Today let's talk about how to make your life either much easier or much harder when doing a physical pentest. This blog post will address that by asking one question:
"How much recon did you do, and how many friends did you make?"
This might seem like an odd way to address making your life easier during an engagement, but hopefully by the end of the post you’ll agree.
Let's Talk About Recon
The recon phase of a black team engagement is arguably the most important, and should always be the longest phase. Unfortunately, many people starting out in physical pentesting are so eager "to get inside" that they often shorten the recon phase to about 10% of the engagement time.
Each type of recon will give you information that the other types likely won't (OSINT is left out of this list).
Long Range Recon - involves observing your target from a considerable distance, often with telescopes or expensive cameras, and is usually performed from a hotel room, the back of a van, etc. This will tell you things like:
When employees arrive and leave
What the standard dress code is
Whether only employees are in the building
How deliveries are handled
Employee ID badges
IR cameras
Short Range Recon - This involves getting close to the building and ideally recording what you see via a hidden camera or phone. It can be accomplished by walking a dog around the building, being on "a date" with a fellow teammate, or any similar non-suspicious strolling method. Using this you may discover:
External security features that couldn’t be seen from long range
Lock types on doors and access points
Better views of things you discovered from long range
A 360-degree view of the building (long range is often limited to one angle, e.g. a hotel room)
Embedded Recon - This involves getting inside the building, often under a real or false pretense, such as going into a bank to ask about opening an account. Wearing a hidden camera or using a phone to record your findings, you may discover things like:
Internal security systems
An up-close look at employee badges
A better view of inside entrances and exits
Employee behavior inside
Building layout
MAKE FRIENDS
The Essence of Elicitation in Embedded Recon
During embedded recon, penetration testers immerse themselves in the target's environment, blending in and often going unnoticed. This phase is not just about mapping physical security controls like alarms, cameras, or checkpoints, but also about grasping the human element that operates and interacts with these systems. While all of these discoveries are vital to accomplishing your assignment, there is a very often overlooked benefit of embedded recon: the ability to make friends with employees.
Here, elicitation comes into play as a crucial tool.
Elicitation is the art of extracting information without raising suspicion, often through casual conversation. It's about asking the right questions without seeming to ask them at all. This skill is vital during embedded recon because it allows testers to gather insights that aren't visible on the surface. Information about routines, unofficial practices, or even security loopholes often resides with the insiders—employees, security staff, and even third-party personnel like cleaning staff.
The Role of Elicitation in Uncovering Security Gaps: A Case Study
Understanding the target's security setup is paramount. However, certain critical pieces of information can often elude even the most comprehensive forms of reconnaissance like OSINT or surveillance-based recon. This is where elicitation comes in.
What follows is a summary of one aspect of a real case where we used elicitation to help compromise a company.
After a solid week of traditional recon, we had found a robust security infrastructure, seemingly impervious to breach. However, during this time I was embedded inside the target building gathering information and making friends, and it was through one of these new contacts, during casual conversation, that an unexpected piece of information came to light.
I learned about a billing dispute between the company and its third-party security provider. This dispute had led to a crucial lapse: the security provider had ceased monitoring and maintaining the security systems until the issue, in this case a rather large disputed bill, was resolved. This meant that the company's sophisticated security measures were effectively offline, a vulnerability that could not have been detected through standard recon methods.
All of the high-tech security alarms, surveillance, etc. were present, and we could see that they were all powered up, along with the logo of a reputable security provider and monitoring service … but apparently they weren't actually being monitored because of this billing issue.
This revelation significantly altered our approach. Instead of devising complex strategies to bypass the security systems, our team could now plan the operation around this window of reduced security, drastically simplifying the task at hand.
This instance underscores the indispensable value of human interaction and intelligence in penetration testing. While technical recon methods are fundamental, the ability to elicit sensitive information through interpersonal communication can uncover vulnerabilities that would otherwise remain hidden, proving that sometimes, the most significant security gaps are not in the systems, but in the fabric of human interactions that surround them.
The Power of Making Friends
Making friends is not just about building rapport but also about opening doors—sometimes quite literally. Building a friendly rapport with insiders can lead to a wealth of information that might be inaccessible otherwise. Here's how making friends becomes an invaluable strategy:
Access to Insider Knowledge: Employees and regular contractors like cleaning staff possess a wealth of knowledge about the day-to-day operations and, more importantly, the irregularities and exceptions in security practices. Befriending such insiders can lead to revelations about unguarded entry points, times when surveillance is minimal, or even ways to circumvent security protocols.
Facilitation of Movement: Having an insider on friendly terms can facilitate movement within the target facility. This could be as simple as being vouched for in restricted areas or being provided access badges or codes. Such facilitation can significantly accelerate the recon process and provide deeper insights into the security infrastructure.
Validation of Findings: Information gathered through technical means or observation can often be validated through casual conversations with insiders. What might seem like an anomaly in surveillance footage could be regular practice, something only an insider could confirm.
Unintentional Assistance: Friends made during the embedded recon phase might unwittingly assist the penetration tester. Whether it's leaving a door ajar, sharing a piece of gossip about the security system, or simply being less vigilant around a familiar face, such unintentional assistance can be invaluable.
Cultivating the Skill of Elicitation
Elicitation during embedded recon is not inherently deceptive; it's about genuine interaction with a focus on understanding and gathering information. It requires a combination of keen observation, active listening, and the ability to engage in conversations that feel natural. Cultivating this skill involves practice, patience, and a deep understanding of human behavior and social dynamics.
Of course, when making friends inside, you have to decide whom to pick, as choosing the wrong person could compromise the entire assignment. Here I discuss how to pick the right people for elicitation.
If this is the first time you have heard of the concept of elicitation, you can read about the concept and methods here.
Conclusion
Traditional recon is vital, and having the gear and knowing how to use it is incredibly important to performing a successful black team engagement, but remember that each form of recon provides pieces of information that the others likely won't.
So when planning your next engagement, don't overlook the embedded recon phase, and make sure to make a few friends to make your job easier.
Training Resources:
For individuals looking for hands-on training that includes all of the above topics, Covert Access Team (covertaccessteam.com) provides training courses focused on physical penetration testing, lockpicking, bypassing techniques, social engineering and other essential skills.
Covert Access Training - 5-day hands-on course designed to train individuals and groups to become Covert Entry Specialists
Elicitation Toolbox Course - 2-day course that primarily focuses on elicitation and social engineering as critical aspects of Black Teaming
Cyber Bootcamp for Black Teams - 2-day course designed explicitly for physical penetration testers who need vital cyber skills to add to their toolbox
Private One-on-One Instruction - Book time for private, personalized instruction on physical penetration testing