Most organisations take a standard approach to penetration testing each year to satisfy their organisational and compliance requirements. More often than not, this means standard systems and infrastructure testing: external networks, internal networks and devices, and cloud services, sometimes with wireless and social engineering attacks such as phishing and vishing added on. That covers the main areas that auditors and insurers look for, but what about the less common areas that organisations typically miss?
We are often engaged by organisations to perform advanced threat emulation such as physical access testing. A physical access test is exactly that: it tests an adversary's ability to gain physical entry to your office or business location(s). You can have the toughest security controls in the world protecting your network, but if an adversary can walk in and plug a device into a network point, it potentially defeats all of those controls. Humans are often the weakest link, and most employee training focuses on electronic threats while missing this type of attack entirely, which is why this kind of testing belongs in your annual security testing regime.
A physical penetration test typically consists of a four-stage approach:
Reconnaissance / Preparation
In this phase we perform reconnaissance, or open-source intelligence (OSINT) gathering, from the internet to fingerprint the organisation: which staff are potential avenues, what locations the organisation has, whether there are recent case studies about their location, contracts or technologies, what is posted to social media, whether there are pictures online showing uniforms or lanyards that we can imitate, and anything else we can use to build a successful scenario.
Pre-staging and Laying Groundwork
The next step, once we have a scenario, is to pre-stage and produce any props needed for a successful entry. This can start as simply as viewing the location in Google Images to see whether we can identify information about its physical security (such as prox card readers, gates etc.). We then send a tester to site to physically scout the location over one or more days, watching the comings and goings across the day: what uniforms people wear, what times staff come and go, when they take smokos or go for coffee, whether big groups go to lunch each day that we can tailgate in with, and what sort of deliveries arrive.
After this pre-staging we purchase uniforms and other equipment to make the scenario completely believable. On most engagements, if I have a uniform and lanyard that match everyone else's, it is a no-questions-asked way in. If we are using a delivery scenario, for example, we arrange goods that the tester will deliver.
We might also contact reception or other key staff members to make the scenario more believable when the tester arrives on site. For example, we might call and say that an electrical test-and-tag contractor is coming on a given day, give his name, and ask them to please grant him access. Sometimes pre-announcing the visit and dropping names is just as effective as arriving unannounced.
We have also used voice synthesis and deepfakes on engagements: taking a video of the CEO or similar online content, recreating the voice from a transcript, and then making a call or sending a fake voicemail email with the recording attached to an unsuspecting victim to make the scenario seem more legitimate.
As part of this pre-staging process, we schedule a date and require certain documents to be provided by the client to our tester, along with contact details that the tester carries on the day in case they are caught or run into another challenge.
Execution
When the testing day arrives, our testers execute using a variety of social engineering and coercion tactics honed over many years of performing these types of engagements. An end marker is pre-arranged with the client: it might be to get onto someone's machine, open a Word document and take a photo; to plug in a call-home device (such as a USB key); or simply to take photos of the physical locations where access was obtained.
Reporting
Our testers take a myriad of photos, and potentially video footage, during execution to provide proof of access, as well as recording any times they were stopped or questioned and any observed lapses in security procedures by staff. Our findings then give the organisation practical security processes and controls that it can adopt to prevent similar attacks.
An example from an engagement I performed recently:
Reconnaissance:
I found a post on social media advising that an organisation had a big event coming up for Australia's Biggest Morning Tea, in support of the Cancer Council of Australia.
Pre-staging and laying groundwork:
I located the names of the CEO, the SLT and the marketing people for the organisation online and contacted reception to advise that I was calling from ‘Daniels donuts’, that the CEO had arranged a number of donuts to be delivered for the Biggest Morning Tea event, and to let them know the time I would be arriving. I confirmed that we could take them directly to the boardroom as we had a large number of boxes, which they assured me would be fine.
To gather the uniform design, I located photos online, such as this one from the Geelong Advertiser:
Using this image, I used a T-shirt print service such as Vistaprint to arrange a black shirt with a similar logo, and arranged an apron with the same design from a service such as Spreadshirt (for example, Adjustable Apron | Spreadshirt).
End Marker
The end marker provided by the client was to plug in a USB device facilitating remote access, or to access an already logged-in workstation.
Execution
Upon arrival I was warmly welcomed by reception. “I have a whole tonne of donuts here for you!” I exclaimed. She asked me if I was OK carrying the eight boxes of donuts. “Sure, no worries,” I said, as she led me up the hallway to their large boardroom. On the way through, I noticed a PC left on with no one in proximity in one of the cubicles off the corridor. I put the donut boxes down on the desk it was sitting on and asked the receptionist, “Would you mind carrying half of these for me?” “Sure!” she said, and grabbed half the boxes off the desk. While she turned her back to continue down the corridor, a USB device from my pocket was swiftly inserted into the PC. I followed her to the boardroom, put down the donuts, said I could see myself out, and left the room as she was flustering about unpacking donuts for the group of employees anxiously awaiting their morning treat. On the way back down the corridor, I stopped at the PC, pulled out the USB device and proceeded out the door, and verified the callback to our command and control (C2) servers once at a safe distance.
As you can see, lapses in physical security policies can and do very easily lead to entry points into an organisation's network. I have had a great deal of success gaining access to devices and server rooms and installing network implants across many engagements.
So why not give it a go as part of your next penetration testing exercise? My team has over 18 years of penetration testing experience and is regarded as one of the best physical testing teams in Australia; our success rate is 98% so far this year 😊
If you would like more information, you can reach out to me directly, contact me via pentests.nexon.com.au, or contact my team directly via pentestenquiries@corp.nexon.com.au