*All images were obtained from Google Maps and are to be used for educational purposes only.*
I used to play Eye Spy all the time when I was younger. It made car rides go faster, gave me and my friends something to do while waiting in the ice cream line, and as I recently discovered, the game also provided me with a bit of career prep. Imagery Intelligence (IMINT) is essentially Eye Spy for grown-ups, only even more difficult. With IMINT, you don’t know what you are looking for; instead, you must be discerning and find the object simultaneously.
IMINT is a very useful tool when it comes to physical penetration tests. For those that are unfamiliar, the basic concept behind a physical penetration test is to get to specific “trophies.” A trophy can be anything from a specific location to particular information or data stored at the target facility. The challenge is to get these trophies without getting caught. We have plenty of other physical penetration posts on the blog. Be sure to check them out!
So where does IMINT come into play, you may ask? IMINT is typically part of the remote intelligence gathering phase of a physical pentest. Using publicly available tools like Google Maps/Earth or Bing Maps, it is possible to obtain a massive amount of information before you ever set foot in the designated location. The point of focus today is exactly how to analyze these maps.
Let’s start with a random building pulled from a random city. Look at the picture below. What do you see? What is important? When performing IMINT for a physical penetration test, you must consider anything that will be a hindrance or a benefit to you and your team. You need to get into this building and must consider the different aspects that would affect your goal. Start from a high-level perspective. Using a bird’s eye view gives you a good picture of the whole surrounding area, which is important to consider. Pay special attention to the surrounding structures when looking at this bigger picture. Scoping is incredibly important for physical pentests and you want to be certain not to overstep your pre-defined boundaries. Be sure to bring up any questions to your points of contact before making plans.
For the building in this particular scenario, you should consider the fact that there is foliage near some of the sides of the structure. This may provide a suitable hiding spot should the need arise during the test. However, the number of roads surrounding the building should also be considered because suspicious behavior may be noticed given the number of passing cars that may be present. The fact that there are other buildings nearby can provide additional aid to you during your onsite recon. Read patchwork’s earlier post that covers onsite recon to see how you can use nearby buildings and structures to your advantage.
Next, see if a StreetView of your target building is available; this will be your new best friend! Google StreetView is one of the greatest tools available to the professional (and amateur) imagery analyst and is easily the most beneficial way to glean information pertinent to the task at hand. For the most part, you should be able to move around the building as if you were really walking in front of it! But don’t get too carried away just yet. Analyzing each part individually will be the most helpful in your search for “I don’t exactly know what I’m looking for yet.” Another thing to be cautious of is using the zoom button too soon. While this will come in handy in time, just like from the bird’s eye view, it is important to start back far enough to get a good understanding of the surroundings before magnifying things. In order to keep track of your findings, be sure to include a small bird’s eye view map of the original image on each new StreetView you capture so that you will have an idea of where the StreetView capture was taken.
Looking at the StreetView capture below, we see multiple potential points of entry. Initial observations show seven garage doors and a possible side door. Trying to find possible ingress points is of utmost importance during IMINT. It will make the onsite intelligence gathering go much faster if you have an idea of where openings are located so that you can save recon time onsite. A helpful feature of Google Maps is the ability to see historical data. Perhaps in the image you are looking at, a fence gate is left open. Using the historical data view, you can see if this gate has been left open in every photo taken over the years or if it is normally closed. Using this information, it is easier to decide whether an aspect of an image is commonplace or a rarity.
Another thing to look out for is the orientation of any cars or people caught in the image. Sure, it’s a point-in-time capture, but that doesn’t mean you shouldn’t try to extrapolate additional data. If a person is seen near a door, are they moving towards it or away from it? Not all doors are used for both ingress and egress, and it’s useful to know which are which. The cars in the picture below can also tell a story. A couple of the vehicles have their trunks towards the garage doors. While this may just be for convenience of exiting, it could also mean that these garages are used for unloading equipment and may be opened more frequently than the garages where the cars are parked facing them. Observe the windows too. Where are the windows located in this building? If you tried to enter through a garage, could someone easily spot you on your approach? This building seems to have windows going all the way up, so if you wanted to enter through the garage you’d better look like you belong or go when no one is around!
Zoom zoom zoom!
Now, the moment we have all been waiting for! Let’s zoom! This is the time when you must look for more intricate details that could make or break the assessment. First consider the lights. There are lights positioned near every single garage. This means it may be harder to penetrate the building at night without raising suspicion. We can also confirm conjectures formed earlier in the process. For example, there is, in fact, a door right near the corner! But take a look to the right. There’s a camera pointed at the door, which could mean that everyone who enters or exits through that door is taped. Remember to say “Cheese” as you enter! While looking at these zoomed-in captures, it is important to note camera locations. Take a look along the left edge of the building; there appears to be a camera there too. But let’s just double check. Zoom in a little more.
That most definitely is a camera. You can safely assume the camera probably gets all the garages from its mount point, but it is also reasonable to consider camera blind spots during these initial observations. While obtaining camera location is important, a little social engineering can go a long way! Most companies have their cameras taping, but only refer back to them after a breach has occurred. Even if someone is monitoring the cameras in real time, as long as you look like you know what you are doing, you should be able to access the building rather easily.
Finally, make sure you take a look at what is behind you while you are in street view. It may not be of much help, but knowledge is power! In this case, it is a bridge. So in other words, don’t run in this direction. (Don’t run at all. That probably wouldn’t end well.)
As mentioned earlier, there are many free mapping tools available that can give you all this information. But don’t just limit yourself to one. While you may love Google’s StreetView, you may use Bing Maps for an isometric view. Experiment with the different maps and see what features you like from each one. Using multiple sources will make your evidence more reliable and understandable.
As you can see, IMINT is an extremely important step in the physical penetration test process. Well-executed IMINT can yield a wealth of useful information before the team ever arrives at the target site. It’s always better to be more prepared and be able to identify possible points of ingress and egress as well as camera locations, windows, lights, and surroundings. This will save you valuable time when you get to the target. So, embrace that old Eye Spy game you loved (or despised), and take a whack at some IMINT; you’d be surprised with how much you can find. Happy hunting!