Creating a rogue physical device

Kali also facilitates attacks where the intruder has direct physical access to systems and the network. This can be a risky attack, as the intruder may be spotted by an observant human, or caught on a surveillance device. However, the reward can be significant, because the intruder can compromise specific systems that have valuable data.

Physical access is usually a direct result of social engineering, especially when impersonation is used. Common impersonations include the following:

  • A person who claims to be from the help desk or IT support, and just needs to quickly interrupt the victim by installing a system upgrade.
  • A vendor who drops by to talk to a client, and then excuses himself to talk to someone else or visit a restroom.
  • A delivery person dropping off a package. Attackers can buy a delivery uniform online; however, since most people assume that anyone who is dressed all in brown and pushing a handcart filled with boxes is a UPS delivery person, uniforms are rarely a necessity for social engineering!
  • Tradespersons wearing work clothes and carrying a work order that they have printed out are usually allowed access to wiring closets and other areas, especially when they claim to be present at the request of the building manager.

Dress in an expensive suit, carry a clipboard, and walk fast; employees will assume that you're an unknown manager. When conducting this type of penetration, we usually inform people that we are auditors, and our inspections are rarely questioned.

The goal of hostile physical access is to rapidly compromise selected systems; this is usually accomplished by installing a backdoor or similar device on the target.

One of the classic attacks is to place a CD-ROM, DVD, or USB key in a system and let the system install it using the autoplay option; however, many organizations disable autoplay across the network.

Attackers can also create poisoned bait traps: portable storage devices that contain files with names that invite a person to open the file and examine its contents. Some examples include the following:

  • USB keys with labels such as Employee Salaries or Medical Insurance Updates.
  • Metasploit allows an attacker to bind a payload, such as a reverse shell, to an executable such as a screensaver. The attacker can create a screensaver using publicly available corporate images and mail CDs to employees with the new "endorsed" screensaver. When the user installs the program, the backdoor is installed alongside it and connects back to the attacker.
  • If employees are known to have attended a recent conference, attackers can impersonate a vendor who was present and send the target a letter presenting it as a follow-up from the vendor show. A typical message will be "If you missed our product demonstration and one-year free trial, please review the slideshow on the attached USB key by clicking on start.exe."

One interesting variant is the SanDisk U3 USB key, or Smart Drive. The U3 keys were preinstalled with Launchpad software, which automatically allowed the keys to write files or registry information directly to the host computer when inserted, to assist in the rapid launch of approved programs. The u3-pwn tool (Kali Linux | Applications | Social Engineering Tools | u3-pwn) removes the original ISO file from the SanDisk U3 and replaces it with a hostile Metasploit payload, which is then encoded to avoid detection on the target system. Unfortunately, support for these USB devices is declining, and they remain as susceptible to detection as any other Metasploit payload.
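The mitigation mentioned for both the autoplay attack and the U3 Launchpad variant is to disable AutoRun by policy. The following PowerShell audit, added here and not part of the book or of any Kali tool, reads the NoDriveTypeAutoRun and NoAutorun policy values on a Windows host and reports which drive types would still honour AutoRun; the drive-type bit meanings and the 0x91 default are the documented Windows values, while the "Compliant" rule (mask 0xFF, or NoAutorun set) is an assumption of this example.

```powershell
# Added defender-side check (not from the book): audit the Windows AutoRun policy.
# NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is suppressed.
# 0xFF suppresses it for every drive type; 0x91 is the Windows default (unknown + network).
$driveTypes = @(
    @{ Bit = 0x01; Name = 'Unknown' },      @{ Bit = 0x04; Name = 'Removable (USB)' },
    @{ Bit = 0x08; Name = 'Fixed' },        @{ Bit = 0x10; Name = 'Network' },
    @{ Bit = 0x20; Name = 'CD-ROM/DVD' },   @{ Bit = 0x40; Name = 'RAM disk' },
    @{ Bit = 0x80; Name = 'Unknown type' }
)
# Machine policy takes precedence over user policy when both are set.
$policyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Get-AutoRunPolicy {
    foreach ($key in $policyKeys) {
        # Missing key or value means the OS default applies.
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $mask  = if ($null -ne $props.NoDriveTypeAutoRun) { [int]$props.NoDriveTypeAutoRun } else { 0x91 }
        # NoAutorun = 1 stops autorun.inf commands from being executed at all.
        $noAutorun = [bool]$props.NoAutorun

        $stillEnabled = @()
        foreach ($t in $driveTypes) {
            if (-not ($mask -band $t.Bit)) { $stillEnabled += $t.Name }
        }
        [pscustomobject]@{
            Scope              = $key.Split(':')[0]
            NoDriveTypeAutoRun = ('0x{0:X2}' -f $mask)
            NoAutorun          = $noAutorun
            AutoRunStillOn     = ($stillEnabled -join ', ')
            Compliant          = ($mask -eq 0xFF -or $noAutorun)   # assumed audit rule
        }
    }
}

Get-AutoRunPolicy | Format-Table -AutoSize
```

A row with "Removable (USB)" or "CD-ROM/DVD" under AutoRunStillOn means a dropped USB key or a U3-style emulated CD partition would still be offered for automatic launch on that host.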
