Physical Penetration Test
The objective of the Physical Penetration Test is to attempt to gain physical access to the organization’s facilities by taking advantage of technical and personnel weaknesses. Post-access activities can include a wide range of potential attacks, based on scoping with the target organization. Simply gaining access to sensitive or restricted areas of the target facility is often enough to demonstrate risk to the organization. However, post-access tactics may include media drops, network and device implantation, malicious HID attacks, credential discovery, and others. Testers are issued a “get out of jail free card” that should be presented when the testers are exposed.
BHIS has a physical penetration test kit that includes tools that are commonly used on physical penetration test engagements. That said, testers should use situational awareness to improvise when difficulties present themselves. As examples, a carpenter’s square from a local hardware store can be bent to become a very effective crash bar tool. In addition, a length of thick copper wire can be fashioned into a very effective under door tool. Always think creatively about the challenges you face during an engagement.
This engagement typically includes the following elements, although this is not an exhaustive list:
Reconnaissance
In the context of a physical penetration test, reconnaissance includes some additional elements. Since the test will occur at an organization’s physical facility, visual knowledge of the facility can be useful in pre-engagement planning. Images of the facility can aid in identifying areas where unprotected access may be present. In addition, opportunities for badge facsimile creation may present themselves through analysis of sites like Glassdoor.

Unsecured Entrance Discovery
The target facility should be cased to identify unsecured entrances into the building. Unsecured entrances are typically easy to find and pose a significant risk for personnel infiltration.

Employee Tailgating
Tailgating consists of following an employee into the facility as they enter. This can be accomplished with or without the awareness of the employee. In many cases, a door will close too slowly to prevent an infiltrator from entering behind a legitimate employee.

Badge Cloning (Visual)
A badge often carries unearned trust when an employee observes the badge on an attacker. Visual badge cloning can focus on the targeted organization, or on some service provider expected to visit the organization. Badge examples can often be found on the internet. However, an attacker may need to observe a badge while onsite at the customer facility.

Badge Cloning (Electronic)
Some of the early electronic badge formats, still deployed today, have weaknesses that allow an attacker to clone a legitimate badge by reading a valid value with a long-range reader, like the Wiegotcha. Once captured, a valid badge value can be written to a new badge and used to access the facility, imitating a legitimate employee.

Badge Brute Force Attack
Older electronic badge formats are typically issued in sequential blocks. The identifier presented by one of these badges consists of a facility ID and a badge ID. Once a valid facility ID is known, an attacker can attempt to brute force other badge IDs by incrementing or decrementing the badge ID. Brute force can be accomplished by using the Proxmark 3 RDV4 in standalone mode. A brute force attack, after initial entry is attained, can allow an attacker to gain access to restricted areas like a data center.

Door Hasp Attacks
Unprotected door hasps provide an opportunity to easily open a locked door using a tool like the Sparrows Mini Jim. With this tool, the door hasp can be retracted, allowing the door to open. Often this can be accomplished very quickly and unnoticed by nearby employees.

Panic Bar Attacks
Panic bars are the horizontal push bars that allow an employee to quickly use a facility exit by pressing on the surface of the mechanism. Where the gap between the door and wall, or between two opposing doors on the same exit, is unprotected, a tool can be used to depress the panic bar from the outside of the door, allowing access to the protected area. Professional panic bar tools exist, but this can often be improvised very easily and cheaply.

Under Door Attacks
Doors that have an imperfect fit often have a large gap at the bottom or top of the entrance. Depending on the door handle used on the door, a tool can be used to open the door by operating the door handle from outside the protected area. Professional under door tools exist, but this can often be improvised very easily and cheaply.

Request to Exit (REX) Sensor Attacks
The REX sensor, or Request to Exit sensor, is used on electronic locks to unlock the door as an exiting employee approaches. If a REX sensor can be identified from the outside of the entrance, an attacker may be able to activate the sensor by waving a flag or spraying compressed air in front of the sensor.

Magnetic Lock Attacks
The pulling force of a magnetic lock is inversely proportional to the distance between the magnet and the metallic surface used to lock the door. A short gap between the magnet and the landing surface can make a door easy to open even when locked. Placing thick tape on the magnet or landing surface may reduce the pulling force sufficiently to allow entry.

Electronic Lock Implanting
Electronic door locks typically communicate with the door controller using the Wiegand protocol. Wiegand uses a wired interface, and data is transmitted in clear text. Because of this, attackers have developed hardware implants that attach to the wired interface of the reader. The implant is typically capable of capture and replay of a valid card read. Implanting the interface requires removal of the reader, which is often secured using high-security screws. Drivers for high-security screws can be obtained at a hardware store or online. Readers may have tamper switches embedded in them that alert security staff when a reader has been opened. Implant attachment uses punch-down connections that pierce the shielding of the wire attached to the reader. Because of the potential for damage, permission should be obtained from the POC before attempting this attack.

Lock Picking
Lock picking involves operating the pins on a given lock in order to simulate use of an authorized key. Typically, lock picking involves the use of multiple tools simultaneously. A tensioner is used to keep tension on the lock barrel while operating the pins. A rake or pick is used to depress the pins in the lock in an effort to discover the authorized bitting (cut depth) of the key. Once all pins are correctly aligned, the lock can be opened.
Before traveling with lock picks, the tester should ensure that lock picking is authorized and legal in the locale where the test is to be conducted.

When deemed to be in-scope, the following post-access activities may be allowed. Post-access activity should be discussed with the customer on the Rules of Engagement call.
- Malicious HID attacks
- Credential discovery
- Device implant (peripheral)
- Device implant (network)
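Returning to the Badge Brute Force Attack section above: as an added defender-side example (not part of the original BHIS methodology), this script scans constructed access-control events for a run of reads at one reader, under one facility ID, whose badge IDs step by exactly one each time, which is the pattern that incrementing or decrementing a known badge ID leaves in the controller's log. The CSV log layout, the field names and the thresholds are assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (timestamp,reader,facility_id,badge_id,result); not real data.
SAMPLE_LOG = """\
2024-03-04T09:12:01,DC-DOOR-1,123,4410,GRANTED
2024-03-04T09:12:40,DC-DOOR-1,123,4411,DENIED
2024-03-04T09:12:43,DC-DOOR-1,123,4412,DENIED
2024-03-04T09:12:47,DC-DOOR-1,123,4413,DENIED
2024-03-04T09:12:50,DC-DOOR-1,123,4414,DENIED
2024-03-04T09:12:54,DC-DOOR-1,123,4415,GRANTED
2024-03-04T09:30:00,LOBBY-2,123,4409,DENIED
2024-03-04T09:31:00,LOBBY-2,123,4410,GRANTED
"""

def parse_events(text):
    """Parse CSV lines into event dicts (IDs as ints, timestamp as datetime)."""
    rows = (line.split(",") for line in text.strip().splitlines())
    return [{"ts": datetime.fromisoformat(ts), "reader": rdr, "facility_id": int(fac),
             "badge_id": int(badge), "result": res} for ts, rdr, fac, badge, res in rows]

def _alert(reader, fac, run, min_denied):
    """Summarise a run of sequential reads as an alert if it has enough denials."""
    denied = sum(e["result"] == "DENIED" for e in run)
    if denied < min_denied:
        return []
    return [{"reader": reader, "facility_id": fac, "reads": len(run),
             "first_badge": run[0]["badge_id"], "last_badge": run[-1]["badge_id"],
             "denied": denied, "granted_after": run[-1]["result"] == "GRANTED"}]

def find_badge_brute_force(events, min_denied=3, window=timedelta(minutes=5)):
    """A run: reads at one reader/facility ID whose badge IDs step by exactly 1
    (up or down) and that all fall within `window` of the run's first read."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["reader"], e["facility_id"])].append(e)
    alerts = []
    for (reader, fac), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        run = [evs[0]]
        for prev, cur in zip(evs, evs[1:]):
            step = abs(cur["badge_id"] - prev["badge_id"]) == 1
            if step and cur["ts"] - run[0]["ts"] <= window:
                run.append(cur)
            else:
                alerts.extend(_alert(reader, fac, run, min_denied))
                run = [cur]
        alerts.extend(_alert(reader, fac, run, min_denied))
    return alerts
```

The granted read that opens a run is kept in the alert because it is the valid badge value the sequence was derived from, and `granted_after` shows whether the run ended in a successful read, which is the case that warrants checking the area the reader protects.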