SlideShare a Scribd company logo

Physical Penetration Testing Toolkit Guide

D
data68

A presentation on Physical Penetration Testing, I completed for a college course.

Technology
1 of 12
Physical Penetration Testing A Pen-Tester’s Toolkit ‣ Tina Ellis ‣ March 9th, 2022
What is Physical Penetration Testing? Physical penetration testing is used to identify weaknesses in physical security systems that attackers could exploit to gain access to the facilities. Physical penetration testers (pentesters) are hired by organizations to test standing security policies for the purpose of exposing unknown vulnerabilities. 90% of network security is removed once a threat actor has physical access - Wil Allsopp, Unauthorized Access: Physical Penetration Testing For IT Security Teams Photo Courtesy of DarknetDiaries.com
Five Phases of Physical Penetration Testing Reconnaissance OSINT Intelligence Gathering: ‣ Social Media ‣ Public Records ‣ Attack Surface Data Communicate with Client Scanning and Probing Travel to Location Identify Potential Targets Physical Observations Create Exploitation Plan Acquire Resources Communicate with Client Exploitation Social Engineering Bypass Physical Barriers Bypass Doors Communicate with Client Post-Exploitation Identify Ways to Steal Information: Gain Access to Sensitive Areas Network Jacks in Public Areas Dumpster Diving Communicate with Client Reporting Intelligence Gathered Remediation Suggestions: Training Opportunities Camera Blind Spots Door/Gate Improvements Alarm Evaluations
An Attacker Mindset Pentesters know precisely how criminals might gain access to both computer systems and buildings and employ a variety of tools and methods to gain access to a facility. - RedTeamSecure.com Photo Courtesy of DarknetDiaries.com
OSINT CATEGORY APPLICATION INTELLIGENCE TOOL Social Media Intelligence [SOCMINT] Digital Network Intelligence [DNINT] Vehicle and Transportation Intelligence [VATINT] Mapping and Geo-Spatial Intelligence [GEOINT] Hunting ground for company and employee information. Identify technologies used and vulnerabilities that can be exploited. Track down company vehicle information. Vehicles can be acquired to blend in. Identify possible attack vectors (access points). ‣ Uniforms & Badges ‣ Name & Photo Identification ‣ Coffee & Lunch Hangouts ‣ Network and Systems ‣ Language & Technologies ‣ Possible Attack Vectors ‣ Host, DNS, & Mail Server Info ‣ IoT Device and Open Ports ‣ Public AWS or Azure Buckets ‣ Area Public Wi-Fi AP’s ‣ Vendor Vulnerabilities ‣ Vehicle Recognition ‣ VIN Identification ‣ License Plate Lookup ‣ Internet Infrastructure ‣ Satellite Images ‣ Drone Images ‣ Street View Images ‣ Historical Facility Images ‣ CCTV Live Video Feeds Google, OpenPayrolls, GoFindWho, OnePlus OSINT Toolkit, SkyLens, Social- Search, Melissa Lookups, Company & Employee Social Media Pages, and Job Postings Open Directories CSE, WhoisFreaks, CentralOps, ZoomEye, IntoDNS, Wappalyzer, HackerTarget, Pulsedive, WiGLE, WiFi Map, Shodan, Zoom Eye, Natlas, Public Buckets, CVE Details CarNetAI, VehicleHistory, FaxVIN GoogleMaps, Soar Earth, Wayback World Imagery, GeoHack Tools, FreeMapTools, HawkEye360, Satelite.pro, Infrapedia Map, TravelWithDrone, CCTV Reconnaissance Phase Pentesters use a variety of Open-Source Intelligence (OSINT) tools to gather information about their target. *These are just examples of the OSINT tools available. Actual tools vary.
Scanning and Probing Phase Pentesters travel to the location and begin formalizing the exploitation plan. Physical observations are conducted in person. Night reconnaissance might include locating camera location by using night-vision goggles to see the infrared light emitted by night surveillance cameras. Door, Gate, and Lock Brand information is gathered. SOC location is identified, and any interesting info noted. Resources are acquired: Pentesters scan and clone badges, put together disguises, rent vehicles, and put together their toolkit. Exploitation plan is created: After all the intelligence is gathered an exploitation plan is created and shared with the client. A “get-out-of-jail-free” card is acquired that proves their identity if they get caught Pentesters communicate heavily with the parties. They also notify local authorities of their plan, so that they are not caught off guard. These steps are an important part of maintaining the safety of all parties involved. Photo Courtesy of DarknetDiaries.com
Exploitation Phase This is the phase where pentesters deploy their physical penetration testing plan. To implement this plan, pentesters use a variety of tools and methods, some technical and some not. Social engineering is one non-technical approach that pentesters may employ to circumvent security controls. Pentesters may use impersonation, disguises, badges, and a sense of urgency to blend in or gain access to sensitive systems and information. Physical access may also be obtained by observing the physical layout of the premises and identifying weak areas of security that do not require any special tools. Unlocked doors and unmonitored entryways provide an opportunity for access. Bypassing security controls may also be an option by employing bypass tools such as plug spinners, hinge pin tools, door and gate tools, generic keys, and SEARAT tools. Photo Courtesy of DarknetDiaries.com
The Physical Penetration Tools Long range RFID readers and a Proxmark III for cloning cards Disguises: Safety vests, uniforms, company cars, hard hats, lanyards Multimeter, for equipment testing and failure issues. Camera, flashlight, GoPro, Binoculars Ladders of various heights LANstar, LAN Cables, Small Wireless Router, for Network System Access Raspberry Pi’s – Plug into Network Connection for Network Access Shortwave radios for communication
The Physical Penetration Tools Borescope to see under doors or around corners Night Vision Goggles: See at night and locate night vision cameras Fence keys: Linear & Door King have generic keys available on Amazon Wool blanket to protect your body from barbed-wire fences Door Tools: Double Door Tools, Under the Door Tools, Shove-It Tool, Lockpicks Plug Spinner: Prevents pins from reengaging after lockpick, and re-locks Hinge Pin Tool: Spring-loaded tool used to pop hinges off doors SEARAT: all-in-one entry tool includes key blade, Window-Breaker, Gas Shut-off
Post-Exploitation Phase During the Post-Exploitation phase, the pentesters identify the opportunities where information could be stolen. They do not actually steal anything but take pictures or leave evidence (like a business card), to prove that they could have stolen information. ‣ Gain Access to Sensitive Areas ‣ Network Jacks in Public Areas ‣ Dumpster Diving Photo Courtesy of DarknetDiaries.com
Reporting Phase After the exploitation plan has been executed, pentesters compile their findings and create a report. The report includes any intelligence that was gathered during the reconnaissance and probing phases; a list of detailed steps and methods that were taken during the exploitation phase, as well as remediation suggestions that will improve an organization's overall security program. Physical pentesters “undertake wildly ambitious and incredibly complex activities intended to reveal opportunities for a potential real-life showdown between good and evil - a heavily defended company against a would-be attacker" - RedTeamSecure.com
References Darknet Diaries. (2021, June 22). Retrieved from https://darknetdiaries.com/ Deane, A. J., & Kraus, A. (2021). The official (ISC)2 CCSP Cbk Reference. Sybex. Halton, W., & Weaver, B. (2017). Penetration Testing: A Survival Guide. Packt Publishing. Mike Sheward. (2020). Security Operations in Practice. BCS, The Chartered Institute for IT. Rhysider, J. (Host). (2021, June 22). Jon and Brian's Big Adventure [Audio podcast]. Retrieved from https://darknetdiaries.com/transcript/95/ RedTeam Security, R. (n.d.). Physical penetration testing services: RedTeam Security. RedTeam Security - 5200 Willson Rd. Suite 150, Edina, MN 55424. Retrieved March 4, 2022, from https://www.redteamsecure.com/penetration- testing/physical-penetration-testing Sillanpää, M., & Hautamäki, J. (2020, July). Social Engineering Intrusion: A Case Study. In Proceedings of the 11th International Conference on Advances in Information Technology (pp. 1-5). Young, J. A. (2020). The Development of a Red Teaming Service-Learning Course. Journal of Information Systems Education, 31(3), 157–178. Photo Courtesy of DarknetDiaries.com

Recommended

Physical Penetration Testing (RootedCON 2015)
Physical Penetration Testing (RootedCON 2015)Physical Penetration Testing (RootedCON 2015)
Physical Penetration Testing (RootedCON 2015)Eduardo Arriols Nuñez
 
Network Forensics
Network ForensicsNetwork Forensics
Network Forensicsprimeteacher32
 
Offensive OSINT
Offensive OSINTOffensive OSINT
Offensive OSINTChristian Martorella
 
OSINT - Open Source Intelligence "Leading Intelligence and Investigation Tech...
OSINT - Open Source Intelligence "Leading Intelligence and Investigation Tech...OSINT - Open Source Intelligence "Leading Intelligence and Investigation Tech...
OSINT - Open Source Intelligence "Leading Intelligence and Investigation Tech...Falgun Rathod
 
Data Security Explained
Data Security ExplainedData Security Explained
Data Security ExplainedHappiest Minds Technologies
 
Using IOCs to Design and Control Threat Activities During a Red Team Engagement
Using IOCs to Design and Control Threat Activities During a Red Team EngagementUsing IOCs to Design and Control Threat Activities During a Red Team Engagement
Using IOCs to Design and Control Threat Activities During a Red Team EngagementJoe Vest
 
OSINT for Attack and Defense
OSINT for Attack and DefenseOSINT for Attack and Defense
OSINT for Attack and DefenseAndrew McNicol
 
Osint
OsintOsint
OsintKamal Rathaur
 

Recommended

Physical Penetration Testing (RootedCON 2015)
Physical Penetration Testing (RootedCON 2015)Physical Penetration Testing (RootedCON 2015)
Physical Penetration Testing (RootedCON 2015)Eduardo Arriols Nuñez
 
Network Forensics
Network ForensicsNetwork Forensics
Network Forensicsprimeteacher32
 
Offensive OSINT
Offensive OSINTOffensive OSINT
Offensive OSINTChristian Martorella
 
OSINT - Open Source Intelligence "Leading Intelligence and Investigation Tech...
OSINT - Open Source Intelligence "Leading Intelligence and Investigation Tech...OSINT - Open Source Intelligence "Leading Intelligence and Investigation Tech...
OSINT - Open Source Intelligence "Leading Intelligence and Investigation Tech...Falgun Rathod
 
Data Security Explained
Data Security ExplainedData Security Explained
Data Security ExplainedHappiest Minds Technologies
 
Using IOCs to Design and Control Threat Activities During a Red Team Engagement
Using IOCs to Design and Control Threat Activities During a Red Team EngagementUsing IOCs to Design and Control Threat Activities During a Red Team Engagement
Using IOCs to Design and Control Threat Activities During a Red Team EngagementJoe Vest
 
OSINT for Attack and Defense
OSINT for Attack and DefenseOSINT for Attack and Defense
OSINT for Attack and DefenseAndrew McNicol
 
Osint
OsintOsint
OsintKamal Rathaur
 
A brief Intro to Digital Forensics
A brief Intro to Digital ForensicsA brief Intro to Digital Forensics
A brief Intro to Digital ForensicsManik Bhola
 
Security Strategy and Tactic with Cyber Threat Intelligence (CTI)
Security Strategy and Tactic with Cyber Threat Intelligence (CTI)Security Strategy and Tactic with Cyber Threat Intelligence (CTI)
Security Strategy and Tactic with Cyber Threat Intelligence (CTI)Priyanka Aash
 
Penetration Testing
Penetration Testing Penetration Testing
Penetration Testing RomSoft SRL
 
OPSEC for Families
OPSEC for FamiliesOPSEC for Families
OPSEC for FamiliesDepartment of Defense
 
OpenSourceIntelligence-OSINT.pptx
OpenSourceIntelligence-OSINT.pptxOpenSourceIntelligence-OSINT.pptx
OpenSourceIntelligence-OSINT.pptxanonymousanonymous428352
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligenceseadeloitte
 
Network Forensics Intro
Network Forensics IntroNetwork Forensics Intro
Network Forensics IntroJake K.
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkSqrrl
 
OSINT
OSINTOSINT
OSINTApurv Singh Gautam
 
Open source intelligence information gathering (OSINT)
Open source intelligence information gathering (OSINT)Open source intelligence information gathering (OSINT)
Open source intelligence information gathering (OSINT)phexcom1
 
Physical Security Assessments
Physical Security AssessmentsPhysical Security Assessments
Physical Security AssessmentsTom Eston
 
Adversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEAdversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEJorge Orchilles
 
From OSINT to Phishing presentation
From OSINT to Phishing presentationFrom OSINT to Phishing presentation
From OSINT to Phishing presentationJesse Ratcliffe, OSCP
 
Tools for Open Source Intelligence (OSINT)
Tools for Open Source Intelligence (OSINT)Tools for Open Source Intelligence (OSINT)
Tools for Open Source Intelligence (OSINT)Sudhanshu Chauhan
 
Mobile forensics
Mobile forensicsMobile forensics
Mobile forensicsnoorashams
 
Red Team Framework
Red Team FrameworkRed Team Framework
Red Team Framework👀 Joe Gray
 
Digital forensics
Digital forensicsDigital forensics
Digital forensicsNicholas Davis
 
OSINT: Open Source Intelligence gathering
OSINT: Open Source Intelligence gatheringOSINT: Open Source Intelligence gathering
OSINT: Open Source Intelligence gatheringJeremiah Tillman
 
Network forensics and investigating logs
Network forensics and investigating logsNetwork forensics and investigating logs
Network forensics and investigating logsanilinvns
 
Red Team vs. Blue Team
Red Team vs. Blue TeamRed Team vs. Blue Team
Red Team vs. Blue TeamEC-Council
 
IRJET- A Survey on Object Detection using Deep Learning Techniques
IRJET- A Survey on Object Detection using Deep Learning TechniquesIRJET- A Survey on Object Detection using Deep Learning Techniques
IRJET- A Survey on Object Detection using Deep Learning TechniquesIRJET Journal
 
Physical Penetration Testing - RootedCON 2015
Physical Penetration Testing - RootedCON 2015Physical Penetration Testing - RootedCON 2015
Physical Penetration Testing - RootedCON 2015Hykeos
 

More Related Content

What's hot

A brief Intro to Digital Forensics
A brief Intro to Digital ForensicsA brief Intro to Digital Forensics
A brief Intro to Digital ForensicsManik Bhola
 
Security Strategy and Tactic with Cyber Threat Intelligence (CTI)
Security Strategy and Tactic with Cyber Threat Intelligence (CTI)Security Strategy and Tactic with Cyber Threat Intelligence (CTI)
Security Strategy and Tactic with Cyber Threat Intelligence (CTI)Priyanka Aash
 
Penetration Testing
Penetration Testing Penetration Testing
Penetration Testing RomSoft SRL
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligenceseadeloitte
 
Network Forensics Intro
Network Forensics IntroNetwork Forensics Intro
Network Forensics IntroJake K.
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkSqrrl
 
Open source intelligence information gathering (OSINT)
Open source intelligence information gathering (OSINT)Open source intelligence information gathering (OSINT)
Open source intelligence information gathering (OSINT)phexcom1
 
Physical Security Assessments
Physical Security AssessmentsPhysical Security Assessments
Physical Security AssessmentsTom Eston
 
Adversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEAdversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEJorge Orchilles
 
Tools for Open Source Intelligence (OSINT)
Tools for Open Source Intelligence (OSINT)Tools for Open Source Intelligence (OSINT)
Tools for Open Source Intelligence (OSINT)Sudhanshu Chauhan
 
Mobile forensics
Mobile forensicsMobile forensics
Mobile forensicsnoorashams
 
OSINT: Open Source Intelligence gathering
OSINT: Open Source Intelligence gatheringOSINT: Open Source Intelligence gathering
OSINT: Open Source Intelligence gatheringJeremiah Tillman
 
Network forensics and investigating logs
Network forensics and investigating logsNetwork forensics and investigating logs
Network forensics and investigating logsanilinvns
 
Red Team vs. Blue Team
Red Team vs. Blue TeamRed Team vs. Blue Team
Red Team vs. Blue TeamEC-Council
 

What's hot (20)

A brief Intro to Digital Forensics
A brief Intro to Digital ForensicsA brief Intro to Digital Forensics
A brief Intro to Digital Forensics
 
Security Strategy and Tactic with Cyber Threat Intelligence (CTI)
Security Strategy and Tactic with Cyber Threat Intelligence (CTI)Security Strategy and Tactic with Cyber Threat Intelligence (CTI)
Security Strategy and Tactic with Cyber Threat Intelligence (CTI)
 
Penetration Testing
Penetration Testing Penetration Testing
Penetration Testing
 
OPSEC for Families
OPSEC for FamiliesOPSEC for Families
OPSEC for Families
 
OpenSourceIntelligence-OSINT.pptx
OpenSourceIntelligence-OSINT.pptxOpenSourceIntelligence-OSINT.pptx
OpenSourceIntelligence-OSINT.pptx
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
 
Network Forensics Intro
Network Forensics IntroNetwork Forensics Intro
Network Forensics Intro
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your Network
 
OSINT
OSINTOSINT
OSINT
 
Open source intelligence information gathering (OSINT)
Open source intelligence information gathering (OSINT)Open source intelligence information gathering (OSINT)
Open source intelligence information gathering (OSINT)
 
Physical Security Assessments
Physical Security AssessmentsPhysical Security Assessments
Physical Security Assessments
 
Adversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEAdversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSE
 
From OSINT to Phishing presentation
From OSINT to Phishing presentationFrom OSINT to Phishing presentation
From OSINT to Phishing presentation
 
Tools for Open Source Intelligence (OSINT)
Tools for Open Source Intelligence (OSINT)Tools for Open Source Intelligence (OSINT)
Tools for Open Source Intelligence (OSINT)
 
Mobile forensics
Mobile forensicsMobile forensics
Mobile forensics
 
Red Team Framework
Red Team FrameworkRed Team Framework
Red Team Framework
 
Digital forensics
Digital forensicsDigital forensics
Digital forensics
 
OSINT: Open Source Intelligence gathering
OSINT: Open Source Intelligence gatheringOSINT: Open Source Intelligence gathering
OSINT: Open Source Intelligence gathering
 
Network forensics and investigating logs
Network forensics and investigating logsNetwork forensics and investigating logs
Network forensics and investigating logs
 
Red Team vs. Blue Team
Red Team vs. Blue TeamRed Team vs. Blue Team
Red Team vs. Blue Team
 

Similar to Physical Penetration Testing Toolkit Guide

IRJET- A Survey on Object Detection using Deep Learning Techniques
IRJET- A Survey on Object Detection using Deep Learning TechniquesIRJET- A Survey on Object Detection using Deep Learning Techniques
IRJET- A Survey on Object Detection using Deep Learning TechniquesIRJET Journal
 
Physical Penetration Testing - RootedCON 2015
Physical Penetration Testing - RootedCON 2015Physical Penetration Testing - RootedCON 2015
Physical Penetration Testing - RootedCON 2015Hykeos
 
Corporate threat vector and landscape
Corporate threat vector and landscapeCorporate threat vector and landscape
Corporate threat vector and landscapeyohansurya2
 
pres_drone_forensics_program.pptx
pres_drone_forensics_program.pptxpres_drone_forensics_program.pptx
pres_drone_forensics_program.pptxVolgaTC
 
UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prev.docx
UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prev.docxUMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prev.docx
UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prev.docxwillcoxjanay
 
The Need for Drone Forensic Investigation Standardisation (Evangelos Mantas) ...
The Need for Drone Forensic Investigation Standardisation (Evangelos Mantas) ...The Need for Drone Forensic Investigation Standardisation (Evangelos Mantas) ...
The Need for Drone Forensic Investigation Standardisation (Evangelos Mantas) ...DroneSec
 
Road map for actionable threat intelligence
Road map for actionable threat intelligenceRoad map for actionable threat intelligence
Road map for actionable threat intelligenceabhisheksinghcs
 
Securing Your Wearable Tech Brand
Securing Your Wearable Tech BrandSecuring Your Wearable Tech Brand
Securing Your Wearable Tech BrandSimon Loe
 
GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...
GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...
GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...James Anderson
 
IRJET-Ethical Hacking
IRJET-Ethical HackingIRJET-Ethical Hacking
IRJET-Ethical HackingIRJET Journal
 
Operationalizing Security Intelligence
Operationalizing Security IntelligenceOperationalizing Security Intelligence
Operationalizing Security IntelligenceSplunk
 
Vulnerability Assessment and Penetration Testing using Webkill
Vulnerability Assessment and Penetration Testing using WebkillVulnerability Assessment and Penetration Testing using Webkill
Vulnerability Assessment and Penetration Testing using Webkillijtsrd
 
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...Clare Nelson, CISSP, CIPP-E
 
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...APNIC
 
Cyber Threat Hunting Workshop.pdf
Cyber Threat Hunting Workshop.pdfCyber Threat Hunting Workshop.pdf
Cyber Threat Hunting Workshop.pdfssuser4237d4
 
Cyber Threat Hunting Workshop.pdf
Cyber Threat Hunting Workshop.pdfCyber Threat Hunting Workshop.pdf
Cyber Threat Hunting Workshop.pdfssuser4237d4
 
Internet of Things: Government Keynote, Randy Garrett
Internet of Things: Government Keynote, Randy GarrettInternet of Things: Government Keynote, Randy Garrett
Internet of Things: Government Keynote, Randy GarrettGovLoop
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopDigit Oktavianto
 

Similar to Physical Penetration Testing Toolkit Guide (20)

IRJET- A Survey on Object Detection using Deep Learning Techniques
IRJET- A Survey on Object Detection using Deep Learning TechniquesIRJET- A Survey on Object Detection using Deep Learning Techniques
IRJET- A Survey on Object Detection using Deep Learning Techniques
 
Physical Penetration Testing - RootedCON 2015
Physical Penetration Testing - RootedCON 2015Physical Penetration Testing - RootedCON 2015
Physical Penetration Testing - RootedCON 2015
 
Corporate threat vector and landscape
Corporate threat vector and landscapeCorporate threat vector and landscape
Corporate threat vector and landscape
 
pres_drone_forensics_program.pptx
pres_drone_forensics_program.pptxpres_drone_forensics_program.pptx
pres_drone_forensics_program.pptx
 
UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prev.docx
UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prev.docxUMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prev.docx
UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prev.docx
 
The Need for Drone Forensic Investigation Standardisation (Evangelos Mantas) ...
The Need for Drone Forensic Investigation Standardisation (Evangelos Mantas) ...The Need for Drone Forensic Investigation Standardisation (Evangelos Mantas) ...
The Need for Drone Forensic Investigation Standardisation (Evangelos Mantas) ...
 
Road map for actionable threat intelligence
Road map for actionable threat intelligenceRoad map for actionable threat intelligence
Road map for actionable threat intelligence
 
Securing Your Wearable Tech Brand
Securing Your Wearable Tech BrandSecuring Your Wearable Tech Brand
Securing Your Wearable Tech Brand
 
GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...
GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...
GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...
 
DarkWeb
DarkWebDarkWeb
DarkWeb
 
IRJET-Ethical Hacking
IRJET-Ethical HackingIRJET-Ethical Hacking
IRJET-Ethical Hacking
 
Operationalizing Security Intelligence
Operationalizing Security IntelligenceOperationalizing Security Intelligence
Operationalizing Security Intelligence
 
Vulnerability Assessment and Penetration Testing using Webkill
Vulnerability Assessment and Penetration Testing using WebkillVulnerability Assessment and Penetration Testing using Webkill
Vulnerability Assessment and Penetration Testing using Webkill
 
A6704d01
A6704d01A6704d01
A6704d01
 
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
 
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...
 
Cyber Threat Hunting Workshop.pdf
Cyber Threat Hunting Workshop.pdfCyber Threat Hunting Workshop.pdf
Cyber Threat Hunting Workshop.pdf
 
Cyber Threat Hunting Workshop.pdf
Cyber Threat Hunting Workshop.pdfCyber Threat Hunting Workshop.pdf
Cyber Threat Hunting Workshop.pdf
 
Internet of Things: Government Keynote, Randy Garrett
Internet of Things: Government Keynote, Randy GarrettInternet of Things: Government Keynote, Randy Garrett
Internet of Things: Government Keynote, Randy Garrett
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting Workshop
 

Recently uploaded

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 

Recently uploaded (20)

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 

Physical Penetration Testing Toolkit Guide

  • 1. Physical Penetration Testing A Pen-Tester’s Toolkit ‣ Tina Ellis ‣ March 9th, 2022
  • 2. What is Physical Penetration Testing? Physical penetration testing is used to identify weaknesses in physical security systems that attackers could exploit to gain access to the facilities. Physical penetration testers (pentesters) are hired by organizations to test standing security policies for the purpose of exposing unknown vulnerabilities. 90% of network security is removed once a threat actor has physical access - Wil Allsopp, Unauthorized Access: Physical Penetration Testing For IT Security Teams Photo Courtesy of DarknetDiaries.com
  • 3. Five Phases of Physical Penetration Testing Reconnaissance OSINT Intelligence Gathering: ‣ Social Media ‣ Public Records ‣ Attack Surface Data Communicate with Client Scanning and Probing Travel to Location Identify Potential Targets Physical Observations Create Exploitation Plan Acquire Resources Communicate with Client Exploitation Social Engineering Bypass Physical Barriers Bypass Doors Communicate with Client Post-Exploitation Identify Ways to Steal Information: Gain Access to Sensitive Areas Network Jacks in Public Areas Dumpster Diving Communicate with Client Reporting Intelligence Gathered Remediation Suggestions: Training Opportunities Camera Blind Spots Door/Gate Improvements Alarm Evaluations
  • 4. An Attacker Mindset Pentesters know precisely how criminals might gain access to both computer systems and buildings and employ a variety of tools and methods to gain access to a facility. - RedTeamSecure.com Photo Courtesy of DarknetDiaries.com
  • 5. OSINT CATEGORY APPLICATION INTELLIGENCE TOOL Social Media Intelligence [SOCMINT] Digital Network Intelligence [DNINT] Vehicle and Transportation Intelligence [VATINT] Mapping and Geo-Spatial Intelligence [GEOINT] Hunting ground for company and employee information. Identify technologies used and vulnerabilities that can be exploited. Track down company vehicle information. Vehicles can be acquired to blend in. Identify possible attack vectors (access points). ‣ Uniforms & Badges ‣ Name & Photo Identification ‣ Coffee & Lunch Hangouts ‣ Network and Systems ‣ Language & Technologies ‣ Possible Attack Vectors ‣ Host, DNS, & Mail Server Info ‣ IoT Device and Open Ports ‣ Public AWS or Azure Buckets ‣ Area Public Wi-Fi AP’s ‣ Vendor Vulnerabilities ‣ Vehicle Recognition ‣ VIN Identification ‣ License Plate Lookup ‣ Internet Infrastructure ‣ Satellite Images ‣ Drone Images ‣ Street View Images ‣ Historical Facility Images ‣ CCTV Live Video Feeds Google, OpenPayrolls, GoFindWho, OnePlus OSINT Toolkit, SkyLens, Social- Search, Melissa Lookups, Company & Employee Social Media Pages, and Job Postings Open Directories CSE, WhoisFreaks, CentralOps, ZoomEye, IntoDNS, Wappalyzer, HackerTarget, Pulsedive, WiGLE, WiFi Map, Shodan, Zoom Eye, Natlas, Public Buckets, CVE Details CarNetAI, VehicleHistory, FaxVIN GoogleMaps, Soar Earth, Wayback World Imagery, GeoHack Tools, FreeMapTools, HawkEye360, Satelite.pro, Infrapedia Map, TravelWithDrone, CCTV Reconnaissance Phase Pentesters use a variety of Open-Source Intelligence (OSINT) tools to gather information about their target. *These are just examples of the OSINT tools available. Actual tools vary.
  • 6. Scanning and Probing Phase Pentesters travel to the location and begin formalizing the exploitation plan. Physical observations are conducted in person. Night reconnaissance might include locating camera location by using night-vision goggles to see the infrared light emitted by night surveillance cameras. Door, Gate, and Lock Brand information is gathered. SOC location is identified, and any interesting info noted. Resources are acquired: Pentesters scan and clone badges, put together disguises, rent vehicles, and put together their toolkit. Exploitation plan is created: After all the intelligence is gathered an exploitation plan is created and shared with the client. A “get-out-of-jail-free” card is acquired that proves their identity if they get caught Pentesters communicate heavily with the parties. They also notify local authorities of their plan, so that they are not caught off guard. These steps are an important part of maintaining the safety of all parties involved. Photo Courtesy of DarknetDiaries.com
  • 7. Exploitation Phase This is the phase where pentesters deploy their physical penetration testing plan. To implement this plan, pentesters use a variety of tools and methods, some technical and some not. Social engineering is one non-technical approach that pentesters may employ to circumvent security controls. Pentesters may use impersonation, disguises, badges, and a sense of urgency to blend in or gain access to sensitive systems and information. Physical access may also be obtained by observing the physical layout of the premises and identifying weak areas of security that do not require any special tools. Unlocked doors and unmonitored entryways provide an opportunity for access. Bypassing security controls may also be an option by employing bypass tools such as plug spinners, hinge pin tools, door and gate tools, generic keys, and SEARAT tools. Photo Courtesy of DarknetDiaries.com
  • 8. The Physical Penetration Tools Long range RFID readers and a Proxmark III for cloning cards Disguises: Safety vests, uniforms, company cars, hard hats, lanyards Multimeter, for equipment testing and failure issues. Camera, flashlight, GoPro, Binoculars Ladders of various heights LANstar, LAN Cables, Small Wireless Router, for Network System Access Raspberry Pi’s – Plug into Network Connection for Network Access Shortwave radios for communication
  • 9. The Physical Penetration Tools Borescope to see under doors or around corners Night Vision Goggles: See at night and locate night vision cameras Fence keys: Linear & Door King have generic keys available on Amazon Wool blanket to protect your body from barbed-wire fences Door Tools: Double Door Tools, Under the Door Tools, Shove-It Tool, Lockpicks Plug Spinner: Prevents pins from reengaging after lockpick, and re-locks Hinge Pin Tool: Spring-loaded tool used to pop hinges off doors SEARAT: all-in-one entry tool includes key blade, Window-Breaker, Gas Shut-off
  • 10. Post-Exploitation Phase During the Post-Exploitation phase, the pentesters identify the opportunities where information could be stolen. They do not actually steal anything but take pictures or leave evidence (like a business card), to prove that they could have stolen information. ‣ Gain Access to Sensitive Areas ‣ Network Jacks in Public Areas ‣ Dumpster Diving Photo Courtesy of DarknetDiaries.com
  • 11. Reporting Phase After the exploitation plan has been executed, pentesters compile their findings and create a report. The report includes any intelligence that was gathered during the reconnaissance and probing phases; a list of detailed steps and methods that were taken during the exploitation phase, as well as remediation suggestions that will improve an organization's overall security program. Physical pentesters “undertake wildly ambitious and incredibly complex activities intended to reveal opportunities for a potential real-life showdown between good and evil - a heavily defended company against a would-be attacker" - RedTeamSecure.com
  • 12. References Darknet Diaries. (2021, June 22). Retrieved from https://darknetdiaries.com/ Deane, A. J., & Kraus, A. (2021). The official (ISC)2 CCSP Cbk Reference. Sybex. Halton, W., & Weaver, B. (2017). Penetration Testing: A Survival Guide. Packt Publishing. Mike Sheward. (2020). Security Operations in Practice. BCS, The Chartered Institute for IT. Rhysider, J. (Host). (2021, June 22). Jon and Brian's Big Adventure [Audio podcast]. Retrieved from https://darknetdiaries.com/transcript/95/ RedTeam Security, R. (n.d.). Physical penetration testing services: RedTeam Security. RedTeam Security - 5200 Willson Rd. Suite 150, Edina, MN 55424. Retrieved March 4, 2022, from https://www.redteamsecure.com/penetration- testing/physical-penetration-testing Sillanpää, M., & Hautamäki, J. (2020, July). Social Engineering Intrusion: A Case Study. In Proceedings of the 11th International Conference on Advances in Information Technology (pp. 1-5). Young, J. A. (2020). The Development of a Red Teaming Service-Learning Course. Journal of Information Systems Education, 31(3), 157–178. Photo Courtesy of DarknetDiaries.com