As a computer security person mostly, the other side of security is often overlooked by me (and probably others) this is just a small document to outline some physical risks for a company and things you should be awear of when performing a penetration test.
This is by no means a definitive list, but hopefully will show you various attack vectors for an outsider. Hopefully you will find something new or it will inspire someone to explore a new technology/technique. Maybe it will serve as a good checklist of things to prepare before a test.
I think the first and most important thing to get before any pentest is your “get out of jail free card” this is a document to be signed by the company authority and the penetration testing team outlining the allowed and disallowed methods and areas allowed to be tested.
A good template to build upon is available here: http://www.counterhack.net/permission_memo.html
You should carry this with you each time you visit the target company and make sure you have copies made just in-case something happens to the original!
Access Control
Most forms of access control can be bypassed, usually trivially. some of the common forms of granting access are:
Locks
Locks are everywhere, they come in a variety of sizes, shapes and flavors. and pretty much every one can me bypassed. Generally speaking in a penetration test destructive entry techniques aren’t allowed, however you might be in luck with non-destructive entry.
Lock picking is a great thing to know how to do regardless of penetration testing and easy to learn. You can pick up a beginner set of picks and cutaway practice locks from http://www.ukbumpkeys.com which are more than adequate for the majority of locks. I would also recommend “the ultimate challenge lock” from http://learnlockpicking.com. This is a lock with un-screwable plugs above each pin allowing you to re-pin it into different configurations, and also comes with some security spool pins (which aren’t much harder to bypass once you know the technique)
RFID
This is the latest technology being adopted my seemingly anyone who needs access control, from bank cards, oyster cards, passports and everything in between… pets have been chipped with RFID and even some people. The beauty of it is that it’s cheap and easily deployable… also for us security people, easily hackable.
With just the latest smart phone with NFC (a similar technology) you can read, clone and replay RFID data https://github.com/ikarus23/MifareClassicTool. There are also a variety of devices to do just that readily available on-line. Ebay for example: http://www.ebay.co.uk/sch/i.html?_sacat=0&_nkw=rfid+copier&_frs=1.
How do you tell if a company is using RFID? if you see people swipe a badge or key-fob near a box attached to a door but not actually touching the box, it is more than likely RFID.
Bar-code
Some companies give the employee’s badged with a bar-code on it. This is a great alternative to RFID (and possibly cheaper) the good thing is if you need to issue a guest pass rather than possibly sacrificing a RFID card (not getting the badge back) they can easily type the persons details into a computer that will generate the bar-code to be printed onto paper (most likely put in a plastic lanyard case)
Attacking bar-codes you need 3 things. Firstly you need to know what type of bar-code is being used… a great place to find this out is at http://www.dlsoft.com/barcode_types/identify_a_barcode.htm. Then you will need to decode the bar-code. There are a lot of on-line resources to do just this, two I have used in the past are: http://www.onlinebarcodereader.com & http://zxing.org/w/decode.jspx. Now you will be looking to create your own bar-code for printing, I’m guessing with altered details, your name or a modified guest pass with the current date. some tools to do this are at http://www.barcode-generator.org or http://barcode.tec-it.com.
Magstripe
I’m sure everyone is awear of masgtripe technology, it’s known mainly from bank cards alough is often used in general access. Readers and writers for this are readily available, a simple google will bring up results like “http://www.mag-stripe.com“, again ebay is a great place. If your looking for a more DIY version they can easily be ready from the head of an old tape player (http://hackaday.com/2012/04/18/reading-credit-cards-with-a-tape-head/)
CCTV
You may encounter CCTV, especially in UK which has the highest CCTV density in the world! One simple thing you should do is try to find “blind spots” places that aren’t able to be seen by CCTV. This however isn’t always an option.
Some CCTV cameras are wireless and can be intercepted, weather it’s IP or analog, both are easily hackable with a quick google (e.g. http://jhwilbert.com/projects/signalhijack/) Your best bet here is trying to identify the make/model of the camera and finding out how you can “tune-in” to the signal.
There is sometimes the option to blind (or destroy with enough power) a CCTV camera with a lazer. heres a tutorial with some great examples: http://www.naimark.net/projects/zap/howto.html
If you can’t do these but temporarily need to stop the guards seeing whats happening a TV-B-Gone might be the device for you (http://www.adafruit.com/products/73) These send out the signals for a list of “off-codes” for TV’s, However if the CCTV is storing the feed either on a computer or other medium you will obviously still be in there.
Social engineering
OK… where to start with this one?! This could be an entire series of blog posts. My advice would be to read, read, read then practice an equal amount! two great books to get you started I would recommend are:
The art of deception – http://www.amazon.com/books/dp/076454280X
The art of human hacking – http://www.amazon.com/Social-Engineering-The-Human-Hacking/dp/0470639539/
You need a varied skill set for this, psychology, NLP, reading people, micro expressions, body language and loads more. There is also a podcast I would recommend: http://www.social-engineer.org/podcast/.
If you are still thinking computers and social engineering, there is a great toolkit available at https://www.trustedsec.com/downloads/social-engineer-toolkit. It includes everything you will need to perform a social engineering engagement from setting up web services and reverse connections to generating email templates for you to send to the target.
Dumpster diving
Yea we know, it’s mank, messy, smelly, disgusting work. But it does usually have lots of juicy info in it. it’s worth mentioning.
Audio surveilence
If you can’t gain access to the building it might be worth looking into seeing if you can get direct lign of sight to a room of interest from across the road. If you can you can cheaply build a bug that will get audio by reading a the vibrations of a window. How? with lazers of course! http://www.instructables.com/id/Laser-Surveillance-System-for-under-$20/
If you can get access to the room then bugs are cheap and found online with minimal effort. You could also build one easily and cheaply with little soldering skill e.g. http://www.lucidscience.com/pro-basic%20spy%20transmitter-1.aspx
Bluetooth
I can’t say I’ve had much experience with bluetooth security, other than knowing the basics and what is possible with it. A popular Bluetooth dev board is the ubertooth one available from: http://rfidiot.org/. I’m told that with this you can intercept and modify bluetooth data.
After a quick google I found what seems to be a decent presentation on how to listen in on bluetooth devices (like mobile phone headsets) http://www.willhackforsushi.com/presentations/icanhearyounow-sansns2007.pdf.
On top of this bluetooth keyboards are becoming adopted more and more and of course these can be sniffed – wireless keylogger anyone?
Keyboard
If you can get access to a keyboard it’s usually jackpot.If you already have credentials then game-over really. If you don’t then you most likley want to set up a key logger. These are also cheap and readily available: http://www.amazon.co.uk/s/ref=nb_sb_noss?url=search-alias%3Daps&field-keywords=usb+keylogger
If you managed to get someone away from their computer for just a couple of seconds thats enough to gain further access, The use of the teensy is my prefered method, being cheap and easily programmable, it acts as a keyboard. So the second you plug it in it types what you have programmed it to type! you can get one at: http://www.pjrc.com.
Irongeek was one of the first to think of this great use for it and his writeup/tutorial can be found at: http://www.irongeek.com/i.php?page=security/programmable-hid-usb-keystroke-dongle
Hak5 then adopted and modified irongeeks idea, after a while they developed their own device which seems a lot more capable, it however has a slightly higher price: http://hakshop.myshopify.com/products/usb-rubber-ducky
Network
I won’t go into too much detail here (this blog is already long enough) but if you already have access to the internal network it’s also game-over, you’ve won. two products I would recommend for either gaining or keeping network access are the “lan tap” and the “wifi pineapple” both available from: http://hakshop.myshopify.com/ I’ll leave it up to you if you would like to have these in your kit, I for one would love to have them. I highly recommend reading what their about and the documentation to go with them.
In conclusion I hope this has made you think about physical security, possibly you might have learned something. If you have any questions just put them in the comments below.
As always, likes & shares are always much appreciated.