Physical penetration testing revolves around simulating real-world attacks on physical spaces, such as buildings or facilities, to identify security gaps. Intrigued by the idea of starting in this field? Your current workplace is an ideal playground for honing your observational skills and kindling your curiosity.
Physical pentesting involves many skill sets, such as lock picking, RFID cloning and attacks, and social engineering. However, two skill sets that I often see completely overlooked, and that are possibly the easiest to practice, are planning and recon.
The recon phase will be, or at least should be, the longest phase of a physical pentest, and while it is arguably the most important phase, it is commonly overlooked when new pentesters are training.
Remember that unlike a cyber pentest, where you may have multiple or even infinite attempts at compromising a system if you get caught by the security team, in physical pentesting you may have only one chance, or a very small number of tries. This is why recon is so important: a single missed alarm, guard, etc. may ruin your engagement.
Your Office: A Training Ground
Physical pentesting will always involve two components: Humans and Locations.
Understanding the vulnerabilities of a location begins by observing and analyzing the mundane and everyday. The familiar corridors, doors, and stairways you walk through daily can be your initial lab environment.
Put yourself in the shoes of a physical penetration tester who has been hired to assess the security weaknesses of your own office building. This is something anyone can do, and is excellent recon and planning practice.
Here are some things that you, as a physical pentester, should try to discover and observe during your training session.
1. Observation:
Routine Audit: For the first week, become hyper-aware of your surroundings. Document entry and exit points, the types of doors (are they electronic or manual?), locations of cameras, and other security devices.
Employee Behavior: Understand the daily routine of your coworkers. When is foot traffic the highest? When is the office relatively empty?
Vulnerability Spots: Are there secluded spots? Maybe certain hallways or rooms that are less frequented and thus less observed.
Key Locations: Where are the places that a physical pentester would be interested in, such as server rooms, printers, key boxes, and extra employee badges? Are these locations guarded or otherwise difficult to gain access to?
Research: After identifying things like alarms, security cameras, etc., do some research on the various vulnerabilities, weaknesses and other issues these systems may possess.
2. Imagine Unauthorized Entry:
Weak Links: Every establishment has its soft spots. Find them. Perhaps there’s a back door with a weaker lock or an easily accessible open window.
Night-time Scenario: How would the setting differ if you were to attempt unauthorized access during late hours? How about during broad daylight?
Security Layers: Are there multiple layers of security? For example, after the main door, are there additional security checkpoints?
Third Parties: Does your company use third parties such as cleaning companies or security companies? Who are they, what do they have access to, and when are they onsite?
3. People Watch:
Badge Behavior: Keep a tally. How often do you spot someone without a badge? What's the general attitude toward badges? Is it treated with importance or indifference?
Interaction Points: Observe places where employees tend to converse or gather — near the coffee machine, printer, or water cooler. How often do discussions lead to distractions that could be exploited?
Unfamiliar Faces: How do employees react to strangers or new faces? Is there a sense of alertness or general apathy?
Foreign Objects: How do employees and security respond to strange objects such as key loggers, MiTM devices, etc?
Missing Objects: How do employees and security respond to missing objects such as files, laptops, USBs, etc?
4. Ask "What if?":
Unexpected Scenarios: Role-play in your mind. What if the power went out? How would security be compromised? How would you exploit such a situation?
Lost and Found: Imagine if an outsider posed as a janitor or maintenance person. Would they gain more access? How would their presence be treated?
Emergency Situations: How would the dynamics change during a fire drill or any emergency? What vulnerabilities would arise?
5. Entry and Exit:
Day vs Night: Given what you have learned so far, is this engagement better performed during the day, when the office is full of people, or at night, when you may be battling alarms and sensors?
Grand Entrance vs the Back Door: Is it easier to tailgate through your office's front door or clone an employee's badge, or is it safer to sneak in through a window or back door?
Where are the Less-Monitored Access Points?: Are there entrances or areas like service doors, basements, or side entries that might not be as heavily surveilled or secured as the main entrances?
Getting in vs Getting out: Are there different security requirements for getting into the building vs getting out? If you tailgate in, do you need a badge to get out? Are there 5 methods for getting into the building but only one way to get out (or vice versa)?
Identifying Common Rule Breaks
While every office has its protocols, human behavior tends to veer towards shortcuts or complacency over time.
Badge Off:
Comfort vs. Compliance: Over time, employees might feel so at home that badges feel more like a formality. Highlight the importance of always wearing one.
Temporary Badges: How are visitors or temporary staff treated? Is their badge different, and how closely is it monitored?
The Friendly Tailgater:
Politeness vs. Security: Being courteous can sometimes compromise security. Holding doors is good etiquette, but what if the person you’re holding it for isn’t authorized to enter?
Cultural Norms: In some cultures, not holding the door can be seen as rude. How do you strike a balance between cultural etiquette and security?
Unattended Access Points:
Environmental Factors: Sometimes, doors are propped open to allow ventilation. But does this open up an easy path for intruders?
Shift Changes and Deliveries: Times when there are shift changes or deliveries might see doors being left open for longer durations. These intervals can be vulnerability windows.
In Conclusion
Physical penetration testing is not just about locks and doors but understanding human behavior, spotting vulnerabilities, and continuously updating one’s knowledge. Starting with familiar grounds like your office makes the learning curve smoother. With curiosity as your guide, the world of physical security is both challenging and rewarding.
Remember that when you are trying to learn skills of physical penetration testing, don’t neglect planning and recon. No matter how good you may be at things like lock picking, you will fail if you cannot plan out an engagement and you don’t know how to gather useful information.
Training Resources:
For individuals looking for hands-on training that includes all of the above topics, Covert Access Team (covertaccessteam.com) provides training courses focused on physical penetration testing, lockpicking, bypassing techniques, social engineering and other essential skills.
Covert Access Training - 5-day hands-on course designed to train individuals and groups to become Covert Entry Specialists
Elicitation Toolbox Course - 2-day course that primarily focuses on elicitation and social engineering as critical aspects of Black Teaming
Cyber Bootcamp for Black Teams - 2-day course designed explicitly for physical penetration testers who need vital cyber skills to add to their toolbox.