Introduction to physical penetration tests

Depending on your personality the concept of being legally allowed to break into places has a kind of mythical ring to it. You’ve seen it happen in movies and series like James Bond, Mission Impossible, Leverage and a dozen others and you might have wondered is that how it really happens in real life? On some level you already know that the movie depictions are not that close to reality. Why? Mostly due to all those other stories of regular burglary where the break-in is much less sophisticated, yet very effective.

In this blog post I’m going to try and give an overview of physical penetration tests and how to start doing them from my own perspective (European context, we have to worry less about guns). In addition I will focus on the type of tests where a target asks you to ‘casually’ break in and gain access to a room, plant a device or steal some specific information. ‘Casually’, what does that even mean? In my experience it means that you get one or two days for your preparations and one day to execute the attack. Doesn’t seem like a lot, but you’d be surprised how many targets can be breached with minimal preparations, some courage and the fact that you aren’t really going to jail when caught ;)

I’m also no expert on this subject, so feel free to leave corrections as well as additional tips, tricks and personal experiences in the comments. Lastly, not all physical penetration tests will be the ideal take 4 weeks to do your thing type of job. So I consider it good practice to also be able to perform these type of smaller jobs where thinking on your feet is almost mandatory, not to mention fun if you like to practice your improvisation skills.

Before I forget, this information is mostly for your general running off the mill big corporation with standard security and where the target is just interested in an attacker that doesn’t invest a lot of time in the attack. Don’t attempt to access high security facilities with minimal preparation. Even though it might succeed, you will most likely strand at the first door or person that you attempt to bypass.

Defining a physical penetration test

For me a physical penetration test is a combination of physical techniques and tools to bypass physical controls, social engineering to gain access with the help of people who have legitimate access and good old fashioned OSINT / online reconnaissance to gain a better understanding of your target. Keeping that in mind does that mean you can do anything you want? Not really, let’s sum up a couple of items to take into account:

• Ethical considerations
  • Don’t hurt people
  • Don’t do stuff you would not want to experience yourself as a victim
• Legal considerations
  • Companies cannot overrule national law
  • Be aware of national law and the implications for your test
  • Be explicit about causing or not causing damage to their property
  • Ensure having a ‘get out of jail letter’ at all times
  • Be aware of shared property and the legal implications
  • Leave personal stuff alone

There are more items to consider and the above bullet points can be debated a lot if you want to take all the corner cases into consideration, but the bottom line is mainly:

Don’t be a jerk, adhere to the law and the contractual obligations

Let’s focus some more on the actual test, the most important point to keep in mind is ensuring you have the ‘get out of jail letter’ at all times with you. For me that means I print it twice and carry one copy in my back pocket and one copy in my back pack or coat.

Preparing yourself

So the first tool you need to get ready is… Nope, not really what I mean with preparing yourself. I mean prepare yourself, as in you the person reading this blog post. If it is your first time doing a physical penetration test talk with others first and forget about the tools. How did the other persons feel when doing the test? When did they stress out, what brought them comfort? What was their biggest realisation while doing the test? What mistakes did others make and what did they learn from them?

The reason you want to have that understanding is because in the specific instance of physical penetration tests the gap between the ‘theory’ and the ‘implementation’ is huge. That means that when you start to execute these type of tests all your activities are part of a personal journey during which you get to learn a lot about yourself. Reflecting on those learnings is what actually enables you to become better and more creative in a way that fits your personality. Personally I think that everyone doing physical penetration tests should take acting classes or at least an introduction, which is still on my todo list :( Here is an overview of the things I’ve learned:

• You are not lying you are playing a role
  • Sounds weird, but there is a big difference between just lying or immersing yourself in the role that you are playing.
• It is OK to not know stuff
  • When being challenged by people it is OK to not know the answer to their question. New employees, guests, contractors do this all the time.
• You can always go back
  • If you’ve forgotten a tool, don’t try to push it. You can always go back.
• People really don’t care who you are, what you are doing or why you are there
  • When you are walking around in a place you are not supposed to be you might feel anxious and think that everything you do is suspicious. Well, think again, people don’t care about you, which in this case is a very positive thing.
• Applying all the social engineering theory you’ve read about or seen in videos takes time and practice. Accept your failures and move on.
• Applying all the tricks you’ve read and seen to bypass physical measures take time and practice, your ‘lab training’ time is not a substitute for real world practice. Why not? Because in the lab you don’t have to be vigilant about being caught, you are not nervous and above all you know exactly how the measure you are trying to bypass will behave. So practice as much as possible to gain the technical skills, but don’t sweat it if you fail on your first real world attempt.
• Having a ‘get out of jail letter’ will make you behave differently than not having one.
• The stress before the job doesn’t really disappear, it is just replaced with stress that you’ve learned to manage and work with
• You will most probably frame all interactions that you have with people from your own perspective a.k.a “I’m not supposed to be here, why am I being approached?”. Let it go, just hear the other person out. More often than not they want to help you or they are just curious, like you are yourself when you see a new face.

Preparing the test

Since the type of tests that we are focusing on are the ones where we have minimal preparation time it means that a lot of the in depth reconnaissance doesn’t really apply. You’d also be surprised how much reconnaissance you can get done in one or two days. The main drawback for these type of jobs is that I usually discard CCTV or similar protection mechanisms, since there just isn’t enough time to plan around them. Thus resulting in me not caring that my face is on them or that if they where to analyse the incident they could identify all my actions around and within the target facility. The main benefit of these type of jobs is that they are a good introduction to people wanting to learn and practice physical penetration tests. You can experiment and get comfortable since you are supposed to be casual and opportunistic. For example by entering the facility when you notice an open door during the reconnaissance part of the assignment. With other assignments where you prepare and observe for longer periods of time and also try to avoid unexpected situation you would not do that.

Online reconnaissance / OSINT

For this part of the job you focus on the essentials (keeping in mind we have limited prep time) needed to enter the premises as well as the type of equipment you’d need to bring along. For me that usually means:

• Who are they?
  • read their website
    • You might be surprised about some ‘open to guests’ days that companies have.
  • read press releases
  • read up on their industry
• Premise & entrances
  • How many doors / fences?
    • Are they badge based or motion based?
  • Any badges online to know if they could be cloned?
    • either physically look-a-likes or digitally
      • Fun fact: look-a-like does not mean an exact copy. How often have you looked at all the details of the badge of people in your company? Most of us just notice general color and placement of big items like the picture or anti-copy hologram
  • Any suppliers / contractors that they work with?
  • Any shared spaces you could just sit?
  • Do they support indoor Google maps?
• People
  • General idea of their dress code
  • Any decision makers on vacation?
  • Any leaked passwords you can find online?
• Communication
  • Any non official communication online?
    • preferably letters with signatures
  • Are they active on social media or just the regular corporate communication?
  • Do they have active employees on forums?

You might be wondering if some of the above information should be in the next section? Well most of the above information can be retrieved with Google maps, virus total, google, facebook, linkedin and general online search engines. So why focus on the above information?

In the age of digital dominance paper is king, so a lot of time the right letter with the right signature will get you in even if the systems says ‘nope’. Knowing the company, culture and type of people working there will help you improvise when encountering unforeseen situations, specially if the person you are referring to is on vacation so no one can verify your claims. Knowing the lay out and where the doors are situated will help with the physical reconnaissance as well as when you are already inside the target.

This part of your preparation serves as general guidance for your initial attack scenario as well as a better understanding of what you want to achieve with your physical reconnaissance.

Physical reconnaissance

Since we are on a ‘casual’ job, this part serves as additional reconnaissance as well as a potential way in if the opportunity presents itself. Which does not mean you don’t have a plan, it means you have a plan with lack of information. Since the previous preparation should have resulted in a general understanding of your scenario. Here are the things I usually focus on:

• Movement and timing
  • How do employees move, from where to where?
  • What are the peak times?
  • When do contractors and deliveries get in?
    • Are any security measures disabled for them?
• Events
  • How does security handle unforeseen events?
  • Do you see unescorted non-employees?
  • Do you see employees not wearing their badge?
• Behaviour
  • Do people hold the door for others?
  • Are the anti-tailgate beeps ignored by employees?
  • Are they chatty?
• Entrances
  • How many shimmable doors are there?
  • How many movements detection operated doors are there?
  • How long does it take for doors to close, could you tailgate?

All of the above can be performed passively, as in from a distance or by just walking by and chatting with a colleague or being on the phone. Don’t pretend to be on a phone, just call someone, it will save you the painful moment of something going wrong while you pretend calling someone. However we should not forget about active reconnaissance, since actively engaging with them without breaking in will help you to feel more comfortable:

• Ask a guard for instructions on how to get somewhere
• Ask the reception / lobby for information on how to apply for a job or other general information
• Call the reception while sitting outside and see how they handle calling and talking to visitors at the same time
• Linger in the lobby until you are asked what you are doing there and see if they are nice or harsh
  • Usually stating that your are early for an appointment with person X (should be on vacation)  is enough. You can then walk away and come back later or not come back at all.

In the end the physical reconnaissance should give you the information that you were lacking to finish a plan of attack and the scenario you will use to try and access your target. This could be by social engineering your way in or by bypassing a unattended door somewhere. In addition it should have given you enough information to know the kind of tools that you will need.

Tools

So even though there are a lot of cool tools for physical penetration tests, I usually only carry the following by default:

• Something to shim a door
• A screw driver
  • There are those pen like screw driver which are great and most security guards don’t identify them as screw driver immediately.

The rest of the tools really depend on the results of the reconnaissance. You might be wondering about all the cool tools you have seen online or those extensive lock picking sets? I’ve never really used any of those for these kind of jobs. For some reason most companies don’t lock their internal doors and the ones that can’t be shimmed are just opened by employees if you ask them nicely ;) This varies greatly per person, per job, per target. Also yes, there have been times a ‘under the door tool’ would have been awesome to have, or a tubular lock pick, but you will not always be making the right decision, learn and move on.

Executing the test

At this point in time you should have a pretty good understanding of your target, your goals and your attack plan. The thing you have no clue about is the ‘what if it fails?’ part of it all. This was one of my more important lessons when I started doing these kind of tests. What will you do when you encounter an unexpected event, you are being challenged or you are caught? Role playing with colleagues before you go in and also brainstorming about which parts could fail will help you in already having at least some kind of response. All of this should just fit in those one or two days of preparation.

For the actual test there is a pretty big surprise that you don’t really expect when doing your first test. It just works. So I’ve either experienced or seen the following happening:

• Ask to go to the bathroom (which was behind security)
  • Done, no escort or other measure to prevent the person from planting a device
• Show a letter that claims you have an appointment
  • Done, you are allowed in
• Tailgate people into the building
  • Done, nobody asks a thing
• Steal badges from the reception desk, use them to walk into the company
  • *crickets*
• Jump over the security doors, right in the lobby
  • A couple of curious looks, done
• Follow a vehicle into the premises
  • Done
• Ask a person to hold the door for you, while they are walking out
  • Say thank you and receive a nice ‘you are welcome’
• Shim *any* of the external not frequently used doors
  • Get unlucky sometimes, otherwise you are in
• Jump a fence walk onto the premises
  • Might get dirty, otherwise you are fine
• Ring the bell and stick to the ‘I have an appointment’ story
  • You get kicked out or eventually you can just walk around
• Not entering the premises, but connecting the drop device on one of the external camera’s
  • Saved you a whole lot of trouble if they don’t have NAC and you brought a network switch with you

While reading this you might be I call bullshit. However it really is that easy sometimes. Of course like all things in the world, you are reading the best case results at the moment, but you’d be surprised how often these best case results happen. So how does the worst case look like?

• Get caught
  • Stick to your story / plan
    • Carry on
  • Show your ‘get out of jail letter’

That’s the beauty of being legally allowed to break in, you don’t have to be afraid of being jailed for the next 20 years ;)

Conclusion

Luckily more and more targets require better preparation and scenario planning than what I’ve described in this blog post. However most of the physical security in the world is held together by agreements and politeness, not by technically enforced measures. Just like the digital world you need to understand the system if you want to bypass it. You might be thinking I could never do this, but ask yourself the following:

• Have you ever cut in front while waiting in a line?
• Have you ever called customer support really dissatisfied with the goal of being compensated for your bad experience, not just product replacement?
• Have you ever trespassed by accident?
• Have you ever taken something as carry-on (by accident) on a flight?
• Have you sneaked around in high school?

If you have ever done any of the above, congratulations you did your first physical penetration test. you played a role and did not think that you were doing something illegal. The same holds true for when you are hired to do it, you are playing a role and not doing anything illegal.

References

• Books
  • Confessions of a master jewel thief
  • The secrets of the FBI
  • A burglar’s guide to the city
  • The Kevin Mitnick books
  • The Christopher Hadnagy books
• Presentations
  • https://slides.com/edoardorosa/physical-penetration-testing#/
  • https://www.youtube.com/watch?v=P4HIDJ-5lJo
  • https://www.youtube.com/watch?v=rnmcRTnTNC8
  • https://www.youtube.com/watch?v=ChbyaXBKNY8
  • https://www.youtube.com/watch?v=UpX70KxGiVo
  • https://www.youtube.com/watch?v=eft8PElmQZM