10. While performing the initial onsite recon of a building, an important thing to remember is that sometimes “the path least traveled is the path of least resistance.” Main building entrances usually have several layers of security, such as cameras, security guards, and access control doors, making it significantly harder for an unauthorized person to gain entry. Instead, look for secondary entrances such as a loading dock or maintenance door, where access controls are typically more lax, or at least less actively monitored.
9. Pack light, travel fast. Although in theory it might seem like a good idea to be prepared for any situation you think you might encounter on a physical penetration test, 9 times out of 10 the best way in will be the simplest. Knowing this, there is no need to carry around a backpack full of spy gear. Not only will it make you stick out like a sore thumb, but it will slow you down and limit your mobility. A middle ground between carrying nothing and carrying “the kitchen sink” is to pack two kits: one with the bare essentials that fits in your pockets or in a small bag, and another, more fully stocked toolset in the car or stashed someplace close by. If you do find a need for a specialized tool, you can always go retrieve it.
8. Just because a building has security guards does not mean it is more secure. It is fairly common for an outside third-party security company to be hired to provide security guards for a company. These security guards usually work long hours for less than adequate pay and have little to no security background other than the introductory training they received after being hired. In most, but not all, cases these working conditions produce a less than diligent security guard, thereby making it easier to social engineer or completely circumvent the security guard sitting at a company’s main entrance altogether.
7. The average work day starts at 9:00 am and ends at 5:00 pm; this does not apply when performing a physical penetration test. Unless the rules of engagement restrict the testing time to normal business hours, attempting to gain entry to the target building after hours has its advantages. Aside from the lack of employees inside the target building, it is very common for a company-hired cleaning crew to work during these off hours. This provides a great target for tailgating or social engineering your way into the building.
6. Blending in with your surroundings means the difference between a successful and an unsuccessful physical penetration test. Determining the daily dress code for the target company usually occurs during the initial onsite recon phase, but general assumptions can be drawn long before arriving at the target building. Not every situation requires business casual attire; if the target building is a warehouse or factory, a T-shirt, boots, and jeans would draw far less attention than trying to blend in while wearing a button-up shirt and dress shoes. The more you look like you belong, the more people will believe you do.
5. All commercial buildings must adhere to their respective state fire codes. Although the main purpose of these codes is to allow safe egress in case of a fire, they also assist physical penetration testers. To put it simply, all commercial buildings must have doors that are not locked from the inside and are relatively easy for firefighters to open from the outside. Additionally, if the building has more than one floor, there must be some type of fire escape or stairwell leading to the exterior of the building. Knowing this, these fire escape doors are often completely unlocked or easily shimmable from the outside; once inside, the internal stairwell provides direct access to all of the building’s floors, as well as to even less secure interior doors.
4. Physical penetration tests are very dynamic in nature. Due to numerous elements such as human nature, workplace culture, and time of day, it is almost impossible to script how you will gain entry into the target building. The window of opportunity could present itself during the first five minutes onsite, during the recon stage, or after hours of waiting for a delivery to the loading dock. The moral of the story is that just because you had planned to spend the first day onsite performing recon does not mean you should turn down a juicy opportunity to walk right through a propped-open side door. Being able to make split-second decisions and deviate from your original plan of entry is what separates a good physical pentester from a great one.
3. At some point during your physical penetration test someone will stop and question your reasons for being there. Whether it is a friendly secretary just trying to help, or the CSO making sure you are there for legitimate purposes, I have found the best course of action is to claim ignorance. Everyone, at one point or another, has been “the new guy” in some form. Playing off an emotion others can relate to is a very effective form of social engineering. It is a lot easier for a person to believe you are peeking into empty offices because you are “late for your first meeting with so-and-so, but you don’t know where their office is because you just started a week ago.” Make sure to then introduce yourself, make some small talk, thank them for their help, and shake their hand before you walk away. This form of physical contact helps reassure the person questioning your motives that you are a friend and do not pose a threat. In more cases than not, ignorance is truly bliss.
2. Things are not as hard as they seem; they really aren’t. On more than one occasion I have found myself sitting outside the target building, watching employees enter and going over every worst-case scenario in my head. Even if the target building has a high-tech badge system with guards and cameras, that does not mean you should expect to be strip searched as soon as you walk in the door. Why spend all day waiting for the perfect tailgating scenario to present itself when all you need to do is pretend to be late for a meeting, to have left your access badge upstairs in your office, or to be having an argument on the phone? Social engineering does not have to be a complicated con game; your lie just has to be believable.
1. Always have a copy of your Letter of Authorization on your person, as well as in your backpack, car, and hotel room. Having multiple copies serves two important purposes. First, it ensures you will always have immediate access to your LoA if you ever need to present it; and second, rain, sweat, and over-diligent security guards can all wreak havoc on a piece of paper. I have gone as far as laminating a copy just in case; I’d much rather be safe than sorry. Your Letter of Authorization is commonly referred to as your “get out of jail free card,” and just like in the game Monopoly, having it can mean the difference between “going straight to jail” and “just visiting.”