Thursday, July 17, 2014

Physical Pentest Gear: The Clipboard

I've done several physical pentests in the past (and currently), and one piece of gear that never ceases to amaze me with how useful it is is the clipboard. I'm not talking about your grandfather's clipboard. I'm talking about today's modern clipboard. It has wifi for auto note taking and a camera to transmit pictures. OK, I'm just messing with you, it doesn't have all that. But it still is incredibly useful.

I was doing a physical one day and was on the social engineering portion of the test, AKA: me walking around the office trying to get sensitive documents. I came across an empty cubicle that was being used to store a bunch of bankers boxes (think stereotypical cardboard boxes with the handle holes and tops). Well, I peeked inside one of the boxes and giggled at what I found. Thousands of documents with handwritten credit card info dating back several years. That was in one box. One box of about 2 dozen.

I took a couple snapshots with my camera but couldn't get a good photo because of the lighting/not enough time. So I grabbed a couple documents (they were old, just as a PoC) and took a picture of the pile of boxes. The clipboard I was carrying was perfect to quickly stash these papers:

Any clipboard with a similar compartment will do. You can stash a surprising amount of documents in those things. Waaaay more than you need to prove your point.

Once I was back at the hotel I took much better shots and included them in the report, and when everything was done and over, I securely mailed the documents back to my point of contact. That "Sensitive Documents Not Stored Securely" finding was a small finding in an otherwise juicy report, and that clipboard made my life way easier during the entire SE portion of the test.

There is also the added benefit that having a clipboard in your hand subconsciously insinuates to other people that you are a person of authority, a decision maker, someone that should probably be treated a little better than any old average Joe. That thought tends to arise from two different personalities.
1. The person wants to suck up to you (the teacher's pet syndrome)
2. I don't want to get in trouble (the teacher's ruler syndrome)

There is a third personality type who tends to hate authority figures, but you can usually defuse those types of people by being very confident and most importantly - very polite/kind. Kindness in authority figures tends to be fairly disarming to the vehemently authority-opposed.

So there you go, just like an EDC (every day carry), every object in your blackbag should have multiple uses. I'd suggest adding a compartment clipboard to yours ASAP.

It may seem like a small and insignificant addition at first, but I guarantee that you will be happy you bought it.

