Darknet Diaries - 125: Jeremiah
Episode Date: October 4, 2022
Jeremiah Roe is a seasoned penetration tester. In this episode he tells us about a time when he had to break into a building to prove it wasn’t as secure as the company thought.
You can catch more of Jeremiah on the We’re In podcast.
Sponsors
Support for this show comes from Axonius. The Axonius solution correlates asset data from your existing IT and security solutions to provide an always up-to-date inventory of all devices, users, cloud instances, and SaaS apps, so you can easily identify coverage gaps and automate response actions. Axonius gives IT and security teams the confidence to control complexity by mitigating threats, navigating risk, decreasing incidents, and informing business-level strategy — all while eliminating manual, repetitive tasks. Visit axonius.com/darknet to learn more and try it free.
Support for this show comes from Snyk. Snyk is a developer security platform that helps you secure your applications from the start. It automatically scans your code, dependencies, containers, and cloud infrastructure configs — finding and fixing vulnerabilities in real time. Create your free account at snyk.co/darknet.
Transcript
There's this story of a guy named Michael Fagan, and it fascinates me.
This is a story that took place in June 1982 in London.
Michael was 30 years old, and he was an interior painter.
He had a wife and six children, but times were tough for him,
and he was having trouble supporting all those kids, and he wasn't mentally stable.
His wife couldn't take living with him anymore, and she left.
And that was the night of June 7th, 1982.
Here's Michael, in his own words, saying what happened next.
My nerves were pretty bad.
They were going up and down.
I was going through this breakdown.
And I'd walked around the streets of London, and I'd suddenly come across Buckingham Palace.
So this audio is from a BBC interview they did with Michael in 1993.
Now, Buckingham Palace is where the Queen of England lives.
It's a huge building, three stories tall, 775 rooms,
and at night it's clearly closed to the public.
But the palace is in the heart of London, running along some public roads. Michael was walking down one of those roads.
And I could see the window open. It was there subconsciously to do it, probably. I just hopped over the wall, up the drainpipe and in.
Wait, what? He just hopped the wall, climbed up the drainpipe and got in through an open window on the second floor of Buckingham Palace?
That should not be possible.
I walked around the palace for about an hour,
looking at the pictures on the wall, paintings.
But it wasn't how I would have imagined it.
I don't think people imagine it the way it is.
Dusty and squeaky floorboards.
Very ordinary.
I don't think they spend too much on sort of decoration.
Maybe they have it done up now.
Maybe it was due a re-deck.
Past a few doors.
I came across a throne room.
They evidently do the knighthoods in there and whatever.
Went in there, that was quite interesting.
I had a little sit on the throne.
I'm walking about willy-nilly, actually.
I'm not hiding.
Didn't you see any security staff?
No, not up to now, not up to this point.
Went into Prince Charles's private secretary's office,
I found out later,
and there's all these presents around the walls.
Presents that people send in from the far reaches of the globe.
You know, sort of teddy bears and cups.
And there was this bottle of wine from California.
And I was so thirsty, I couldn't find a tap.
I didn't actually intend to steal anything.
Took the bottle down from the shelf,
and I couldn't find a corkscrew.
I was sitting on the desk with my feet up,
pushed the cork into the bottle,
and drank it out of the bottle.
And then all of a sudden, I thought,
my God, where am I?
I'm in fucking a panacea.
Oh, no.
What am I doing here?
I mean, it was just like,
as if my brain had arrived in a TARDIS.
It was, you know, how do I get out?
So as I walked out into the passageway,
I saw a security guard with a dog.
And I looked round the corner and I stood back.
He went into a room and I found my way out there
and I made my way downstairs, out the window,
across the grounds at the back and over the wall.
And I'm walking up the Mall five minutes later.
And I thought, as I got to sort of towards Nelson's Column,
I thought, my God, Billy Buckingham Palace.
What a crazy story.
Michael Fagan just popped into Buckingham Palace,
drank some royal wine and left.
Incredible.
What if he was a spy or there to cause harm to the place? This place should have been much more secure than this.
This shouldn't have been possible. But things got worse for Michael. His wife took the kids,
and he stole a car to try to find her. But he ran out of gas and got arrested for stealing the car, and he was out on bail and more distraught than ever.
July 8th came along, and he couldn't sleep at all that night.
And at 5 a.m., he goes for a walk down the road
that goes towards Buckingham Palace.
He was just trying to clear his head and take a walkabout.
I think I knew what I was doing at that point.
Started walking towards Buckingham Palace.
About five o'clock, I see all these women cleaners going to work.
The intent's there now. I'm going to get in there and I'm going to see the Queen.
One direction, nothing's going to stop me. Through St James Park, up over the wall,
into the palace,
saying good morning to the servants
as I'm walking past them.
I don't know how the hell I found a room.
I really don't know how.
People have said to me,
you know, how did you find it out of all those rooms?
I really don't know.
I'm in the Queen's bedroom,
so to make sure it's the Queen,
I walk to the window.
She's looking very small in her bed.
She was asleep, was she?
Yeah. Walk past it, but it looks too small to be the Queen, so go over
and I draw the curtain back just to make sure, and suddenly she sat up. What are you doing here?
So I said... well, I was dumbstruck, to be honest. I was thinking what to say.
Get out, get out.
She jumped out of bed.
What are you doing here?
And walked out of the room.
I stood there.
Maybe I sat in the corner of the bed.
All this about long conversations.
I mean, a lot has been said about what went on in that room.
This is the truth, you know.
She just said, get out, and that was it.
The footman came in and they looked at each other and said,
oh, my God, what have we got here?
I just think there was a rebellion going on in my head.
Do you think you were actually trying to get caught
when you went in that second time?
Yeah. Yeah.
Just to make that statement of,
you know, I am. I am.
The guy snuck into Buckingham Palace twice, and the second time he got all the way into the Queen's bedroom while she was asleep. Creepy and incredible.
The chaos he could have caused was huge.
He was arrested and he went to court at the Old Bailey.
I was actually charged with stealing half a bottle of wine.
It was just unbelievable, actually,
to be tried at No. 1 Court Old Bailey.
The Hanging Court intimidated me.
I mean, people had been sent to Australia from there.
They'd been sent to the gallows from there.
And there's me for half a bottle of wine.
The jury found him innocent of wrongdoing,
and he was not sentenced to any jail time.
However, the judge found his mental health to be something to worry about.
So they sent him to do time in a psychiatric ward. And while there, he wasn't able to go home and see
his wife or kids, which caused him more stress. But he eventually got to go home. But he wasn't
well, though. He was arrested a few more times for fighting at the pub and dancing in the streets
naked. And certainly Michael Fagan isn't the kind of man to fade quietly from the public eye.
He even made a record, a version of the Sex Pistols song, God Save the Queen.
God save the queen, a lovely human being.
What future can I dream?
Don't tell me what I want.
Don't tell me what I need.
Who planted the man in and who planted the seed?
He finally divorced his wife, but got custody of his kids and spent a lot of time just being a dad.
Sarah's in her first year of school and someone said,
her dad broke into Buckingham Palace.
And she just turned around and said, yeah, and your dad hasn't, has he?
These are true stories from the dark side of the internet.
I'm Jack Rhysider. This is Darknet Diaries.
This episode is sponsored by Delete Me.
I know a bit too much about how scam callers work.
They'll use anything they can find about you online to try to get at your money.
And our personal information is all over the place online.
Phone numbers, addresses, family members, where you work, what kind of car you drive.
It's endless.
And it's not a fair fight.
But I realize I don't need to be fighting this alone anymore.
Now I use the help of Delete.me.
Delete.me is a subscription service
that finds and removes personal information
from hundreds of data brokers' websites
and continuously works to keep it off.
Data brokers hate them because Delete.me
makes sure your personal profile is no longer theirs to sell.
I tried it and they immediately got busy
scouring the internet for my name
and gave me reports on what they found.
And then they got busy deleting things.
It was great to have someone on my team when it comes to my privacy.
Take control of your data and keep your private life private by signing up for Delete Me.
Now at a special discount for Darknet Diaries listeners.
Today get 20% off your Delete Me plan when you go to joindeleteme.com slash darknetdiaries and use promo code Darknet at checkout.
The only way to get 20% off is to go to JoinDeleteMe.com slash DarknetDiaries and enter code Darknet at checkout.
That's JoinDeleteMe.com slash DarknetDiaries and use code Darknet.
Support for this show comes from Black Hills Information Security. Thank you. give them a call. I'm sure they can help. But the founder of the company, John Strand, is a teacher, and he's made it a mission to make Black Hills Information Security
world-class in security training. You can learn things like penetration testing,
securing the cloud, breaching the cloud, digital forensics, and so much more. But get this,
the whole thing is pay what you can. Black Hills believes that great intro security classes do not
need to be expensive,
and they are trying to break down barriers to get more people into the security field.
And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range,
which is great for practicing your skills and showing them off to potential employers.
Head on over to BlackHillsInfosec.com to learn more about what services they offer and find links to their
webcasts to get some world-class training. That's BlackHillsInfosec.com. BlackHillsInfosec.com.
So let's start out with you telling us your name and what do you do?
Yeah, my name is Jeremiah Roe, and I'm a solutions architect for Synack.
So what drew me to Jeremiah is his background in penetration testing.
Companies have hired him to see if they have any security holes
and if he can find them and break into their buildings or network.
Because if someone could just walk into your building, that can be bad.
So companies want to test how hard it is to break into their buildings.
How good is their security? And these stories of how people break into buildings always fascinate
me. And today, Jeremiah brought us a penetration test story. Now, when Jeremiah was a kid, he liked
building little websites, and this was the seed that made him decide to go into a tech career.
He went into the military and then got a job at Geek Squad,
troubleshooting customers' computer problems.
But then he landed a better job where he learned more about technology,
and this got him into cybersecurity,
and eventually he took the OSCP certification.
This is an advanced cert that quizzes you on
how to use hacking tools and exploitation techniques,
and it's a pretty serious exam that you have 24 hours to complete.
Well, he passed that, which gave him new opportunities.
I was able to transfer that over to a government contracting role,
which I got hired for out in the D.C. area.
And from there, we really primarily focused on conducting network-level penetration testing, web application penetration testing.
We were both the internal pen test team and the internal red team operations all in one for this organization.
This taught him how to think like an attacker, not just any attacker, but one that would attack government networks and systems.
Attackers like this have a lot of resources
and sometimes stop at nothing to get into certain networks.
So Jeremiah learned how nation-state actors would think
and was able to try some pretty wild things to gain access into facilities.
I think they even had ex-military working on his team too,
like ones who were trained by the military to hack into things.
And yes, the military trains troops to be hackers.
I mean, there's the Army Cyber Command, just to name one group.
So learning from people like this really gave him some interesting insight.
Now what Jeremiah did there was internal red team assessments.
That is, he was attacking the contractor he worked for itself
to try to find vulnerabilities in the buildings and the network.
See, this Washington, D.C.-based contractor that he was working for
did a lot of work for the federal government.
And it was growing and expanding.
And there were offices and remote locations and scattered all around.
And here's the thing.
When other nations want to hack into our government,
they don't always go directly towards the government's networks.
They might attack a contractor
and try to get into the contractor's network,
which might give them access into the government's network.
Because if a contractor is doing work for the government,
then it must have some sort of access to the government, right?
So this is sort of coming in through the side door kind of attack.
Jeremiah knew this, and this is why he was tasked with attacking the company he worked for,
to try to find ways a nation-state attacker might get in and what damage they could do.
At some point, Jeremiah found a remote satellite office, which did a lot of business for the federal government. And he wanted to conduct a penetration test on this office to see if it was vulnerable.
Basically, we came up with the idea. We wanted to go and test out this location. We felt that there
were risks to the organization and to the clients that we work with through this organization that maybe weren't being addressed or thought of.
And so we wanted to conduct a nation-state style of an attack
from a physical perspective just because physical assessments
or physical red team operations or physical pen tests
just really
aren't done all that much. And we wanted to take it upon ourselves to go ahead and conduct one
towards this satellite location.
And when you pitched this idea to them, they said, okay, go for it, full speed ahead?
Not at all. Nobody wanted to do it. Nobody liked it. Nobody liked the idea.
It was very risky. And of course, this is a risk-averse organization. I think it's fair to say
that government as a whole is fairly risk-averse.
And see, to me, this is backwards thinking. How can you say you're risk-averse without looking to see what risks you even have? If you're going
to claim to be risk-averse, then you better be out there every day
looking for any and all risks that your business faces
and re-evaluating them constantly.
And you won't turn down a security assessment
because you're afraid of what it might uncover.
In a way, I think people are scared of things being found.
I think people know that things are kind of there, but nobody really wants the big red punch in the face
to show you the things that are there.
Okay, yeah.
So it's embarrassing when you realize
that you've got a few security holes in your business.
And I suppose that embarrassment can be pretty bad.
Like what if the pen test found some major security hole and saw
evidence that someone had used that hole to get in and steal things? Now the business has lots of
consequences they may face. They would have to notify their customers or may lose some government
contracts. They may be fined or sued and they may get a lot of bad PR if it turned out that the
security was really bad.
But I guess it's still better to know that you've been hacked than to not know at all.
Or what if a penetration test ended up damaging the network?
Like what if by trying to exploit a server
they accidentally took that server down?
Now there's a network outage.
So I guess there are some risks to doing a penetration test,
but I still think it's important to do these tests,
especially on big businesses and government contractors,
because I've seen news article after news article
about how foreign governments have hacked into our government
through a contractor, and that's how they got access.
So contractors should take their security very seriously.
And Jeremiah had to convince them
that testing this remote office was important.
Yeah, I think, quite honestly, our convincing argument was one, persistence, and two,
naming those very things that you just mentioned, right? Really painting a picture as to what could
potentially happen should there be things in these locations that we don't know about. That persistent argument that we would make over and over again
ultimately led to the decision to give us the green light
to go ahead and conduct this, right?
Because, so this is just a saying that I have,
which is, you know, the best defense is good offense.
And unless you're putting things and stressing them and really challenging what is
there from a technical capabilities perspective, you really don't know what's possible within that
environment. So it wasn't easy, but he got the green light. The business said, okay, you can try
to break into that remote office physically and through the network, but we have some rules.
Not installing any shells or backdoors or malware on physical devices itself.
They didn't want to have to clean up any malware left behind or cause any damage to the network.
A lot of companies have a strict configuration change policy.
Things need to be approved by a committee when installing new stuff
on production servers. So they didn't want him to just come through and
plop a whole bunch of hacker tools into a network that's heavily in use.
It could cause things to break.
So they wanted to have as little impact as possible while still trying to prove the point of impact.
And so that was kind of our bounds.
That's what we had to play within.
But from an operational perspective, we were kind of given some wide latitude as to how
we were going to plan this out.
And to be fair, other than the time of day when we wanted to go and scoping a few things out prior to it,
we kind of also left it up open to a target of opportunity for what we would do when we were there as well.
Because we didn't know what was going to happen.
We didn't know how this whole thing was going to play out.
We could have at some point had the cops called on us and we could have potentially gone to jail or we could have, we just didn't know.
So Jeremiah and his team started coming up with their own objectives.
Basically, can you get access to this location? When you do get access, what can you see?
From what you see, what types of scenarios can you play out? And out of those scenarios, how risky are they? And then separately, can you obtain access to devices that are on the network?
Can you obtain access to the network itself?
Is there information that you can obtain from this operation that would potentially compromise any contracts that we were working on, sort of all of the above.
Okay, so he's all set and ready to begin the test. Now, he wanted to conduct this test like
he was an outsider. Yes, he did actually work at this company that he was testing,
but he had never been to that building before and wasn't going to use any internal resources
that he had to get information to help him break in.
This test had to be as if he didn't work there.
So he started by simply Googling the location.
Of course, this landed him on Google Maps, where he started noting all the relevant information that he saw there.
What surrounded the building, were there any coffee shops that were attached to it?
Were there any other third parties that were also in those buildings?
What access did they potentially have?
Were there satellite aerial images of the location?
What were the entry points to that building, the ingress and egress points?
How many people went to and from the location? Who worked
at that location? When was the normal scheduling for when people arrived? When did they go to lunch?
That sort of thing, right? Okay, so he's picked up quite a bit from Google. And now it's time for
him to take it to the next step. Drive to the building and do some light surveillance and take notes along the way.
I went there to take a look at what was happening, when people would generally show up, when they were
leaving, where their locations were for when they would smoke. And I was in my vehicle, I parked,
and I would hang out and just watch.
And then I drove around the building itself,
and then I would note locations on a map that I had with me
as to what I thought that was based off of what I was seeing.
And then I ultimately left for the day
and took that information back to add to the portfolio
that we were putting together for the location.
He takes the intelligence he's gathered and regroups back at the home office.
I was working with another individual, call him BC.
I was working with BC and we both collaboratively decided to go about
checking every external egress point just to see what we
could see. Walking around the building's perimeter just to see what we could notice, if there was
anything open, what locations we could actually get into the building from, and then to kind of
follow that breadcrumb trail to see where it led.
Okay, so that's the grand plan,
just to walk the perimeter and see what doors are opened.
It's not a bad plan.
Often the front entrance is where all the security is,
so trying to slip in through a side door or back door bypasses all that.
So that was plan A.
Plan B was to walk directly into the front of the location, the front doors.
Do you have any idea what's in those front doors, like a security guard or another locked door?
No idea. No idea how the layout is.
We assumed that there was some sort of foyer that was there, but we had no clue.
We had never been there before.
So Jeremiah and BC have their plans.
And BC has also done a few of these penetration tests before.
This was a junior to me at the time.
And so I was bringing him along as,
one, a backup to look more realistic like I belong,
like I had company.
The more individuals that you've got with you in a
party, the less likely you are to be challenged. And so that was a benefit towards the location.
But separately, it allowed me to spread the workload that was involved in checking
things to see what was there. They pick a day when they're going to go there and start preparing for it.
Yeah, so we decided that the best way to dress was obviously business casual
to make sure that we were both groomed professionally.
We got haircuts the day before.
We made sure that we were kind of wearing polos and slacks and
we're looking very sort of business casual. I mean, the haircuts were specifically for
this engagement? In a way, yes. But at the same time, we kind of wanted to look like we were
blending into everybody else within the environment as well.
I wonder how that worked out with your junior.
Was it your idea?
Like, hey, man, get a haircut.
Why? I'm fine.
No, we want to look this part.
And maybe you had it in your head like, man, this guy really needs a haircut.
I could use this as an excuse to tell him to get a haircut.
Yeah.
So the best thing about this particular guy is he kind of got it too because he is also
former military.
And so he was totally cool with making sure that he was well-groomed, had a haircut, and
well-dressed for the event.
In addition, we had separate laptops to conduct red team operations,
so we had those with us.
I had a lockpick set and Raspberry Pi, as well as Bash Bunny,
and I had a network star tap.
What's it called?
Landstar.
Landstar, thank you.
I had a Landstar just in case I wanted to tap something in there.
I also had actually a mobile version of Kali Linux installed on a burner phone that I had.
And that was about it.
So it's now the day of. It's go time. With their equipment
and fresh haircuts, they drive to the building. There are no gate guards or security to just get
on the property. So they're able to drive right into the parking lot, park the car,
and they immediately split up and walk around the outside perimeter of the building.
That's exactly what we did. Yeah. So BC went to the right, I went to the left,
and we both walked around the perimeter of the building. We each had a copy of
the aerial photography that we had marked up. He had a folder, I had a folder that was
inside of our bags. And as we were walking around, we were just kind of
checking doors along the way
to see if they're open, to see if they're locked, and/or if we could get access to them.
They'd walk around tugging on every door they came across to see if one opened. Jeremiah tugged
and tugged but he didn't find a single door that opened. He came around the back side of the
building, and that's where he saw BC coming around from the other side.
Jeremiah told him that he didn't find any doors open.
And he let me know that on one of the doors on his side
actually happened to be open.
So together they walked back towards that door that BC found open.
It was a back door, but it was a door to a stairwell that led to
all the floors in the building itself. And this door was just kind of left open, and it was by
sheer happenstance. It was most likely due to a particular implementation flaw in the physical door itself
in that someone didn't actively make sure that it was shut.
Otherwise, it would have been locked, which in this particular instance,
it was open, hanging out, and there was a crack, and we were able to open the door.
So they slip in through this partially open door that wasn't locking properly
and go into the stairwell.
At this point, they need to make a decision.
Go up the stairs or just try to go to the first floor?
Yeah, yeah.
So we didn't want to mess with the door on the first level to begin with.
We knew that the contractor that we worked for had offices on the second and third floors.
And so we wanted to, we knew that we could gain access to the first floor through the front of
the building anyways. So what we did is we walk into this stairwell and we took photos of the
open door, just kind of as it was, took photos of us inside of the stairwell.
And of course, going to the second and third floors.
Now, in a lot of office buildings, the stairwell doors are locked from the stairwell side.
You can go into the stairwell from the office, but you can't go into the office from the stairwell.
And they were walking up the stairs, expecting to face this and trying to think of ways that they could bypass the door and get into the office. Perhaps wait for someone to come out or maybe get some lock picks out and try
to pick the lock. They'll have to see when they get there. But when they got to the second floor,
they just tried pulling on the door and, to their surprise, it opened. We could get
direct access to those floors as well, which were supposed to be secured floors.
So they got into the second floor office,
took pictures of themselves in the office,
and got right back into the stairwell.
And then they went up to the third floor,
and again, that stairwell door opened right up for them,
and they got in.
Yeah, so we walk in,
take a quick photo to show that we were in the floor,
and then we just kind of walked right back out.
They walked all the way back down the stairs and out of the building.
They regrouped and made a new plan.
The goal of a pen test is to identify as many exploitable vulnerabilities
or findings as you can and then present that
and have them fixed as much as they can be fixed.
So they were able to successfully get access into this building.
And so that was kind of check one.
Now let's test another avenue.
So they regroup at the front of the building
and this time go in through the main entrance.
They have no idea what might be there.
And they know the office they want to get access to
is on the second and third floor.
And there should be some kind of thing to stop them
from getting just directly into the office and roaming free.
But where and what exactly would stop them, they didn't know. Stay with us, because after the break,
they head inside. This episode is sponsored by SpyCloud. With major breaches and cyber attacks making the news daily,
taking action on your company's exposure is more important than ever.
I recently visited spycloud.com to check my darknet exposure
and was surprised by just how much stolen identity data criminals have at their disposal.
From credentials to cookies to PII.
Knowing what's putting you and your organization at risk
and what to remediate is critical for protecting you and your users from account takeover, session hijacking, and ransomware.
SpyCloud exists to disrupt cybercrime with a mission to end criminals' ability to profit from stolen data.
With SpyCloud, a leader in identity threat protection, you're never in the dark about your company's exposure from third-party breaches, successful phishes, or infostealer infections. Get your free Darknet Exposure Report at spycloud.com
slash darknetdiaries. The website is spycloud.com slash darknetdiaries.
Jeremiah and BC open the doors to the front of the building and walk in,
with their goal to get into the second and third floor offices.
And as we were going through, we didn't initially see any kind of front desk on the first floor.
We did see some stairs that were spiraling down,
kind of from the second and third floors in the center
of the building in the foyer. They look around and see some elevators, which tells them there's
two ways to get to the second floor, the stairs in the foyer or the elevator. They also looked
around in the lobby of the building there and noticed a few ethernet ports on the walls.
And they wondered if that connected to anything,
but they just took a mental note of that and decided to go up the stairs to the second floor.
And so we were able to move up to each floor.
And we noticed as we got to the second and third floors,
there were doors to either side
that would grant access to the business operations of this contractor.
Now, the entry doors were closed, and they had locks on them that you utilized from your key card
to unlock the door so you could go in, and that was for authorized employees for those locations.
Okay, so just by walking by the office doors,
they could see that you need a key card to get into that door.
And on one of these floors was a person sitting at a desk in the lobby,
but on the other floor, there was nobody in the lobby.
There was public seating kind of in the lobby on each floor as well.
And we both sat down on one of the couches
just so we could figure out what it was that we wanted to do at this point.
We kind of pulled out our computers.
We're looking like we were kind of collaborating together for work.
This gave them an opportunity to just sit in front of the door of this office
and watch what was going on.
Since nobody was in the lobby to really bother them,
they could act like they're working on something right there in the lobby,
but really scouting around, watching what's going on,
like seeing how people get in and out of this office,
or are there opportunities to tailgate behind someone as they come in or out,
and that sort of thing.
But as they were looking around, they noticed that in this lobby,
there was a kiosk, a little computer that lets visitors check in
or gives them information or something.
Well, this was curious.
An unattended computer in the lobby?
What's a couple of pen testers do with that?
Well, they start messing with it.
It was running some kind of software that lets users only use this one app.
But they were able to figure out a way to close that app
and get into the operating system on that computer.
We were able to access the underlying Windows OS that was running on it. And from there,
there was an exposed USB port on the back of it. We were able to plug in a Bash Bunny
to execute the previously written script.
Okay, so a Bash Bunny looks like a normal USB stick. But when you put it into a computer,
the computer asks, hey, what are you? And the Bash Bunny says, oh, hi, I'm a keyboard.
And the computer's like, oh, okay, got it.
I'll let you type stuff if you want.
And so the Bash Bunny has this preloaded script,
and it says, okay, here are some key presses.
And it sends a pre-created set of keystrokes to the computer.
Well, the computer thinks it's a keyboard,
so it just starts accepting these keystrokes.
And you can do things like open
up a command terminal or a program and then start typing commands in that. In the case of Jeremiah,
he made the script open up a word program and start typing on the screen. And it was just enough
so that he could take a photo to prove that he has control over this computer. Because I mean,
if you can open up a program on a computer and start typing words on the screen, then you have control of that computer, right?
So while this kiosk computer didn't have an actual keyboard connected to it,
Jeremiah could prove that it's not locked down,
and he's able to plug a keyboard into it and take control of that computer,
and nobody would stop him.
They also noted that this kiosk had an Ethernet connection to the wall.
And this is interesting because this Ethernet jack
might be on the same network as the computers inside this office,
and you don't even need to go in the office to get into the network.
But they didn't plug into this Ethernet jack.
They wanted to see if they could get into the office now.
And after examining the doors for a little while,
they understood that there's a key card reader there
and you need to swipe your key in order to get the door to unlock.
But they wanted to see if that was true.
So they walked up to the door
and tried pulling on the handle.
They should have been locked,
but as we pulled them,
the doors were just unlocked at this particular day.
So we were able to open the doors as they were
and walk right into the floor.
So that's another photo that they took that was going in the report.
They were able to walk right in through the front door,
go up the stairs and just open the office door and go inside the office.
Now they were in an office where there's a whole bunch of private information around.
And now that they're in this office,
they might as well try to see what kind of private information they can obtain.
So at this point, we took pictures of us freely being able to open the office doors from the
lobby and us walking around in the internal office space.
As we walked through the office, we noted, again, other network ports, printers, network
TVs, projects that were being worked on. So things that were
written on whiteboards, labels that were labeling files that were just out in the open space,
different IP addresses. As we walked through, we were able to kind of map out the IP address schema
from IP labels that were written and addressed to the printers
that were around the office space, looking for any other kind of information that could
be leveraged in some way.
And so the whole time we're walking around, keep in mind, we didn't have our badges on
like at all.
We walked by many people saying hi to folks. We even at one point went into
the employee break room and grabbed some coffee and kind of hung out there for a few minutes just
to see if anybody would challenge us at all because we were not wearing our badges again.
And nobody said anything at any point. And people kind of said, hi,
how you doing? Nodded at us. But for the most part, nobody ever challenged us.
I think what worked here is they looked the part and acted with confidence.
If they had dressed differently than the other workers or looked suspicious in some way,
like the way they were moving around, it would have made them more likely to be stopped.
And there's something that makes us more accepting of someone
if they're already past the security barriers.
If they're in the office, they must belong there, right?
Or else they wouldn't have been able to get in.
As they were moving around, they saw an open conference table,
a little spot where people can gather to do work,
but not quite in a conference room.
So we sat down at this table and we noticed that there were some Ethernet jacks on the wall.
We both had cables that we brought with us. And so we plugged into the wall.
Now, finding an open Ethernet jack could be a goldmine. They saw the Wi-Fi networks were in this place,
but they didn't know what the Wi-Fi password was.
But you don't need a password when you're plugging into a port on the wall.
All you need is a cable.
So plugging in could potentially get you access into the internal network.
These Ethernet ports can be configured a lot of ways, though.
They might give you internal access or they might give you no access at all. It's not a sure thing that just because you're physically in the office
means that you're going to be able to plug in and use the network. And a properly configured office
will make it so you can't just walk up and plug into any Ethernet port. But they plugged their
computers into the Ethernet jacks and saw that the ports were alive and gave them IP addresses.
Then they quickly scanned around the network to see what was on this network, but there were no
other computers on the network. All they could do was access the internet. Nothing internal in the
office. Okay, so this might be a sign that this company was using NAC. NAC stands for Network
Access Control, and it means
that when you plug a computer into a port, the router takes a look at the MAC address of your
computer to see if that computer should have special access. A MAC address is the hardware
address on an Ethernet port, which is on your computer. So this network was checking the
computer's MAC address to see if it was allowed on the network. And if so,
it would give you special access. But if not, it would just give you very restricted access.
In this case, since the router didn't know Jeremiah's computer's MAC address,
it just gave him very restricted network access, sort of like guest access. And I guess this is good security. You want your Ethernet ports to require users to check for some authorization
before giving them network access.
Because you don't want anyone to just be able to walk up
and plug their computer into any Ethernet jack
and get full access to the soft underbelly of the network.
So if you were a penetration tester
and noticed that this network had NAC to restrict your access when you plug in,
what can you do to bypass this?
Well, you could find a MAC address that is on the allow list, and you could change your
computer's MAC address to be one of those, and you might be able to get in.
So what we did is we noted a couple of the printers that were there in those locations,
and we went to those printers, and we were able to look up the MACs online for
the style of printer it was. See, what you need to know about MAC addresses is that the first part
of the MAC address is assigned to a vendor. So if you had Cisco equipment, every single Ethernet
port on all Cisco equipment starts with the MAC address 9436CC. And then the second half
of the MAC address would be different for every Ethernet port, making them all different. So
Jeremiah saw which types of printers they had and looked up what that vendor's MAC address started
with and then changed the MAC address on his computer to be the same as what the printer
started with. And then he tried plugging the Ethernet cable back in to see if he would get a different IP,
and boom!
This gave him a totally different IP,
which gave him totally different access,
which was the access he needed
to get to the inside of this network.
We were ecstatic.
We were super excited,
just because, well, one,
we were able to accomplish a goal
and that was to get access to the network.
And being able to conduct a network access bypass
with something so simple as changing your MAC,
one was super exciting and it was like,
we totally got a finding out of this.
It's crazy.
There are other ways to configure NAC.
I think they got lucky that this worked.
And the network team had to find a more secure way to check if a computer should have this sort of network access,
such as having a certain registry file on that computer or something like that.
So we gained access to the network.
We, again, took screenshots and photos of our steps of what we did to get access to it.
We showed that we had access to it. We showed that we had an IP. We showed that we were able to navigate the internet
while being connected to the network. We kind of packed up. We disconnected, put our laptops back
in our bag, and we went around the floor just to kind of look for any additional targets of opportunity that we may not have noticed before.
As we were walking around the floor, we noticed there were kind of actually two separate situations of individuals who had just kind of walked away from their laptops and left them unlocked and kind of open at their desks.
We took photos of us sitting at those computers,
kind of pretending to plug in a device because, again, our organization was very risk averse
and we didn't want to overstep any boundaries
of what we've been allowed to do up until this point
because we wanted to be able to conduct these kinds of operations again in the future.
So instead of plugging anything into these particular laptops,
we just kind of sat down and showed that they were unlocked
and we could mess with them if we wanted to.
And, oh, by the way, here's a Bash Bunny.
We just got done plugging one into a kiosk.
We could plug it into here too, sort of a thing.
And so we took photos to prove impact
instead of actually having to conduct something on those.
They were already unlocked.
We already had access to them.
Someone had walked away.
So we left that floor as we were kind of walking out.
We went to the elevator and as we were walking to the elevator,
there was someone from the other side of the floor
that was also walking to the elevator and also happened to be going up.
So we rode with them in the elevator, kind of, you know, said hi, our pleasantries sort of things, nodded.
And we got off on the third floor.
And as they walked out, I decided I was going to impromptu follow this person and try to see if I can do tailgating to see if they would challenge me at all,
to see if there were any kind of issues there.
And sure enough, he walks up, scans his badge,
and opens up the door, holds it for me.
And I'm like, thanks, appreciate it,
and just kind of walked on in.
And he never challenged me, this particular individual.
Jeremiah saw that his co-worker, B.C.,
stayed behind in the lobby
and was walking towards a different set of office doors.
Jeremiah tried to loop around towards the other doors to let BC in.
But when he came around the corner, BC was already in the office.
Apparently, those other doors didn't require a badge to get in, and BC just pulled on them and got right in.
So, I didn't even need to tailgate in, but I did and kind of proved that that was possible.
But the doors themselves weren't locked either. So we could just open the doors on that floor too.
Another finding for the report. Yeah. So while we were on the third floor, we kind of focused on
doing intelligence gathering. Were there any kind of programs that we could identify
that were being worked on that maybe shouldn't be public information?
What other things could we obtain about the programs?
As we were walking around, we were taking photos of whiteboards,
of desks, of paperwork on desks, of files, the file names, trying to collect and obtain as
much information about these programs as we could so that we could then go back and see
who these potential programs belong to or what level of sensitivity should really be associated with this kind of information?
We also noted kind of network ports on this floor, whether or not there were people who were at their desk with their computers unlocked or if they were away from their desk and they were locked. We just noted those things as well and carried on with that, or used the carryover of the previous floor,
like, hey, if they weren't there, we could have also done it on this floor too. And, hey, by the way,
there were these exposed network ports in the publicly accessible zone inside of the office
location as well. These are the IP addresses that were associated with printers on this location,
that sort of thing,
right? So we were walking around just very much trying to collect as much information and data
as we could as to what was being worked on within the location. Once they gathered enough information,
they packed up their stuff and headed to the office, down the steps and out the front door.
Not a single person challenged them the whole time. And that was a pretty successful day for us.
One, our team hadn't conducted a physical penetration test to this measure since I'd been there.
And two, we wanted to prove an impact to the organization.
And three, we wanted to make it successful enough
that they wanted to conduct these kinds of things going forward
because there are really huge impacts, right?
Like if you break these things down,
there are really huge impacts to the organization
and who the organization works with
that could be potentially compromised here
from a number of avenues,
not only for internal business operations,
but also potentially things that affect the government
and the Department of Defense in some way.
Should certain programs be compromised
or think of any kind of code
that might be worked on at these locations
that might be incorporated as part of a
end product for a certain entity, right?
If there's malicious code that's added to
a software development lifecycle that's
being conducted within the confines of
this location, that could be almost like a
time-based malware
or a time-based backdoor that gives someone access
to something after the fact,
maybe six months to a year down the road
if they wanted to leverage it.
So there's a lot of implications from this kind of a thing.
Definitely. So you put that in the report
and you submit it and how is it received?
So this was something that hadn't been conducted before.
They were, to put it frankly, everybody kind of had a no shit moment.
Because it was certainly an avenue that most people didn't think about.
It was an avenue that was foreign. And again, not many people think like
malicious entities and or what they might go through or what the things that they would try
to accomplish to prove their goals. So obviously, this kind of showcased the ability of the malicious
entities to obtain unfettered access to a location. And this was
very much a no shit moment for leadership. So what they did after the fact, we found out,
was obviously they went through that location, spoke with the facilities management,
asked questions as to why these doors weren't locked. The next time we were there, the doors
were very much locked. And oh, by the way, we didn't have access to it via the badges. And a lot of things were fixed that we had
previously pointed out after the fact. Leadership was particularly surprised when
they saw how easily they got control of that kiosk. They didn't know it was possible to take
over that computer in the lobby.
So they just removed it from the lobby.
And they were also really surprised
to see them sitting at someone's computer
at an unlocked workstation
and how they were able to plug into Ethernet jacks
and bypass NAC to get into the inside network.
The leadership was impressed by Jeremiah and BC
and allowed them to do further testing
to help keep that place secure.
Since then,
Jeremiah has moved on to a different company called Synack, where he conducts offensive operations.
All right, very cool. Thank you for sharing this with us.
Thanks, man. Thanks for having me. Thank you for sharing this penetration test story with us.
This show is made by me, the Dreamweaver, Jack Rhysider.
Sound design and original music was created by the acrobat, Garrett Tiedemann.
Editing help this episode by the frame maker, Damienne.
And mixing is done by Proximity Sound.
Our theme music is by the premier
Breakmaster Cylinder. Hey, pop quiz. What weighs more, a gallon of water or a gallon of butane?
Water weighs more. Butane is a lighter fluid. This is Darknet Diaries.