1. Tailgate

Most of the time it’s easy enough to just walk into a company, determined and stern. The path of least resistance is hard-wired within us; follow this instinct and act like you’re supposed to be there.

I’ve tailgated behind cars and people alike. How many people walk into massive shared complexes where an unusual face is more common than not? Once you’re inside, you can then proceed to skim or obtain a badge to clone later on.

2. Proximity Card Skimming and Long Distance Access Control Attacks

Using a device like the Proxmark, you can start with HID Prox cards and eventually copy, and even modify, other types of proximity cards.

For attacking the actual controls themselves, you can use a BLEKEY or an ESPKEY. These devices interface directly with the reader and can be installed in a matter of minutes, not hours. They are small, well designed and inconspicuous if installed properly. As Mark Baseggio, creator of the BLEKEY, commented, most access controls sucked in 2016, and I’d say that nothing much has changed: they’re dated and vulnerable, easy to skim and clone.

You can rig up a nice long-distance RF reader like Bishop Fox outlines below:

Image from Bishop Fox

The cost of acquiring the hardware fluctuates on eBay, but it’s amazing how many of these HID proximity systems are in use across large and small businesses, corporations, health care institutions and municipalities, including secure sites like data centers and the wiring/server closets in many offices.
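Cloned proximity cards open the door with a perfectly valid credential, so the reader log is the place a defender catches them. The script below is an added example (it is not from the original post, and not a Bishop Fox or Proxmark tool) that runs two checks over a constructed access-control log: the same badge granted at two readers faster than anyone could walk between them, and a badge re-entering a zone it never left (anti-passback). The log format, reader names, zones and transit times are all assumptions made up for the example.

```python
"""Flag badge use that suggests a cloned or shared credential.

Added example, not part of the original post. The log layout, the reader
inventory and the walking times between readers are constructed here; a
real deployment would load them from the access-control system.
"""
import csv
from datetime import datetime
from io import StringIO

# Constructed sample reader log: timestamp, badge id, reader, result.
SAMPLE_LOG = """\
timestamp,badge,reader,result
2024-03-04T08:01:10,1042,lobby-in,granted
2024-03-04T08:01:40,1042,annex-in,granted
2024-03-04T08:05:00,2077,lobby-in,granted
2024-03-04T08:05:30,2077,lobby-in,granted
2024-03-04T08:30:00,3105,lobby-in,granted
2024-03-04T08:35:00,3105,dc-door,denied
2024-03-04T12:00:00,3105,lobby-out,granted
2024-03-04T12:10:00,3105,lobby-in,granted
"""

# Constructed site model: reader -> (zone it controls, entry or exit).
READERS = {
    "lobby-in": ("hq", "entry"),
    "lobby-out": ("hq", "exit"),
    "annex-in": ("annex", "entry"),
    "annex-out": ("annex", "exit"),
    "dc-door": ("datacenter", "entry"),
}

# Constructed minimum plausible walking time (seconds) between reader pairs.
MIN_TRANSIT = {
    frozenset({"lobby-in", "annex-in"}): 600,
    frozenset({"lobby-in", "dc-door"}): 120,
}
DEFAULT_TRANSIT = 60  # applied to any pair not listed above


def parse_log(text):
    """Parse the CSV log into dicts and sort them by time."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        rows.append({
            "ts": datetime.fromisoformat(row["timestamp"]),
            "badge": row["badge"],
            "reader": row["reader"],
            "result": row["result"],
        })
    rows.sort(key=lambda r: r["ts"])
    return rows


def find_anomalies(events):
    """Return (rule, badge, timestamp, detail) tuples for suspicious grants."""
    alerts = []
    last_grant = {}  # badge -> most recent granted event
    inside = {}      # badge -> set of zones the badge is currently inside
    for ev in events:
        if ev["result"] != "granted":
            continue  # denials are worth counting, but travel maths needs grants
        badge, reader = ev["badge"], ev["reader"]

        # Rule 1: impossible travel between two different readers.
        prev = last_grant.get(badge)
        if prev and prev["reader"] != reader:
            gap = (ev["ts"] - prev["ts"]).total_seconds()
            needed = MIN_TRANSIT.get(frozenset({prev["reader"], reader}), DEFAULT_TRANSIT)
            if gap < needed:
                alerts.append(("impossible-travel", badge, ev["ts"].isoformat(),
                               f"{prev['reader']} -> {reader} in {gap:.0f}s (min {needed}s)"))

        # Rule 2: anti-passback, entering a zone the badge never exited.
        zone, direction = READERS[reader]
        zones = inside.setdefault(badge, set())
        if direction == "entry":
            if zone in zones:
                alerts.append(("anti-passback", badge, ev["ts"].isoformat(),
                               f"re-entered {zone} via {reader} without an exit"))
            zones.add(zone)
        else:
            zones.discard(zone)
        last_grant[badge] = ev
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(parse_log(SAMPLE_LOG)):
        print(*alert, sep=" | ")
```

On the constructed log this flags badge 1042 (lobby to annex in 30 seconds) and badge 2077 (two lobby entries with no exit). Both rules only work if exit readers exist and the transit table is honest about the site, which is exactly the kind of configuration the post notes is often deprioritized.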

Remember that access controls are often overlooked, or not prioritized, in the rules of engagement for standard red teaming and penetration testing that corporations define for themselves. Red tape can completely stop a company from even considering a physical breach simulation.

3. Social Engineer

Ah, the good old fake letter: a solid pretext and a friendly call to the building before you even land can have you sold as a security guard or pest control. You arrive onsite already verified, with the right gear and the proper attire. Get on that LAN, drop a device or grab some hashes, and get Domain Admin before lunch.

Evil Maid: gain access to the laptop while it is unattended by dressing the part, and install your favorite backdoor of choice.

4. Physical Access Control Bypass & Lock Picking

Arguably, obtaining as many universal or “bump-able” keys as you can is the name of the game. Simple, non-secure keys can be copied from a high-resolution photograph with a 3D printer.

Master keys can be copied and abused to bypass doors, and gain access to shared building stairwells and elevators.

In the world of physical security assessments, most large consulting companies don’t want to take on the responsibility for scratched tumblers, potential damage to locks, and the element of uncertainty that comes with a red team physical penetration test. This simulation is not a logical one but a real, physical one.

Sometimes you can bypass certain sensors from the outside, with a can of compressed air. Depending on the sensor, keys and overall security posture of the building, different techniques may apply.

5. WiFi credential harvesting and internal network disclosure, badge identification and corporate mobile devices

A building’s local coffee shop is an incognito and effective place to reach a GUEST network, or an improperly configured wireless supplicant on a device that has at one time been connected to the corporate network. DNS information, usernames and even passwords can be disclosed to a rogue/evil twin network. Being onsite gives you the ability to sniff and perform long periods of OSINT recon anonymously and covertly.
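The rogue/evil twin described above is visible from the defender’s side as an access point that advertises the corporate SSID (or a lookalike) from a radio the organization does not own, often with weaker security than the real network. The script below is an added example, not from the original post, that compares a constructed wireless survey against an inventory of known access points and reports unknown BSSIDs, security mismatches and lookalike SSIDs. The SSIDs, BSSIDs and scan records are all constructed for the example; a real survey would come from the WLAN controller or a site scan.

```python
"""Compare a wireless survey against the known-AP inventory.

Added example, not part of the original post. Every SSID, BSSID and scan
record below is constructed; replace them with the organization's own
controller export and survey data.
"""
import re

# Constructed inventory of the organization's own access points.
KNOWN_APS = {
    "Acme-Corp": {
        "security": "WPA2-Enterprise",
        "bssids": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
    },
    "Acme-Guest": {
        "security": "open",
        "bssids": {"aa:bb:cc:00:00:03"},
    },
}

# Constructed scan snapshot, as a survey tool might export it.
SCAN = [
    {"ssid": "Acme-Corp", "bssid": "aa:bb:cc:00:00:01", "security": "WPA2-Enterprise"},
    {"ssid": "Acme-Corp", "bssid": "aa:bb:cc:00:00:02", "security": "WPA2-Enterprise"},
    {"ssid": "Acme-Corp", "bssid": "de:ad:be:ef:00:01", "security": "WPA2-Enterprise"},
    {"ssid": "Acme-Guest", "bssid": "aa:bb:cc:00:00:03", "security": "open"},
    {"ssid": "Acme Guest", "bssid": "de:ad:be:ef:00:02", "security": "open"},
    {"ssid": "Acme-Corp", "bssid": "de:ad:be:ef:00:03", "security": "open"},
    {"ssid": "CoffeeShop-Free", "bssid": "11:22:33:44:55:66", "security": "open"},
]


def normalize_ssid(ssid):
    """Collapse case and punctuation so 'Acme Guest' and 'Acme-Guest' compare equal."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())


def find_rogue_aps(scan, known=KNOWN_APS):
    """Return one finding per suspicious AP with the list of reasons it tripped."""
    lookalikes = {normalize_ssid(name): name for name in known}
    findings = []
    for ap in scan:
        reasons = []
        ssid, bssid = ap["ssid"], ap["bssid"].lower()
        if ssid in known:
            # Exact corporate SSID: the radio must be ours and use our security.
            if bssid not in known[ssid]["bssids"]:
                reasons.append("unknown-bssid")
            if ap["security"] != known[ssid]["security"]:
                reasons.append("security-mismatch")
        else:
            # Not our SSID, but close enough to fool a person or a supplicant.
            match = lookalikes.get(normalize_ssid(ssid))
            if match:
                reasons.append(f"lookalike-of:{match}")
        if reasons:
            findings.append({"ssid": ssid, "bssid": bssid, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_rogue_aps(SCAN):
        print(finding["bssid"], finding["ssid"], ", ".join(finding["reasons"]))
```

The unrelated coffee-shop network produces no finding; the three that do are the unknown radio broadcasting Acme-Corp, the spaced-out "Acme Guest" lookalike, and the open network reusing the corporate SSID, which is the security downgrade an evil twin relies on. Pairing this with supplicants that validate the RADIUS server certificate removes the other half of the problem the post describes.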