Section 03
Intermediate

Locks, Doors & Bypass

Mechanical locks remain the last physical gate between the hallway and the objective. Knowing how they work — and where they fail — lets you identify the cheapest bypass path and write findings the client can act on.

Authorisation & Damage Risk

Lock manipulation can cause damage, especially with snap guns and bump keys. Confirm which doors are in scope, whether destructive methods are permitted, and who holds the master key in case you need to return a lock to service.

Assessment Approach

Identify

  • Lock brand, model, and grade
  • Key-control policy (restricted vs. open blanks)
  • Electronic vs. mechanical split
  • Keying hierarchy (master / sub-master)

Exploit

  • Pick, rake, or bump the cylinder
  • Bypass the latch or strike
  • Decode keys from photos
  • Test smart-lock logic flaws

Report

  • Door ID, lock type, time to open
  • Whether covert or forced entry
  • Upgrade recommendation & ANSI grade
  • Photo evidence of the bypass

Operator Toolkits

Pick Set

  • Tension wrench set (TOK + BOK)
  • Hook picks (short, medium, deep)
  • Rake picks (Bogota, snake, city)
  • Diamond picks
  • Ball picks
  • Warded pick set

Rapid-Entry Tools

Door Bypass

  • Under-door tool (UDT)
  • Shove knife / loid strip
  • Padlock shims
  • Traveler hooks
  • Air wedge
  • Crash-bar bypass rods

Single Pin Picking (SPP)

The most precise method — required for high-security cylinders with spool or serrated driver pins:

1. Insert tension wrench at bottom of keyway (BOK) or top (TOK)
2. Apply light rotational pressure in the turning direction
3. Insert hook pick above tension wrench
4. Feel for the binding pin — the one hardest to push
5. Lift binding pin until it sets (slight click / counter-rotation)
6. Maintain tension — do not release
7. Move to the next binding pin and repeat
8. When all pins set, cylinder rotates and lock opens

Time guideline
  Practice lock:          30–120 s
  Kwikset / basic:       60–180 s
  Schlage with spools:   2–5 min
  Medeco (rotating):     10+ min (if possible at all)

Raking Technique

Faster but less controlled — best for low-security pin-tumbler cylinders:

1. Insert tension wrench with light-to-medium pressure
2. Insert Bogota or snake rake fully into the keyway
3. Scrub / rake in and out rapidly while varying tension
4. Pins set by probability — some may need SPP follow-up
5. Cycle tension weight if the plug does not rotate

Engagement tip:
  Raking is fast and quiet enough for on-site timing pressure.
  Start with a rake; fall back to SPP if the lock resists.

Lock Landscape — What You Will Encounter

| Lock Type | Pick Difficulty | Field Notes |
| --- | --- | --- |
| Kwikset | Easy | Common residential. Standard pins, rakes fast. |
| Schlage | Medium | Spool driver pins common. Requires SPP counter-rotation. |
| Master Lock | Easy – Med | Padlocks shimmable; pin cylinders vary by model. |
| Medeco | Very Hard | Rotating pins + sidebar. Non-destructive bypass unlikely. |
| Mul-T-Lock | Very Hard | Pin-in-pin or interactive element. Specialised tools needed. |
| ASSA | Hard | Sidebar mechanism — resists raking; SPP only. |
| Abloy (Protec2) | Expert | Disc detainer — requires dedicated pick & skill. |

Bump-Key Attack

1. Obtain or file a bump key for the target keyway
2. Insert bump key one pin-depth short of full insertion
3. Apply light tension in the turning direction
4. Strike the bump key sharply with a bump hammer
5. Kinetic energy transfers through pins — cylinder rotates

Counters: anti-bump pins, spool drivers, restricted keyways
Modern prevalence: declining — many commercial locks now ship bump-resistant

Smart & Electronic Lock Assessment

Many facilities now overlay electronic locks on older mechanical cores. Assess both layers and the integration between them.

Electronic Lock Questions

  • Is there a mechanical override key, and who controls it?
  • How does the lock behave on power failure — fail-safe or fail-secure?
  • Are code/PIN combinations default or shared across doors?
  • Is firmware updated, or running known-vulnerable versions?
  • Does the lock audit, and does anyone review the log?

Mechanical Fallback Questions

  • Is the override cylinder high-security or a cheap KIK core?
  • Can the override be bumped, raked, or decoded from a photo?
  • Is the key-control policy enforced (restricted blanks, audited masters)?
  • Are re-key schedules followed after staff turnover?
  • Does a single master key open every sensitive door?

Tip — Bypass Before Pick

Before spending time on a cylinder, check the door hardware. Under-door tools, shove knives, and hinge-pin removal often open a door faster than any pick — and lead to a stronger finding about the door frame and hardware spec, not just the lock.

What Strong Defenders Do Differently

Defensive Signals

  • ANSI/BHMA Grade 1 commercial hardware on sensitive doors
  • High-security cylinders with patent-protected keyways (Abloy, Medeco, Mul-T-Lock)
  • Anti-shim plates and latch guards installed on outward-swinging doors
  • Key-control logs reviewed quarterly; re-key after staff changes

High-Risk Signals

  • Same cheap Kwikset or Master Lock cylinder on server room and supply closet
  • Door gaps wide enough for a shove knife or UDT
  • Smart locks with default admin PINs still active
  • No latch guards — spring-latch doors loid in seconds
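
The high-risk signals above can be checked systematically against a door-hardware inventory. The Python audit below is an added example, not part of the original page; the inventory records, field names and the 3 mm gap threshold are constructed assumptions to adapt to the site's own survey data.

```python
from collections import defaultdict

# Constructed sample inventory; field names and values are assumptions.
DOORS = [
    {"id": "D-101", "area": "server room", "sensitive": True,
     "cylinder": "Kwikset KIK", "latch": "spring", "latch_guard": False,
     "gap_mm": 6, "smart_pin": "default"},
    {"id": "D-102", "area": "supply closet", "sensitive": False,
     "cylinder": "Kwikset KIK", "latch": "spring", "latch_guard": False,
     "gap_mm": 2, "smart_pin": None},
    {"id": "D-201", "area": "records vault", "sensitive": True,
     "cylinder": "Abloy Protec2", "latch": "deadbolt", "latch_guard": True,
     "gap_mm": 2, "smart_pin": "unique"},
]

# Brands the lock table on this page rates Easy or Easy-Med.
LOW_SECURITY_BRANDS = ("Kwikset", "Master Lock")
MAX_GAP_MM = 3  # assumed site threshold for an acceptable door gap


def audit(doors):
    """Return {door_id: [finding, ...]} for the page's high-risk signals."""
    findings = defaultdict(list)
    by_cylinder = defaultdict(list)
    for d in doors:
        by_cylinder[d["cylinder"]].append(d)
        if d["gap_mm"] > MAX_GAP_MM:
            findings[d["id"]].append("door gap exceeds threshold")
        if d["latch"] == "spring" and not d["latch_guard"]:
            findings[d["id"]].append("spring latch without latch guard")
        if d["smart_pin"] == "default":
            findings[d["id"]].append("smart lock default admin PIN active")
    # Cross-door check: a low-security cylinder model shared between
    # sensitive and non-sensitive doors is reported on the sensitive ones.
    for cyl, group in by_cylinder.items():
        if not cyl.startswith(LOW_SECURITY_BRANDS):
            continue
        tiers = {d["sensitive"] for d in group}
        if tiers == {True, False}:
            for d in (x for x in group if x["sensitive"]):
                findings[d["id"]].append(
                    f"same low-security cylinder ({cyl}) as non-sensitive doors")
    return dict(findings)


if __name__ == "__main__":
    for door, items in audit(DOORS).items():
        print(door, "->", "; ".join(items))
```

Each finding maps to a remediation the page already names: latch guards, a high-security cylinder on sensitive doors, and removing default admin PINs.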
