PSE & Red Team Series: Social Engineering
Last year in this series, we discussed OSINT, physical entry bypass, and badge cloning. Now we’ll move on to the Physical Social Engineering (PSE) exploits that are high-risk but can quickly result in easy access: the tactics and behaviors of a successful social engineer.
Social engineering should not be your first option as it can quickly result in a tester getting burned, but it’s a critical part of any PSE test to ensure that organizations know if they need to strengthen their training.
A Game of Confidence
As always, I’ll remind everyone that using these tips without a clearly scoped contract would be illegal, and Raxis does not condone such activities. Let’s all stay ethical!
If you do anything confidently enough, there is an innate trust people place in you. A successful social engineer observes and mimics the behavior, attire, and mannerisms of their surroundings. Take notice of the small details of people around you – how they dress, how they walk, and what their small talk consists of. This is all key information to have before social engineering someone, because it acts as camouflage.
General Guidelines
Before we talk about tactics, there are a couple of things to keep in mind when interacting with people you are trying to bypass. Whenever you are preparing to engage with someone, it’s always good to have a pretext ready: a reason why you are where you are and why you are allowed to be there. When preparing these and interacting with people, you’ll want to keep the following in mind:
- Check the easy thing. More than once, someone performing a PSE has found a way in just because someone didn’t lock a door or a drawer or even because a card reader was disabled or broken. It is always worth trying the door.
- Confidence. No matter what role you are playing, in the moment, do it with confidence. If you feel anxious, just remember, you are there legally. You are doing nothing wrong and not doing the full test would not be fair to your customer.
- Urgency. Why is it important for you to be there right now? Why can’t it wait?
- Authority. Who permitted you to be there? And how can you fake proof of that permission enough for it to seem plausible?
- Timing. When are people leaving and entering the most? Usually at opening, lunch, and closing. These are the best times to blend in with a crowd.
- Building Rapport. While you are getting in, what stands out to you about a person? Do they have nice shoes? A nice watch? Did you see them get out of a fancy car when you were arriving? Anything you can compliment nonchalantly can help put them at ease about your presence. Helping out or commiserating builds a bond as well. Hold the elevator for them or comment on what a long day it’s been if they look tired.
Social Engineering Tactics
Tailgating
Tailgating is when you attempt to follow someone into a building to bypass the authorization checkpoint at an entry, most often a badge reader or buzzer. We can do this by exploiting people’s kindness or unawareness. (Yes, it feels kind of messed up, but if your test leads to employees learning the skills to prevent a malicious attack, you’ve done your job well.)
Regardless of what you do, it’s important that you blend in when tailgating. If you stand out, it will be harder to tailgate someone in and to appear to belong once you are in. Some ideas include:
- Blending in with a crowd and walking in with a group of people
- Having your hands full as you walk up to an entry point (coffee, boxes, donuts, etc.)
- Being ‘busy’ near the door and catching the door as someone else opens it. (Cleaning something up, on the phone with a personal matter, etc.)

Impersonating Someone
Impersonating an employee or contractor is another good tactic, but you can easily be burned if you can’t prove it with some set of credentials. Always be ready with some pretext (forgot your ID today – how you hate Mondays!) or forged credentials to provide a reason as to why you are there.
An unverifiable pretext is always best, with hard-to-verify being second. And if you must name-drop somebody, you’d better be ready to prove it, fake it, or book it afterward. Some impersonation ideas are:
- Impersonate new hires. People often post on LinkedIn about a new position, and coworkers are less likely to have met them yet.
- Impersonate delivery or service workers. Being a contracted night cleaning crew member, delivery staff, or even an exterminator might lead to access.
- Impersonate IT. Most people don’t pay attention to the IT staff, and a lot of IT staff work remotely. Maybe you are doing a WiFi survey of the office, performing computer maintenance, or searching for a malicious device connected to the network.
Pretexting
Now the one we have all been waiting for, pretexting. At heart, pretexting is telling a story or playing a role in the story you created to justify your actions. So yes, lying. When planning out your pretexts, it’s important that you consider everything we discussed before and remember that the best pretexts are the ones that are easy to believe. When prepping for an engagement, it’s good to have multiple pretext options at hand, ready to use at different times.
- While on a job, I was hanging out in a room across from a client suite at the end of the business day. As it got later, I had several pretexts ready to throw out to justify why I was there and had not left yet, starting with “I am on a call” for the people who just popped in and going as far as “My car won’t start; I am just waiting on a tow truck.” for those who had questions. When one person popped their head into the suite, I mouthed to them that I was on the phone, and they apologized and left.
- While at another job, I scoped out the building and found that multiple entrances were not viable for entry. I found a company shirt, but it was not suitable for the space I was trying to enter. Regardless, I waited on the stairs at the back door. As it was a winter day, once someone opened the back door I yelled, “Hold the door! It’s freezing out here.” They did, and I walked in.
A pretext can be very simple, like the first story above, or more advanced, even involving props, like the second.
Deploying Malicious Payloads
Now we are getting into an area that requires direct permission from your client. When we mention leaving “malicious payloads,” we’re talking about staging payloads using something like a Rubber Ducky USB to quickly run exploit code on a workstation. Having some of these in your pack and ready to go is wonderful. They are quick to deploy, and you could potentially get a reverse shell.
Another method of establishing access is by deploying a network implant. These devices most often use the customer’s network to connect to an outside system to facilitate persistent access. They can be tiny and use a variety of means to communicate with their command and control systems.
Whatever route you decide on, ensure you have documented where you placed your assets and be sure to make your client aware after the fact so that they can remove them.
Red Teams and Final Notes
For this entire series, we’ve talked about risk levels for each action you take. On a PSE (Physical Social Engineering) engagement, it’s important to try the riskier tactics near the end of the engagement to see if someone will catch the overt actions (hopefully you will pick up some positive findings for your report).
However, that is not the case on Red Teams. While a PSE is trying to test all physical controls, Red Teams are trying to mimic real-world situations, which does not involve getting caught. Get in, establish access, get out, and remain unseen if possible.
Thanks for reading, I hope this guide will serve you well. Please come back for more tutorials and guides, including the next in this series about looting once you have gained access in order to show your customer what a malicious attacker could do once inside!