All right. Thank you, everybody, for coming out to our talk. Again, my name is Michael Aguilar, otherwise known as Vega. That's my handle. With me, I have Michael Howard and Eric Escobar. And, you know, I thought we'd do a talk on things that we like to do. And one of those things is physical security engagement. So just kind of going over it. The main part of it is that, basically, with these kinds of engagements, it's a group effort. You know, you can do it solo, but necessarily we do it as a team. And it's kind of through a lot of teamwork and integration that we kind of find a lot of success in these kinds of engagements. So in the talk, we're going to kind of go just touch over who we are, kind of go over the physical security engagements as a whole. We're going to cover some of the aspects of those, like external recon, some of the things that we look for with regards to the external perimeters of organizations. Kind of go over some social engineering. I'll be covering that part. We'll go over some of the gear that we carry. Again, there's a lot of things you can use to enter a facility. It's just what do you carry and when. And then we'll go over some of the bypasses and just some of the things that we use to kind of get entrance into these facilities if we cannot do it digitally. And just some overviews on things from the field. Things we've learned, things we've seen, just some funny stories in general. And some questions and answers, if anybody has any. And heckling. And heckling. So just about, you know, who we are. Again, my name is Michael Aguilar. I am a principal consultant at Sophos, or SecureWorks technically, at Sophos Company. I've been there about six years. I also am the resident code witch at the Biohacking Village. I work with them to kind of bring awareness in medical devices. I do a lot of things. I wear a lot of hats. Most of my focus is on adversarial simulations and emulations, internal network testing. 
But I also do medical testing and other kinds of tests, APIs. Just basically anything that's digital or it's there, we'll do it. I run, cycle, on free time, and just make really loud, fast music. But that's me. Hand it over to my colleague, Michael. I'm Michael Howard, and I've been at SecureWorks and now Sophos for about eight years. I also do a wide variety of penetration testing, network, web application security assessments, physical pen testing, and I also specialize in some SAP testing. I've recently gotten into reef keeping. So if anybody is kind of interested in that or want to talk shop about that too, I'm cool with that. I like DIY projects. Some are like when your reef keeping project springs a leak and you've got to fix the ceiling. Just throwing that out there. But yeah, anyway, that's me. Hey everybody, my name is Eric Escobar. Let's see, I've been at SecureWorks going on nine years now. I'm a principal consultant. I like to focus on wireless security, network security, physical, I don't know, OT stuff. I don't have any classic training of school. I went to school, I'm technically an engineer, so it's really fun when I get to do some OT testing because it makes things a lot more interesting when you can use a computer to make really big things move and do what you want or what the client doesn't want to be done with it. I'm also a ham radio operator, Whiskey Delta, and all my free time goes to kids because I have a bunch of really young kids and I just drop off and pick up. That's my life. So kind of going over what these kinds of things are in general with regards to physical security engagements. Again, if anybody's not familiar with them, basically the ask is that they give us an address and they give us some goals and that's it. 
So basically with that time, and normally about a week's time, we have to kind of organize a way to get into the facility, sometimes via people, sometimes via the perimeter with the regards to controls that they have in line to allow people in and out of the facility. But basically, again, the long and short of it is to assess the security hygiene of both the people, the personnel that kind of exist within that topography, and also the physical security controls around said topography. So again, it's our job within that week's time to get in and perform the actions to achieve our goals. Without getting caught. Without getting caught. And again, that's basically the long and short of it, and the joke of it is that you don't want to get caught. We've never had to pull our letters of authorization yet, but again, maybe you have one. I have not knocked on some kind of podium, but hopefully that does not have to happen during these kinds of things. But again, it's a time crunch. You're working weird hours. You have to get there sometimes when the last person leaves or before the first person gets there. It's not a very linear kind of thing. There's not like a one-size-fits-all. Every kind of locale and area has different things and different kinds of things you have to learn to grow with and bypass. I've noticed in my testing experience, it varies by region. Not necessarily specifically by location, but it varies topographically how the people react and what the kinds of controls are in specific regions, at least so I've noted. Because in California, everybody's really cool, really nice. Everybody will hold the door open for you, which is great. But you go to New York City, and tell me what happens, guys, in New York City. I'll put it this way. Some of the things that we've done, such as exiting building windows in California, would not fly in New York, and the doormen would practically kill you. But again, starting from the beginning, we do OSINT. 
You have to learn about your environment. You have to learn about your target. So we start looking around the things that are available with regards to the business. We start looking around LinkedIn, pictures of the facility. Is there anything on Google Maps? Are there any smoking areas? Is there an area where the people aggregate? So think of it like fishing. You kind of want to fish where there are fish and not kind of go into a void where there are no people because that's not going to help you with regards to trying to get into a facility and or blending in. So a lot of this is with Google Maps. Thank you, Google, for going ahead and taking the recon pictures for us because basically you've done all the hard work and you've already done it incognito. So as an example, take a look at this facility picture. Everything you've learned, like you've seen on Google, these are all openly available pictures, just a random thing that I looked up online. It's just like, let's look at this building. So there's a couple of things we've learned here. One, there are some key entrances. Obviously you can see an HID badge reader at the top of that little area. You also see that door that has no kind of doorknobs on the exit of the facility. Those would be prime things to use for like a shove knife. But again, these are all things that are already taken for us that we observe and then we utilize to make smart determinations on what kind of tools we are going to bring. Now down here at the bottom, you'll see two cases. That's my friend Michael's kit with his physical security tools. Mine are a bit larger and a bit more ominous. But necessarily we have a lot of tooling and we want to make sure to bring the least amount of tools on site because you don't want to have to be running around clanking with like nine under the door tools and like eight high frequency badge readers when all you need is maybe a couple of picks and a smile. 
But again, as you noted, the site entrance has that area where you can probably use a shove knife. There are HID badge readers, probably the first version of that, so that's going to mean you need a low frequency reader. And these things that, again, you find online are things that help us make smart determinations on, again, what we bring on site when we go there. Also, again, you can find their camera systems. Things like the battery in a hotspot. If it's using an open source camera system like Ring or Wyze, we can take that offline. And on the flip side of that, this is something that we'll just use on our engagements to monitor the parking lot and the entrances and exits because we can just sit in the hotel room, watch the camera feed, and then when it looks like, hey, coast is clear, but he's gone, we can go try all of our badges that we've cloned, try picking the lock, all that kind of stuff. So just like a $30 Wyze camera, a little USB battery pack in a hotspot, and now instead of just sitting in a car looking super suspicious, you can sit in your hotel room nice and lazy. Now, Facebook. I love Facebook. Not as a user, but basically as a hunter. A lot of people and a lot of businesses love to put things on Facebook. Facebook and LinkedIn are a goldmine of informational pieces with regards to things that people carry on them when they go to work. If you look online, a lot of times people will go to the Christmas party and they'll have a grouping of people and everybody's smiling and you look and there's a badge. Now, what does that allow us to do? That makes it so when we go back on site, we have a badge that looks pretty much believable, if not almost 100% believable. We add the fact that we have a clone, possibly RFID, coming up later, then we will be able to enter the facility looking pretty much like you. 
Except obviously, you know, since I have a lot of tattoos and things, I will be covering those up and you probably won't see any of those, again, when we enter that kind of facility, as I'll be wearing long sleeves and using makeup to cover up the ones behind my ear and on my neck. But again, people take pictures of all these things and that just makes it a lot easier for us to determine what we're going to be doing when we enter these facilities. It also gives us an idea of what kind of badges they carry. Sometimes we've even seen it to where their facility code and their, you know, everything is printed directly on the badge. It's almost like when we see the keys and they have the key bitting on the keys. That just means we go to the hotel and we just cut the keys. Cool. Again, you know, when we start looking on Google Earth, we're trying to look at see where are the weak points. Again, we're looking at things that we can do to get in undetected. This is going to be the quickest ways. Again, looking at those HID badge readers or say the doors that have those lovely request to exit sensors that you can use the canned air trick on. You know, the placement of those sensors is key. And knowing what doors have what makes it just a lot easier to determine what we can bring on site and how we can defeat their on presence controls. And then the other part of it too is that, you know, obviously I'm the wireless guy, right? So I'm going to see everything as an access point that can be breached. When you walk around, you have some antennas. You have some, you know, some random devices on you that you can log all the wireless devices that are in and around. You get to know a lot about their architecture. So you can see things like, hey, do they have Nest thermostats? Or do they have, you know, a certain kind of laptop? Are they a Mac shop? Are they an Apple shop? You can just see things just from the MAC address as associated with what's connected to their Wi-Fi. 
That being said too, if you're walking around and you can capture any hashes, any credentials, you may not even need to get into the building to be able to compromise that organization. You might be able just to put a device that's somewhere, you know, within physical vicinity and we have lots of little battery operated devices that you can just throw into a bush. That's within proximity to their Wi-Fi that then you can use to pivot through, gain access to all the, you know, internal network pieces, and then you don't ever need to even actually breach the building itself. So now we're going to talk people. Now obviously, you know, we've seen the perimeter, we know what defenses are there, but sometimes you have to start interacting with the people, and normally you do, to try to get entrance into these facilities. That's where the social engineering part's going to come into play. Now here it again, it says these antisocial social engineer. Now me, personally, I'm somewhat of a wallflower, which is funny that I'm up here giving a talk, but it's like one of those things that once you pull the cork out and, you know, you give me a couple of rock stars, you know, you can't put that thing back and it's just out. So I go with that, but necessarily I'm pretty quiet, like I'm pretty shy, and so interacting with people is kind of weird. Now obviously you see me wearing sunglasses, we'll cover that in a bit, but there's a reason for that. But kind of we're going to go into how we move inwards on people. Now, again, on-site recon, again, we're still kind of at the perimeter, but as you saw there, there's a guy and a phone. Now, what's on the exterior of a phone? A camera. And luckily they have made these cameras very good with regards to zooming in and recording videos. 
So, again, a lot of times we'll just be walking around, you know, having a fake conversation with somebody, but in reality we're actually recording the perimeter of your building, getting a closer look at the badges, getting a closer look at the inside, any kind of defenses, and taking a look at the people. You know, where are they walking to? Are there any kind of guards that are there? Is there anything we can note from that on-site reconnaissance, just walking around like a person who has no idea what they're doing, just having an aloof conversation. People normally will walk by somebody who's having a conversation, not thinking twice, and almost kind of ignore it because it's somewhat rude to listen in on a conversation. So they just kind of let you mind your business, and, you know, unless this is a very protected area, with people who are kind of aware, you can just walk around with a phone all day long and nobody's going to say anything. So going a little bit further, again, obviously you have to try to move in on these people. I'm kind of like a snake, I have a lot of skins, so necessarily I can, you know, dress up, act different ways, I know different terminologies, I've worked in kind of the medical field, I've worked in computers, I've worked DOD, I've worked in customer service, so I know kind of how to interact and kind of how to emulate a certain persona. But again, as you see here, you know, obviously I've had to dress up like business people a lot, and, you know, Eric has done the UPS thing to try to get inside to the building. But you'll see how those kinds of things kind of come out with regards to how you can get quick wins. And the other thing that's funny, too, is that depending on your, you know, where you are in the country or internationally, there's a lot of things that will work and some things that won't. 
One thing that we found that works out quite well is if you just act like you're an electrician, anybody will let you in and say, hey, you know, we cut the grounding rod out back, you mind if we hop onto your desk real quick and make sure all your outlets are grounded? Now, those are all words that, like, a lot of people probably have heard before, kind of understand, probably not as well as they should, and if somebody with a clipboard and, like, a reflective vest and a multimeter and a hard hat come in, steel-toed boots, and they say, hey, can I hop onto your desk? They're like, yeah, how long is it going to take? And you'll be like, oh, you know what, it'll probably take ten minutes, grab a cup of coffee. Well, now you have an unattended computer that maybe they locked, maybe they didn't lock, and that's now some unattended time that you have underneath their desk to plug stuff in, plug something into the network, a dropbox, you know, a key logger, whatever it might be. So, you know, there's the one aspect where you're just trying to gain intel and gain information, but then when you're actually trying to go into the organization, you know, that really helps to kind of gain somebody's trust when it's something that they kind of know something about, but ultimately they don't want to get shocked, and so they say, you know, I don't want to get shocked, so sure, have at it. And I'll be like, hey, sorry, we're just doing some work out back, didn't mean to cause you any harm, that's why we didn't put in a work order or anything like that. And pretty much everybody believes it. Yeah, I mean, really the key is knowing what is going on in the facility and knowing how long the persona that you're going to emulate has in a normal interaction to be on site. Now, obviously the FedEx and the UPS and the Amazon, those are touch-and-go people. 
They show up for a limited amount of time, they may be wandering around looking for a space, but basically you have like 15 minutes possibly in a site if you're kind of a loop and there's like multi-tenants in there to pretend like, you know, you're looking for that specific person to get out before it starts becoming odd. Now, again, that's why the determinations of what you're going to emulate are smart. Like, other times I've shown up like a potential renter. Potential renters have a lot of time in site. You want to take a look around the facility, you want to take pictures, you want to see if this can be the right place for you to rent. So, again, it's that smart determination of how you're going to emulate that persona and what you're going to what you need to achieve in that interaction to be able to get to the end goal. And then the one that Aguilar just described of looking like a potential renter, he came up with it and it was brilliant. And it was really funny because he was describing kind of the office look and feel that he wanted because he had seen pictures of our client's office online and it was the exact look and feel. And so the building manager says, you know what? We have an office in that building that fits this description. I think that they'll let us walk through it if we ask. And so then I think it was the CFO or some C-suite executive who did not know about the engagement invited us to go tour the office and go walk around. And then our POC is sitting in his office and he sees us walk by, escorted by building management, and we just wave to him. It's pretty funny, but it's one of those things. We knew that they were doing our OSINT. We knew that they were renting out spaces in the building. We knew that they were looking for new tenants. We knew that our organization would be friendly to having somebody come tour the facility. So kind of pairing up all of those things, we got full entrance. 
We were invited in to that point versus any of the other touch-and-go's like dropping off a package where, great, you get in for a hot second, but you don't get to tour around, you don't get to wave to people, talk to people, ask about their experience in the building, how they provision cards, and all that kind of good stuff. Yeah, and they really like the fact that it's like, hey, do you mind if I take pictures of everything? I just want to see what it's like. Making sure that there's not cameras and stuff everywhere to make sure that we're not going to get busted as we enter later. I got a badge later on that one, but we'll kind of cover the how kind of right now. So me, again, I'm kind of the people person. I walk out and I talk to the people. I normally am like the first bump or trying to do something to get that initial key read. So sometimes, again, people they have these things you need. Keys, badges, information. And this is, again, where getting that social engineering play kind of comes in. And me, when I do these things and when I'm actually trying to look for somebody that I need to get the information from, or I should say when I'm looking for a target, I am looking for one thing specifically. Kind eyes. Now has anybody, again, if anybody has seen this skit, Gary Gulman doing his skit, he's like, people say I have kind eyes. But he does. But here's the thing. Eyes are kind of like the gateway into the soul. Many people have said this, but again, if you look at people's eyes, you can kind of learn a lot about them in an initial couple seconds. I have found that kinder more wide open eyes, again, are people who are, say, have a bright sunny outlook. More willing to help. Exactly. They're the helper kind of people. They want to make people happy. And so, again, unfortunately, in a social engineering kind of sense, they're perfect because that means that they're coercible. And they may not know it, but again, it's not just me. 
Scientifically, this has been studied. Dr. Paul Ekman, he's a psychologist, a research psychologist in the 70s and 80s and stuff. He came up with this idea about reading micro-expressions. These are like little small things about people. Like, you know, things that they don't even know that they're doing. It could just be a two-second glance. It could be like a one-second glance. Like, you're looking there a little... How do you say it? Your eyes are a little bit terse, and you're examining, but again, that means that you're just being observant. You're learning, and again, you're trying to dissect everything. But again, people can also have the same things. They can let you know things about themselves. They can let you know if they're happy and sad, and then that's how you can kind of mold the conversation into what you want. Frame it, and then kind of steer the conversation to kind of get what you need. Now, an example. Again, I'm going to show a slide real quick, and then just try to guess the emotion that is on the slide. Okay? Exactly. Well, you remember how they did this test. So they do this, and then they just go... So looking at those faces, you have to determine which one is anger and why. Now, the correct answer, again, is A. But does anybody know why? It's the direct look, the terse lips, the lack of wrinkling of the nose, and basically the eyebrows and the corners of the eyes. The direct look, again, is implying that they're directly looking at the person, the target. And all of that kind of interaction, again, means anger. If you're looking at the guy on the B, that's more... Sorry, C is more of a disgust. You can kind of tell the nose is wrinkled and things like that nature. D is more of confused or like, you know, just kind of like, you know, unsure. And B is more... How would you say? I forgot the word, but basically it's not the directed anger. It's more contempt. 
So, again, by reading the signs, again, you can kind of steer a conversation of a person or somebody you're trying to interact with in a social engineering manner. Me, again, one of my go-tos is, again, how would you say? The kindness of people. Again, looking for those people with the kind eyes. Once you've focused on somebody and you actually have an interaction, again, look for somebody, maybe offer them some gum, you know, have a small conversation with them. You know, hey, what's this building like? You know, starting to rent them. And then, like, if you exit the building with them, hold open the door. You know, a kind thing. So, when you do that, basically, they would like to do something in return. So, as we're exiting, it's like, oh, you know, I have something in my shoe. And so, you know, can you hold my bag real quick while I get my... get this thing out of my shoe? Normally, it's like, you know, those loafer kind of shoes. They're kind of tight. So, while we're doing that, obviously, I've framed the interaction. It's a small thing that they can do to hold the bag really quick, you know, as I just get this out of my shoe. I'll empty, like, and there's a little rock in there. But the thing is that they're holding my badge cloner and, basically, I'm just getting badge reads all day long, get my badge back, and then, basically, we'll just go and do arts and crafts time. But by reading people, again, you can also get information, especially when it's, like, a decision or any kind of other things, to learn, like, you know, is this A or B? Is it going to be, you know, C or D? Sometimes these things can lead to maybe you possibly reading somebody's face and determining what the numbers are. And that actually happened. So... I was going to say, Michael won a car on Price is Right. You should go Google it. But, again, one more thing that I always kind of tell myself when I go on-site is that, basically, you need to have a good reason to be there. 
Because if somebody stops you and asks you, why are you here? You kind of have to have a reason. And one thing, again, in the OSINT that I like to do is to have a viable story. Research a business. What do they do? What are their events? Is there some kind of, like, you know, external wing that you're from? Can you kind of make up an entity? Can you emulate somebody? But, again, once you come to this determination of having a story of why you should be there, stick with it. Because if you don't stick with it, then it's just going to fall apart. So to stick with it, again, you can tell yourself, basically, just go with it. Just put it in your head, and I'm there. You know, I'm this person, and I'm just going to roll with it. Yeah, so, we're going to talk a bit about some of the tools that we use. I'm not going to go through every tool that we might use on a physical security assessment, but I did want to cover some that I've modified and customized to work for me. Some of these you may have already seen before, some of them maybe just slightly different. But I thought it would be good to kind of share these, and if you come up with ideas to improve upon these even further, please let me know, because I'm always wanting to improve my kit. Yeah, so, the first is for the infamous K22, or the Under Door tool. I'm sure probably everybody that's interested in physical security has probably heard of this tool, or seen it before. From this slide, you can probably see at least one modification right now. If you don't know the tool, normally it comes with a braided cable that really gets bound up into everything in the bag, and when you pull it out, it comes out with every other tool in your bag. Here, this has a key back. It makes use of a key back, which is basically just a retractable key chain. It's made of paracord, so it's really strong, and once it's not in use, it just retracts like so. So, it comes in two pieces. 
This has made a massive improvement when I'm on site, so a lot of times I'm carrying a messenger bag or a laptop bag, and this thing folds right up into it, doesn't get tangled up into anything anymore. So, that by itself was a massive improvement. One modification that you may or may not have seen, I found this from the NotSoCivilEngineer. The last time I looked, the YouTube channel wasn't available anymore. I wanted to be able to direct you to that, because he did go through a really nice video demonstrating how this works, and some of the ways that you can use this modification. But I'm going to try and do this with pictures. So, in the bottom right, you can see that there's, hopefully you can see that there's kind of a notch cut into the hook. And I think, yeah, here we go. So, normally that end that looks like a hook, when you buy this tool, it comes as a loop instead. And the wire, you know, it's attached to that loop. So, one of the limitations of that is that you're kind of limited to the diameter of that loop, as far as how much space that you can slip that wire in between the door handle and the door itself. You know, it may only be like an eighth inch, but I've come across doors where that just wasn't enough. So, in this particular case, the top right, you can see that the way that key back fishes through that groove in the hook, it actually rests directly against the door. So, as long as the gap is at least as wide as the paracord on that key back, it's going to slip through that door handle and get to places where a stock, not modified K-22 is not going to get to. You brought that, right? Yes. By the way, good call. I've actually brought all these tools, and we have a Sophos booth out here set up, and I will have all this out there to kind of demonstrate and show, and you can kind of look a little closer if you're kind of curious about some of these. But yeah, good call. Another way that this can be used is by opening crash bars. 
Doors with crash bars on the opposite side. That hook in the top right, you can see that you can actually use that hook to grab the stationary hardware of the crash bar. And when you pull the cord, it will actually push the crash bar in from the opposite side. How much force does that take to do that? I mean, it varies. It looks like an angle right there. I mean, it is something that takes practice. You kind of have to bend the tool to get at the height, kind of estimate the height of the crash bar. Bend your tool so that it kind of comes up to right where you think it's going to land. And then you can kind of work it in, and it will hook. If you're off on that, the hook may not grab the hardware itself, and it will kind of slip off. It does take a bit of practice. And yeah, it's not easy, but it is something that can be done, and you know, it's not something that I would have thought of before. Now, has anybody ever seen this on the other side of the door? What do they think? Oh, no, you try and make sure that nobody's there, if you can. So he's actually alluding to a scenario that I got into where this was like 10:30 at night, and we were on an engagement. There was a small window in the door. It looked pitch black in there. So, you know, we had a badge that worked practically everywhere, except for the IT room. And then on this particular engagement, the IT room was one of the targets that the client wanted to see if we could get to. 10:30 at night, pitch black, card doesn't work. All right, I'm going to grab the under-door tool. So I grab the under-door tool, slip it under the door, and I'm working that thing back and forth trying to grab the handle, and the door opens. Except I didn't open it. So, yeah, make sure that the room's empty, if you can. That would help a lot. All right. That's, onto my slide, this is why I don't like to go into the building if I don't have to. So, kind of talking about, as we do OSINT, we're walking around the building. 
More often than not, we'll get credentials, either it's a WPA2 handshake from, you know, just one of their IoT networks that's out there, or if they don't have their RADIUS properly configured, you'll have users that will just basically give you credentials in mid-air because they're trying to authenticate to your rogue access point. Now, a lot of organizations these days, they all have MFA, or at least I'd like to hope that they all have MFA. So you get, Chris in the front, how many have MFA, right? But you'd like to think that they do. A lot of the organizations that we test, they have MFA across VPN, Office 365, all that good stuff, right? Now, the problem with that is that, for us hackers, you can't use those credentials on the outside from the public internet to then go compromise that organization from the outside in. However, there's a nice little configuration that many, many corporate networks have, and that is the guest Wi-Fi and the corporate Wi-Fi all go out the same egress IP address, right? So if you're on your laptop in the corporate network, connected like a real corporate user, you get the same public IP address as somebody who is sitting on the public internet. Why that matters is because a lot of organizations will set up trusted locations, trusted IP addresses, where that traffic is more trusted than a lot of other traffic because it's coming from your main corporation. And typically what happens is you get C-suite, you get your board of directors and they say, hey, why do I need MFA if I'm in the building? Shouldn't the second factor of my authentication be the fact that I had to badge in to get here? And what they neglect to think of is the fact that there are people and wireless extends outside the bounds of the building. Right? And so if I hop on your guest Wi-Fi and I have credentials, now I can typically authenticate to things such as the VPN to Office 365 to your Citrix, you name it, because it's coming from a trusted IP address. 
So now I didn't have to get in the building, I didn't have to have somebody open a door in my face or, you know, trick a security guard because we can just access it wirelessly, right? So that's one of those tricks that I really like because, you know, it doesn't work every time, but even if it works five, ten percent of the time, it's worth that extra little bit for not having to do arts and crafts, print out badges, stalk people online, all that kind of stuff, right? It's a nice shortcut. The other consideration, too, that I just think is so much fun is the fact that even if they have fully encrypted everything networks, nothing's on guest, blah, blah, blah, this, that, and the other, no matter what, you'll see in the wireless layer, you'll see the MAC addresses of devices connecting to that network. And so, MAC addresses, they have the hardware identifier, you can typically see different versions of different, you know, wireless chips that are onboard, and then there's huge lookup tables that you can go look at online and say, hey, this is my MAC address, and, you know, if it ends in this, or, sorry, if it begins with this, like, certain level octet, you know, hey, these are Nest thermostats, these are Wyze cameras, these are Ring doorbells, this is an S2 security system, everybody's using MacBook Airs, right? It gives you a lot of just insight. That's not direct, you're not like, you know, reading people's emails, you're not, you know, all the packets of data are encrypted, but you get to see the base level of devices and hardware that are running. So that allows you to kind of craft some of your, you know, different techniques or different tool sets or different things based upon what that organization might have, you know, just from looking at their MAC addresses. 
And again, you can view all of this from a phone, from, you know, any other device that runs airodump or any of the, you know, monitoring tools, and you can use that and leverage that to then gain, you know, access that potentially you shouldn't have. The next bit about this is, as I kind of mentioned a little bit earlier before, hopping under somebody's desk, but just installing physical keyloggers, I think these are so underrated as, like, a physical entry tool. Because physical keyloggers, you put them in line, right? So this is not going to work for somebody that typically is just typing on their, you know, on their MacBook Pro on their keyboard, right? Because this has to be in line to a USB keyboard. But the amount of times that you can just go unplug somebody's corded, you know, mechanical keyboard, plug one of these devices into the back of their computer, and then that through there, now all of a sudden you're logging every single keystroke as they type it. So sure, you're gonna, so if they were, you know, so we did this one time, and, you know, we, as we're in the office, we're planting these physical keyloggers, and we say, oh, that is one of the network administrators that we know from LinkedIn. So let's just go put one on his computer. And you could see, when he's seeing something kind of wrong with his account, and he changes his password, like, hey, thanks, you gave us your new updated password. And the other really cool thing about the more modern physical keyloggers is before, this would be something that you would have to recover, right? You'd have to go, you know, extract it somehow, and that's where you're gonna get caught, going to the same place two times, right? Whereas now they're all based on Wi-Fi, or at least a lot of the ones that you can buy are based on Wi-Fi. 
So you can either hop on their guest Wi-Fi and have that go out to a C2, or if you have another drop box, say, on that network, you can use that drop box as a relay so that you can see all these keystrokes. And again, it kind of comes back to that, the laziness, or you don't have to be present in the organization. So one time, Aggie and I were doing this, and we woke up in the morning, you know, because we were out late at night, you know, casing the place, and we just see, oh, here's the user logging in. You can just look at the screen session and see their keystrokes as they, like, you know, jack up their password, backspace, backspace, backspace, backspace, backspace, and then type out the right one, right? So you can see these keystrokes, and everything happened in real time. So there's a huge power in being able to plant some of these, and it does take a whole bunch of elevated access to get into that point, but once you're there, you can even inject keystrokes in the opposite direction. So when you see somebody do, like, Win+L or lock out or leave for the day, you can unlock their computer, because you have their password, and now you're authenticating their operating system. So you can run any one of your shell commands to download a beacon, your C2, you know, so on and so forth. You can think of all the bad things that you can do on that host. But yeah, I really like these things, and Carlos, you're going to like this next slide. Oh, is he? So yeah, Eric likes to talk a lot about accessing the wireless network from the parking lot, and that's sweet, but we have a lot of customers that want to see if we can actually plant a drop box on the network. You know, is port security enabled? If it's not, or if it is, can we bypass it? A lot of older printers and things like that don't support, like, certificate-based stuff, so those are often areas that we'll look at to plant a drop box. 
But just like the under-door tool, before, at least before I customized this setup, it was a bird's nest, and if you tried to pull that out of the bag with all the Ethernet cables and everything attached to it, it would pull a lot of other tools out with it. And, you know, depending on the scenario, this might be a situation where you're trying to be as quiet as possible, as quick as possible, and when you've got all these wires and things like that hanging out everywhere, it kind of hinders that a little bit, so I came up with this little setup. The main piece here is a ZimaBoard. If you've never heard of them, check them out. I think they're awesome. There's no moving parts. They use very little power, at least relative to something like a NUC. If I needed to, I could probably run this off of a battery for a little while. In this case, I've 3D printed a piece that would mount to the original screw holes and things like that. And it makes use of a hotspot that can connect through the USB. Really short USB cable that just wraps around the device so it's not getting caught up in anything. Really, all this thing needs now is just power. I believe I remember seeing that you can use a Power over Ethernet splitter to power the device and get the power over Ethernet. So if you have a splitter for that, that's just that much less you have to carry in your bag. But this is a nice, compact little piece that would slip under a desk and, you know, in most office spaces, you could put this in an area where nobody would see it. And there's very little light. In this case, I actually used the tinted plastic that comes with the ZimaBoard to actually tint the screen on the hotspot. So even if that comes on, it's pretty dim and, you know, if it's under somebody's desk, they're probably not going to notice it. So that's another customization that I really like. A couple of others. So these are what we use as badge cloning devices. This is a high frequency reader. 
It has an ESPKey from Red Team Alliance. I think those little devices are awesome. They're used to read the Wiegand data raw off the readers. The ESPKeys are already programmed. They got a little web interface. Like, it'll spin up an AP. You just hook up to it with your cell phone and it's ready to go. So I love those things. I've probably got three or four of them now. And it's actually what I use on all my badge cloners because it uses very little power and it's, like I said, it's ready to go right out of the box. In this case I've customized this so that I don't have to open it up unless, you know, you get stuck at TSA for 30 to 40 minutes and they force you to open it. But I wanted this thing to be, you know, made to a point where I could just plug in a charger from the outside, switch it off and on from the outside, and never have to open it up unless, you know, I'm forced to. Under duress and freedom? Under, yes. And that's the same with the low frequency reader here. I also customize this with a battery that's removable in case it needed to be removed for flight. I take this particular case as a carry-on. Usually don't have a problem with it, but I figured if somebody did have a problem with the batteries I could at least unplug them and remove them. But yeah, this is how I've customized my readers. I hope it maybe gives you an idea of how you can make things nice and sweet. Making this as compact as possible. You know, I wanted this to run all day long if it could because, you know, depending on the scenario you might be out in a really wide open parking lot or you know, even working within a facility using this to try and capture additional badges. You know, maybe the first one that you captured, it just gets you in the front door and that's it. So you might want to walk around the office and try and escalate privileges using a badge cloner. You know, catch yourself in the elevator with somebody. 
Yeah, last time we were on site we just took that with us on the second visit, then opened a drawer and found a boatload of badges, then just took that thing and just kind of waved it over everything, just kind of scooped them all up. Yeah, by the way for anybody that has not seen or used these, they have a read range of about 12 to 14 inches. It kind of depends on the environment. So yeah, if a desk drawer has a badge in it, waving that thing in front of it is going to get them. Another case that I've used this is I've been in a facility where there were coats that they use for you know, like OSHA reasons. It was like safety you know, kind of equipment or clothing. And we just waved that in front of all the coats and started picking up badges that were just left in pockets. So, yeah. Okay, go ahead. No, you go. Oh, no, no. Yeah, so anyway, that's another use case for this. But yeah, each of these long range readers have a read range of about 12 to 14 inches. So it really opens up the possibility for you know, catching badges at crosswalks in the elevator you know, things like that. In this particular case, I wanted to keep this as compact as possible. And the reason why is because if you have one of these and $3.24 and an Amazon vest, you can just hand deliver this to the target and they'll accept it because it's a package. And yeah, you want to... So going back to again the placement of people and things. Amazon again, limited time delivery. They show up, they drop off the package and leave. In this case again, as Michael stated, his readers are nice and everything's put together. Mine has like a bunch of wires sticking out. But as you see here, obviously you know, walking in, what does Amazon do when they drop off a package? They have to take the picture. So you hand it to the person and you're like, yeah, just hold it right here where your badge is and let me take the picture. Oh, shoot, wrong address. Get the package back and we're gone. 
Yeah, and in this particular case, this happened to be a single tenant that owned the building. It was a wide open parking lot, so there wasn't really a natural choke point to try and get within range of reading a badge unless it's going to get awkward. So we ended up coming up with this idea and it actually worked and as luck would have it, the person at the front desk was actually also the person in charge of the badging station. So... Yeah, we had access to everywhere just by hand-delivering that package. Oddly enough, we showed up right when the actual Amazon guy showed up. So another one, and this kind of falls a little bit more in line with what we would call phishing. A lot of people, when they think of phishing, they only think of emails or maybe text messages, phishing, things like that. This is another form of phishing and I put this together fairly recently. I had a first iteration and my main goal there was to make sure that it could at least run 8 to 12 hours, or 10 to 12 hours. That way, if we needed to, we could plan it before people got to work in the morning and then go pick it up in the afternoon after everybody's left and it would still be running and nothing would look phishy. Well, the first iteration that I did only lasted about 6 hours, so it really had limited use. If the reader dies on the wall and somebody notices that, they're going to tell somebody. So in this case, I actually ended up finding that there's about an eighth inch of epoxy that HID uses for probably environmental reasons, just to seal it up, keep it protected from the elements. Well, it ended up stopping me. In this case, that left just enough room for these batteries which are, as it turns out, a lot of paintball guns use these because of the form factor. They're kind of suited for the grip. They actually worked out really nice for this. 
As you can see in that picture on the left, I actually had to shave a little bit of the speaker, the little piezoelectric speaker, off just to fit these batteries. I wanted to make sure it ran. So anyway, all of that worked. This will run 12 to 14 hours now. That little picture on the right is right next to my pantry in my house where I was testing this out. The thing weighs 10 ounces. I can put it anywhere with one command strip, I think two-thirds of a command strip. I've got blankets and stuff under there just to test it out. She had to badge in. The wife had to badge in for snacks out of the pantry for a little while. Speaking of phishing, another thing that we had to get a little bit creative with on another engagement was phishing with flyers. They were pretty restrictive on what they wanted to allow us to do. We could only be there while people were there. This was the type of facility where everybody kind of knew everybody. So we had to get creative. What we had come up with, and we ran this by our point of contact, they didn't want us using the company as part of this pretext. So we ended up going with this. The reason why we ended up going with this is because, as it turned out, that week just happened to be the 40th anniversary for AT&T, and this customer was next to an AT&T store. So we stood up a phishing site and printed up these flyers and just started placing them around everywhere. This is just kind of another example of getting creative on these engagements, and kind of another form of phishing outside of what you would think of with emails and things. Now, what happened, though, was that this was in New York. Now, again, the people tend to know people in New York, and the cleaning staff knew everybody, and doorman knew everybody, and everybody knew everybody. So as we were laying these down, the cleaning staff was picking them up and throwing them away. 
Again, they weren't following us, but this led to our interaction on the fourth day when we entered, and we were apprehended within about 20 seconds of touching that floor by an angry gentleman and a woman screaming on the phone that was the head of security. She unfortunately got us the first day. We kind of soft-talked our way out of it. I thought we got out of it, but again, that was my first interaction with people from New York, specifically Manhattan. And sure as all Hades, he told me that she's going to follow up on that. First thing in the morning, she followed up on that. The operation ended with them putting out an all-call to everybody. So if you see us, basically call the police, which is NYPD, which meant we were going to Rikers, which I'm not going to spend a night in Rikers. But anyways, we no longer could go in certain areas of Manhattan for the last couple days, so that was fun. But that kind of brings us to the end of our talk. Again, we finally covered some things with regards to what we do with these kinds of operations, some tool customizations and other, but as the group, did you or anybody have any questions? By the way, I just wanted to mention again that I will have all of these tools, including those that have been customized. I'll also have a lot of the tools that we didn't cover today, just because of timing, but if you're interested in any of those tools that were customized, or any of the other tools that are commonly used, and you just want to see what they are, how they work, and all that kind of stuff, feel free to stop by the booth. I'm going to keep these here at least probably for the most of today. I'm not sure if I'll bring them again tomorrow, but we'll be at the Sophos booth with these, so if you want to check them out, stop by. Anybody have any questions? Anything? Well, I mean, they're not going to be able to hear you. Oh, the sunglasses. I wear sunglasses because I don't want people looking at my eyes. 
Well, no, it's because my eyes dart. I'm constantly looking around and thinking, so if you see my eyes, basically I'm staring off into space and it doesn't look like a linear thought, so people may think I'm kind of aloof, which again goes into the social engineering thing. When I do kind of play an aloof person, it's going to be kind of like, oh, I've got a rock in my shoe. Like, why would you have a rock in your shoe? But anyways, it works out. My question is for the little guy. Eric? Okay. Kind of two parts. So when you're on site doing wireless recon, are you trying to monitor all the Wi-Fi frequencies at the same time? Are you frequency hopping? Are you looking at the 2.4 and the 5? Are you going to the Wi-Fi 6 and 7 now? Or, you know, what basic methodologies are you looking at? And additionally, hold on, guys. Are you looking at wireless signal, Wi-Fi, not Wi-Fi, wireless signals outside of Wi-Fi that may also be coming from your target facility? So to answer your question, the first thing that I basically do when I roll up on site is I see what access points do they have, right? So see, you know, what their SSIDs are. Once you can see their SSIDs, when I say SSIDs, like their guest Wi-Fi, their corp Wi-Fi, typically access points, they will transmit on multiple channels, so on 2.4 gigahertz, which is, like, the older school, like, wireless tech that goes farther at lower bandwidth, it'll broadcast on typically 1, 6, and 11, because the bands will overlap. All this to be said, typically, corporate Wi-Fi transmits on a bunch of different frequencies. And so first thing I'll do is I'll see what frequencies are they actually basically, you know, transmitting, and then what I'll do is I'll kind of, like, narrow the scope down. So the best way to think about it is if you're, you know, a 10-year-old and you're doing old-school flipping channels and you're going really quickly, a wireless card typically can only look at one channel at a time. 
And so what will happen, what Carlos just said, is that channel hopping is you're going channel one, looking at it for half a second, channel two, looking at it for half a second, so you're gonna miss data in there because you're looking at the rest of the spectrum. Now, if you can only look at three channels at the same time, you're gonna be able to collect a lot more data. And so typically what I'll do is I will bring a handful of wireless adapters, connect them into, like, the ZimaBoard or something, and then multiple devices that can all live in a backpack or in a, like, you know, messenger bag. And so then I can camp on all three of the main 2.4 gigahertz channels, and then when you go up into the 5.8, Wi-Fi 6, you can have a bunch of different other adapters so you can try and ingest as much information as possible. Now, that's gonna use down your batteries a lot, so it's typically only for, like, quick recon, but yeah, we camp on all of that. And as far as looking for other, like, wireless technologies, we have a... I didn't get in all this because it's not a wireless talk, obviously, but we have a, like, little software-defined radio dongle that you can put in there, and it'll run a tool called Kismet. Kismet will look at, basically, a ton of these radio frequencies, see if it can identify anything. So one of my favorite ones that I haven't seen in a really long time is Logitech used to have wireless keyboards, and you could read keystrokes, inject keystrokes, just wirelessly. So if you saw somebody had a Logitech keyboard that wasn't patched, you could just run a command, and, like, it would type out PowerShell on their screen, or, you know, start, run, CMD, you know, do all that kind of stuff. So we do look at a bunch of other stuff, but typically we try to keep it to Wi-Fi, unless the client has a really specific, like, ask, or we see, like, we'll do an initial look and see, is there anything interesting here? 
The other thing that we've done a lot to is gate cloning for, like, doing replay attack against what's called, yeah, sub-gigahertz for, you know, anything that's, like, 434 megahertz that you can easily replay to get through security gates and that sort of thing. Anyways, I talk about this for a really long time. Yeah, and so another example of that is we were on an engagement, and a lot of these we actually try and get a hotel near the target facility, that way we can keep eyes on it if we can. In one particular case, we had a room right across the street, in a room, facing the target, and after, I think after the first night that we had broke entry, or made entry, we were in there all night, and then the next night we actually saw a utility truck with one of those yellow lights on the top that a lot of utility workers use, but also private security use. It pulled up around the time that we went into that facility the night before, and we started to suspect that it may be private security. So Aguilar here broke out his little SDR and started tuning in on some of the local frequencies that private security uses in that area to see if they were actually talking about us, or if it was anything like that. That's just kind of another example of where we might, in that particular case, they ended up driving off about a half hour later. Yeah, I mean, again, normally PD, that helps to know if police is on the way. Nine times out of ten, they're not using frequency hopping, at least not small metropolitan areas. Again, most of the large metropolitan areas have done that, or should. New York definitely had, but again, it's still one up-and-coming thing because of the cost. Any other questions? Oh, yep. Well, I mean, they won't be able to hear it, or record it. So for that flyer you had with the QR code, how do you do that scope-wise if they're going to use a personal device on that? Is that an issue with some clients? Do they care? 
And see, that's all in how you do it with the authentication. That one in particular, we asked when they hit the site that they need to verify their... with the company that we were looking for. So they had to authenticate into Microsoft 365. Quote-unquote. Anybody else? Oh, yep. So when using the rock-in-the-shoe trick, do you make sure to use an actual rock? Yes. Do you do smooth or sharp to really sell it? It's whatever is in the physical location. Normally it's a little pebble from the parking lot. Okay. So you use native rocks. Yes. Okay. Because you never know if someone plays Dwarf Fortress and they're like, no, that's from a sandy loam, but we have loamy sand outside. I can't use a river rock or something easy, so I just get something that's topographically there. Perfect. You're on top of it, it sounds like. Remember, the whole goal is to blend in, not get caught, that kind of thing. Well, that and the other one. The last one, one of these jobs, again, it was just a conversation that kind of started it, you know, with regards to trying to get the target. Actually, I had to run into the building, drop off a USB. Actually, we had broken into a sister company the week before, and I stole some letterhead and everything from that company, so, you know, we dropped off a USB with some malware in it, you know, hopefully that got there, but then I came out of the bathroom after I washed my hands, and there was like four people in the lobby, and then some woman goes, that's the guy! And my blood kind of went cold, and I'm like, okay, yeah, no, I just saw somebody had dropped a USB, she was speaking with a police officer, and it was for kind of an investigation thing, but necessarily, you know, they were handing files over, so I just kind of rolled with it. I don't know, listen, he drove off in a car, I'm just trying to make sure you get your things. 
And we started talking about food, and I kind of broke down that barrier, and then she got close enough to let me give you a badge read with the shoe trick. So... Alright, if you guys have any more questions, we'll be able to...
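The MAC-address census Eric describes earlier in the talk (reading client MACs off the wireless layer and mapping their leading octets to a vendor) can be scripted over an airodump-ng capture. The block below is an added example written for this page, not code from the speakers or from Sophos/SecureWorks. It assumes airodump-ng's CSV layout (an access-point table followed by a "Station MAC" table), embeds a constructed capture, and uses a small illustrative OUI table whose vendor names should be checked against the IEEE registry (standards-oui.ieee.org) or Wireshark's manuf file before relying on them. It also handles a case the talk does not mention: modern phones and laptops use per-network randomized MACs with the locally administered bit set, and those leading octets are not a vendor prefix at all, so counting them as "unknown vendor" would skew the census.

```python
"""Classify client MACs from an airodump-ng CSV by OUI, flagging randomized MACs.

Added example, not from the talk. OUI_TABLE is an illustrative subset and the
CSV text is constructed; verify vendor names against the IEEE registry.
"""
import re
from collections import Counter

# Illustrative subset of vendor OUIs (first three octets). Assumption: these
# match the IEEE registry at the time of writing; verify before relying on them.
OUI_TABLE = {
    "B8:27:EB": "Raspberry Pi Foundation",
    "DC:A6:32": "Raspberry Pi Trading",
    "00:50:56": "VMware",
    "00:0C:29": "VMware",
    "F0:9F:C2": "Ubiquiti",
    "18:B4:30": "Nest Labs",
    "3C:5A:B4": "Google",
}

MAC_RE = re.compile(r"^[0-9A-F]{2}(?::[0-9A-F]{2}){5}$")

# Constructed airodump-ng style dump: AP table, blank line, station table.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
F0:9F:C2:11:22:33, 2024-01-01 09:00:00, 2024-01-01 09:30:00,  6,  54, WPA2, CCMP, PSK, -40, 100, 0, 0.  0.  0.  0, 9, CorpGuest, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
B8:27:EB:AA:BB:CC, 2024-01-01 09:01:00, 2024-01-01 09:29:00, -55, 120, F0:9F:C2:11:22:33, 
18:B4:30:01:02:03, 2024-01-01 09:02:00, 2024-01-01 09:28:00, -60, 80, F0:9F:C2:11:22:33, 
00:0C:29:44:55:66, 2024-01-01 09:03:00, 2024-01-01 09:27:00, -62, 40, F0:9F:C2:11:22:33, 
DA:1B:2C:3D:4E:5F, 2024-01-01 09:04:00, 2024-01-01 09:26:00, -70, 15, (not associated), CorpGuest
"""


def normalize_mac(mac):
    """Upper-case, colon-separated form; rejects anything that is not six octets."""
    mac = mac.strip().upper().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac


def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set.

    Randomized client MACs set this bit, so their leading octets are not an
    IEEE-assigned OUI and must not be looked up in the vendor table.
    """
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & 0x02)


def vendor_of(mac):
    """Vendor label for one MAC, or a marker for randomized / unknown prefixes."""
    mac = normalize_mac(mac)
    if is_locally_administered(mac):
        return "randomized (locally administered)"
    return OUI_TABLE.get(mac[:8], "unknown OUI")


def parse_airodump_stations(csv_text):
    """Return (station_mac, associated_bssid) pairs from the station table.

    Only lines after the 'Station MAC' header are parsed; the AP table above
    it is skipped. Fields: Station MAC, First seen, Last seen, Power,
    # packets, BSSID, Probed ESSIDs.
    """
    stations = []
    in_station_table = False
    for line in csv_text.splitlines():
        if line.startswith("Station MAC"):
            in_station_table = True
            continue
        if not in_station_table or not line.strip():
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 6:
            continue  # truncated line; skip rather than guess
        stations.append((normalize_mac(fields[0]), fields[5]))
    return stations


def vendor_census(csv_text):
    """Count observed stations per vendor label."""
    return Counter(vendor_of(mac) for mac, _ in parse_airodump_stations(csv_text))


if __name__ == "__main__":
    for vendor, count in vendor_census(SAMPLE_CSV).most_common():
        print(f"{count:3d}  {vendor}")
```

On a real engagement, feed it the `-NN.csv` file airodump-ng writes with `-w`; the share of "randomized" entries tells you how much of the client population the OUI method can say anything about at all, which is worth stating in the report alongside the vendor counts.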