January 31, 2022

Assessment Type: Covert Physical Penetration Test / Wireless Penetration Test

Target Type: Commercial - Corporate Office


Assessment Background

Dark Wolf Solutions offers a variety of services from our penetration testers. Often these services involve simulating not only criminals attempting to access networks remotely, but also the threat of physical compromise via social engineering and attempts to circumvent physical and electronic access controls. As we kick off some new blogs here at Dark Wolf, I will be focusing on sharing snippets of “War Stories” from our experiences.

The primary goal of this particular service offering was to access restricted floors, wiring closets, server rooms, offices, production network(s), shredder bins, hard copies of sensitive information, to test the security awareness of both contractors (security guards, cleaning crew, etc.) and employees, and to plant a rogue AP (access point) to allow us to remotely connect to the network.

When traveling for these types of assessments, we always consider the location of a client’s facilities. Often, we’re fortunate enough that these locations are adjacent to a hotel, café, food court, or a shared facility in general. How does this help, other than the convenience of a nap or food in between efforts? A malicious actor can use this to conduct passive reconnaissance and gather useful information: anything from the target facility’s dress code, ingress/egress points, security camera placement, and the style of lanyards and badges used (if any), to the tailgating awareness of employees, or simply the names of employees. In this particular instance, we realized just how fortunate we were when we began to gather information on this target.


Onsite Covert Entry Penetration Test

How fortunate were we? Very! The hotel was directly across from the target facility, with a handful of coffee shops and restaurants connected to the building. One café had large untinted glass windows facing directly into the lobby of the target facility. So, during the morning rush, we had coffee, sat and watched with the best front-row seats imaginable. By simply people watching from the coffee shop, we were able to covertly capture photos of employee badges, determine the type of badge readers used to access a restricted elevator, and see how folks interacted with one another.

As this target was the main corporate office, our usual guise of being from corporate IT or an auditor wouldn’t work. We needed credentials. In the lobby were at least four unarmed security guards in each corner of the open floor plan. Entrance into the lobby wasn’t an issue, but going any further was. The facility used electronic turnstiles, which required valid credentials before allowing you to proceed to the elevator. Each elevator also required valid credentials for whichever floor you were attempting to gain access to.

Once we had a solid idea of the dress code and general security awareness of both the employees and the security guards, we decided to go ahead and prepare some tools in our hotel room. We configured some USB keyloggers and our rogue access point, which we would ultimately attempt to plug into their DHCP (Dynamic Host Configuration Protocol) enabled production network via a vacant and active network jack and/or by changing the MAC (Media Access Control) address on the rogue AP to match something like a VoIP (Voice over IP) phone, just in case there was any sort of MAC filtering.

Using some of the photos we had taken during our passive reconnaissance phase, we were able to visually duplicate two badge credentials each. One was a contractor badge and the other an employee badge. We had noticed a couple of varying badge designs in use and wanted to make sure that, if we got to the target floor(s), our badges matched, so it is nice to have a plethora of options to switch between when able. In addition to the badges, we had a couple of lanyards to choose from in our tool bag and found ones that also matched what many employees were wearing.

Earlier, during our active reconnaissance phase, we had used an RFID (Radio-frequency identification) diagnostics card to passively confirm the badge reader was operating at 125 kHz. This helps us determine what kind of proximity cards are being used throughout the building. We printed our newly forged identities onto some blank low-frequency badges, in hopes of eventually writing valid credentials to them if we were fortunate enough to clone a legitimate badge.

We noticed the computer monitors at the main guard desk in the lobby were visible from the exterior side of the building, on the sidewalk. To not draw attention to ourselves, Brent and I took turns taking pictures of each other in front of the building, while making sure to zoom in on the computer monitors. While later reviewing these images, we were able to determine the main cameras that were monitored as well as the areas they covered. There were also other details given such as operating system versions, VoIP phone versions, and much more.

Once inside the lobby of the target facility, we stood around and waited, with the “We are waiting on someone” excuse, in case we were challenged by anyone. Using our phones as a prop, I pretended to be speaking to a point-of-contact, making lunch plans. If you have seen any of the talks from wehackpeople.com, you will know that Brent and I believe the best time to tailgate or get physically close enough to copy badges is when lunch is starting or when everyone is leaving for the day. Employees are often eager to get out of work and this allows us to exploit the distractions of hungry people and/or the end of the day haste. It was close to lunch time, and we took advantage of this by improving on the guise of “We are waiting for our PoC to join us in the lobby for lunch. No worries.” Standing in blind spots in the lobby was easy enough, but again, the goal of this engagement was to gain access to their network, plant a rogue access device, and try to bypass electronic and physical access controls – all of this also included social engineering as the medium toward compromising the target(s) and a solid evaluation of the client’s onsite security.

While pretending to be on the phone, we walked around and noted how often people did or did not pay attention to what we were doing, specifically the security guards. Brent installed a badge cloning device that would allow us to copy any badges that were scanned on one of the badge readers. However, it was purposefully installed in a way that made it very obvious that the device was there and clearly out of place. We watched as several employees routinely went about their day ignoring the “eyesore” of a device. Some noticed the device, gave it a look or two, and proceeded to badge in anyway.

While we watched the number of legitimate employee badge scans rack up on the poorly installed cloner, we decided to also target the security guards. One security guard sat behind the desk in the lobby, surfing TikTok. I decided to walk over to him and our conversation went something like this:

“Sorry to bother you, but while waiting for some folks to meet for lunch I noticed the badge turnstiles! Those are great. I’m curious about the cards you guys use, do you happen to have one of the blank badges behind there?”

At this point, Brent arrived and helped bolster the social engineering attempt, “Did you find out if they are those new HID badges?” He asked me, walking up to join the discussion.

“Not yet, I just asked about them.” I replied and then directed my attention back to the security guard. He had been looking around for a blank badge.

“Sorry, there aren’t any back here.” He did not seem suspicious and so far had no reason to question the two people who looked like they belonged there.

“No worries. Actually, could I just see the back of your badge? That will tell me what kind you guys use.” At this point, I had palmed my small badge cloner and reached with my opposite hand toward the guard. The guard sat there for a moment, contemplating my request, pulled out his wallet, removed his access badge and handed it over. I flipped the badge over and pretended to read the back of it, squinting my eyes, supporting the badge with both of my hands and utilizing my device to copy it within seconds. “Right on! It is the HID-ABC-LUL model.” I smiled, turning to Brent for confirmation, then returning the badge back to the security guard. “Thanks man. We may have to look into getting something like that at the XYZ location.”

“The point of contact is here!” Brent interrupted me and nodded toward someone on the other side of the lobby, who looked important and appeared to be leaving for lunch.

“We will be here most of the week, so I am sure we will see you around.” I waved goodbye to the guard as Brent and I left the building and made our way across the street to a cafe.

After some time, we went back to the hotel room, where we were able to copy the security guard’s badge credentials onto our blank employee and contractor badges that we had made earlier. That evening, we decided to verify that the badges worked and whether they could be scanned at multiple readers at the same time. The security guards during the night shift noticed us as we entered, but we just nodded and kept walking toward the turnstiles, scanning our newly cloned badges, successfully accessing the elevators. Next, we had to authenticate with the access controls inside the elevator. This was the true test to see if we had access to the target floors or not. Success! We scanned the badges, entered the floor number, and were on our way up to the target floors!
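One way a defender could catch the duplicated credential described above is an anti-passback check over the access-control log: a credential that is granted entry at the perimeter while it is already recorded as inside means more than one card carries it. This is an added example, not part of the original write-up; the CSV log format, reader names, credential numbers, and the assumption that the turnstiles record exits are all constructed for illustration.

```python
from datetime import datetime

# Constructed sample export: time, credential id, reader, direction, result
SAMPLE_LOG = """\
2022-01-10T18:02:11,40112,LOBBY-TURNSTILE-1,IN,GRANTED
2022-01-10T19:45:03,40112,LOBBY-TURNSTILE-2,IN,GRANTED
2022-01-10T19:45:09,40112,LOBBY-TURNSTILE-3,IN,GRANTED
2022-01-10T19:46:30,40112,ELEVATOR-A,IN,GRANTED
2022-01-10T19:50:00,51877,LOBBY-TURNSTILE-1,IN,GRANTED
2022-01-10T20:10:00,51877,LOBBY-TURNSTILE-1,OUT,GRANTED
2022-01-10T20:40:00,51877,LOBBY-TURNSTILE-2,IN,GRANTED
"""

# Hypothetical perimeter readers; interior readers (elevators) are ignored
# because one person legitimately badges at several of them in a row.
PERIMETER = {"LOBBY-TURNSTILE-1", "LOBBY-TURNSTILE-2", "LOBBY-TURNSTILE-3"}


def find_passback_violations(log_text, perimeter=PERIMETER):
    """Return one alert per perimeter entry by a credential already inside."""
    inside = {}  # credential id -> (reader, time) of the entry that put it inside
    alerts = []
    for line in log_text.strip().splitlines():
        ts, card, reader, direction, result = line.split(",")
        if result != "GRANTED" or reader not in perimeter:
            continue
        when = datetime.fromisoformat(ts)
        if direction == "OUT":
            inside.pop(card, None)
        elif card in inside:
            first_reader, first_when = inside[card]
            alerts.append({
                "card": card,
                "reader": reader,
                "first_reader": first_reader,
                "gap_seconds": int((when - first_when).total_seconds()),
            })
        else:
            inside[card] = (reader, when)
    return alerts


if __name__ == "__main__":
    for alert in find_passback_violations(SAMPLE_LOG):
        print(alert)
```

In the constructed log, credential 40112 enters once in the early evening and is then granted entry twice more without an exit, while credential 51877 leaves and re-enters without raising an alert.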

The cleaning crew was hard at work but kept to themselves most of the time and acknowledged us as employees just working late. We exchanged some brief pleasantries and immediately found an unoccupied cubicle; the perfect place to plug in our rogue AP. The client’s network utilized DHCP, so getting access to the production network was just a matter of plugging in. After we kicked off some network scripts, we then began plugging in keyloggers on key computers, picking wafer locks on shredder bins, and gaining access to C-Level executive offices, wiring closets, and data centers by bypassing electronic access controls via latch slipping, under-the-door tool, and request-to-exit bypasses.

While walking around the target floors, we managed to harvest passwords and additional sensitive information via a poorly executed “Clean desk” policy. We observed Post-Its with local and domain credentials written on them that would later grant us additional remote access to the entire production environment, security systems, and more. We worked well into the night gathering information, attempting to set off alarms by propping open doors for extended periods, and more. After gathering what we needed and not being challenged by anyone, we decided to call it a night, and to prepare for the next day’s entry during regular production hours.

Without going into too many details, the baseline issues were simple:

  • Lack of security awareness from the security guards, employees, and cleaning crew

  • DHCP was enabled on the network with no controls for detecting rogue devices

  • WPS-enabled wireless access points that enabled us to capture handshakes, crack them, and gain access to both the guest and production networks

  • Poor enforcement of “Clean desk” policies

  • Shredder vendor used poor locks on their shredding bins that allowed us to easily gain access to several sensitive hardcopies containing network details, client details, IP addresses, financial information and more

  • No response to access control alerts from doors being forced or propped open
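The missing rogue-device control from the DHCP finding above can be approximated by auditing lease activity against an asset inventory, which also covers the case mentioned earlier of a device borrowing a VoIP phone's MAC address. This is an added example, not code from the original write-up; the log layout, the inventory, the switch-port field (assumed to come from DHCP relay option 82), and the vendor class strings are constructed, and the MAC addresses are from the documentation range.

```python
# Constructed inventory: MAC -> (device type, switch port where it was provisioned)
INVENTORY = {
    "00:00:5e:00:53:10": ("voip-phone", "sw3/0/14"),
    "00:00:5e:00:53:22": ("workstation", "sw3/0/15"),
}

# Constructed mapping: expected prefix of the DHCP vendor class (option 60)
EXPECTED_CLASS = {"voip-phone": "ExamplePhone", "workstation": "MSFT 5.0"}

# Constructed lease log: time, client MAC, switch port, vendor class
SAMPLE_LEASES = """\
2022-01-10T08:01:00 00:00:5e:00:53:10 sw3/0/14 ExamplePhone-v2
2022-01-10T08:03:00 00:00:5e:00:53:22 sw3/0/15 MSFT 5.0
2022-01-10T20:05:00 00:00:5e:00:53:99 sw3/0/27 udhcp 1.30
2022-01-10T20:06:00 00:00:5e:00:53:10 sw3/0/27 udhcp 1.30
"""


def audit_leases(log_text, inventory=INVENTORY, expected=EXPECTED_CLASS):
    """Return (time, mac, port, reason) for every lease that needs a look."""
    findings = []
    for line in log_text.strip().splitlines():
        # The vendor class may contain spaces, so split only three times.
        ts, mac, port, vclass = line.split(maxsplit=3)
        mac = mac.lower()
        if mac not in inventory:
            findings.append((ts, mac, port, "unknown MAC"))
            continue
        dev_type, home_port = inventory[mac]
        reasons = []
        if port != home_port:
            reasons.append("known MAC on unexpected port")
        if not vclass.startswith(expected[dev_type]):
            reasons.append("vendor class does not match device type")
        if reasons:
            findings.append((ts, mac, port, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for finding in audit_leases(SAMPLE_LEASES):
        print(finding)
```

The vendor class is client-supplied and can be forged along with the MAC, so this is a detection heuristic; the port mismatch is the stronger signal of the two.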


Lessons Learned

So, what can be learned from this war story?

If you know me, having heard any of our conference presentations or interviews, or having read any previous war stories, you know that we enjoy targeting security guards. Why? They usually hold the keys to the kingdom, and once you’ve established a rapport with them, you no longer have to worry about pesky inquiries as to who you are or what you are doing. There have been far too many times where we have been able to simply sway the guard into handing over their keys. But there is another reason: many security guards are willing to help an “auditor” or someone from “corporate” doing inventory. How do I know this? I have used similar guises several different times, without compromising my cover.

Teach your guards to NEVER hand their keys, badges, etc. over to a random “employee” or “contractor” who just so happens to mention other employee names or carry themselves as if they are supposed to be there. Guards are one of the first layers of security, but too many companies often depend on them to be the primary eyes and ears, where the whole employee body should also be contributing.

Make sure that your guards are alert and aware – Guard work can get boring, which enhances distractions (phone, Internet, conversation etc.). Make sure that the guards understand their roles and responsibilities.

  • Always double-check and never be afraid to validate the identity of someone.

  • Someone doesn’t have a legitimate badge visible or isn’t escorted? Escalate.

  • Did someone piggyback? Ask them to badge in and verify a successful result.

Employees rarely pay attention to badge details or authentication attempts. Teach your employees about the dangers of tailgating, to keep an eye out for malicious devices or people standing too close to them, and not to get in the habit of holding the door open for people who do not badge in. It is okay for them to ask questions. And if they are not comfortable doing so, they need to know whom they can quickly and easily reach to come and ask those questions of a potential stranger. It should never just be ignored because the employee doesn't want to or doesn't know how to deal with it.

Don’t forget about locks on doors and cabinets leading to restricted and sensitive areas. Keep in mind that you get what you pay for. If you’re in need of high-security locks, or aren’t sure if what you have in place is sufficient, contact your local locksmith, or, have us come take a look at them, and the security posture of your entire facility. It doesn’t matter how great your electronic access controls are if you can bypass them because of a cheap, or poorly implemented physical lock.

Provide robust security awareness training – Again, a good security culture, social engineering countermeasures and enforced standards can prevent a potentially dangerous and damaging compromise. When it comes to physical security, it is more than information that could be at stake.

You don’t have to be paranoid, but in the age of hacktivism and terrorism influx, skepticism and awareness are traits every employee should have. Hackers do not care how hard your network is, if they can just walk in and ask for the keys to the building.