A physical penetration test is an evaluation of the security controls that exist in a physical environment to prevent unauthorized access. These security controls could include the implementation of badge-controlled doors and elevators, security cameras, security guards, and even man traps. The primary objective of this assessment is to identify weaknesses within these controls and attempt to circumvent them as an on-site attacker would. If you’re new to performing a physical penetration test or have little experience doing so, here are a few things that should help you get ready for your next engagement.

Be the insider

Always remember that fitting the profile and blending in as an insider is one of the most critical things you can do to accomplish the objective. Once you have the lay of the land, have conducted reconnaissance on the target, and have planned out your attack, you will also need the proper tools to carry out the job.

Fit a Profile for Impersonation

While you’re on-site, you want to blend in with the employees of the organization to minimize the chances of being approached by security or other employees. For example, these are some things that you can wear or carry while performing your assessment:

  • Fake badge look-alike
  • Look-alike clothing
    • Industry or company specific attire
    • Compliance Auditor
    • Pest Inspector
    • Printer Technician
    • AT&T Technician or Service Member
    • UPS Delivery Personnel
  • Pack of cigarettes or E-cig (Public smoke areas, yep you smoke if you did not before)
  • A cup of coffee

Toolkit Arsenal

In many cases when performing a physical penetration test, you will end up in situations where you need an extra set of tools to accomplish your goals. For example, you may need to get through a door whose lock does not take much effort to pick, or you may end up in a situation where you’re able to plug into the network. These are some tools that you may want to consider adding to your arsenal before going on your physical penetration test engagement.

  • Monocular or Binoculars
    • Useful when you want to observe security guards and high-traffic areas from a long distance without being spotted.
      • Vortex Optics Solo Monocular 10×36
  • Cameras
    • Important equipment for taking photos of client documents, facilities and the area you have gained access to. Photos are used for evidence and documentation in later reporting.
      • Cell Phone Camera
      • Spy Pen Camera/Recorder
      • Miebul or Hanpeng Recording Spy Watch
  • Cables
    • Power, Cat5/Ethernet Extenders, Console, HDMI, USB/USB Extenders, etc.
  • Switch
  • Power Bricks
  • Motion-Sensor Bypassing Tools
    • Compressed Air Duster
    • E-Cig (try blowing smoke near the sensors)
  • Wire Clothes Hanger
    • Always comes in handy when least expected
  • Lock Picks
  • Bypass Tools
    • Bypass Drivers
    • Quick Jim
    • Quick Shims
    • Stretcher Under Door Tool
  • Technical Tools
    • Laptop(s)
    • Mouse and Keyboard (Pocket Size)
    • Drop boxes (pcDuino3, Gigabyte Brix, Raspberry Pi, Odroid, etc)
    • USB drive(s)
    • USB Rubber Ducky or Teensy
    • LANturtle
    • BashBunny
    • Packet Squirrel
    • WiFi Pineapple
    • CrazyRadio PA (Mouse Jacking)

Conclusion

Physical penetration test engagements can be rather intimidating the first time, or even if it’s been a while since your last assessment and you’re getting ready for your next one. In some cases, consultants draft up a list of potential scenarios that could occur so that they know how to respond. In reality, many organizations simply don’t have physical security controls in place. Additionally, employees generally do not feel empowered enough to walk up and confront an unknown visitor, so unless you’re walking into an extremely secure environment, there may not be a high chance that you’ll get confronted.

Most importantly, while conducting this assessment, take notes on every piece of information about the environment and every potential security flaw you observe, even if you don’t use all of that information later. During these engagements, it’s not uncommon for consultants to get so deep into what’s going on that they can’t remember some of the initial observations they made when entering the facility.

Reach out to us on Twitter (@vonahi_security) if you have any questions!