This document discusses physical penetration testing as part of a red team assessment. It defines physical penetration testing as evaluating physical security controls and procedures at a target facility. The methodology involves planning and intelligence gathering, followed by breaching physical security measures to gain access. A case study example demonstrates bypassing access controls, alarms, and sensors to access different floors within a building. The document concludes that physical intrusions require creativity and lateral thinking, and that red team assessments provide a comprehensive way to evaluate organizational security.
7. Why?
No matter what security measures have been implemented in
digital controls (firewalls, IDS, etc.), they can be bypassed when
physical access to the systems is possible.
8. General Phases
1. Planning and Intelligence: obtain information about the
building, its physical security controls, etc., and turn that
information into intelligence to plan the attack
2. Breach: gain access to the target building and its facilities
10. Red Team exercises
A controlled but real intrusion into an organization, using physical,
digital or social vectors to obtain the most important asset of
the company.
11. Definition
Red Team:
• Evaluation of security controls and the effectiveness of the blue team
• Multidisciplinary team: specialists in physical, logical and social engineering security
• Adversary mindset: combined, silent and high-impact attack
12. Penetration Testing vs Red Team
Penetration Testing (Digital) | Red Team
Finding, evaluating and exploiting vulnerabilities in one dimension | Finding, evaluating and exploiting only the vulnerabilities that make it possible to reach the goals
Static methodology | Flexible methodology
The attacker's profile does not matter | Adopts a realistic attacker's profile
The security team is normally warned about the test | Without notice
Office hours | 24 hours
Just finding and exploiting the vulnerabilities | Measures the business impact of successful attacks
13. General Phases
1. Information Gathering
2. Social & Physical Intrusion
3. Take Control of Devices
4. Network Access
5. Get Access to Servers
6. Search Assets
7. Exfiltrate Information
16. Planning and Intelligence
• Information Gathering
– Understanding the company and its most important assets
– Where are those assets?
• Reconnaissance - Passive
– Walk around the building
– Driveway
– Windows (lateral, interior, exterior, parallel opening)
– Exits
17. Planning and Intelligence
• Reconnaissance - Active
– Surveillance of employees and guards
– Uniforms and badges
– Locate elevators
– Blind spots of cameras and sensors
– Walk around the public areas inside the building
– Locate the boardroom
– Wireless networks
– Emergency maps
• Intelligence
– Evaluate opportunities to strike up conversation with staff
– Gather information about employees
18. Breach
• Bypass of access control
– Lock picking
– Tailgating
– Keypad
– Biometric
– Badges
• Contactless
• Smartcard
• Magnetic
– Uncontrolled physical access
• Windows
• Garage
19. Breach
• Bypass of sensors and alarms
– Motion sensors
• PIR
• Photoelectric
• Ultrasonic
– Magnetic sensors
– Jamming of communication systems (so the alarm cannot report)
• Bypass of surveillance systems
• Social engineering to obtain physical access
20. And then?
• Exploitation and access to the corporate network (Red Team)
– Physical backdoor (Pwn Plug, Raspberry Pi, etc.)
– External device (keylogger, network sniffer, etc.)
– Access to unprotected computers (Kon-Boot, etc.)
– Call interception (telephony and VoIP)
– Kiosks and hardware devices
• Obtaining confidential information (objective)
45. Bypass of Access Control
Bypass of RFID access control
1. Read an employee card
2. Clone the employee card
If cloning fails:
3. Analyze the card's content (format, facility code, card number)
4. Change the content
or
Emulate the card / brute force the ID space
68. Conclusions
Carrying out a real physical intrusion requires creativity and
lateral thinking.
The Red Team approach is a way to conduct a comprehensive,
integrated security evaluation of an organization.