Chapter 11

The Physical Attack Vector

Gavin Watson, Senior Security Engineer, RandomStorm Limited

In previous chapters, the groundwork has been laid for an attack. Now it’s time for the real fun: getting into the target and completing the assessment. The physical side of social engineering is an adrenaline-filled roller coaster of highs and lows. This chapter will help to make the most of any limited time on-site and hopefully get away without being caught.

Keywords

Dumpster diving; shoulder surfing; rogue access points; props and disguises; badges and lanyards; tailgating

Information in this chapter

• Building on the e-mail and telephone attacks

• Active information gathering

• Dumpster diving

• Shoulder surfing

• Photography

• Reception area

• Public access areas

• Rogue access points

• Props and disguises

• Badges and lanyards

• Tailgating

• Lock picking

• Once you’re inside

Introduction

The previous chapter provided some practical advice regarding how to execute telephone based social engineering scenarios. Real-world examples were discussed, demonstrating their continued effectiveness in many modern-day attacks.

Attacks that begin with telephone calls can often lead to a full compromise of the target’s building, not just to the disclosure of sensitive information. The previous chapter covered some of the techniques used by the authors to achieve such an objective. However, physically breaching the security of a building doesn’t end there, as many other factors need to be considered.

The aim of this chapter is to provide some practical advice regarding physical attacks as part of a social engineering assessment. Topics such as active information gathering techniques through analysing reception areas will be covered.

The various tools of the trade will be discussed, including props and disguises, fake badges and lanyards, RFID and magnetic strip cloners, and lock picking.

Building on the e-mail and telephone attacks

Chapter 4 discussed how time could be used effectively on an assessment by stringing the attack vectors together; the information disclosed in one attack could then be used to aid in the next. In many assessments this will be the natural progression, with physical attacks against the building being the last scenario based on all previous attacks already accomplished.

Once the telephone and e-mail attacks have been completed, there will be a great deal of information to work with. The reconnaissance should have revealed all the employees, their positions and contact details, as well as all the information regarding the company itself. It has been seen how a single phone call can arrange for a pass or a meeting room, and this can be accomplished without ever setting foot on-site. However, as scarily effective as attacks of this kind are, they will likely fall short in businesses with a higher than average level of security. If the client has mature and tested security controls then the focus might need to be on the attributes of the actual building itself. Therefore, the telephone and e-mail attacks will need to gather information that will be useful in breaching the security of the building and in terms of what to expect once this has been achieved.

It is obvious that as much information as possible should be gathered, but there are some fundamental questions that should be answered if the plan is to attack the building. These are basic security questions; in this list they work from the outside in.

• Are there any other branches that could be impersonated?

• Are there any other businesses close by?

• Are the grounds protected by a fence or can you walk up to the main door?

• Is there a secure car park with a barrier?

• Is there a security guard or guards?

• Is there a security guard office outside the premises?

• Is the main reception secured?

• How many receptionists are on duty at any one time?

• Does the business implement RFID or magnetic strip controls inside the building?

• Which floor is the target area on?

• What third-party businesses work with the target company?

The majority of this information could be quickly obtained by visiting the site, but if this can be obtained remotely then there is less risk. Additionally, each of the above is an individual social engineering scenario that identifies information disclosure vulnerabilities with that business.

To demonstrate how easily information such as the above can be gathered, consider a telephone call the authors made to a target business’s security office two days before the physical assessment:

Target: “Hello, xyzsecurity how can I help?”
You: “Hi there, this is Steve from the Chester branch. I’m heading over for a meeting but I’ve just been told my pass won’t work in your building, is that right? I’m sure it worked last time I was there.”
Target: “Nope, it won’t get you into reception, but they’ll buzz you in and you don’t need a pass to move around inside.”
You: “And the car park barrier?”
Target: “Same again, they’ll buzz you through.”
You: “Excellent, thank you.”

This information isn’t going to lead to an immediate breach of the building but it is extremely useful. The fact we’re calling the security office obviously tells us they have a security guard, if only to watch the cameras. It was also discovered that to enter reception without speaking to them, a pass is needed. There is a car park and it’s secured with a barrier. Finally, the fact that a pass is not required to move around inside is critical; if access can be gained, it means free movement from department to department, floor to floor, without needing a pass or even to tailgate. This means that potentially an attacker could just tailgate in one of the entrances and be able to move around inside freely. If this is the case, then a tailgating scenario should be attempted at some point during the assessment.

When gathering this information, it is also important to focus on the employees. As Chapter 8 discussed, the reconnaissance and attacks could also reveal critical information such as the design of their employee badges and what color lanyards they generally wear.

Active information gathering

Although it is possible to remotely and safely gather a great deal of information regarding a building’s security, actually visiting the site will provide the greatest insights. There may be physical security controls and building attributes that couldn’t possibly be discovered through remote means. For example, once on-site it could be discovered that they leave the rear fire door open all day long in summer. Identifying this physical vulnerability remotely would be challenging to say the least. However, this is not just about painfully obvious physical vulnerabilities such as open doors; a huge amount of critical information about the target business, its employees and its physical security controls can be gathered by actually visiting the site. As mentioned above, when testing high security clients it may be absolutely necessary to include a physical reconnaissance stage to fill in the missing jigsaw pieces that remote reconnaissance failed to obtain.

Dumpster diving

Dumpster diving has been briefly mentioned a few times already in this book, and this is hardly surprising as it is a truly classic technique. Strictly speaking, rummaging through someone’s garbage is hardly the pinnacle of psychological manipulation, but it’s not the act itself, it’s how the information is used. Is it legal? That depends on the intention, whether it’s a residence or a business and in what country the act is being carried out. Whether or not taking garbage is considered theft is debatable, but if the garbage is stored on company property then there will certainly be an aspect of trespassing if there is an attempt to obtain it without permission. However, in terms of a social engineering assessment, permission should have been granted to execute such scenarios.

The first challenge to be considered is how to actually get to the garbage. If it has been decided to include this in the assessment, perhaps on the client’s request, then the following fundamental questions will need answering:

• Is the garbage in a secured location?

• How much garbage is there on average?

• Is the garbage separated into different categories?

• Does the business share the garbage bins with any other business?

• Are the bins themselves locked or secured in any way?

• Would you be able to get the garbage out without detection?

• Who normally collects the garbage and when?

A series of e-mail or telephone attacks could be launched to answer these questions. For example, making a call as a health and safety inspector, the garbage collection company, or any other third party that interacts with it in some way. There may be a specific company that collects media or documents for secure and safe disposal.

If some of these questions can be answered, then you may be able to simply walk up and collect the garbage. For example, it may be discovered that there are bins to the rear of the business with no security controls of any kind. Arriving at night and covertly taking the bags away for inspection could be a simple task. Remember that it’s far less risky to take the bags away, rather than spending time on-site going through it all.

Bear in mind that garbage is being dealt with here and unless it is known exactly what goes into each bag, prepare for the worst. Wear heavy-duty safety gloves, goggles and appropriate clothing. Don’t jump in the bins, just take the bags out cleanly and transport them off-site to a suitable area in which their contents can be inspected.

If the garbage area is secured, then there may be a need to design an appropriate pretext to gain access. This is where the reconnaissance regarding who normally gains access becomes useful. A basic scenario could be to contact the security guard and impersonate an employee. The consultant warns the security guard that an inspector from the xyzgarbage company will be coming to site to do some basic checks. Then by arriving as the xyzgarbage inspector, the only challenge would be to convince the security guard of the need to be left alone, “I have quite a bit to do, shall I come see you again on my way out?”. Or the engineer could impersonate an employee and explain to the security guard that an important document has been accidentally binned and could they provide access to the area to enable a look through the bins?

What is being sought? Many books and articles will talk at length about finding USB drives, hard drives, scraps of paper containing passwords, network diagrams, documents with lists of employees, etc. This is the obvious stuff and there shouldn’t really be a need for a book to articulate how useful information like this can be. If there is one practical piece of advice the authors can give regarding dumpster diving, it would be to consider ANY piece of business-specific information that isn’t already known as being useful. Yes, finding passwords on Post-It notes would be fantastic, but don’t dismiss other potentially key pieces of information. For example, what about finding a printout of an e-mail conversation that someone has binned? Can the knowledge of that conversation be used to gain credibility? Has an employee thrown away some delivery parcel packaging along with the receipt that’s usually included? As this will contain details of the item and the delivery, it enables an impersonation either of the business that provided the item or of the delivery company that dropped it off.

Importantly, it is a case of working through all the garbage and thinking carefully about what is discovered. Is this a duplication of the information that is already possessed? If not, can it be leveraged in any way? The results may prove to be very interesting!

Shoulder surfing

Shoulder surfing is another information gathering technique that is often described as social engineering. However, in a similar way to dumpster diving, it is not the technique itself but the way the gathered information is used. In its most basic sense, shoulder surfing is looking over someone’s shoulder to see what they are doing: typing, writing, etc. For example, an employee may covertly look across at their colleague’s keyboard as they type their password or look at a monitor as an e-mail is being composed.

It could be argued that there would be little benefit in employing this technique, as access to the target building has already been achieved. Having breached the security, knowing an employee’s password may be of some use, but it would be far easier to plug in a device and attack the network remotely. This is true, but the employees are not “always” within the target building. For example, although very much a long game technique, an attacker could shoulder surf an employee using their laptop in a local cafe. If the password could be seen, it could then be used to access the corporate e-mail. This could then be used to launch phishing e-mail attacks.

Looking for passwords is obvious, but remember that a social engineer can potentially use any information to attack the business. Consider the cafe example again: what else could the attacker see? They would be able to see the operating system version, the web browser, the software being used, and the make and model of the laptop. This is all very useful information that can aid an attacker when launching phishing attacks. Knowing the software used can narrow down the attacks that are likely to work.

Photography

When targeting a physical building, the idea of taking photographs seems like a sensible thing to do. There have been many examples in movies and television shows where a team of professionals covertly photograph the target building and the associated employees. Is this necessary in modern-day social engineering? The rather predictable answer is that it depends. Generally speaking, photographing the building is often not necessary, as a quick visit to Google Maps Street View will provide clear enough shots of the building’s exterior. If online photographs cannot be obtained, then spending time taking photographs instead is only really necessary if there is something relevant to include in the report. The fact is, the client knows what their building looks like; they go there every day. Therefore, including a selection of photographs of the exterior won’t be that useful to them. However, if it is difficult to get close enough to take photos, due to security controls, then doing so proves certain vulnerabilities. In this sense, the act of taking the photographs becomes significant. Another situation where photographs of the building should be included is if they point out a specific vulnerability. For example, a particular assessment performed by the authors revealed an external doorway secured with a cheap pin-tumbler lock. Above the door were three security cameras mounted on a pole, none of which covered the door or the pathway leading to the door. This was an obvious issue and so photographs were included.

Once access has been gained to the building, photographs are usually used to “prove” access to the objective. Therefore, photographs may be taken of a restricted area or a particular object defined in the scope of the assessment. However, this is use of photography to prove an objective has been met, not for the purposes of active information gathering.

If the target site is very high security and the possibility of being caught on camera is likely, then photography can be useful to map out certain security controls. Once the location, direction, make and model of the cameras have been ascertained, theoretically scenarios can be designed to avoid them. However, this would only be necessary if planning a “smash and grab” approach whereby all activity needed to be covert. Remember that scenarios of this type are risky, only identify a handful of vulnerabilities, may not map to the client’s actual risks and should always be attempted last.

One of the best ways to use photography when on-site is to capture images of the employees, what they wear, what color lanyard they have and their access badge. This can be easy enough using a mobile phone, just remember to turn it to silent as the sound of the photograph being taken may rapidly give away any operation! As mentioned many times in this book, the smoking area is a great place to interact with employees with minimal suspicion. As the employees tend to be kept quite close together in these areas, capturing images is fairly straightforward.

Reception area

Receptionists tend to get a great deal of focus on social engineering assessments for many reasons already discussed in this book. If a receptionist can be compromised then breaching the security of the business becomes extremely easy. However, this concept should extend to the reception area itself. Generally speaking this is the gatehouse, the point at which any employee, contractor or visitor is screened and hopefully authenticated before being allowed through. Therefore, if fundamental vulnerabilities can be found in the reception area itself, they could be leveraged to great effect in an attack scenario.

There have been cases when the authors have discovered images of the target’s reception on their own social media page. However, it is likely that the reconnaissance will not reveal this information and the only way to obtain it is to physically be there in reception. Does this mean that this information can only be obtained and used at the point of executing an actual scenario? No, there are many reasons why someone might possibly be in reception. For example, being lost and simply asking for directions or perhaps even having mistakenly walked into the wrong business, although be careful not to use the same consultant in the actual attack as the receptionists may well recognize them.

It should only take a few seconds to look around and take note of the important security features. Consider taking note of the following:

• Is the reception large enough and busy enough for you to go unnoticed?

• How many receptionists are there?

• Is there a security guard or guards?

• Is there a sign-in book?

• What do the receptionists hand out to visitors?

• What direction is reception facing? Could you enter unnoticed or will receptionists greet you immediately?

• How many doors are there leading into the interior building? What access controls do they have?

• If there are other doors, how long do they stay open for?

• Is there a stairwell door?

• Is there a lift? If so, does it have access controls?

• Is there a waiting area?

• Are there any public access terminals?

• Are there any visible network points?

• What authentication controls are there? Single-person turnstiles, biometrics or man-trap systems?

• Where are the cameras? Do they cover the access controls or just reception?

This all sounds like very obvious stuff but it is surprising how often businesses get the simple stuff wrong. The authors have seen receptions with an RFID secured door next to a lift that requires no authentication at all. Receptions have been seen where an individual is able to enter behind the receptionist’s desk and head up the stairwell without being seen. There have been reception/waiting areas with live network points available. Security breaches have been made possible due to public access terminals with full visibility of the corporate network.

Never underestimate the vulnerabilities that may exist in the reception area as they may be exploited to breach the security of the network or even the security of the building itself.

Public access areas

To a social engineer, a public access area is like a reception but with little risk of being challenged. The business is providing an area with services that can be utilized by anyone. A good example of this would be a hospital; in most cases people can freely walk in and sit in the canteen or various waiting areas without being questioned. These areas present a very serious security situation for that business. In an ideal world that area would be completely locked down with no network connections to the actual corporate network and no services or available information that could be used to attack it. However, this is rarely the case and public access areas tend to be major weaknesses waiting to be exploited by attackers.

In terms of reconnaissance, public access areas are an opportunity for attackers to potentially learn the building layout. They could theoretically stay in that safe area and scope out all the entrances to the restricted areas, sit and watch for when the receptionists change over or when the security guard leaves.

As mentioned in the previous section, public access areas often have public access terminals and network points. Hopefully, the network points should have been disabled or be physically inaccessible; an attacker will definitely be checking if they get the chance. As for the public access terminals, even if they don’t have connections to the corporate network, do they have any passwords that are reused? Perhaps a highly privileged user on the corporate network reuses the local administrator password on that terminal. How is the terminal itself secured? The authors have seen situations where the terminal was “secured” in a small cabinet with a cheap and easy to pick wafer lock.

An attacker could easily pick the lock and tamper with the equipment in any way they saw fit. If they have public access terminals, think carefully about what information they store and what connections they use.

Rogue access points

The next chapter will discuss the various devices that can be used as part of on-site social engineering assessments. These will mainly be devices that can be used to make outbound connections (backdoors). A rogue access point is one way this could be accomplished. If an attacker could plug in a “rogue” wireless access point, they could attack the network from a safe distance, such as the car park or even further with specialist equipment. However, it is worth mentioning rogue access points within this chapter in terms of their ability to remotely gather information.

Instead of gaining access to the building and installing a rogue access point, an attacker could set one up outside the building. If employees were to connect to this wireless network, their traffic could be intercepted and parsed for useful information including passwords. The attacker would set up an open wireless network broadcasting an SSID such as “OpenWifi” or “Free Internet Access.” If they wanted to target employees in the IT department, they could enable WEP encryption, hoping that the more technical employees would be tempted to try and hack into it and use the services.

This type of attack is most effective against businesses that do not have wireless networks, be it for security reasons or general practicality. In such businesses the employees would generally appreciate being able to connect their smart phones or laptops to a wireless network for their own personal use. Therefore, a free wireless network would be quite tempting.

There is the opportunity to attack the employee’s computers that connect to the access point. This is an effective technique and if successful it could provide a foothold onto the corporate network. For example, by compromising an employee’s computer, a backdoor program could be installed that calls back when the computer connects to the corporate network. However, such an attack scenario begins to stray away from the focus of social engineering.

This technique could be used by a social engineer to collect usernames and passwords. If an attacker gained access to services such as employees’ e-mail accounts then they could launch very effective phishing e-mails and learn a great deal about potential targets. The websites visited by the employees could be very useful information that could be used against them. There is also the possibility of the employees reusing the passwords on corporate services, which presents a serious security issue.

Can such a technique be used on a social engineering assessment? Generally speaking it’s a gray area depending on whether the assessment is being performed in the public or private sector and in which country. The main issue here is that the attack is likely to gather employees’ personal information (such as personal account passwords) and could breach acts such as the Human Rights Act 1998. Gaining access to an employee’s corporate e-mail account is quite different from gaining access to their personal e-mail account.

Props and disguises

Props and disguises are regularly featured in embellished spy movies and television shows. The idea of donning a fake moustache and thick glasses to fool a security guard in the real world is beyond farcical. However, there are certain items that should be in every professional social engineer’s kit, despite how absurd the idea may be.

If the intention is to impersonate a character on-site, then you clearly need to look the part. As previous chapters have discussed, impersonation is about looking, sounding and acting exactly as the impersonated character would. Therefore, any social engineering kit should contain clothing and items to suit all manner of different characters. This would be everything from smart suits to overalls, clipboards, briefcases, toolkits, etc. Take the time to create a series of uniforms for fake companies and for companies that actually exist, though not the emergency services of course! In addition, think about the finer details: spend the money to have the logos embroidered rather than just printed, include matching baseball caps if appropriate, and even custom lanyards with the company name on them.

Props can go a long way to gaining credibility, but remember that they must be thought of as supporting items and not the basis of an attack. Do not create a scenario based on waving a clipboard at a security guard to make the visit look official. The items are there to make the impersonation more convincing and to achieve better credibility so that the main scenario can be executed with increased chances of success. For example, if a clipboard is to be carried, consider printing off a fake letter with the target business’s logo at the top. Any onlooker that sees the logo would likely assign instant credibility, probably without even thinking much about it.

A very common and cliché combination is the workman’s high visibility vest and hardhat. The idea is that most people wouldn’t think to question someone dressed in that way. A social engineer could walk around the target site with a colleague, pointing to rooftops and writing on a clipboard. Any onlookers would assume they are carrying out an inspection of some sort and think little more about it. This technique is quite dated now and most awareness training programs will likely cover it. If the plan is to use this impersonation then think carefully about the details. A common mistake is to purchase brand-new high visibility vests and hardhats, which stand out as somewhat unusual. How many workmen are seen with a pristine outfit? When the authors originally built up the wardrobe of social engineering clothing, they swapped brand-new high visibility vests and hats for used ones. Unfortunately, the used items stank of diesel but at least they looked authentic, because they were. If nothing else, this combination of clothing can be used when dumpster diving, as anyone with a legitimate reason to interact with the garbage will be wearing similar if not identical clothing.

Badges and lanyards

We have already mentioned badges and lanyards in this chapter, but as they feature so heavily on physical social engineering engagements, they deserve their own section.

Employee badges generally serve multiple functions such as identification, authentication and authorization. The badge would typically show the individual’s name, position, department, a photograph, the business name, the business logo and other miscellaneous information. The badge itself may also be equipped with an RFID chip or a magnetic strip and enable the employee to authenticate themselves to pass certain physical security controls. In secure environments, the employees are told to ensure their badge is visible at all times. Contractors and visitors will likely be given a different type of badge, possibly with a very different format, or their badge may just be a paper temporary badge ripped out of a sign-in book.

As previously mentioned, it is not challenging to covertly take photos of the badges currently in use. As security best practices encourage staff to keep them visible, this task is made all the easier. What is frequently found is that employees continue to wear their badges over the clothes when walking to work, going out for lunch or when they make their way home. Therefore, a social engineer has the opportunity to create a fake badge to gain credibility and make an impersonation more convincing. All that is required is a basic photo editing software package and a very convincing copy can be created. Remember that employee badges are often just a logo (which can be sourced online), a photograph (which can be locally reproduced) and a few lines of text. If the plan is to execute a scenario that involves an impersonation of an employee from another branch, then the fake pass may be all that’s required to prove the identity.

Clearly though, a fake pass will not provide the authentication benefits of RFID or magnetic strip, so this will need to be accounted for in the scenario. If the pass is held up to a reader and nothing happens, try shrugging it off and saying to the person behind that it’s playing up again. Would they challenge someone on that? Probably not, especially if the pass looks convincing and you look irate enough about the situation.

There are devices available that can clone a magnetic strip or replay the signal of an RFID token. However, the use of these devices is beyond the scope of this book. Additionally, think carefully about what is to be proven and how this can be achieved. If it is known that a client’s particular RFID implementation uses passes that can be replayed or even cloned, then all that may be required is to inform the client. They can then weigh the risk against the cost of a complete replacement of the authentication system, without needing to go through elaborate social engineering scenarios.

There is a tendency to read the above then decide to make all staff wear the badges backward, so only the featureless card holder is showing. The authors have seen this in practice and it is of course folly, as the social engineer wouldn’t even need to make a fake badge, they would just wear an empty card holder backward. The best defense is to have different formatted badges and different colored lanyards depending on the employee’s position or department. This means that a social engineer would have to work out what color or format goes with which department or risk standing out.

Tailgating

Tailgating is an interesting technique and one regularly used by real-world attackers and professional security consultants alike. The basic premise is to leverage an employee’s access privileges by following closely behind them as they authenticate to physical security controls such as RFID. Most of us are socially conditioned to hold a door open for people behind to be polite and courteous. If the door isn’t held open, the person behind may be offended. If simply not holding the door open could cause offence, then what would challenging the person to prove their identity do?

It is possible to enhance this effect in various ways such as pretending to have an argument on the phone, carrying an apparently heavy item or even turning up with crutches. Anything that can be done to make the individual less likely to want to challenge is for the better.

It is “possible” for a business to defend against tailgating, but it’s not easy. The authors have worked with clients that threaten staff with disciplinary action if they don’t literally close the door behind them despite another person waiting to come through it, essentially ending up with a row of people taking it in turns to open and close the door behind them. This method is seemingly effective, but only against short game attack scenarios. The employees are all fully aware of the procedure, but new third-party contractors and visitors won’t be. If an attacker could find out when such a contractor or visitor is due to arrive, they could tailgate behind them. Additionally, a social engineer could arrive as a visitor with a colleague tailgating behind.

There are other, more expensive solutions such as single person turnstiles or the ultimate man-trap authentication system. These physical security controls are specifically designed to prevent tailgating. For example, with a man-trap an individual has to be authenticated once to enter a small space that can generally only accommodate one person. They then become “trapped” within the compartment until they are authenticated a second time. Some systems will actually assign a weight to an individual’s authentication details, to ensure they’re not literally carrying someone else through the system. Although these systems prevent tailgating they are not without their vulnerabilities. For example, the authors have seen man-trap systems that allow the same card to be used to enter the system multiple times, rather than having to leave first. This means that a valid pass could be used to allow multiple individuals through.
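The man-trap weakness described above, re-entry on a card that never left, is a missing anti-passback check. The following is an added example, not code from the book or from any real access-control product, that runs a constructed badge log through a permissive controller and through one that enforces anti-passback; the card IDs and reader names are hypothetical.

```python
"""Anti-passback check for a man-trap or turnstile badge log.

Added example (not from the book). A controller that accepts the same
valid card at the ENTRY reader twice, with no EXIT in between, lets a
second person through on one credential. The hardened controller tracks
which side of the barrier each card is on and denies out-of-order events.
"""

# Constructed sample events: (timestamp, card_id, reader). Hypothetical values.
SAMPLE_EVENTS = [
    (1, "CARD-1001", "ENTRY"),
    (2, "CARD-1001", "ENTRY"),   # same card re-enters without leaving: a second person
    (3, "CARD-2002", "ENTRY"),
    (4, "CARD-2002", "EXIT"),
    (5, "CARD-2002", "ENTRY"),   # legitimate: left, then came back
    (6, "CARD-3003", "EXIT"),    # exit with no recorded entry (tailgated in earlier?)
]


def weak_controller(events):
    """Accepts any valid card at any reader: the behaviour the authors observed."""
    return [(ts, card, reader, "ALLOW") for ts, card, reader in events]


def antipassback_controller(events):
    """Strict anti-passback: each card must alternate ENTRY and EXIT."""
    inside = set()        # cards currently on the secure side of the barrier
    decisions = []
    for ts, card, reader in events:
        if reader == "ENTRY" and card in inside:
            decisions.append((ts, card, reader, "DENY: already inside"))
        elif reader == "EXIT" and card not in inside:
            decisions.append((ts, card, reader, "DENY: no matching entry"))
        else:
            if reader == "ENTRY":
                inside.add(card)
            else:
                inside.discard(card)
            decisions.append((ts, card, reader, "ALLOW"))
    return decisions


def violations(decisions):
    """Events a guard or SOC should review: every denial raised by the controller."""
    return [d for d in decisions if d[3].startswith("DENY")]


if __name__ == "__main__":
    for decision in antipassback_controller(SAMPLE_EVENTS):
        print(decision)
```

Strict anti-passback strands a card whose holder left through an unmonitored door, so real deployments pair it with a timed reset or a guard override, neither of which is modelled here.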

Another possible solution would be to assign security guards to each entrance and exit. However, this is an expensive option and could potentially be circumvented with simple distraction techniques.

Tailgating has been mentioned a few times in this book already as a technique to be used toward the end of an assessment. The reason for this is that tailgating can be very risky, especially without convincing credentials or a good cover story. No matter how much effort is put into preventing a challenge from employees, it could still easily happen. Therefore, executing tailgating-based scenarios at the beginning of a test could jeopardize the entire assessment. Tailgating is an important technique to use, but should be attempted last.

The authors have known security companies to base entire assessments around tailgating. For example, the client will say that every year a group of consultants walk around the building and try to get in. This is of “some” value to the client, but as this book has emphasized multiple times, this should only be one among many techniques aligned with the client’s actual risks. Therefore, unless the client’s main risks are from members of the public tailgating into the building and stealing from them, this technique should be an addition to an assessment and not a basis for one.

Tailgating is certainly a powerful technique and one that businesses will struggle to prevent for some time. However, as an assessor, think carefully about which vulnerabilities are being tested and how tailgating fits into the overall approach.

Lock picking

Originally lock picking was not going to be included in this book, as the subject matter has been covered thoroughly and elegantly by authors such as Deviant Ollam in books such as “Practical Lock Picking” and “Keys to the Kingdom”. There is no doubt that if the plan is to break into a building or offices within that building, then a skill such as lock picking can be very useful indeed. However, rather than attempting to condense the vast amount of material into a few pages, it was decided instead to provide a take on the practicalities of using lock picking in social engineering scenarios.

First and foremost, lock picking can “potentially” damage a lock. In the vast majority of cases the lock will be unaffected, but the chance is always there. Therefore, it is important to include this in the rules of engagement with the client. They need to be aware of the risk, however small, and make a decision as to whether the technique can be used. The importance of this became very clear with one particular client who stipulated from the very beginning that under no circumstances was lock picking to be attempted. When inquiries were made as to why, the client stated that previous consultants had used the techniques without informing them. What those consultants didn’t realize is that if any one lock was damaged and had to be replaced, then every other lock would also need to be replaced. The cost of doing this was huge in this particular situation. Therefore, attempts to carry out any lock picking were avoided, but as part of the assessment additional security controls in certain areas were recommended, as real attackers wouldn’t care whether the locks were damaged or not.

When considering the use of lock picking to access the building, such as through an external door, be very wary indeed! It is important to know what is on the other side of that door. Imagine successfully picking the lock and entering a packed office with everyone turning around to see. An obvious solution would be to perform the lock picking at night, though assessments performed in this fashion have their own set of risks. For example, what about handing over a “get out of jail free” letter to the police rather than to an employee? Additionally, real attackers would likely just break a window or force a door, which is generally outside the scope of most assessments.

The best use of lock picking is of course inside the building. Most cabinets, cupboards and drawers are secured with cheap wafer locks, most if not all of which can be easily bypassed in seconds. Bear in mind that the assessment’s objective may be proof of access to sensitive documents, in which case gaining access to cabinets may be essential. Of course, scenarios could be designed to make employees willingly open the cabinets or retrieve documents; lock picking is just one available option.

Internal office doors generally use pin-tumbler locks, and although these are harder to pick than wafer locks, they generally don’t present too much of a challenge.

The biggest challenge is not knowing how long it will take to pick the lock. It could take a few seconds, a few minutes, or even longer. Additionally, someone crouched down messing with a lock is likely to raise suspicion very quickly if anyone sees them. Therefore, only attempt to pick a lock when there is enough confidence that it will go undetected. Sometimes, if caught unawares, explaining that they are a locksmith and that the client has lost the keys can be enough, with luck.

Once you’re inside

Sometimes the objective may be as simple as gaining access to the building or to a particular restricted area. In these situations, the majority of scenarios will focus on the various ways that objective could be accomplished. However, there are many cases where gaining access to the building is just the beginning of the assessment. The client may well want to explore other areas, such as how susceptible employees are to social engineering from on-site attackers, or whether passwords written down on scraps of paper really do pose a significant risk. This is where multiple scenarios will need to be strung together and executed seamlessly, one after the other. There is always the possibility of changing tack or creating new scenarios if an opportunity is seen, but be careful to adhere to the client’s objectives and actual risks.

The authors were given the objective of gaining access to a target building and logging onto an employee’s workstation, either by obtaining their password or having them log in. Gaining access to the building was achieved and we moved from department to department attempting a series of very simple scenarios. We approached an employee explaining that we were working with the IT department to try and track down some issues they were having. We kept it fairly vague unless we were questioned further. We asked if any of the workstations or hot desks were available. Once we sat down and attempted to log in, we then approached the same employee explaining that the credentials provided by IT weren’t working; could they log in for us? Combined with a polite attitude and throwing in phrases such as “really sorry to bother you again…”, the employees were more than happy to oblige. At this point, if we were real attackers we would have been free to attack the network or install backdoors. As we moved from department to department, we would attempt a different scenario designed to identify a different set of vulnerabilities.

Remember that simply being inside the building provides a certain amount of credibility. In very much the same way as the “chain of authentication” works, the employees assume that reception has already screened the visitors.

It could be argued that the scenarios for gaining access to the building and those aimed at the employees on-site could be separated. However, assessments are often executed over as little as two to three days, which may also have to include reconnaissance and remote attacks. Therefore, unless the client has the budget to spread an attack out, there might be no other choice but to execute all the on-site attacks together.

Once inside the building it is a good idea to find a “safe haven” if necessary, to take stock and to prepare for the next scenario. This can be an empty meeting room, a canteen or, if the situation is dire enough, a bathroom can always be used. For example, gain access to the building posing as an electrical engineer, then head to a bathroom to change into a smart suit. The next scenario may be based on an internal audit or on being a new starter at the business. A relatively safe area such as a meeting room could be used to prepare, or even to attack the network, provided the network points are live. If anyone enters the room, simply apologize, explaining that you thought it was free at that time. Canteens are always a good place to prepare an approach, as these areas regularly see traffic from employees, visitors and contractors, so you are unlikely to be challenged.

Summary

The physical attack vector is often a significant part of the overall social engineering assessment. Often, the remote e-mail and telephone attacks reveal information used as a basis for the physical attack. Stringing all the attack vectors together is a good way to use the time effectively and increases the chances of success during the physical attacks.

This chapter has covered the most common “active information gathering” techniques used by attackers. These techniques can sometimes lead to a compromise of security without any prior reconnaissance whatsoever.

Executing physical attacks against a company obviously requires the consultants to be physically on-site. Therefore, any attempts at impersonation become more complicated and may require visual props, disguises and credentials. To perform effective assessments, a full kit of clothing, props, lanyards, badges and credentials should be obtained.

The next chapter will continue the theme of the physical attack vector by covering the various devices that can be used to support scenarios.
