Physical Penetration Testing

  • Do your recon
  • Weaponize your info
  • Execute your plan
  • Get your loot

Recon ideas

  • Information from the internet

    • Company information - Google, LinkedIn, social media
    • People information - Google, LinkedIn, social media
  • Information from the location

    • Visit the location, be discreet, and look for
      • Posted phone numbers for security teams
      • Loading Docks and perimeter doors. Pull on doors
      • Can you see anything in the windows
      • Are there Cameras? Can you identify blind spots
      • Are there exposed network ports? What does the WIFI security look like? Is DHCP running?
      • Posted WIFI passwords in the lobby/customer area?
      • See anybody smoking? It's a great way to tailgate inside and let yourself in.
      • Try to resist the urge to take pictures unless you are in the clear.
  • IT help desk can be a great resource

    • Not a great target if it's a physical engagement.
    • But it could be good for any serious adversary
  • If you're going to impersonate a real person, get some good info

    • Call Help Desk and claim you forgot your password
      • When they ask you for something, claim you aren't comfortable providing it
      • Repeat until you have a list of information to hunt for in future SE efforts
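The help-desk probing pattern just described (a caller asks for a password reset, declines to complete verification, and calls back later) leaves a detectable trail in ticket records. The following is an added example, not part of the original outline, of the detection logic a help desk could run over its own call log. The log format, field names (`ts`, `caller_id`, `account`, `request`, `verification`), sample records, the 24-hour window and the threshold of two attempts are all constructed assumptions. Attempts are grouped by the account asked about rather than by caller ID, because caller ID can be spoofed and a probing caller can rotate numbers.

```python
"""Flag help-desk call patterns that match a pretexting probe.

Added example (not part of the original outline). The log format,
field names, sample records, window and threshold below are constructed
for illustration. Calls are grouped by the account the caller asks about
rather than by caller ID, since callers may use spoofed numbers.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample help-desk call log: one dict per call.
# "verification" is the outcome of the identity check the agent ran:
#   passed  - caller answered the verification questions
#   refused - caller declined to provide the requested information
#   failed  - caller answered, but the answers were wrong
CALL_LOG = [
    {"ts": "2024-03-04T09:02:00", "caller_id": "+15550100", "account": "jdoe",
     "request": "password_reset", "verification": "refused"},
    {"ts": "2024-03-04T09:40:00", "caller_id": "+15550199", "account": "jdoe",
     "request": "password_reset", "verification": "refused"},
    {"ts": "2024-03-04T10:15:00", "caller_id": "+15550142", "account": "jdoe",
     "request": "password_reset", "verification": "failed"},
    {"ts": "2024-03-04T11:00:00", "caller_id": "+15550777", "account": "asmith",
     "request": "password_reset", "verification": "passed"},
    {"ts": "2024-03-05T14:30:00", "caller_id": "+15550777", "account": "asmith",
     "request": "unlock", "verification": "passed"},
]

WINDOW = timedelta(hours=24)   # assumed review window
THRESHOLD = 2                  # assumed: 2+ non-passed attempts is suspicious


def parse(entry):
    """Return a copy of a log entry with its timestamp parsed."""
    e = dict(entry)
    e["ts"] = datetime.fromisoformat(e["ts"])
    return e


def find_probing(calls, window=WINDOW, threshold=THRESHOLD):
    """Return {account: [attempts]} for every account that saw at least
    `threshold` refused or failed verification attempts inside `window`.

    The returned list for an account is the largest qualifying cluster,
    so a reviewer sees every call in the suspicious run."""
    by_account = defaultdict(list)
    for c in sorted(map(parse, calls), key=lambda c: c["ts"]):
        if c["verification"] != "passed":
            by_account[c["account"]].append(c)

    flagged = {}
    for account, attempts in by_account.items():
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until the span fits.
            while attempts[end]["ts"] - attempts[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[account] = attempts[start:end + 1]
    return flagged


def distinct_callers(attempts):
    """Number of distinct caller IDs in a cluster; several different
    numbers targeting one account is a stronger signal than one."""
    return len({a["caller_id"] for a in attempts})


if __name__ == "__main__":
    for account, attempts in find_probing(CALL_LOG).items():
        print(f"{account}: {len(attempts)} non-passed verification attempts "
              f"from {distinct_callers(attempts)} caller ID(s); "
              f"first {attempts[0]['ts']}, last {attempts[-1]['ts']}")
```

The key design choice is the grouping key: keyed on caller ID, the three `jdoe` calls look like three unrelated single failures; keyed on the target account they form one cluster from three different numbers, which is exactly what a caller rotating spoofed numbers produces. A real deployment would feed this from the ticketing system and route flagged accounts to a callback-to-known-number policy before any reset is performed.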

Access Control and Hardening

  • Doors and Locks/Keys

    • Lockpicks, Rakes, Jims, Shims, Under-door, Traveler Hooks
    • Tailgating and social engineering
  • Badges

    • Badge Cloning Tech (Proxmark) and Theft
    • Badge Reader Attack (ESPkeys)
  • Perimeter Controls (Gates)

    • Climb a fence
  • Windows and Walls

    • Don't do this
  • Security professional and staff

    • Social engineering can be easier than you think
  • Blend In

    • Dress the part

      • Look at how people at the location tend to dress
        • Business Casual
        • Construction
        • Street clothes
    • Act the part

      • Walk with confidence
      • Talk on your phone
      • Carry in something big so people hold the door for you

Easy Wins

  • Unattended docs in conference rooms and open files
  • Post it notes, and signage
  • Network jacks
  • Dumpster Diving
  • Shoulder surfing
  • Tailgating
  • Worn-down keypad buttons
  • Absent security personnel
  • Advantageous terrain and physical security flaws
    • Broken fencing, propped or broken doors, ladders

Case Study: ABC Company

Emulating the Adversary

  • Recon

    • Research a company with Google and Social media
    • Obtain and document employee names, job titles, emails, and phone numbers
    • Obtain and document important corporate phone numbers
    • John drives to the location and takes some notes
    • Maybe pull on a few doors
  • Weaponizing Information

    • Observed contracted guards patrol once an hour, with no observed variance in time
    • Observe people holding the door
    • Observe contractors smoking outside
  • Executing the plan

    • Call the location from a spoofed number and begin the social engineering attack
    • Bring a huge box and tailgate in when someone holds the door
    • Clone a badge while chatting in a smoking area
  • Obtain Loot

    • Leverage social engineering and obtain employee information
      • Call help desk and obtain access to accounts by providing gathered information
    • Leverage tailgating or attack a door and gain access to the facility
      • Access an unattended computer or office with confidential information
    • Small talk with an employee or security officer during a smoke break
      • Obtain information necessary for badge cloning and gain elevated access privileges

Social Engineering Examples

  • Urgency, Fear, and Excitement

    • This is " ", (Important position/title). Your boss has been terminated effective immediately and we no longer have access to their payroll system. To ensure you are paid in a timely manner, we need to get some info from you.
    • This is " ", (Company Name) department of Human Resources. We have a pressing matter to discuss but need for you to confirm some information prior to us proceeding with this conversation.
    • This is " ", (Important position/title). We sent an email out to you recently about an employee recognition program but didn't get a reply. We've decided we're going to be paid out sizeable bonuses this year. We're going to need some information first so we can safely disclose what you'll be receiving.

Quick Social Engineering pointers

  • Calling In?

    • Build a convincing Cover
    • Capitalize on your victim's feelings of authority, fear, excitement, and anxiety.
    • Always try to ease suspicions
  • In person?

    • Talk on your phone and appear busy. People like to avoid conflict.
    • Appear to be in need of help. Spill a box of stuff at a building entrance, pick it up, and ask for help with the door.
    • Allow people to let you in to where you need to go. People tend not to report tailgating and will even participate in it.