Learn Ethical Hacking (#47) - Physical Security and OSINT - The Forgotten Attack Vectors

What will I learn

  • Physical security assessments -- what a red team evaluates when testing a building, not just a network;
  • Lock picking and bypass -- how physical locks work, common bypass techniques, and why locks keep honest people out;
  • Badge cloning -- RFID/NFC access card technology and how cards are cloned with inexpensive hardware;
  • OSINT (Open Source Intelligence) -- systematically gathering intelligence from public sources;
  • Social media OSINT -- extracting targeting data from LinkedIn, Twitter, Instagram, and corporate websites;
  • Google dorking -- advanced search operators to find exposed documents, credentials, and infrastructure;
  • Maltego and SpiderFoot -- OSINT automation frameworks for building target profiles;
  • Defense: defense in depth for physical security, OSINT awareness, digital footprint reduction.

Requirements

  • A working modern computer running macOS, Windows or Ubuntu;
  • A practice lock and pick set (optional, for hands-on lock picking);
  • Understanding of reconnaissance from Episode 4;
  • The ambition to learn ethical hacking and security research.

Difficulty

  • Intermediate

Curriculum (of the Learn Ethical Hacking Series):

Learn Ethical Hacking (#47) - Physical Security and OSINT - The Forgotten Attack Vectors

Solutions to Episode 46 Exercises

Exercise 1: Vishing pretext design.

Character: IT helpdesk contractor "David Martinez" (employee ID 5523)
Company context: OSINT reveals company uses Microsoft 365,
  recently announced a "security upgrade initiative" on LinkedIn.
  Target: accounts payable clerk identified via LinkedIn.

Script:
"Hi [name], this is David from Contoso IT support, employee 5523.
I'm calling about the Microsoft 365 security upgrade that was
announced last week -- you may have seen the email from [real CIO name].
We're migrating everyone to the new authentication system today
and I'm calling your department to help with the transition.
Can you confirm you're currently able to log into your email?"

[If yes]: "Perfect. The migration tool needs your current password
to sync your account to the new system. This is a one-time process
and your password will be reset automatically afterward."

[If suspicious]: "Completely understand your caution -- that's
actually great security awareness. You can verify me by calling
the IT helpdesk at [real number] and asking for David in the
migration team. I'll wait."
(Bet: most people will not actually call to verify.)

Why this pretext works:
- Authority: claims IT department, provides employee ID
- Context: references real company initiative (from LinkedIn OSINT)
- Name-dropping: uses real CIO name (found on company website)
- Urgency: "today" and "migration" imply a deadline
- Legitimacy bail-out: offers verification path that most won't use

The critical detail in this pretext is the verification bail-out. Offering to let the target verify you creates a paradox -- the very act of offering verification makes you seem more trustworthy, which means the target is LESS likely to actually verify. A scammer would never invite scrutiny, right? Except this one just did.

Exercise 2: BEC case studies.

Case 1: Ubiquiti Networks (2015) -- $46.7M stolen
  Pretext: emails impersonating executives to finance staff
  requesting wire transfers to overseas accounts
  Primary lever: authority (appeared to come from CEO)
  Prevention: verbal verification on a known phone number
  for any transfer above a fixed threshold

Case 2: Toyota Boshoku (2019) -- $37M stolen
  Pretext: fraudulent wire transfer instructions purporting
  to come from a business partner
  Primary lever: authority + urgency (time-sensitive deal closing)
  Prevention: dual-approval for large transfers, out-of-band
  verification of any change to banking details

Case 3: City of Ocala, Florida (2019) -- $742K stolen
  Pretext: spoofed email from construction vendor with new
  bank account details for an ongoing project payment
  Primary lever: social proof (real project, real vendor name,
  real invoice structure -- everything matched except the
  bank account number)
  Prevention: mandatory phone verification of bank detail
  changes via a separately stored, known phone number

All three cases share the same structural weakness: a single person could authorize a large financial transfer based solely on email communication. The fix in every case is the same -- out-of-band verification through a channel the attacker does not control. Phone call to a known number, not the number in the email. In-person confirmation. A second approver who independently verifies.

Exercise 3: Security program evaluation framework.

Scoring (example mid-size organization):
  Training frequency:    2/5 (annual compliance module + quarterly
                              newsletter that nobody reads)
  MFA type:             3/5 (app-based TOTP for all employees)
  Process controls:     2/5 (informal verbal check for transfers,
                              not consistently enforced)
  Security champions:   1/5 (no program exists)
  Total:                8/20

Highest-impact single improvement: deploy FIDO2 hardware keys
for the finance team (moves MFA score from 3 to 5 for the
highest-value targets, eliminates the primary phishing risk
for wire transfer fraud). Cost: ~$50/key x 15 finance staff
= $750 one-time. ROI: prevents the next BEC attempt from
succeeding. Compare to $46.7M (Ubiquiti) or $37M (Toyota).

Second-highest impact: implement mandatory dual-approval with
out-of-band verification for any transfer above $5,000.
Process control moves from 2/5 to 4/5. Cost: zero dollars.
Just a policy change.

The scoring framework makes something obvious that gets lost in security discussions: the cheapest improvements often have the highest impact. $750 worth of hardware keys. A free policy change requiring phone verification. These are not multi-million-dollar enterprise security platforms -- they're basic operational controls that most organizations still haven't implemented, even after being breached.


Learn Ethical Hacking (#47) - Physical Security and OSINT - The Forgotten Attack Vectors

Episode 46 covered the human factor -- why security awareness training consistently fails to change behavior despite billions spent on it annually. We went through the cognitive biases that attackers exploit (authority, urgency, social proof, reciprocity, liking, consistency -- all from Cialdini's framework), pretexting and full-character construction for targeted social engineering, vishing as the most underrated attack vector that bypasses every email security control, tailgating and physical social engineering scenarios with terrifyingly high success rates, and what actually works instead of training -- phishing-resistant MFA (FIDO2 hardware keys that Google deployed to 85,000+ employees with zero subsequent phishing successes), just-in-time training, security champions programs, process controls, and behavioral nudges that make the secure path the default path.

The core takeaway was uncomfortable but honest: humans cannot be patched. The biases that make social engineering work are features of human cognition, not bugs. The only defenses that actually work are the ones that remove humans from the critical decision -- hardware keys that refuse to authenticate on phishing domains, process controls that require out-of-band verification, systems designed so the secure behavior is the easy behavior.

Today we step outside the building (metaphorically) and then come back in (literally).

Here we go.

The World Beyond the Screen

For 46 episodes, every attack we've discussed has been digital. Terminals, browsers, packets, payloads, exploits, configuration files. And there's a good reason for that -- most of modern security IS digital. But there's an entire category of attacks that vulnerability scanners will never find, that firewalls will never block, and that intrusion detection systems will never alert on. The kind where someone walks up to a door, picks the lock, clones a badge in the elevator, and plugs a rogue device into the network before anyone notices.

Physical security and OSINT (Open Source Intelligence) are what I call the forgotten attack vectors -- not because they're rare, but because organizations consistently underinvest in them. The company that spends $2 million on a next-gen firewall cluster and $500,000 on endpoint detection still has a $12/hour security guard at the front desk and badge readers from 2015 that use unencrypted 125kHz cards. The company that runs monthly phishing simulations and quarterly penetration tests has never once tested whether someone could tailgate through the parking garage door.

The disconnect is staggering. And real attackers -- the ones who actually want to get in -- know it.

Physical Security Assessment -- What Red Teams Actually Test

A physical security assessment evaluates the controls that protect a building, a data center, a campus -- the physical infrastructure that ultimately houses all the digital assets we've been attacking for 46 episodes. Because here's the thing: if someone can walk into your server room, every firewall rule, every encryption scheme, every access control list is irrelevant. They have physical access. Game over.

Lock Picking -- Why Locks Keep Honest People Out

Every physical security assessment starts at the door. And most doors have surprisingly weak locks ;-)

Pin tumbler locks (the standard lock on most commercial doors):
  - 5-6 pins of varying heights inside a cylindrical housing
  - The correct key lifts all pins to the shear line simultaneously
  - Turning force can only rotate the cylinder when ALL pins align
  - Pick attack: insert a tension wrench (slight rotational pressure),
    then use a pick to set pins one at a time
  - Tolerances in cheap locks mean pins "click" into place individually
  - Average time to pick a standard Kwikset: 30-60 seconds
  - Average time to pick a Schlage: 2-5 minutes
  - Average time to pick a Medeco or Abloy: 5-30 minutes (if at all)

Bypass techniques (often faster than picking):
  - Bump keys: specially cut keys + sharp impact = all pins jump to
    shear line simultaneously. Works on 90%+ of consumer pin tumblers.
    A $15 bump key set from Amazon covers most common keyways.
  - Shim attacks: thin metal strip inserted between padlock shackle
    and locking mechanism to depress the latch
  - Under-door tools: rigid wire or hook tool slid under the door gap
    to pull interior lever handles from outside
  - Latch slipping: credit card or shim to push a spring latch back
    into the door frame (only works on spring latches, not deadbolts)
  - Hinge removal: many doors have exposed hinge pins on the
    OUTSIDE (attack side) -- remove the pins, lift the door off

The lesson here is fundamental: locks are a deterrent, not a barrier. A determined person with a $30 pick set from Amazon and a weekend of practice on a transparent training lock can open most commercial door locks. I keep a practice lock on my desk (one of those clear acrylic ones where you can see the pins). It's a great conversation starter and a humbling reminder of how thin the margin is between "locked" and "not locked."

Physical security depends on layers -- locks PLUS cameras PLUS alarms PLUS access control cards PLUS physical security staff PLUS intrusion detection. Any single layer is bypassable. The question is whether an attacker can bypass ALL of them before being detected.

Badge Cloning -- Your Building Access Card Is Not Secure

Most office buildings use RFID or NFC access cards. The two most common types are 125kHz HID ProxCard (the old standard, still everywhere) and 13.56MHz MIFARE cards (the newer standard, also broken). Both can be cloned:

# 125kHz HID ProxCard cloning
# Hardware: Proxmark3 (~$300) or cheaper dedicated cloners (~$50)

# Step 1: Read the card
# Just stand near someone wearing their badge (read range: 1-3 feet)
proxmark3> lf hid read
# Output: HID Prox TAG ID: 2006ec0c44

# Step 2: Write to a blank T5577 card ($2-5 each)
proxmark3> lf hid clone --raw 2006ec0c44
# Done. Working copy of their badge.

# The scary part:
# - Read range is 1-3 feet for standard readers
# - Long-range readers (built into a backpack or bag) extend to 3+ feet
# - The target never knows -- no beep, no vibration, no notification
# - Stand behind someone in an elevator or coffee shop
# - Their badge is on a lanyard or clipped to their belt
# - Your reader is in your bag
# - 5 seconds of proximity is enough

# 13.56MHz MIFARE Classic cloning
# MIFARE Classic uses the Crypto-1 cipher -- broken since 2008
# The cipher was reverse-engineered by Karsten Nohl and colleagues
# Every MIFARE Classic card is now trivially crackable

proxmark3> hf mf autopwn
# Runs known attacks against Crypto-1 (darkside, nested, hardnested)
# Dumps all sectors including access credentials
# Typical crack time: 30 seconds to 3 minutes

# MIFARE DESFire and MIFARE Plus (newer cards) use AES encryption
# These are NOT trivially cloneable -- but many organizations
# still use MIFARE Classic because replacing card infrastructure
# is expensive and the procurement department doesn't know the
# difference between "MIFARE" and "MIFARE Classic"

Badge technology security comparison:

  125kHz HID ProxCard:    NO encryption. Trivial clone. $50 cloner.
  MIFARE Classic:         Crypto-1 (broken 2008). Easy clone. $300 Proxmark.
  MIFARE DESFire EV2/3:   AES-128. Not cloneable with current tools.
  HID iCLASS SE:          AES + secure key storage. Strong.
  SEOS (HID):             PKI-based. Strongest commercial option.

  Estimated percentage of buildings still using cloneable cards:
  65-80% (industry surveys vary, but the majority have NOT upgraded)

The business reality is depressing. Organizations know their cards are cloneable. The Proxmark3 has been publicly available for over a decade. The MIFARE Classic attacks were published in 2008. But replacing an access control system across a multi-building campus costs hundreds of thousands of dollars, and the procurement cycle takes 18-24 months, and the old system "still works" in the sense that honest employees still tap their badges and the doors still open. So the upgrade gets deferred. Again. And again.
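
To make the "NO encryption" line in the table concrete, here is an added example (not code from the original post) that encodes and decodes the standard 26-bit H10301 frame a 125kHz HID Prox reader passes to the door controller. The facility code and card number below are constructed values; the point is that those 24 bits plus two parity bits are the entire credential, so reading them is the same as holding the card.

```python
# Added example (not code from the original post): what a 125kHz HID Prox
# reader actually hands to the door controller. On a standard 26-bit H10301
# card the whole "credential" is an 8-bit facility code and a 16-bit card
# number wrapped in two parity bits. No key, no challenge-response: whoever
# reads the bits has everything the controller checks. Values are constructed.


def encode_h10301(facility_code: int, card_number: int) -> int:
    """Build the 26-bit frame: EP | FC (8 bits) | CN (16 bits) | OP."""
    if not 0 <= facility_code <= 0xFF or not 0 <= card_number <= 0xFFFF:
        raise ValueError("facility code is 8 bits, card number is 16 bits")
    data = (facility_code << 16) | card_number  # the 24 data bits
    first12 = data >> 12                        # bits covered by the even parity bit
    last12 = data & 0xFFF                       # bits covered by the odd parity bit
    ep = bin(first12).count("1") & 1            # make the first 13 bits even
    op = 1 - (bin(last12).count("1") & 1)       # make the last 13 bits odd
    return (ep << 25) | (data << 1) | op


def decode_h10301(frame: int) -> tuple:
    """Split a 26-bit frame into (facility_code, card_number, parity_ok).

    parity_ok is False when either parity bit disagrees with the data, which
    is the only integrity check a Prox reader performs."""
    if frame >> 26:
        raise ValueError("expected a 26-bit value (strip any format sentinel bits)")
    ep = (frame >> 25) & 1
    op = frame & 1
    data = (frame >> 1) & 0xFFFFFF
    ep_ok = (bin(data >> 12).count("1") + ep) % 2 == 0
    op_ok = (bin(data & 0xFFF).count("1") + op) % 2 == 1
    return data >> 16, data & 0xFFFF, ep_ok and op_ok


def describe_frame(frame: int) -> str:
    """Human-readable summary, e.g. for a badge-reader log review."""
    fc, cn, ok = decode_h10301(frame)
    state = "parity ok" if ok else "PARITY MISMATCH"
    return f"H10301 frame 0x{frame:07x}: FC={fc} CN={cn} ({state})"


if __name__ == "__main__":
    frame = encode_h10301(52, 12345)      # constructed facility code / card number
    print(describe_frame(frame))          # the reader sees exactly these 26 bits
    print(describe_frame(frame ^ 0x8))    # one flipped data bit: parity catches it
```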

USB Drop Attacks

Simple, cheap, and disturbingly effective:

The "lost USB drive" attack:
  Leave USB drives in high-traffic areas:
  - Parking lot (near employee entrance)
  - Lobby or reception area
  - Kitchen or break room
  - Bathroom
  - Conference rooms after meetings

Label them with something irresistible:
  - "Q4 Salary Review - CONFIDENTIAL"
  - "Layoff List - DO NOT DISTRIBUTE"
  - "Board Meeting Minutes"
  - "Executive Compensation 2026"

The USB contains one of:
  Option 1: Rubber Ducky payload (keystroke injection)
    - Device emulates a keyboard, not a storage device
    - Types pre-programmed commands at machine speed
    - Downloads and executes a reverse shell in 3-5 seconds
    - The victim sees a brief command prompt flash

  Option 2: Booby-trapped documents
    - Excel file with malicious macros
    - PDF with embedded JavaScript exploit
    - Word document with template injection

  Option 3: Credential harvesting
    - Fake "encrypted" drive that asks for corporate credentials
      to "unlock the confidential files"
    - Credentials sent to attacker's server
    - Target sees a convincing "decryption failed" error

Red team statistics on USB drop success:
  - 45-60% of people who FIND a USB drive will plug it in
  - Success rate increases with provocative labeling
  - Success rate is HIGHEST in parking lots (people assume
    a colleague dropped it, want to return it)
  - Even security-trained employees plug them in -- "I just
    want to see whose it is so I can return it"

The Department of Homeland Security did a controlled study in 2011: they scattered USB drives in government and contractor parking lots. 60% were plugged into computers. When the USB drives had official-looking logos on them, the success rate jumped to 90%. Fifteen years later, the success rates in red team engagements haven't changed significantly. Training tells people "don't plug in unknown USB drives." Curiosity says otherwise.

Tailgating -- Getting Through Doors With a Smile

We covered tailgating briefly in episode 46 as part of physical social engineering. It deserves more attention because it's the single most reliable physical access technique:

Tailgating scenarios that work consistently:

1. The delivery person
   Props: large box with company logo (printed at copy shop, $3),
   polo shirt in neutral color, clipboard
   Technique: approach a badge-access door while someone is
   entering. Struggle visibly with the box. Someone WILL hold
   the door. Nobody questions a delivery person.
   Success rate in red team engagements: 85-95%

2. The smoker
   Technique: stand outside near the smoking area. Chat with
   employees for 10 minutes. Walk back in with them.
   No badge needed -- you're now "with the group."
   Social bonds formed in 10 minutes of shared cigarette
   breaks create implicit trust. Nobody badges in a person
   they just spent 10 minutes talking to about football.
   Success rate: 90%+

3. The IT emergency
   Props: laptop bag, slightly stressed facial expression
   Script: "Hey, server room emergency -- monitoring is going
   crazy and I need to check the UPS. Can you badge me in?
   My badge is in my other jacket."
   Nobody wants to be the person who delayed a fix during a
   production outage.
   Success rate: 70-80%

4. The new employee
   Script: "Hi, I'm starting in engineering next week. HR
   said I should come by today to pick up my laptop and badge.
   Could you let me in? I'll find HR from here."
   Props: folder with printed papers (looks like onboarding docs)
   Everyone remembers their own awkward first day. Nobody wants
   to be rude to the new person.
   Success rate: 75-85%

The common thread: every scenario exploits social politeness. Humans are wired to be helpful. Holding a door open for someone carrying a heavy box isn't a security failure -- it's basic decency. The problem is that security policies and social norms are in direct conflict, and social norms almost always win. You can train people a hundred times to "challenge unbadged individuals." In the moment, when someone is struggling with a box and makes eye contact, training evaporates.

Rogue Device Deployment

Once inside, the attacker's goal is persistent access. Physical access to the internal network is gold:

Rogue device options:

1. Raspberry Pi Zero W (~$15)
   - Size of a credit card, easily hidden
   - Configure with WiFi to call home over cellular or
     tunnel through corporate network
   - Plug into an unused network port behind a printer,
     under a desk, or in a wiring closet
   - Runs 24/7 off USB power from the network switch or
     a wall adapter
   - Pre-configured with: SSH reverse tunnel, nmap, responder
     (for credential capture), packet capture

2. LAN Turtle (~$60)
   - USB Ethernet adapter form factor -- looks like a dongle
   - Plug it between a workstation and the network cable
   - Man-in-the-middle position on the physical network
   - Built-in tools: packet sniffing, DNS spoofing,
     credential harvesting

3. WiFi Pineapple (~$100)
   - Rogue access point that impersonates corporate WiFi
   - Employees connect thinking it's the real network
   - All traffic flows through the attacker's device
   - SSL stripping, credential interception, session hijacking

Detection difficulty: these devices are TINY. A Raspberry Pi
Zero hidden behind a monitor or inside a cable management panel
can run for months without being discovered. Most organizations
do not inventory their network ports or run regular checks for
unauthorized devices.
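
The detection gap described above is closable with a routine the page does not show, so here is an added example (my code, not the author's): reconcile a switch's learned MAC addresses against an asset inventory. The MAC table, inventory and asset names are constructed; the Raspberry Pi vendor prefixes are real, well-known OUIs, and the "two MACs behind one access port" check is the LAN Turtle inline-dongle pattern.

```python
import re

# Constructed sample: "show mac address-table" from one access switch. The
# b8:27:eb and dc:a6:32 prefixes are Raspberry Pi vendor prefixes; the rest are
# made up. Two devices on Gi1/0/12 is the LAN Turtle pattern (inline dongle).
SWITCH_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0050.56ab.1234    DYNAMIC     Gi1/0/1
  10    b827.eb12.3456    DYNAMIC     Gi1/0/7
  20    0050.56ab.9999    DYNAMIC     Gi1/0/12
  20    dca6.3200.0042    DYNAMIC     Gi1/0/12
  30    0200.1122.3344    DYNAMIC     Gi1/0/20
"""

# Constructed asset inventory: normalised MAC -> asset name
INVENTORY = {
    "00:50:56:ab:12:34": "ws-finance-01",
    "00:50:56:ab:99:99": "ws-eng-07",
}

# OUIs registered to the Raspberry Pi Foundation / Raspberry Pi Trading
# (well known, list not exhaustive). A Pi Zero W ships with b8:27:eb.
RASPBERRY_PI_OUIS = {"b8:27:eb", "dc:a6:32", "e4:5f:01"}

CISCO_MAC_RE = re.compile(r"\b([0-9a-f]{4})\.([0-9a-f]{4})\.([0-9a-f]{4})\b", re.IGNORECASE)


def normalize_mac(cisco_mac: str) -> str:
    """'b827.eb12.3456' -> 'b8:27:eb:12:34:56'."""
    digits = cisco_mac.replace(".", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text: str) -> list:
    """Return (vlan, mac, port) tuples, skipping header and separator lines."""
    entries = []
    for line in text.splitlines():
        match = CISCO_MAC_RE.search(line)
        if not match:
            continue
        fields = line.split()
        entries.append((fields[0], normalize_mac(match.group(0)), fields[-1]))
    return entries


def find_rogue_candidates(mac_table: str, inventory: dict) -> list:
    """Flag every learned MAC that is not in the inventory, escalating when it
    carries a Raspberry Pi OUI or sits on the same port as an inventoried
    asset (a device plugged in between the workstation and the wall jack)."""
    entries = parse_mac_table(mac_table)
    known_on_port = {}
    for _vlan, mac, port in entries:
        if mac in inventory:
            known_on_port.setdefault(port, []).append(inventory[mac])
    alerts = []
    for vlan, mac, port in entries:
        if mac in inventory:
            continue
        reasons = ["MAC not in asset inventory"]
        if mac[:8] in RASPBERRY_PI_OUIS:
            reasons.append("Raspberry Pi vendor prefix")
        for asset in known_on_port.get(port, []):
            reasons.append(f"shares port {port} with {asset}")
        alerts.append({
            "vlan": vlan, "mac": mac, "port": port,
            "severity": "high" if len(reasons) > 1 else "medium",
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_rogue_candidates(SWITCH_MAC_TABLE, INVENTORY):
        print(alert["severity"].upper(), alert["port"], alert["mac"],
              "; ".join(alert["reasons"]))
```

Run it from a scheduled job against the real MAC table export and the real CMDB; 802.1X or port security makes the inline-dongle case much harder in the first place, but this reconciliation still catches the printer-corner port nobody looks at.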

OSINT -- Open Source Intelligence

OSINT is the art of extracting useful intelligence from publicly available sources. No hacking required -- no credentials, no exploits, no unauthorized access. Everything is out there, published willingly by the targets themselves or by organizations that never considered who else might be looking.

We touched on reconnaissance in episode 4, but OSINT goes much deeper. Episode 4 was about discovering infrastructure -- subdomains, IP ranges, open ports. OSINT is about discovering people, relationships, processes, and organizational structure. The kind of intelligence that turns a generic phishing email into a surgically targeted pretext.

Google Dorking -- Advanced Search Operators

Google indexes far more than most organizations realize. Configuration files, internal documents, backup databases, forgotten admin panels -- all sitting on public-facing web servers, indexed by Google, waiting to be found:

# Find exposed documents on a target domain
site:target.com filetype:pdf
site:target.com filetype:xlsx "confidential"
site:target.com filetype:docx "password"
site:target.com filetype:pptx "internal use only"

# Find exposed directory listings
intitle:"index of" site:target.com
intitle:"index of" "parent directory" site:target.com

# Find login pages and admin panels
site:target.com inurl:login OR inurl:admin OR inurl:portal
site:target.com inurl:dashboard OR inurl:console

# Find configuration files
site:target.com filetype:env OR filetype:ini OR filetype:conf
site:target.com filetype:xml "password"
site:target.com filetype:yml "api_key" OR "secret"

# Find exposed databases and backups
site:target.com filetype:sql
site:target.com filetype:bak
site:target.com filetype:db

# Find technology stack information
site:target.com "powered by" OR "built with" OR "running on"
site:target.com filetype:txt "server at"

# Find email addresses
site:target.com "@target.com"
"@target.com" -site:target.com   # emails mentioned on OTHER sites

# Find error messages that reveal internals
site:target.com "fatal error" OR "stack trace" OR "exception"
site:target.com "mysql_connect" OR "pg_connect" OR "ORA-"

Google dorking is legal -- you're using a public search engine to find publicly indexed content. The vulnerability is on the side of whoever left sensitive files on a public web server without authentication. Having said that, accessing the files you find might cross legal boundaries depending on content and jurisdiction. Finding an exposed database doesn't mean you're authorized to download it. In authorized penetration testing you'd document the finding and report it; in unauthorized access you'd be committing a crime.

The Google Hacking Database (GHDB, maintained at exploit-db.com) contains thousands of pre-built dorking queries organized by category: files containing credentials, vulnerable servers, exposed admin panels, sensitive directories. It's the single best starting point for Google dorking research.

LinkedIn OSINT -- The Corporate Intelligence Goldmine

LinkedIn is the single richest OSINT source for targeting organizations. People voluntarily publish their entire professional history, job titles, reporting structure, technology stack, and current projects. For an attacker building a social engineering pretext, LinkedIn is Christmas morning:

What you can extract from LinkedIn:

Employee intelligence:
- Full names, job titles, departments
- Reporting structure (who reports to whom -- reconstruct org chart)
- Recent hires (new employees are prime SE targets -- they don't
  know procedures yet and are eager to be helpful)
- Departed employees (their credentials might still work)
- Employment duration (identify disgruntled long-tenured staff)

Technology intelligence:
- Job postings reveal the EXACT technology stack
  Example: "Senior DevOps Engineer -- experience with Terraform,
  AWS EKS, Jenkins, Datadog, PagerDuty required"
  This tells you: cloud provider (AWS), orchestration (K8s via EKS),
  CI/CD (Jenkins), monitoring (Datadog), alerting (PagerDuty)
  -- the entire infrastructure stack from one job posting

- Employee skill endorsements reveal internal tools
- "About" sections sometimes describe internal projects by name

Organizational intelligence:
- Office locations and sometimes floor plans (from office photos)
- Vendors and partners (from shared connections, endorsements)
- Internal project names (from employee experience descriptions)
- Security team size (count "security" titles) and tools
  (from security job postings)
- Acquisitions and restructuring (from title/company changes)

Social engineering preparation:
- Shared connections (for pretexting: "John in sales suggested
  I reach out to you...")
- Education history (common ground for liking principle)
- Volunteer activities, interests, groups (rapport building)
- Publication history (compliment their conference talk)

# LinkedIn data extraction approaches:

# Manual (free, slow but thorough):
# - Search "people who work at [target company]"
# - Filter by department, location, seniority
# - Note names, titles, tenure, connections
# - Check "People Also Viewed" for related employees
# - Read job postings for technology stack

# Automated (various tools):
# linkedin2username -- generates username lists from LinkedIn
# Format: first.last, flast, firstl (common AD formats)
python3 linkedin2username.py -c "Target Company" -n 100
# Output: potential Active Directory usernames for password spraying

# CrossLinked -- similar tool, generates email formats
crosslinked -f '{first}.{last}@target.com' -c "Target Company"
# Output: probable email addresses for phishing campaigns

OSINT Automation Frameworks

Manual OSINT is thorough but slow. For large-scale intelligence gathering, automated tools can process thousands of data points across dozens of sources:

# theHarvester -- email, subdomain, and host enumeration
theHarvester -d target.com -b all
# Sources: Google, Bing, LinkedIn, Twitter, DNS, Shodan, etc.
# Output: emails, subdomains, IPs, employee names

# SpiderFoot -- comprehensive OSINT collection
# Web-based interface with 200+ modules
spiderfoot -s target.com -t EMAILADDR,PHONE_NUMBER,DOMAIN_NAME
# Correlates data across multiple sources automatically
# Produces relationship graphs between discovered entities

# Sherlock -- find usernames across 400+ social networks
sherlock targetusername
# Checks: GitHub, Twitter, Reddit, Instagram, TikTok, Facebook,
#          Medium, Keybase, Pastebin, and hundreds more
# Output: list of sites where the username exists
# Use case: find all social media accounts for a target person

# Recon-ng -- modular OSINT framework (like Metasploit for OSINT)
recon-ng
[recon-ng] > marketplace install all
[recon-ng] > modules search
# 80+ modules for DNS, contacts, credentials, social media
# Stores results in a database for cross-referencing
# Can chain modules: domain -> subdomains -> IPs -> hosts -> emails

# Maltego -- graphical link analysis (commercial, free community edition)
# Visual graph of relationships between entities
# Transforms: domain -> subdomains -> IPs -> WHOIS contacts -> emails
# Powerful for visualizing CONNECTIONS between pieces of intelligence
# The "mind map" view of your OSINT data

# Shodan -- search engine for internet-connected devices
# Unlike Google (which indexes web pages), Shodan indexes
# DEVICES: servers, cameras, industrial control systems,
# printers, routers, smart TVs, traffic lights

shodan search "target.com"
shodan search 'org:"Target Corp"'
shodan search 'org:"Target Corp" port:22,3389,445'

# Shodan reveals:
# - What services are running on what ports
# - Software versions (including vulnerable ones)
# - SSL certificate details
# - Default credentials on IoT devices
# - Industrial control systems connected to the internet
#   (SCADA, PLCs, HMIs -- yes, really)

# Censys -- similar to Shodan, academic-focused
censys search "target.com"
# Also indexes TLS certificates, which reveals:
# - Internal hostnames mentioned in SAN fields
# - Wildcard certificate scope
# - Certificate transparency logs

Breach Data OSINT

Previous data breaches are an OSINT goldmine. People reuse passwords across services, so a credential leaked from a 2019 breach might still work on a corporate account in 2026:

# Check if target emails appear in known breaches
# haveibeenpwned.com (free for individual lookups, API for bulk)
curl "https://haveibeenpwned.com/api/v3/breachedaccount/TARGET_EMAIL" \
    -H "hibp-api-key: YOUR_KEY" \
    -H "User-Agent: OSINT-Research"

# Response includes which breaches, what data was exposed:
# - Passwords (plaintext, hashed, or salted-hashed)
# - Security questions and answers
# - Personal information (address, phone, DOB)
# - Internal usernames (which may differ from email format)

# dehashed.com -- search breach databases by email, username,
# IP, name, phone, password hash (commercial, ~$5/search)
# Returns actual credential data (hashes, sometimes plaintext)

# The attack chain:
# 1. Find target email in breach data
# 2. Obtain their breached password (or crack the hash)
# 3. Try that password on their corporate login
# 4. People reuse passwords. This works more often than you'd think.
# 5. Even if the exact password doesn't work, variations do:
#    Summer2019! -> Summer2026! (increment year)
#    P@ssw0rd123 -> P@ssw0rd456 (increment numbers)
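
The year-increment and number-increment rotations in the chain above are exactly what a breach-driven password reset should refuse. Here is an added example (not the author's code) of that check: it reduces a password to the stem an attacker would keep and rejects a new password whose stem matches a breached or previous one. The leet-speak map and all sample passwords are constructed heuristics, not a policy from the page.

```python
import re
from typing import Optional

# Heuristic reversal of common leet substitutions (constructed, not exhaustive)
_LEET = str.maketrans("@$01345", "asoieas")


def password_stem(pw: str) -> str:
    """The part an attacker keeps when 'rotating' a password: drop trailing
    digits/punctuation (Summer2019! -> Summer), undo common leet substitutions
    (P@ssw0rd -> password), lowercase. All-digit passwords collapse to '#'."""
    letters = re.sub(r"[^A-Za-z]+$", "", pw)
    if not letters:
        return re.sub(r"\d+", "#", pw.lower())
    return letters.lower().translate(_LEET)


def is_trivial_variant(old: str, new: str) -> bool:
    """True when `new` is a cosmetic rotation of `old`: identical stems, or one
    stem contained in the other once both are at least five characters."""
    a, b = password_stem(old), password_stem(new)
    if a == b:
        return True
    return len(a) >= 5 and len(b) >= 5 and (a in b or b in a)


def check_reset(new_password: str, known_passwords: list) -> Optional[str]:
    """During a breach-driven reset: return the known (breached or previous)
    password the new one is a variant of, or None if it is acceptable."""
    for old in known_passwords:
        if is_trivial_variant(old, new_password):
            return old
    return None


if __name__ == "__main__":
    # Constructed breached password from the scenario above, and two candidates
    breached = ["Summer2019!"]
    for candidate in ("Summer2026!", "Tr0ub4dor&3"):
        verdict = check_reset(candidate, breached)
        print(candidate, "->", "REJECT (variant of %s)" % verdict if verdict else "ok")
```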

Metadata Analysis

Files contain metadata that their creators rarely think about. Documents, images, PDFs -- they all embed information about who created them, what software was used, and sometimes where they were created:

# ExifTool -- extract metadata from any file type
exiftool document.pdf
# Creator: John Smith
# Producer: Microsoft Word 2021
# Creation Date: 2024-03-15 14:23:07+02:00
# Author: TARGETCORP\jsmith        <-- internal username format!
# Company: Target Corporation

exiftool photo.jpg
# GPS Latitude: 51.5074
# GPS Longitude: -0.1278           <-- exact location (London)
# Camera: iPhone 14 Pro
# Software: 16.3.1
# Date: 2024-11-20 09:15:33

# FOCA (Fingerprinting Organizations with Collected Archives)
# Downloads documents from a target domain, extracts metadata
# Builds a profile of: usernames, software versions, printers,
# email addresses, internal paths, OS versions
# All from publicly available documents on the company website

That TARGETCORP\jsmith username format from a PDF metadata field is pure gold. Now you know the Active Directory domain name AND the username format (first initial + last name). Combined with a LinkedIn employee list, you can generate probable AD usernames for the entire organization. Combined with breach data, you might already have working passwords for some of them.
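
The defensive counterpart to that discovery is to catch the leak before the file is published. Here is an added example (my code, not the author's or FOCA's) of a pre-publication scanner that pulls the `/Key (value)` entries from a PDF's Info dictionary and flags internal usernames, file paths, identities and software versions. The PDF fragment is constructed and deliberately minimal; the parser handles the common backslash escapes of PDF literal strings only.

```python
import re

# Constructed fragment of a PDF (only the parts a metadata scanner cares about);
# not a real document. In a PDF literal string a backslash is written as "\\",
# so the Author below is the single value TARGETCORP\jsmith.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n"
    b"<< /Title (Vendor onboarding guide) /Author (TARGETCORP\\\\jsmith)\n"
    b"   /Creator (Microsoft Word 2021) /Producer (Microsoft Word 2021)\n"
    b"   /Company (Target Corporation)\n"
    b"   /SourceModified (D:20240315142307+02'00') >>\n"
    b"endobj\n"
    b"trailer\n<< /Info 1 0 R >>\n"
    b"%%EOF\n"
)

# /Key (literal string) pairs; the string body may contain backslash escapes
INFO_ENTRY_RE = re.compile(rb"/([A-Za-z]+)\s*\(((?:\\.|[^\\)])*)\)")
PDF_ESCAPES = {b"\\\\": b"\\", b"\\(": b"(", b"\\)": b")",
               b"\\n": b"\n", b"\\r": b"\r", b"\\t": b"\t"}

# What a leak looks like once the value is decoded
INTERNAL_USERNAME_RE = re.compile(r"^[A-Za-z0-9_-]+\\[A-Za-z0-9._-]+$")   # DOMAIN\user
FILE_PATH_RE = re.compile(r"(^[A-Za-z]:\\|^/Users/|^/home/|\\\\[^\\]+\\)")  # C:\, ~, \\srv\share
IDENTITY_KEYS = {"Author", "Company", "Manager", "LastModifiedBy"}
SOFTWARE_KEYS = {"Creator", "Producer"}


def unescape_literal(raw: bytes) -> str:
    """Decode a PDF literal string body (common escapes only)."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i:i + 1] == b"\\" and i + 1 < len(raw):
            out += PDF_ESCAPES.get(raw[i:i + 2], raw[i + 1:i + 2])
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return out.decode("latin-1")


def parse_info_dictionary(pdf: bytes) -> dict:
    """Collect every /Key (string) pair in the file; good enough for Info dicts."""
    return {key.decode("ascii"): unescape_literal(value)
            for key, value in INFO_ENTRY_RE.findall(pdf)}


def find_metadata_leaks(info: dict) -> list:
    """Return (key, value, reason) for each entry that should not go public."""
    findings = []
    for key, value in info.items():
        if INTERNAL_USERNAME_RE.match(value):
            findings.append((key, value, "internal username in DOMAIN\\user format"))
        elif FILE_PATH_RE.search(value):
            findings.append((key, value, "file system path"))
        elif key in IDENTITY_KEYS:
            findings.append((key, value, "person or organisation identity"))
        elif key in SOFTWARE_KEYS:
            findings.append((key, value, "software name/version (fingerprinting)"))
    return findings


def scan_pdf(pdf: bytes) -> list:
    """Convenience wrapper: bytes in, list of leaks out."""
    return find_metadata_leaks(parse_info_dictionary(pdf))


if __name__ == "__main__":
    for key, value, reason in scan_pdf(SAMPLE_PDF):
        print(f"{key:>16}: {value!r:<28} {reason}")
```

Wire this into the publishing pipeline as a gate and pair it with the `exiftool -all=` step from the defense section; a non-empty findings list means the file goes back to its owner, not to the web server.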

Defense: Reducing Your Attack Surface

Physical security layers (defense in depth):
1. Perimeter: fencing, lighting, CCTV surveillance with retention
2. Building entrance: badge readers (encrypted cards, NOT 125kHz),
   reception desk, visitor management system, mantrap/airlock
   for sensitive areas
3. Internal zones: additional authentication for server rooms,
   executive floors, R&D labs (PIN + badge, biometric + badge)
4. Server rooms: biometric access, separate HVAC, no windows,
   environmental monitoring, rack-level locks
5. Clean desk policy: no passwords on sticky notes, no documents
   left out, screens auto-lock after 5 minutes
6. Media destruction: cross-cut shredding for ALL documents,
   degaussing or physical destruction for storage media
7. USB port control: disable USB mass storage via Group Policy,
   whitelist only approved devices

Physical security testing frequency:
- Quarterly: tailgating tests, badge cloning attempts
- Annually: full physical penetration test (red team)
- Monthly: clean desk audits (walkthrough after hours)

OSINT defense -- reducing your digital footprint:

1. LinkedIn hygiene:
   - Remove specific technology versions from job postings
     ("cloud experience" not "AWS EKS 1.28 with Terraform 1.5")
   - Limit employee profile detail (title + company is enough)
   - Restrict who can see employee connections
   - Remove departed employees from company page promptly

2. Document metadata:
   - Strip metadata from ALL public-facing documents
   - Use exiftool -all= document.pdf before uploading
   - Configure Microsoft Office group policy to NOT embed
     author name, company name, or file paths in metadata
   - Remove GPS data from all photos before publishing

3. Search engine exposure:
   - Regularly Google your own organization with dorking queries
   - robots.txt for directories that shouldn't be indexed
   - Remove exposed configuration files, backups, and databases
   - Set up Google Alerts for your company name + "password"
     or "confidential" or "internal"

4. Breach monitoring:
   - Subscribe to haveibeenpwned.com domain monitoring
   - Monitor for corporate credentials in dark web markets
   - Force password resets when employee emails appear in breaches
   - Implement credential stuffing detection on login portals

5. Employee awareness:
   - Train employees on what NOT to post (office photos showing
     screens, badges, whiteboards with network diagrams, door
     access systems)
   - Review social media policies annually
   - Remove old employee accounts within 24 hours of departure
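A small pre-publication check for the document-metadata item above, written as an added example (it is not part of this post, nor code from FOCA or exiftool): it parses a PDF's /Info dictionary and flags the fields an attacker would harvest, using a constructed sample PDF whose Author value is the TARGETCORP\jsmith format from the FOCA output. The regexes and severity rules are assumptions for illustration; the parser deliberately ignores XMP and hex strings.

```python
"""Pre-publication PDF metadata audit (added example, not from the post).
Flags the fields FOCA harvests before a file goes on the public site.
Only classic /Info literal strings are parsed, so still finish with
`exiftool -all=` as the post recommends."""
import re

# Watched /Info keys and what an attacker learns from each (assumed set).
WATCHED = {
    "Author": "person name or username",
    "Company": "organisation name",
    "Creator": "authoring software",
    "Producer": "PDF converter",
    "SourceModified": "original edit timestamp",
}
DOMAIN_USER = re.compile(r"^[A-Za-z0-9_-]{1,15}\\[A-Za-z0-9._-]+$")  # DOMAIN\user
PATH_LIKE = re.compile(r"(?:[A-Za-z]:\\|\\\\[^\\]+\\|/home/|/Users/)")  # local/UNC path
ENTRY = re.compile(rb"/(\w+)\s*\(((?:\\.|[^\\()])*)\)")  # /Key (literal), escapes ok

def info_fields(pdf: bytes) -> dict:
    """Return watched /Info entries as {name: decoded value}."""
    found = {}
    for key, raw in ENTRY.findall(pdf):
        name = key.decode()
        if name in WATCHED:  # unescape \( \) \\ inside the literal string
            found[name] = re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1")
    return found

def audit(pdf: bytes) -> list:
    """Return (severity, field, reason) tuples for leaky metadata."""
    findings = []
    for field, value in info_fields(pdf).items():
        if DOMAIN_USER.match(value):
            findings.append(("high", field, "AD domain and username format leaked"))
        elif PATH_LIKE.search(value):
            findings.append(("high", field, "internal file path leaked"))
        elif field in ("Creator", "Producer") and re.search(r"\d", value):
            findings.append(("medium", field, "software name and version leaked"))
        elif value.strip():
            findings.append(("low", field, WATCHED[field] + " disclosed"))
    return findings

# Constructed minimal PDF whose /Info mirrors the FOCA findings above.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Title (Q3 Budget) /Author (TARGETCORP\\\\jsmith)"
              b" /Company (TargetCorp Ltd) /Creator (Microsoft Word 2016)"
              b" /Producer (Acrobat Distiller 11.0) >>\nendobj\n"
              b"trailer\n<< /Info 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    for severity, field, why in audit(SAMPLE_PDF):
        print(f"[{severity}] {field}: {why}")
```

Run it over every file in the public web root before upload; any "high" finding means the document goes back for cleaning.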

The AI Slop Connection

AI is making OSINT dramatically more efficient and physical security assessment more scalable. What used to take a human analyst days of manual research -- cross-referencing LinkedIn profiles, correlating breach data, building org charts, identifying high-value targets -- AI can do in minutes. Feed it a company name and it produces a structured targeting package: org chart, technology stack, probable AD usernames, email formats, recent hires sorted by vulnerability to social engineering, and recommended pretexts based on recent company news.

On the physical side, AI can analyze photos of building entrances posted on social media to identify access control systems and plan bypass strategies. Employee selfies in the office reveal badge reader models, camera positions, door types, and security guard schedules. AI image recognition can process hundreds of Instagram and LinkedIn photos to build a detailed map of a facility's physical security posture -- all from publicly posted images.

The defense gap is real: organizations invest millions in digital security while leaving physical security to a $12/hour guard and a $200 badge reader from 2015. AI is widening that gap because it makes the attacker's reconnaissance faster and cheaper while the physical defenses remain static. A Proxmark3 costs the same as it did five years ago. A security guard's ability to detect tailgating hasn't improved. But the attacker's ability to know exactly which door to target, which employee to follow, and which badge to clone has improved dramatically thanks to AI-powered OSINT.

What Comes Next

Physical security and OSINT represent a category of attacks that most security programs overlook because they don't fit neatly into vulnerability management dashboards. But they're some of the most reliable attack vectors in real-world engagements. A tailgating success rate of 90% is higher than most web application exploits. A badge clone takes 5 seconds of proximity. A Google dork can reveal more about an organization's infrastructure than a week of active scanning.

The next phase of this arc goes even further into the organizational dimension of security. What happens when the attacker isn't an outsider at all -- when the threat comes from someone who already has a badge, a VPN connection, and a legitimate reason to access the systems they're compromising? That scenario requires a fundamentally different defensive model, because every perimeter control is already bypassed by definition. And after that, we'll examine how emerging technologies are creating entirely new categories of deception that blur the line between what's real and what's fabricated.

Exercises

Exercise 1: Perform an OSINT assessment of your own digital footprint. Search for yourself using: (a) Google (your name, email addresses, common usernames), (b) haveibeenpwned.com (check every email address you've ever used), (c) Sherlock or a similar username enumeration tool (your most common usernames), (d) Google dorking (your email domain, your personal domain if you have one). Document everything an attacker could find about you. Then identify 3 specific actions to reduce your exposure (remove an account, change a privacy setting, strip metadata from a document). Save to ~/lab-notes/personal-osint-assessment.md.

Exercise 2: Use theHarvester and Google dorking to enumerate a target domain you have permission to test (or use a deliberately vulnerable domain like megacorpone.com from the OSCP labs). Collect: email addresses, subdomains, technology indicators, and employee names. Build a targeting profile document: who would you phish first and why, what pretext would you use (based on the OSINT you gathered), and what technology would you target for initial access? Document your methodology and findings in ~/lab-notes/osint-target-assessment.md.

Exercise 3: Research the Proxmark3 badge cloning workflow in depth. Document: (a) the difference between 125kHz and 13.56MHz access card technologies, (b) which card types can be cloned trivially (HID ProxCard, MIFARE Classic) versus which have real cryptographic protection (MIFARE DESFire, HID SEOS), (c) the effective read range for each frequency and what equipment extends it, (d) what defenses exist against badge cloning (encrypted cards, shielded badge holders, multi-factor physical access with PIN + badge, behavioral analytics). Save to ~/lab-notes/badge-cloning-research.md.


Thanks for reading!

@scipio
