A few months ago, I wrote a post about some of the simple techniques we use to get around common perimeter security controls, and I realized today that I’ve gotten you onto the property and left you high and dry! So, I would like to remedy that today and discuss some of the more successful tactics we use in our day-to-day work to get around interior controls. As in the previous post, the emphasis will be on simplicity. Shove knives and lock picks are important tools for physical pentesters to have, but there are other, often overlooked, skills and techniques that can be used to supplement door bypassing tools.
A long while back, @coldfusion39 wrote a post on using a can of air to beat request-to-open door sensors. It works incredibly well, and it’s a very simple solution. His write-up is very thorough, so we won’t retread old ground. Needless to say, it’s a fantastic and easy option.
Over the past few weeks, Jamcut and I have spent some time looking into bypassing (or at least diminishing the effectiveness or reliability of) magnetic door-open sensors. The idea is simple. If you’re able to get inside during the day, but you’d like to return at night to pillage (and are worried about getting caught by a simple door alarm), plant a magnet against the interior of the door frame for an exterior door, preferably one that’s out of the way. Smoke area doors or lunch patio doors work really well for this.
If the frame happens to be wooden, a short bit of duct tape will get the job done too. Note that the magnets should be pretty powerful (and obviously, small enough not to draw a lot of attention). We picked up our set on Amazon, but there may be cheaper options.
One Pin, Two Pin…
If the last decade in security has taught us anything, it’s that people hate having to remember complex passwords and passcodes. And it isn’t just individuals; organizations are just as guilty of establishing norms that fly in the face of best practices. Though some organizations are phasing out pin code locks in favor of modern RFID-enabled locks, they are still very common in government and research facilities, among others. The locks themselves tend to be vulnerable to a number of bypasses (reuse your door sensor magnets!), but in many cases, a bypass isn’t even necessary.
On a fairly recent physical pentest, our goal was to breach the laboratories at a research facility owned by a large manufacturing group. After getting inside the target and locating the floors on which the labs sat, we noted that each was protected with a Simplex push button lock. After guessing a pin code for one of the labs (“0000”), digby was able to breach each of the others due to the fact that the code was the same for each room on his floor.
When guessing four-digit pin codes, this Lifehacker article provides a good jump-off point. The data is old, but it’s definitely still useful (and relevant).
We addressed drain pipe shimmying in the last Bypass post. Today, I’d like to apply the same thinking process to the interior. We tend to think in two dimensions once we get inside a facility. We read maps in 2D and floors are generally laid out that way, so it’s only natural. There are definite benefits to paying attention to the ceiling, however.
Drop ceilings can be a physical pentester’s best friend. On a recent penetration test, I was tasked with breaking into a shipping/receiving space for a manufacturing company. While certain sections of the facility operated 24/7, the main office did not. The office space included an open vestibule with a drop ceiling (at about ten feet) and no cameras/motion sensors. The walls in the vestibule were glass with large aluminum frames/spacers between the panes which made for excellent footholds. The interior doors of the vestibule were also of glass (providing a good view of the space therein) and required card access to open.
Stepping up onto the window frame near the interior doors allowed me to lift and shift one of the ceiling panels. This provided a clear view into the interior of the ceiling. Sure enough, the wall between the vestibule and office space did not run floor-to-ceiling. Grabbing the edge of the interior wall, I pulled myself up into the ceiling space (less-than-gracefully), moved a ceiling panel on the other side of the wall, replaced the initial ceiling tile, and then lowered myself into the office space.
I know we keep coming back to this in most of our physical posts, but I can’t stress enough just how unbelievably effective a well-executed tailgate can be. Jagar did a write-up on the double-tailgate technique last year, and I highly recommend giving it a read.
Tailgating becomes even easier once you get past perimeter and gate controls. Most organizations, even when there are interior access controls in place, have an assumed level of trust for folks on the inside.
Given that the technique is easy enough to pull off, I just wanted to include a handful of recommendations that can improve the effectiveness of an interior-oriented tailgate.
- Don’t forget your recon: What are people wearing coming in and out of your target area? You always want to look the part. Are there offices on the other side? Build a back-up pretense in case you’re stopped at the door (“I left my bag at my desk…”).
- Never linger: Loitering outside of a door is a good way to draw attention to yourself and make people nervous. It’s a lot more convincing to approach a door with a little speed from afar (“Hold the door!”) rather than creepily standing next to the door waiting for someone to walk through.
- Be prepared to talk: Be pleasant and always thank the person for holding the door for you. There will be people who ask where your badge is, so hopefully you’ve done your reconnaissance and replicated a badge.
- Look for stairwells: Interior exit-only stairwells are great targets for reverse tailgates. Stairwells tend to be in out-of-the-way corners, so lingering is less of a no-no. People coming out are also not as likely to notice you sneaking in behind them (how often do we turn around to make sure a door has closed behind us?).
- Be confident: This really goes without saying and applies to physical pentesting in general. If you can convince yourself that you belong there, your demeanor will naturally reflect that attitude.
It is important that, as physical penetration testers, we are able to identify and exploit the most common physical security weaknesses in a swift and effective manner. Complex bypass techniques are impressive and important to know and understand, but not at the expense of our lesser tools and techniques. Tailgating and a pocket full of magnets can be extremely effective and shouldn’t be discarded in favor of sexier tools and techniques.