Penetration Testing mailing list archives
physical security pentesting procedures, tips, audit programs?
From: marc spamcatcher <junk () zounds net>
Date: Wed, 1 Dec 2004 20:41:28 -0600 (CST)
I am performing a pentest of the physical security at a hospital. Can anyone offer procedures, methodologies, tips, etc. on this?

I plan to break the day into two parts:
1) physical security pentesting
2) physical security assessment

Partially because I think I may run out of things to attempt in 1.

In 1 I plan to attempt to enter secure areas, plug into the network, take hardware, etc. 2 will be the more standard checks for cameras, guards, etc.

I think social engineering will be a big part of 1. A friend lent me a lab coat. :)

I did some searches, and below are my notes and what others have said (sorry not to give credit).

The hospital was not informed, but a VP will be on the premises to vouch for me if caught.

I plan to read Mitnick's book on SE before the next one.

Thanks,
marc in zounds.net

-----------------------------------------------
physical security pen-testing

[ ] design audit program
    link to cobit?
    divide it up by pen-test and vulnerability assessment actions
[ ] read isaca pentest pdf

dumpster diving
small screwdriver / credit card for opening doors
follow employees to lunch, eat near them, take notes
plant keylogger?
pretend to be the tape storage vendor?

:: look for
look for usable copy machines or fax machines, etc.
look for passwords on stickies
look in trash cans
shredded files to reassemble
unattended computers with users logged in.

Try to find targets:
    wiring closets
    computer room
    telephone equipment
    IT offices
    Executive offices
    network jacks
    wireless networks
    backup media

pop up ceiling tile, go over wall
detect with ceiling motion detectors

stand outside secure door smoking until you can tailgate someone (or a group) in.

"Once in though, how do you gain access to the swipe card protected area? Simple. Stand near the door and look like a 'little boy lost'. Some nice person always asks if you want to get in."

work the receptionist, the 'security guard'

Generating fake access badges

-------------- SOCIAL ENGINEERING -------------------------------------------

I'm no expert, but I think you should start with some SE goals or targets, and list techniques that are used to attack them. Goals and techniques might be:

1. Gain physical access
   tester->guard: "I forgot my card today"
   guard->tester: card

2. Gain credentials remotely
   tester->helpdesk: "This is Joe Blow CEO, I forgot my password"
   helpdesk->tester: new password

3. Gain access to sensitive information such as source code, sales/customer history, pricing structure, salary info.
   tester->engineer: "I'm with the new enterprise QA team and we're doing a source audit"
   engineer->tester: source code
   tester->helpdesk: "I'm salesperson X and I can't get into the contact database"
   helpdesk->tester: contact database access

--------

- Write down the contact's name and their department, you can keep this contact for further information gathering later.
- Keep referring to them by first name (common name) on the phone, this will sometimes build up an informal environment in which they are comfortable giving you information.
- Don't be afraid to ask for a supervisor if things aren't going your way, go all the way to the top if you have to, but don't back down.
- Also, if you are not doing this from a business environment, you can try to create an office type dialog to seem more professional. Have a "secretary" call, get the contact on the phone, and then transfer the contact to your office. If you have a secretary making your calls, you must be doing something right, or so they would assume.
- will the organisation's help desk assist an unauthorised or unidentified user?

------------------

A Physical Penetration Test identifies the security weaknesses and strengths of the client's physical security. The goal of the test is to demonstrate the existence or absence of deficiencies in operating procedures concerning physical security.

---------------------------------------------------------
VULN ASSESSMENT
---------------------------------------------------------

:: look for cameras