A Tale Of Two Routes
What is the best method for breaching a building? As anyone who reads this blog knows, there are many methods for gaining access to places that are supposedly off limits.
It usually comes down to three factors:
What are the actual vulnerabilities of the building
What are your skills
What equipment do you have
Obviously, vulnerabilities need to exist, either inherent ones or ones you can create, in order to take advantage of them and breach the facility. But whether those vulnerabilities are viable methods of entry depends heavily on your skill set.
In physical penetration testing, a route (which you can read more about here) is a series of exploits, vulnerabilities or actions you can take to go from the outside of the building to the crown jewels (e.g. a VIP meeting room) with the least amount of resistance and risk to you and your team.
When you are performing recon, it is incredibly important that you document every last vulnerability and route you discover, even if you have no intent of actually using it.
This post will discuss how diverse tactics and recon can unveil entirely different attack paths to a client’s crown jewels.
The client in this case was in a shared office building where their organization occupied the uppermost floors. The challenge? To demonstrate how someone with malicious intent could gain unauthorized access to sensitive areas on these floors.
What follows are two routes into the facility that were both discovered and exploited.
Route 1: The Walking RFID
Every morning, the ground-floor café buzzed with employees grabbing coffee on their way to work. During recon I discovered that not only did this cafe exist, but it was actually open to the public; it was simply assumed that, due to its semi-remote location, only employees would actually go there.
Positioned conveniently on the ground floor of the shared office complex, the café was the perfect spot for observation and reconnaissance. I made it my base of operations.
Many employees carried their RFID access cards prominently—around their necks, clipped to belts, or tucked in bags. Recognizing an opportunity, I employed a method that I like to call the walking RFID, using a combination of hidden and portable RFID readers.
The Setup: A long-range RFID reader concealed in a backpack to target lanyards, another reader hidden in a briefcase for cards clipped to hips, and a handheld RFID extender discreetly palmed for badges left on tables.
The Execution: Sitting at a table between the cafe entrance and the counter, I watched for the right employees to enter, noted where their ID badges were positioned and chose the appropriate tool. Standing in line ahead of those with lanyards, the backpack reader pointing behind me captured their badges. For those with hip-mounted cards, I stood slightly behind and to the side, the briefcase reader doing its work.
During my embedded recon at the cafe, I had noted that the shared building used a cleaning crew that showed up onsite at 6 PM, while employees filtered out of the building at 5 PM, a common pattern that I intended to take advantage of.
After cloning several access cards, I prepared for the second phase. Around 4:40 PM—just before office hours ended—I entered the building. My destination? A restroom on the correct floor to utilize “the tactical bathroom”. This process is something I covered in more depth in this blog post.
Step 1: Use the cloned ID to get onto the correct floor just before closing time and make my way into the bathroom.
Step 2: I covered the motion-detecting PIR sensor inside the restroom, ensuring it wouldn't trigger an alarm. Note that this really only works if the bathroom has private rooms rather than a single shared room.
Step 3: At 6 PM, the cleaning crew arrived and deactivated the building’s alarms to begin their work. When the coast was clear, I exited the restroom, bypassed or picked the necessary locks, and reached the sensitive areas undetected.
This route is something I have used on many occasions, and it often works well for shared office complexes with public areas on the ground floor. I would bet that many readers of this blog who have run their own engagements have used very similar tricks to gain unauthorized entry into secure facilities, because it is so highly effective.
But now let's consider a different route.
Route 2: The Daredevil
While route one relied on subtlety and social engineering, route two embraced audacity and a different kind of skill. Through recon I had already noted that employees left the building by 5 PM, while the cleaning crew didn't arrive until 6 PM. I still intended to take advantage of this window, but in this case I relied on one more piece of information to complete my route.
One side of the target building faced the back of another building, which had no windows facing the target (basically a giant brick wall). The target building had many balconies scattered about, along with other features that made it relatively scalable.
There was one issue though: on a few of the balconies there did appear to be sensors, which would have made climbing tricky, since I would need to simultaneously climb and bypass them ... but remember, at 6 PM the cleaners arrive and shut all of that off.
So the route I had in mind relied on my ability to climb, at 6 PM, faster than the cleaners could clean a floor, which I was confident I could do.
As someone who has climbed things his entire life, this was going to be my second route.
I parked my car a block away from the target building, on the side the cleaners entered from, and simply waited. Once they arrived and all the automatic lights turned on, I hopped out of the car and casually walked to the side of the building I wanted to climb.
After scaling the building and reaching the balcony on the client's floor, I simply used an under-door tool to open the door. Admittedly, I had checked that these balcony doors would be vulnerable to this while I was already inside the building during my route 1 breach ... but after nearly 20 years of doing this I was confident I would manage to get in one way or another regardless.
After getting inside the building, dressed like an employee, I once again simply moved to the sensitive areas and accomplished what the client had requested.
The Big Question
Which of these two routes is better?
At the end of the day, both methods accomplished what I wanted, and I could have used either to maintain or establish persistence in the building after completing the client's requests.
The reason I wrote this post and the two things I hope you will take away from it are:
Always play to your strengths.
If you are an amazing lockpicker and rock climber but completely socially inept, then route two is likely to be your go-to method of entry, as it should be. For you, it has the highest probability of success with little risk of getting caught (albeit some physical risk of falling off the building).
I encourage you to do a personal assessment of your own skills and figure out what you are good at, what you want to be good at and where you currently stand on things like:
Social engineering
Elicitation
Lockpicking
Building Scaling
Etc
Knowing where you stand skill-wise can really help you map out routes during an engagement, and it will also help you focus on these possibilities during recon so that they don't get overlooked.
Map Out Every Route & Vulnerability
As I said in this post, if you don't put it in the report then the client doesn't know to fix it. Suppose that you are terrified of heights and cannot do a pull-up to save your life ... well then route 2 certainly isn't for you, and that's fine.
But if you don't recognize it as a possible route and include it in your report, EVEN IF YOU DIDN'T TAKE ADVANTAGE OF IT, then the client is neither aware of it nor able to resolve it.
During your recon phase, it is vital that you map out all possible routes to include in your report. Rank these vulnerabilities and routes based on how severe they are and then on how likely you think attackers are to actually take advantage of them.
Remember, your ultimate job is not to get into the building, it's to help secure it, and that can only be accomplished with detailed, high-quality after-action reporting and remediation.
Conclusion
No single path tells the whole story. If a team focuses solely on one route, they risk leaving the client unaware of other equally viable attack paths, and while you don’t need to exploit them all, you do need to record them.
When discovering and considering possible routes, keep in mind your own skills and abilities and rank them accordingly. Obviously, never take unnecessary risks that you are uncomfortable with, as your personal safety is far more important.
At the end of the day, remember that there are likely many ways to accomplish the mission, and it will be up to you to recognize them and judge how likely they are to be used, both by attackers and by your own team.
Training Resources:
For individuals looking for hands-on training that includes all of the above topics, Covert Access Team (covertaccessteam.com) provides training courses focused on physical penetration testing, lockpicking, bypassing techniques, social engineering and other essential skills.
Covert Access Training - 5 day hands on course designed to train individuals and groups to become Covert Entry Specialists
Physical Audit Training - 2 day course on how to setup and run a physical security audit
Elicitation Toolbox Course - 2 day course that primarily focuses on elicitation and social engineering as critical aspects of Black Teaming
Counter Elicitation - 2 day course on how to recognize and prevent elicitation attempts, and safeguard your secrets.
Cyber Bootcamp for Black Teams - 2 day course designed explicitly for physical penetration testers who need vital cyber skills to add to their toolbox.
Private Instruction - Focused learning & training based on your needs.