Interview with a Pen Tester: Physical Penetration Testing

Question: What does a physical penetration test include?

Answer: So it varies a lot from client to client. Some of the most significant differences are whether it's a daytime operation or a nighttime operation. Typically we'll start with finding out what is needed by the customer, and we will do some open-source intelligence or OSINT gathering information about the facility. That could come from things like Google Maps, for example, or from other different sources.

Then we will typically do a reconnaissance mission, and for that, we're looking for ingress/egress points in and out of the building. Are there gates for cars? Are there cameras? How do they get into the building? Are they using badges as a keyed entry? Is it multiple locations? We're collecting information, collecting video and photo evidence, and getting a lay of the land. From there, we put together a plan.

When it's time for execution, we try to exploit whatever vulnerabilities we saw during the Recon phase. Depending on the engagement, it might involve climbing over barbed wire fences or talking our way past a security guard or an employee, or just getting close to people. If it's a badged entry, we can skim those badges from a distance and then reproduce them and use them to get in. So it varies depending on the engagement. 

Question: Are there different levels of physical penetration testing?

Answer: The differences come down to what the priorities are for the client. It might be breaking into a farm, for example, or it could be a utility company or a business. There may be people there 24 hours a day, or there may be people there only during standard business hours. So each client is going to have different security controls in place. Everyone's a little bit different, and they all require their level of planning.

An office building, for example, during the day you've got valuable things there. You've got employees. You want them to be safe, and you want their personal belongings to be safe. I've worked in places before where people have just wandered in off the street and wandered around taking purses or cell phones off desks. And this was in the suburbs where you wouldn't expect that to be a thing. So during the day, an office building might want us to test their security. At night, however, they wouldn't care as much about it. For example, a warehouse would have valuable stuff there overnight and would be concerned about people breaking in and stealing it. So we kick things off by working with the client to understand what their priorities are.

Question: How does a physical penetration test done by ethical hackers compare to an actual attack by bad actors?

Answer: As I mentioned before, I think a common one that you see in office environments is people walking in off the street and stealing stuff, like a purse or a wallet. I even had an instance where people were coming in and breaking into the office kitchen to steal food. So, I would say unauthorized access, and sometimes it can lead to theft.

Something else that I've seen in my past is people dropping off keyloggers once they gain physical access. A USB keylogger is a little device about the size of a flash drive. So they unplug a keyboard, plug the keylogger in and then plug the keyboard back into the computer. And then they just leave, and they might come back a day or two or maybe a week later to try to retrieve that device. If they're successful, sometimes it will have passwords, or sensitive information picked up from the keyboard while the user was typing. Then they can use that info for additional access into the system. 

As far as physical security, it depends on the goals of the bad guy. Let's take a typical criminal organization. Their goal is frequently money, so they'll often do physical tasks, such as skimming for credit cards for ATMs or other payment systems. People don't realize the same website that sells the card skimmers for ATMs, and other card payment systems also sells skimmers for RFID cards, where essentially you put a fake front on top of an RFID entrance panel. And then, instead of stealing someone's credit card number, you're stealing someone's badge that allows them to go into a building. There have been incidences of bad guys skimming badges for building entry and then trying to go in at night to steal whatever they can get their hands on - laptops or anything that looks of value to them.

Another capability we apply in a lot of engagements is using under-door tools. This is something that is becoming more and more of a threat. You'll often see in hotels in large cities or office buildings, the door handle to your hotel room or in an office building is mounted vertically or has some sort of weird little latch around the tip of the door handle. This is to prevent these under door tools which are being used more and more commonly. So we base our methodology on what the common threats are.

Question: Many of the tools brought with our pen testers on physical engagements are intentionally simple. Talk about a time when a simple tool overcame even the most advanced technology.

Answer: Oh yeah, we have a video of me using an under-the-door tool. This was part of an engagement that we had with a University. I used this tool about three feet away from a student at the University who didn't even look over at me, or if they did pay attention to what I was doing, I was wearing some work clothes, and they just thought that I must be a worker. Behind this door, there were all of the University's switches, routers, firewalls, etc. So essentially, all of their fancy next-generation security equipment was subverted by a piece of wire and string that cost a couple of bucks.

Question: Why do organizations need physical penetration testing? You mentioned the student near you that didn't notice or didn't pay that much attention. Training is a big piece, but why is this still a threat, and what organizations need to practice? ‍

Answer: Yeah, again, I think it goes to the point that you can buy all of the most excellent cyber defense mechanisms, but they can all be subverted if you don't properly lock your doors or don't use the proper physical security. Often, people think they have adequate protection in place, but they don't realize that the bad guys, the people trying to break in, don't think in the same manner. So many people think, oh when I go to the office, I go through the main door and this stairwell and then there's a big security door, and I have to show everybody my badge. So they feel like security is in place. However, that's not how a bad guy thinks. A bad guy thinks, so I can go ask to use the bathroom, and then from the bathroom, I can go through a side maintenance elevator and see if I can ride that three floors up and never have to go to that security desk. Everyone thinks of that straight-through pathway, and no one's thinking of these other passageways that come to light when you have a physical pen test. We get in there with the mindset of an attacker and show you, hey; you have an elevator. We can ride this elevator three floors up, and now we're on the floor that we weren't supposed to be on. Or hundreds of other examples that people don't always think of because they're not thinking like a bad guy. They're thinking of how an average person would try to go to their office or how an average person would try to walk through a building.‍

Question: Testing people is also a part of our engagements, how do you test employee awareness on an engagement?

Answer: So it can involve social engineering and, I think, personal security. What's going on around you? Is somebody suspicious following you a little close that you've never seen before? Are they asking weird questions? That type of thing. Are they trying to do something that typically isn't a common ask from, say, a customer or something like that? And so a lot of that is training. You want to train people to ask questions and question people they don't recognize, especially if they're trying to access something they shouldn't access. Be aware of your surroundings. So I think the goal with a lot of it is to train people to have a certain level of paranoia, but hopefully not be too paranoid.

That also brings up something that we did for a client of ours in the past. I believe it was their third or fourth physical pen test that we did. Our contact was saying, "Hey, you always come in with this laundry list of things like making sure that the person is following proper procedures, that their name badge is visible, that they're following everything that they're supposed to be doing. We want to test that our employees are doing that." So after we had completed the whole regular physical pen test, I was the rookie on the team at that point, and I dressed up in full business casual. They gave me a full lanyard with a fake name badge and everything. But at this point, I wasn't testing their physical infrastructure. I was wearing an earpiece and just walking around inside their office, not following proper procedure. So instead of having my name badge visibly worn around my neck, I put it in my pocket, and I walked around until somebody challenged me. Then when somebody did challenge me, I got their name, reported it to their supervisor, and said, "Hey, so-and-so noticed that I was not following your proper procedure and challenged me on it as they should do. Make sure you give them some sort of reward for doing a good job." We also got some statistics on how people don't typically challenge as much as they do in the afternoon at lunchtime. Maybe employees need to be reminded to be more vigilant at lunchtime. They sent me inside this office as a "malicious insider" to see if people would check and see if they notice somebody not following proper procedure. Are they going to say something? Are they going to report it or not?

Question: Do you have any humorous yet teachable moments? What are some experiences where you have learned something that helped you in future engagements?

Answer: Always check if the door is locked first. This wasn't an engagement that I was on, but some of the other team members told me this story of how they had this elaborate plan to try to get past these doors. They showed up at 2:00 AM so that nobody on the street would notice them. Only to realize that nobody had locked the doors to the facility they were trying to gain entrance to. They were trying to use that under-the-door tool, and they struggled with it for about a minute until they tried the handle, and sure enough, someone forgot to lock that door that night.

Also, make sure to judge the height if you're going to jump off something, especially while full of adrenaline. If you're trying to break into a place and jump from a tall height, you might injure yourself. I now know this. I didn't think about it when I was doing the pentest because I was full of adrenaline. I'll just leave it at that. That's all the details I'll give.

Question: While every organization should consider physical pen testing as part of their overall security program, is there an organization or a specific industry that needs it most?

Answer: I think it would be good if every organization did it on some level. It doesn't have to be super elaborate or complicated, where I'm using fire escape ladders and climbing up the sides of buildings. Still, every organization that takes up physical space will need some sort of physical security. You have to look at your threat model and think about what level of physical security you need? What are your targets for? If you're a bank, you're a target for a bank robber; therefore, you're going to have to have excellent physical security. If you're a huge part of research and development worth millions of dollars, that would be a massive cash grab if somebody got it; you're also going to need very good physical security. So you need to look at what threats you're facing to look at the level of physical security you're going to need to implement.

But even if you're operating a small business, the last thing you want is someone to break your windows, go in and take everything and then shut you down for a week, because that one week of lost business can be the difference between keeping the lights on and you know shutting down.

One of the most important things to a business is their business and intellectual property, trade secrets, things like that. If somebody gains physical access to your facility, it doesn't necessarily have to be some advanced cyber intrusion with a big elaborate plan. It could be as simple as walking by a desk and seeing a memo from the CEO talking about something important, something that's for specific eyes only. If clients value their intellectual property, if they value their employees' privacy and security, as well as their customers, then I think all of those are excellent reasons to have a physical pen test.

Question: What kinds of things does the client learn after they have had a physical pen test done? What's the takeaway for them?

Answer: Often, they see these unknown unknowns come to light, so they don't know what they should even know about. We will shed light on these things, and they'll be able to take that away and think in new directions. To give an example from a recent test done, the client had bought a costly security system with keypads where you type in a PIN. A gate slides open and allows you into the secure facility. They didn't realize that there is a keyhole at the top of that pin pad so that if someone needs to do maintenance on it, they can open it with the key, do some maintenance, and lock it back up. This key is standard and can be bought on Amazon. You just need the serial number or the company name that made the pin pad, and for $20, you can own the master key. So they had all of this great security, and because they don't think like a bad guy like we're paid to do, they had no idea that the master key was readily available out there on Amazon. 

Along those lines, another thing customers often learn is how doors are supposed to be hung. There's a little latch with a plunger thing. The plunger thing is not supposed to go in the same hole as the latch, but that's almost always the case, defeating the door's internal security mechanisms. Again, unknown unknowns.

Another takeaway for clients is that the people component is pretty essential.

A client learns that doing frequent training with employees for this type of thing is very important to a good physical security model's overall success.

Question: It must be kind of fun getting to play the bad guy while knowing that you have your get-out-of-jail-free card. Have you ever been caught?

Answer: Yeah, so we had a client that had several locations. It was primarily a nighttime operation, and we had completed maybe three of the sites at this point and were on number four.

The local Police Department was notified before us doing this engagement partially for everybody's safety and for the Police Department to use it as a training exercise. Long story short, I managed to get into one of the buildings at the 4th location and found myself setting off a silent alarm and very much on camera in a very well-lit area.

And I kind of had a feeling I was going to be caught quickly. I was running around doing what I needed to do. And then tried to get out of the building, and as soon as I did, the police met me and packed me into a squad car. They took me down the street, we chatted about the job, how frequently we do it, and things like that. They were pretty interested, but my heart was racing. It's the first time I've been in the back of a squad car. It was an exciting experience, and then they let me go since I had authorization, and everybody was well informed beforehand.

Question: What do you think is your best edge as a social engineer? Is it having a useful tool with you, rocking a legitimate uniform, exuding confident behavior, or how you engage with other human beings? 

Answer: The best edge for any social engineer in general, whatever you're doing, is the ability to stay level-headed and be confident in what you're doing. Many people don't realize what adrenaline does to your body, that it clouds your ability to think clearly. By staying level-headed, you can assess the situation because you're continually taking in information - what the person is saying, how their body language is, where they're looking, their hand position, etc. You need to be continually taking all of that in, assessing it, and then making decisions based on that info. It's tough to do when you're full of adrenaline, and you can't really, truly understand it until you're actually in the situation. You always hear those stories about how ridiculous criminals are, for example, the guy who robbed a gas station and then left his wallet with his money and ID on the counter. You just don't realize that you cannot think clearly if you're being flooded with adrenaline, but if you can slow down, take long breaths and calm yourself while continually assessing the situation, that will be just as good as any top disguise. If you're wearing a full disguise trying to match with everybody else, but you're shaking and nervous, and your voice is cracking, people are going to recognize that something's up.

There were two of us on an engagement recently, in the middle of the day, and we got past the guards and into the building. We split up, and we're both wandering around this enormous three-building office campus, and it's a maze.

I have no idea where I am, so I'm walking down these massive cube farms. I go down one row, and there are a couple of guys having a conversation towards the end of the row. I get to the end, and it's a dead-end, so I have just to turn around and walk back out. I'm the only person there besides these guys, so it's super shady. As I'm walking back past them, they ask if they can help me. I said, "No, I'm over there," and pointed in some random direction and walked away. That turned out to work. Meanwhile, my teammate had a different experience. 

After we split up, he turned a corner, thinking he was going down a hallway and hit a dead end, also. When he turned back around, an employee asked if he was lost. He said, "Oh yeah, I'm supposed to be meeting somebody, and I think they're in whatever building that he rattled off." She proceeded to walk him around and did a fantastic job of questioning an unknown person. Then she tried to help find the person he was supposed to be meeting; she even had the person paged on the intercom system. This person was, of course, not there. Then she took him to all the conference rooms looking for this person, and the whole time he was trying to get out of the situation without just making a break for it down the hallway. He kept playing the role, told her he could walk around and look for himself, and even tried to tell her that he would just head down to security and check with them. She said, "Oh, I'll walk you!" She did a fantastic job. So when they got to security, he faked a phone call and walked out the front door. Effectively, he social engineered his way out of the building without setting off all the alarm bells. It was an adrenaline-inducing experience; he was terrified he was going to get caught. But it was a great example of an employee doing exactly what she should do. 

Question: What else would you like people to know about physical pen testing engagements?

Answer: I feel like people often lack visuals of what we're doing. People might have the ingrained image of Tom Cruise coming down from the ceiling trying to break in somewhere, when a lot of times, we're going up to doors and jiggling the handles to see if they're locked or not. Or people think of the movie Die Hard with someone crawling through air vents, which doesn't work very well in real life. Instead, we're usually taking a piece of metal wire and a string and pulling doors open. So it's usually something much more straightforward than a super-sophisticated spy technique that will get us through the door. Or even through a window. I read an old report before redoing a physical pentest where the team had brought into this super secured facility. They were walking up the sidewalk to the building and noticed an opened window, and two of our guys just jumped up and climbed through. I never even touched the door and got into a secure building.

So it's usually no air vents, no dropping down from the ceiling. It's more straightforward things that are getting us in.

On the same note, daytime engagements are often even more straightforward. We'll walk in wearing street clothes, or if it's an office environment, we walk in wearing a suit and tie.

A lot of it is just making it look like you belong there. So that very simple concept is very effective at getting you in the door.

Tailgating, for example. We were on an engagement recently where tailgating got us into every building that we were supposed to get into, and I think it was so successful because we looked like we belonged there. We have dressed the part, and people held doors open for us, and we just walked right in. So it's often the simplest thing.

Question: Any final thoughts?

Answer: My final thought is to remind people that you can only do this if you have explicit written permission from whoever owns and runs the building. A couple of years ago, at the Super Bowl, there was an incident where some Youtubers grabbed some high visibility vests and a ladder. I decided to try to get in and walk around the Super Bowl, but they recorded all of it. Then they put it up on YouTube to brag and say, "Oh yeah, look at us. We're so great. We got in!" Then they were shocked when the police showed up at the door saying, "Hey, thanks for uploading that video of you committing a crime. Made it easy to find you." So definitely only do this if you have written permission; otherwise, the penalties are very severe. And don't upload your crimes to YouTube.