114

Following people into a large RFID protected residential building is ridiculously easy, as not everyone knows everyone else. Just the other day I was let in with a rifle (an airgun, but how could have they known).

But standing helplessly in front of the door, looking in sorrow at the lock, is not the best role to play as it attracts questions like "who are you" or "who are you visiting".

What is a more appropriate behavior when waiting around for someone to enter?

Vorac
  • 1,817
  • 3
  • 20
  • 27
  • 44
    Wait for people to come out for a smoke, smoke with them while talking to them. When they go back in, you join them. – Jeroen Nov 15 '18 at 13:15
  • 18
    "but how could have they known" - Not sure where you're located but if you can buy an air rifle and carry it around without much bother then that likely means you're in a place where the locals know what air rifles look like and you happened to run into one. – Freiheit Nov 15 '18 at 20:27
  • 76
    If someone carrying a rifle tried to follow you into a building, would _you_ challenge them? – Jeffrey Bosboom Nov 15 '18 at 21:29
  • 15
    What has become of pushing every button on the doorbell panel? Someone always opens... – Damon Nov 17 '18 at 18:39
  • @Damon it sounds like OP is asking about an apartment building. If there's anything like a doorbell panel, it would probably connect to building management, who would be more cautious than a typical resident would. – user2752467 Nov 19 '18 at 09:08
  • 9
    @JustinLardinois in North America and the UK, at least, the buttons connect to each unit, and management is not involved in any way. – schroeder Nov 19 '18 at 16:26
  • @schroeder I suppose it varies by region; that's not common in the part of North America I live in. – user2752467 Nov 20 '18 at 07:35
  • 2
    New, [relevant xkcd](https://xkcd.com/2077/) – Draco18s no longer trusts SE Nov 26 '18 at 22:41
  • Don't. Bypassing security is announcing yourself as a threat, and eventually someone will take that seriously. (Hopefully before a real threat gets in the same way) – ShadSterling Apr 11 '21 at 09:43

6 Answers6

164

There are some basic social engineering approaches to use that work in most situations, not just tailgating:

  • urgency
  • authority
  • curiosity
  • pretexting

Urgency

Be someone with a specific task to perform that needs to be done right now. The classics are a delivery person with full arms and someone looking to pick someone else up. A family member needing to check on an elderly resident. People want to be helpful and they don't think that you will be around long enough to be a threat.

Authority

Be someone who the gatekeeper has no right or reason to refuse. Fire marshal, utilities inspector, law enforcement, building security, process server. Lots of studies of people being let in with a just clipboard and a high-visibility vest.

Curiosity

To get close to someone, be very interesting in such a way that they want to know more. Dress up as a clown to deliver a telegram.

Pretexting

Establish a shallow relationship that appears to be deeper. Smoking with people outside on their break is classic. The smokers will assume you are also an employee (why else would you be there?)

Combinations

But these work even better in combination. A fire marshal in an awful rush. A clown who claims he was at the last company party (and knows a few important names). The more combinations you can combine, the more effective the process is — an authority figure, in a rush, to do something interesting, who claims to have a preexisting relationship. If you go over the top or try too hard, it will backfire, though.

Maya
  • 125
  • 5
schroeder
  • 123,438
  • 55
  • 284
  • 319
  • 247
    So you are saying a smoking clown with with a fire axe on his back and a police cap on the head hodling 6 packages with a cliboard lying on top demanding to enter the building to check on his elderly mother because he is worried that there is a gas leak would not work? I guess, I'll have to send everything back then. – problemofficer - n.f. Monica Nov 15 '18 at 15:08
  • 84
    *"Lots of studies of people being let in with a just clipboard and a high-visibility vest."* - for most large buildings I've worked/lived in, all you'd have to say is "I'm here to work on the AC (or heater)" and they'll roll out the red carpet for you. – Lord Farquaad Nov 15 '18 at 16:05
  • 12
    I suspect combinations are a bad idea. You want to avoid making the mark think too closely. Each of the examples seems to be a normal individual and a lazy thinking mark will let them in. I think you are right with the last sentence that combinations can backfire, but I think the threshold for decreasing your chance of success is lower. – Ross Millikan Nov 15 '18 at 16:44
  • 63
    This is a good answer. I would also add "social awkwardness," as in people will avoid interacting with you if they think it would be awkward. For example, you could wait for someone to approach the gate then walk in with them while talking continuously on your cell phone-- most people won't want to interrupt. – John Wu Nov 15 '18 at 19:36
  • 28
    @John that's definitely something you could combine. A guy with a vest and clipboard (or suit and clipboard, depending on the place), on the phone with a confident nod toward the security guard as he walks in would be pretty solid. – Cullub Nov 16 '18 at 04:13
  • 5
    "Be someone who the gatekeeper has no right or reason to refuse." Or more precisely, they think they have no right to refuse. A process server has no special rights to bypass security. Even a cop, absent a special situation, doesn't have the right to demand entry. – Acccumulation Nov 16 '18 at 16:11
  • 10
    There was a _surprising number_ of delivery people that seemed to somehow dodge security and show up at our office reception without any issues. Eventually I found out that they gave candy to the security officer on our access gate to let them pass so they can deliver the burguer/pizza/whatever without needing to wait for someone to let them throught. Our CEO wasn't happy. – T. Sar Nov 16 '18 at 17:42
  • 2
    It's worth mentioning that there is always a chance someone will break the norm and stop you to make an inquiry, and if you are impersonating an official (not necessarily even a cop) you could face a serious criminal charge. – John Wu Nov 18 '18 at 09:20
  • 3
    The smoking one is always the easiest (if you smoke). I've been at my job for four months, having regular chats with colleagues with whom I don't work directly and with whom I've never spoken inside ... well, I assume they're colleagues anyway, and they assume I'm one. None of us has ever actually checked (as far as I know). – Lightness Races in Orbit Nov 19 '18 at 13:51
  • 9
    As an ex-pizza-delivery-driver of many years I can confirm there is not a building that cannot be gotten into by holding a pizza box and walking like you're on a mission. I've done this to get back stage at concerts a few times. – Tiny Giant Nov 19 '18 at 17:22
  • Yes, [hit them with an undeniable combination punch](https://i.stack.imgur.com/9Wbev.jpg) - sweet, non-intimidating, smoker, dangerous tattoos, wet - and obviously must get out of the cold, but doesn't speak the language. They're certain to be so befuddled they'll write you into their Will. Me: "That's great, you have everything you need except what it takes to get into the building". – Rob Nov 21 '18 at 02:26
  • *Lots of studies of people being let in with a just clipboard and a high-visibility vest* → there are good examples in the videos of these guys: https://www.youtube.com/watch?v=GyvRamX1VyA. – WoJ Jun 11 '20 at 09:19
83

Just stand outside the door at some distance talking on your phone. Don't look at the door, don't look at the person coming to open it, don't look like you want to get in. Don't ask to be let in. Don't engage in conversation. Just let the person open the door and go through. Then in the last second before it closes and lock, you calmly walk through still talking on your phone.

Wearing a costume or high-vis will make you... well, highly visible. In some places you might need the costume and the excuse to get in. But in a lot of places, just blending in like an unmemorable nobody is quite enough. Dress like you belong, don't ask, just walk.

As a disclaimer I should note that I have no professional experience with this. But I do use it all the time to get into my office when I forget my RFID tag.

Anders
  • 64,406
  • 24
  • 178
  • 215
43

The main element, as you've said, is to not look like you're waiting for your mark to arrive. What you need is a prop that gives a visual indication why you're standing outside the door.

Useful props (that would explain your presence) would include:

  • Cigarette or e-Cig.
  • Lunch-bag(s).
  • Coffee(s) from a local distributor.
  • Box of doughnuts.

Having a bulky item or two of something (one in each hand) is especially useful because it would explain why you can't reach for a pass.

Story-time. I was working for a company that had access passes. A local hoodlum bought himself a cheap suit and tried to tailgate into the side-entrance. He was stopped by a member of staff as per the company policy. The hoodlum brazened it out by asking him "was it because he was black?" and the member of staff immediately apologised. The hoodlum demanded his manager's name (so he could make a complaint) and received even more profuse apologies.

The 'mark' then helped him to take laptops out of the conference suite and load them into the back of an unmarked van.

Moral of the story? Social engineering simply requires confidence

Richard
  • 939
  • 6
  • 9
16

Buy one of these: doordash bag

Look rushed, and knock on the window/door until someone lets you in. Once inside ask for a random name, and have a screenshot of the doordash app on your phone. (Preferably with the name showing)

If you're feeling ambitious:

Become a legitimate employee of doordash (it's not difficult), and then order food to that building from yourself with instructions to go and find someone specific at the company you are targeting.

Have the "customer" leave specific instructions as to where in the building they are. "I'm in the far east corner, in the meeting room. Just show this to the receptionist and tell her that [the CEO] said to let you in". If you encounter further locked doors show the note to the receptionist and ask if they can help you out: "Could you help me find that room?" "My phone is out of data, do you have wifi I could log into?" etc. etc.

0112
  • 265
  • 1
  • 6
  • 4
    I can see this working, but if you "become a legitimate employee of doordash" wouldn't that make you more traceable after whatever nefarious activity you've gained access for has been discovered? – James Bradbury Nov 19 '18 at 09:20
  • @JamesBradbury You don't become an employee, you just get enough stuff to look convincing enough, like a uniform or bag. You can't be traced if you aren't with the company. It's all about keeping up appearances. – shadowmanwkp Nov 19 '18 at 11:15
  • 2
    @JamesBradbury that is certainly a risk if you do not wish to be traced. For a hired pentest however, this approach may make more sense. – 0112 Nov 19 '18 at 14:07
  • 6
    @0112 I feel that "becoming a legit employee of doordash" is a very clever idea, but it may expose the pentester to legal liability (https://www.nytimes.com/1997/02/17/opinion/revisiting-the-food-lion-case.html). I suspect "doordash" or similar companies would quickly tire of being associated with security breaches. – emory Nov 19 '18 at 15:12
  • @emory All good points. – 0112 Nov 19 '18 at 16:42
1

People are helpful by nature. Approaching a door with your hands full, for example with a huge gift wrapped box, will encourage people to open the door for you, no questions asked.

Teun Vink
  • 6,788
  • 2
  • 27
  • 35
0

Residential building? "pretend" to be a tradesman - you don't even need a costume or fake ID in many cases.

I know of a number of residential buildings in my area where on a weekday before 12:00, pressing the TRADE button on the access panel just opens the door.

Instant access and no subterfuge. Of course it depends on the building, but if it has an access option like this...

Baldrickk
  • 101
  • 3