The importance of onsite recon is too often overlooked when discussing physical penetration tests. Map analysis and OSINT are both essential to building cover stories and understanding your targets. And of course, the actual act of breaking-in yields the best stories. Onsite recon, however, bridges the gap between the two and should never be rushed or ignored. Different sites and target types call for different tactics, techniques, and procedures (TTPs). The goal here will be to cover some of the more successful TTPs we’ve used in recent engagements. [Disclaimer: all photos were taken from Google Image searches and are not from legitimate engagements]
Corporate Environment, City-Center
One of the most important things to remember when operating in an urban environment is the ever growing presence of Big Brother. Public and private organizations are slowly, but surely, covering entrances, exits, and thoroughfares with cameras. While that doesn’t mean someone is actually watching twenty-four hours a day, it is an important consideration when conducting recon. Make sure to cover your surroundings. For example, many corporations are now building day care centers for their employees. If you see cameras mounted to such a facility, avoid it because there is a good chance it is more carefully monitored than a main building’s entrances and exits.
Making mental notes of camera placement can help you to generate probable coverage maps. Try to find dead spots from which employee movement in and out of the building can be monitored. You want to arrive onsite as employees are showing up for the day, so always plan for an early morning. Also, remember that your phone is your greatest asset; hold it up to your head and have a conversation with yourself as you make your way around the perimeter. No one is likely to bother you. The following are important points (definitely not a comprehensive list) to look out for once you’ve settled into an observation point:
- Are employees holding the doors for one another? (Vulnerable to tailgating)
- Are there badges in use? Are they visible? What do the readers look like?
- Do there appear to be any mantraps?
- Does there appear to be a dress code?
- Are there regularly used exit-only doors?
Once a perimeter sweep of a target block has been conducted, it’s a good time to move onto probing entrances, exits, and lobbies. Most companies headquartered in urban environments maintain front desks with receptionists and/or security guards. Try not to think of these as obstacles; they are excellent sources of information and can be used to your advantage. Guards and receptionists wear badges just like everyone else. Send a team member with an excellent short-term memory in to talk to the desk agent. This is the kind of information (again, a non-comprehensive list) he or she should bring back:
- Shape, color, look, etc. of employee security badges
- Layout of the lobby (elevator banks, escalators, potential stairwells, etc.)
- Any additional interior protective measures (turnstiles, optical beams, interior cameras)
- Placement and demeanor of security personnel (so if they’re angry or unapproachable, try a different route)
- Doors that can be accessed before passing through security
A great approach is to use the “I’m meeting someone for breakfast” story. Dress in earth-toned, upscale-casual (jeans and a polo), and walk up to the desk with a friendly and slightly confused demeanor. Angry or nervous people are remembered, and so are bright colors. If you have a beard, keep it for recon and shave it for the breach.
“I’m supposed to meet my uncle for breakfast, but I’m not sure if he works in this building or across the street, and he’s not answering his phone.” Make sure you have a name ready to go and that you know the address of your target building as well as one of the buildings in the immediate area. For names, go with a common first name and less-than-common last name. You want a name that isn’t actually going to appear in their registry, obviously. But you also don’t want it to be so outrageous that it raises suspicions. In other words, John, Mike, Steven, and Mark make great first name choices. Avoid Black, Smith, or Johnson for last names. Have a spelling in your head before you walk up to the desk.
While the receptionist or security guard is looking up your fake uncle, be sure to get a good look at the lobby. If you have a pen cam or equivalent piece of technology, this would be a perfect opportunity to use it. Otherwise, keep your eyes open. When the receptionist or guard inevitably informs you that the person for whom you’re looking doesn’t work there, respond with a slight sigh. “Thank you anyway. I’ll try the other building.” Pull our your phone as you walk away and pretend to give your fake uncle a call. As you exit, be sure to walk in the direction of the second building you mentioned in your approach. You don’t have to go inside, obviously, but any suspicions you may have raised should dissipate if your exit path matches your story.
Once you’re comfortable with the amount of data collected, gather the team at an offsite rally point (hotel room being the obvious choice), and pool your information. Create badges and develop an appropriate breach approach plan based on the observations and notes of your recon team.
In the next post, we’ll move out to the sticks and look at conducting recon against a rural target with a bigger footprint.
