Darknet Diaries - Ep 41: Just Visiting
Episode Date: June 25, 2019
Join JekHyde and Carl on a physical penetration test, a social engineering engagement, a red team assessment. Their mission is to get into a building they shouldn't be allowed in, then plant a rogue computer they can use to hack into the network from a safe place far away.
This episode was sponsored by Nord VPN. Visit https://nordvpn.com/darknet and use promo code "DARKNET".
This episode was sponsored by Hostinger. Go to https://hostinger.com/darknet and use code DARKNET to get 15% off a hosting plan and check out this week's free feature.
For more information visit darknetdiaries.com.
Transcript
Hey, it's Jack, host of the show.
A few years back, I went to Silicon Valley to do some training.
While visiting, I decided to visit Google.
I didn't know anyone there, and they didn't know I was coming.
I just wanted to, like, park and walk around the building and see what it looked like.
A co-worker and I used Google Maps and found it.
There it was, the main headquarters for Google.
Actually, they call it the Googleplex.
The place where emails are stored, browsing history, map locations.
It's all there.
Not to mention the source code for so many products, too.
And if that data isn't in these buildings,
the people who work in these buildings have access to that data.
So we find the place, we pull into the parking lot.
No guard gate in the parking lot. Cool. We parked the car. And as soon as I get out, there's a bunch of
bicycles just parked everywhere. No chain or locks. And these bikes are all super colorful. Red seat,
yellow body, green fenders, blue handlebars. I've heard about these. These are the free G-bikes.
Googleplex is so big and employees need to get across the campus.
So they put these free bikes everywhere for employees to ride.
And I have no idea why every single bike isn't stolen every night from this place.
But whatever.
My friend and I walk past these bikes and up to the Google offices.
The campus reminds me of a university.
Instead of one giant office building, it's many smaller buildings spread
out all over the place, with sidewalks going everywhere. We walk onto the campus, between some
buildings. We get among the buildings, into a courtyard. There's a sand volleyball court, with a
game being played right in front of me. And I can see across the street, there's a Google Athletic
field, where a soccer game is going on. There are people on Google bikes just whizzing by us, and we found a giant Android robot statue.
I took a selfie, and we hung out on the campus for a minute.
A lot of engineers and technical people were just walking on past us.
I wondered what they did.
Security seemed non-existent.
I decided to go into one of the buildings.
So I followed someone inside an office.
But it didn't matter because there was no badge reader or security to keep me from just walking
in by myself. It was weird. It was too easy. Like I was walking into a trap or something. So I just
turned around and walked out. I went into another building. This was a cafeteria of some kind. It
seemed like there was free food for employees. And I don't know, but it seemed like anyone could just walk in and grab a burger. The experience was wild. I've never
seen a corporate environment like this before, and it made me question my lame office job.
But it was super fun to visit the Googleplex. The next day after training, because we had so
much fun at Google, my friend and I wanted to go to the Facebook campus to check it out.
Google Maps made it look like the campus was in a similar style.
11 buildings all spread out
with a central courtyard and sidewalks everywhere.
We cruise on into the parking lot.
No fence or guards to keep us out.
Cool. We park.
And here at Facebook, we see a ton of blue bikes.
Just like at Google,
these are free bikes for Facebook
employees to use to get from building to building. We decided to try to go into one of the buildings.
We walk on up, grab the handle, doors unlocked. Right on. We go in, but immediately a security
guard asks us what our business is. We say, uh, we're just here to use the bathroom. She tells us
no, and to leave; there are no restrooms here. We beg her to let us use the restroom,
but she says no. We have to go. We decided to walk around the buildings and try to find a way
into the center courtyard. But this campus is a little different. Between each building is a high
security fence, keeping you from going into the courtyard. We go around to the next building,
same thing, big fence, locked, can't get in. Next building.
Another fence. Locked. At this point, I'm becoming really curious what's in their center courtyard
and amongst their buildings, and I want to get in and see it. So I say to my friend, okay,
the next gate we get to, if it's locked, I'm going to just wait there and tailgate someone in.
He says okay and waits for me down at the end of the sidewalk. I stand near the gate,
looking at my phone, trying to be inconspicuous. Someone comes up to the gate. They swipe their badge. The gate opens. I follow him into the courtyard. Yes, it's working. I close the gate
behind me. Then I realize I'm trapped. To get into the courtyard, there's another gate. You need to
get through two different gates to get in. One uses a badge and the other uses
something else. And when the guy ahead of me saw that I tailgated him in, he quickly went through
that second gate and closed it behind him. I was now stuck between the two gates. I couldn't get
into the courtyard because that gate was locked. So my only option was to go back out the same gate
I came in. So I did. Security of Facebook thwarted my half-assed attempt at
getting in. Not bad. But if I was a professional social engineer, I bet this would have gone down
totally differently. These are true stories from the dark side of the internet.
I'm Jack Rhysider.
This is Darknet Diaries. This episode is sponsored by Delete.me. I'm not going to be fighting this alone anymore. Now I use the help
of Delete.me. Delete.me is a subscription service that finds and removes personal information from
hundreds of data brokers' websites and continuously works to keep it off. Data brokers hate them
because Delete.me makes sure your personal profile is no longer theirs to sell. I tried it and they
immediately got busy scouring the internet for my name
and gave me reports on what they found.
And then they got busy deleting things.
It was great to have someone on my team when it comes to my privacy.
Take control of your data and keep your private life private
by signing up for Delete Me.
Now at a special discount for Darknet Diaries listeners.
Today, get 20% off your Delete Me plan
when you go to joindeleteme.com
slash darknetdiaries and use promo code darknet at checkout. The only way to get 20% off is to go to
joindeleteme.com slash darknetdiaries and enter code darknet at checkout.
That's joindeleteme.com slash darknetdiaries. use code Darknet.
Support for this show comes from Black Hills Information Security.
This is a company that does penetration testing, incident response, and active monitoring to help keep businesses secure.
I know a few people who work over there, and I can vouch they do very good work.
If you want to improve the security of your organization, give them a call.
I'm sure they can help. But the founder of the company, John Strand, is a teacher, and he's made it a mission to make Black Hills Information Security world-class in security training.
You can learn things like penetration testing, securing the cloud, breaching the cloud,
digital forensics, and so much more. But get this, the whole thing is pay what you can.
Black Hills believes that great intro security classes do not need to be expensive, and they are trying to break down
barriers to get more people into the security field. And if you decide to pay over $195,
you get six months access to the MetaCTF Cyber Range, which is great for practicing your skills
and showing them off to potential employers. Head on over to blackhillsinfosec.com to learn more about what services they offer and find links to their
webcasts to get some world-class training. That's blackhillsinfosec.com. Blackhillsinfosec.com.
Today, we're going to hear from a social engineer named Jek Hyde.
So my name is Jek Hyde, and I am a physical penetration tester and social engineer.
I work with a red team of technical hackers, and I gain physical access to buildings so that we can use that access to exploit their, maybe it's personal information
we're after or credit cards, stuff we shouldn't get our hands on.
Yep, yep. You got it. Jek Hyde is going to share a story with us about how she broke into a
building. And I always think it's fun to tag along with these kinds of stories and listen to what
their job is like. So Jek Hyde is her hacker name, you could say. Kind of like a play on the whole Dr. Jekyll and Mr. Hyde story. One person, but two different personalities. But Jek wasn't always doing this kind of work.
I studied journalism in Dallas and I got involved with the Dallas hackers community because they were making some waves.
And I was introduced to the concept of penetration testing first.
And then a friend told me about physical penetration testing.
And I was like, you get to break into buildings for a living? That's crazy.
And he was like, yeah, well, I don't, I don't particularly like to do it. Like it's,
it's nerve wracking and I have to lie to people and it's, it's, it's just all kind of scary.
And I said, well, you know, if you get a job you don't want, I would love to try my hand at it.
And I was almost kind of, I was kind of joking, half joking. And he was like, oh, if you really mean it, I think I could probably get you on some jobs.
And I was like, oh man, okay.
So a security assessment company offered Jek a contractor assignment to try to physically break into a building that they had permission to test the security on.
I went in to do this test and I got in on my first try, which was wild to me at
the time because a secure facility is secure, right? And that became clear to me that that
wasn't always the case. So I got in and I got back out to my car and I called my friend back
and I was like, I need more of this in my life. I am addicted.
I've been doing this for three, four years now.
But the thing that surprises me about that story is that you basically did it without any real security or any real training at all to know how to do this. Is that how it?
Well, that is correct. I am an APT, my friend, with no degree in English.
What makes you feel like you have what it takes to do this or what does it take to do this?
That is a really interesting question. So in order to do physical penetration testing or social engineering, I think the biggest quality a person has to have is confidence that you can do it. I
can break into that building. I can convincingly lie to someone because if you are not confident,
that comes off in the way you hold yourself and the way your voice sounds. It becomes unconvincing
to other people if you don't believe it yourself. So I think my time in theater and my time in
journalism, learning how to talk to people, learning what questions to ask, how to put
people at ease, that probably is what set me up for a successful career in physical penetration
testing and social engineering. Actually, I've heard this before.
Jek said she had a background in theater as well as journalism. And other penetration testers have told me that to get good at social engineering,
take an improv class or an acting class.
Because there they'll teach you how to become someone else and be convincing.
You'll learn how to react to really zany situations and be able to get through it cool and calm.
So yeah, acting does play a big part in sneaking into places.
Now, if you couldn't tell, Jek is female, and she sometimes uses this to her advantage while doing these social engineering missions.
She also uses different costumes.
Yeah, so I have several different disguises that I can switch out my appearance relatively quickly on site if I need to.
So I have wigs, I have glasses, I have different changes of clothes,
things that I will be able to remove and apply quickly,
different types of makeup and maybe like a prosthetic mole or something along those lines.
But my favorite toy, my favorite tool that I use on these engagements that if I can use it, I do,
is my pregnancy prosthetic. I have a big belly that is filled with silicone and it has Velcro straps that I will use to wrap around my waist and stick it to my stomach.
And it makes me go from this 125 pound, pretty unimpressive person to, oh my goodness, I am eight months pregnant and would you please
get the door for me? And when I have that option and I do use it, it works 100% of the time.
Oh my gosh, that's so evil. Now I see why she's Jek Hyde. Dr. Jekyll is a good person, but Mr. Hyde is sometimes
shockingly evil. I mean, can you imagine seeing a woman who's eight months pregnant coming down
the hallway, holding her back and her belly, asking you to kindly hold open the door and you
just close it in her face and say, badge in like everyone else, lady. It's like, what are we supposed
to do in these situations? One of the things that I think
most pregnant women or men who have had pregnant women in their lives have experienced is pregnancy
brain. And so I can pretend like, oh man, I'm feeling foggy, you know, pregnancy brain. I've
forgotten my badge or I've forgotten this piece of information.
Oh my goodness, can you believe I cannot remember my password? And people are very sympathetic to
that. And again, it's exploiting the human factor. People are very eager to help people who are in
distress, not just pregnant women, but older people or somebody who is either disabled,
or maybe they're temporarily injured and they have a cast or they're in a wheelchair or something
along those lines. We want to be helpful people. And that's what a lot of bad guys take advantage
of. You have these scams against older folks all the time who get calls supposedly from their grandkids.
Grandma, I'm in jail.
Or Grandpa, I'm in the hospital.
I need money.
And that's what we try to emulate is this malicious actor who doesn't care about people's feelings.
They're just in it for themselves.
It's true.
A lot of scam artists do target the weak and elderly people who have no
chance against them. It's evil and sick. Okay, so I'm properly freaked out now already by Jek.
I'm confident that she's evil enough to do something crazy to get into any building.
So let's go along with her on a mission. A physical penetration test, a social engineering engagement, a red team assessment.
We were hired to do a physical for an international manufacturing business.
The way a lot of companies do their headquarters is they'll have a headquarters in different countries.
That's their international corporation.
And so this particular headquarters was in a Spanish-speaking country,
and it was where we were hired to do this physical.
It was a Spanish-speaking country, and I do not speak Spanish. And so when I heard that there was a physical component to this test
and they wanted us to plant a rogue device, I was like,
okay, we've got to bring Carl on. Carl not only focuses
on the rogue devices and drop boxes, as we called them at the time, but he is also a Spanish speaker,
at least a little bit, enough to get by, which is what was necessary for this one.
I'm Carl. I basically do the hardware and our rogue device side. So Jek essentially gets me into the building, and then I install the devices.
And so we've been on several of these little trips together now, and it's been a good time.
And so the story we're about to recite is one of my actual first physicals.
And so there's a certain aspect to the emotion of that.
And when you're used to being a nerd behind a computer for so long,
and you're out in front of the adversary, it's a little different.
So the objective is to break into this manufacturing plant in a Spanish-speaking country,
plant a rogue device so that they can try to use it to hack into the company and then get out.
They have permission from the head of security to conduct this intrusion,
which is to assess the security of the facility. The team consists of Jek Hyde and Carl. Jek is
a physical penetration tester. She's an expert at sneaking into places that she shouldn't be in.
And Carl is the hacker. He's an offensive security certified professional, which is a training course
and certification that teaches you how to hack computers. He's a coder and he knows his way around operating systems really well. But most of all,
Carl has a real passion for computers and breaking into stuff. So the two together make a very
dangerous pair. So when we get a client, the first thing I want is an address of the building that they want tested.
And then the first place I go after that is Google Maps.
I am looking at this from bird's eye view, satellite images.
I'm looking at it from the street view.
I want to know everything I can just looking at the building from the outside.
And what I found looking at this building on Google Maps was that there was basically a fence or a wall surrounding the thing.
It was not just any fence. It was actually a palisade-style fence with this curved top and this three-pronged, very aggressive topper.
There were two entrances to get into this building, one for trucks and deliveries, and the other was for workers.
From Google Maps, she could see that these two entrances had a guard shack right next to the entrance,
which would watch that everyone used their badge to get into the turnstile and into the building.
This was a pretty aggressive security situation where there was a pretty intimidating fence,
there was a guard checkpoint, and I found photos of the badge readers online because
people post everything on social media.
And so I knew what kind of badge system they were using.
Jek's first thought was,
okay, maybe they can find a nearby coffee shop,
see somebody with the badge to this place,
bump into them casually,
clone the badge in the process,
and then walk away.
But when she started getting the badge cloning devices together,
she had second thoughts.
This stuff looks kind of intimidating,
and you don't want to be carrying it through airport security
in countries where things might not be as safe as they are here in the U.S.
So unfortunately, bringing my badge cloning equipment
wasn't an option for this particular job. And so we were
going to have to figure out... we were like, okay, maybe there's a way that we could
jump over this fence. Maybe if we found a tree or a dark spot, you know. It
didn't seem particularly well lit at night, and so I was like,
okay, maybe jumping this thing might be an option. It wasn't concertina wire, and I'm,
we both are, relatively physically fit people, and so we were kind of playing with
that idea and we were like, okay, that's definitely an option. Jek and Carl did some
more passive reconnaissance
and decided to fly to the location to try to find a way in.
They arrive and decide to scope out the place from a distance
to see if they could find any weak spots in security
where they could just sneak into the building.
When we got there, though, we performed on-site reconnaissance.
And when we got there, we realized that this guard... there were like three guard booths around the facility and they were all manned 24/7. On top of
that, there was like a police watch that did rounds around this facility and the neighborhood around it
at night. And so we knew right away, we're like,
okay, there's no way we're jumping this fence.
It's just not going to happen.
Okay.
The manufacturing company seems to have their security in order.
Lots of cameras and guards and fences and turnstiles
and only two entry points.
Gosh, this is going to be hard.
Walking in off the street doesn't seem to be an option here.
And you're not going to get in this building without a badge. And if you try to go up and
lie to the guard who may not even speak your language and you get caught, the whole engagement
is blown. And potentially face angry law enforcement officers and guards whose language we don't speak.
Or they can use a completely different strategy to get into this place.
So we started looking at our options,
and this was kind of the plan B that we had been building up
before we got in country that we were going to lean back on
if we decided that a more covert infiltration wasn't going to be an option.
And so when I was doing reconnaissance, I looked at a lot of social media accounts.
I looked at LinkedIn and Facebook and Instagram is a big one.
And just playing Google, Googling your company in the country.
And what I'm looking for is a mark.
In social engineering lingo, a mark is the victim person,
a person who you think is just gullible enough
to be tricked into doing something for you.
Jek is going to do a bamboozle on someone,
and she needs to find that perfect victim.
She's going to places like LinkedIn and seeing what people are into.
She's looking for people who might be somehow eager for
acceptance or they show a lot of vanity. Or maybe there's just somebody who's really greedy. If Jek
can find someone like this, she can try to trick them into doing work for her. And after researching
this long enough, she found someone, a mark, who she chose because of their idealism.
So this person had single-handedly put together a coalition of their co-workers and started up a food bank.
And he convinced them to not only volunteer at this food bank, but donate their time and resources to help building it up
and they become a movement in their community to help feed the hungry and that became
where I focused my attention on these people.
I think I just saw Jek turn into Mr. Hyde. She's choosing the people who set up a charity as her mark.
She's planning on exploiting their caring and good-hearted nature
so she can get into this building.
Ooh, that's evil.
So we built up this pretext that I was a woman named Bridget
and Carl was this guy named Ted.
And we were both involved in the department of our company back at the headquarters in the United States.
And what we did was we put a phish together, a phishing email with a domain that looked a lot like our target company's domain.
Instead of targetcompany.com, it was targetcompany-communityresources.com: target company, dash, community resources, dot com. And then Bridget and Ted,
these two fake people kind of went back and forth talking to each other,
talking about this conference that was going on in that country for our
company.
And we were talking back and forth as if we were going to this conference.
Hey Ted, are you going to that conference in November? And he was like, yeah, the whole family's coming. Well, we're looking forward to it. I'll see you there. And I would respond, yeah, that's fantastic. Well, we should swing by and see our offices, our headquarters in country while we're there. And he says, yeah, that sounds like a fantastic idea. Actually, there's a team there that put together a food bank that I would really love to meet.
So now Jek is acting like Bridget and Carl is acting like Ted, and they are both
acting like they help with charitable activities from the corporate office and these emails.
But so far, these emails have only gone back and forth between Jack and Carl. This is just to build up the pretext. See, a pretext is a cloak.
It's a disguise that hides who you really are. And it has to be believable. So by sending emails
back and forth between them, it builds this up because they are about to forward the whole email
chain to the mark. So I said the day before we were planning this breach,
hey, Ted, have you reached out to that team yet?
Because, like, you speak Spanish, and I thought you were going to go ahead
and see if we can maybe go meet these awesome people
who created this awesome food bank program.
And Ted goes, oh, dang, I hope we aren't too late.
Like, we're not in the country for very much longer.
And so he puts together this phish in Spanish.
And he goes, hey, my name's Ted.
I'm a project manager based out of the headquarters for our company in the States.
And I heard about the inspiring work you're doing.
And we're really proud.
Put in a line to the effect of, "If you can't feed a hundred people, then feed just one," from
Mother Teresa. And that really connects. You know, it's a good sentiment in any case, but it really
brought the entire phish together. And it just sits there nicely at the bottom of the email.
And just, you know, it's like putting the bow on top of the present. And that's essentially the picture that we were trying
to paint is we're very interested in this food bank. And we were similar minded individuals that
had a similar goal of community outreach. And we were interested in seeing the location there.
Okay, honestly, would you fall for this? We often shame people who fall for phishing scams. And we
say things like, I would never fall for something like that. But imagine if you had poured your heart into starting
something and now some big time people are contacting you wanting to meet. You might just
be so excited that you miss the little signs like the email address isn't right or that this email
has a sense of urgency to it. We're all a little narcissistic and we want others to appreciate
the work we do. And something like this feels like you're finally getting that recognition that you
deserve. Especially when Bridget and Ted have actually researched a lot about what you do and
seem to know exactly what you've been doing. This is not some mass email. This one is extremely
personal and targeted. I think anyone would have a really hard time
defending against this. Now they send this email chain to the mark and the mark works in this
building that they want access to. This email did not contain any malware or shady link. It just
asked if they're willing to meet. After they send the email, they wait. And keep in mind, they're already in
the country, not too far from the building that they're trying to break into. And they're just
sitting at the hotel crafting this whole scheme. And after the break, we'll hear what their reply was.
This episode is sponsored by SpyCloud. With major breaches and cyber attacks making the news daily,
taking action on your company's exposure is more important than ever.
I recently visited SpyCloud.com to check my darknet exposure and was surprised by just how much stolen identity data criminals have at their disposal.
From credentials to cookies to PII.
Knowing what's putting you and your organization at risk and what to remediate is critical for protecting you and your users from account takeover, session hijacking, and ransomware.
SpyCloud exists to disrupt cybercrime
with a mission to end criminals' ability to profit from stolen data.
With SpyCloud, a leader in identity threat protection,
you're never in the dark about your company's exposure from third-party breaches,
successful phishes, or infostealer infections. Get your free Darknet exposure report at spycloud.com slash darknetdiaries.
The website is spycloud.com slash darknetdiaries.
After Jek and Carl forward the email, they wait for the reply.
They replied within minutes, saying, oh my goodness,
yes, we would love to show you around and tell you about our program. We can, you know, I want
you to meet all of these different people on the team and we can show you where we pick up donations.
And they were just extremely enthusiastic.
This was exactly what Jek and Carl were hoping for. They couldn't sneak into the
building, but now they've got someone inside inviting them in and willing to show them around.
These two are evil, but really good. This did impact Carl. He thought this was messed up to
exploit someone's good nature like that. That was the biggest thing that was the hardest to shake out of my mind.
And I guess the mantra you keep on going back to is,
you know what, if a good guy can do this, a bad guy can do this.
And if a bad guy can do this, the ramifications are going to be far more severe.
Yeah, you know, I guess it shows you that you're human.
You know, it matters that you're making those connections.
You're using a method like this, and it kind of sucks.
But if it makes the client better,
and it means that a bad guy can't perform a similar action,
then I guess that's why we do this.
So while it didn't feel right, they went along with it,
using a slimy but solid exploit, the charitable side of humans.
Okay, so this mark and these people that they're exploiting
are so overjoyed that someone from corporate wants to see the food bank that they started at work
that they actually offer a car to come out and pick Jek and Carl up from the hotel.
So they agreed to be picked up the next day. But now Jek and Carl have a lot of work to do. They
need to really become Bridget and Ted as best as they can. And in fact, they
picked two people who actually did work in the company named Bridget and Ted in an attempt to
blend in even better. So in the previous two days, we had some extensive, extensive study time into
these personalities that we were developing and going as detailed as, okay, we'd quiz each other.
Where did I go to college? Like, what's my wife's name?
What's my husband's name?
What did I study?
Favorite activities.
And it was a huge cram session.
And you're just kind of hoping that all that fit into your head.
And you're hoping that the right fact is going to come out of your mouth at the right time.
The next day comes.
The mark, or the employee at the company, sends a car to come get them.
But to throw them off, they have the car sent to a different hotel.
That is exactly what happened. So they offered to
pick us up, and we didn't want to bring them right to where we were, just in case things went wrong
and they figured out that we were not who we said we were while we were still in the country. We
didn't want them to connect us back to that. And we were staying at like a medium rate
hotel and we had them pick us up at the nicest hotel in town.
And the driver drove us to that site, the headquarters, and we were given visitor badges,
which were RFID visitor badges. And just like that, we were let in.
Let me just back up for a second. When I was trying to think of a way into this building,
I never would have thought that somebody was going to come pick them up at the hotel and take
them into the building and give them valid badges to get in and show them around. This is unbelievable. Honestly, there was a moment
where we didn't know if we were walking into a trap, if maybe they figured out what we were doing
or that we weren't who we said we were because we just picked out people on LinkedIn who we kind of
looked like, who did the jobs of the people we were trying to pretend
to be. And there was always the chance that maybe, maybe they reached out through internal channels
and figured out that we were not who we said we were. And so there was a tense moment right as we
walked inside, right as we were about to be greeted by our mark, we weren't sure.
But then, you know, they welcomed us with open arms and were extremely excited to have us there.
So it was clear that they trusted us.
We were who we said they thought we were, who we said we were.
And for the next three or four hours, we hung out with these people.
Now, when they came on site, Jack had a small purse and Carl had a backpack.
Jack didn't have anything special in her purse, but Carl had a rogue device and a laptop.
And he was constantly looking for a moment to get away and to go plug this into the network and try hacking into the place.
But the team kept giving them a full extensive tour of the whole facility.
In this three or four hours when we were in the building, we're talking with them about
community outreach and all of this. And in a way, that kind of made it easier because
being genuinely interested in that, it comes from the heart. So it makes you
come off more genuine. And I don't think they really suspected too much there.
Had we had to talk about something too scientific like nuclear propulsion or something, we probably would have been outed a lot faster.
So it was nice to kind of have a pleasant chat.
But going back to what we were saying before, you kind of have that sitting in the back of your head like, oh, man, am I just a terrible person for being here right now?
Because what you're saying, it's got like a triple layer cake.
Like what you're saying is true and you actually believe it.
But that middle layer is, well, I'm here for doing something completely different.
I'm actually malicious, even though I'm talking about a good subject right now.
Then you get that third tier like, well, you know what?
It's for the best anyways.
And so there's a ton of emotion, um, going through you at the time. Uh, but, uh, it was pretty extensive,
about three or four hours. Yeah. And, and we were, I'm, I'm actually kind of lucky that
it was, uh, we, we did speak different languages. Um, you know, Carl and I speak a little bit of
Spanish, he more so than I, and they spoke a
little bit of English. And so if there was any awkwardness or a difficulty communicating, you
know, if we slipped up a little bit, there was always that language barrier that we could fall
back on, like, oh no, you must have misunderstood me. They were there hours and hours
on site, but their hosts were so good that they never let Jack or Carl out of sight the whole
time. And even when like one of us tried to excuse ourselves to go to the bathroom, there was
somebody popping up who was like, oh, let me, you know, let me, let me show you where to go.
And I was like, are you going to come to the bathroom with me too? But they didn't.
So as we're walking out, I'm like, dang it, there's just no, like, I can't, I can't get away.
At this point, the tour is over.
And the host took Jack and Carl to the front door to say goodbye and to turn their badges in.
Trash, they thought.
They spent all day here and didn't accomplish what they came to do, which was to plant that rogue device somewhere.
Think quick, what else can you do?
They're now at the front, at security, about to leave the building, and the guard is asking them to turn in their badges.
Carl handed over his badge, and I legitimately, for about two seconds, had misplaced where I put my badge in my bag.
And I was like, you know what?
I'm just going to run with this.
And I was like, oh no,
I seem to have lost that visitor badge you gave me.
I misplaced it.
I must have left it somewhere.
And so I'm just standing there looking casual.
I may be putting the right amount of distress in,
like, oh no, you lost your badge.
That's so rude of us visitors.
We should know better.
And they were like, oh, no, no problem.
No problem.
It's fine. You know, thank you so much for coming to visit and keep in touch.
I was let out a larger gate towards the side of the building, and we were home free.
And I also had a visitor badge.
The hosts arranged a driver and a car to take them back to that fancy hotel
that they weren't actually staying at.
They get let out, and they take their guest badge back to their hotel room
and plan out the next steps.
They now have a complete layout of the building,
since they were given an extensive
tour of it. They know their way around pretty well now, and they have a badge that will let
them in through the courtyard gate and through the turnstile and into the building. They also
know the itinerary of the host that gave them the tour and know exactly when they'd be tied up the
next day. So they waited until the next day to revisit the site, this time unchaperoned.
We were able to return around mid-morning when they had mentioned they were going to be in meetings all day.
They both arrive at the building and walk up to the turnstile.
And they know that when you swipe it, one person's allowed through the turnstile,
which kind of makes it impossible to tailgate someone.
Well, I think when we did that at the time, I think there was either nobody in the booth or they weren't looking the right way.
So I know that I was super nervous about this. And I went through and I used the badge first.
Carl gets in. He turns around and hands the badge back to Jack. She swipes it and she gets in.
Now they're both in. No problem. They did not have a one swipe, one entry protocol with their badge readers.
So we were both able to get in with the same card by just passing it back through the turnstile.
So now their only objective here is to plant that rogue device in the network and leave.
This rogue device is like a Dropbox.
It has a way for Carl to access it from outside the building and to get into it. And if that device is on a good network port,
this would allow him to try hacking into the network all night long,
safely from his hotel or from anywhere in the world.
He just needs to find a good spot to stick it.
From our tour the day before, we had noticed that there were some conference rooms.
They were fully occupied and we couldn't get away from our hosts anyways.
But this next day, because fortunately there were extensive meetings, a lot of these conference rooms were empty.
Jack and Carl pop into one of the conference rooms and close the door.
Carl quickly starts pulling gear out of his backpack.
The rogue device, a laptop, some cables.
We are trying to look as normal as possible. So I have Carl sitting on one side of the he's customized it to give it like a mobile internet connection. So as soon as it's powered up, Carl can connect to it from anywhere in the world.
So then he takes the internet port and plugs it into a network port in this conference room.
But he's not seeing much traffic go by on this port.
If I don't see substantial traffic that makes it worthwhile and not enough hosts,
it's not going to be worthwhile. So for example, if there are
a lot of Cisco phones and there aren't any like Windows workstations or Linux servers or just a
sparse amount of traffic in general, if I don't have a point to or any data to leverage my device
on in the network, there's no point in planting it there. Often what corporate offices
do is have a separate network for phones and for workstations. And a phone network is often
locked down to just allow phone traffic through. Carl is using a program called tcpdump to watch
what traffic is being broadcast on this network. He's just seeing phones. Rats, this port's not
going to work. He might be able to find a better port somewhere else that has a lot of workstations or servers plugged into it.
And I know that I have to essentially pack everything up
and then tell Jack, like, well, hey, I'm sorry.
We're going to have to go on to the next room.
And then we just try the next one.
They pack up and casually leave the conference room.
They find another room and go in that.
Again, Carl unloads his gear and Jack acts casually and keeps a lookout.
Carl connects into his Dropbox and begins his attack.
Yeah, so when we first log into the Dropbox,
we just want to see what's going across the wire.
So a lot of it is really passive listening.
And so I'm not actually giving myself an IP initially.
I'm just passively listening at layer two, layer three and watching stuff go by. We wait as long as, campaign time
wise, as long as we can afford to wait. It's kind of a gamble based on within that one or two minutes,
I'm looking at the traffic. If I decide, yeah, we'll go with this one or no, let's try the next
one. And then I'm looking at MAC addresses flying by.
I'm looking at what kind of workstations, if we're looking at like Linux boxes, if we're looking at Windows 10, Windows 7.
And then I will, when I feel like dropping down to the wire, I'll statically assign an IP and just drop myself down and then change the MAC address to make myself look like the workstations I've been observing.
And then also change the TTL so if I'm pinged,
I'll also look like a Windows workstation instead of having it come back as Linux.
But again, nothing good is on this port either. He's not seeing any workstations or servers or anything interesting
as he's listening to what's on the wire.
This isn't going to work. Maybe he can find something better.
So the team once again picks up all the gear and goes to find another room to try again.
They're starting to get a little worried that the conference rooms might be all locked down.
Well, there's a little bit of fear that starts to eat at your mind a little bit.
Like, oh no, each one in this floor might be a dead port. But the third one, something
was different. I did notice in the first two, the port was a little bit dustier, but I thought,
you know what, we're here. I'm going to go for it. I'm going to try it. The third one, the port
looked a little bit cleaner, which is probably a better signal that people have been plugging in
and out of it. And it worked. And I was pretty relieved. After the third conference room, when Carl plugged in,
he immediately saw workstation traffic.
Bingo.
This is the port he was looking for.
From here, he could probably gain access to one of those workstations
and then keep pivoting up to main servers.
And he'd be able to do all this from his hotel or even back home in the office.
And their plan is just leave this device and do just that.
Because it's too risky to stay in this conference room for hours and hours and hours trying to hack into the office.
So it's best to leave the rogue device,
get out and then hack into it later.
And then it's a matter of obfuscating the device
as much as possible to make it blend in
and look like it kind of belongs there.
Luckily there were a fair amount of cables
underneath the table.
You know, in some businesses, you like to look all clean and tidy.
But in our scenario, we love it when people just leave trash everywhere and have cables going all over the place and just terrible cable management.
I can tuck a device in there and it'll look pretty benign. And if we're lucky, we'll sometimes find on site some stickers from rummaging
around from the IT department that we can slap on there and make it look official. Or we'll print
them out ahead of time that'll say company name, IT department, please don't remove. And it makes
it look a little bit more official. With this rogue device in place, hidden neatly under the
table amidst the rat's nest of cables,
the team packs up and begins heading out.
This is all they came to do, so it's time to leave.
Yep, yeah, it's time to pack up and walk out casually
and hope that you don't get caught on the one-yard line before you get into the end zone, really.
So that would be just the worst thing possible,
to have somebody stop you while your device is planted and just trace everything back and have your campaign fail at that moment.
So we casually walk out and that was that.
They even give their visitor badge to the guard on the way out since it felt like the end of their mission.
And at this point, they had an Uber come pick them up and drive them back to the hotel with a feeling of accomplishment.
Well, it's a feeling of success as far as, you know, the time that I was given to build this device, the device works. The time I was given to research this location, that's paid off.
The trust put into me and the client to perform this in their interest and perform a service, that's worked.
So I guess it's just a relief of, you know what, whatever we can do remotely to this device, that will be what it will be.
But as far as the physical goes, we've earned, you know, we've earned what was spent to bring us here and we've kind of upheld our end of the bargain.
And so that's good. And especially being my first physical
and not being very used to twisting people
and creating the mirage and all of that,
it kind of felt good to not be arrested
in a foreign country in my first attempt.
We were in the car afterwards
and I'm like, I'm feeling the rush.
I'm like, yes, we did it.
I feel good about this.
Like we got our teammates back home, the access that they need.
And I look over at Carl and he's just got his head in his hands.
I was like, what's wrong?
And he was like, those poor people.
That really kind of weighed heavily on me.
Man, our hosts were so gracious and they were so passionate about their project that it felt bad that underneath it all, we were essentially lying to them about our purpose there.
And that's something that even with X amount of rationale, it's an inescapable feeling.
It was kind of a wake up call moment for me.
And I knew,
like I knew what we were doing was not great.
But I'm glad that he, you know,
recalled me to that
because I've been doing this for so long.
I sometimes can lose sight of that
and he keeps me grounded.
But that was exactly what I told him was, look, you know, we are pretend bad guys and there are real bad guys out there.
So we can feel bad about this.
That's fine. But we're a vaccination, and shots suck.
Using the rogue device, the team did find more vulnerabilities in this network,
which got them domain administrator access into the network.
So even though it's current year,
sometimes people still have unencrypted credentials flying around their network.
And so with sufficient amounts of monitoring on the wire,
credentials were recovered that allowed us to pivot into
multiple systems and then we eventually escalated up to DA and we were able to extract all of the
valuable information that you're looking for in a situation like this as far as credit cards and PCI and all of that.
So all within a few days of recon
and a few days of actual exploitation,
this team successfully got in,
put their rogue device in,
and gained full access to the network.
Incredible.
The team wraps up their findings
and puts it all into a report
and gets on a conference call
to explain everything to the client,
who's the head of bit of awkwardness. There's always a little bit of shock.
I think a lot of people assume that it's going to end up better for them and speak better of their security than it ends up being. In this particular case, it was very personal
because it involved very little of their physical security. Their physical security
held up quite well under the circumstances. If we were malicious actors in country,
there's a potential that we could have made our way covertly past their security.
But what we did was we exploited the human factor, and that hurts a little bit more.
And so we not only had to explain the situation to the folks who received our report,
but then they had to go down and debrief this team.
Now, because the team felt bad that they exploited these people, they tried to make something positive from all this.
And they really pushed hard to have the corporate headquarters connect with this food bank project and get acknowledgement and help from corporate.
And that did, in fact, happen. The headquarters was happy to see the food bank project,
and they helped give it more resources and recognition to make it of information or a
file or a physical location quickly, that shows some red flags for you. And that's exactly what
we did in this case was we showed up in country and said, Hey, we're only going to be here for
a couple more days and we're off to this conference. So if you want to meet us and you want this,
this food bank project to be noticed and maybe get a little bit more funding for it, you need to meet with us soon.
You need to give us an answer soon.
And we took advantage of that.
And you know what?
The people who started this food bank project, the Marks, that got social engineered by Jack and Carl, this is a story they're always going to remember.
And this is a story they'll share with everyone.
A story like that will certainly travel around the company
about the two evil penetration testers
who exploited such good people.
And whoever hears the story will think twice
about what a bad guy is actually capable of.
These people still work on their food bank project,
but now they validate their guests a little closer before showing them around.
So hopefully this is a good lesson they learned,
which, in the end, makes security a little better.
You've been listening to Darknet Diaries.
A big thanks to JekHyde and Carl for sharing this amazing story with us.
You can follow Jack on Twitter.
Her handle there is HYDENS33K.
Oh, and about this podcast.
I'm about to rebrand this whole thing.
New podcast artwork, new website, new stickers, everything.
I'm super excited about that.
So look for it soon, TM.
Want to discuss this podcast with
other listeners? You can. You can join us over at Reddit at reddit.com/r/darknetdiaries
or on Discord at discord.io/darknetdiaries. See you there. This episode is created by me,
the one-eyed, one-horned, flying purple packet eater, Jack Rhysider. And the theme music was
created by the shrimp sampler, Breakmaster Cylinder. See you in two weeks.
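Two of the physical-access weaknesses in this story are things an access-control system can enforce on its own: the visitor badge that was never handed back still worked the next morning, and the turnstile let one badge admit two people because, as Jack puts it, there was no one-swipe, one-entry rule. The model below is an added example written for this page, not code from the episode, the testers, or any badge-reader vendor; the badge ID, dates and visit length are constructed. It replays the visit against a controller with visit-window expiry and anti-passback switched off, then on, so you can see which check would have stopped which step.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Badge:
    badge_id: str
    holder: str
    valid_until: datetime          # visitor badges expire when the visit is over
    location: str = "outside"      # anti-passback state: "outside" or "inside"


@dataclass
class AccessController:
    """Simplified turnstile controller (constructed model, not a real product)."""
    enforce_expiry: bool = True    # deny badges past their visit window
    anti_passback: bool = True     # deny a second "in" before an "out"
    badges: dict = field(default_factory=dict)
    events: list = field(default_factory=list)

    def issue_visitor_badge(self, badge_id, holder, issued_at, visit_hours=8):
        # A visitor badge is only good for the visit it was issued for.
        self.badges[badge_id] = Badge(badge_id, holder,
                                      issued_at + timedelta(hours=visit_hours))

    def swipe(self, badge_id, direction, at):
        """Return True if the reader should open; every decision is logged."""
        badge = self.badges.get(badge_id)
        if badge is None:
            return self._decide(badge_id, direction, at, False, "unknown or revoked badge")
        if self.enforce_expiry and at > badge.valid_until:
            return self._decide(badge_id, direction, at, False, "badge expired (visit over)")
        if self.anti_passback:
            if direction == "in" and badge.location == "inside":
                return self._decide(badge_id, direction, at, False,
                                    "anti-passback: badge is already inside")
            if direction == "out" and badge.location == "outside":
                return self._decide(badge_id, direction, at, False,
                                    "anti-passback: badge is already outside")
        badge.location = "inside" if direction == "in" else "outside"
        return self._decide(badge_id, direction, at, True, "ok")

    def _decide(self, badge_id, direction, at, allowed, reason):
        self.events.append({"badge": badge_id, "dir": direction, "at": at.isoformat(),
                            "allowed": allowed, "reason": reason})
        return allowed

    def denials(self):
        # Denied swipes are what a guard booth or SOC should see as alerts.
        return [e for e in self.events if not e["allowed"]]


def replay_visit(enforce_expiry, anti_passback):
    """Constructed timeline modelled on the episode: a badge issued for a one-day
    escorted visit is never returned, then swiped twice at the turnstile the next
    morning so two people enter on one badge. Returns (decisions, denials)."""
    ac = AccessController(enforce_expiry=enforce_expiry, anti_passback=anti_passback)
    day1 = datetime(2019, 1, 1, 9, 0)                      # constructed date
    ac.issue_visitor_badge("V-100", "visitor", day1)
    decisions = [ac.swipe("V-100", "in", day1)]            # escorted entry, day one
    ac.swipe("V-100", "out", day1 + timedelta(hours=4))    # leaves through an exit reader
    day2 = day1 + timedelta(days=1, hours=1)
    decisions.append(ac.swipe("V-100", "in", day2))        # unescorted return, day two
    decisions.append(ac.swipe("V-100", "in", day2 + timedelta(seconds=20)))  # badge passed back
    return decisions, ac.denials()


if __name__ == "__main__":
    for expiry, apb in [(False, False), (False, True), (True, True)]:
        decisions, denials = replay_visit(expiry, apb)
        print(f"expiry={expiry} anti_passback={apb}: {decisions}")
        for e in denials:
            print("   ALERT", e["at"], e["reason"])
```

With both checks off the controller behaves like the one in the story: all three entries succeed and nothing is logged as suspicious. Anti-passback alone stops only the pass-back (the third swipe), which is exactly the one-swipe, one-entry rule; it needs an exit reader, otherwise the badge is stuck "inside" after day one. Expiry alone would have stopped the next-day return regardless of who was holding the badge, which is the cheaper control when a visitor badge goes missing at the front desk.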