Steps Before Your Physical Social Engineering PenTest

By: ChrisTCPD

April 7, 2017


The time has come to test your physical security via social engineering.  The budget did not support hiring a professional firm or consultant so it comes down to testing yourself.  Here are a few first steps to get you ready.

Get Out Of Jail Free Letter

First and foremost, make sure you have a Get Out Of Jail Free letter from a corporate officer, preferably the CEO.  The last thing you want is to be in handcuffs as a suspicious person.  People are not as tolerant as they used to be before terrorism reared its ugly head.  This letter will identify you and the company, and state that you are authorized to be on site testing the physical security of the company.

Research the Facility

Next, research the facility.  That does not mean go physically onsite.  We don’t want to give ourselves away just yet.  It is time to show how good your Google-Fu skills are.  Let’s say you have an office in a multi-tenant building.  Search online for who else is in the building.  Learn the names of the businesses and their locations.  Ideally, focus on those businesses that are proximal to your business.

Once you have gained this information, use it.  Create a fake letterhead and write yourself an invitation letter from one of the proximal businesses.  If you are discovered on-site, you can use this letter to throw off any suspicion.  “Sorry, I was trying to find ABC123 Company as I have an appointment there” as you show the letter to the local security officer.

Have a Legitimate Back Story

With your research done, it is time to formulate a good backstory.  The best backstory has pieces of truth in it.  Following the letter from your research, you may want to reach out to one of the proximal companies and actually set up an interview or appointment.  Use your real name.  It will be easier to back up the story with your ID.  The proximal business is not the target of your test, so you can be somewhat honest with them.  “I am the Manager of Security for XYZ, we have an office above you on the 5th floor.  I’d like to stop by and discuss some of the issues we have seen in order to be a good neighbor.”  This sets you up to have a legitimate reason for being in the building other than visiting your own company.

If the building is solely occupied by your company, the story will need to be more creative.  The one backstory to never use is being a government inspector or agent of any kind.  In the US, there are laws making such impersonation a crime.  Clergy is another story not to use.  Again, focus on something as real as possible.  Have one of your co-workers call and set up an appointment for you to inspect something.  We have all seen “those from corporate” wandering around.

Your backstory is only used when you confront an obstacle.  Ideally, you want to try penetrating without the backstory.  Finding open doors, walking around with boxes, being on the phone while walking: all of these create barriers that discourage people from confronting you.  The cellphone conversation works great for me.  If someone challenges me while I am on my “call”, I get really expressive with my movements to indicate that this is an important call and how dare they interrupt me.  To the point of saying into my phone, “Sorry Mike, hold on a minute.  I have someone here that needs to interrupt this billion dollar opportunity to ask me a question.”

Be careful to use your backstory wisely.  Don’t try to peddle your backstory after you have already provided another excuse to someone.  They will only become more suspicious.  While you don’t want to give up your backstory immediately, be sure the lines you give are consistent with the safety net of the backstory.  Going from the cell conversation above to “I’m here to interview with SoAndSo” will most likely result in some suspicion.

If You Are Known, Find Someone Else

One obvious piece of advice: if you are known to everyone, testing the physical security of your facility will be incredibly difficult.  A suggestion is to reach out to a fellow security-minded individual at another company and trade your services.  He tests your facility under your direction and you test his.  All the rules apply as if it were you, including the most important, the Get Out Of Jail Free letter.

Don’t be their backstory though.  Set up something that isolates you from the testing.  You can be informed but you want to see how your staff responds to an intruder.  If your doppelganger has you as a backstory, it reduces the testing parameters.

No doppelganger available?  No problem.  Organizations like ASIS are in every major city.  Reach out to the chapter President and make some introductions.  Attend a meeting and network with others.  Within three months, you’ll have plenty of new friends that would be willing to help you in trade.

The Bathroom.  The Bathroom!

The best “Hail Mary” play for the physical pentester is the bathroom.  If you are confronted and you don’t feel it going your way, fall back on the bathroom ploy.  Try to be sincere and in distress at the same time.  I’ve used lines like, “This is extremely difficult for me to share with a stranger, but I have Irritable Bowel Syndrome and right now, I really need a restroom.  Can you point me in the right direction?”  It makes people uncomfortable to talk about bathroom events.  Most will be more than happy to direct you to the nearest bathroom.  Some people you may have to beg.  Act like you are in pain, do the “dance”, cross your legs.  It all adds authenticity to your plight.

Don’t expect to be left alone once you have been granted bathroom privileges.  The person may wait for you outside the door.  At least you gain some additional time to formulate a new plan.  If I use the bathroom plan, I wait there for 5-8 minutes and then exit using the phone call ruse mentioned above.

Apply.  Rinse.  Repeat.

One thing to remember is that regardless of how many times you have used a technique, it will be new to the person you are using it on.  You must act like it is new to you too.  Think about a magician.  They perform the same trick, every day, on stage in Las Vegas.  But every time they do it, it looks like a new and exciting trick to us.  They act the part.  You must act the part.  Adopt the role.  Research what a method actor does and then become one.

Social Engineering is about faking it.  You fake who you are.  You fake credentials and stories.  After all, a criminal will be doing the same thing to get into your facilities.  Ethically, you are on stable ground because you have no malicious intent like a criminal.  You are trying to strengthen your perimeter against such attacks.

Stay safe and have fun.

