Physical Site Mapping Using OSINT


Introduction

As a security analyst, you perform penetration testing to establish whether a business's organisational security is up to par. This normally involves some form of network and web application testing to identify vulnerabilities before a threat actor can exploit them. Remedial advice is then given to the organisation, stating which measures should be implemented to prevent such attacks.

In some instances, physical access to data, equipment, systems and other business resources may be necessary, as breaching the organisation may be difficult to do remotely. Cases like these require the analyst to take a different approach.

Attack simulations are a common security exercise in which consultants are tasked with attacking the organisation on both a physical and a digital level. This process involves threat modelling, recognising security flaws, and exploiting the flaws found in the organisation's environment. The company can then use these findings to implement measures that prevent such attacks.

Before the analyst can begin identifying vulnerabilities in the organisation, a reconnaissance phase is conducted. This can often reveal in-depth information about the business. Much of this information is known as OSINT, or Open Source Intelligence: free, publicly available information commonly found on the internet.

One of the challenges when conducting physical penetration tests is the time limitation imposed. Whereas a persistent threat actor may have weeks or even months to conduct reconnaissance, the window given to security consultants will be significantly shorter. That is why gathering as much relevant data as possible ahead of the engagement is so vital, especially when security measures may limit the number of attempts you can make.

The sections below describe some example techniques used to perform reconnaissance against a physical site and gather OSINT. In particular, we look at methods of finding floor plans and security device placement.

Planning Applications

Websites that allow you to search for planning applications can provide a wealth of information about your target business. In the UK, if the target has carried out any building projects on its premises, it is required to gain permission before doing so. The business must submit an application to its local council outlining the proposed development. Supporting documents within these applications can include highly valuable location plans showing the site area, the surrounding context and the proposed development in detail.

I have personally used this method to determine on-site physical infrastructure such as CCTV camera placement and models, sensors, fences/gates, guard posts, floor plans and entry points.

Finding the Council

The first step is to locate the local council of the target business. District, Borough and City councils are responsible for planning applications. Newgate Communications provide a council search tool that can help to identify the correct council(s), as there are often multiple.

Council Map: https://www.newgatecomms.com/council-map

A list of councils in England is also available to further assist this process:

Identifying the Council Planning Application Search Site

Once the council has been determined, the next step is to discover its mandatory planning application search site. This can be done using a Google search query, often referred to as a 'dork'.

inurl:gov.uk intext:search “Application Search” OR “Planning Applications” CouncilName

Replacing CouncilName with the applicable council and searching Google with this query will likely pinpoint the planning application search site.

Document and Resource Enumeration

Once on the site, you can perform various searches using keywords, reference numbers and addresses. I personally found that using the business name or the address yields the best results.

Vodafone Search Results

Search results for the example business “Vodafone”

The above image shows Vodafone being used as the example business; the search revealed eleven results relating to various development projects.


Each application summary details the proposed development and whether the application has been accepted. Following the "documents" link, you can find a list of the accompanying files, which can contain valuable information.

Site Maps Vodafone

Various site maps for the example business “Vodafone”

Document any information you can; the relevance of some information may not be immediately apparent and may become useful later. Crucial security features such as CCTV cameras, guard posts and even security providers can be identified in planning application documents like these.

It's also worth noting that many council planning application websites follow identical formats, differing only in branding. This suggests they have been built from a handful of web frameworks. There is definitely potential to automate this enumeration process.

Contractor Key Projects / Case Studies

Your target business may have hired third-party companies to perform services such as architectural work and interior design. These contractors may present and showcase their projects on their websites in the form of case studies or previous work. Such websites can be located with basic Google searches (dorks) like the following:

“Architects” “CompanyName”

“Architects” “CompanyLocation”

“Interior Design” “CompanyName”

“Interior Design” “CompanyLocation”

Replacing CompanyName and CompanyLocation with the relevant target details will help you find these potential contractors. Notice the quotation marks; these tell Google that the exact phrase must appear in the returned results.

Such websites may contain portfolios of work showcasing photos of the target site, including site plans, technical drawings and images taken from various angles.

Architectural Work Vodafone

Various site maps for the example business “Vodafone”

Mapping Services

There are many mapping services that can provide a lot of visual information about your target business. Satellite imagery, heatmaps, drone footage, historical images and cycling routes are some examples of the data available from online services that can be used when mapping out a physical location.

Satellite Imagery

Google, Bing, HERE WeGo and OpenStreetMap are a few examples of services that provide satellite imagery in various formats. Using multiple satellite imagery services instead of relying solely on Google Maps can give you different time frames, lighting, quality and mapping styles, all of which can lead to a better reconnaissance process. I've personally had trouble identifying a perimeter security fence due to dense woodland; switching to a different mapping service allowed me to identify the fence easily.

Satellite Imagery

Google vs Bing vs Apple vs Cartosat

Heatmaps

Strava is an online service used for tracking exercise, commonly used by athletes. Within its mapping service, there is the ability to show heatmaps of activity, which can be used to our advantage. Many employees, guards and members of the public who travel within and around the target premises will have their Strava service active, more often than not without realising it. This is usually due to a Fitbit or another fitness tracker collecting GPS data points.

Strava Heatmap

The heatmaps can be used to identify perimeter entrances, common walking paths and even security patrol routes. Check out this article, which explains how Strava was used to uncover US military bases used for intelligence operations: