physical penetration testing (rootedcon 2015)

PhysicalPenetration Testing

In Red Team Assessment

¿Physical Penetration Testing?

ME

EDUARDO ARRIOLS

• Security Consultant

• Co-Founder of HighSec

• C|EH, E|CSA and other

• Twitter: @_Hykeos

• Blog: http://highsec.es

http://highsec.es/

1. Introduction

2. Methodology

3. Practical Case

4. Conclusions

Definition

Evaluation of physical security controls and procedures

of the target facilities

¿Why?

No matter what security measures have been implemented in digital controls (firewall, IDS, etc.) when physical access is

possible

General Phases

1. Planning and Intelligence: Obtain information about thebuilding, physical security controls, etc. and elaborateintelligence task with that information to plan the attack

2. Breach: Access to the target building facilities

PhysicalPenetration Testing

DigitalPenetration Testing

SocialPenetration Testing

Attack physical devices connected to the network

Phishing, Watering Hole…

Tailgaiting, Impersonification…

Red

Team

Integral Security

Red Team exercises

Controlled but real intrusion in a organization, using physical, digital or social vectors to obtain the most important asset of

the company

Definition

Evaluation of securitycontrols and the

effectiveness of blue team

Multidisciplinary team: Specialists in physical,

logical and social engineering security

Adversary mindset:Combined, silent and

high-impact attack

Red Team

Penetration Testing vs Red Team

Penetration Testing (Digital) Red Team

Finding, evaluating and exploiting vulnerabilities in one dimesion

Finding, evaluating and exploiting only the vulnerabilities that make possible obtain

the goals

Static methodology Flexible methodology

No matter attacker´s profile Obtain the attacker's profile

The security team normally are warned about the test

Without notice

Office schedule 24 hours

Just finding and exploiting the vulnerabilities

Measure bussiness impact of successful attacks.

Information Gathering

Social & Physical Intrusion

Take Control of Devices

Network Access

Get Access to Servers

Search Assets

Exfiltrate Information

General Phases

1. Introduction

2. Methodology

3. Practical Case

4. Conclusions

Way

Planning and Intelligence

Breach

Defining Targets and Scope


Preliminary Analysis

Reconnaissance (Passive and Active)

Intelligence

Planning and Analysis

Practice

Execution


• Information Gathering– Understanding the company and their most important assets

– ¿Where are those assets?

• Reconnaissance - Passive– Walk around the building

– Driveway

– Windows (lateral, interior, exterior, parallel opening)

– Exits


• Reconnaissance - Active– Surveillance of employees and guards

– Uniforms and badges

– Locate elevators

– Blind sectors of cameras and sensors

– Walk around the public area of inside the building

– Locate the boardroom

– Wireless networks

– Emergency maps

• Intelligence– Evaluate conversation opportunity with staff

– Gathering information about employees

Breach

• Bypass of access control– Lock Picking

– Tailgating

– Key pad

– Biometric

– Badges• Contactless

• Smartcard

• Magnetic

– Not controlled physical Access• Windows

• Garage

Breach

• Bypass of sensors and alarms– Motion sensor

• PIR

• Photoelectric

• Ultrasonic

– Magnetic sensor

– Communications systems inhibition

• Bypass of surveillance systems

• Social Engineering for obtaining physical access

¿And then?

• Exploitation and access to the corporate network (Red Team)– Physical backdoor (PwnPlg, Raspberry, etc.)

– External device (Keylogger, Network Sniffer, etc.)

– Access to unprotected computers (Kon-Boot, etc.)

– Call Interception (Telephony and VoIP)

– Kioskos and hardware device

• Obtaining confidential information (Objetive)

Red Team

1. Introduction

2. Methodology

3. Practical Case

4. Conclusions

Practical Case

Rooted Technology S.L.

Elevator

Ground floor

Rooted Techonolgy S.L.

Elevator

Garage


Elevator

Objetive floor


Equipment

Reconnaissance (Pasive)

Using Google, Maps and Street

Reconnaissance (Active)

Using civil drones

Reconnaissance (Active)

Night Reconnaissance

VS

Information Collection

Dumpster Diving


Shoulder Surfing


Social Engineering


Interception of radio communications

Breach

Bypass of Access Control

Bypass of RFID Access Control



1. Read employ card2. Clone employ card

If fail:3. Analyze4. Change content

orEmulate / Brute Force

Internal Reconnaissance

Reconnaissance of Internal Security Measures

Bypass of Security Measures

Bypass of Alarm System


Bypass of Magnetic Sensor


Bypass of Motion Sensor



Nothing

Minimal change

Alert


Bypass of Photoelectric Sensor


Bypass of Alarm System


Bypass of Magnetic Card / Keypad Access

Elevator

Garage

¿How do we do it?

Elevator

First Floor

¿How do we do it?

Elevator

Ground floor

¿How do we do it?

1. Introduction

2. Methodology

3. Practical Case

4. Conclusions

Conclusions

Requirement of creativity and lateral thinking in implementing real physical intrusion.

Red Team approach as a solution to conduct a comprehensive integral security evaluation in an organization.

Questions