While on a business trip in Boston, MA, I was asked if I wanted to join a fellow co-worker to test the security of a company at a nearby location. I said yes and took the opportunity to join my co-worker, assuming I would be conducting a network or web application pentest. I was later told that I would be physically testing the security of a company. This was a chance for me to be a part of my first physical pentest engagement and learn about such a niche field in cyber security.
Some of you may be asking: what is a physical pentest? Well, a physical pentest is where a company hires you to legally break into a building or location to test their security guards and physical security mechanisms. The goal of the operation is usually not to be destructive, but to emulate a malicious individual trying to steal information or gain access to a secured location for malicious purposes. A physical pentest involves the same general steps you would take to conduct a network pentest. The steps would look something like this:
During the passive recon phase you collect information about the target without interacting with it. In a network pentest this could be something like using tools such as the Wayback Machine or Shodan.io, or using DNS tools to find sub-domains. On a physical pentest this could involve taking photos, using Google Maps to view satellite images, watching security guard movement to learn their routines, or even noting entry points around the premises. There is a lot more involved on a physical pentest that I haven’t listed, but this is what I did on my first physical test.
When it comes to active recon you are directly interacting with the target. In a network pentest this would look something like using nmap to scan external, internet-facing computers, but in a physical pentest this could be walking around the building, or even inside it if it is a public building, to get a closer look. There are many ways to go about conducting active recon on a physical pentest. Since this phase of recon requires you, as the attacker, to interact with or take a closer look at the target, there is a possibility that you will be flagged as suspicious if it is not done covertly. In the end this could ruin the entire operation and get you caught very fast.
Now that the recon phase has been completed, we must create an execution plan. In a network pentest you would assess the recon you have collected and decide which computers and possible paths of compromise you can take to move laterally or pivot throughout the network, similar to how you would use BloodHound or PingCastle. In a physical pentest you would do the same: take all the collected info and devise a plan to breach the perimeter and accomplish the goal.
This is where the fun begins. Now that you have collected all the information you can and devised a plan, you can begin to test the security using whatever tools are needed to accomplish the mission. Some tools that may be used are lock picks, shimming tools, balloons, a can of air, gloves, a costume, a camera, a notebook, etc. Those who conduct physical pentests have different tools in their “Go-Bag” when it comes time to test a client.
I was in Boston, MA at the time when I was assigned to conduct this test. I was working with a co-worker who has been in the physical pentesting industry for quite some time, has spoken at many conferences, and has even worked for people like Kevin Mitnick. It was an honor to work with someone with so much experience on my first physical test, so I tried to learn as much as I could while I was with my co-worker. The company that hired us was in the heart of downtown, in a multi-tenant building that was shared by a large retail store and some other small businesses. The goal was simple… make it to the fourth floor or above and try not to get caught. If we made it to the fourth floor or above, we were directed to stay where we were and call the point of contact.
Before driving to the target location, I was given a single-page document that stated the details of what my co-worker and I were hired to test, the dates and times we were allowed to test, and a final statement that if we were caught by police or security guards, they should contact the point of contact, who was a member of upper management at the company we were hired to test. No one at the target company knew we were coming to physically test their security other than the point of contact at the company, my co-worker, and I. We were given three days of testing, which is a very small window to conduct a physical test. Since my co-worker also happened to be in town, she booked a room at a sketchy apartment for a few days near the target building, since it was the only cheap place near the client’s building; most of the hotels in the area were costly.
She told me that since she had already been in town for a few days prior to meeting up with me, she went ahead and conducted some recon. She said that she walked around the building acting like a normal citizen and discreetly took photos and video of the building. She was interested in things such as windows, the security guard shack, physical security devices, egress doors, and other doorways on the outside of the building. She also sat in a nearby building watching and making note of employees of the target company going in and out, surrounding people, nearby buildings, the setting of the local area, and security guard movement. She also walked around the retail store, which happens to be one of the largest tenants in the building we were testing. She made note of interesting doorways and elevators that might lead to the upper floors of the building.
So, I took an Uber to meet my co-worker at her apartment so we could begin the engagement. In order to get to the room she rented, you had to go through a small door in the alleyway, then ride up an old elevator with flickering lights that was sketchy. Once you reached her floor you could smell people cooking in the community kitchen, had to avoid torn wallpaper and smoke stains on the ceiling, and could hear people arguing, talking, or watching TV through the thin walls of the neighboring rooms. This would not be my ideal place to stay, but the show must go on… Once I got to her room, we greeted each other and began discussing plans on how to accomplish the goal. She started by sharing what she had collected during her recon, and we used tools such as Google Maps and Bing Maps to devise a plan. After viewing the satellite images online, my co-worker had this crazy idea. In Google Maps there was a shipping container with a ladder next to it that led to a ledge; my co-worker suggested that I climb up this and then, once on top of the ledge, use a grappling hook she had bought to scale the side of the building. Although this seems really cool and sounds like something out of a James Bond movie, we decided later that this was not the safest option, and we were not willing to risk that.
Once we had collected some more recon online, we decided to split up and go do some more in person. When we walked outside near the building, we split ways so we wouldn’t be suspected of working together while walking inside and outside the building. My co-worker headed off to test a door she had found during her earlier recon that might lead her to the fourth floor. I was tasked with walking around each level of the building and jiggling door handles that I suspected would lead me to one of the building’s stairwells, which would then allow me to get to the fourth floor or above. I walked around several floors and found two unlocked doorways in different locations. One door led me to a small room that was about 8 ft by 8 ft. In this room there was some trash and broken items from the nearby retail store, but there was also another door with a stairwell behind it. The only issue was that the door to the stairs had some magnetic security sensors above the doorway. On the front of the door was a fire escape map, so I took a photo of it with my phone, marked where I was, and began searching for another possible way to the client’s floor. After some searching, I found another unlocked door with no labels on it that led to a room with pipes and electrical components for the building. On the back side of the door was an evacuation plan, so I took a photo of it in case of a fire and so I could mark which doors I had tried and which I hadn’t successfully opened.
Now that I was in this room with all the pipes, I noticed that there was a 2-foot-wide gap between the wall and the pipes. These pipes ran all around the building, but only gained me access to the electrical and maintenance rooms. After crawling around, I found another door in the pipe room that led to another room filled with the retail store’s stock. In this same room was a whole server rack. There were no cameras or security devices in the room, and if I had been hired to test this specific tenant’s security, I would have already had access to a server and been pivoting through their network. Since this server was not in scope and not owned by the client, I left it alone. I continued to search for another path that would lead me to another part of the building but had no success. Since the physical testing contract stated that we could only test during specific hours, we had to call it quits for the day. I headed back to my co-worker’s rental apartment, and we shared what we had found and the pictures we took to figure out another way to get access to the upper floors. We then devised a new plan for the next day of testing, and I headed back to my hotel to get some rest.
Early the next day my co-worker and I met up and contacted the point of contact at the company we were testing to let them know our plan, since we hadn’t found a point of entry on Day 1. Our plan for Day 2 was to use an ESPKey implant on the RFID readers at critical points around the building.
This device would allow us to clone cards and replay the same card data to impersonate a card and get the door to open. Since this is intrusive and requires cutting the shielding around the wires behind the RFID readers, when we spoke with the point of contact they decided that they didn’t want us to cut or even alter the cords behind the RFID readers. So, this attack vector was now out of scope. Since we were out of options, we decided to use the “Hail Mary” plan, which was to use the Otis fire fighter keys to control the elevator and get access to the client’s floor. So, we went ahead and printed some signs that said “Fire Alarm Testing in Progress”. After studying the evacuation map and physically walking around the building, we knew exactly which elevator would allow us to get to the client’s floor, and we placed our signs around the area.
We both went to the elevator, one of us placed the key in the slot, and we waited and listened for people to get off the elevator on the floors above us. We didn’t want to impede anyone doing their job or have people on the elevator when we got on, so we waited and listened. The elevator dropped someone off on the floor above us, then went down past us and dropped someone off on the floor below us, and then came back up and arrived at our floor. There just happened to be two security guards for the client’s company on the elevator. My co-worker, with more experience in physical pentests, spoke for the two of us and acted as if we were just doing fire alarm testing and ensuring the fire fighter keys were working. The security guard said that was odd, because they had just had fire alarm testing the week before, and in order to even do fire alarm testing it needs to be approved by building management. The security guard then asked for a business card to prove who we were, and my co-worker began looking through her backpack even though we both knew she didn’t have one. She then made up a story telling them why neither of us had a business card and told the security guards that we could go grab some from our van and meet them at the front desk to sign in. They still didn’t believe us and didn’t want us out of their sight, so they told us to follow them to the security desk so they could sign us in, call their boss, and speak to our manager.
Once we got back to their guard shack, they called their boss first, and he told the security guards that they had already had fire alarm testing, that we must be doing something fishy, and to call the police since we were trespassing and had Otis keys. At this point we had to give them our “Get Out of Jail Free” card, which was just the contract we had been given at the beginning of the engagement explaining what we were doing, that we were allowed to be on the premises, and that we were testing the security of the building. The security guard then called the CISO of the company and asked if this was true; he confirmed that we had been hired to do this test, and they held us in the security shack until the CISO came downstairs to get us. When he came down he signed us in and took us up to the conference room to give a briefing on the findings we had noted. When we got to the conference room we were met by the head of security. When he came into the room he was yelling, saying that he was still going to call the police to have them take the Otis keys and charge us; my co-worker refused to hand over the keys and managed to calm the head of security down.
I was sitting quietly watching this discussion go on when the head of security turned to me and said “Who are you?” and I said “I’m the computer guy and this is my first physical pentest… but you’re lucky that I didn’t get to the datacenter on the fourth floor or access to one of the computers, because if I did then I would have been on the network and you would find me.” The head of security gave an expression of complete shock and was then glad that his security guards had stopped me, because if I had been a real threat actor he would have been in a lot of trouble or possibly fired. We then discussed some ways they could tighten their physical security, some doors that were left unlocked or unguarded, and our findings. After wrapping up discussions, I asked the head of security if they could show us the doorway I had been going to attempt to open but didn’t, because I was unsure due to the ADP magnetic sensor above the door. He walked me through the building, showed me the opposite side of the door, and told me that if I had gotten in, it would have led me straight to the fourth floor. I was so happy that I had found this, but also upset that I didn’t risk it and try the door earlier. The client made note of the door and said that they would fix this physical security issue. I was so close to achieving the goal of getting onto the client’s floor! Maybe next time.
We may have gotten caught on my first physical pentest, but I still managed to bring value to the customer by discovering that doorway, discussing and reporting my findings to the customer, and learning something myself.