Physical penetration testing (pentesting) is an effective way to verify the physical security of critical infrastructure facilities, including telecommunications cabinets, server rooms, and other outdoor equipment. In this case study, a team of experts combined industrial mountaineering skills with technical testing to assess the facility's security level.
This project included social, external, internal and physical testing. Part of the team handled the remote testing, while we focused on the physical pentest and the subsequent testing of the internal infrastructure.
It is worth noting that this work was performed by qualified penetration testers with practical experience in industrial mountaineering.
After drawing up a document for law enforcement agencies in case of emergencies (a special authorization from the Customer to carry out such work), my colleague and I conducted the initial reconnaissance.
During the reconnaissance phase, the team established:
- the location of the facility;
- the route to the "brains" of the control units (the purpose and approximate location of the outdoor cabinet were provided to us by the Customer);
- the type of locks on the protected perimeter (we studied the protective mechanisms used, on the websites of outdoor server cabinet manufacturers);
- possible security systems;
- the traffic of people, cars, law enforcement officers, etc.
After this stage, preparations for the actual work began:
- Equipment for working at height was prepared (the photo does not show everything that was used; the tools are described and pictured throughout the article).
- Equipment and gadgets were prepared.

The tested locks are similar to those that hang on doors and prevent intrusion into the protected perimeter.


During testing of a similar lock, it was found that opening it takes about 20 minutes under ideal conditions. The experts also determined that one opening method is to remove the protective metal ring with pliers, then remove the plates of the cylinder's combination mechanism, after which the lock can be opened with a regular flat screwdriver. Another method was used to save time, which will be discussed a little later.
- Emergency scenarios and methods of responding to them were developed (for this, an authorization letter from the Customer was requested, to be produced in case of detention).
- A GoPro was charged for photo/video recording (video for the Customer).
At 9:00 in the morning there was a general assembly in the office, where the team checked everything they needed, adjusted their equipment, and packed their backpacks. At 1:00 p.m. they arrived at the facility, where they first began working on the lock, since there was no other way to get in.

The principle of opening is simple: starting from the end, turn the plates until they stop, and as soon as the combination pattern is formed, a pin drops into the groove, which allows the cylinder to turn.
After 15 minutes in the cold, my hands stopped obeying me, and the idea of opening the semicircular lock with picks was abandoned. The second method was used, as shown in the pictures.

But it turned out not to be so easy to do in the field, given that the lock was of much higher quality than the one we had tested. Therefore, what follows is hardcore only, carried out exclusively by agreement with the Customer.
ATTENTION! THE ACTIONS DESCRIBED BELOW ARE GIVEN FOR INFORMATIONAL PURPOSES ONLY!
The structure of the lock was described above, where thin metal elements and plastic were found. Therefore, the idea arose to simply melt the padlock. Using special dry fuel (unfortunately, the thermite had run out), ignited remotely, it was possible to melt part of the lock, which can already be considered a small success.

After that, for a successful opening, my partner and I used a certified explosive charge (a firecracker) with a remote electric igniter.

As a result, the lock gave way (we had to tinker additionally with the mounting), and we entered the protected facility.

On the territory of the protected facility, a climb was made up a building about 40 meters high, using certain design features that allowed this to be done without special equipment. After that, two anchor points were installed for securing the ropes, which allowed my partner to climb safely to the roof of the building using a safety system.
Motion sensors installed on the roof of the building were triggered instantly. From that moment on, the reaction time clock was running.

Once on the roof of the facility, we began looking for cabinets with control systems.

The work took quite a long time, and standing on the roof was too suspicious and too cold.

Therefore, for further work, we installed a hardware backdoor based on a Raspberry Pi. The Raspberry Pi automatically connected to our portable Wi-Fi hotspot (a smartphone), as well as to our partner's laptop.
At this stage, the internal pentest was carried out, since no Port Security protection was detected. Scanning and attempts to exploit network services were performed.
After the work was completed, 40 minutes after the motion sensor was triggered, emergency vehicles were seen waiting for the team below. A Customer representative was nearby and resolved the issue with the responding officers ahead of schedule.
I would like to highlight key recommendations for companies that have telecommunications cabinets outdoors:
- Use alarms on each communication cabinet/electrical panel.
- Use more reliable locks.
- Mandatory protection of ports on switches and servers, both in software (Port Security) and physically.
- Develop in-house Information Security departments or use outsourced SOC services.
- Regularly conduct similar exercises to raise the level of security and speed up the response of physical security services.
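As an added example that is not part of the original write-up, the following Python script shows the kind of detection logic a SOC could run over switch syslog to catch the situation described above: a rogue device plugged into a port of a rooftop cabinet on a switch without Port Security, correlated with the physical motion alarm so that the alert is escalated while the response clock is still running. The Cisco IOS-style message formats (`%LINK-3-UPDOWN`, `%PORT_SECURITY-2-PSECURE_VIOLATION`) are real; the hostnames, the unused-port baseline, the alarm-panel log format, the correlation window and every log line are constructed assumptions.

```python
"""Detect rogue-device activity on an outdoor/rooftop switch from syslog.

Added example, not part of the original case study. Assumes Cisco IOS-style
syslog messages and a hypothetical physical-security panel that also logs to
syslog. All sample lines and names below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Ports that should never come up (unused ports are expected to be shut down).
# Hypothetical baseline; in practice generated from switch configs or a CMDB.
BASELINE_UNUSED_PORTS = {"sw-roof-01": {"GigabitEthernet0/7", "GigabitEthernet0/8"}}

# A network event this soon after a physical alarm is treated as correlated.
CORRELATION_WINDOW = timedelta(minutes=60)

# Constructed sample: a motion alarm, then a link-up and a port-security
# violation on an unused rooftop port, then a benign link-up on a core switch.
SAMPLE_LOG = """\
Mar 12 13:30:15 alarm-panel-02 physec: motion detected zone=ROOF-NE sensor=PIR-07
Mar 12 13:41:02 sw-roof-01 1234: %LINK-3-UPDOWN: Interface GigabitEthernet0/7, changed state to up
Mar 12 13:41:09 sw-roof-01 1236: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address b827.eb11.2233 on port GigabitEthernet0/7.
Mar 12 13:42:00 sw-core-01 5678: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to up
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?:\d+:\s+)?(?P<msg>.*)$"
)
LINK_UP_RE = re.compile(r"%LINK-3-UPDOWN: Interface (\S+), changed state to up")
PSEC_RE = re.compile(r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*MAC address (\S+) on port (\S+)\.")
MOTION_RE = re.compile(r"motion detected zone=(\S+)")  # hypothetical panel format


@dataclass
class Alert:
    severity: str
    host: str
    when: datetime
    reason: str
    correlated_alarm: Optional[str] = None


def parse_ts(ts: str, year: int = 2024) -> datetime:
    # BSD syslog timestamps carry no year; a fixed one is assumed for the sample.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def analyze(log_text: str) -> list[Alert]:
    """Return alerts for link-ups on baseline-unused ports and port-security
    violations, escalating to 'critical' when a physical alarm preceded them."""
    alerts: list[Alert] = []
    recent_alarms: list[tuple[datetime, str]] = []

    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a syslog line in the expected shape; ignore
        when = parse_ts(m["ts"])
        host, msg = m["host"], m["msg"]

        mm = MOTION_RE.search(msg)
        if mm:
            recent_alarms.append((when, f"{host}:{mm.group(1)}"))
            continue

        severity = reason = None
        lm = LINK_UP_RE.search(msg)
        pm = PSEC_RE.search(msg)
        if lm:
            iface = lm.group(1)
            if iface in BASELINE_UNUSED_PORTS.get(host, set()):
                severity, reason = "high", f"link up on baseline-unused port {iface}"
        elif pm:
            mac, iface = pm.groups()
            severity, reason = "critical", f"port-security violation by {mac} on {iface}"
        if reason is None:
            continue

        # Most recent physical alarm within the window, if any.
        correlated = next(
            (label for t, label in reversed(recent_alarms)
             if timedelta(0) <= when - t <= CORRELATION_WINDOW),
            None,
        )
        if correlated and severity == "high":
            severity = "critical"  # physical alarm + network change: escalate
        alerts.append(Alert(severity, host, when, reason, correlated))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"[{a.severity}] {a.when:%H:%M:%S} {a.host}: {a.reason}"
              + (f" (after alarm {a.correlated_alarm})" if a.correlated_alarm else ""))
```

Run on the constructed sample, the script raises two critical alerts for the rooftop switch and none for the core switch, which is the signal that would have let a SOC dispatch a response well inside the 40 minutes the team had. The same logic only works if unused ports are actually administratively down and Port Security is configured, which is what the recommendation above asks for.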