Physical penetration testing is a crucial element in assessing and improving the security posture of any organization. Often likened to its digital counterpart, cyber penetration testing, physical penetration testing requires a meticulous approach to identify and exploit vulnerabilities in a building or organization's physical security. But before embarking on a covert mission, one must understand the importance of conducting thorough physical security audits. This blog post aims to guide budding physical penetration testers on how to start in this field, emphasizing the necessity of security audits as a foundation for successful penetration testing.
As someone who has done this for nearly two decades, I know it can be a lot of fun and exciting. It's a rush to break into a high security area and steal something important. The first time you've bugged a board room and you're sitting in your hotel room listening in on confidential meetings is a thrill, but this is not where you should begin with physical pentesting.
I have taught literally hundreds of students over about two decades how to get into this line of work, and the things that you need are exactly the same as in any other profession:
Know the tools of the trade
Have experience in what you’re doing, especially when things go wrong
Know how to help the client as this is the ultimate goal
In physical pentesting, you cannot afford to get caught or the game is over. So how do you get actual real world experience before you have experience? The best answer I can give you is to first do some audits.
The Importance of Physical Security Audits
In physical penetration testing, every potential vulnerability must be identified and assessed. This process is akin to a cyber penetration tester who meticulously checks for a range of vulnerabilities like XSS, SQL injections, firewall configs, etc. Just as in cyber security, where overlooking a single vulnerability can lead to a breach, the same holds true for physical security.
Think of any complex task, whether cyber pentesting, inspecting a car, or organizing a big public event, and realize just how many things you would put on a checklist of things to check, verify and then double check. Now ask: what's on your physical security checklist? Have you even thought about such a list, let alone created one?
Physical security audits are the preliminary step where a pentester compiles a comprehensive list of all possible security flaws within a building's physical setup, then goes and assesses the building, without trying to be covert, to verify whether those flaws are actual weaknesses.
This exercise is vital for several reasons:
Familiarization with Diverse Security Aspects: It provides an opportunity to familiarize oneself with various security elements, ranging from door locks, CCTV placement, access control systems, to employee security habits.
Baseline Knowledge for Covert Operations: By first learning how to test these security measures overtly, pentesters can acquire the necessary knowledge and experience to later execute these tasks covertly and more effectively.
Comprehensive Security Perspective: Such audits allow pentesters to view the security infrastructure holistically, ensuring that no potential entry point or security lapse is overlooked.
A physical security audit will usually only take 1-2 days per building and can be done with only 1 or 2 people. The idea is to simply walk through the building during working hours (and perhaps later in the evening) and locate and test all the things on your list that you would have attempted to abuse during a real pentest.
The shorter time and smaller team size will also make these engagements far easier to sell than a two to four week black team engagement with 3-6 people, which means you can do far more of them and gain that much more experience for you and your team.
You are not trying to be covert here. You will likely be given a guest ID badge and you are simply moving through the building checking off the things on your list. Far more boring than a covert engagement, sure, but when you are first starting out it will teach you how to test things, which will then become how to test them quickly and covertly.
Use these audits as your first step into the world of physical security and the more experience you gain through auditing, the better you will be at black team engagements later on.
The List
As a budding physical pentester, what is your current list of all physical security weaknesses and vulnerabilities?
When starting in physical penetration testing, one of the primary tasks is to create and continuously refine a list of potential physical security vulnerabilities. Think about the myriad ways a building or organization could be compromised. Do you have a comprehensive list? Is it exhaustive? How will you test each item on your list, and how will you do so during a physical pentest without being detected?
Drawing a parallel to the cyber realm, consider the OWASP Top 10 for web application security weaknesses. Just as these top 10 vulnerabilities provide a framework for cyber security professionals, your list will serve as a guide in the physical penetration testing domain. It's about not just identifying these vulnerabilities but also understanding how they can be exploited and mitigated.
Before you jump into pentesting, consider what exactly you are actually testing and go make yourself a list. This list should include all the weaknesses of an organization in general, but also how you will go about testing each one and which have priority.
Remember your goal is to test everything, and you cannot do that if you get caught on day two. So prioritize what you will test, in what order and by what method. Also include backup methods in case your go-to method won't work for a specific engagement.
Some examples that might be on your list:
Are the access cards cloneable?
Are the card readers wired with a tamper switch, and does it actually work properly and get actively monitored?
Is the reader actually running encryption to the backend (really running it, not just capable of it)?
Is the building or certain areas master keyed and if so, is there a list of where those keys are?
Do external doors close within 5 seconds from being fully opened?
Are security cameras noticed if they are obstructed or disabled?
Does the building have keyboxes around it with access to the building and if so are they secure?
Does the building have zones of security or do guest badges get you access everywhere?
Do employees wear badges?
Do employees stop unknown people inside the building or do they simply not care?
Are windows on upper floors left open outside of business hours?
Do employees wear badges outside the office?
Are incorrect ID badges noticed if you try them on a reader?
Does the building share entry methods with other companies?
Do you know the cleaning staff and have they ever been vetted?
Does the cleaning staff have access to everything?
And so on.
This list will likely be massive once you really get started with it, and you will realize you want to test as many of these things as you can. Prioritize them of course, and rank them by what is least and most likely to get you caught, but make your own list.
As you do more security audits you will quickly learn how to effectively test all these things without trying to be covert, which will give you the experience to do it covertly later on.
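To make the prioritization concrete, here is a small checklist planner written as an added example for this post; it is not the author's tooling, and every checklist entry, method and outcome in it is a constructed, hypothetical sample. It orders checks by detection risk (quietest first, then highest impact), falls through to backup methods when the primary one is unusable on site, and reports every item, explicitly marking anything that was never tested rather than silently dropping it.

```python
"""Audit checklist planner: rank physical checks by detection risk,
fall through to backup methods, and report every item (tested or not)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Check:
    name: str
    methods: Tuple[str, ...]   # primary method first, then backups in order
    detection_risk: int        # 1 = unlikely to get you caught ... 5 = very likely
    impact: int                # 1 = minor weakness ... 5 = gives access to everything


# Constructed sample checklist (hypothetical entries modeled on the list above).
CHECKLIST: List[Check] = [
    Check("Access cards cloneable",
          ("read badge with long-range reader", "borrow a visitor badge and read it"), 2, 5),
    Check("Reader tamper switch monitored",
          ("remove reader cover with guard watching", "ask facilities for alarm log"), 1, 4),
    Check("External doors close within 5 s", ("time door with stopwatch",), 1, 3),
    Check("Obstructed cameras noticed", ("cover camera lens, wait for response",), 4, 4),
    Check("Guest badge reaches all zones", ("present guest badge at every reader",), 2, 5),
    Check("Keyboxes secured", ("inspect keybox locks",), 1, 3),
]

# Possible results of one attempt with one method.
WEAK, OK, BLOCKED = "WEAK", "OK", "BLOCKED"   # BLOCKED = method unusable here, try a backup
NOT_TESTED = "NOT TESTED"


def plan(checks: List[Check]) -> List[Check]:
    """Test the quiet, high-impact items first: lowest detection risk, then highest impact.
    sorted() is stable, so ties keep the order you wrote them in."""
    return sorted(checks, key=lambda c: (c.detection_risk, -c.impact))


def run_audit(checks: List[Check],
              attempt: Callable[[str, str], str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """attempt(check_name, method) returns WEAK / OK / BLOCKED.
    On BLOCKED the next backup method is tried; if every method is blocked
    the item is recorded as NOT_TESTED instead of disappearing."""
    findings: Dict[str, Tuple[str, Optional[str]]] = {}
    for c in plan(checks):
        outcome, used = NOT_TESTED, None
        for method in c.methods:
            result = attempt(c.name, method)
            if result != BLOCKED:
                outcome, used = result, method
                break
        findings[c.name] = (outcome, used)
    return findings


def report(checks: List[Check],
           findings: Dict[str, Tuple[str, Optional[str]]]) -> List[str]:
    """Every checklist item appears, in checklist order, with the method that settled it.
    An untested item is reported as such; if it is not in the report the client
    will assume it is not an issue."""
    lines = []
    for c in checks:
        outcome, used = findings.get(c.name, (NOT_TESTED, None))
        via = f" via '{used}'" if used else ""
        lines.append(f"[{outcome}] {c.name}{via}")
    return lines


# Constructed outcomes for a simulated audit day (hypothetical, for illustration only).
SIMULATED: Dict[Tuple[str, str], str] = {
    ("Access cards cloneable", "read badge with long-range reader"): BLOCKED,  # reader left at office
    ("Access cards cloneable", "borrow a visitor badge and read it"): WEAK,
    ("Reader tamper switch monitored", "remove reader cover with guard watching"): WEAK,
    ("External doors close within 5 s", "time door with stopwatch"): OK,
    ("Guest badge reaches all zones", "present guest badge at every reader"): WEAK,
    ("Keyboxes secured", "inspect keybox locks"): OK,
    # No entry for the camera check: it was never attempted and must show as NOT TESTED.
}


def simulated_attempt(name: str, method: str) -> str:
    """Stand-in for the auditor walking the building; unknown attempts count as blocked."""
    return SIMULATED.get((name, method), BLOCKED)


if __name__ == "__main__":
    for line in report(CHECKLIST, run_audit(CHECKLIST, simulated_attempt)):
        print(line)
```

The two numbers per item are the whole point: detection risk decides the order you walk the building in, impact breaks ties, and the backup methods are what keep a single blocked technique from leaving a hole in the report.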
Beyond Tailgating: The Depth of Physical Penetration Testing
A common mistake among novices in physical penetration testing is the over-reliance on tailgating — following someone through a door or gate. While this can be an effective technique, relying solely on it is akin to a cyber hacker only using a single type of exploit. Successful penetration testing involves a much broader scope.
The Three Key Aspects Clients Care About
Clients are not just interested in whether you can get inside; breaking in is only the beginning. They are primarily concerned with:
Actions Post-Entry: What did you do after gaining access? Did you manage to access sensitive areas, retrieve confidential information, bug sensitive rooms, or identify internal security weaknesses?
Persistence: Can you maintain prolonged access to the building? Is there a way for you to repeatedly enter the premises without detection, indicating a long-term vulnerability?
Detection: Were you caught during your attempt? Evasion of detection not only showcases skill but also highlights gaps in the organization's surveillance and employee vigilance.
What Gear To Get
Now that you understand the need for physical auditing and for going through and testing all the things you are hopefully going to include on your ever expanding security list, the question of what gear to get looks different.
You are trying to get gear that will accomplish the tasks needed to verify things on your checklist. By doing audits, you get to test that gear out in the real world without the stress of doing so covertly, where there is no forgiveness if you mess up. It will also help you to better understand what gear works well for you and in what environments, and which pieces of gear you cannot use or which simply don't work.
By the time you have done a few audits, you will likely have a huge bag of gear that you have used enough times to understand how it works, and become familiar enough with it to actually use it in a covert manner.
Client Vetting for Physical Pentest Teams
This is something I really want clients to start asking when they are vetting a potential physical pentesting team. More often than not, I see clients simply use the exact same security team for physical pentesting that they use for web or cyber pentesting. And why not? Well, they are completely different skill sets for one, and being good at one in no way means you are good at the other.
One line I have heard for many years is a derivative of:
"We have a 100% success rate of infiltration"
If a team boasts a "100% success rate of getting inside," clients should follow up with, "But what did you accomplish?" The value lies not just in the breach but in the depth of the analysis and the actionable insights provided post-breach.
A guy with a brick will likely have a 100% success rate of getting into a shop, bank or other location, but if he is immediately caught, that's not exactly a success story for him. What matters is what you did after you broke in and what security weaknesses you uncovered, and perhaps most importantly:
HOW DID YOU HELP THE CLIENT TO RESOLVE THE ISSUE?
One of the most important questions I rarely hear clients ask is: what did you discover that would fix the security flaws you found? If your only recommendation is "spend a million dollars here or there," then this isn't valuable to most businesses. If you didn't have a good answer for your client, that's just as bad.
You must help the client resolve the issues you discover, and you can only discover these issues if YOU TEST EVERYTHING!
Remember, if it's not in the report, the client will assume it's not an issue.
Conclusion: Building a Foundation for Successful Penetration Testing
For those embarking on a career in physical penetration testing, remember that the journey begins with understanding the full spectrum of physical security through comprehensive audits. It's about building a foundation that allows you to assess, exploit, and provide valuable feedback on an organization's physical security measures. Just as in cyber security, physical penetration testing is an art that combines skill, creativity, and a deep understanding of the target environment. Begin with the basics, understand the full scope of potential vulnerabilities, and always aim to provide comprehensive, actionable insights to your clients.
Another method for training is to use your own office as a training ground for practicing embedded recon and mission planning, as I outline here.
Training Resources:
For individuals looking for a hands on training that includes all of the above topics, Covert Access Team (covertaccessteam.com) provides training courses focused on physical penetration testing, lockpicking, bypassing techniques, social engineering and other essential skills.
Covert Access Training - 5-day hands-on course designed to train individuals and groups to become Covert Entry Specialists
Elicitation Toolbox Course - 2-day course that primarily focuses on elicitation and social engineering as critical aspects of Black Teaming
Cyber Bootcamp for Black Teams - 2-day course designed explicitly for physical penetration testers who need vital cyber skills to add to their toolbox
Private one-on-one Instruction - Book time to get private and personalized instruction on physical penetration testing