Somewhere I Belong Part 3

Credits: HopScotch

The theory and practice of social engineering

Part 3: A Breath of Fresh Air

Physical penetration testing is breath of fresh air in the red teaming space as a way to get out of our normal desk space and let us really play the part of a spy. They are my favorite form of test and I hope everyone reading will get a chance one day to do their own physical pentest. This post will be a short story of a physical pentest I performed the other day with some lessons learned sprinked through. The client’s name will not be revealed due to NDA and certain steps may be only discussed at a high level.

The Setup

My client requested myself and one other tester fly to their headquarters and perform as much social engineering and physical pentesting as we can. They had a conference going on at the same time at a hotel close by and performing social engineering there was in scope as well as long as we did not interrupt any on going presentations. We had 2.5 days to perform our tasks and presented and went home on the final day.

Some key areas the client wanted focus on was:

This was a large order for little time as we were only authorized for 45 hours worth a labor. We performed OSINT on the client to see if there was any low hanging fruit, good pretext for phishing/smishing and we discovered their Citrix site with a domain similar to Setup began one week before travel and was performed in AWS EC2/Route 53. We stood up a new EC2 instance and purchased a domain similiar to “”, notice the “.” before login and clientName is missing. We then used Evilginx2 as a psuedo phishing page as it allowed us to capture session cookies as well as credentials and saved us the work of having to mirror the Citrix login page in HTML/CSS. After the custom phishlet was made, we used a free QR code site to create malicious QR codes for Quishing. These were printed as stickers to mark around HQ and the conference. After discussion with my partner, we agreed a fake raffle would be the best way to collect emails and phone numbers for other social engineering attacks.

This leads to lesson 1, come into your engagement prepared so the on keyboard team can perform work the second a user takes the bait. Time was short during the engagement so this prep was crucial.

Day 0.5

We arrived at our hotel. My teammate arrived approximately 2 hours before me and fried our Proxmark, a tool to copy RFID signals, which left us unable to clone any sort of badge. While repairs were being attempted to it, I decided to war drive their campus, or walk around with my phone out and see what their WiFi was, and discovered all of their WiFi was WPA2 with EAP except their guest network which was open. After recording their ESSIDs and type, I grabbed a burger at a local restaurant and attempted to grab a few photos of employee badges to fake but all my attempts were unsuccessful. I went back to the hotel and began setting up a Wifi Pinapple Mark vii. We set their ComPanyGuest network up as a Evil Twin as an Open Network and attempted to setup an Evil Twin Network that would perform an EAP Replay to their main network or attempt to crack their RADIUS credential as most companies use Active Directory as a RADIUS auth server. We attempted to get some more badge photos and failed but have a general idea of design. I went back to the hotel and created a template of the badge and just had to fill in some small text at the bottom.

Lesson 2 is expect for all of your equipment to break. Our Proxmark had set us way back in our testing timeline back and badge photos had gone awful this day which caused a busy day 1 that I will go over now.

Day 1.

After a quick breakfast, my teammate and I split up to perform our tasks. I set up our Evil Twin/ Rogue Access Points at the nearby conference hoping to snag a connection via a Peferred Network List(PNL) connection which is essentially a phone recognizing a WiFi name and automatically trying to connect to it. It was surprisingly easy to set up under a desk as nobody was out in the lobby watching and the hotel staff did not seem to care I was plugging things in. From my teammates perspective, he had to go and print out our raffle poster and pick up supplies for our fake raffle to set up but due to supply chain issues, Fedex required a 3 day notice for printing poster board so we went with a garbage looking piece of paper and notebook next to a fishbowl or as we called it a “phish bowl”. I got a few good guest network connections but due to TLS, I couldn’t get anything important. My suspicion with Active Directory was correct as we got some hashes being sent that I sent off to our on keyboard team so they can run it through our cracking rig. The credentials were cracked in under 5 minutes. I had managed to get us a picture of a badge but it was clipped to a gentleman’s belt as he was in a bathroom stall and another on a woman’s dress. I was getting very sloppy with stealthy photos and was getting some glares by folks so we left the conference area for lunch and to stalk their HQ. We managed to get another clearer picture in the HQ elevator and tailgated into the building. I helped myself to a bottle of water in their kitchen and we left. My teammate went back to the hotel to print badges for us while I went to collect the phish bowl and it was gone. After looking around I overheard the event coordinator talking to someone about it being suspicious and heard they moved it inside a hotel room inside a box so I went to steal it. No one seemed to say anything as the conference hotel staff didn’t seem to care at all. We had collected approximately 38 names, emails, and cell phone numbers before it was moved. We sent the information to our on keyboard team to send out the evilginx2 phishing link using Amazon SMS and AWS Simple Email Service. The day was over and we grabbed the pineapple and went to dinner. This was my first down time all trip so I started working on the presentation.

Lesson 3 is to act natural and act like you belong. My teammate and I were in a lot of spaces we should not have been today but since we were not acting suspicous and were dressed similarly to everyone else, we didn’t arise suspicion at all. This let us tailgate in a building and do a lot more than we should have been able to do at the conference setting up equipment and the phish bowl even though the phish bowl was burned in the second half of the afternoon.

Day 2

A replacment Proxmark had finally come in that morning after breakfast so it was finally time to badge clone. After a very nice breakfast, we spent the remainder of the afternoon trying to get a valid badge read. This was a lot harder than it should have been as we only had about a foot to a foot and a half of distance for the read. We rode the HQ elevator for about an hour without a good hit and I bumped into a lot of people at the conference trying to get a valid read. I even tried the bathroom stall approach again where I attempted to catch someone with their pants down literally. I got uncomfortably close to a guy washing his hands and almost got into a physical altercation but talked my way out of it. I eventually got a valid read on an escalator while my teammate distributed the QR code stickers inside of conference rooms during a break and at HQ. He went to work on creating us badges while I managed the Evilginx2 console. We finished the test with 23 credentials harvested through either Smishing/ phishing, or Quishing with a valid session cookie, username, and password. We grabbed some lunch and took a stroll with our fake badges in their main HQ and surprised the CISO at her office. She was happy and freaked out to see us and complimented our badge accuracy. We wrapped up by finishing and rehursing the day 3 presentation.

Lesson 4, don’t get within a foot of a guy while he washes his hands in a restroom, he will try to fight you. Okay, the serious lesson is don’t be afraid to get on top of people. A simple “excuse me” goes a long way with getting uncomfortably close. Elevators, escalators, and bathrooms make prime areas for badge cloning as well as hallway entrances or exits.

Day 3

We woke up, checked out of the hotel and went over to the conference to give the final talk of the day. The video of us badging into their HQ made everyone gasp and scared which really helped drive the message across. The presentation went amazing and my teammate was pretty happy with the end product.
We went home with the client praising us and secured a retest the following year.

Tips and take aways for phyiscal pentesting

This has been a walkthrough in an out there physical pentest. I hope everyone learned something valuable and keep on studying.