All Your Base Still Belong To Us Physical Penetration Testing Tales From The Trenches

All Your Base Still Belong To Us Physical Penetration Testing Tales From The Trenches - Harry Regan & Valerie Thomas

Page 1

All Your Base Still Belong To Us

Physical Penetration Testing Tales From The Trenches

Page 3

What is physical pen testing?

•  Evaluates building/compound security controls for
   •  Prevention of entry
   •  Delay of entry
   •  Response time of security forces
•  Sometimes a specific building or area is the target
•  Can be performed in conjunction with a technical penetration test

Page 4

The Split Personality of Security

Computer/Network Security
•  Protects valuable assets
•  Typically reports to Technology or Financial Officers
•  “You must be really smart”
•  Controls designed and implemented by network security professionals

Physical Security
•  Protects valuable assets
•  Typically reports to Administration or Facilities Organization
•  “You’ll get a better job someday”
•  Controls designed and implemented by electrical contractors

Should be coordinated; seldom are, but getting better…

Page 5

Problems and Opportunities

•  Security programs are generally based on policies and controls
•  The assumption is that people are inclined to obey the rules
•  That is generally correct; however, people’s performance is a variable, not a constant
•  A good information security program does not imply a good physical security program – and vice versa.

Page 6

A Blessing and Curse: People

•  People are what really make or break a security program
•  “Theory is as good as practice” in theory, but not in practice – in practice, security policy can become notional.
•  People:
   •  Want to be friendly/sociable
   •  Want to be empathetic
   •  Are inconsistent
   •  Are impatient

Human factors should be considered in designing physical controls.

(And can be exploited in penetration tests)

Page 7

Not a New Thing

In 1979, DoE required the 28 largest energy companies at the time to report their R&D expenditures as part of their 10-K filings. The energy companies did not want to disclose sensitive competitive data. DoE wanted to show that its system was secure and contracted out for a pen test. The team was allocated 4 weeks and authorized to use “whatever means hackers would use”.

The team figured: attacking the system is tough. Attacking the application process was easier:
•  Chat up the data entry clerks to get accounts
•  Use accounts to snoop the system storage
•  Harvest data from unprotected temporary files

Success: data breach in 3 days.

Page 8

Authorization Letter

•  Outlines your authorization to conduct a security assessment
•  Signed by your company and the customer’s security manager
•  Multiple copies

Page 9

Reconnaissance From Afar

•  Google and Bing maps
•  Lay of the land
   •  Number of buildings
   •  Building entrances
   •  Controlled parking?
   •  Fences, gates, guard stations
•  Surrounding area
   •  Places you can observe from within close proximity
   •  Choose more than one observation spot

Page 12

On-Site Recon

•  License plates are important
•  Do a drive at night to verify observation spots
•  Watch for security patrols
   •  Note any patterns
   •  Have a cover story ready
•  Note how employees are dressed
•  Where do employees go for lunch?
•  ID cards
•  Car decals

Page 18

Access Cards

Low frequency
•  125 kHz
•  Small amount of data
•  Unencrypted

High frequency
•  13.56 MHz
•  Large amount of data
•  Sometimes encrypted

Page 19

How credentials are read

https://media.blackhat.com/us-13/US-13-Brown-RFID-Hacking-Live-Free-or-RFID-Hard-Slides.pdf

Page 20

No need to worry, it’s a serial connection…

Page 21

What connection should you protect on a door controller?

[Diagram: door controller wiring. Components shown: door strikes and A.C. devices, Wiegand controllers, door switches, fire alarm interface, RS485-to-RS232 converters, User Identity Management Console, Access Control Management Console, A.C. device power supply and controller power supply. Legend: Wiegand protocol over RS485 line; Wiegand protocol over RS232 line; +5-12 VDC relay signal; data and device control over RS485 and RS232 lines; device power; strike and controller power. Control groups: Access Management Controls, User/Data Management Controls, Power Controls.]

The ones we’d want to know about would live here…

Why? Because we can intercept “door open” and “authorized user” signals.
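As an added example (not part of the slides) of what travels on that reader-to-controller line: the common 26-bit Wiegand frame a 125 kHz reader sends carries only two parity bits, an 8-bit facility code and a 16-bit card number, all in the clear. The frame layout and the facility/card values are assumptions for illustration; the parity check is the only integrity check the format offers, which is why the wiring itself needs protecting.

```python
# Added example, not from the slides: encode and decode the common 26-bit
# Wiegand frame that a 125 kHz reader sends over the reader-to-controller
# line. Assumed layout (the widely used "standard 26-bit" format):
#   bit 0      even parity over bits 1-12
#   bits 1-8   facility code
#   bits 9-24  card number
#   bit 25     odd parity over bits 13-24
# Nothing here is encrypted or authenticated; parity only catches line noise.

def encode_wiegand26(facility: int, card: int) -> str:
    """Build the 26-bit frame as a string of '0'/'1' characters."""
    if not (0 <= facility <= 0xFF and 0 <= card <= 0xFFFF):
        raise ValueError("facility must fit in 8 bits, card number in 16 bits")
    data = f"{facility:08b}{card:016b}"        # 24 payload bits
    even = str(data[:12].count("1") % 2)        # bits 0-12 end up with even weight
    odd = str((data[12:].count("1") + 1) % 2)   # bits 13-25 end up with odd weight
    return even + data + odd

def decode_wiegand26(frame: str) -> dict:
    """Check both parity bits, then split out facility code and card number.
    Raises ValueError on a malformed frame; a controller should reject it
    rather than guess at the intended credential."""
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        raise ValueError("frame must be exactly 26 binary digits")
    bits = [int(b) for b in frame]
    if sum(bits[0:13]) % 2 != 0:
        raise ValueError("even parity check failed (bits 0-12)")
    if sum(bits[13:26]) % 2 != 1:
        raise ValueError("odd parity check failed (bits 13-25)")
    return {"facility": int(frame[1:9], 2), "card": int(frame[9:25], 2)}

def is_valid_frame(frame: str) -> bool:
    """True if the frame passes the length and parity checks."""
    try:
        decode_wiegand26(frame)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed sample credential: facility code 42, card number 1234.
    frame = encode_wiegand26(42, 1234)
    print(frame, decode_wiegand26(frame))
    # Parity catches a single flipped bit, but not a well-formed frame from
    # an untrusted source: the line itself has to be protected.
    flipped = frame[:5] + ("1" if frame[5] == "0" else "0") + frame[6:]
    print(is_valid_frame(flipped))
```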

How do we find them?

Page 22

Use NMAP…

$ nmap -sS -v -O 192.168.123.240 -p 1-10000
Host (192.168.123.240) appears to be up ... good.
Initiating SYN Stealth Scan against (192.168.123.240)
Adding open port 7/tcp
Adding open port 80/tcp
Adding open port 9999/tcp
The SYN Stealth Scan took 16 seconds to scan 10000 ports.
…
Interesting ports on (192.168.123.240):
(The 9997 ports scanned but not shown below are in state: closed)
Port     State  Service
7/tcp    open   echo
80/tcp   open   http
9999/tcp open   unknown
…
No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
…
TCP Sequence Prediction: Class=trivial time dependency
                         Difficulty=19 (Easy)
IPID Sequence Generation: Incremental

Page 23: All Your Base Still Belong To Us Physical Penetration Testing Tales From The Trenches - Harry Regan & Valerie Thomas
Page 24: All Your Base Still Belong To Us Physical Penetration Testing Tales From The Trenches - Harry Regan & Valerie Thomas
Page 25: All Your Base Still Belong To Us Physical Penetration Testing Tales From The Trenches - Harry Regan & Valerie Thomas
Page 26: All Your Base Still Belong To Us Physical Penetration Testing Tales From The Trenches - Harry Regan & Valerie Thomas
Page 27: All Your Base Still Belong To Us Physical Penetration Testing Tales From The Trenches - Harry Regan & Valerie Thomas
Page 28: All Your Base Still Belong To Us Physical Penetration Testing Tales From The Trenches - Harry Regan & Valerie Thomas

Door Controllers

Page 35

Security Myth #1,017

•  If you put a critical asset in the middle of nowhere, you don’t need great security.

Page 36

Sometimes, It’s Too Easy

Rear entrance to suite. Not access controlled. Exposed hinge. Pin already part way out.

List of extensions of everybody at the site! Complete with handy telephone!

Nice warning, but this sign is on the open door to the machine room.

This is all one location. We entered the site through the unlocked, non-access-controlled back door.

Page 45

Harry Regan

@Geezbox

Valerie Thomas

@Hacktress09

Securicon

@SecuriconLLC