Physical Penetration Testing (RootedCON 2015)
Post on 09-Jan-2017
Physical Penetration Testing
in Red Team Assessment
Physical Penetration Testing?
About Me
EDUARDO ARRIOLS
• Security Consultant
• Co-Founder of HighSec
• C|EH, E|CSA and other certifications
• Twitter: @_Hykeos
• Blog: http://highsec.es
1. Introduction
2. Methodology
3. Practical Case
4. Conclusions
1. Introduction
Definition
Evaluation of physical security controls and procedures
of the target facilities
Why?
No matter what digital security controls have been implemented (firewall, IDS, etc.), they can be defeated once physical access is possible
General Phases
1. Planning and Intelligence: obtain information about the building, its physical security controls, etc., and turn that information into intelligence to plan the attack
2. Breach: gain access to the target building facilities
Physical Penetration Testing
Digital Penetration Testing
Social Penetration Testing
Physical + Digital: attack physical devices connected to the network
Digital + Social: phishing, watering hole…
Social + Physical: tailgating, impersonation…
All three combined: Red Team (integral security)
Red Team
Definition
Red Team exercise: a controlled but real intrusion into an organization, using physical, digital or social vectors to obtain the company's most important asset
Evaluation of security controls and of the effectiveness of the blue team
Multidisciplinary team: specialists in physical, logical and social engineering security
Adversary mindset: combined, silent and high-impact attack
Penetration Testing vs Red Team

Penetration Testing (Digital)                                        | Red Team
---------------------------------------------------------------------|-----------------------------------------------------------------------------------------
Finding, evaluating and exploiting vulnerabilities in one dimension  | Finding, evaluating and exploiting only the vulnerabilities that make it possible to reach the goals
Static methodology                                                   | Flexible methodology
The attacker's profile does not matter                               | Takes on the attacker's profile
The security team is normally warned about the test                  | Without notice
Office hours                                                         | 24 hours
Just finding and exploiting the vulnerabilities                      | Measures the business impact of successful attacks
General Phases
1. Information Gathering
2. Social & Physical Intrusion
3. Take Control of Devices
4. Network Access
5. Get Access to Servers
6. Search Assets
7. Exfiltrate Information
2. Methodology
Workflow
Planning and Intelligence:
1. Defining targets and scope
2. Information gathering
3. Preliminary analysis
4. Reconnaissance (passive and active)
5. Intelligence
6. Planning and analysis
Breach:
7. Practice
8. Execution
Planning and Intelligence
• Information Gathering
– Understanding the company and its most important assets
– Where are those assets?
• Reconnaissance - Passive
– Walk around the building
– Driveway
– Windows (lateral, interior, exterior, parallel opening)
– Exits
• Reconnaissance - Active
– Surveillance of employees and guards
– Uniforms and badges
– Locate elevators
– Blind sectors of cameras and sensors
– Walk around the public areas inside the building
– Locate the boardroom
– Wireless networks
– Emergency maps
• Intelligence
– Evaluate opportunities for conversation with staff
– Gather information about employees
Breach
• Bypass of access control
– Lock picking
– Tailgating
– Keypad
– Biometric
– Badges
• Contactless
• Smartcard
• Magnetic
– Uncontrolled physical access
• Windows
• Garage
• Bypass of sensors and alarms
– Motion sensor
• PIR
• Photoelectric
• Ultrasonic
– Magnetic sensor
– Inhibition (jamming) of communications systems
• Bypass of surveillance systems
• Social engineering to obtain physical access
And then? (Red Team)
• Exploitation and access to the corporate network
– Physical backdoor (Pwn Plug, Raspberry Pi, etc.)
– External device (keylogger, network sniffer, etc.)
– Access to unprotected computers (Kon-Boot, etc.)
– Call interception (telephony and VoIP)
– Kiosks and hardware devices
• Obtaining confidential information (objective)
3. Practical Case
Practical Case
Target: Rooted Technology S.L.
Floor plans: ground floor, garage and objective floor, each served by the elevator
Equipment
Planning and Intelligence
Reconnaissance (Passive)
Using Google, Maps and Street View
Reconnaissance (Active)
Using civil drones
Night reconnaissance (comparison)
Information Gathering
Dumpster diving
Shoulder surfing
Social engineering
Interception of radio communications
Breach
Bypass of Access Control: RFID
1. Read the employee card
2. Clone the employee card
If that fails:
3. Analyze the card data
4. Change the content, or emulate / brute force
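As an added example for the read / clone / analyze / emulate-or-brute-force sequence above (this is not the speaker's code): many proximity badges hand the reader a 26-bit Wiegand frame in the public H10301 layout (even parity bit, 8-bit facility code, 16-bit card number, odd parity bit). Decoding a captured read gives the facility code and card number; re-encoding them gives the frame an emulator replays; and because badges are usually issued sequentially, enumerating card numbers adjacent to a known one under the same facility code is the targeted brute force. The sample read is constructed and the function names are this example's own.

```python
"""Wiegand 26-bit (H10301) badge data: decode a captured read, re-encode a
clone, and enumerate neighbouring card numbers for a targeted brute force.

Added example for this transcript, not the speaker's code. The bit layout is
the public H10301 format; the sample read below is constructed.
"""
from typing import Iterator, Tuple


def _parity(bits: str) -> int:
    """Parity of a bit string: 1 if the count of ones is odd, else 0."""
    return bits.count("1") % 2


def encode_wiegand26(facility: int, card: int) -> str:
    """Build the 26-bit frame a reader expects for (facility, card).

    Bit 0 is even parity over the first 12 data bits, bit 25 is odd parity
    over the last 12 data bits; bits 1-8 are the facility code and bits 9-24
    the card number.
    """
    if not 0 <= facility < 256 or not 0 <= card < 65536:
        raise ValueError("facility code is 8 bits, card number is 16 bits")
    payload = f"{facility:08b}{card:016b}"      # 24 data bits
    even = _parity(payload[:12])                # makes bits 0-12 have even weight
    odd = 1 - _parity(payload[12:])             # makes bits 13-25 have odd weight
    return f"{even}{payload}{odd}"


def decode_wiegand26(bits: str) -> Tuple[int, int]:
    """Return (facility, card) from a 26-bit frame, rejecting bad parity.

    A parity failure usually means a noisy read (poor antenna coupling, card
    moved too early), so the read should be repeated rather than cloned.
    """
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected 26 binary digits")
    payload = bits[1:25]
    if int(bits[0]) != _parity(payload[:12]):
        raise ValueError("even parity mismatch (noisy read?)")
    if int(bits[25]) != 1 - _parity(payload[12:]):
        raise ValueError("odd parity mismatch (noisy read?)")
    return int(payload[:8], 2), int(payload[8:], 2)


def neighbouring_cards(bits: str, radius: int) -> Iterator[str]:
    """Yield frames for card numbers within +/- radius of a captured read.

    Keeps the facility code from the read, since a site normally uses one
    code and issues card numbers sequentially; this is the 'brute force'
    branch of the slide when cloning the read card alone is not enough.
    """
    facility, card = decode_wiegand26(bits)
    for delta in range(-radius, radius + 1):
        candidate = card + delta
        if delta != 0 and 0 <= candidate < 65536:
            yield encode_wiegand26(facility, candidate)


if __name__ == "__main__":
    # Constructed sample: facility code 42, card number 12345.
    read = encode_wiegand26(42, 12345)
    print("captured frame :", read)
    print("decoded        :", decode_wiegand26(read))
    for frame in neighbouring_cards(read, 2):
        print("candidate      :", frame, decode_wiegand26(frame))
```

The parity bits are the first thing to check on a captured read: a frame that fails them is a bad capture, not a different card format, and replaying it will only produce denials in the access-control log.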
Internal Reconnaissance
Reconnaissance of internal security measures
Bypass of Security Measures
– Bypass of alarm system
– Bypass of magnetic sensor
– Bypass of motion sensor (observed outcomes: nothing, minimal change, alert)
– Bypass of photoelectric sensor
– Bypass of alarm system
– Bypass of magnetic card / keypad access
How do we do it?
Elevator route: garage → first floor → ground floor
4. Conclusions
Real physical intrusion requires creativity and lateral thinking.
The Red Team approach is the way to conduct a comprehensive, integral security evaluation of an organization.
Questions