Red Teams are to simulate adversaries attacking systems. Many actions can't be done (or at least are very hard to do) with just some computers, and Red Teams often have to go on-site and break in (legally). What I've seen so far is people succeeding in not getting caught. However, I haven't seen anyone talk about what to do when caught. It may just be some suspicion or even being chased by security (possibly armed).
This is the golden rule of Red Teaming! If you don't have your Permission to Attack with you, it's like driving without a driver's license. That said, if you are caught during an engagement, I recommend the following:
Present the real Permission to Attack. If a guard has not bought your fake slip, then it's time to hand in the real slip. If the guard believes you, it's time to pick up and leave the perimeter. A real attacker would have been stopped at this point. If the guard did not believe you, ask them kindly to talk to their supervisor. If they insist on not believing you and calling the police, so be it. You're not a criminal, so don't worry about it.
Follow the police's orders. They'll take you with them to the station, where you can explain to the police that you are part of a Red Team Engagement, and that you have permission to break into the company. They will double-check that, calling whoever is listed as the person who signed your Permission to Attack. In the happy case, they'll pick up the phone, explain that you are really hired to do that, and you'll be free to go.
In the not-so-happy case, they won't pick up because it's 4 in the morning and their phone has no battery. Should this happen, you will probably spend the night in the police station. Worse things have happened. Call your employer in the morning, and they will reach the contact at the customer's company for you.
A very bad idea. Probably the worst you could do. If the guard calls the police (they likely will), the costs could rise quite a lot, and it would not make the customer happy to know they now have to pay the police for an unnecessary manhunt as well. However, you should absolutely include in your report whether getting away from the perimeter after getting caught would have been a trivial effort or not.
That would miss the point of a Red Team Engagement. Once you have a "Just continue"-pass, you are not simulating how a real attacker would act. You would just go through the stuff of the company with their permission.
There's a flip side: what to do if you discover a physical pentester. When I was working at a bank, I happened to notice the iconic Metasploit CLI welcome banner flash up for a second on a desktop in the middle of a cube farm.
Physical pentesters are a part of life at a bank, and the rules of engagement are very clear beforehand. There are rules and procedures for both parties if someone notices a pentester. This keeps everyone safe.
Because imagine the situation: if metasploit is running, all it would take would be the attacker running a pre-made script and it could be "game over" for the bank. If you see the banner, it is likely already too late. That means that that person's fingers need to be off that keyboard and the network cord pulled/wifi turned off as soon as possible. Like, immediately. That means rough physical interaction. Not waiting for security to arrive. And that's a safety problem.
It turns out that in this case, the pentester messed up by exposing himself like that and the engagement would have been prematurely ended, but by following protocols, the engagement continued under the defined scope and everyone was safe. The test was not about being able to get in, but to simulate a malicious insider.
Abstract: This white paper offers a comprehensive overview of physical penetration testing, an often neglected yet crucial component of cybersecurity. It examines the definition of physical penetration testing and highlights its distinctions from other forms of penetration testing. It emphasizes the significance of physical security by exploring its potential advantages for companies, especially those in regulated industries, and addresses the challenges associated with its implementation. Additionally, it provides an exploration of the methodologies and tools employed by physical penetration testers throughout the process of breaching organizations by accessing their secured buildings.
However, as technology advances, so do the methods of attackers. In addition to cyberthreats, physical threats can also be used as a way to exploit vulnerabilities and gain unauthorized access to systems and data.
Physical penetration testing is designed to identify weaknesses in the physical security controls of an organization and simulate how a real attacker would try to gain access to restricted areas or information. This type of testing may include using social engineering techniques (such as impersonating an employee), attempting to enter restricted areas without authorization or stealing company assets.
When comparing physical penetration testing to network penetration testing, there are notable differences in scope and execution. Network penetration testing primarily focuses on identifying vulnerabilities and weaknesses in digital systems, networks and software. It involves simulating cyberattacks to assess the security posture of an organization's digital infrastructure.
Social Engineering
Social engineering is the practice of manipulating people into divulging sensitive information or performing an action that allows an attacker access to a secure area. This can be accomplished through various tactics such as sending phishing emails or vishing calls to employees and tailgating employees through access-controlled areas.
The incorporation of social engineering techniques distinguishes physical penetration testing from other forms of cybersecurity and penetration testing methodologies. This form of testing aims to assess the vulnerabilities present in both physical infrastructure and employees.
Through social engineering testing, organizations can determine where their employee awareness training is working and where more attention is needed to help prevent future physical and cyberbreaches.
Physical/Technical Bypass
In addition to social engineering, physical penetration testing involves the use of tools and techniques that can bypass physical or technical security measures. This aspect of testing aims to uncover vulnerabilities in locks, access control systems and other security mechanisms that could be exploited by adversaries.
One common method of bypassing physical security measures is lockpicking. With this method, skilled testers can demonstrate how easily traditional locks can be manipulated or bypassed, highlighting the need for more robust locking mechanisms. Another bypassing technique is radio-frequency identification (RFID) cloning, where testers clone RFID cards or badges to gain unauthorized access to secured areas.
Similarly, Bluetooth hacking can be employed to exploit vulnerabilities in Bluetooth-enabled security systems, granting unauthorized entry to restricted spaces. While the methods mentioned are some of the more common approaches to physical penetration testing, there are numerous other techniques designed to simulate a physical exploit.
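The bypass techniques above are the attacker's side of the picture; the defender's counterpart is to look for the traces a cloned badge or a tailgated entry leaves in the access-control logs. The following Python script is an added example, not code from the white paper or from any access-control vendor: it parses a constructed, simplified door-controller log (the line format, site names, badge numbers and the 60-minute minimum travel time between sites are all assumptions) and flags two classic indicators that a second copy of a card exists or that someone passed a door without presenting one: the same badge granted entry at two sites faster than anyone could travel between them, and a badge entering a site while the same badge is still recorded inside with no exit event in between (an anti-passback violation).

```python
"""Detect signs of cloned or shared access badges in door-controller logs.

Added example, not part of the white paper. Two defender-side checks over
constructed access-control events:
  1. impossible travel: one badge number is granted entry at two sites closer
     in time than the minimum travel time between them (a duplicate card)
  2. anti-passback: a badge enters a site while the same badge is still
     recorded inside, with no exit in between (tailgating or a second card)
The log format, site names and travel times are assumptions for this example.
"""
import re
from datetime import datetime, timedelta

# Constructed sample log lines; the format is an assumption, not a vendor format.
SAMPLE_LOG = """\
2024-03-04T08:01:12 badge=4471 site=HQ-North door=D1 dir=in result=GRANTED
2024-03-04T08:03:40 badge=4471 site=HQ-North door=D1 dir=in result=GRANTED
2024-03-04T08:14:05 badge=4471 site=DC-West door=D7 dir=in result=GRANTED
2024-03-04T08:20:30 badge=9120 site=HQ-North door=D1 dir=in result=GRANTED
2024-03-04T08:40:10 badge=9120 site=HQ-North door=D1 dir=out result=GRANTED
2024-03-04T09:45:00 badge=9120 site=DC-West door=D7 dir=in result=GRANTED
2024-03-04T09:46:00 badge=5555 site=DC-West door=D7 dir=in result=DENIED
"""

# Assumed minimum travel time between sites (symmetric); same site is zero.
MIN_TRAVEL = {frozenset({"HQ-North", "DC-West"}): timedelta(minutes=60)}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) badge=(?P<badge>\d+) site=(?P<site>\S+) door=(?P<door>\S+) "
    r"dir=(?P<dir>in|out) result=(?P<result>GRANTED|DENIED)$"
)


def parse_log(text):
    """Parse log lines into dicts sorted by timestamp; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        events.append(d)
    events.sort(key=lambda e: e["ts"])
    return events


def min_travel(site_a, site_b):
    """Minimum plausible travel time between two sites (unknown pairs: zero)."""
    if site_a == site_b:
        return timedelta(0)
    return MIN_TRAVEL.get(frozenset({site_a, site_b}), timedelta(0))


def find_anomalies(events):
    """Return a list of (kind, badge, ...) tuples for suspicious granted events."""
    findings = []
    last_grant = {}   # badge -> (ts, site) of the most recent granted event
    inside = {}       # (badge, site) -> True while the badge is recorded inside
    for e in events:
        if e["result"] != "GRANTED":
            continue  # denied attempts are worth reviewing too, but not for these checks
        badge, site, ts = e["badge"], e["site"], e["ts"]
        if badge in last_grant:
            prev_ts, prev_site = last_grant[badge]
            if prev_site != site and ts - prev_ts < min_travel(prev_site, site):
                findings.append(("impossible_travel", badge, prev_site, site, ts))
        last_grant[badge] = (ts, site)
        key = (badge, site)
        if e["dir"] == "in":
            if inside.get(key):
                findings.append(("antipassback", badge, site, e["door"], ts))
            inside[key] = True
        else:
            inside[key] = False
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse_log(SAMPLE_LOG)):
        print(*finding)
```

On the constructed sample, badge 4471 trips both checks (a second entry at D1 with no exit, then an entry at DC-West ten minutes after the last HQ-North grant), while badge 9120, which badges out before travelling, produces nothing. Real controllers vary in whether they log direction and exits at all, which is exactly the kind of gap a physical engagement should surface: without exit events the anti-passback check cannot be run, and a cloned card is only visible through the impossible-travel check.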
Destructive vs. Nondestructive Testing
Covert entry is another approach widely accepted within the physical pen testing community. These professionals understand that, in gaining entry, they should be as nondestructive as possible.
Testers sometimes exploit preexisting vulnerabilities in locking mechanisms. They may also exploit weaknesses in building codes or the technical functions of physical security measures, usually attempting to operate as covertly as possible.
Physical pen testers strive to think like the adversaries they safeguard against, which means they envision the different destructive ways that potential attackers could disrupt organizations. For example, a tester may simulate an attack by activating or turning off the water in the fire suppression system. This approach, while potentially troublesome for the business, allows testers to identify and address vulnerabilities before malicious actors can exploit them.
Advanced Persistent Threats
Advanced persistent threats (APTs) can utilize physical means to breach an organization's security. While APTs are commonly associated with sophisticated cyberattacks targeting networks and systems, they can also employ physical tactics to gain unauthorized access or compromise sensitive information.
Physical penetration techniques, such as social engineering, covert entry and tailgating, can be used by APT actors to bypass physical security measures and gain physical access to restricted areas. These are targeted attacks that are designed to remain undetected for long periods.
For example, an APT actor may impersonate an employee or contractor, using social engineering techniques to gain entry to a secure facility. Once inside, they can plant malicious devices, tamper with equipment or conduct reconnaissance to gather valuable information for further exploitation.
By incorporating physical tactics into their overall attack strategy, APT actors can increase their chances of success and evade detection. This highlights the importance of considering both physical and digital security measures in an organization's overall security posture.
There have been known cases where APT actors have utilized physical means as part of their attack strategies. One notable example is the Stuxnet worm, which was discovered in 2010 and attributed to a joint effort by intelligence agencies, likely including the United States and Israel.
Stuxnet was designed to target Iran's nuclear program and specifically aimed at compromising industrial control systems (ICS) used in uranium enrichment. The worm is believed to have been introduced physically into the Natanz nuclear facility, possibly through an infected USB drive or other means, and then propagated within the facility's network to disrupt its operations.[7]