Darknet Diaries - 95: Jon & Brian's Big Adventure
Episode Date: June 22, 2021
Jon and Brian are penetration testers who both worked at a place called RedTeam Security. They’re paid to break into buildings and hack into networks to test the security of those buildings. In this episode they bring us a story of how they prepare and execute a mission like this. But even with all the preparation, something still goes terribly wrong.
Sponsors
Support for this show comes from IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET.
Support for this show comes from Ping Identity, champions of identity for the global enterprise. Give your users a loveable login solution. Visit www.pingidentity.com/.
Sources
Video: Jon and Brian on ABC Nightline
Video: RedTeam Security breaks into a power station
https://www.redteamsecure.com/
Transcript
Hey, it's Jack, host of the show.
For a while, I was doing photography as a hobby.
I specifically like taking pictures of old buildings.
My town had a lot of old buildings, and sometimes at night,
I would go for a drive looking for an old building to photograph.
I liked going at night because it was quieter,
and I could light it the way I wanted, making extra drama or intrigue to it,
and I just feel more active at night.
I took a drive towards the old part of
town. It was down by the river and the train tracks. There was an abandoned train station,
which was cool, an abandoned factory, but also a bunch of abandoned houses, some of which looked
really interesting. I drove around there, slowly going through the area. It was really quiet.
No cars or people anywhere. I guess this area of
town turned more industrial. There were factories all around because it was right on the river,
and the train tracks made it easy to load up stuff and ship it out. And as I was driving around,
I passed by a facility of some kind. The place was huge. It covered like a few blocks, actually.
It was some kind of food processing plant. One of the larger food distributors in the country was here.
Maybe some kind of cereal was made there or a beverage or something.
It was big enough.
It was a huge property with many big buildings on there.
And this place was fortified like a prison.
Like there were 20-foot fences with barbed wire and a massive guard gate.
I drove up to the guard gate just to take a look, but then turned around
and kept on cruising by. Because across the street, there were some interesting-looking
abandoned buildings. And because nobody was around, I could go as slow as I wanted and just
look at them. I was driving around, and I found an abandoned apartment like a block away. The front
of it had partially fallen off, and you could see through the wall to see the
stairs going up. It was wild. I parked on the street and got out to take a look. I first got
out just to take a look around. I didn't even have my camera out. And not one, but two police cars
swarmed right over to me. They jumped out of their cars and started asking me questions.
What are you doing here? Why are you here at night? Why are you driving around in this part of town?
I was like, what, what, what, what, what?
I don't understand. Did I do something wrong?
Tell me, what did I do wrong?
But they kept grilling me.
They even called in more cops to come.
The situation was getting tense, and I was scared.
There were three police cars here,
and literally no one else for like a half mile in any direction.
Was this a dead drop location that some drug dealers used and the police were surveilling it, waiting for someone just to come?
Did someone commit a crime nearby and my car matched the description?
Surely there had to have been some kind of mix up here.
I explained that I'm just a hobby photographer here to take pictures.
But they didn't seem to think that story was good enough.
They wanted to see my camera and what other photos were on it.
But I hadn't taken any pictures yet, so my memory card was empty.
I asked them if someone had called the cops on me or what this was about.
And that's when they asked me if I had anything to do with that food processing plant a block away.
And that's when it all clicked in my head.
Me driving by that food processing plant,
slowly just checking things out late at night,
and then driving by it a few times,
that was enough to make me look suspicious.
Food companies take security very seriously
because sabotaging the food supply is a serious risk.
So some security guard thought that something wasn't
right with the way I was driving and called the police on me. And yeah, this was such a big company
in this part of town that the police were more than happy to come right away. I was eventually
let go, but it took the police quite a while to be convinced that I was harmless. I think the only
reason they let me go is because there were reports of some other people racing cars like a couple blocks over.
But this taught me a lesson that sometimes you have to be careful about looking suspicious near certain businesses or neighborhoods late at night.
These are true stories from the dark side of the internet.
I'm Jack Rhysider.
This is Darknet Diaries.
This episode is sponsored by Delete Me. I don't think I can anymore. Addresses, family members, where you work, what kind of car you drive. It's endless. And it's not a fair fight.
But I realize I don't need to be fighting this alone anymore.
Now I use the help of Delete.me.
Delete.me is a subscription service that finds and removes personal information from hundreds of data brokers' websites.
And continuously works to keep it off.
Data brokers hate them because Delete.me makes sure your personal profile is no longer theirs to sell.
I tried it and they immediately got busy scouring the internet for my name and gave me reports on what they found.
And then they got busy deleting things.
It was great to have someone on my team when it comes to my privacy.
Take control of your data and keep your private life private
by signing up for Delete Me.
Now at a special discount for Darknet Diaries listeners.
Today, get 20% off your Delete Me plan
when you go to joindeleteme.com
slash darknetdiaries and use promo code darknet at checkout. The only way to get 20% off is to go to
joindeleteme.com slash darknetdiaries and enter code darknet at checkout.
That's joindeleteme.com slash darknetdiaries and use code darknet.
Support for this show comes from Black Hills Information Security.
This is a company that does penetration testing, incident response, and active monitoring to help keep businesses secure.
I know a few people who work over there, and I can vouch they do very good work.
If you want to improve the security of your organization, give them a call.
I'm sure they can help.
But the founder of the company, John Strand, is a teacher.
And he's made it a mission to make Black Hills Information Security
world-class in security training.
You can learn things like penetration testing,
securing the cloud, breaching the cloud,
digital forensics, and so much more.
But get this, the whole thing is pay what you can.
Black Hills believes that great intro security classes do not need to be expensive, and they are trying to break down
barriers to get more people into the security field. And if you decide to pay over $195,
you get six months access to the MetaCTF Cyber Range, which is great for practicing your skills
and showing them off to potential employers. Head on over to BlackHillsInfosec.com
to learn more about what services they offer
and find links to their webcasts to get some world-class training.
That's BlackHillsInfosec.com.
BlackHillsInfosec.com.
This is the story of John and Brian's big adventure.
But who are John and Brian?
I'll kick it off with that's cool.
This is Brian.
I'm Brian Halbach.
I'm one of the red teamers here at Red Team Security.
Ah, yes, a red teamer.
That means he's an attacker in an attack training scenario.
In this case, companies hire him to attack their computer
networks or try to physically sneak into a building and get into the network that way.
Because companies want to know if there's any way a real bad guy can get in, which means Brian has
to be good at many things. Physical pen testing, red teaming, regular old pen testing. I also
really love social engineering over the phone and in person. And my name is
Jonathan Studebaker. Jonathan is on the same team as Brian. They both work at Red Team Security.
Just like Brian, I do a little bit of everything. Primary background is in networks, internals,
externals, pen tests, web apps, API tests, but also the physicals, the social engineering, phishing, stuff like that.
Now, when you get hired to break into a company's networks and buildings for a living,
it can be exciting. They've got to find ways to hack into the network or sneak into the building,
get past security, and then get access to the most sensitive company information,
and then get out with it. That's why I wanted to bring them on, to hear a story about
when they had to do that. They both are really good with computers. They can write code, take
over computers using exploits, and know quite a bit about tech. On top of that, they're well
trained at bypassing physical security. They're good at getting locked doors open, avoiding cameras,
and being able to sneak past stuff and social engineer their way into
places. And this story they're about to share with us takes place when they were both sort of new
at Red Team Security. So this story was both of our big breaks into physical. This is when
we are earning our stripes and we are on our own. So in the past, I'd always been like kind of the guy in the background. I was the getaway driver in one case or in another case, I was the sheep fed to the lions in essentially a social engineering attempt they knew was going to fail.
But this was the first time that John and I were assigned a full mission and said, all right, you guys are, you've learned everything.
You've practiced, you know the stuff now, now go out and apply it. And
that's what we'll be talking about this time. So a new assignment landed in their inboxes.
A company had hired them to test their security. They wanted to see if these guys could find
weaknesses in their physical security and get in somehow. This one company did a lot of different
things. So I can't even put them in one industry because they spanned multiple industries.
And so we were in charge of getting into
all their headquarters building,
which we deemed to be the last
because that was actually the most protected.
They also had these remote different locations
that people didn't actually work at,
but had sensitive technical things there that needed to be protected. So they had a whole
perimeter intrusion detection system that's supposed to detect if somebody comes up.
They had all sorts of different types of security around these different areas.
And they spent a lot of good money and they have people sitting there monitoring it 24-7. And
that's where we come in, was to point out some weaknesses,
say, hey, you're doing good in this area, but maybe this area can be beefed up a little bit more.
So the assignment seemed pretty straightforward. Try to break into their main headquarters and four other smaller locations. Objective one is definitely no. Can you get in?
Objective two, we actually had two kind of different things we could go. It's either
look for like a network connection, and we had a bag full of Raspberry Pis that we were able to plug in. Um, or we also kind of
had calling cards and we would just kind of leave behind a calling card as proof that like, Hey,
we got this far. Uh, cause there were certain buildings that they had already tipped us off
that like, Hey, you don't get into the networking area, but just get into this spot over here.
So we can demonstrate impact to the people
who get to decide budget, which is often a driving factor of these, and just show that we could get
into this area. Now, this was mostly a covert mission. I mean, the company was paying them,
and the director of security knew about this, but pretty much no one else at this company knew
they were coming, which meant that this was
also a test for their security team to see if they could catch these guys as they tried to break in.
Yeah, we had two contacts. We had the director of security and then somebody else that worked
for him that only those two knew that this was going on. Everybody else didn't really know.
I think it's also important to mention how you know, how we communicate with those clients
as we're doing one of these engagements.
And this goes for not just the execution,
but for the recon and the planning stage.
Like, we communicate a lot with our clients
through the entire experience.
You know, as soon as we arrive in town,
we send them a text or give them a phone call
and say, hey, we're here.
We're going to start at this place. You know, we give text updates as we're going. You know,
I think it's a pretty important part to this whole thing to ensure the safety of everybody involved
and, you know, make sure that we don't end up in a sticky situation like Brian was saying,
going into the wrong door, doing something at the wrong time that could potentially not end well for somebody involved. Okay. Their marching orders were given. They
knew what they needed to do, but there's a lot to do before jumping on a plane and heading to
the location. So yeah, to kind of prepare, we did some mapping out of the facilities and the
different locations ahead of time using the advanced hacking tool
Google Maps.
So yeah, we did a bunch of
OSINT and kind of drew up,
oh hey, these are the different locations
from these old pictures. It looks
like there's cameras here and here.
There's perimeter sensors here and
here. These are the areas
we can probably drive by.
We also look at, you know, social media
of employees, try to figure out, you know, what the dress code's like. Are there any visible badges
that we can see? You know, anything that might be helpful. Like a lot of stuff gets posted on
social media and, you know, Instagram might have a photo of a company party, but it could also provide insight.
Like there is the room and right behind it, you can see, you know, looks like maybe a server closet or something like that.
You know, and so OSINT is a huge piece.
The company websites often have lots of imagery or information that's beneficial.
I like to go to county assessor websites too,
because oftentimes you can find fairly detailed drawings of,
if not a complete floor plan, at least partial, you know,
and it gives you some insight into, into the building and, you know,
an idea of,
of what you're going to be looking for when you go for
the in-person recon. So they spend time collecting information about this company, all which is
available publicly for anyone to see. Anything that might give them a better knowledge of the
building or the people inside. This way they can be prepared. But they didn't find much on social
media. Perhaps this company had a policy not to post about work on social media because that could be a security risk.
And I guess the one really good piece of information was they have a fleet of cars and trucks.
And from these Google photos, we were able to see the color of their cars and trucks.
So we were able to actually get a rental to potentially blend in.
So because they weren't finding any good information online that would give them a clear way in,
they decided to fly out to this place in person to gather more information on the facilities.
So our first trip out there before the trip for us to actually break in
was just us scoping everything out in person.
And so that's what we kind of did first.
And we went and got a rental car and drove to
these locations. Now, what they aim to do here is to get a better understanding of each facility
that they need to break into without breaking into any. Just sort of drive by, take pictures,
watch for patterns of who's coming and going and at what times. Maybe this can give them a better
plan for how to get in. So we were driving around to different locations,
and we waited until their business had closed up.
So we did a whole bunch of nighttime recon.
We went out to each of the five locations.
We were trying to take covert pictures, covert videos.
We were noting all the important different spots of the different perimeter protections they have in place, where the cameras are, the different sensors they have,
and all that kind of stuff, and mapping it all out. And then in the morning, our point of contact
sends us, via text, some nice pictures of our faces that their security operations center took
of us as we're driving around all these different locations. What? They got busted in their recon phase?
This was not supposed to happen.
They didn't go on any of the properties.
They only drove by taking photos in a sort of covert way.
Actually, what they said, what tipped them off was we drove by in the same rental car three times.
And they had a security operator who was watching cameras and said, hey, there's a rental car that is driving in circles around all of our locations.
And that's when they kind of got put on alert to, hey, something weird might be happening.
So their security team were able to use the cameras on the buildings to zoom in and get good, clear photos of both of them driving around.
Their cover was blown.
Yep.
It's like you were trying to be covert, but you still stood out and you got flagged. So at
that point we're like, oh shoot. So we actually went and we switched rental cars. They're like, hey,
they're already on the lookout for this car, and they're on the lookout for
us dressed the way we were. So we went and we drove, I don't know, did we drive? We drove like
an hour to the closest rental place and then said, hey, we need a new car.
We came up with some BS excuse, got a new car that looked totally different, then also went and bought different clothes.
So now we are in a car that looks like a local car that has local state plates on it. I went to the local Walmart and bought clothes for the
school that was in the same town in hopes that now we're going to blend in a little bit more
because they're looking for somebody in a blue car driving around. And now we are in the white
car and we are wearing, and we have plates of the same state and we're wearing completely
different clothes that hopefully help us blend in.
Because I got a hat for the local school and everything to make it look like I belonged.
And, you know, even though we got caught, it was still super useful information because it let us know that they had really phenomenal security cameras and a very vigilant security and staff who were looking out for things like this.
And so, you know, it really helped us plan for the execution stage, like how we avoid these cameras and how we avoid being spotted.
Because I think when they took those pictures of us,
we were about a block and a half away from the actual building.
And yeah, really phenomenal cameras.
They essentially had a very tall vantage point that they planted this amazing pan-tilt zoom camera on.
And we were probably able to zoom, due to also the elevation, over half a mile and get a nice clear photo of the both of us.
So yeah, we realized, hey, we need to get out of the vantage point of this tower that has this camera
on it. Also, oh my gosh, these guys are really good. And yeah, there's got to be some stress going
through your mind of like, oh my gosh, do we look like amateurs to this point of contact? Are we,
are we totally burnt? Like, you know, you're probably running through your head like,
oh crap, we want to look good here and we're already screwing up when we haven't even
started. Yeah, that's kind of exactly what I was thinking. I was like, oh, shoot, this guy's going to hate us.
He's going to be like, oh, we got some amateurs on here.
Because, I mean, we also brought a camera
that has nice long-range zoom on it.
And there's different techniques
that we can use for covert observation.
We just read the situation wrong from our OSINT
thinking that, hey, we know we need to blend in,
but we didn't think that we needed to go full stealth mode
on this whole recon operation.
So yeah, learning opportunity for us.
But honestly, it was just great on them for just being able to recognize that,
hey, there's a weird rental car that's clearly circulating
around our different locations.
Now still at this time, only their point of contact
knows what these guys are up to.
The actual security team inside has no idea that this is just a test and is treating this
very seriously.
So Brian and John took extra precautions to finish up their recon phase without being
caught again and went back home.
They came up with a plan of action.
They told their point of contact everything, how they're going to try to get in, what
weaknesses they saw in the recon, and more.
And at the same time, they waited a few weeks as sort of a cool-down period,
knowing that security team might be on high alert, looking for two guys driving by over and over, wondering what they were up to.
They got their plan approved and a date set for them to come back.
They specifically requested their point of contact notify local law enforcement so the police know that this is a test,
because this was a major business in a somewhat small town and so the police might give extra special
attention at protecting a company like this. So with their plan approved, they started packing
for the execution portion of this assignment. But what do you bring with you to try to break
into a very high security building? Well, John and Brian have a checklist for that.
So we actually have what's called a pack-in and pack-out list
so that we don't actually forget things.
And oftentimes we pack a lot more things than we think we'll need
because we'd rather have it and not need it
than also be like, oh, shoot, we really need this piece of equipment
and then it's a couple thousand miles away.
John, do you have the pack in and pack out list?
Because then we can give you an actual list.
All right. I did find that load out list for this particular one.
So in this case, we brought some long range RFID readers for cloning badges,
like entry access badges. We packed a Landstar. We packed
a Proxmark 3 for cloning RFID cards. We had a very small wireless router. We brought some
shortwave radios for communication, a set of binoculars, a couple sets of night vision goggles.
And we use those for a couple different purposes,
one of which is, I mean, seeing, you know, when it's dark at night. But the other thing they're
really great for is if the client has night vision cameras of their own, they emit infrared light
out of a little LED typically. And you can see that with the night vision goggles. So pretty much stands out
like a beacon. And we use that for night recon in this case. Went to each location with those
night vision goggles and looked around to see if we could see any interesting points of light that
maybe shouldn't have been there that could have been cameras. Bag of Raspberry Pis.
A bag of Raspberry Pis. A bag of Raspberry Pis.
Now, they're not bringing along tasty snacks.
A Raspberry Pi is a little computer which is super cheap,
and it's about the size of a wallet.
And its small size means you can plug it in and hide it behind a plant or a table
so it won't be seen.
And they've got these things pre-configured to phone home as soon as they're plugged in.
So if they get into a building and they see an open Ethernet port,
they can plug in their Raspberry Pi into the network and potentially have internal
access into this network. Yeah, so all the bypass tools for actually getting in. So we brought some
under the door tools, brought some double door tools. We brought a couple of sets of lock picks,
handheld flashlights, cameras, GoPros.
There's a tool that we refer to as a shove-it tool.
It's also known as like a, what do they call it, Brian, a mini jim.
It's kind of like a slim jim.
It's a thin piece of metal with kind of a hook on it, and we use it to bypass doors.
We brought a bunch of LAN cables.
We also brought a whole bunch of disguise-type gear for social engineering, like safety vests.
Hard hats.
Hard hats.
We brought a couple of ladders
because some of the locations we were trying to get into
had barbed wire fences.
That was really the only access in was going over a fence.
Well, you can't take a ladder on a plane.
Well, so there's a couple of different solutions for that.
So we have a, it's like a periscoping ladder that collapses down to a little, it's about
two feet by 18 inches maybe.
And it'll expand up to 10 feet,
which is typically good enough to get over a fence.
And then we also bring fire escape ladders sometimes
for the getting down
because you can hook them on the top of the fence
and then just go over and get down that way.
Or in the past, sometimes we would have
so much equipment that we couldn't fit the periscoping ladder.
So we would actually go to a hardware store, buy the ladder, buy other equipment, use it for breaking in, and then when we're done, return it.
I just picture this place in your office somewhere that has all these tools and you're just shopping around like, oh yeah, we're going to need that, we're going to need that, let's grab a couple of those.
Yeah.
We actually got a big old storage unit just full of just physical equipment and
yeah, fun stuff, fun toys. So I mentioned the barbed wire fences. So we also brought a heavy
wool blanket. So once we climb up with the ladder, we toss the wool blanket over, set down our other
ladder on the other side.
And then that allows us to get over there without ripping our clothes open or ourselves open.
We brought along a borescope, basically a little camera that interacts with our cell phones, lets us see sometimes under doors or just through small gaps or around corners.
Let's see, we brought some lanyards along.
This is if we were able to successfully clone badges.
We brought a plug spinner, which is a tool if you pick a lock
and if you accidentally pick the lock in the wrong direction
where it's either not going to open the door or unlock the lock.
Plug spinner is a device that's got a spring in it,
and it basically, you pick your lock open and then insert the plug spinner,
and then when you release the spring, it spins it fast enough
in the opposite direction that the pins won't engage again.
So that can be a really handy tool.
It's also really handy to relock a door if you are
leaving. We also brought a hinge pin tool, which is basically a little spring loaded piece of metal.
And so say you get to maybe an interior door, but it's locked and you, you know, say it's their server room and the hinges are mounted on the wrong side.
They're outside.
You can actually use this little spring-loaded tool, pop the pins out of the hinges, and then you can just take the door off.
So we also brought some Shrum tools, which are similar to the shove-it tool that I mentioned earlier.
Oh, a set of common keys, which we also used on this engagement.
So there's certain keys that are used a lot, so I'll give you an example, Linear and DoorKing keys. So these are automated gate systems
where you maybe go up and you enter in a pin on a pin pad
and it'll raise your gate up or open your gate.
Well, these DoorKings and the Linears,
they're very frequently keyed using basically a generic key
that you can buy on eBay or Amazon.
And so we brought some of those along and managed to use those on this engagement.
And we also bring along other things like toolkits.
On occasion, something breaks and we need to repair it.
Usually one of our tools is a problem.
So we packed a multimeter in this case. And the reason for that is one of our
long range RFID readers was kind of fritzing out. I think a wire was coming loose. And so being able
to like troubleshoot that while you're there and not having to try to track down a multimeter and
figure out those kinds of issues or, you know, if you need a crescent wrench or something like that. So bring that kind of stuff along.
I believe Brian brought his C-Rat.
It's on this list.
A C-Rat is just an entry tool that's typically used by fire departments.
Only in our case, we're using it to get into places, different places.
It's kind of an all-in-one
entry tool, which is a lot of fun. It's got the shove-it knife, um, yeah, key blade, a window breaker,
gas shut-off, lots of other fun stuff. Um, so it's your all-in-one entry tool, kind of. All right, so
you, man, you guys really packed it in. Like, this sounds like five bags' worth of stuff.
Yeah, I think it was probably just two bags, but yes.
We had everything, everything kind of had its own little compartment in its spot,
so we knew where to go to get different items,
so we wouldn't be scrambling in the dark.
Okay, so at this point, they did their recon, created a plan,
got it approved, packed their bags, and flew to this town.
Stay with us, because after the break, it all goes wrong.
This episode is sponsored by SpyCloud. With major breaches and cyber attacks making the news daily,
taking action on your company's exposure is more important than ever.
I recently visited SpyCloud.com to check my darknet exposure and was surprised by just how much stolen identity data criminals have at their disposal.
From credentials to cookies to PII.
Knowing what's putting you and your organization at risk and what to remediate is critical for protecting you and your users from account takeover, session hijacking, and ransomware.
SpyCloud exists to disrupt cybercrime with a mission to end criminals'
ability to profit from stolen data. With SpyCloud, a leader in identity threat protection,
you're never in the dark about your company's exposure from third-party breaches, successful
phishes, or info-stealer infections. Get your free Darknet exposure report at spycloud.com
slash darknetdiaries. The website is spycloud.com slash darknetdiaries.
Brian and John flew to the town where all five target buildings are located.
They arrive and get settled and then start getting to work.
We spent the entire day going around this town
trying to find the employees
of this company and clone their badges. Wow, this would be great if they could get an employee
badge. These little badges typically contain RFID circuitry in them, so when waved at certain doors,
it'll open the door. Brian and John know they will need to try to get past doors, so having a badge
to get in could be gold. They brought an RFID cloning device,
so they really just need to get close to someone's badge, like a foot or two away,
and if they can do that, they can make a copy of it without that person knowing a copy was just
made, which was, normally it's a very feasible activity. It's a lot more difficult of an activity
when there's a pandemic going on, and you're not supposed to be getting within six feet of people.
But our long range reader was on the fritz
and we needed to get about two feet away from them.
So back up a second.
How would you find someone who works there around town?
Oh, so we staked out their headquarters
and we waited for their employees to drive off for lunch
or drive off to other locations throughout the city that they'd have to go to to do their jobs, and we would, uh,
follow them in our car, and then we would bump into them around town. Um, because, yeah, we don't
want to tip our hand yet and try to just, you know, well, everybody knew everybody at the headquarters, uh, so we
didn't want to tip our hand there. So we followed the employees as they would go around town and
then clone their badges as they were waiting in line at a coffee shop or if they're going somewhere
for lunch. Oh, that, yeah, that's villainous if you... Yes, it's kind of it. Follow some poor guy, randomly picked because he was going for coffee, and now he's going to be the door in.
So were you able to get close enough to scan, or what happened there?
So we had several occasions where we thought we were close enough to scan. Our long-range reader is actually in a laptop bag and it vibrates when we get a read. We never got a good read on the employee. It's mostly because, well, because of the pandemic, nobody was going into any coffee shops or restaurants, people were just hitting up the drive-thru or they're going in and out of a shop real quickly. And they were leaving the badges in the car or other areas,
and then we weren't ever able to get a good read, which was very surprising.
Oftentimes, our entry into all these locations is, hey, we just got reads off of five different
employees. Well, the pandemic actually made a lot of companies more secure because of that.
What does it look like if I was your target
and I'm getting some coffee and I look behind me
and I see you trying to read my badge,
what does it look like when you're doing that?
Are you just holding a bag, looking off in the distance?
Or are you sitting at a table with a wire going to a bag and that's
on a chair that you're pushing closer and closer to me? Well, normally, these are pretty good long
range readers. So I don't even have to get that close to you. So if we're in line in a coffee shop,
if I can just step at the right angle to your badge, I can get a read. And so I'll just put
my phone up. I'll be on a phone call and kind
of, you know, pace back and forth as I'm talking on the phone, just naturally as somebody may in a
coffee shop. Try not to disturb everybody else and just kind of pace around until I can feel my bag
vibrate. I don't have to hold it up. I don't usually have to adjust it. I can pull on the
strap and like let it go up and down if needed, if that will help.
But yeah, a lot of times I'm just walking around with my laptop bag, having a phone call.
And if I get close enough and get the right angle and I'm a couple feet away, I'll get a good read.
So despite following multiple people out of the building, they didn't get to clone anyone's badge that day.
And I guess the security tip here is if
you don't want your badge to be cloned, don't bring it to public places like coffee shops.
So they waited for night to hit up the first building. Each of the buildings they're supposed
to test are within 15 miles of each other. And they were going to try to hit all five locations
in the same night. We arranged the locations because we got to pick which order we were
going to break into. And we arranged them in the order that we thought we'd be most to least successful, hoping that we would start around midnight and then about, you know, 4 a.m.,
that the SOC team, since it's a 24-hour SOC and they're working 12-hour shifts, that it's hopefully about the end of their 12-hour shift and they're going to be getting sleepy at the end of it. And so we wanted to target our last location in conjunction with when we are thinking the SOC team may be slipping.
The SOC, or S-O-C, stands for Security Operations Center. And this is where people are sitting,
watching cameras and computers for alerts in the network and facility. This was actually a joint
SOC, which watches both physical and network security problems. John and Brian know they have to defeat the people and computers and cameras in the SOC in order to be successful.
So they figured the overnight team is probably smaller and maybe less focused.
Because staring at monitors all night when nothing is happening can be boring to the point where you start getting distracted.
Yeah, so location one was in a residential neighborhood.
And what they're trying to protect in this thing was this shed that held important equipment,
including like radio and transmitting equipment,
that would be bad if it was damaged by an outsider
or if someone was able to put an implant in and take control of.
This was a facility that didn't have
any staff. It was basically just a locked shed, but with a tall fence with barbed wire around the
perimeter. So it was actually in a residential area. We were less concerned also about the
police and more concerned about potentially the neighbors taking matters into their own hands,
because this was also close to around the time of civil unrest in America.
So I was more concerned about the neighbors thinking that I'm some radical super soldier breaking into their neighborhood
instead of just me doing my little security testing.
So I personally was more concerned about the neighbors for this one location than I was about the police. Just because from our recon, it looked like they had very minimal perimeter detections on this.
There's a sign that said there is cameras, but we didn't see any cameras. We scoped out around it.
There's a sign that said it had this other protections, but we never saw anything being
actually actively implemented. They had the signs there to say it's there, but we didn't really think that it was.
We showed up late at night when it's dark, parked a couple blocks away,
and walked up to this area, and that's when we noticed that the gate itself
had such a big gap on it that if you just gave
it a good tug, you could actually pass a whole person through this gate. So we never had
to go over. Didn't have to go over the barbed wire, didn't have to worry about setting off any sensors,
because once we were past it, our point of contact was like, oh, okay, I guess you're already in there.
So we didn't set off any sensors, because nothing was ringing at the SOC.
But we hadn't accomplished our objective yet.
Just getting past the fence was not enough.
We needed to keep going.
So that's when we went up to this shed that had all this equipment in it.
Now, even though it was dark out, this little building was well lit.
So anyone watching would clearly see two people going in. On top of that there were street lights making
them visible too. So we kind of needed to be fast, because we didn't want to dilly-dally in
this, you know, good, well-lit area where everyone can kind of see us. So, yeah, we got through and
kind of put our equipment on the side, and they're like, oh, shoot. Okay, how are we going to get past this next thing, which is now a set of doors?
There were two doors on this building, but not like a double door.
It was two different doors, which probably meant there were two different areas inside the building to get into.
They came to the first door, which happened to be well lit.
The door was very strong. It had a deadbolt on it.
They looked to see how well it was installed, but it was hung right. There was no wiggle when you pull. There were
no gaps around the bottom or the sides to slide something into and try to unlock it from inside
or the other side. It's possible they could do something like pick the locks, but that takes a
while and they're standing right under a light. So they just moved on to the other door to see if they could get that open.
The other door was not installed the same.
It had a bit of a looser fit to it.
So John had an idea.
Yeah, so in this particular case,
so with your typical door that you'd find,
say, in even your front door of your house.
So if you were to open the knob and look at there,
at kind of the end of the door, the latch part that seats in the frame,
there's what's called a spring latch,
and then there's what's called a dead latch.
Dead latches have an extra little post that, when it's depressed, will prevent the latch from being pushed in and essentially letting you in the door.
You can think of it kind of like if you've ever seen the movies or possibly ever done it yourself when somebody takes a credit card and they stick it in that gap in the door and it goes behind the curved part of the latch and pushes it open.
That's essentially what we're doing. But with a dead latch that's properly hung, it's not supposed to
allow you to push that back in. And in this case, it wasn't properly hung and the dead latch
actually falls into the frame of the door, which then allows that type of bypass tool to work.
That's what we did.
We basically credit carded the door open,
not with a credit card.
We used a mini gym or a quick gym tool for it.
But yeah.
This took John about 20 or 30 seconds to get it open.
And once open, they just both slipped inside.
And we were taking a look around inside
and there wasn't really anything in this side of the shed.
It was mostly empty.
Huh. Too bad.
Nothing in here of value.
No equipment, no computers, no network jacks.
Time to go back out and try that other door again.
But as they were walking out, they looked up at one of the walls.
And there was a set of keys tacked on the wall.
We were like, well, I wonder what those keys are for.
So we looked at them, and sure enough, the keys actually opened up the other door that was properly hung.
The hinges weren't able to be popped.
It couldn't fit an under-the-door tool.
It would have been way too difficult to lockpick.
But the keys were just right there, so we didn't have to worry about using any of those fancy bypass tools.
We could just take the key, unlock it, and
then get into that actual secured area. Bingo. Now they go in the other side of this building,
and this side had many valuable things in it. And then, yeah, when we were inside of there,
there were some network devices. All the ports were actually occupied, and so we weren't going to
plug anything in, because we're supposed to demonstrate impact and demonstrate that something
could be done.
But this was also for some very important equipment, and we don't actually want to cause any harm.
So we took a bunch of pictures, left our calling card, decided not to plug in a Raspberry Pi, because in order to plug in the Raspberry Pi, we would have to unplug another piece of critical equipment, which we deemed not worth it.
They also noticed a security panel in this facility,
which should be monitoring and alerting when the door was opened. But for whatever reason,
that panel wasn't hooked up properly. So they pretty much knew they weren't detected at all.
There were no cameras and they didn't trigger any alarms. So they gathered their evidence,
took their pictures, locked up behind themselves. And then again, I slipped through that gate. John then slipped past the gate after me.
We got back into our rental car,
let our contact know about everything we did,
and said, hey, we're on to our next location.
The first building was a complete and total success.
They got full access to the entire facility.
When they got back to their car, they had a mini celebration.
Even it felt good.
They told their point of contact what they did,
and they were moving on to the next building. And by the way, the point of contact, which is the director
of security, decided to stay up all night to watch all this go down. He was logged into his computer
remotely from home, watching what the SOC was doing about all this. And so he was texting back
and forth with them, letting them know what the SOC had seen. And so far, they got in and out
completely undetected. This sort of impressed their point of contact,
and he was excited to see what they were going to do in the second building.
They pulled up to it with their car.
This one is in a much more remote area, so there's not really,
there's just fields and fields behind it.
In front of it, there was like a kind of a country road,
and then across it, just more fields and fields again.
And it's another remote location, multiple buildings, but they're all unmanned.
Even during the daytime, they're all unmanned.
Although there was another business that was next door to it,
but they were closed in the evening, so we didn't think it'd be an issue.
So this one was a lot trickier, and we had already done our recon to figure out our approach.
This one was not the same where you can just slip in the front gate.
This one was well-armed, multiple layers of perimeter defense and cameras.
This was actually one of the locations that when we drove by, we pulled into one of the side driveways and they
snapped some nice clear pictures of our face from that driveway. So we knew that those cameras were
triggered to alert somebody if they pick somebody up driving into their area. So we needed to go
with a different approach, which we decided from our recon was going to be from the rear of the facility.
And we thought that this was going to be a great approach because it had two layers of barbed wire fences.
But in the back, some of that fence was old and didn't have barbed wire.
So they parked their car out of sight from the facility.
They got out with their gear and went around back of the building.
But when they arrived
around back, it wasn't what they expected. They have a brand new fence on that area with newer
and taller barbed wire. So that one threw us for a loop. Apparently during that two-week cool-down
period, someone saw this part of the fence was old and didn't have barbed wire, so it was replaced.
This company really did
try hard to keep their buildings secure. Okay, so the guys' original plan was foiled. They came up with
a new plan. It wasn't really hard to come up with, because we could tell that all the cameras were
focused so heavily on that front entrance that nobody was suspecting that someone's going to
climb over two layers of barbed wire fences through the back, which is exactly then what we were going to do.
Okay, makes sense. The only way to get into this place undetected is to go through where there
aren't any cameras pointed. And so even though that area had two high barbed wire fences,
it was the best choice. It sounds risky, but they came prepared to climb fences. In fact,
it was pretty easy for them. They had their ladder with them, which made it easy to climb up.
And they brought a thick wool blanket to throw on top of the barbed wire, which made it easy to go over.
And then they had an escape ladder that they could just hook on the top of the fence and make it easy for them to get down.
Easy stuff.
They both go over the first fence, no problem. And as we're going up, the next fence actually had a shed in line with the fence that
didn't have barbed wire over the top. So we're like, hey, you know what's going to be a lot
easier than going over a whole nother layer of barbed wire? Let's just climb on top of this
shed and go over it. So that was our next step, which sounds pretty easy. John pops the ladder up.
I climb up on top.
I got my bag full of equipment on me.
John then hands me the fire escape ladder,
which I'm supposed to attach to the side and then climb down.
But in this case, I actually drop the fire escape ladder on the ground.
So now I'm stuck on top of this shed on the other side.
Hmm. Brian made it over both fences, but now he's stuck on top of this shed with no way down.
And this shed is about 12 feet tall, too.
He stands up and looks around.
While on top of this shed, he looks at the neighboring property, which has a building on it.
And that building was owned by a university.
What we kind of forgot is universities have their own police department.
And we never notified the university police department that we were doing this activity, nor did we tell the regular police, hey, make sure you notify the university police.
It was kind of a little oversight. And so I'm up there, and that's when I kind of realized,
oh, shoot, I think there might be university police about 200 feet away from me. There was
a university police car over there, but then it just kept driving. But at this point, my heart rate is up.
Adrenaline is up. I'm on top of the shed and I think, you know what? It's only 12 feet. It can't be that high up. And I jump. He landed hard on the ground, his feet twisted and buckled under him,
and he fell all the way down to the ground like a ragdoll. He doesn't remember if he screamed or not. When I hit the ground that, oh, that was a lot higher than I thought. I should
have climbed down and come up with another plan or done something else because I was in pain.
His feet in particular hurt a lot. He sat on the ground holding them, rubbing them,
trying to get comfortable, but the pain wasn't going away. And then John called over to me from the other side of the fence by the shed
and was like, are you okay?
I was like, I'm just going to sit here for a second.
I think I hurt my feet.
So finally, John gets on top, pulled up the ladder,
like properly gets off the shed and onto the other side of the barbed wire fence.
John checks out Brian.
It was too hard to tell what exactly he hurt.
But John helps Brian to his feet.
Brian is able to stand up and move around slowly.
He thinks he can walk it off.
And we're still in the blind spot of the cameras.
We have been informing our point of contact where we are
and he's like, you're what? We shouldn't have any blind spots, but somehow
we had managed to crawl into a blind spot of the camera so we wouldn't be
noticed, which luckily was by
two sets of doors. John goes up and inspects the doors, but has no
luck getting in.
Yeah, I mean, none of our bypass tools worked. We eventually moved to lockpicks, which are usually the thing that we try last because they're slow and not always successful.
And even if you do get in with one, it can also be tricky to leave and leave the building secure because you basically have to pick your way out.
And so they're always our last-ditch effort.
But we gave it a try, and we had limited success.
I think we got a false set on one of the last pins, and I just couldn't get it all the way. And we never got into that building.
And so we are going at the,
this one set of doors for a while and absolutely nothing.
And that's when the campus police actually pulled around again.
But this time decided to do a much closer inspection of the area as they
actually got out with flashlights and we're walking around the perimeter of
the building next to us.
So we did have to hunker down for quite a bit of time.
And it was while we were hunkering down
that all of a sudden I realized,
wow, my feet really, really hurt.
So I'm like, yeah, we're going to keep carrying on.
But I think something's,
I'm starting to get the notion
that something is not right with my feet.
Now, this was quite the secure facility.
They had to climb over two barbed wire fences just to get to this building.
And there's another building here that they want to try to get into.
But the problem is the other building is on the other side of yet another barbed wire fence.
So once the coast was clear, they put their ladder against the fence,
threw the wool blanket up on top, and used the fire escape ladder to get onto the other side.
They both make it over the fence and to the other building.
The whole time, I am aching in pain, and John is trying to be as patient as possible,
but we also can't be slow because we can't get picked up by cameras because we haven't been noticed yet.
They approach the building, trying to stay out of view of the cameras.
Yeah, we had to stay very low because of where we thought they were pointed and the angle
that we assumed that they were pointed at.
We had to stay low to the ground to hopefully not be seen.
They take a look at the door to see if there's a way to bypass it.
And John right away notices a weakness on it. But we had to go a little bit slower this time because, yeah,
on that first location, the security system was there but off. It had little sensors on the top
of the door where when this magnetic connection is broken, it will alert the security center that,
oh, hey, this door has been opened. It's not supposed
to be being opened. So we had to try to avoid that this time. I was going to try to place essentially
some magnets into the correct location, some super magnets, some very strong magnets, into the correct
location, so that when John was able to pop this door open, hopefully we don't set off the sensor.
And, yeah, John did his magic again.
I was able to get this door open.
Unfortunately, either because of the pain or just not paying close enough attention,
I didn't have it placed right. And I guess the sensor did trigger.
When the alarm was triggered, someone in the SOC immediately saw it
and began looking through the video footage of all the cameras around this building.
There was nothing on the cameras, though.
There were also cameras inside this building, but strangely none were actually pointed at this door.
So the SOC only had an alert that the door was opened, nothing on the cameras inside or outside, and no activity from the gate either.
We were going in the side door. These cameras are all pointed straight down at kind of at a hallway.
So again, I stayed really low to the ground.
And the cameras didn't pick me up.
And somebody investigated the door being opened
and flagged it as a false positive
because they didn't rewind the camera long enough
to see me slipping in through the door.
So that was an interesting one because our point of contact at this point was also watching me.
Well, he had the cameras up himself and wasn't informing the SOC about all the operations going on.
And he watched me and he actually let me know at one point,
oh, hey, I just saw your head pop up on camera.
And it was actually when I tried to pop my head up
and look through a window.
So I know, okay, as long as I stay lower than these windows,
they shouldn't be able to see me.
So yeah, I was trying to find a network jack or something.
But the only way to get to a network jack
was actually to trigger another alarm.
So instead, I found some other important
pieces of equipment, took pictures to demonstrate that if I was a true bad guy, I could have damaged
this. Some bad things could have happened. I hit a calling card then so that they know we were there,
took some nice pictures, and decided to call it quits and get out. Yeah, getting out required getting over some fences still.
And with a hurt foot and the police on the prowl, it's not as easy as the last one.
Yeah.
So at this point, we had to come up with another plan because our regular exfil plan was kind of thrown out the window. So we talked it over really quickly as we were
crouched down behind a shed so that they wouldn't be able to see us and kind of just readjusted how
we were going to exit the area and decided to take a probably a little bit of a longer path.
But yeah, we found another exit point that we thought we could get to
and get out of without being seen.
Climb over both fences
and then essentially run really far to the side
and then all the way up this other side road
so we could get back to our car.
So yeah, we kind of re-gathered.
We did our pack out list,
make sure we didn't forget any gear or equipment
or forget to do anything that we needed.
And it's really hard climbing ladders with two broken feet, I found out.
So yeah, I was still able to do it.
But yeah, getting over that fence the second time is much harder than the first time.
They make it back to their car.
No mini celebration this time.
Brian was in too much pain.
So, yeah, at this point, was I driving or were you driving?
You were driving because I was in too much pain.
Yeah, I think I was driving.
I think at this point you were saying it was okay when your weight wasn't on it and
you wanted to go to the next one and do it if you could. And so we drove to the next location
and got out of the car. So yeah, when we get to the next location, we get out. I said, yeah,
let's do this. Packed up the backpack full of gear, make it, I don't know, 30 steps. And that's when I had
to stop and I look at John and I'm like, you're going to have to do this one on your own. I'm in
too much pain. I can't move my feet without like having a shooting pain go up my legs at this point.
Brian transfers some of his gear to John's bag and walks back to the car.
Brian will just be on lookout now and sit in the car and keep the point of contact updated while John goes at it alone.
So we kind of adjusted the game plan.
We got out radios and essentially, so at this next location, it was again very well lit.
They had good camera coverage from the front.
It was near a park, as we mentioned before, but the whole backside of it was residential.
And it was on a very major road, very busy.
And so we definitely didn't want to approach from the front.
There was just way too much risk of getting caught. So kind of went through the back, kind of along the fence line that
bordered the residential housing and not well lit back there. So there wasn't a whole lot going on.
I managed to get to the target, and there was a door there.
Again, pretty well hung.
None of our bypass tools worked on it.
I was in contact with Brian the whole time over radio and with our contact through text.
There was an alternate point of entry, but I decided it was too risky to try on my own.
I would have had to go over another barbed wire fence.
And, you know, there's just too much risk involved.
If I would have fallen in, I'd have had, you know, nobody there for me.
Or if anything had happened once I was inside, again, no backup.
So I just tried the one door and unsuccessfully for that one.
But for the client, it was a well-hung door with good coverage of lighting and cameras for the most part in the front part of the building.
So I can't win them all.
John heads back to the car. It's getting late now. It's past 2 a.m. at least.
The point of contact is still awake and watching the SOC, though.
And still, the SOC has not detected them.
They've managed to stay in the shadows just well enough that nobody is aware that two buildings have been broken into and a third has been attempted.
They drive to the last two buildings.
Now, targets four and five are actually very close to each other.
You can see one building from the other, and they plan to just park near one and try to access both at once. Now, these last two
buildings are more like offices, not just sheds of equipment. So if they can get in these, they're
expecting to see desks and regular office equipment in there. And in Building 5 is where the SOC is
located. So the last building they're going to try to get into actually has the people in
there who are trying to watch to make sure nobody gets into these buildings. And it's somewhere on
these two buildings that has those long range cameras that took their photo earlier. So arguably,
these are the most secure buildings they're going to try to get into.
So we were a little apprehensive about this one, or I was at least, because again, Brian couldn't walk at this point.
He was in the car.
We were talking to the client and they wanted me to proceed.
And so in this case, I approached from the back from the recon phase.
We knew where most of their cameras were.
And I approached kind of in the shadows along a tree line and wasn't spotted
at all. The main entry for this, there was a chain link fence and there was another gate
and it had a gap underneath it. And that seemed like a really easy way past the perimeter.
The downside was that there was a camera right next to it.
And I just kind of took a roll of the dice and shuffled my way underneath and ran into the shadows and, you know, looked at my phone, told the contact that was in the perimeter.
And he was like, yeah, they didn't see you.
You're good at this point.
Go to the first building.
And so I kind of sat there, and, you know,
you get nervous during these things.
It's definitely an adrenaline rush, and so I kind of tried to breathe that off a little bit
and then moved to the first building.
First door I tried, I couldn't get in.
None of the bypass tools worked.
Well hung, proper installation.
But the second door popped right open.
No issues, except that as soon as I got inside,
they had motion-activated lighting and significant camera coverage inside this building.
And so as soon as I popped the door open, all the lights turned on, and I found myself staring a camera right in the face.
Yeah, not only did this building have cameras outside, but it had cameras inside
too, specifically pointed at the door that John just opened. What's more is he triggered all the
lights to come on inside and probably was ringing some kind of alarm when that door was opened.
Even if John ducked behind a desk right now, the SOC team could easily rewind the tape and see him
standing there staring at the camera.
So what's a penetration tester do when they've been caught on camera?
Go for it.
I pretty much just kind of sprinted through the building, taking pictures,
trying to find a network port, trying to get into the target locations,
managed to bypass another door with an underdoor tool and get into a secure location.
At this point, I'm looking at my phone and the contact's like, you got about 30 seconds
until the cops are there. And I'm like, oh, shoot. Wait, the actual cops are coming? Oh,
yeah. The SOC has no idea this is just a test, and they are reacting like they normally would.
And as it turns out, the SOC did see the alarm, and they did check the camera footage,
and they did see John getting unauthorized entry into this building,
so of course they would immediately call the cops, and they sprang into action.
So time is ticking now. What do you do in that 30 seconds?
Hide? Go back the way you came? Get on the roof or something?
Well, whatever the protocol is for this, you can throw that out the window because when there's adrenaline pumping
and you're scared, it's really hard to make logical choices. Well, actually, first I ran to
the door in the front of the building thinking that I had another building to go to and that
other door was closer. He opens the front door and looks outside. I heard honking and I heard
something going on and I was like, OK, I'm in trouble.
I need to go back out the back door that I came in.
What had happened is the person in the SOC who saw him at the building quickly jumped in the company's security truck,
went to the front gate, unlocked it for the police and then proceeded to drive to the building, honking and flashing his lights.
This way, when the police show up, they know exactly where to go. There was so much ruckus going on that when John opened the front door, he just
immediately turned around and went back inside and headed for the door he came in through.
So he runs to the back door, gets it open and goes outside. But as soon as he gets out that door,
the security truck comes zooming closer to him. Yeah. So the truck is coming at me with the lights on. And I mean, I initially ducked down
and tried to hide. There was kind of like a loading dock type situation. And I got as low
and like close to the concrete as I could thinking maybe he didn't see me jump down.
But he pulled up right next to me and, you know,
blasting his horn and flashing his lights.
And so at that point, my only way out was to jump back up on this dock and try to run in the opposite direction that he had come from.
He takes off running like a scared rabbit in headlights.
He darts around the corner and runs directly in front of two police cars.
The gig was up.
He stopped running and put his hands up.
The police get out and start asking him questions.
Yeah, the very first thing that I did, other than putting my hands up,
was I have the letter in my front left pocket, front left cargo pocket.
And yeah, so he opened up my pocket, pulled it out, read it,
made sure I was who I said I was.
And yeah, so then I told them, they want you to fake arrest me, which they did, and took me off property.
And that was kind of interesting because in the car ride over, the police officer is talking to me and he's, you know, asking me all sorts of questions.
He's super interested
in this. He's like, how did you get this job? You know, like, how many of these do you do,
you know, in a year? Like, do you guys do this all the time? Do you do it around here all the time?
There's loads of questions. And so I was just talking to him. It's kind of a fun car ride,
more fun than I would have expected in the backseat of a police car.
Jon just texted me and they're like,
yeah, meet us at this gas station.
So I just drove, I don't know, a mile away,
got to the gas station.
And yeah, the police were really friendly.
They had lots of fun questions,
asked how my feet were doing
because Jon told them that I got injured.
They were really nice and handled it, the whole situation very well since we were able to communicate with them ahead
of time of what was going to happen. The police took a look at their authorization letter and
called the number there. They spoke to the point of contact to make sure that they should let these
guys go. And yeah, the police let them both go. At this point, it's like 3 or 4 a.m. Brian's feet
hurt really bad, so they decide to go to the
emergency room, which is like a 45-minute drive away. So they originally took x-rays. I cannot
walk on my feet. And they tell me, because the pain's in my heels, and they said, your heels
aren't broken. And I'm like, but I can't walk. They gave him some painkiller meds and crutches,
and they finally got back to their hotel at like 8 a.m. and fell asleep.
But even though they only got to sleep at 8 a.m., they both woke up at 11 a.m. to get back to work,
and it was really hard to wake up after only three hours of sleep. Yeah, lots of coffee, lots and lots
of coffee and some lunch. And then we said, hey, we still have, um, during our recon there are still
other vulnerabilities that were like pretty prominent,
that were like, hey, we want to go at this again. We think we can get in another way during the
daytime instead of doing this whole nighttime operation. See, they were banking on a few things.
First, there would be an entirely different security team during the day, one that wouldn't
recognize their faces or whatever. Second, as far as the security team knew, these bad guys were
caught and they were probably happy and relaxed that they had a successful apprehension of a real intruder.
Third, they didn't test the fifth building at all. How can you pay someone to test their
headquarters and then you just not do it at all? They had to at least try. Jon was the first to
try to get to the final building. He noticed that one of the buildings was under construction,
so he got a hard hat and vest, put it on, and showed up.
They had an access gate that required either a badge or a pin code.
Construction workers were getting in there.
I think they were even given either a temporary badge or something.
And so I just on foot followed them through the gate once somebody opened it, like returning from a break or something like that, and just walked into the perimeter that way.
Once I was in the lot, it was all torn up because they were doing construction back there.
But I didn't get any questions from any of the construction folks or anybody else and just approached the building, opened a door and found myself in a hallway.
And that hallway, so it was kind of a T.
If you went to the end of it, there was a big garage full of the fleet vehicles.
And the other way went into an office building.
I tried to bypass that door, but wasn't successful.
It was locked.
And so I dropped a USB drop near it.
You know, took pictures and evidence.
Oh, right.
Dropping USB sticks.
They had actually been dropping USB sticks at every building that they entered
just to see if anyone would pick it up and plug it in.
And if so, that USB stick is programmed to just phone home back to Jon and Brian's computer
and make a reverse connection to that computer, which would give them access to it.
Jon could only get into the entrance hallway of this building, though.
He wasn't able to get any other door open or go further in.
So he walked back out and was walking around looking for other
ways in. Maybe there was a door left open somewhere else or a window open. In the meantime, I go get on
my crutches, dress like a local college student and go into the front. And I was kind of doing a
similar thing where because there is a pandemic, there is no receptionist. There is no front desk person to social engineer
and talk to. So instead, we adjusted or I adjusted my pretext, which is, well, I'm on crutches.
You can't get to a reception area because it's actually locked off and physically
by two different doors. But there's actually an elevator right away as soon as you enter this
building. So I was going to make it seem like,
oh, I'm on crutches. I need help going up the elevator because people on crutches take elevators.
But it ends up you actually needed to badge in to go up the elevator.
But we have a backup trick, which is we are going to use a set of elevator keys that would work for that whole state that I had in my back pocket.
He waited in the elevator for a few minutes to see maybe someone a few floors up
will call the elevator and he could just go up and get off there.
But since it was a pandemic, the place had minimal staff,
and they saw in their recon that nobody takes the elevator right now.
So he decided not to try the keys and inspect the lobby instead.
He walked around looking for any open Ethernet jacks to plug in a Raspberry Pi or a packet sniffer.
Yes, I was hoping there was going to be one because they had like a little television screen
on a rolling cart set up to like give messages to people who would show up there. And I was really
hoping that there was going to be a computer that I was hooked up to and
I could, you know, attach that Landstar, that network tap that we had talked about.
And I was really hoping I could take advantage of that.
Unfortunately, they used a different system that I was not used to.
And there is no, there is nothing to tap into.
So they did a real good job there.
I did kind of the same thing John did and just dropped
a couple of malicious USBs. Jon was still walking around the outside of the building,
looking for ways in. As I was walking around the building though, somebody from their SOC
saw me on their cameras and somebody came out and started to confront me.
At which point I basically just, I was kind of walking in the direction of the car
already. And so I basically just pretended like I didn't hear him and kept walking.
And then we got in the car and took off. Now you might think this is it. The engagement is over.
They're done. They head back home. But nope, they don't head home. They saw something that they
wanted to go back and check out. The first location had a big fence around it and a gate.
And they noticed what type of gate control system was used to open and close that gate.
The model was DoorKing.
There's a certain vulnerability they knew about with this type of gate control system.
And we talked to our contact about it and said,
hey, we noticed this, do you want us to see if we can get it to work?
And sure enough, the common key opened the faceplate to the DoorKing system,
and we were able to find the model number inside.
Quick Google search pulled up that specific model with a wiring diagram,
and then we carry a little jumper wire with us as part of our toolkit. And you just
connect the appropriate terminals that it basically acts like a little button. And we
basically just hot wired the gate and it popped right open. Clever stuff. Another vulnerability
they can put into their report. A fun one at that. A quick fix for this is just to change the key on
the box. These things often
have a sort of default key that you can pick up fairly easily and try. And yeah, once you get in
the control panel, you can open it up. After that, their engagement was over. They got back on the
plane and headed home. And once they got home, Brian saw his regular doctor who gave him an MRI
scan and found out he fractured both heels. So he had to sit out for six weeks. During that time,
they gave a debrief with the client. They learned a bunch along the way. For instance, they learned
that if Brian had tried to use the key in the elevator, it would have triggered an alarm. So
he's lucky he decided not to do that. Next, they learned that every single one of the USB sticks
that they left behind got picked up and turned in. Not a single person tried to plug one in.
The client was also
happy to see that there were ways that they can improve security too. And as far as the SOC goes,
this was a great confidence booster for them to find a live one, get someone caught.
Overall, Brian and Jon were impressed at the security measures this company took.
Yeah, honestly, one of the best things was just having those diligent workers. So it ends up that
during our recon,
not only did the security operations center notice
that we were driving around with a rental car
with plates from out of state,
but because this was a tight-knit community,
others from the community also noticed something was up
and notified the friend that,
hey, we're noticing something weird and you guys are probably the
target just because we know our city. So yeah, their tight-knit community also helped keep them
safe, which is something we're not used to seeing or hearing. So that one kind of took us for
surprise. But otherwise, they clearly took their door security very seriously because a lot of time, a lot of our simple, easy tricks were not as simple and easy as we were expecting them to be.
I think a lot of the time when you hear about these types of physical security stories, you usually only hear about the successes.
And those are great.
And, you know, like when they happen and it's
secret agent and you get in and you accomplish it and that's awesome. And they definitely happen.
But I would say that there's definitely failures too. And so much of it is thinking on your feet
and just kind of rolling with the punches. No amount of planning that you do is ever really going to be sufficient.
Something always changes along the way. And the other thing that I don't ever hear anybody
mention that does this is how physically and emotionally demanding it is. It is exhausting.
We're up starting an engagement at 10:30 and it goes until 8 the next morning.
And then three hours of sleep and then doing more SE.
And you get the adrenaline going through you, you got your nerves going.
And it's hard work.
It's fun.
But it's hard work for sure.
A big thank you to Brian Halbach and Jonathan Studebaker
for sharing this adventurous story with us.
Recently, they were both on ABC News,
where they showed the Nightline camera crew
how all this looks when they're sneaking into places.
And on top of that, there's another video of some other people at RedTeam Security who took cameras with them as they broke into an electrical power station.
If you want to see how this looks in action, check out the links in the show notes or at darknetdiaries.com.
Brian is still with RedTeam Security doing these pen tests, but Jon
has since moved on to another company where he's doing security architecture work now.
If you like this show, if it brings value to you, consider donating to it through Patreon.
By directly supporting the show, it helps keep ads at a minimum, it helps get people to make
the show, and it tells me you want more of it. Please visit Patreon.com slash DarknetDiaries
and consider supporting the show.
Thank you. This show is made by me, the 56k bot, Jack Rhysider. Sound design by The Shell Prompt,
Andrew Merriweather. Editing help this episode by the VGA supported, Damien, and our theme music is
by the Sound Blaster, Breakmaster Cylinder. And even though astronauts use Linux, because
you can't open windows in space.
This is Darknet Diaries.