Spot the Spy
Understanding Embedded Reconnaissance
Today, we're diving deep into an essential aspect of physical penetration testing: embedded reconnaissance.
The recon phase of any engagement will, or at least should, be the longest phase, and arguably by a lot. In physical penetration testing the number of “do overs” and “retries” is far fewer than in a cyber pentest, and sometimes only one attempt is allowed; meaning if you get caught, it's game over. Because of this, the more recon you do, the better chance you have at a successful engagement.
While there are many types of reconnaissance, embedded recon is a necessary component when possible. This technique involves gaining access to a facility as a normal user or customer under false pretenses to understand its security measures, such as alarms, REX sensors, security personnel, and overall employee awareness. In other words, we'll be discussing how to blend in, identify vulnerabilities, and strategize for a successful security audit.
An example of embedded recon for a bank might be going into the branch office under the guise of someone interested in opening a bank account. As a potential customer you are completely allowed to be there, and as long as you act normal, there should be nothing noticeable about your presence. You aren’t pushing boundaries or going to places you’re not supposed to, just getting vital information about the building, its employees and security.
Crafting a Convincing Cover & KISS
At this stage you are not actually trying to get beyond the “normal or allowed” areas of the building. As such, your cover story should be as simple as possible, or KISS - Keep It Simple.
Going back to the bank example, if I can walk into the lobby as a potential customer, why would I craft a cover of being a maintenance man, which may have employees stop and ask why I am there and for a work order? A bank employee questioning a potential customer is also less likely than them questioning someone who looks like they have been hired by the bank to do a job (a maintenance man).
That said, there may be instances where it isn’t possible to do a walk through because the building doesn’t have customers or foot traffic from unauthorized people. In that case you may need to craft a story … BUT REMEMBER … the teammate who crafts this story must stick by it for the whole engagement. If you pretend to be a lost tourist on day 1, you cannot come back as a delivery driver on day 5.
The Importance of “The Escape Clause”
Even with a solid cover story, there may be times when someone stops you and questions your presence. This is where an "escape clause" becomes essential. An escape clause is a well-prepared and convincing response or excuse that explains why you need to leave or escape the situation without raising suspicion.
For example, if you're posing as a maintenance worker, your cover story could be,
"I'm here to check the air conditioning units. We had a call about a strange noise."
While your escape clause, if pressed could be,
“Sorry, isn’t this 56 Fake Street? Oh, sorry, Google sent me to the wrong address, I’m supposed to be a block away; thanks, you just saved me a lot of paperwork with my boss.”
This excuse, if possible, can be backed up with details such as work orders or other documentation that supports your statement.
The escape clause should be tailored to the specific situation and must align with the chosen cover. It's wise to have a few variations prepared, depending on who questions you. If a security guard asks, your response may need to be more detailed compared to a casual inquiry from a staff member.
The escape clause may be one of the most important aspects of social engineering, because it effectively gives you extra lives if / when you get caught. The better your escape clause is, the more extra lives you have on the assignment.
As I tell my students, never even approach the target building without an escape clause even if you have no intention of going inside, because you never know who you might bump into or see while being nearby.
Understanding Alarms & Sensors
With all of that said, once you are inside a target building, what are you supposed to actually do? Well, you are looking for information that will help you succeed at breaking in later.
Alarms and sensors are primary defense mechanisms for any secure facility. By learning the types of alarms and sensors installed throughout the building and how they function, the Black Team can devise strategies to circumvent or manipulate these systems.
Learn how these alarms and sensors function beforehand, what their weaknesses are, and when various alarms are going to be a problem for you. For example, motion detectors are never a problem in a bank during the day but certainly are at night.
Also, look at stores like Amazon, and look around your local area, to see which alarms and sensors are most commonly in use where you will be operating.
Once inside the target building, your job will be to identify as many of these as possible to better understand what security is in place and what methods of entry are likely to succeed and which will likely fail.
image taken from https://i.imgur.com/glUpBmd.jpg
A typical easy win is the Request to Exit sensor (REX), which is usually a motion or thermal sensor designed to unlock or even open a door from the secure side when a person is attempting to exit. These sensors are usually placed just above the door and as a result can be manipulated from the insecure side, often with a can of compressed air or any physical object that you can squeeze through the door to trip the motion sensor.
Employee Awareness & Social Engineering
Evaluating employee awareness is another critical component of embedded reconnaissance. The majority of successful breaches are not purely technical but exploit human vulnerabilities through social engineering.
Observe how employees interact with security measures. Do they hold doors open for others? Are they vigilant about verifying identities? Do they leave computer screens unlocked when stepping away? Are they wearing badges or is this measure relaxed? Noting these behaviors can reveal exploitable weaknesses in the human element of security.
This is also an excellent chance to get a good, close-up photo of employee badges and badge holders for cloning or printing later.
If employees don’t wear badges, impersonating an employee becomes much easier, and if they also don’t lock their computers when leaving their workstation, this too helps the physical penetration tester.
Evaluating Guards & Security Personnel
Security personnel play a vital role in maintaining the security of any facility. Understanding their routines, shift changes, and monitoring habits can provide insights that help the Red Team develop a more effective penetration strategy.
Monitoring security personnel's response to anomalies is another important aspect. For instance, triggering a minor alarm and observing the response time and procedures can give you a good idea of the effectiveness of the facility's security personnel.
I once broke into a bank that had a short one-way turnstile with pressure sensors and alarms, making it impossible to jump over it without setting off a momentary alarm. But because so many employees would set the brief alarm off by placing their bags on the pressure detector while swiping their badge, the guards stopped paying attention when the alarm went off … this would be very good information to discover during embedded recon.
Inspecting The Doors
When conducting an embedded reconnaissance mission, one element that must not be overlooked is the integrity of the doors within the facility. While seemingly mundane, doors can be a significant point of vulnerability if not properly secured. This also includes checking for dead latches and alarms that are embedded within the door and door frame.
What is a Dead Latch?
Image taken from https://www.amazon.com
A dead latch is a security feature found in many modern door locks. When properly engaged, the dead latch prevents the bolt from being pushed back into the lock, thwarting common bypass methods such as hooking or shimming the door latch.
Many doors, however, are built either without a dead latch at all, or with an improper strike plate (the metal piece on the door frame) that is too large and doesn't push the dead latch inwards when the door is closed, rendering it pointless.
Any door that doesn’t possess a working dead latch is vulnerable to hooking and shimming the door plunger (think of the Hollywood credit card trick to open a door).
Documenting and Planning
When doing embedded recon, always attempt to get photo or video of what you see. This prevents you from having to recall everything and it makes things much easier when sharing your findings with the rest of the team.
It also helps if you encounter an alarm, sensor or lock you aren’t familiar with so that you can later look it up or ask your team what it could be.
Conclusion
Embedded reconnaissance is a vital tool in a physical penetration tester's arsenal. It allows a Black Team to observe, understand, and plan around the security measures in place at a target location. When done well, it provides the foundation for a successful penetration test that will ultimately improve the target organization's security posture.
In the end, remember that this sort of work requires good planning, attention to detail, and a deep understanding of both human and technological aspects of security. It’s all about striking a balance between being invisible and attentive, creating a sound plan that will identify the weak links in a facility’s security chain. After all, even the most technologically advanced security systems can be undone by a single human error.
Remember Never Skip Recon Day(s)
Training Resources:
For individuals looking for hands-on training that includes all of the above topics, Covert Access Team (covertaccessteam.com) provides training courses focused on physical penetration testing, lockpicking, bypassing techniques, social engineering and other essential skills.
Covert Access Training - 5 day hands-on course designed to train individuals and groups to become Covert Entry Specialists
Elicitation Toolbox Course - 2 day course that primarily focuses on elicitation and social engineering as critical aspects of Black Teaming
Cyber Bootcamp for Black Teams - 2 day course designed explicitly for physical penetration testers who need vital cyber skills to add to their toolbox.