For anyone who has been following this blog, you hopefully understand that a physical pentest is not simply getting inside the building once. The client very likely doesn’t care whether you managed to get into the building once via tailgating or through an open window; they care about three things:
What can you do once inside
Can you come and go as you please into the building (that is, persistence)
Can you get away with it without being caught
Today I am going to focus on the concept of persistence: the ability of an attacker to create a method for entering the building at will, many times over.
There are many instances in a physical pentest when you will need to return to the building. This may be because you didn’t bring the right gear, the gear you have has decided this is the moment it’s going to stop working, you need to return later in order to get to a specific location, etc.
Realize that even with the best embedded recon you will likely have gaps in your knowledge about a building, e.g.:
exactly where the server room is
alarm systems in sensitive rooms
where the CEO’s office is located
etc.
For all these reasons and more, you will need to create a method of persistence for yourself in order to return to the building when it is most advantageous to you.
What follows are some methods you can use in order to achieve persistence.
Cloning a Physical Key
Physical keys, while old-fashioned, still form the first line of defense in many organizations. Cloning a physical key can provide unrestricted and continuous access to secured areas. The process entails:
Key Impressions: Using a blank key and a file, testers create a duplicate by marking the places where the lock’s pins touch the blank and filing those spots down. This attack does not require you to be inside the building; it only requires access to the lock for a few minutes at a time. The attack does not have to be performed all at once, but there are pros and cons to spreading it over several days.
3D Printing: Advanced strategies might employ 3D printing to create an exact replica of the key from a photograph.
Key Copying: If you happen to be inside the building, look for someone’s physical keys left on their desk (it always happens). If you happen to know which key belongs to the building, then you have a few options:
Always take two good pictures of the key, one from the side and one from the front (get both the keyway profile and the bitting); this will help you create a clone later.
Steal the key, if possible, to create a metal copy (this takes about 5 min, so ensure you have that much time alone with the key).
Cloning an ID Badge
ID badges that utilize RFID or NFC technologies can often be cloned using specialized devices. Here's how:
Scanning: Testers employ scanning devices to remotely gather information from a target's ID badge. One of the first things you want to know is whether the card reader uses low-frequency (LF) or high-frequency (HF) technology. If it is LF, it is almost certainly cloneable; if it is HF, it will probably be cloneable, though you may need a few extra steps.
Replication: The acquired data is then used to create a cloned ID badge that can bypass security systems undetected.
The tools used for cloning ID badges vary; however, in my opinion something like the I-copy xs (specifically get the xs series) is the easiest for beginners to use, but eventually I recommend getting yourself a Proxmark with all the bells and whistles, such as the Bluetooth attachment.
The ability to clone ID badges represents a significant vulnerability, and thus organizations are encouraged to employ multi-factor authentication to enhance security.
I have written a post about cloning badges, their technology and more, which you can read here.
Replacing a Physical Lock with One You Control
In a more audacious strategy, pen testers might replace the existing physical lock with one that they control. This technique requires meticulous planning and execution:
Selection of Lock: Choosing a lock that is identical or similar to the existing one to avoid arousing suspicion.
Installation: Stealthily replacing the lock without alerting the security personnel or leaving obvious signs of tampering.
Remote Access: Some sophisticated locks allow for remote access, providing the pen testers with a controlled entry point.
I have written about a method of how you might replace a lock in Europe by first breaking it; you can read about breaking the lock for replacement here.
Continuous Monitoring
After gaining persistence, it is crucial to maintain a low profile while constantly monitoring for any updates or changes in the security protocols. While you may think that you have gotten into the building and gained persistence without anyone taking notice, this may not be the case, and you should never assume it. Always keep an eye out for changes in security posture after making entry into a building; the following may help you:
Feedback Loop: Establish a feedback loop to understand the ongoing activities and security measures. Have guards changed their behavior since you previously arrived? Are the devices you left inside the building (such as drop boxes) still active and allowing access? If you have compromised the surveillance camera network or left listening devices inside, do you notice any odd security-related behavior?
Devices offline: Sometimes the devices you leave behind will simply stop working; this may be because of an innocent error, someone unplugging something, or security having discovered you. When your devices go offline, take serious note of this and do extra recon before returning to the building.
Tailgating: A Valid but Insufficient Method
Tailgating involves following an authorized person into a secure location, effectively bypassing security measures without alerting the personnel. While this method is indeed a valid entry strategy, it falls short in ensuring persistence for a physical penetration tester for the following reasons:
Limited Access: Once inside, the intruder might still face barriers to critical areas, as they lack the necessary credentials.
Increased Suspicion: Repeated tailgating raises suspicion, potentially alerting the security team.
Unpredictability: Relying on tailgating is unpredictable as it depends on the actions and habits of others, which can change daily.
In the context of persistence, tailgating should be used in order to discover, or gain access to, other methods of entry that allow for persistence (any of the above methods for example). You should never simply rely on tailgating as your sole method of entry.
For a comprehensive penetration test, tailgating should be utilized alongside other strategies to ensure not just entry, but also persistent access over time.
Conclusion
Gaining persistence during a physical penetration test is a calculated and critical maneuver, highlighting potential vulnerabilities in an organization’s security posture. By employing techniques such as cloning physical keys and ID badges or replacing locks, testers can identify loopholes and provide insights into enhancing the security matrix.
Organizations should view the persistence phase as an opportunity to unearth deep-seated vulnerabilities, subsequently steering corrective actions to foster a more secure and resilient environment. It is a call to advance from traditional security measures to a more fortified, multi-layered security approach that stands robust in the face of evolving threats.
Training Resources:
For individuals looking for hands-on training that includes all of the above topics, Covert Access Team (covertaccessteam.com) provides training courses focused on physical penetration testing, lockpicking, bypass techniques, social engineering and other essential skills.
Covert Access Training - 5-day hands-on course designed to train individuals and groups to become Covert Entry Specialists
Elicitation Toolbox Course - 2-day course that primarily focuses on elicitation and social engineering as critical aspects of Black Teaming
Cyber Bootcamp for Black Teams - 2-day course designed explicitly for physical penetration testers who need vital cyber skills to add to their toolbox.