Access Granted
Practical Physical Exploitation
Ralph May
Black Hills Information Security
TRAVIS WEATHERS
BOLO
Optiv Security
AGENDA
Rules of engagment
Goals & objectives
- DO
- Host a call to determine what the client wants from the assessment.
- Ask what keeps the client up at night.
- Ask who else should be involved in the planning process.
- DON'T
- Assume that getting DA, planting a device, and accessing the Data Center is the client's end goal.
- Forget to inform client stakeholders that the planning and execution need to remain confidential.
- Forget to capture information about facility ownership, security, and incident response planning.
Do's and Don'ts of Planning
authorized actions
Actions are always determined by the client's intent, and they should align with the engagement type.
| Engagement Type | Intent / Goals | Authorized Actions |
|---|---|---|
| Facility Breach (Opportunistic Approach) | Gain access to the power XYZ distribution plant | Badge Replication Badge Cloning Seruptitous Entry Access Control Bypass Lock-picking Social Engineering Tailgating / Piggy-backing Digital Exploitation? (e.g., remote red team) |
| Social Engineering | Influence security staff to grant access to the facility | * Impersonation of employees/vendors Badge Replication Tailgating |
| Tailgating | Assess newly installed anti-piggybacking controls | Badge Replication Tailgating / Piggy-backing |
* Impersonating a local/federal government employee/agency is against the law and will land you in jail
prohibited Actions & Areas
| Engagement Type | Authorized Actions | Out of Scope / Off-limits |
|---|---|---|
| Facility Breach (Opportunistic Approach) | Badge Replication Badge Cloning Seruptitous Entry Access Control Bypass Lock-picking Social Engineering Tailgating / Piggy-backing Digital Exploitation? (e.g., remote red team) |
Removal of employee/client documents/electronics Accessing the CEO's office Picking the loading dock door |
| Social Engineering | * Impersonation of employees/vendors Badge Replication Tailgating |
Impersonation of local/federal government employee/agency Escalation/redirection, if discovered |
| Tailgating | Badge Replication Tailgating / Piggy-backing |
Tailgating into doors past the initial point of ingress/egress |
While certain engagement types typically involve specific actions, allow the client to determine what is authorized based on their comfort level.
response planning
Must have items (ideally on a single page):
-
Who:
- Who are the practitioners that are authorized to perform testing?
- Who are the primary and alternate (client) contact points should something go wrong?
-
What:
- What actions are authorized to be performed?
- What is considered to be out-of-scope or off-limits?
- When: When does the testing window open and close?
- Where: Where will testing take place? Be sure to specify client occupied floor(s) on mult-tenant facilities.
- Signature: Ensure that an authorized client representative signs the document. This is not always the same person that hired you.
Authorization & Access Form / Letter of Authorization
Remote Recon
GeospatiaL RECONNAISSANCE
| ACTION | ACTIONS | NOTES |
|---|---|---|
| Arial Map Analysis | - Determine the general layout of the facility/campus. - Determine employee density through analysis of the parking lot/structure size. - Identify nearby establishments that employees may frequent. - Traffic patterns in and out of the area |
Use various mapping sources (.e.g, ArcGIS, Bing, Google Maps/Earth, etc.) |
| Street View Map Analysis | - Identify camera placement & viewing angles. - Chokepoints that can be leveraged for badge cloning - Areas that might be best situated for in-person surveillance - Parking and facility ingress/egress points |
Can you determine the location of trash recipticals or security staging locations? |
GeospatiaL Reconnaissance Camera placement & viewing angles
GeospatiaL Reconnaissance Chokepoint Identification
Social Media / Website
| ACTION | INTENT | NOTES |
|---|---|---|
| Instagram: Badge Brand & Layout | Search company name, address, and hashtags and follow the rabbit hole. | The intent is to make a replica badge before ever stepping foot on-site. |
| LinkedIn/Company Website | Identify personas that can be used during social engineering. | Capture names, department structure, contact information, technologies, open positions, subsidiaries, other locations. |
Social Media
ENVIRONMENTAL
Understand the location and prepare for any compliance-driven safety requirements:
| Industry | Regulating Organization | Might Need |
|---|---|---|
| Power Distribution | OSHA Part 1910 | Hardhat, Gloves, Safety Glasses, Boots, etc. |
| Healthcare | NIOSH/OSHA/CDC | Mask, lab coat, safety glasses, gloves, etc. |
on-site Surveillance
Considerations
- Once you're compromised, the engagement is compromised
- Only perform actions that are needed to meet engagement objectives
- Only carry the tools required to perform a specific task(s)
- Have a method to log your activities
- Blend into your environment
- Have a plan to defuse confrontation
- Carry the authorization letter in your front pocket
- Communicate with your primary contact prior to performing any on-site actions
Security Posture
- Roaming guards, stationary, both?
- When are the shift changes?
- Are guards on-site 24/7 or only during business hours?
- Confirm/analyze camera placement and viewing angles.
- Lighting - particularly in and around ingress/egress points.
Access Control Types
Digital Access Controls
- Is the company leveraging cloneable technology (HID Prox, iCLASS, Indala, etc.)?
- If iCLASS SE readers are used, legacy support might be enabled.
- If multiCLASS SE readers are in place, it's possible that the building has been retrofitted, and multiple technologies may be supported.
Easily Bypassed Controls
- Doors that may have a REX sensor
- Unprotected / easily accessible crash bars
- Exterior doors that are missing latch guards
- Weak mechanical locks***
EMPLOYEE Analysis
- Badge exposure policy?
- Are employees concealing their ID cards as they exit the facility?
- How are the badges typically worn (e.g., hip/neck, clasp/lanyard)?
- Operating Hours:
- Morning arrival window?
- Lunch?
- When is COB?
- After-hours cleaning crew?
- What is the general business attire?
- Backpacks/briefcases allowed?
- Cellphones?
- Does it look like employees tailgate each other?
Threat Profiling
PRIORITIZATION
Compilation of remote & on-site recon to determine the most likely path to success with the least resistance while remaining within the limits and intent of the engagement.
PRIORITIZATION - Examples
| Attack Scenario | Observations | Effort | Risk |
|---|---|---|---|
| Badge Cloning | - Employees expose badges outside the facility - Facility uses cloneable access card technology - Coffee house directly adjacent to facility |
- Off-site staging is possible - Cloning efforts can occur in line or at multiple chokepoints - Long-range reader required |
- Risk of discovery if too close - Risk of discovery off-site - Chance of RF interference - Chance of capturing third-party access card crendentials |
| Social Engineering | - Building is adequately hardened (e.g., bio-metrics, anti-piggy backing controls, etc.) - XYZ service vendor performing facility repairs - Limited access widow for testing |
- Telephony spoofing for pre-validation (client employee) - Telephony spoofing for pre-validation (XYZ vendor) - Pose as XYZ oversight manager - Create a replica vendor ID card/business card, etc. - Off-site validation |
- Direct exposure to security guard - Only one chance at success - Pre-validation fails - BOLO |
| Surreptitious Entry | - Access to unprotected door on second story balcony | - Use of ladder/rope/grappling hook - Limited to after-hours |
- Roaming guards - Possible view from a wide-angle security camera - Exposure from overhead lighting |
scenario development
Badge Cloning
| Engagement Goal | Required Tooling | Timeline | Cover Story |
|---|---|---|---|
| Gain access to the production floor and access intellectual property | - HID Prox reader w/doppelganger for cloning - Proxmark3 / iCopy-XS for writing card data - Replica ID Card - Method to unlock / shell workstation or drop-device - Authorization Letter |
Complete: Create Replica Badge (found on Insta) 08:00-08:30: Arrive Coffee Shop for cloning 09:00-11:00: Write cloned card data, validate drop device works, finalize cover story 12:30-12:45: Enter the facility during lunch, identify the production floor location, and plant the device/shell workstation if possible 13:00: Depart facility |
Sent from XYZ department to investigate malfunctioning widget that was generating alerts. |
Unauthorized Access
intent
- Fully understanding the client's intent, contract, and authorization letter prior to performing any actions remote or on-site will mitigate 95% of issues and 99% of legal complications
- Don't get complacent:
- Read the scoping and authorization documents once more before you attempt to enter the facility.
- Communicate with your primary contact prior to performing any on-site actions
CONSIDERATIONS - Facility Size
- Large Tenant > 100 Occupants
- Larger facilities allow a phased approach to internal operations.
- Small Tenant < 100 Occupants
- Smaller facilities will often require an atomic approach to internal recon and exploitation to minimize exposure.
scenario execution
- Never leave a facility in a less secure state
- Do NOT deviate from the plan!
- Ensure that you have a copy of your authorization letter
- Have a method to log your actions in real-time
- The longer you're on-site, the more likely you are to be caught
- Do NOT deviate from the plan!
- If you're unable to achieve your goal within the time allotted, depart (or have an alternate time)
- If you were successful, do not go back in (unless required by scope)
- If your nerves get the better of you, find a restroom and relax
- If no one else is walking around talking on their cell phone, don't do it
- Don't get carried away! Do NOT deviate from the plan!!!
interior reconnaissance / ACCESS
I'm in now what?
Tips for success:
- Note turnstile, mantrap, elevator, and stairwell placement (card access required?)
- Fire evacuation map:
- Identify alternative points of egress
- Are goal locations depicted on the map?
- Note guard/receptionist situation
- It is okay to leave and come back
- Remember to blend in:
- Don't carry a bag in the middle of the day if no one else is
- Don't talk on the phone if others are not
- Badge placement and attire should match as best as possible
Post-Exploitation
goals
- Remember that goals are predefined
- If you identify a significant issue, discuss options with your client
- This could alter/increase goals and subsequently LoE
- Better to call out critical issues in real-time vs. post-mortem
- Sometimes it makes sense to transition from an evasive engagement to a collaborative/exhaustive walkthrough
Business impact
If you're in, the impact of access has been illustrated.
| Goal / Intent | Example Scenario | Impactful Evidence |
|---|---|---|
| - Access to People - Concerned about active shooters |
News organization wanted to see if it was possible to access reports while on-air. | - Photographs inside the newsroom - Photographs near/around the motor pool |
| - Network Compromise - Damage to SCADA equipment |
Power Distribution company wanted to see if it was possible to gain physical/remote access to SCADA equipment. | - Drop device planted within the SCADA environment - Photographs of equipment / office space |
| - System Compromise - Loss of money / ransomware |
Client wanted to see if it was possible to gain access to air-gapped systems inside of a SCIF. | - Pre-boot authentication? Kon-boot? - Mock ransomware install - Bidged drop device (e.g., ethernet to wifi with secure tunnel) |
exit
GET OUT!
Reporting
Documentation TIPS
- Don't wait until after the engagement to start the report
- Have a system for logging your actions:
- Cellphone photos work great
- At a minimum, precise times of entry and exit should be collected
- Log when and where you were for recon and what was observed
- Cellphone setup tips:
- Dim screen to barely visible
- Disable shutter noise, notifications, and vibration
Narrative - Executive Summary
Be clear and to the point:
- We assessed XYZ facility during this timeframe
- Access was granted through the use of XYZ method
- Access was possible due to XYZ security gap
- We were/were not confronted by employees
- We recommend the following remediation steps
Narrative - Attack scenario
Be clear and to the point:
- Create a site map that illustrates the following items:
- Points of egress
- Camera placement
- Compass direction
- Any other areas/objects that are relevant (e.g., smoking areas, areas where badge cloning occurred, etc.)
- Without going into exhaustive levels of detail, discuss the actions in a way that allows the client to reference surveillance footage.
- Example: On September 15, 2023, at 13:33 Eastern, XYZ entered the facility through door E2 using a cloned access control card...
- Example: ...After planting a drop device under the desk in room 103, XYZ departed the facility through door E1 at 13:55 Eastern, ending on-site actions.
defendable timeline
Avoid legal issues & prevent "he said/she said" situations
- While needed for the report, keep a detailed log of your actions
- Be able to defend your work and timeline with evidence (e.g., meta-data contained within photographs)
- Ensure that you're remaining within the confines of the authorization letter
Three Days / Tampa, FL
- Project Scoping, Legal Protections, Documentation
- Remote Reconnaissance
- Digital Surveillance
- Serruptitous Entry Tactics
- Badge Cloning & Replication
- Post-Exploitation
- Live Physical Exploitation (CAPEX)
Tooling Available
Practical Physical Exploitation Kit
- Long-range RFID readers running doppelgänger
- Common Bypass Tools
- Proxmark3 / iCopy-XS
- Blanks Cards (iClass & T55x7)
- Post-Exploitation Tools
Everything you need to get going, without the fluff and endless days of resourcing, soldering, and troubleshooting.
Read about our SHENANIGANS
