enough, sometimes administrators unknowingly let audit results for confidential information leak to public search engines. One example is searching for audit report headers (e.g. “This Report Was Generated By Nessus”) to identify vulnerable targets without setting off alarms using penetration testing techniques. Another example is searching for phrases such as Classified via intext:classified COMPANY to find sensitive corporate information. It’s shocking what is out there.

Some fun search terms are looking for cameras using queries such as Linksys inurl:main.cgi or ViewerFrame?Mode= . Be careful, some people don’t know they are in front of a live camera. Seriously, try it! You can move cameras around and see different parts of the world.
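The self-audit the paragraph argues for, as an added example (not code from the original post or from any DLP product): walk a copy of your own web root and report files whose names, or whose contents, match the kinds of things the passage's example queries look for (the Nessus report header, a "classified" marker, password files such as administrator.pwd and odbc.ini) before a search engine indexes them. The file names and content markers come from the passage; the sample web root is constructed in a temporary directory so the script runs offline.

```python
"""Audit a local copy of a web root for files that should never be public.

Added example; not code from the original post or from any DLP product.
The file names and phrases searched for are the ones the passage mentions;
the sample web root is constructed in a temporary directory.
"""
import os
import re
import tempfile

# File names the passage's example queries look for
SENSITIVE_FILENAMES = {"administrator.pwd", "odbc.ini"}

# Phrases the passage uses as examples of content that should not be web-facing
CONTENT_MARKERS = [
    re.compile(r"This Report Was Generated By Nessus", re.IGNORECASE),
    re.compile(r"\bclassified\b", re.IGNORECASE),   # \b keeps "unclassified" from matching
]
MAX_BYTES = 1_000_000   # only read the head of large files


def audit_webroot(root):
    """Return sorted (relative_path, reason) pairs for suspicious files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name.lower() in SENSITIVE_FILENAMES:
                findings.append((rel, f"sensitive file name '{name}'"))
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    head = fh.read(MAX_BYTES)
            except OSError:
                continue
            for marker in CONTENT_MARKERS:
                if marker.search(head):
                    findings.append((rel, f"content matches /{marker.pattern}/"))
    return sorted(findings)


def build_sample_webroot():
    """Create a constructed web root in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "_vti_pvt"))
    os.makedirs(os.path.join(root, "reports"))
    samples = {   # all contents are constructed placeholders
        "index.html": "<html><body>Welcome to our public site.</body></html>\n",
        os.path.join("_vti_pvt", "administrator.pwd"): "# constructed placeholder, not a real credential\n",
        os.path.join("reports", "scan-2012.html"): "This Report Was Generated By Nessus\n<h1>Findings</h1>\n",
        os.path.join("reports", "memo.txt"): "Distribution: CLASSIFIED - internal only (constructed)\n",
        os.path.join("reports", "unclassified.txt"): "This note is unclassified and fine to publish.\n",
    }
    for rel, text in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    for rel, reason in audit_webroot(build_sample_webroot()):
        print(f"{rel}: {reason}")
```

Run against the real document root (and the generated output of any scanner or backup job that writes into it), this catches the mistake before Google does; the word-boundary on the "classified" marker is what keeps a page that merely says "unclassified" out of the report.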


Filed under Internet Defense

Lock Picking Tools : How Much Skill Do You Really Need? Bump Keys, Lock Picks, Lock Guns

Lock picking tools have made lots of noise with the theme “anybody can use lock picking tools to break into your house”. There are segments about lock picking on popular TV news shows, in movies (for example The Next Three Days) and on websites, scaring people like my Mom, who called me after seeing something like this (news example HERE). For more information on lock picking, go to an older post found HERE.

I have acquired different lock picking tools over the course of my career but have not spent time mastering the art of lock picking. For those that don’t know, lock picking is an art similar to solving puzzles. There is a competitive lock picking scene that takes lock picking skills beyond those of the typical professional locksmith. My question, however, is about the average Joe criminal as depicted in some of the advertisements for lock picking tools. How easy is it to break into a house with commercial lock picking tools? Can anybody just buy a lock picking solution and walk into a stranger’s house? Let’s find out.

The Door :

I had a friend volunteer his back door locks. His door has two locks, a commercial padlock and a deadbolt. The locks were installed by a licensed locksmith. Consider this a representation of a typical residential door.

Method 1: Using Standard Lock Pick Kit


Filed under Physical Security