How To Conduct a Physical Penetration Attack?

All of the attacks are designed to be conducted during normal business hours and among the target organization’s employees. In this way, you can test virtually all of the controls, procedures, and personnel at once. Conducting an attack after hours is not recommended. Doing so is extremely dangerous because you might be met by a third party with an armed response or attack dogs. It also is relatively ineffective because it essentially only tests physical access controls.

 

Finally, the consequences of getting caught after hours are more serious. Whereas it may be slightly uncomfortable to explain yourself to an office manager or security officer if you’re caught during the day, explaining yourself to a skeptical police officer while in handcuffs if you’re caught during the night might lead to detention or arrest.


You should always have a contact within the target organization who is aware of your activities and available to vouch for you should you be caught. This will typically be the person who ordered the penetration test. While you shouldn’t divulge your plans in advance, you and your client should agree on a window of time for the physical penetration activities. Also, since you will be targeting data assets, you may find yourself covertly working in close proximity to the person who hired you. It’s a good idea to ask your client in advance to act as if they don’t know you if they encounter you on the premises.

 

Since they know what you have planned, they are not part of the test. Once this groundwork is in place, it is time to begin the planning and preparations to conduct the physical penetration.

 

Reconnaissance


You have to study any potential target prior to attempting a physical penetration. While most of the footprinting and reconnaissance activities relate to the data network, the tools to look at the physical entities are much the same—Google Maps and Google Earth, for instance. You also have to physically assess the site in person beforehand.

 

If it’s possible to photograph potential entrances without drawing attention to yourself, those photos will be useful in planning your attack. Getting close enough to determine what kind of physical access controls are in place will be helpful in planning your attempt to subvert them.


The front entrance to any building is usually the most heavily guarded. It’s also the most heavily used, which can be an opportunity. Secondary entrances such as doors leading to the smokers’ area (smokers’ doors) and loading docks usually offer good ingress opportunities, as do freight elevators and service entrances.

 

Sometimes smokers’ doors and loading docks can be discerned from publicly available satellite imagery, as this Google Earth image of a loading dock illustrates:

[Image: Google Earth view of a loading dock]

When you survey the target site, note how people are entering and exiting the building.

 

Are they required to use a swipe card or enter a code to open the outer door? Also note details such as whether the loading dock doors are left open even when there isn’t a truck unloading. You should closely examine the front door and lobby; choose someone from your team to walk in and drop off a handful of takeout menus from a nearby restaurant. This will give you some idea of how sophisticated their security controls are and where they’re located. For instance, you may walk into an unsecured lobby with a reception desk and see that employees use a swipe card to enter any further beyond the lobby into the building. Or you could encounter a locked outer door and a guard who “buzzes” you in and greets you at a security desk.

 

Observe as much as you can, such as whether the security guard is watching a computer screen with photo IDs of people as they use their swipe or proximity cards to open the outer door. Keep in mind that this exposes you or one of your team members to an employee of the target organization who may recognize you if you encounter them again. If you’ve encountered a professional security guard, he will remember your face, because he’s been trained to do so as part of his job.

 

You’ll most likely be on the target organization’s security cameras as well.

Sometimes the smokers’ door or a viable secondary entrance will be behind a fenced area or located on a side of the building away from the street or parking area. In order to assess the entrance up close, you’ll have to look like you belong in the area. Achieving this really depends on the site and may require you to be creative. Some techniques that have been used successfully in the past include the following:


• Using a tape measure, clipboard, and assistant, measure the distance between utility poles behind a fenced-in truck yard in order to assess the loading docks of a target. If confronted, you’re just a contractor working for the phone or electric company.


• Carrying an inexpensive pump sprayer, walk around the perimeter of a building spraying the shrubs with water while looking for a smokers’ door or side entrance.


• Carrying your lunch bag with you, sit down outside and eat lunch with the grounds maintenance crew. They’ll think you work at the organization; you’ll get to watch the target up close for a half hour or so. You may even learn something through small talk.


In addition to potential ingress points, you’ll want to learn as much as possible about the people who work at the organization, particularly how they dress and what type of security ID badge they use. Getting a good, close look at the company’s ID badges and how the employees wear them can go a long way toward helping you stay out of trouble once you’re in the building.

 

Unless the target organization is large enough that it has its own cafeteria, employees will frequent local businesses for lunch or morning coffee. This is a great opportunity to see what their badges look like and how they wear them. Note the orientation of the badge (horizontal vs. vertical), the position of any logos or photos, and the color and size of the text. Also note if the card has a chip or a magnetic stripe.


You need to create a convincing facsimile of a badge to wear while you’re in the target’s facility. This is easy to do with a color printer and a few simple supplies from an office supply store such as Staples or OfficeMax. If the badge includes a corporate logo, you’ll most likely be able to find a digital version of the logo on the target organization’s public website. In addition to creating your badge, you’ll want to use a holder that is similar to those observed during your reconnaissance.


Now that you know about some potential ingress points, some of their access controls, what the security badges look like, and how the employees dress, it’s time to come up with a way to get inside.

 

Mental Preparation


Much like the preparation for the social engineering activities, a significant part of the preparation for a physical penetration is to practice managing yourself in a stressful and potentially confrontational situation. You’re going to meet face to face with employees of your target. If you’re nervous, they’re going to notice and may become suspicious. 

 

Most importantly, you should be ready to answer questions calmly and confidently. If the inquisitive employee is simply curious, your level of confidence may determine whether they go on their way, satisfied with your answers, or become suspicious and ask more questions, call security, or confront you directly. You must always remain calm. The calmer you remain, the more time you’ll have to think. Remember, you’re working for them, you’re both on the same team, you’re not doing anything wrong, and you’re allowed to be there. If you can convince yourself of that, you will carry yourself in a way people can simply sense, and you’ll blend in.


It’s a good idea to practice your answers to commonly encountered questions ahead of time with a partner. For instance:


• I don’t think we’ve met; are you new?
• Who are you working for?
• We have this conference room scheduled; didn’t you check with reception first?
• Are you lost/looking for someone/looking for something?
• May I help you?

 

These are just a few common questions you may encounter. Having a smooth and practiced answer for each will go a long way toward keeping your cover. You will also have to think on your feet, however, as you’ll certainly be asked questions you haven’t thought of. These questions will require quick thinking and convincing answers, which is another reason why it is so important to be mentally prepared and remain calm during a physical penetration.

 

Also Know How to defend Physical Penetration Attack?

© 2013 Updated Tech News Results and Reviews