When it comes to physical pentests, there are a variety of different approaches and techniques used depending on the environment and situation. While most people are familiar with the concept of tailgating in order to gain access to restricted areas, the double tailgate can be useful when the point of entry has tailgating detection mechanisms in place.
The scenario where this technique has proven to be effective for our team (on several occasions) is when the main floor of the building requires badge access in order to pass through an optical turnstile, which has a security guard or receptionist nearby. The key here is the optical turnstile as opposed to a physical turnstile. With these, only tailgating detection is provided, but the actual tailgating prevention requires intervention by the employee at the desk, which is the “vulnerability” that the double tailgate takes advantage of.
As the name suggests, two consultants are needed to perform this technique. The way it works is that the first consultant follows a legitimate employee into the target area as they approach the turnstile, while the second consultant closely follows the first consultant. After the legitimate employee swipes their badge and passes through, the first consultant simply swipes a fake badge (or pretends to) and tailgates the employee. At this point, the second consultant should be close enough to the first consultant and also try to swipe a fake badge and walk through the turnstile. This must be done relatively quickly so that by the time the security guard or receptionist looks up in response to the tailgating alarm, they will hopefully assume that the second consultant was the one that had a failed badge read and just wave the legitimate employee and first consultant through to the target area.
Assuming things go as planned, the first consultant should be in the building, continuing with the objective. (Win!) For the second consultant, we have seen a few different outcomes. The most common is where the security guard or receptionist will tell the second consultant to try swiping their badge again, and then proceeds to ask a variety of questions to figure out if there is an issue with the badge. This type of situation is pretty easy to get out of by just making up an excuse like “I forgot something in my car anyway. I’ll be right back” or acting like you just got a phone call. Depending on how gutsy you are, you could make an attempt to just ask for a visitor badge for the day. Who knows, maybe the tailgating alarm will just be ignored by everyone and both consultants can make their way into the building. Yes, this has actually happened to us during an assessment.
It is important to note that this technique only works well for optical turnstiles, while physical turnstiles with bars or doors make this a much more difficult task. If physical turnstiles are in use, other techniques should be used instead. Most organizations that use optical turnstiles do so primarily for their aesthetic looks compared to the metal bars commonly seen on physical turnstiles. However, what they may not realize is their reduced effectiveness for physical security.
Originally authored by Jake
