
Thank you, guys. My name is Mike Stringer. I'm a red team consultant member from Online Business Systems, probably one of the biggest global companies in security that nobody has ever heard of. We're based all over the United States, and this is my talk, Licensed to Pwn: how two Muppets infiltrated a Fortune 500 company in under six hours.

A little background for this talk: this was actually my first attempt at a red team while also being the leader and resident expert in red teaming for this company, so it was like trying to build a plane while you're flying it. This was my prototype for creating red teaming, and the first actual engagement that we did in the wild with me and my co-conspirator, as we'll call him, and it turned out to be an amazing success. The purpose of this talk isn't really to show you anything novel, or to explain any crazy new exploits or super creative ways to do things, but rather to show how approachable red teaming actually is for someone who has never seen it, never done it, and never thought it was something they could even get involved in. So I hope you guys enjoy it, and let's get started.

This is a little bit about myself. Like I said, my name is Mike Stringer, principal consultant and offensive security services expert for Online Business Systems. I lead the red teaming engagements and train my team, as well as doing social engineering, network penetration testing, protocol analysis and exploit development, so that's a long-winded background of everything I do for this company. I established this red team, or did this first service, back in 2019, so this is quite some time ago now, and I've been hacking and playing with this stuff for a little over 12 years professionally. I'm also a former Army vet, if that's a little fun fact about myself. I'm a big gamer, and I've often been caught saying "client's gonna client" as one of my favorite ways to describe how irritating some of them can be.

This is my co-conspirator, Josh Anderson. He is no longer with us, but he was instrumental in actually making this engagement happen, so I could not do this talk without giving him an honorable mention and telling you a little bit about him, plus you're going to be seeing him on screen a few times. He is with Leviathan Security and has been a red teamer for a little over seven years now, working in the security space. He's really big into car hacking, RFID and wireless hacking and stuff like that, and he's also a speaker at Boulder BSides, so if there's anybody from the Denver area, or if you like to go down there, that's where he's from and he's big into those spaces. Super chill dude (he made me say that), but yeah, he's a good friend and just an all-around awesome security consultant, and if you get a chance to meet him, tell him that Mike said hi.

This is the talk: welcome to the deep end of red teaming. Like I said, this is the first time I actually went into a red teaming engagement, and trying to do that for the first time while supposedly being in charge was possibly the most intimidating task I had laid upon myself for this job. So this talk is going to include all of the costs, assumptions, embarrassing mistakes, glorious triumphs, hilarious stories and lessons learned from my team's very first attempt at red teaming assessments, which unfolded over the course of a year for one of our biggest clients. As you might have guessed from the title, they're in the Fortune 500, so this was a pretty intimidating client to be working with, and we really, really did not want to screw that up.

The scariest part of this engagement for myself and my co-conspirator was that this was our first ever solo red teaming engagement. We'd never done physical red teaming, we'd never gone to the physical domain; we were just through-and-through pen testers. We had always experimented and dreamed of it, but it wasn't something we intimately knew. The only things we knew how to do really well were pentesting, privilege escalation, phishing and things of that nature. So possibly our biggest fear, and probably the fear of everybody else who started in red teaming, was that you'd get caught instantaneously and the whole engagement would be a wash. Maybe this isn't a unique experience and maybe it is, but I created this talk despite how intimidating this engagement was for us, and we're really proud of what we were able to achieve in that time. One caveat: bear in mind that everything you see in this talk is anonymized to an extent, so some of the pictures are from the real thing and some aren't. We've got to protect our client's identity.

Quick high-level overview: this talk is essentially going to be a brief 101 tutorial on red teaming, educating red teams that are just starting out, or even groups that are thinking about implementing their own red team, showing you what the budget and cost of getting started is and what your essential needs are, to make red teaming overall less intimidating, and hopefully we'll have some fun at the same time.

So why do we red team? The first thing we have is our mission as red teamers. A lot of us would definitely say "drink all the beer, hack all the things," but really our mission here is to place the physical, technical and operational controls of our client under their maximum stress load, as far as we are able to provide, essentially giving our client exposure to what it's like to be under assault by a state-sponsored threat actor, an APT, something that is a serious threat to major corporations, and to see how they actually fare against a real threat in the wild. The purpose of this is to help our clients with their security maturity and give them a little bit of insight into how functional their security programs actually are, as well as how they stack up against somebody like me, or, you know, APT 5,2000 Infinity or whatever overseas. The goal is to compromise systems and data by any means necessary and, above all, maintain stealth. We don't want to get caught, up until we struggle so much with getting caught that we're kind of scared and want to throw our client a bone and say, "Hey, you caught us," three days later, which you'll see more of in just a second. And then the final thing is that we want to evolve as red teamers, both for ourselves and for our clients, because threats and defense are, like everybody says, a cat-and-mouse game where we're constantly trying to get one over on each other. That is what this is all about: we're constantly trying to get better at what we do, because it's what the world needs for security to progress, and because it's what we love.

This is the red teaming 1-2-3s. Most people in here who have even read the overview of the OSCP exam guide or anything like that are probably familiar with the four-step methodology: reconnaissance, analysis and scanning, exploitation, and then privilege escalation and persistence. These are the steps you take in order to progress through any engagement, and this is the 101 thing you need to know how to do at least at a basic level, so that you are as prepared for your engagement as possible. Reconnaissance is both passive and active to an extent, passive being what you can find out without interacting with your target, and active being direct interaction with the target, so scanning, whether it's port scanning or service analysis, or just calling them up and saying, "Hey, tell me about your business," and things like that. Anything that touches your target is active; anything you can do on the OSINT side is passive. Analysis is determining what is actually a plausible attack scenario: finding where the weaknesses are, what the use cases are, what potential there is to exploit something. Then actually executing that exploit is the third step, trying to gain access, get your foothold, and penetrate the initial outer shell of your target. And then finally, to enact persistence, gain a reliable method to maintain that connection or stay resident there. For most pentesters this is very standardized, and there are plenty of tools for how to do this; we could go on forever about how this is done in the real world. For the physical domain, however, this is a little bit more nuanced, and you have to figure it out on the fly a lot of the time, because there's only so much you can find out in the physical domain from outside, since you don't have eyes inside the organization to an extent. Part of what you'll learn in this talk is that the biggest component of success in this is how much of the recon you are able to do in order to set yourself up for success later on.

When we started this engagement, we basically had nothing except our hobby gear that we got because we love playing with this stuff. Between myself and Josh, we had a few basic tools we liked to play with, but there are some essentials you need in order to make this engagement a success. It varies how far you can go with certain things, but these are what I would consider the essentials to make this a success overall.

A Raspberry Pi kit: you can get super cheap ones, but a fully contained kit will cost you around $100 to $120. The purpose of this is to act as a leave-behind device, because in the physical domain you're only going to go this far as a persistent threat if you can't get in by any other means. If you have to go to the physical domain you don't want to stay there; you just want to get in, drop a shell and get the hell out. You don't want to expose yourself any longer than necessary, and we as a red team want to simulate that exact threat. A Raspberry Pi is literally all you need to be able to set something like this up.

Second is a way to drop shells effectively. I can't think of a more effective or seamless way to do it in a matter of seconds than with a Rubber Ducky or, what I prefer, a MalDuino. A MalDuino is basically a Rubber Ducky, but the benefit of a MalDuino is that it has a DIP switch that lets you select multiple payloads, so you can have one for Windows, one for Mac, and a variety of different shells for whether you prefer Metasploit, Koadic, or (don't crucify me) PowerShell Empire, and any number of other C2 tools you might be familiar with. You can have a payload on this thing for each one and select it as you go.

Also in the physical domain, something that's extremely helpful is a way to get through locked doors reliably. This won't work 100% of the time, but if you need to get out of difficult situations, a door shim is absolutely indispensable. The reason why, as you'll see soon, is that you can't always get into a place with a door shim, but nine times out of ten you can exit a building or get outside of a door as long as you are on the side of the door that is swinging out. You can exit the building, and because of fire code, that means that if you're stuck in a stairwell, stuck in a mantrap scenario or a foyer, you can always get back out even if the door is locked. Nine times out of ten; I can't say always, but this tool is extremely useful.

Then, for more mature clients that have RFID and stuff like that: in this engagement we used a Proxmark for RFID badge cloning and emulation, but now that the Flipper Zero is a thing, the Flipper Zero is not only cheaper and replaces the Proxmark3, it also replaces the MalDuino at the same time, and a bunch of other tools if you buy the add-ons. So skip the Proxmark; the Flipper can do everything you want. It's an amazing tool and I absolutely love playing with it on a daily basis, just because it's so much fun, plus cute dolphin animations.

The next thing you need as a red teamer is to set up command and control infrastructure, C2. Command and control is any server or external host which is able to act as a centralized host for receiving connections from exploited hosts and systems in your target environment. There was actually just previously an awesome talk on living off the land with C2. There are a number of C2s you can use; like I said, Metasploit is what I tend to go with, but there are tons and tons of these out there. It's really dealer's choice which kind you prefer to use for your exploitation, and it's always evolving. Every threat hunter knows there's going to be a different type of malware you're going to have to face every other weekend; red teamers are doing that because it stops working. So there's not really any point in me focusing on any one C2 as the best, but just understand that this is something you'll have to change as your service grows and time goes on. You can also consider a lot of infrastructure choices and options. I went with DigitalOcean in this case, but anything where the provider doesn't ask too many questions that make you uncomfortable is a good choice. DigitalOcean worked for us; AWS is also pretty good; Rackspace; anything that gives you infrastructure as a service can work for this purpose, and depending on what your team is familiar with, anything can work here. I did give some honorable mentions to Metasploit Framework, PowerShell Empire and Koadic. Like I said, they're constantly going to be changing, so if you're looking for something new, or if these are just becoming a hassle for you, you can go on to any number of blogs out there to find something. Or if you have money like that, you can just get Cobalt Strike and you're one and done. Cobalt Strike: I don't use it, but I see the price tag and it kind of makes me faint on sight, but it's known to be extremely effective, and they're constantly updating their payloads, so it's able to evade antivirus reliably.

Breaking down the actual cost of this equipment: if barebones essentials are all you can really afford, about $200 is what you should expect to spend between your C2 server monthly costs, a bad USB (whether that's the Rubber Ducky or MalDuino), door shims, a Raspberry Pi kit, and then just some free software you can get off GitHub for actual exploitation purposes. Things I find additionally helpful are a set of lock picks (rakes especially are exceptionally helpful in these instances), a Flipper Zero (can't say enough good things about that), some Wi-Fi cards, a cheap clipboard, and a little mini Wi-Fi keyboard to help you with configuring your Pi, because I guarantee you that making your Raspberry Pi work is going to take you longer than actually getting into the client. So, something to take the edge off as you're trying to get into that shell and nothing wants to work.
And if you just have money burning a hole in your pocket, there are some other fun toys you can get that also help but aren't necessarily required in order to make this kind of engagement a success. LAN Turtles are awesome, if you've heard of that; Cat Sniffers; Ubertooths for hijacking Bluetooth keyboards and doing man-in-the-middle keyboard injection stuff; that's all fun. One fun toy we had was a badge printer, which was also very useful for this particular engagement, but those are pretty expensive. Also not necessary, but very good for creating a convincing ID. But if you're stuck in a pinch, if you have a badge ID holder, like a carrier (I was going to show one for demonstration but I misplaced it somehow), you can literally just slip a piece of paper with your face on it in front of the RFID card that you get as a blank, and that will work just fine. I have literally talked my way into more locations just because I couldn't get my badge printer working and I'm like, screw it, I'm going to print it out at the hotel conference center, and I've gotten in many times that way.

So let's actually move on to the methodology steps and how we actually start doing this. By far, Google is perhaps the most helpful thing you can have on your side when it comes to doing reconnaissance. It's indispensable and also very much required for getting this right. Like I said, your engagement is only going to be as successful as your preparedness as far as reconnaissance goes. Some essential things you do need to do: a little bit of groundwork with Google Satellite and Google Street View. These are extraordinarily helpful because you can actually zoom in pretty well with these tools. Thank you, Google van, for driving past my client's site right up to the front door, so that I could see that it was covered in CCTV cameras, and that I didn't even want to bother going in there, because the front door, oddly enough, is closed completely and nobody's allowed to go in the front door, so it would have looked extremely weird trying to get in.

You can also rely heavily on social media, and I emphasize doing this because it can yield some amazing low-hanging fruit. LinkedIn: if you just go and befriend or connect with people on LinkedIn, this gives you so much information on the company; people expose what services and software they use on LinkedIn. Plenty of the red teamers in the group will be aware of this, but you can also scrape out the pages of LinkedIn and make assumptions about what their email scheme is and just get a full list of emails. You'll find that social engineering is very important in this type of engagement, but we're just glossing over that and focusing on the physical. It's definitely something to look into if you're not already doing it. And while you are at it, make sure you are identifying what kind of access your target is using for the physical domain. If they have RFID badges, go onto their social media pages. I cannot tell you how many times I have seen somebody with a great big glowing badge on their front, smiling as they're posing at a party, and it's hilarious, because they've just given me the ID template I need to talk my way past a guard without having any access whatsoever.

There's a list of other helpful tools. hunter.io is kind of like a sales assistance tool; it's really just for collecting corporate emails and stuff. You can use this as well, but it also will tell you what the address scheme of the company is, and that's totally free, you don't have to pay for that tool. It'll just tell you, "Oh, it looks like they use firstname.lastname," and that's their email scheme at domain.com, and you can use that to churn out a list of emails and start going further with that however you see fit.
And then scrapedin.py is a tool I created with another former colleague. This is available on GitHub, just at github.com/scrapedin/scrapedin, and that's a pretty useful tool. We didn't put our names on it or anything, so this is just between us; I just don't want to get a bunch of angry phone calls from LinkedIn like, "Stop scraping our website." Whatever, man, if it's on the internet it's free. And then of course Shodan. Shodan is just an all-around awesome Internet of Things analysis and mapping tool. If you don't have a key to it, it's 20 bucks; do it. It's an amazing tool; there's no reason not to get this, even for your regular pen testing engagements. It's super useful.

So now we move on to the active part of the physical domain, where you actually start casing the place, trying to figure out what level of access is necessary to get a foot in the door, so to speak. This is the first part where your blood pressure starts to rise, and there are a few ways to do it right and a few ways to do it wrong, but I found out there are a lot of things you can get away with, which we'll talk about in a second. Some things you look for: you want to be looking for hidden entrances. Major points of entry are critical, and think about watching the foot traffic of your target. Finding out where people are going and how they are getting into the building is really important, because, like I said earlier, the front door of this place was totally unused. Nobody used it, it was locked, there was no guard, it was just shut down; nobody got in through the front door. Everybody parked in the back of the building and walked in from that side. Had we not been sitting there watching this place and wondering, "Where is everybody?", we wouldn't have figured that out, and we would have tried to walk in the front door, and that actually would have probably given us away. Checking out where the CCTV blind spots are is also extremely helpful. Some have shielding, but if it's an obvious one like you see on screen, where you can see where it's pointed, you can get a good idea of where there might be blind spots, so you can sit somewhere and be comfortable while you analyze the physical domain of this place and watch the outer shell. And while you're at it, if your earlier OSINT phase wasn't successful in capturing pictures of badges, I have also had success just with a smartphone camera, taking a quick snapshot of somebody as they walked past me in the parking lot. You can get badges that way too. It's a little bit conspicuous, but you can get away with it if you're discreet.

The next part of this was figuring out our other entrance. I talked about the side entrance before; it was a cafeteria-side type thing with an outdoor patio. The main entrance was security guarded: there was a person sitting behind a desk with access to cameras and everything. He had a badge log, which we didn't know at the time, but he was watching people as they scanned their badges in, to see that they were a legitimate person; it popped up a picture of their face and everything. So it was actually something we didn't know was there, so we were going to have to get creative on the fly once the guard realized we weren't on the list, so to speak. They also had a very good, hard visitor escort policy in place as well, so trying to talk our way past the front door was going to be difficult.

This is the side entrance, which we get a better look at from here. This is actually from the neighbor's parking lot. It was funny: the neighbor's parking lot was closer to this door and the entire building than the actual employee parking lot. The employee parking lot was 150 feet away in the back behind the building, and their neighbor was literally just 20 feet away from this side cafeteria entrance, and you could even see the glass windows of all the executives working on the top floor, which I thought was pretty funny. So it was easy enough for us to just go walk over there. This is actually a Google Street View image; as a matter of fact, you could just go here and see there are some garage doors, which weren't always open, but over there on the left, by the trees, there are some picnic tables, and we noticed that not many people were using them, but we're like, "Ooh, there's a side entrance there that we can't see." And you also can't see it in the picture, but there are some stairs that lead up here to the patio area; there's another hidden entrance over there, and that was a second way in that we were looking for.

As you're doing this, you're kind of thinking up scenarios: what's plausible, what can I do? If I go through the main entrance I'm going to have to tailgate somebody or talk my way past the guard; that's going to be difficult, that's kind of scary. Over on the side, it's not so scary to just walk up and pretend you're having a cigarette or talking on the phone or something, and just wait for somebody to open the door and slip right in. You can get into a lot of locations this way, just by looking for unattended entrances that people come and go from as a matter of convenience.

While we were doing this, we also were doing some Wi-Fi analysis of the client, and you'd be surprised how many engagements you can have some success on just by getting Wi-Fi access; it's why those Wi-Fi antennas are important.
But it also is a difficult landscape if you're on the outside, because sometimes you're really far away from the building. So we spent a great deal of time trying to figure out what this client's wireless infrastructure was. We were kind of obvious, I would think, sitting there with a ton of antennas poking out of the windows of our car while we sat there on our laptops and employees were walking past us. I wish I had requested some tinted windows, because I was shaking in my shoes expecting somebody to be like, "Yo, there are these two weird dudes sitting in the parking lot, they look like they're from Mission Impossible, what the hell is this?" I was just petrified that we were going to get busted. We sat in the parking lot with antennas sticking out of the windows for six hours; nobody said a damn thing.

Anyway, onto the actual Wi-Fi attacks themselves. While we were going through the wireless route, keep in mind we'd been doing work with this client for a long time, so we had some knowledge of their internal environment. We knew they were using WPA-EAP for their authentication, so we were probably not going to get in, and we didn't have to waste a whole lot of time, but we were doing reconnaissance at the same time, and we did it to say that we did it. If you're dealing with a truly mature environment where they require a red team, chances are Wi-Fi is going to be closed off to you. It's not going to be that easy, but you never know, so it's always worth giving it a shot. You also want to at least have the ability to analyze who's coming and going, because in some instances, even on a well-configured network, you can still grab some usernames and domain information just from EAP authentication. Just sniffing those packets by themselves is good information; it's worth doing, so don't skip on it.

Like I was saying before, the distance from the parking lot to the building was a huge hurdle. It would have been extremely helpful for us to have directional antennas. These are about as cheap as regular omnidirectional, like the big dongle antennas: for $20 to $40 you can get a pretty high-gain antenna and point it straight at the building. It definitely looks pretty weird having two Mickey Mousers in your windshield pointed at the building, but it helps a lot if you're dealing with distance, so know that if you're going to be dealing with this kind of scenario in the future.

RFID badge readers are also a big thing to think about, because it's way more complicated, we found out, than we thought it would be. We had played with Proxmark and stuff by ourselves, but we didn't actually realize how difficult it would be to figure out what kind of badges they were using. We were like, "Oh, there are a bunch of universal types and we'll just get..." Yes. As it happens, we got really lucky in that between the two of us we had one of the cards they used in their environment, so it was possible for us to clone badges, but it's not always going to be that easy. The thing is that now things are getting much more complicated with RFID, and you could do a whole talk on getting RFID credentials to a building by itself; that could take over an hour. But some essential things you want to do: do a little bit of reconnaissance and see if you can figure out what they are using. If you have to, bring a mess of different types of IDs with you, all different types of MIFARE Classic and HID Prox cards, and just get the most popular ones. They're cheap enough that you can get 10-card packages of these things, and at least you'll have a good chance of having something available. Thankfully, with the new Flipper, there's an excellent reader identification, or "detect reader," function. You can walk up to a reader, hit it, and it will tell you the make and model version of the reader, and that will tell you what the card is. Otherwise you're going to have to either guess or start doing some serious hunting and analysis with binoculars to try and figure out what everybody else is using.

The other thing that is really important here: even if you cannot clone a badge, I've actually found it's extremely useful to have a badge that doesn't work but still activates the reader. I have literally walked into a building with a piece of paper in grayscale. It was completely wrong, because the hotel printer did not have a color printing feature and the client's ID badges were color, but I did have an RFID card that matched their reader, and because it beeped when I hit the door reader, the person was like, "Huh, that's weird, you should go up to this place and get it fixed," and let me in. So having a card that actually beeps is, hilariously, enough for some people. Having something available, being able to detect that reader, can help you along the way.

So after we finished casing the joint, we started brainstorming how we were going to do this.
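Going back to the Wi-Fi point above about usernames and domain information leaking from EAP authentication: the leak is the EAP-Response/Identity message, which a supplicant sends before any TLS tunnel is up, so anyone within radio range can read it. The example below (added here, not code from the talk or from the speaker's team) parses that message out of raw EAPOL bytes and reports whether the outer identity exposes a real username or is anonymized, which is the check a wireless administrator can run over a capture to confirm that clients are configured with an anonymous outer identity. The frames are constructed in the script; the constant names and the `IdentityLeak` record are my own.

```python
"""Parse 802.1X EAP-Response/Identity frames and flag cleartext usernames.
Added example with constructed frames; not a capture from any engagement."""
from dataclasses import dataclass
from typing import List, Optional

# IEEE 802.1X EAPOL packet type and RFC 3748 EAP code/type values
EAPOL_EAP_PACKET = 0
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


@dataclass
class IdentityLeak:
    username: str
    realm: str
    anonymous: bool   # True when the outer identity hides the real user


def parse_eap_identity(eapol: bytes) -> Optional[str]:
    """Return the identity string carried by an EAPOL-encapsulated
    EAP-Response/Identity, or None for any other frame."""
    # EAPOL header: version(1) type(1) body_length(2)
    if len(eapol) < 4 or eapol[1] != EAPOL_EAP_PACKET:
        return None
    body_len = int.from_bytes(eapol[2:4], "big")
    eap = eapol[4:4 + body_len]
    # EAP header: code(1) identifier(1) length(2) type(1) type-data
    if len(eap) < 5:
        return None
    code, length = eap[0], int.from_bytes(eap[2:4], "big")
    if code != EAP_CODE_RESPONSE or eap[4] != EAP_TYPE_IDENTITY or length > len(eap):
        return None
    return eap[5:length].decode("utf-8", errors="replace")


def classify_identity(identity: str) -> IdentityLeak:
    """Split a user@realm or DOMAIN\\user identity and decide whether it is
    a privacy-preserving outer identity (empty or 'anonymous' username)."""
    if "@" in identity:
        user, realm = identity.rsplit("@", 1)
    elif "\\" in identity:          # DOMAIN\user, common with Windows supplicants
        realm, user = identity.split("\\", 1)
    else:
        user, realm = identity, ""
    return IdentityLeak(user, realm, anonymous=user.lower() in ("", "anonymous"))


def build_identity_frame(identity: str) -> bytes:
    """Construct an EAPOL frame carrying EAP-Response/Identity (for samples)."""
    data = identity.encode()
    eap = (bytes([EAP_CODE_RESPONSE, 1]) + (5 + len(data)).to_bytes(2, "big")
           + bytes([EAP_TYPE_IDENTITY]) + data)
    return bytes([2, EAPOL_EAP_PACKET]) + len(eap).to_bytes(2, "big") + eap


def audit(frames) -> List[IdentityLeak]:
    """One IdentityLeak per Identity response seen; alert on anonymous=False."""
    results = []
    for frame in frames:
        ident = parse_eap_identity(frame)
        if ident is not None:
            results.append(classify_identity(ident))
    return results


if __name__ == "__main__":
    # Constructed sample traffic: one leaky client, one anonymized client,
    # one Windows-style identity, and an EAPOL-Key frame that is ignored.
    samples = [
        build_identity_frame("jdoe@corp.example"),
        build_identity_frame("anonymous@corp.example"),
        build_identity_frame("CORP\\jdoe"),
        bytes([2, 3, 0, 0]),
    ]
    for leak in audit(samples):
        print(leak)
```

The fix on the client side is to set the outer identity to something like `anonymous@realm` in the supplicant profile (the real username then only travels inside the TLS tunnel); running this over a capture from the parking lot is a quick way to see which clients still send the real name.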
This was us that entire night. We stayed up all night till like 3 in the morning figuring out how the hell we were going to do this, and we didn't do any of the C2 prep ahead of time, so we were seriously scrambling. But as it happens, Raspberry Pis and just a couple of DigitalOcean servers are truly all you need. In this case we wanted to set up our C2 infrastructure and make it so that we had every available means to get a shell back to us before we even walked in the building, and be confident that it was going to work. Next, we had to print out our badges. We got some IDs off of social media, so we had a pretty good idea what their IDs looked like. We needed to lay out the map of the building, or have a rough idea of the schematic of what the inside was going to look like, because we'd never been there before, and we wanted to have a good idea of where employees came and went, planning our entrance and then rehearsing it, because we didn't know what we were going to run into ahead of time. So Josh and I basically rehearsed: "How are you going to talk your way past me?" And I was the big, mean, completely intolerant guard that refused anything, and Josh, oh my God, the man is a smooth operator. He could have talked me into anything, I swear. He decided to be the inside guy who was going to try and walk in the building first, because I was all jitters, and I confess to you, even standing up here terrifies the absolute hell out of me. So Josh was the guy to go inside, because he was pretty confident by all means; he was like, "Yeah, I got this." Once we had figured that out, we rehearsed a few scenarios of how we were going to get past, and we were ready to go. At the end of it, we'd never used the badge printer we tried, and it literally took us three hours to make this badge printer work. God, it sucked. But I was particularly proud of the fake IDs we came up with, and especially our monikers. I have worn the name "Evan Essence" for a long time; nobody has ever noticed.

For the C2 callback infrastructure, this part is really important, and you do want to think about this based on the target you're dealing with. Everybody's a little bit different. In our case, our client frequently had users going out to the internet. We needed to be sure, though, that we could get past any firewall rules and stuff like that, so having some backup options was really important. Our main one was OpenVPN, which we used for all of our pentesting engagements, and we had infrastructure for that, so that's a no-brainer. The second one was reverse SSH connections, having that set up as a cron job or a systemctl daemon that would run in the background and keep turning itself back on if it ever shut off or couldn't get a decent connection. We wanted to have that in place, but then we were like, "Oh crap, we have clients that filter both of these things; what is another option?" On the fly we found a tool called Corkscrew, which is actually SSH tunneled over HTTP, which was absolutely the coolest thing, the best idea I've ever heard of, and I have literally used this to get reverse shells in the wild from clients that refused all other traffic. Even though it's unencrypted traffic, it let the SSH traffic out because it was inside an HTTP protocol. That was really cool, so this was exceptionally useful. So between all of these things, with reverse SSH being the safest and most reliable way to get a connection that was non-VPN related, and having a backup SSH tunneled through HTTPS, we felt pretty confident about how this was going to go. And I mean, SSH overall is high performance, it's a benign protocol, everybody trusts it for the most part, so we were like, "Okay, cool, this is good, we're pretty happy with this." If you absolutely need a tutorial on doing reverse shells over SSH, there's a link here that you can refer to at blog. sti.com; this is just one that I pulled off of Google really quickly, and it's a good working tutorial, but there are hundreds of these tutorials on how to do this out there, so Google yourself.

The Plan B I talked about with Corkscrew: this is the link to the GitHub repo for that. This is available from bryanpkc/corkscrew, and I highly, highly recommend this tool; it was exceptionally useful. The most difficult part of getting this set up was baking in our own Linux daemon, so if you know how to do that, God bless you. systemctl... I don't know what it is about configuration files, but they just fry my brain. So after setting up all three of these avenues we're like, okay, this is everything we can do, and we are going to be dead tired tomorrow, so this is going to have to be
good enough so uh now was time to execute the heist so the first plan that we decided to do was hard mode we didn't want to take the easy route in despite like all the indications that we were probably going to get caught um but for whatever reason we were like no let's let's go double or nothing we need to try to get in the legitimate way and try and and try to give the client uh a chance so we went with the tailgating approach through the main entrance past a security guard with CCTV cameras and although we didn't know it at the time a badge log that was going to tell that guard you aren't actually an employee what's
up with that so the uh but the reason why we did tail gaining first is because it's reliable it is easy for anybody to attempt and it's the most likely way somebody's going to get in and also people are just friendly so it's really easy to pre upon an individual to get in this way so Josh was going to follow in somebody gain access by uh letting them open the door first and then would attempt to break line of sight as fast as possible get the hell away from the guard it's kind of a logical trick where you forget about somebody faster proportional to the least amount of time you see them maybe that could have been
worded better but basically if you can if you can enter someone's field division and disappear within 30 seconds they have no idea who you are and they will forget about you completely for the rest of the day they'll they'll have no idea who you are the longer you sit talking to that person the more suspicious they'll get and the more committed to memory your face is to them you don't want to give them a chance to let that happen so breaking line of sight fast as soon as you get in is extremely important so step one of actually getting in because we're going to encounter a guard confidence is everything you want to look official
that's why I always carry a clipboard because nobody questions a guy walking around with a clipboard taking notes and staring at things inquisitively like H that doesn't look right and that's actually surprisingly intimidating enough that nobody asks you any questions if you get stopped you have several things that you are going to be expected to do that you will have to do and you want to have these things prepared ahead of time State your purpose own your identity whether it's a real one or a fake one doesn't really matter you you have an identity own it have it down and be confident in what you say have an excuse for why your ID doesn't work ahead of time you don't
want to try and make this up on the Fly you're going to Bumble you're going to be scared you're going to be nervous you you will most likely mess it up if you aren't at least somewhat prepared for that eventuality and then once you have delivered those demands from that guard or that person who is challenging your identity create urgency in your situation and figure out a way to break line of sight and get away from them so the first step for this for Josh was super simple it worked immediately he uh followed in that woman that you saw in the picture before walked straight in the door like did a courtesy wave of his hand past the badge reader
nothing happened and he walked right in guard immediately says yo your badge didn't scan and uh I'm going to need you to come over here so as uh as soon as that happened Josh is like oh okay what's the problem comply immediately walks up and starts uh and starts talking to the Guard the guard says I'm going to need you to scan your badge again because it didn't read for some reason he tries nothing happens nothing comes up nothing works so like I said we luckily had a myair car or I'm sorry an HID proc card that worked but we didn't have an identity link to it so it beeped but nothing actually showed up so as soon as
this happened uh Josh realized I got to fall back on Plan B and I got to come up with some kind of an excuse sorry my notes are super tiny all right so thinking quickly Josh immediately activated his fail safe pan and he panicked immediately but but only slightly just Panic just slightly so whether it was real or Fain pan Panic joshh started throwing out excuses that like oh no I threw my card in the laundry last night it went through the laundry with my pants I probably broke my card and just started like panicking to the guard and pleading with him like I have a meeting I got to get to in like 5 minutes ago my
boss is super pissed at me what am I going to do please let me go and the guard's like I I really can't you know he's like please I'm I'm in so much trouble and just started begging with the guy and he's like finally like all right but after this goat promised me you'll go down to facilities and and go fix your badge he's like thank you so much and bolted for the stairs he went straight into the stairwell and disappeared instantly that guard by the way gave us some interesting information if you caught it you'll you'll hold on to that word for later what the guard told Josh um and that'll actually become relevant much
later so uh wasting no time uh Josh broke L of sight there's there's other ways that you can play this um scenario by the way like I i' I've my mentor many years ago who did Red teaming like all the time he talked his way into a building with a box of donuts and he's like hey guys I got extra Donuts here you want some gave them to him they're like oh you're awesome man thank you so much and then he's like great cool see you later bye and just walked off to the elevator so there's be creative you know there's there's no 100% right or wrong way to do this but just have something
prepared and have a backup plan prepared cuz you don't know what you're going to run into the least that you have to figure out on the Fly the better uh I am running out of time okay so after that Josh promptly got lost as soon as he went into the stairwell cuz he found out that as soon as he walked in the stairwell was locked and it was RFID badge access out every single time this is where he got stuck because if he went back he was going to have to go past the guard and then the guard was going to be extra suspicious because oh yeah that guy didn't have ID it wasn't legitimate
he can't get through the doors what's going on and then the gears start turning not an option don't go back don't face the same person that just caught you at least not for a while uh the other option is to shim or pick the door this was a fire escape door so a little bit tough would have been pretty difficult to do if he was on the other side of the door much easier because as I said the door is swinging out you can get out a lot easier than you can get in with a shim cuz you just jam it in there um and pop the latch but from the other side it's a little bit more difficult so
the other option is to improvise which is precisely what Josh did so Josh standing in the stairwell flipped open his phone and just started just talking about nothing and waited somebody eventually walked through the stairwell because luckily you know Health culture was big at this company they walked out the door and he's like oh okay I'll see you in the meeting and then just kept going person didn't even look twice at him and he was in so as uh all right there we go demonstrating effectiveness of the hall pass for bypassing locked doors well I didn't expect that to start playing but uh this is a demonstration of the door shim of how it can work from the outside of the
door if the door is swinging out you can liter there's no uh there's no door hem on the outside so you can just stick the a credit card or a door shim in there and pop it open fairly easily so the door is swinging out at you like like this that's that's the easiest way to get in on the other side of the door might be a little bit more difficult but there's some uh options for you that's why I say the dorim is like the cheapest easiest way to get through someplace uh if you have to all right so uh while still lost Josh was wandering around in the building and the uh first thing that he had to do was
Orient himself very quickly so getting a fire evacuation map and figuring out where he was getting into a secluded location and then chill out plan your next move cuz number one you're probably going to be absolutely panicking by the uh By the time this is all over so that's one of the things that we do get into a restroom or something hide chill out um there is a uh there is a secondary entrance that uh I I I'll just go ahead and play this for you at this point Josh was already in for some time doing some reconnaissance so this is me going into the building waiting for him to let me in in um but
as it happens that actually wasn't necessary just kind of tapping my badge and oh hi thank you so much some random guy just walked up to the door and saw I was having trouble and just led me in didn't ask me any questions so I I ran into Josh later on uh in the hallway and then we just like bolted to a hidden office that he found was unoccupied um we also had some trouble getting in through the interior so one of the things that we ended up needing to do was like get past RT e sensors that's request to exit which you can do with just some compressed air because the sensor just looks for a temperature
differential and you can just Spritz a little bit of compressed air through the door and suddenly it lets you in it's surprisingly effective so the last thing that we needed to do was to give oursel a back door because this was absolutely essential for us once we got into the office the number one thing that we needed to establish was persistence so we're on to our final stage I realize I'm getting short on time I'll blow through the last slides as fast as possible so when we plugged in our Raspberry Pi we were relieved to find out that this was it instantly worked not only one call back but all three of them came back right away so there we go
we established persistence just simply going in behind a desk unplugging a phone and jamming a pie in there as soon as it turned on we had shells we had access we were in the network and if we wanted to we could just leave it at that and walk away but uh we wanted to go a little bit further so we tried the sensible thing every pentester does when they get started is they turn on responder and uh in about uh 10 seconds well congratulations you have domain admin and suddenly we're in the network we've completely owned the domain and we were disappointed to find that oh God that was already over so this is a brief
timeline I'm just going to kind of blow through this but we got there Josh walked in the building just ubed to the guard and said I'm going to get fired and got l in the building I met up with him through the side entrance separately and uh we plugged in a pie turned on responder get shell get da assessment done right well I don't know it doesn't feel quite like that's enough so we decided to go the extra mile we wanted to get into this thing this was a biometric handprint reader with pin and a chip card reader to get into the data center uh we really wanted to get in this room because we felt it would be
like big time bragging rights um so you know it it was it was a situation where uh we we felt this was too easy we wanted to give our clients their money's worth so we actually spent 12 hours just hiding in the office playing around looking through file systems just you know burning time until we saw everybody went home and then we got to walk around at night like a bunch of ninjas in the middle of the night through this corporate campus and um we found quite a lot of stuff like there was a bunch of unattended unlocked file rooms with unlocked filing cabinets containing tax records and all kinds of fun stuff I say fun but like it's
numbers we don't really care but the client cares that's what matters uh leaving behind more devices and you know other things of that nature and of course passwords on sticky notes there were so many passwords and I got so upset by it like more upset than was justifiable um but you know it happens in every organization make sure that you're enforcing your clean desk policiy these blue uh blue guys you like really go go smack some people on the wrist for this such password much security the last thing that we found and this is where I wrap up a little bit early I apologize uh but we identified the badge room which this was the Crown
Jewel we couldn't get anybody's badges this whole time we didn't find any Ling around and we couldn't get close enough to proxmark their badges ourselves so when we got to the uh badge room we were so stoked I immediately broke out my lockpick I'm like I'm going to get us the hell in here and we're going to go print ourselves some Badges and we're going to have keys to the kingdom forever um within about five minutes of me trying to pick that lock Josh um found these sitting in the desk right over there 5T away and uh we're suddenly in no lockpicks necessary and uh I'm going to go ahead and skip the pro Mark demo just because
it's a little bit lengthy I don't have the time for it but this this was an exceptional tool if you get the flipper zero you don't need the proc Mark again it works for 90% of cards nowadays um but just lay it over the card make it scan and there you go you have a discrete way to just go beep and walk through the door anytime you want so I'll skip that but like there there's the there's The Flipper super super simple right here and the pro Mark's literally no different but funny enough we did that demonstration in the front door next to the security guard and the security guard is staring at us like what the hell are you doing and
then we walked past some waving uh we also waved at every camera as we went by we were pretty cocky at that point um it actually took us more time to uh read the documentation for the badge printer in the room um while we were in there it took us about 3 hours to figure it out um so we're reading the documentation that's in the unlock desk of course which uh uh we easily got logged into the machine with the the domain credentials that we had before and you know immediately got started uh trying to figure out how this thing worked just as we finished printing our badges somebody walks in and I about my
pants all I hear is just like hey there can I help you guys and me and Josh froze just Stone Face like oh God we're so busted like we're definitely not supposed to be here um in that time the uh the employee was just like so uh can can I help you with anything thinking quickly Josh is like nope we're good be done in a minute he's like oh okay just literally walked away and left us in there it's like this is a critical critical room to your security infrastructure you should be scared that someone you don't know is in here didn't think twice um so we spent a lot of time having some fun uh glossing over things
briefly we put a microphone attached to another Raspberry Pi in the conference room where the executives were we had a lot of fun with that um and we like we wired up Raspberry pies all over this place some of which we couldn't get the client to ship back to us so we had a back door for like 3 years um that was kind of a problem uh we we tried to tell them like this is where they are please ship those back we need them and they're like ghost uh and then we got caught again yeah so uh this is another area where they had a cage filled of backup tapes for their IBM data center um I sat there
picking that lock for about 30 minutes when a janitor walked in looked at me looked at the lock picks all over the floor and was like I'm going to empty this trash can I'm going to get the hell out of here he never said anything and I think that he probably just saw us like dressed like we definitely didn't belong like all disheveled we hadn't slept in over 24 hours and I'm sitting there r this lock and all sudden like oh and he's just like nope I don't get paid enough I don't want to die and just walked away so after this we we tried to get caught we tried to get caught really we decided
to go hard mode on this thing and make things so difficult that we printed out these Badges and started walking around with them and we spent two more days on site and nobody noticed not a single person said anything um ultimately we walked away leaving our business cards and those a copy of those badges uh on the ciso desk who is a guy with a great sense of humor and he absolutely ripped his employees apart but uh it was it was quite a tremendous success that I'm I'm exceptionally proud of um that I hope that this talk gives you some confidence to try red teaming if you're nervous about it if you guys want to find me ber Bert
from this particular red team you can find me at script Nomad on Twitter or x.com whatever it is now github.com script dnad and there's my LinkedIn as well if you want to connect with me totally happy to do that uh and there's my company's website as well if you want to look us up and talk to us about some red teaming stuff we'd love to uh we'd love to break into your office thank you guys [Music]
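An added example, not from the talk or its speakers: the C2 section earlier describes Corkscrew, which sets up its SSH tunnel with an HTTP CONNECT request through the corporate proxy, so from the defender's side that request lands in the proxy access log. The script below, written against the Squid native log format with constructed sample lines and assumed thresholds, flags the CONNECT sessions that look like tunnel abuse rather than a browser's TLS session: a raw IP destination, a non-443 port, or a tunnel held open far longer than a page load.

```python
"""Flag HTTP CONNECT tunnels in a Squid-style proxy log that look like SSH-over-HTTP.
Added example; log lines and thresholds are constructed for illustration."""
import ipaddress
import re
from dataclasses import dataclass

# Squid native access.log fields: time elapsed_ms client action/status bytes method url ...
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<action>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

# Assumed threshold: a browser CONNECT that stays up for half an hour is unusual,
# a reverse SSH session that reconnects forever is not.
LONG_TUNNEL_MS = 30 * 60 * 1000


@dataclass
class Finding:
    client: str
    dest: str
    reasons: list


def tunnel_findings(line: str):
    """Return a Finding for a suspicious CONNECT line, else None."""
    m = SQUID_RE.match(line)
    if not m or m.group("method") != "CONNECT":
        return None
    host, _, port = m.group("url").rpartition(":")
    reasons = []
    if port != "443":
        reasons.append(f"CONNECT to non-443 port {port}")
    try:
        ipaddress.ip_address(host)  # raw IP, no hostname: nothing a browser would do for HTTPS
        reasons.append("CONNECT to a bare IP instead of a hostname")
    except ValueError:
        pass
    elapsed = int(m.group("elapsed"))
    if elapsed >= LONG_TUNNEL_MS:
        reasons.append(f"tunnel held open for {elapsed // 60000} minutes")
    return Finding(m.group("client"), m.group("url"), reasons) if reasons else None


def ssh_in_tunnel(first_bytes: bytes) -> bool:
    """For a proxy or tap that captures the client's first bytes after '200 Connection
    established': TLS opens with a 0x16 0x03 record header, SSH with an ASCII banner."""
    return first_bytes.startswith(b"SSH-")


def scan(lines):
    return [f for f in (tunnel_findings(l) for l in lines) if f]


# Constructed sample log lines (not real traffic): a normal HTTPS session, a long
# tunnel to a bare IP on 443, and a short CONNECT straight to port 22.
SAMPLE_LOG = [
    "1700000000.001    812 10.20.30.40 TCP_TUNNEL/200 48211 CONNECT www.example.com:443 - HIER_DIRECT/93.184.216.34 -",
    "1700000001.002 2712345 10.20.30.41 TCP_TUNNEL/200 1893311 CONNECT 203.0.113.7:443 - HIER_DIRECT/203.0.113.7 -",
    "1700000002.003    120 10.20.30.42 TCP_TUNNEL/200 2210 CONNECT 203.0.113.7:22 - HIER_DIRECT/203.0.113.7 -",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f.client, "->", f.dest, ";", "; ".join(f.reasons))
```

Pairing the log heuristic with a block on CONNECT to anything but 443, or with TLS inspection that sees the SSH banner instead of a ClientHello, closes the gap the talk relied on.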