![Page 1: Physical Penetration Testing (RootedCON 2015)](https://reader033.vdocument.in/reader033/viewer/2022042619/58729a6e1a28ab07208b4787/html5/thumbnails/1.jpg)
Physical Penetration Testing
In Red Team Assessment
Physical Penetration Testing?
ME
EDUARDO ARRIOLS
• Security Consultant
• Co-Founder of HighSec
• C|EH, E|CSA and others
• Twitter: @_Hykeos
• Blog: http://highsec.es
1. Introduction
2. Methodology
3. Practical Case
4. Conclusions
1. Introduction
Definition
Evaluation of physical security controls and procedures of the target facilities
Why?
It does not matter what security measures have been implemented in digital controls (firewall, IDS, etc.) when physical access is possible.
General Phases
1. Planning and Intelligence: Obtain information about the building, physical security controls, etc., and carry out intelligence work with that information to plan the attack
2. Breach: Access to the target building facilities
Physical Penetration Testing
Digital Penetration Testing
Social Penetration Testing
Attack physical devices connected to the network
Phishing, Watering Hole…
Tailgating, Impersonation…
Red Team
Integral Security
Red Team exercises
Controlled but real intrusion into an organization, using physical, digital or social vectors to obtain the most important asset of the company
Red Team: Definition
• Evaluation of security controls and the effectiveness of the blue team
• Multidisciplinary team: Specialists in physical, logical and social engineering security
• Adversary mindset: Combined, silent and high-impact attack
Penetration Testing vs Red Team

| Penetration Testing (Digital) | Red Team |
| --- | --- |
| Finding, evaluating and exploiting vulnerabilities in one dimension | Finding, evaluating and exploiting only the vulnerabilities that make it possible to achieve the goals |
| Static methodology | Flexible methodology |
| No matter the attacker's profile | Obtain the attacker's profile |
| The security team is normally warned about the test | Without notice |
| Office schedule | 24 hours |
| Just finding and exploiting the vulnerabilities | Measure business impact of successful attacks |
General Phases
1. Information Gathering
2. Social & Physical Intrusion
3. Take Control of Devices
4. Network Access
5. Get Access to Servers
6. Search Assets
7. Exfiltrate Information
2. Methodology
Way
Planning and Intelligence
Breach
Defining Targets and Scope
Information Gathering
Preliminary Analysis
Reconnaissance (Passive and Active)
Intelligence
Planning and Analysis
Practice
Execution
Planning and Intelligence
• Information Gathering
  – Understanding the company and their most important assets
  – Where are those assets?
• Reconnaissance - Passive
  – Walk around the building
  – Driveway
  – Windows (lateral, interior, exterior, parallel opening)
  – Exits
Planning and Intelligence
• Reconnaissance - Active
  – Surveillance of employees and guards
  – Uniforms and badges
  – Locate elevators
  – Blind sectors of cameras and sensors
  – Walk around the public area inside the building
  – Locate the boardroom
  – Wireless networks
  – Emergency maps
• Intelligence
  – Evaluate conversation opportunities with staff
  – Gathering information about employees
Breach
• Bypass of access control
  – Lock Picking
  – Tailgating
  – Key pad
  – Biometric
  – Badges
    • Contactless
    • Smartcard
    • Magnetic
  – Uncontrolled physical access
    • Windows
    • Garage
Breach
• Bypass of sensors and alarms
  – Motion sensor
    • PIR
    • Photoelectric
    • Ultrasonic
  – Magnetic sensor
  – Communications systems inhibition
• Bypass of surveillance systems
• Social Engineering for obtaining physical access
And then?
• Exploitation and access to the corporate network (Red Team)
  – Physical backdoor (Pwn Plug, Raspberry, etc.)
  – External device (Keylogger, Network Sniffer, etc.)
  – Access to unprotected computers (Kon-Boot, etc.)
  – Call Interception (Telephony and VoIP)
  – Kiosks and hardware devices
• Obtaining confidential information (Objective)
3. Practical Case
Practical Case
Rooted Technology S.L.
Rooted Technology S.L.: Ground floor (Elevator)
Rooted Technology S.L.: Garage (Elevator)
Rooted Technology S.L.: Objective floor (Elevator)
Equipment
Planning and Intelligence
Reconnaissance (Passive)
Using Google, Maps and Street
Reconnaissance (Active)
Using civil drones
Reconnaissance (Active)
Night Reconnaissance
Information Collection
Dumpster Diving
Information Gathering
Shoulder Surfing
Information Gathering
Social Engineering
Information Gathering
Interception of radio communications
Breach
Bypass of Access Control
Bypass of RFID Access Control
1. Read employee card
2. Clone employee card
If fail:
3. Analyze
4. Change content
or Emulate / Brute Force
Internal Reconnaissance
Reconnaissance of Internal Security Measures
Bypass of Security Measures
Bypass of Alarm System
Bypass of Security Measures
Bypass of Magnetic Sensor
Bypass of Security Measures
Bypass of Motion Sensor
Nothing
Minimal change
Alert
Bypass of Security Measures
Bypass of Photoelectric Sensor
Bypass of Security Measures
Bypass of Alarm System
Bypass of Security Measures
Bypass of Magnetic Card / Keypad Access
How do we do it?
Elevator: Garage
Elevator: First Floor
Elevator: Ground floor
4. Conclusions
Conclusions
• Real physical intrusion requires creativity and lateral thinking.
• The Red Team approach is a solution for conducting a comprehensive, integral security evaluation of an organization.
Questions