Smoke and Mirrors | Red Teaming with Physical Penetration Testing and Social Engineering

In this post, we will illustrate the roadmap of a physical penetration test and advise how to successfully infiltrate into a corporate environment. This post should be able to clarify areas of focus for a successful physical engagement with an emphasis on social engineering. A successful social engineering campaign or physical penetration test may result in a complete domain compromise in a red team, but in the real world, these physical threats often result in loss of intellectual property, profit, and damaged brand reputation. Included in this post will be social engineering techniques, possible scenarios, and methodologies to meet multiple objectives of a physical penetration test.

Reconnaissance

Prioritizing reconnaissance helps identify attack paths, targets, and persona development. On these reconnaissance operations, it is possible to gain critical information such as phone numbers, emails, digital footprint, physical footprint, and infrastructure. For example, some quick digging on LinkedIn can help a penetration tester understand the roles of an employee at a target company. This information may help a social engineer build a persona that helps build trust relationships in a target environment with other victims (employees). Understanding the physical footprint will allow a penetration tester to identify entry/exit points, optimal infiltration times, and assist the tester to develop an operation focused on stealth and efficiency. Ultimately, a successful recon campaign will contribute to a higher probability of successfully infiltrating a target site.

Use reconnaissance to discover information about:

• What to avoid
• Who to avoid
• Who to impersonate
• Who are the targets
• Exterior physical environment (how many entrances)
• Interior physical environment (blueprints or maps)
• What tools can contribute to the success (badge reader models, types of security controls)
• Foot traffic
• Dress code
• How to execute
• When to execute

Objectives

Although objectives and expectations are usually set forth by clients, this can be a framework for general engagements.

• Infiltration (Entry to Restricted Area)
• Infect (Gaining Access to the Internal Network)
• Stealth (Remain Undetected)

In addition to these objectives, secondary objectives should be taken into consideration.

• Exfiltration (Record, acquire, remove sensitive information)
• Physical Control Testing (Lock bypass, lock picking, badge cloning)
• Persistence (Regaining physical access, adding testers to the environment)

Impersonation

One of the best techniques to incorporate in a physical engagement is impersonation. The beauty of impersonation in-person versus over a phone is that your victims are unlikely to question your identity. Except for security personnel, most individuals do not have a reason to question who you are even when provided a false identity. Since it is not expected for anyone to conceal their identity in their own workplace, a tester abuse their environment for impersonation.

Impersonating specific roles that are regarded as authoritative or helpful will often yield desirable results. Impersonating a member of the IT team has a high success rate due to the helpful nature of the role; impersonating a high-ranking executive may lead to demands being fulfilled without pushback.

We recommend business casual in a corporate environment since it's versatile and most corporate roles can be impersonated with a button-down shirt. Both roles we previously mentioned can be associated with a business casual dress code. Ultimately, the clothes you choose to wear will be based on your reconnaissance and intuition. If your role is to be an electrician, plumber, member of the cleaning crew, then you might want to find the types of uniforms that you'll want to use for the impersonation.

Scenarios

IT Staff are the most trusted by most employees at the company. Their role inherently implies a trust relationship, since their job is to help employees in their times of despair. This relationship can be abused to interact with victims who didn't even know they needed help. It's not uncommon for IT to request access to an employee's computer containing sensitive information such as passwords and company documents. By abusing the idea that you intend to help anyone at any time, it minimizes the risk of anyone questioning your actions (even if these actions are malicious). Sometimes, the role of IT Staff even implies some sort of authority over other employees. Combined with the helpful persona, it becomes a very easy role to engineer into a variety of scenarios.

We walked into the Security Office of a client claiming to be IT from the corporate office. Without verification of who we said we were, the Security team plugged us into their internal network. In fact, they were so welcoming, they asked us to stay and fix all the technical issues they were having within their internal network to which we replied that we would submit a prioritized ticket for them.

Another time, we were at an unattended workstation in a corner trying to execute a malicious payload from the USB we had just plugged in. Just when we were finishing up, the owner of that workstation came into the room asking us what we were doing on his computer. We replied, "We were going to run some security updates." The employee then offered us his workstation password while he ran out to do other errands. Once we had finished executing our payload a few more times, we moved on across the office and repeated the process. This time around, we offered my payloaded USB as a security patch and that we had just finished applying some patches to their co-worker's computer. This employee also gladly obliged to our request.

Building Trust

Social engineering is one of the most effective ways to exploit trust because no one is safe from manipulation. This includes security guards, receptionists, members of the cleaning crew, human resources, and almost anyone else you can think of. Successfully social engineering one target increases the success rate of social engineering the next victim because it builds trust in the environment. It also allows the social engineer to gather more information to build their own identity and role. Security guards give off a false sense of security because their capabilities often fall short when a motivated attacker is attempting infiltration. Security guards are generally there as a deterrent, but companies and people feel safer if they're present even if they're not actively checking for suspicious activity. If an attacker gets past security, most internal employees will have no reason to keep their guards up. If an internal employee sees an attacker conversing with security, tailgating into the entrance becomes easier because of the trust being built upon that conversation. In a social setting, it is implied that a criminal would not be casually conversing with law enforcement. People falsely assume that people who converse with security will not attempt unlawful activities. By not intentionally avoiding security and engaging positively with the individual(s) who are meant to keep attackers out, the attacker can continue trust in their environment. Those who observe this trust relationship are also more likely to add themselves in the relationship. By approaching security directly, an attacker is establishing that they have nothing to hide and is not concerned with being identified. If an employee observes this interaction, they will be at ease, which introduces a vulnerability.

Infiltration

The most prioritized objective of a physical penetration test is to infiltrate the target location(s). The reconnaissance should have allowed you to identify your attack path. Whether that be lockpicking, badge cloning, or tailgating, there are contributing factors to make each methodology more successful. In the next three sub-sections, we will give advice to increase the success rate of these methodologies.

Lockpicking

If you are extremely well-versed lock picking, then this method will have the highest success rate. We recommend that you are lockpicking in a way that appears like you’re opening a door with a key. We recommend finding camera blindspots or avoiding survelliance altogether when picking locks. Since lockpicking generally requires two hands while studying the lock, you will likely look suspicious. A successful social engineer can make do even with the most condemning social environment. The general populace is not expecting a figure to pick a lock in public so a well-executed sleight of hand will most likely go unnoticed. Additionally, if you’re dressed up as a locksmith, an electrician, or some utility engineer, it would fit the context of trying to get in a locked doorway. Even having a walkie talkie and saying something like, “The master keys aren’t working, over.”, in public might stop questioning stares if you’re struggling to pick the lock. Stealth is being maintained and the disguise is disposable.

Your roles during your engagement may change so it is important to adapt to each point of the engagement. Although lockpicking and other lock bypass techniques are an invaluable skill to have for physical engagements, I'm not proficient at lockpicking and as such, do not rely on it. As a good rule of thumb, I encourage you to look up the laws concerning having lockpicks around the target location.

If lockpicking isn’t a viable option, other lock bypasses that might work. This includes under the door tools, air dusters, shims, and lever openers. All lock bypass tools look suspicious and will be extremely difficult to pull off during normal business hours. For the execution of lock bypasses, we recommend avoiding normal business hours for OPSEC reasons.

Badge Cloning

Badge cloners are an excellent choice for gaining entry to a building. Depending on the type of card reader that is being used, it is possible to clone an employee’s badge and enter a building that way. There are ways to clone badges with or without victim interaction.

Scenarios

Cloning with victim interaction requires engineering the social context of why the target should let you clone their badge. In previous engagements, we’ve impersonated building security and ask to validate a badge. This is the equivalent for asking someone’s password so framing the encounter is extremely important. We've posed as security and when we request for something, the demand relates to a security measure. Note that we are abusing the authoritative relationship of this role. We've told target employees that we need to scan their badge to make sure certain features are working for the updated card readers being installed. We also approach these employees near the end of the business day as they're leaving the premise. This way the employee will not likely reach out to anyone internally to verify (since it will be pushing the end of the business hours), and they are likely going to oblige to any request that will allow them to leave. It is also likely that most employees will still have their access badge around their neck or clipped on to their hip. You could even frame your encounter that you are scanning their badge due to a security violation of having their badge around their neck when they are exiting the building.

To avoid raising suspicious when asking someone for an access token, you can redirect the suspicion on them. Consider for a moment that if their badge is malfunctioning, it might present a larger security concern for the firm. Now the request to verify their badge is somewhat warranted and the employee might feel as if they are doing their part in securing their workspace.

Alternatively, badge cloning can be performed without victim interaction. One way is to get close enough to an employee in an elevator. In a packed elevator, it's not uncommon to shift around and accidentally brush shoulders or get close enough for the badge cloning. You could also follow employees into a coffee shop close enough behind them to clone it while they’re in line. Cloning without interaction with the target will maintain a certain level of stealth when you are cloning the badge. Always keep the range capability of the badge cloner in mind.

Tailgating

Tailgating is generally the best method to gain entry. There are multiple methods of tailgating that we've used to be successful on our engagements. The most success we've had is to tailgate without the victim noticing. We encourage emphasis on executing tailgating methodologies quickly, quietly, and out of sight.

It is also possible to take a more direct approach when tailgating. Our testers like to act out talking on the phone with someone as they're tailgating. Generally, the person you're tailgating will not interrupt you to ask or to verify your identity out of not wanting to appear rude/inconsiderate.

Scenarios and Considerations

Security awareness training against tailgating is often taught at corporations, but most employees fail to keep it at the forefront of their mind. Security trainings use the example of how an intruder might tailgate by having their hands full of items which will encourage other people opening the door for them. This scenario exploits people's nature of wanting to help and plays on empathy. This appeal to empathy often times will get an intruder through the door. Since this example is commonly introduced during security awareness training for employees, using this scenario could put an employee on high aelrt. You can de-escalate this situation by admitting how guilty you might look while mentioning the security awareness training. As an effort to remediate the situation, offer that you will show him your badge once you set things down in your office. The target might decide that you do not impose a threat and let you on your way. If the target refuses to let you in, you can say, "I will escort myself to security." This could de-escalate the situation as you are showing that you have nothing to hide.

We’ve found high success rates in what we like to call reverse-tailgating. This is a slightly modified approach at standard tailgating where instead of someone holding the door for you, you hold the door for someone else. If someone has opened the door, you can hold the door for the next person entering. This establishes trust and familiarity now that you’ve been seen and you’re impersonating an employee who’s practicing bad physical security awareness. Although you're not necessarily making security conscious decisions for in this situation, most indiviudals will not see you as a threat.

Other infiltration methods such as targeting the cleaning crew for entrance, directly social engineering the receptionist, and directly social engineering the security guard can be successful depending on the environment. We’ve found that impersonating an employee working from another branch traveling to the target location to work as well. We have found that using your real identity can help establish trust if the role does not require complete impersonation. The receptionist generally will not check against your identity. You can request them to call up the supposed "point of contact" (which you will at least have the name of via OSINT done during the reconnaissance phase) or mention that you have that "point of contact's" number and call them up yourself. Since the role of a receptionist is to help guests and other visitors, they make an excellent target. As long as you're dressed to belong in the environment, there should be no reason for the receptionist to be suspicious of your presence. If the receptionist has you wait in the lobby, you could excuse yourself to the restroom. (If the restroom is inside the working space of the building, you're trying to gain access to, you have foothold). If anyone confronts you, there are multiple scenarios that you might be able to use to de-escalate a situation. Some of these scenarios include retrieving a forgotten item, getting lost within the space, or just needing to grab something from the printer. These scenarios mainly depend on the physical layout of the location, but adaption is key.

Vishing and Phishing

With proper OSINT, you can target almost any individual in the firm. A well crafted phishing email or an internally spoofed number that communicates the arrival of your tester can help aid the success rate for infiltration.

FireRTC is a great service for spoofing phone numbers.

Initial Foothold

There are a couple of techniques that can be used for an initial foothold. We will go over a few just to spark some creativity from you for your physical engagements. The USB drop is a popular method for initial foothold, however, a lot of security training is based around it. Read more about the infamous Pentagon compromise through a USB drop here.

Setting up an SSH dropbox is a recommended route if you just want to get in and get out. You’ll be able to plug it into any Ethernet port and have the dropbox call back to a device remotely. The SSH Phone Home project provides simple instructions on how to build an SSH dropbox with inexpensive materials.

Generally, in conference rooms, there will be ethernet ports plugged into the PBX phones and workstations. This also allows a tester to directly plug in a portable laptop to conduct attacks directly against the internal network. This is all assuming that there is no network access control against devices being plugged into the ethernet. In my experience, however, these controls are generally inconsistent even if it’s through a MAC whitelist. There are also measures around this that can be done via MAC address spoofing. You can generally find the MAC address of a PBX phone or a printer by playing around with the configurations.

In Kali, you'll be able to spoof to a MAC address of your choice (a whitelisted one).

# ifconfig eth0 down
# macchanger -m 00:d0:70:00:20:69 eth0
# ifconfig eth0 up
# macchanger -s eth0

Additionally, you can get creative and use wireless keystroke injection/logging against vulnerable keyboards. The JackIt project has a list of vulnerable keyboards and mice that allow an attacker to inject keystrokes into the keyboards and run arbitrary commands. This means that there is a possible attack vector for invoking powershell or other payloads through hta, vba, html, and wmi commands.

If you have physical access to an unencrypted workstation, we’ve found success booting from a USB through the BIOS. This allows you to boot onto a machine into a live instance of (Kali) and mount the Windows filesystem onto the live instance of Kali. From there, you will be able to dump in-memory hashes that can be passed and cracked across the domain.

Stealth

Doing as much reconnaissance as possible will allow you to understand the environment the most. By having more intimacy with the environment will allow you to then understand what’s normal and what’s abnormal. Maintaining stealth comes from understanding social environments.

Stealth is more of a mindset than it is a trait or a set of actions. Adapting to a successful mindset is criticalto maintain stealth. You might think you’re a physical penetration tester who's primary objective is to infiltrate buildings while trying to "pwn" enterprise networks. We think this kind of mindset hinders your efforts in a successful engagement because of how motivated you'll be to overcome security controls. It is more important to get in the mindset of who you are going to impersonate (an eletrician, an employee, etc). As a result, don't underestimate the effectiveness of casualness. Most target locations and target audiences will be casually interacting with each other. If your interactions are casual, people will likely reciprocate their interactions casually. Social engineers love to appeal to urgency to get people to do what they want. Upon evaluation, this technique is rash and upsets the balance of normality in any given environment. Imagine going up to a banker and demanding to be let into the vault. Now imagine going up to a banker and casually asking to be let into the vault. Neither scenarios will work without modification, but the first scenario is likely to get security called on you whereas the second scenario might be treated as a light-hearted joke. Not many people are seeking an adrenaline rush in their day to day jobs. A casual request will likely be treated with a casual response. A bold demand will likely raise eyebrows.

If someone catches you plugging in a payload into their unattended and unlocked computer, avoid acting nervous or scared as if you were caught doing something you weren't supposed to. Use this as an opportunity to transform initial suspicion into something positive like offering assistance. When confronted, tell the person who caught you that you were just performing security updates. Perhaps ask them if they've changed their password recently to completely reframe the scenario before you’re even being questioned. You’re not building trust at this stage, you’re establishing that a trust relationship is already there. Reinforce the trust you have built by making other people feel like they are being helped.

Other subtle mannerisms will play into your stealth operations. This would include the way you compose yourself. We try not to give too many tips that might bias your social engineering role because that would imply that there is one right way to achieve stealth. The post intends to give you tips and advice to improve your own techniques.

Persistence and Exfiltration

Physical persistence and physical exfiltration will require a prolonged operation that focuses primarily on stealth. The longer you’re in a target location where you don’t belong, the probability of being detected or caught incrases. As a result, we like to do our exfiltration and persistence as we infiltrate the target location. We talked about how faking a phone call can be used to promote stealth and deter unwanted interaction. Your phone can also be used to record the internal footprint of a location and sensitive documents. Since social media is so prevalent everywhere, it is even more of an exuse for someone to take pictures of ordinary objects such as food or staplers (lol). By placing your lunch (or stapler) next to some sensitive company information, you'll be able to take pictures of these documents without raising an eyebrow.

One place we love to look is the proprietary bins, trash cans, recycle bins. Employees don’t think their information is sensitive enough to discard in the proprietary bins. As a result, we encourage you to sit down at their desk and dig through their trash. If someone asks you why you’re digging through their trash, you can explain to them that you lost your check and might’ve thrown it in their bin by accident. Proprietary bins generally have locks on it, but it's worth checking if it is actually locked. (Proprietary bins are generally located in the supply/printer room.)

Establishing persistence can be approached in a few ways. One way is the technical control which involves testing against doors. This method involves using a piece of tape to tape a door’s latch bolt so that it can’t be properly closed all the way. This is an excellent way to set up persistence in staircases and exits. Another method is to establish familiarity by walking and re-tailgating in through a reception area. When you do this enough, you have established a sense of belonging in the environment in which other people who have seen you will not question opening or holding the door for you. Persistence can also be achieved in the sense that you are introducing more physical penetration testers to the environment. If there is more than one intruder, it becomes much more difficult to remove your reference.

Conclusion

A lot of what we covered might just be things that were in the back of our minds. There might be some points where you, the reader, have thought were some pretty obvious tips. The challenge for any physical engagement is to consider all options and choosing the best one. Adapting to the situation as obstacles come in play in a split second is what makes a clean and successful engagement. Being able to think through how to control a situation is incredibly difficult under pressure. That is why it’s necessary to have a plan and some information before you perform an engagement. We are constantly thinking about how to circumvent physical controls without the need for technical tools. Take what you need from this post and apply it to your physical engagements. We have yet to find any compilation of resources that do a thorough walkthrough of physical penetration tests, so we used this opportunity to give assemble our own list of what has helped us.

Manfred Chang

Read more posts by this author.