Red Teaming with Physical Penetration Testing and Social Engineering

Allow us to illustrate the roadmap of a physical penetration test and advise how to successfully infiltrate into a corporate environment. We will clarify areas of emphasis for a successful physical engagement with a focus on social engineering.

A physical penetration test could result in a complete domain compromise in a red team exercise. In the case of an actual breach, these physical threats often end up in loss of intellectual property, profit, and damaged brand reputation. Reading further, we’ll outline possible scenarios, social engineering techniques, and methodologies to meet multiple objectives of a physical penetration test.

Reconnaissance

Identifying attack paths, targets, and persona development is key for prioritizing reconnaissance. It is possible to gain critical information such as a digital footprint, phone numbers, emails, physical footprint, and infrastructure. A penetration tester can dig a bit on LinkedIn to understand the roles of an employee at a target company. This can help a social engineer build a persona that helps build trust relationships in a target environment with other victims (employees).

An understanding of the physical footprint helps a penetration tester identify entry/exit points, optimal infiltration times, and assists them to develop an operation focused on stealth and efficiency. A higher probability of a successful infiltration of a target site equals a successful recon campaign.

Reconnaissance can discover:

• What and who to avoid
• Who to impersonate
• Who to target
• Exterior physical environment – number of entrances
• Interior physical environment – blueprints or maps
• Dress code
• Foot traffic
•Tools that can contribute to success – badge reader models, various security controlsT
• How and when to execute

Objectives

This can be a framework for general engagements, though objectives and expectations are often set by clients.

• Infiltration – Entry to restricted area
• Infect – Gain access to internal network
• Stealth – Remain undetected

Secondary objectives should be considered.

• Exfiltration – Record, acquire, remove sensitive information
• Physical Control Testing – Lock bypass, lock picking, cloning badges
• Persistence – Repeated physical access, adding testers to the environment

Impersonation

Impersonation is one of the best techniques to incorporate in physical engagement. Your victims are unlikely to question your identity on the phone rather than in-person. Most people do not have a reason to question who you are even when provided a false identity, perhaps with the exception of security personnel. It is not expected for anyone to conceal their identity in their own workplace, though a tester might abuse their environment for impersonation.

Impersonating specific roles that are regarded as authoritative or helpful can yield the most significant results. Impersonating a member of the IT team has a high success rate due to the helpful nature of the role; impersonating a high-ranking executive may lead to demands being fulfilled without pushback.

We recommend business casual in a corporate environment since it’s versatile and most corporate roles can be impersonated with a button-down shirt. Both roles we previously mentioned can be associated with a business casual dress code. Ultimately, the clothes you choose to wear will be based on your reconnaissance and intuition. If your role is to be an electrician, a member of the cleaning crew, or a plumber, for example, you might want to find uniforms that mimic such roles.

SCENARIOS

IT staff are the most trusted by most employees at the company. Their role inherently implies a trust relationship, since their job is to help employees be more productive or work through a tech problem. This relationship can be abused to interact with victims who didn’t even know they needed help. It’s not uncommon for IT to request access to an employee’s computer containing sensitive information such as passwords and company documents.

By abusing the idea that you intend to help anyone at any time, it minimizes the risk of anyone questioning your actions (even if these actions are malicious). Sometimes, the role of IT staff even implies some sort of authority over other employees. Combined with the helpful persona, it becomes a very easy role to engineer into a variety of scenarios.

Claiming to be IT from the corporate office, we walked into the Security oOffice of a client without verification of who we said we were. The Security team plugged us into their internal network. They were so welcoming, they asked us to stay and fix all the technical issues they were having within their internal network to which we replied that we would submit a prioritized ticket for them.

Another time, while at an unattended workstation trying to execute a malicious payload from the USB we had just plugged in, the owner of that workstation came into the room asking us what we were doing on his computer. We replied, “We need to run some security updates.” The employee then offered us his workstation password while he left to take care of other business.

Once we had finished executing our payload a few more times, we moved on across the office and repeated the process. We offered my pay-loaded USB as a security patch that we had just finished applying to their co-worker’s computer. This employee also happily complied to our request.

 

Trust Building

One of the most effective ways to exploit trust is social engineering because no one is safe from manipulation. Security guards, human resources, receptionists, members of the cleaning crew, and almost anyone else are at risk. Successfully social engineering one target increases the success rate of social engineering the next victim because it builds trust in the environment. It also allows the social engineer to gather more information to build their own identity and role.

Security guards give off a false sense of security because their capabilities often fall short when a motivated attacker is attempting infiltration. Security guards are generally there as a deterrent, but companies and people feel safer if security is present even if they’re not actively checking for suspicious activity.

Most internal employees will have no reason to keep their guard up if they witness an attacker conversing with security. Tailgating into the entrance becomes easier because of the trust being built upon that conversation. In a social setting, it is implied that a criminal would not be casually conversing with law enforcement. People falsely assume that if security is taking to the person, they must be clear to be there. Engaging positively with the individual(s) who are meant to keep attackers out,the attacker can continue trust in their environment. Those observing this trust relationship are also more likely to add themselves in the relationship.

By approaching security directly, an attacker is establishing that they have nothing to hide and is not concerned with being identified. If an employee observes this interaction, they will be at ease, which introduces a vulnerability.

Infiltration

Infiltration of the target location(s)is the most prioritized objective of a physical penetration test. The reconnaissance should have allowed you to identify your attack path. Picking locks, tailgating, or badge cloning–each method can be made more successful. Now we’ll will give advice to increase the success rate of these methods.

LOCK PICKING

This method will have the highest success rate if you are extremely well-versed at lock picking. We suggest finding camera blind spots or avoiding surveillance when picking locks tomake it appear like you’re opening a door with a key. Lock picking generally requires two hands while studying the lock, but a successful social engineer can make do even with the most condemning social environmentMost are not expecting someone to pick a lock in public so a well-executed sleight of hand will likely go unnoticed. If you’re dressed up as a locksmith, an electrician, or some utility engineer, it would fit the context of trying to get into a locked doorway. Even holding a cellphone and saying something like, “The master keys aren’t working,” in public might stop questioning stares if you’re struggling to pick the lock. Stealth is being maintained and the disguise is disposable.

Adaptability is key. Your roles during your engagement may change. Although lock picking and other lock bypass techniques are an invaluable skill to have for physical engagements, if you are not not proficient at lock picking and as such, do not rely on it. As a general rule, I encourage reading the laws concerning having lock picks around the target location.

All lock bypass tools look suspicious and will be extremely difficult to pull off during normal business hours. If lock picking isn’t a viable option, other lock bypasses might work. This includes under the door tools, shims, air dusters, and lever openers. To execute lock bypasses, we suggest avoiding business hours for OPSEC reasons.

BADGE CLONING

Depending on the type of card reader used, it’s possible to clone an employee’s badge and enter a building. There are ways to clone badges with or without victim interaction and it is an excellent way to gain entrance.

SCENARIOS

Why the target should let you clone their badge requires victim interaction, so the social context needs some engineering. In previous engagements, we’ve impersonated building security and asked to validate a badge. This is the equivalent of asking someone’s password, so framing the encounter is extremely important. We’ve posed as security and when we request something, the demand relates to a security measure. The authoritative relationship of this role is how it works.

We’ve told target employees that we need to scan their badge to make sure certain features are working for the updated card readers being installed. It’s also good to approach these employees near the end of the business day as they’re leaving the premise. The employee will not likely reach out to anyone internally to verify (since it will be pushing the end of the business hours), and they mostly oblige to any request that will allow them to leave.

Most employees will still have their access badge around their neck or clipped on them. You could frame your encounter that you are scanning their badge due to a security violation of having their badge around their neck when they are exiting the building.

To avoid raising suspicions when asking someone for an access token, you can redirect the suspicion on them. Consider for a moment that if their badge is malfunctioning, it might present a larger security concern for the firm. Now the request to verify their badge is somewhat warranted and the employee might feel as if they are doing their part in securing their workspace.

Badge cloning can be done without victim interaction. One way is to get close enough to an employee in an elevator. In a packed elevator, it’s not uncommon to shift around and accidentally brush shoulders or get close enough for the badge cloning. You could also follow employees to a coffee shop close enough behind them to clone it while they’re in line. Cloning without interaction with the target will maintain a certain level of stealth when you are cloning the badge. Always keep the range capability of the badge cloner in mind.

TAILGATING

Generally, the best method to gain entry is tailgaiting because there are multiple methods. The most success we’ve had is to tailgate without the victim noticing. We encourage emphasis on executing tailgating methodologies quickly, quietly, and out of sight.

You can also take a more direct approach when tailgating. Our testers like to act out talking on the phone with someone as they’re tailgating. Generally, the person you’re tailgating will not interrupt you to ask or to verify your identity out of not wanting to appear rude or inconsiderate.

SCENARIOS AND CONSIDERATIONS

Security awareness training against tailgating is often taught at corporations, but most employees fail to make this a practice. Security trainings use the example of how an intruder might tailgate by having their hands full of items which will encourage other people opening the door for them. This scenario exploits people’s nature of wanting to help and plays on empathy.

This appeal to empathy often will get an intruder through the door. Since this example is commonly introduced during security awareness training for employees, using this scenario could put an employee on high alert. You can de-escalate this situation by admitting how guilty you might look while mentioning the security awareness training.

As an effort to remediate the situation, offer that you will show him your badge once you set things down in your office. The target might decide that you do not impose a threat and let you on your way. If the target refuses to let you in, you can say, “I will escort myself to security.” This could de-escalate the situation as you are showing that you have nothing to hide.

We’ve found high success rates in what we like to call reverse-tailgating. This is a slightly modified approach: instead of someone holding the door for you, you hold the door for someone else. If someone has opened the door, you can hold the door for the next person entering.

This establishes trust and familiarity now that you’ve been seen and you’re impersonating an employee who’s practicing bad physical security awareness. Although you’re not necessarily making security conscious decisions for in this situation, most people will not see you as a threat.

Other infiltration ideas include targeting the cleaning crew for entrance, directly social engineering the receptionist, and directly social engineering the security guard. All can be successful depending on the environment. We’ve found that impersonating an employee working from another branch traveling to the target location also works. Using your real identity can help establish trust if the role does not require complete impersonation.

The receptionist generally will not check against your identity. You can request them to call the supposed “point of contact” (which you will at least have the name of via OSINT done during the reconnaissance phase) or mention that you have that “point of contact’s” number and call them yourself. Since the role of a receptionist is to help guests and other visitors, they make an excellent target.

As long as you’re dressed to belong in the environment, there should be no reason for the receptionist to be suspicious of your presence. If the receptionist has you wait in the lobby, you could excuse yourself to the restroom. (If the restroom is inside the working space of the building, you’re trying to gain access to, you have foothold).

If anyone confronts you, there are multiple scenarios that you might be able to use to de-escalate a situation, including retrieving a forgotten item, getting lost within the space, or just needing to grab something from the printer. These scenarios mainly depend on the physical layout of the location, so adaption is crucial.

VISHING AND PHISHING

With proper OSINT, you can target almost any individual in the firm. A well crafted phishing email or an internally spoofed number that communicates the arrival of your tester can help aid the success rate for infiltration.

FireRTC is a great service for spoofing phone numbers.

Initial Foothold

A few techniques can be used for an initial foothold. Here are a few to spark creativity from you for your physical engagements. The USB drop is a popular method for initial foothold; however, a lot of security training is based around it. Read more about the infamous Pentagon compromise through a USB drop here.

Setting up an SSH Dropbox is recommended if you want to get in and get out quickly. You’ll be able to plug it into any Ethernet port and have the Dropbox call back to a device remotely. The SSH Phone Home project provides simple instructions on how to build an SSH Dropbox with inexpensive materials.

Often, conference rooms have ethernet ports plugged into the PBX phones and workstations. Allowing a tester to directly plug in a laptop to conduct attacks directly against the internal network. Assuming there is no network access control against devices being plugged into the ethernet.

However, in my experience, these controls are generally inconsistent even if it’s through a MAC whitelist. There are also ways this that can be done via MAC address spoofing. Generally, you can find the MAC address of a PBX phone or a printer by manipulating the configurations.

In Kali, you’ll be able to spoof to a MAC address of your choice (a whitelisted one).

You can get creative and use wireless keystroke injection/logging against vulnerable keyboards. The JackIt project has a list of vulnerable keyboards and mice that allow an attacker to inject keystrokes into the keyboards and run arbitrary commands. Meaning there is a possible attack vector for invoking powershell or other payloads through hta, vba, html, and wmi commands.

We’ve found success if you have physical access to an unencrypted workstation, booting from a USB through the BIOS. This helps to boot onto a machine into a live instance of (Kali) and mount the Windows filesystem onto the live instance of Kali. Then you will be able to dump in-memory hashes that can be passed and cracked across the domain.

STEALTH

Performing as much reconnaissance as possible will help you understand the environment the most. More knowledge of the environment will assist you to then understand what’s normal and what’s abnormal. Maintaining stealth comes from understanding social environments.

Stealth is more of a mindset than it is a trait or a set of actions. Adapting to a successful mindset is critical to maintain stealth. You might think you’re a physical penetration tester who’s primary objective is to infiltrate buildings while trying to “pwn” enterprise networks. We think this kind of mindset hinders your efforts in a successful engagement because of how motivated you’ll be to overcome security controls.

It is more important to get in the mindset of who you are going to impersonate (an electrician, an employee, etc). As a result, don’t underestimate the effectiveness of casualness. Most target locations and target audiences will be casually interacting with each other. If your interactions are casual, people will likely reciprocate their interactions casually. Social engineers love to appeal to urgency to get people to do what they want.

Upon evaluation, this technique is rash and upsets the balance of normality in any given environment. Imagine going up to a banker and demanding to be let into the vault. Now imagine going up to a banker and casually asking to be let into the vault. Neither scenarios will work without modification, but the first scenario is likely to get security called on you, whereas the second scenario might be treated as a light-hearted joke. Not many people are seeking an adrenaline rush in their day to day jobs. A casual request will likely be treated with a casual response. A bold demand will likely raise eyebrows.

If someone catches you plugging in a payload into their unattended and unlocked computer, avoid acting nervous or scared as if you were caught doing something you weren’t supposed to. Use this as an opportunity to transform initial suspicion into something positive like offering assistance. When confronted, tell the person who caught you that you were just performing security updates.

Perhaps ask them if they’ve changed their password recently to completely reframe the scenario before you’re even being questioned. You’re not building trust at this stage; you’re establishing that a trust relationship is already there. Reinforce the trust you have built by making other people feel like they are being helped.

Other subtle mannerisms will play into your stealth operations. This would include the way you compose yourself. We try not to give too many tips that might bias your social engineering role because that would imply that there is one right way to achieve stealth. This post intends to give you tips and advice to improve your own techniques.

Persistence and Exfiltration

Physical persistence and physical exfiltration will require a prolonged operation that focuses primarily on stealth. The longer you’re in a target location where you don’t belong, the probability of being detected or caught increases. As a result, we like to do our exfiltration and persistence as we infiltrate the target location. We talked about how faking a phone call can be used to promote stealth and deter unwanted interaction.

Your phone can also be used to record the internal footprint of a location and sensitive documents. Since social media is so prevalent everywhere, it is even more of an excuse for someone to take pictures of ordinary objects such as food or staplers (lol). By placing your lunch (or stapler) next to some sensitive company information, you’ll be able to take pictures of these documents without raising an eyebrow.

We love to look for proprietary bins, recycle bins, and trash cans. Employees don’t think their information is sensitive enough to discard in the proprietary bins. As a result, we encourage you to sit down at their desk and dig through their trash. If someone asks you why you’re digging through their trash, you can explain that you lost your check or something else important to you and might’ve thrown it in their bin by accident. Proprietary bins generally have locks, but it’s worth checking if it is actually locked. (Proprietary bins are generally located in the supply/printer room.)

Establishing persistence can be approached in a few ways. Technical control involves testing against doors. Use a piece of tape to cover a door’s latch bolt so that it can’t be closed all the way making it an excellent way to set up persistence in staircases and exits. Another option is to establish familiarity by walking and re-tailgating in through a reception area.

When repeated enough, you have established a sense of belonging in the environment in which other people who have seen you will not question opening or holding the door for you. Persistence can also be achieved in the sense that you are introducing more physical penetration testers to the environment. If there is more than one intruder, it becomes much more difficult to remove your reference.

Conclusion

The challenge for any physical engagement is to consider all options and choosing the best one. Adapting to the situation as obstacles come in play in a split second is what makes a clean and successful engagement. Being able to think through how to control a situation is incredibly difficult under pressure. It’s imperative to have a plan and some information before you perform an engagement. We are constantly thinking about how to circumvent physical controls without the need for technical tools. Apply what you’ve learned here to your physical engagements. We have yet to find any compilation of resources that do a thorough walkthrough of physical penetration tests, so we assembled our own list of what been helpful to us.