Chapter 6

How to Use the Information You Gather

As organizations become aware of security weaknesses, they tend to (at least attempt to) mitigate them. What this means for the penetration tester is that assessments that would have been fairly easy a few years ago are now far more challenging. Because radio traffic is an area where most organizations do not place a focus on security, it provides a great resource for gathering intelligence. This is not just theory; the authors have used information gathered by profiling radio traffic to increase the success of many penetration assessments, as shown by the included case studies.

Who is Guarding the Guards?

The information in this book is especially valuable when the target organization has a guard force that uses two-way radios. By listening to radio traffic on the guard frequency, it is usually possible to learn the schedule of the guard rounds as well as any regular movements. Knowing where the guards are is invaluable when you wish to avoid them. Knowing the number of guards on duty on any given shift will also help you plan your penetration assessment. Obviously, attempting the assessment when the fewest possible number of guards is on duty is generally best. One exception: even if there are only a small number of guards during off-business hours, that may still not be the best time, as any movement will be seen as abnormal and will draw attention.

Learning the schedule of the guard shifts is also valuable. Note whether the shift changes are staggered, i.e. not all guards end their shifts at the same time. If all the guards change their shift at the same time, this can present an opportunity as their posts may not be as well guarded as they are in the middle of a shift. Like any of us, guards may become tired and less attentive and diligent towards the end of their shift, presenting another advantage for the penetration tester.

While monitoring traffic on the radio, write down guards’ and dispatchers’ names, and make note of the guards’ lingo. This information is useful for social engineering. Knowing people’s names gives the appearance that you belong, and allows you to claim that a guard directed you to go into a restricted area. Saying “the guard told me to go here” will not be as effective as saying “Bill Smith told me to go here.” (Assuming, of course, that there is a guard named Bill Smith.) Peppering your conversations with guard and other organizational lingo will also give the appearance that you belong, and will help you gain the trust of people within the organization.

Tip

Regardless of whether or not you are using radios for reconnaissance of the target, a scanner tuned to police frequencies is great to have during any physical penetration test. Monitoring the police frequencies should allow you to quickly know if you have been detected, and the police have been summoned. This way, you can immediately call your point of contact at the target, and be prepared to meet the police. Of course, laws and regulations differ as to the legality of monitoring police frequencies, so be sure to consult legal counsel before monitoring police frequencies.

Monitoring Phone Calls

Keep in mind that legally monitoring telephone communications can be difficult, so prior to monitoring any telephone traffic, be sure that it is legal and that you have the proper authorization. Far more sensitive information is spoken over the phone than on two-way radios, and if you are able to capture telephone traffic you will likely learn a great deal about the operations of the target organization, including names, client information, and financial data. Credit card, banking information, social security, health information, and other highly sensitive information are commonly relayed by phone. Testing whether this traffic is secure should be a priority during a physical penetration test if within scope.

Note

Remember, criminals, by definition, do not follow the law. This means that they have tools and methods at their disposal that we, as professional security practitioners, do not. While there are many criminal methods that we cannot test without breaking the law ourselves, it is still of the utmost importance to understand the methods and techniques used by the criminals. Thinking like a criminal is often the best way to learn to defend against criminals.

For the penetration tester, being able to monitor the telephones at a help desk or call center can be the Holy Grail, especially if the help desk is involved in password resets. Gathering usernames and passwords as well as the names of people within the organization can make a penetration test fairly simple. Listening to help desk calls will give valuable insight into whether and how the help desk verifies the identity of the caller, as well as organization-specific technical terminology.

A DTMF decoder, described in more detail in Chapter 7, is a device that decodes the sound of telephone touch tones and displays them numerically. This is a great tool while monitoring telephone traffic, as it makes it easy to grab voicemail passwords. Additionally, some radio equipment uses DTMF codes to transmit coded messages.
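To show what a DTMF decoder actually does with the audio it hears, here is an added example (not code from the book or from any decoder product) that implements the standard approach: each key is the sum of one low-group and one high-group tone, and the Goertzel algorithm measures the energy at the eight possible tone frequencies in short blocks of audio. The sample rate (8 kHz), block size, energy threshold and tone/gap durations are assumptions chosen for the constructed test signal; the keypad frequencies are the standard ones.

```python
import math

# DTMF keypad: pressing a key sends one tone from the low group and one from
# the high group at the same time (frequencies in Hz, standard keypad layout).
LOW_FREQS = (697, 770, 852, 941)
HIGH_FREQS = (1209, 1336, 1477, 1633)
KEYPAD = ("123A", "456B", "789C", "*0#D")  # KEYPAD[low_index][high_index]

SAMPLE_RATE = 8000   # assumption: 8 kHz mono audio, the usual telephony rate
BLOCK = 205          # samples per analysis block (~25 ms), the classic DTMF Goertzel size
MIN_POWER = 50.0     # assumption: ignore blocks whose best tone is weaker than this
DOMINANCE = 5.0      # best tone must beat the runner-up in its group by this factor


def goertzel_power(samples, freq, sample_rate=SAMPLE_RATE):
    """Energy of `samples` at one target frequency (Goertzel recurrence)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / sample_rate)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2


def _dominant(samples, group):
    """Index of the strongest tone in `group`, or None if it is weak or ambiguous."""
    powers = [goertzel_power(samples, f) for f in group]
    ranked = sorted(range(len(group)), key=lambda i: powers[i], reverse=True)
    best, second = ranked[0], ranked[1]
    if powers[best] < MIN_POWER or powers[best] < DOMINANCE * powers[second]:
        return None
    return best


def classify_block(samples):
    """Key whose two tones dominate this block, or None for silence/noise."""
    low = _dominant(samples, LOW_FREQS)
    high = _dominant(samples, HIGH_FREQS)
    if low is None or high is None:
        return None
    return KEYPAD[low][high]


def decode_dtmf(samples):
    """Walk the audio in BLOCK-sized steps and emit each key once per press."""
    keys = []
    last = None
    for start in range(0, len(samples) - BLOCK + 1, BLOCK):
        key = classify_block(samples[start:start + BLOCK])
        if key is not None and key != last:
            keys.append(key)
        last = key          # a silent block resets this, so repeated keys are kept
    return "".join(keys)


def synthesize_dtmf(keys, tone_s=0.1, gap_s=0.06, amplitude=0.5):
    """Constructed test audio: each key as a two-tone burst followed by silence."""
    lookup = {KEYPAD[r][c]: (LOW_FREQS[r], HIGH_FREQS[c])
              for r in range(4) for c in range(4)}
    samples = [0.0] * int(gap_s * SAMPLE_RATE)
    for key in keys:
        lo, hi = lookup[key]
        for n in range(int(tone_s * SAMPLE_RATE)):
            t = n / SAMPLE_RATE
            samples.append(amplitude * (math.sin(2 * math.pi * lo * t)
                                        + math.sin(2 * math.pi * hi * t)))
        samples.extend([0.0] * int(gap_s * SAMPLE_RATE))
    return samples


if __name__ == "__main__":
    audio = synthesize_dtmf("1234#*")
    print(decode_dtmf(audio))   # 1234#*
```

The dominance check is what keeps the decoder from "hearing" digits in speech or noise: a genuine key press produces two clean peaks, one per group, whereas a voice spreads energy across several neighbouring frequencies and is rejected.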

Wireless Cameras

Wireless cameras are commonly found in areas where it would be difficult or expensive to run cables. Areas to look for wireless cameras include stairways, the parts of the parking lot furthest from the main building, and around the perimeter of a large property.

While the advantages of being able to capture the camera feed and view it are obvious, there is also a large amount of information that can be gathered by studying the cameras themselves. For fixed position cameras, it should be simple to determine what they are monitoring. A camera high on a light pole over a parking lot is there to provide a panoramic view, and a camera pointed towards a door is obviously monitoring that door.

Once you have gained access to the wireless camera feed, you will know what the guards can see. Note the camera coverage and look for blind spots to exploit during a physical penetration test.

Pan Tilt Zoom (PTZ) Cameras

PTZ cameras are becoming more common, and allow a user or program to physically move the camera remotely.

Follow the movement of the camera to determine if the camera is being controlled by a human or by software. If software is controlling the camera, you will see controlled and consistent movements, while if a human is controlling it, you will see more spontaneous movement. If the camera is being controlled by software, then it is possible that the camera feed is not being actively monitored. Conversely, if a human is controlling the camera it can almost be guaranteed that the image is being carefully watched.

View the feed at night to determine if the cameras are night vision capable, and also watch to see if there are any times of day that glare makes the camera useless. If there is a time when glare is affecting the camera, then that may be a good time to attempt physical penetration.

Note the focal length of the camera, and whether it has a wide- or narrow-angle lens. See if the image provides usable detail. It is not uncommon for cameras to be placed far enough from the target that they do not provide a great deal of information to the guard.

In general, cameras are a poor detective control. It is easy enough to lose focus while watching television, so imagine trying to pay attention while watching the feed from a bank of cameras focused on an empty parking lot. Cameras, however, are one of the best ways to determine what happened and gather evidence after a crime has occurred. As a preventative control, cameras can be useful as they may send an attacker on to a softer target.

Tip

While it is easy to zone out while watching camera feeds, there are many smart video systems on the market that detect movement or changes in the feed and alert a human, allowing them to investigate. As with all types of technology, smart video systems have also gotten cheaper. Being able to alert on motion is a feature now found in many low- to mid-level video systems.
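The motion alerting the tip describes is, at its simplest, frame differencing against a background reference. The following added example (not code from the book or from any video product) shows that logic on small constructed grayscale frames: a pixel counts as changed when it differs from the background by more than a threshold, an alert fires when enough of the frame has changed, and the background is a slow running average so gradual lighting drift does not trigger it. All thresholds and the frame contents are assumptions built for the demonstration.

```python
# Frame-differencing motion detector on constructed grayscale frames
# (lists of rows of 0-255 ints). Thresholds are illustrative assumptions.

class MotionDetector:
    def __init__(self, pixel_delta=25, min_fraction=0.02, adapt=0.1):
        self.pixel_delta = pixel_delta      # per-pixel change counted as "different"
        self.min_fraction = min_fraction    # share of pixels that must change to alert
        self.adapt = adapt                  # how fast the background follows the scene
        self.background = None              # running-average reference frame (floats)

    def changed_fraction(self, frame):
        """Fraction of pixels that differ from the background by more than pixel_delta."""
        total = changed = 0
        for bg_row, row in zip(self.background, frame):
            for bg, px in zip(bg_row, row):
                total += 1
                if abs(px - bg) > self.pixel_delta:
                    changed += 1
        return changed / total

    def update(self, frame):
        """Feed one frame; return (alert, changed_fraction)."""
        if self.background is None:
            # First frame becomes the reference; nothing to compare against yet.
            self.background = [[float(px) for px in row] for row in frame]
            return False, 0.0
        fraction = self.changed_fraction(frame)
        alert = fraction >= self.min_fraction
        # Blend the new frame into the background: slow drift (dusk, clouds) is
        # absorbed, while a newly arrived object stays "different" for several frames.
        a = self.adapt
        self.background = [[bg + a * (px - bg) for bg, px in zip(bg_row, row)]
                           for bg_row, row in zip(self.background, frame)]
        return alert, fraction


def make_frame(width=16, height=16, level=80):
    """Constructed uniform grayscale frame (an empty scene)."""
    return [[level] * width for _ in range(height)]


def paint_object(frame, x, y, size=4, level=200):
    """Copy of `frame` with a bright size x size block at (x, y): something entered the scene."""
    out = [row[:] for row in frame]
    for r in range(y, y + size):
        for c in range(x, x + size):
            out[r][c] = level
    return out


def run_sequence(frames, **kwargs):
    """Run a fresh detector over a frame sequence; return indices of frames that alerted."""
    det = MotionDetector(**kwargs)
    return [i for i, f in enumerate(frames) if det.update(f)[0]]


if __name__ == "__main__":
    empty = make_frame()
    arrival = [empty] * 5 + [paint_object(empty, 6, 6)] * 5
    print("object arrives:", run_sequence(arrival))                       # frames 5-9
    drift = [make_frame(level=80 + 2 * i) for i in range(30)]
    print("slow lighting drift:", run_sequence(drift))                    # no alerts
    lights_on = [empty] * 5 + [make_frame(level=140)] * 5
    print("sudden lighting change:", run_sequence(lights_on))             # false positive
```

The last sequence is the classic weakness of plain differencing: a sudden global change (lights switched on, a passing headlight) changes every pixel at once and alerts just like an intruder would. That is why the guard still has to look at the alerted feed, and why the tuning of these thresholds matters to how often they will.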
