All in Physical
It happened once. It happened again.
While we were visiting several customers in Europe, we went to visit one of our customers that always requests for deeper and better assessments on their networks and plans. A large multinational corporation, last year we managed to get their marketing plans after blending in with their marketing staff.
This year, the security director asked us to try to penetrate the Board of Director's meeting. Like last year, blending in proved to be a good tactic.
Sometimes you don't know what you agree to until it's too late. In this particular project we were testing physical security around the customer's building. The customer asked us to try to bypass their physical security measures and if possible reach a certain room and leave a note there.
It sounded like a fun project.
The next 3 weeks were spent researching the target, recon during the day and night, trying to get the right names for some social engineering attack if needed and gear, techniques and planning.
At the end we discovered a vulnerability and we thought we could exploit to get us in. The only problem was that in order to get that potential point of entry we needed to get to the roof.
Sometimes you are in the middle of a recon for a physical assessment and you find a way in, right there on the spot. Do you exploit this vulnerability or just note it for later?
I say go for it.
This was the case a few weeks back. We were performing an on-site recon: we would walk the perimeter and try to go inside the target building and learn as much as we could from atmostpherics and their security measures in place.
After about 40 minutes of roaming inside and outside the building, dressed as business people with a suit and a tie and a cellphone that never left our ears, we thought we had the site main security features, entrances, location of the targets and other details sketched, when I noticed that the service elevator on the far end of the 1st floor had the door open and no one was using it.
A few years back we performed a routine follow-up after a full Red Team assessment. The assessment was stuck after 3 days. Our customer really took our report and suggestions to make their security tighter to the letter.
We were unable to find a way in via their public facing networks. On the physical side, the recon showed us that their guards and general security posture were also upgraded. During the 3 days phyical recon, we observed they put in place not only our suggestions but also hired an expert to make sure their security was tight. It was good to see this.
However, now we had a challenge and since we don't like to give an empty report to the customer...
Sometimes you spent weeks trying to figure out the best way to infiltrate your target, whether digitally or physically.
Sometimes all it takes is a trip to the back of the building.
A few months ago we were performing an initial recon on a new customer. He wanted us to check whether his security team did a good job in setting the perimeter. The finaly target was one of the server rooms inside the building, where their data center was located.
We arrived after hours and after laying low for a few hours, observing and collecting atmospherics, we decided to go around the perimeter to map it. In the past we've found vulnerable points of entries that were no visible from a single OP (observation post).
As we were coming to the back of the building, we noticed that the trash collecting trucks were leaving the building. The gates were open and there was no guards there, only a camera. We layed there observing for 40 minutes and nothing happened. After a brief exchange we went for it.
We needed to access the server room of a security company. The target was one specific server that was not accessible via the internet or their internal network. It was well protected by an air-gap and really tight access controls.
We decided to go at it by hand: break our way into the building, find the server room and mannually disable the server as a way of saying "we were here".
Entering the building was complicated but after several days of recon we managed to come up with a plan that worked.
Once we were inside the building we began looking for the server room. We didn't have much time, people could challenge what we were doing at any moment and while we had a cover story, it would not hold for long, especially since we didn't have time to fake the ID cards or the visitor badges.
At the end, it was a cleaning person that pointed us to the server room. Once we arrived there, we noticed two things: there was a camera on top of the entrance (and we knew that all cameras were being monitored) and the serve room had a commond lock on the door, no ID card reader or keypad.
What?
Yes... These people invested in top of the line security but they had a simple lock on the server room.
A few months ago we had a very interesting physical assesment of the offices of a new customer. The security director wanted to know the current state of their physical security and how aware were their employees of threats.
This is a small startup company, but doing very interesting work in the security field themselves.
The director told us: *you can do whatever you want and exploit any and all vulnerabilities you find. Just let me know immediately.*
The time frame was set to 2 days. So we set to work.
The first day was used for a quick onsite recon. I went into the building where the customer's offices were located, while JD scouted the perimeter.
The main entrace was guarded only by a keycard reader and a locked door. So, I waited *on the phone* for a few minutes until a person working in the building came in and opened the door. I walk right after him, still *on the phone*. He never challenged me or asked me not to tailgate.
In the meantime, JD found that the back entrance was guarded only by a very shiny but easy to pick padlock. It had a nice sign saying
"Restricted Area. No Unauthorized Personnel Beyond This Point".
