Most organizations have at least one door, cabinet, safe, device, or other asset that they will place behind a lock. The PenTester may be tasked with finding ways to circumvent these locks. If the PenTester is unable to even get into a building because the front door is locked, then the physical PenTest will be cut short.
If there is a door lock, the PenTester will need to identify its type, as this will influence the method used to gain access. There are several different types of locks. One of the most common is a standard key lock, which requires the correct key in order for the lock to open. Key locks typically use pin tumblers, interchangeable cores, or wafers held under spring tension. Bolt cutters and hacksaws may be able to destroy locks that are made from substandard materials or are poorly designed.
Other than physical destruction, the PenTester also has the option to pick the lock. Lock picking uses specialized tools to manipulate the components of a lock in order to gain access. Picking a lock is a skill that requires practice with the right tools. Some vendors sell lock-picking kits that come with an array of tools to make the job easier, but the user still needs to know how to use the tools for them to be effective.
Not all locks use keys. Keyless locks such as combination locks, access card locks, and biometric scanners must be either destroyed or bypassed. Simple combination locks can be brute-forced by trying enough permutations, but access card locks and biometric scanners are difficult to bypass without the proper item or biometric profile.