Just for the fun of it, I am going to do a series of blogs talking about some of the physical penetration tests I have done. War stories, if you will. Of course we will keep the clients anonymous throughout and hopefully they have fixed these items by now anyway, as it has been some years. For this one we are going all the way back to my first physical penetration test.
This penetration test was against an electrical co-op, i.e. the electricity provider for a rural area in the Southern United States. For this test, I had two targets: their corporate office and an actual electrical distribution unit out in the country, that looked a little like this:
So on day one, my goal is usually just to do some recon. I spent most of the morning at the main office, trying to observe all the various entrances. It is important to understand which entrances are commonly used, because the last thing you need is to go in an unused door that is an alarmed fire door. The other recon I’m doing at this point is to get an idea of how their employees dress, what time they show up in the morning, what time do they take lunch, how long do they leave, do they leave in groups or more sporadically, etc. All of this information can help me during an actual infiltration attempt.
After observing the corporate location for a while, I moved on to the power distro plant. I parked my car up the road from it, and I was in the MIDDLE of nowhere. I remember thinking that if someone saw me at all, I would probably see the wrong end of a shotgun in this area. When I walked up to the sub station, I am trying to just casually walk around, such that if anyone asks, I can say I’m just trying to find a hiking trail or something. There is razor wire at the top of the fencing encircling it, about 12 foot tall chainlink fence, with no obvious weaknesses. I see the control shed (on the left in the photo above) and it is kind of near the fence, so I think maybe I can get a ladder and somehow climb and jump over the fence onto the roof of the structure to avoid the razor wire. Next I started walking around and just lightly pulling on the fence. I am trying to find a section that is loose or not connected. I got about half way around the fence and realized that I am an idiot. There are all sorts of cameras I should have identified initially and I am standing right below one!
I quickly ran back to my car and drive down the road a bit at this point, just waiting for some kind of response. Every white truck I saw I was sure was the company coming in response, but I figured I might as well see what their response time was, so I waited it out. Eventually 30 minutes pass, and I realized that they didn’t see me, either due to those cameras being unmonitored or not altering on motion. So I went back to the hotel to plan for my next day.
The next day I went over my photos and came up with a plan. The initial plan for the corporate office was easy. I got a giant box, waited for lunch hour when a lot of people were coming and going, and walked up to the side door with the box in one hand and my phone up to my ear (on a pretend phone call) in the other. I waited awkwardly outside for a few minutes until someone left for lunch, and I asked them to hold the door for me as they were walking out. Perfect, I am in. I took pictures, found all sorts of sensitive files lying around, got some shells from a conference room, and mission accomplished. On to the sub station.
Once I got to my next target, I basically already had a successful test on my hands, as almost all of my compromise goals were achieved, so I was not as worried. I know the cameras are there, and its just a matter of time until someone drives by, so I have no choice but to just go for it as quickly as possible. One of the things I had considered after the previous night was that the chainlink fence was well-guard at the top, but it was just sitting on top of gravel at the bottom? Hmm… So this time upon further inspection I just tried to move some gravel on the back side at a spot that seemed to be washed out a little. I crawled right under the fence and had complete access. Better yet, the control shed housing all the SCADA equipment was not even locked. The final cherry on top was that the DVR for the security cameras was sitting in that shed, allowing a successful attacker to just take it with them.
If you are interested in a physical penetration test or learning more about them, check this blog out.