Bypassing Common Physical Security Perimeter Controls

November 18, 2015 By Ken Smith

On a recent physical penetration test, I encountered a curious, but not uncommon, scenario. The target organization sat spread across multiple, disconnected floors in a shared, third-party-owned high rise. The large first floor lobby was a public space and included a central guard desk (which really only functioned as an information kiosk). The target did include a reception desk of its own to which all visitors were directed to report. Unfortunately, the desk sat on the 20th floor. The second floor, where a large portion of the target organization’s office space could be found, was accessible by two public escalators. This became my primary focus, and the engagement was ultimately a quick and painless breach.

This situation got me thinking about the common pitfalls we encounter and the simple tools and techniques we apply to exploit them. We have covered some innovative methods as well as some complicated approaches to beating physical security measures in earlier blog posts. I’ve also covered some basic onsite recon techniques, so I won’t waste any time there. My focus in this write-up will be on simplistic breaching. And since the controls and processes we encounter tend to be common across certain types of buildings and sites, that’s how I’ll approach the subject.

Note: I did not take or create any of the pictures used in this post. They have been poached from Google search results.


High Rise Controls

Example Lobby (Courtesy of pennmedicine.org)

In a shared high rise environment, we typically focus our initial efforts on the lobby. Obviously, every situation is different, but many cases are similar to the setup described above. These setups usually include a public lobby, a central guard or reception desk, and multiple exterior points of public ingress/egress. Occasionally, certain elevators and escalators will include badge readers set for certain floors or organizations within the facility. There will be exit points for stairwells (possibly exit-only). Finally, the actual doors to the target space(s) in high rises are almost always controlled in some manner, be it a badge reader, PIN code lock, or brass key.

High Rise Exploitation

Tailgating is your best friend in a high rise environment. Each of the controls described above can be beaten with a well-timed tailgate. Use the public lobby to your advantage. Find a place to loiter, be it a bench or open walkway. Look like you’re on the phone while keeping an eye out for individuals wearing or carrying badges for your target and heading in the direction of a controlled door or elevator. If there’s a public restroom near your target, even better. Simply follow at a reasonable distance, and as they walk through the door, act as if you’re hurrying to catch the door.

If you miss an opportunity or you’re confronted, don’t panic. It’s easy to backtrack out of failed tailgates if your timing is off or you miss the door (or if your mark has above average security awareness). When they inevitably ask where your badge is, smile and put your hand to your belt; act surprised when it’s not there, but don’t oversell it. Then leave the area, re-post, and try again.


Branch Controls

When I use the term “branch,” I’m referring to sites that include standalone and shared-facility subsidiary locations (i.e., bank branches). These are typically smaller sites with limited numbers of employees. Tailgating isn’t going to cut it in most cases; even if you get in the door, you’re probably not going to get very far before you’re confronted, especially if there is a gatekeeper of some kind. People are going to be too familiar with each other and their daily routines to permit you unrestricted access. You may find a loose door to sneak in, but without a valid reason to be on site, you will be confronted.

Branch Exploitation

For physical penetration tests conducted against branch locations, we find that the most consistently successful (and simplistic) breach method is the “call-ahead.” Using a little open source intelligence gathering, identify the branch manager or receptionist. Have a second team member call from a spoofed number (it’s not terribly hard to find HQ phone numbers in most cases), letting them know you’ll be sending IT folks to perform some seemingly innocuous task (inventorying computers, performing upgrades, etc.). Give a short time frame (“They’ll be onsite within the next fifteen minutes”) so your target won’t have a lot of time to dwell on the likelihood of a possible scam. Depending on how that phone call goes, have the breach team make a follow-up phone call to verify the arrival time (and get a feel for whether or not the attempt will actually work).

Example Branch Location Interior (Courtesy of financialbrand.com)

Email notification is another possibility and can be used very effectively in place of the initial phone call. Using the same open source intel gathering techniques, identify the email addresses of your targets and a reasonable source of authority (Director of IT, etc.). Always end your email with a line like, “Thank you for your cooperation.” Forceful but polite, and it doesn’t indicate a need to respond or question. Take the time to craft the email well. Always have the breach team make the follow-up call in this scenario as well.

We use KingPhisher to successfully execute this particular attack on a regular basis. And, though we haven’t had a chance to test it out yet, the new calendar invite function would probably be an even better fit for this scenario.


Campus Controls

Campuses by definition are much more open than other sites: collections of stand-alone facilities separated by large tracts of open space. Despite the welcoming nature and feel of most campus-type locations (and we’re not limiting ourselves to universities in this case), campuses are increasingly making use of monitoring technologies and tightening perimeter controls in response to the rising number of mass shootings in recent years.

Campus Exploitation

Inward-facing Fence Toppers (Courtesy of Reddit.com)

Getting through the exterior perimeter of a campus location can be as easy as walking onto the site. However, many corporate campuses make use of extensive barbed-wire-topped fences to keep trespassers out. Unfortunately for many of our targets, a lot of the time, the directional barbed wire is angled the wrong way. Though the photo above doesn’t include barbed wire, it gives the general idea; exterior on the left, interior (target) on the right.

Occasionally, people see conspiracy theories in situations like this (“They’re keeping us in, man!”). In my experience, it’s simply a combination of ignorance and apathy.

If you can identify inward-facing fence toppers during your open source intelligence gathering (IMINT phase), make sure you bring along a rubber mat or thick blanket in your go-bag. Climb the fence, drape the material over the barbed wire, and shift to the other side. You still need to be careful not to injure yourself, obviously. This type of breach is almost always better at night, which happens to be the best time to attempt our next breach method.

Climbing a Drain Pipe (Courtesy of dailymail.co.uk)

As previously mentioned, we’re going to assume the on-campus target is a standalone facility. Some of the techniques already covered, particularly tailgating, are likely to be wildly successful in most cases involving this type of facility. Let’s suppose, for one reason or another, that your target is more security aware than the average business. Or, because we began the test at night to bypass the fence, there’s no one to tailgate. In that case, start to think in three dimensions.

While conducting your IMINT prior to arriving on site, keep an eye out for roof exits on your target facilities. And, if you can get a good view of the site in StreetView, try to identify drainpipes, exterior ladders, and fire exits. If you can get to a rooftop with an exit, there’s a fairly decent chance that the exit door will be unlocked. It wasn’t more than a few weeks ago that Shadowman, Digby, and Steiner shimmied up a drainpipe to kick off a very successful physical pentest.

A couple of caveats with roof/fire exit penetrations: Even if the entrance isn’t locked, it may be alarmed. Definitely be ready to cheese it, and be sure to have your letter of authorization ready in case security is able to respond to the alarm before you can extract. And obviously, climb at your own risk. I would advise avoiding this particular tactic on anything but a single story target. Finally, don’t shimmy unprepared. If you’ve never climbed a ladder in your life, stay off the wall; and if the pipe isn’t secure, you may get ten feet up only to have it pull off of the wall and leave you seriously injured. Be careful.


Conclusions

A good physical penetration tester can make equally effective use of complex and simplistic breach techniques. Sometimes, all it takes is a tailgate to get into the most secure facilities, and that is really the point. Demonstrating the ease with which low-hanging fruit perimeter vulnerabilities can be exploited is critical to getting targets to adjust their security programs. As you move from the recon to the planning phase of your next penetration test, be sure to keep these simple techniques in mind.
