Check, check. Can everyone hear me all right? I kind of yell anyways, so is that too loud? If I'm doing that, I think that's about as high as I'm getting. All right, sweet, I get thumbs up. Hey, welcome to BSides Augusta 2019, right? This is a pretty awesome event; give it up for these guys, these guys are doing awesome. Yeah, so thank you for joining me, I really appreciate you. My COO at Rendition InfoSec is actually presenting right now as well, and it was a competition to see how many people we can get in mine versus his, so I appreciate you coming to mine and not his. So yeah, this is Breaking into Banks like a Boss 2.0. Did anybody come to my first one last year? Okay, awesome, wow, thank you guys. Yeah, so it got presented last year here in Augusta, and then I kind of did it at a couple other BSides kind of locally, and everyone loved it, and so I decided to kind of extend it to a 2.0. We will recap for all the newbies that didn't go through the first one. So let's get into it.

So I am Bryce Self; that's my Twitter handle up there, two underscores at b selfless. I know it's a weird last name, I didn't pick it, so you know, it is what it is. I am our physical pen test lead at Rendition InfoSec. I used to be in the Navy, where I did some cool stuff, and then I did some three-letter agency stuff and learned even more cool stuff. And I say cool because I can't tell you what it was, but it was pretty cool, right? Basically what it translates into is I got to do all this cool training and whatever that turned me into a social engineer and pen tester, right? And I get paid to do that, so, legally, right? So it's pretty cool. And then whenever I'm not doing, I guess, computers, I'm camping with my wife and riding motorcycles, and then breaking into your office and looking at your fingernail clippings in desks that you keep there. That's a true story.

All right, so we're Rendition InfoSec. You've probably seen us; you probably have also seen this ambulance outside. If you haven't, it's out back, it's awesome, it's like a rolling CTF. We've got a booth out there. We do digital forensics, incident response, pen testing, audits, assessments, training. We have a 24 by 7 Security Operations Center here in Augusta; this is our headquarters, and then we got guys all over the place.

All right, so what we're going to talk about: we're gonna do the 1.0 recap, we're gonna talk about kind of what's been happening last year, this whole year when I've been doing 1.0, and obviously things have changed and adapted. I haven't changed the talk until now. What has changed my ways, and kind of lessons learned, frequently asked questions, and then how to stop me once again.

All right, so the recap. So physical pen testing, what are we doing? We are literally just breaking into a building. Our clients, my clients, they give me an address. They say, Bryce, I need you to break into our building in downtown Chicago or downtown New York or whatever it is, this huge, huge skyscraper. They just give me an address, and I basically start on my computer looking into them, all the way into where a couple days later I'm out on that site, I'm up in your server room putting a payload on your server, I'm up in your CEO's office taking a picture of a card that he left in there, stealing his password that he wrote down, or whatever it is. Again, another true story there.

All right, so why is it important? There's a wives' tale that there's a CTF, right? We have a couple CTFs going on; we have one at Rendition, if you haven't done it yet, it's pretty awesome, check it out. But basically you have two teams, you have team A and team B, and the moderator says, hey guys, we have the server right here, all you have to do is get complete ownership of the data, the data on the server. This might sound very similar to people that have heard this talk before. So basically we have this server, you just have to gain access to the data, right? So team A starts hacking away. Where my hackers at, my pen testers, the guys on the keys, where you guys at? All right, a couple guys, sweet. So you guys start hacking away, port scans, vulnerability scans, seeing what you guys can come up with, right, find out what's going on, what you can exploit. Team B just kind of sits back and they go, you know, we just have to own the data, right? We just have to take complete control. All right, so they get up and they walk over and they unplug the server and they drag it over to their table, and guess what, guess who has the data now? It's not team A anymore. Good luck trying to scan the port that's not there; you can't even connect to it, right? So I think one of the most overlooked pieces of our industry, of cybersecurity, is physical, because we've spent so much time trying to lock down our ports, protocols, all these different things, and what does it matter if the hinge on your server room is busted and anybody can get in there?

All right, so I broke this down into kind of four pieces here, four phases. A lot of why I developed the first talk was because I heard a lot of, hey, this is how you pick a lock and this is how you break into this door and all the stuff whenever you get into the building, and that's all great, but how do you actually get into the building? What leads up to actually physically going to that door? Why did you go to that door? Why did you talk to the person who you did? Why did you say what you said? Why did you wear what you wore, right? So I broke this down. So first, this is observation. It's just passive. I get a cup of coffee,
I look at your building from afar. I do some OSINT online, open source intelligence; I'm looking through Google, Google Street View, Maps, right? I'm looking at your building, I'm looking at who's coming in, who's coming out, that kind of thing, right? I start building a pattern of life. Then I do a little bit of recon, so we kind of get a little bit more active. I'm not really trying to get into your building at this point, but I'm gonna start dumpster diving, right? And maybe I'm dumpster diving to look for data, right, in your trash can, but actually what I'm doing is I'm dumpster diving right in front of this camera to see if anybody's actually looking at it, and if someone's actually looking at it, how long is it gonna take them to come out and catch me, right? Because maybe I'm just a homeless guy just looking through your trash, right, because I mean, that's what they do, and I'm just playing that part. I'm just in a role, and I'm looking through your trash, and then I see the camera, I'm doing that, and it takes them 10 minutes to come out. Okay, well, I know that it takes them at least 10 minutes to look at that camera and then come out to me. Maybe they don't come out at all, so now I know that they're not looking at their cameras, right? So, speaking about those processes and those procedures, I go in as a delivery guy and I say, hey, I have flowers for so-and-so, and then they look up in their directory if they have one, and then they call their desk number. Oh, and they don't have cell phone numbers? Maybe I want to give them a cell phone number. Anybody remember that from my first talk? Maybe I want to give them a cell phone number, right? Maybe that cell phone number calls back to Rendition, right, and then my guy on the other line says, oh yeah, that's me, you can just go ahead and let them up. A little spoiler there.

All right, third phase is prep, preparation, right? So now I'm going to start pretending, I'm just going to start getting that role going. I'm gonna figure out if I want to go in as an AT&T contractor, right, and then I have all this cool paperwork and I look like I'm a professional and I have cable equipment and I'm pretending like I'm gonna be this person. Obviously I know a little bit about networking, I hope, if I'm doing this job working for my company, right? So at least I can talk the talk of a little bit of networking, right? And I'm gonna start working that in and practicing that, and then I'm gonna execute it. I'm gonna go into the building at a certain time because I know this security guard is a little bit lax, and then I'm going to talk to him, and then I'm gonna provide certain documents, and that's how I'm gonna get in, right? He's gonna let me in, give me a badge maybe, that'd be awesome, right?

All right, so how's it been going since last year? So, Bryce, you talk about this like foolproof plan, you know, you get dressed up as a contractor, does it actually work? It does work, and it's still been working, right? I'm still batting a thousand. I haven't come across a client yet that told me to break into their building and I haven't yet. Okay, that being said, some things have changed, right? So we had a client that, basically, I broke into their building pretty bad, right? They were really upset with me. They were happy, because what we're doing is we're securing their building, right, we're securing their network, which is data that, you know, you guys might be stakeholders of this company, right, and it's helping you guys out too. All right, so obviously they're mad, though, right, but I'm helping them out. And they said, okay, hey, we fixed everything. I know you picked locks coming up all the floors; we fixed all the locks, we fixed all this stuff, come back. I say okay, well, I come back and, did they fix all that? They did. But what they didn't do is they didn't train the front desk security person that there might be expected visitors like myself who pretend they're AT&T contractors and then give them a fake cell phone number that calls Rendition, and then Rendition says, yep, go ahead and give him a contractor badge, he's good to go. And they say, okay, cool, and then they give me a badge. So now all those great locks that you put in, that I can't pick anymore because they're pretty good, right, or it will take me a little bit more time, now I just have a badge where I can just scan in, and those bypass sensors that you put in, I don't need to worry about them because I'm actually badging in. I'm a legit guy now. Yeah, so not good for that; good for the home team. But I did get denied, guys. Someone actually told me no, and it didn't go so well. So what did I change? Well, they told me no, and this is great. Like I said, this is great for the client, because I get denied, right? This is great for Rendition, because now our client is actually seeing how important our work is, right? They understand that they want to secure their data better, right? This is great, this is a great win, but not for me personally. I don't like to be denied, right? I like to get into the building, okay, because I'm actually doing my job. So I got to figure out another way in. So that contractor cover that I talked about in phase one, it didn't really work. All right, so when in doubt, you do the easiest thing possible, and you tailgate, right? So we came in at night as contractors and I presented all this data, and guys, I threw it on thick. I was like, hey man, it's an emergency, we have to get up here, you have to give me... please, I don't want to be here either, I want to go watch NFL, insert your favorite NFL team, I want to go watch them play too, please, right? He's like, I cannot do it. I said fine, came back the next morning and just walked right in past security, during the morning rush of course, but nobody noticed (words are hard), and just walked right in.

So confusion, persistence, and patience. I'm going to talk about this here in a second. This is key here to really kind of get your way into the door. All right, so I love this quote by old George Bush, George W. This is a great example of confusion, patience, and persistence, okay? This guy, right, he's clearly confused in the statement, number one, but number two,
he's very persistent and tries to finish this guy outright, and he tries to finish the statement. I love this statement, right? But you guys get the idea, right? When you read this, you're like, okay, I get it, you know what it was: fool me once, shame on me, fool me twice, shame on you, right? You guys get it. But when he said it, and he's all confused and everything like that, that's exactly what I'm doing. I'm just confusing you, saying yeah, yeah, there's a network thing and then the other stuff with the thing, and then you guys let me upstairs, because you're like, dude, I do not care, get out of my face, take this badge, right? That's exactly what I'm doing. He's great at it. George Bush is a genius; he doesn't even know it. I don't think anybody else knows it either, except for me in this room.

All right, so yes, so when in doubt, confuse them, right? If you get challenged, confuse and deflect. Whenever we tailgated in, we rode the elevator up, just kind of riding up with people that had badges to get into places, and obviously we just tailgated behind them on these badge-access floors, and then one of the employees, they actually did something that they're supposed to do. They noticed we did not have a badge and they challenged us, right? Yeah, come on guys, this is awesome, right? Finally somebody challenges Rendition whenever they're walking around without a badge. This is awesome. However, I would consider that a win for them if we got in and then they kicked us out immediately. I would consider that a win for them, right, and I'll be like, tighten up your, you know, tailgating at the front and we're good to go. Yeah, so basically this lady came up to us and she said, hey, you don't have a badge, who are you, what are you doing, right? Oh, you know, there's this person, I can't remember her name, Kimber, Lisa... oh, you mean Kimberly so-and-so? Yeah, yeah, can you take me to her desk? That's what I'm trying to find. Oh well, she's not even on this floor, she's on the tenth floor. Great, let's go up to the tenth floor, take me to Kim's desk. Hey Kim, this guy is here to see you. Kim looks at me like, I don't know who this guy is, right? He doesn't have a badge. You good? Yeah, we're cool. My escort, the person who challenged, walks away, leaves me alone, and then I say, hey Kim, sorry, I just want to congratulate you on that one thing. She's like, what? I'm like, oh, maybe that wasn't you, sorry. Walk off, and then that's it, and I'm back in the building. I'm back in the building unescorted, I'm doing whatever I want now, as long as I don't run into that same woman, right, that challenged me, I'm good to go, right? And obviously we're walking around some more and doing what we do and getting all this sensitive data. So I was like, man, they were so close, but didn't.

So what about persistence and patience? Okay, I go up to another building, I go up to the security, I say hey, contractor, yadda yadda yadda, you guys know the story. They're like, well, we're not going to let you in. I said, well, take me to your supervisor. I keep escalating it, right? Finally, long story short, and I mean long story short, I sat in a room, the security room, for three hours. I'm exaggerating; I come in at like 11:00 p.m. on purpose, and I don't even get upstairs until 1:30, right, two o'clock, something like that. And basically I'm just chatting it up with this guy, there's all types of confusion of who we are, it gets to the point where he denies us. He says, hey, whoever you're trying, whatever you're trying to do, get upstairs, they're not gonna let you upstairs, we don't have access, you don't have access, you're not getting upstairs tonight, come back in the morning. I said okay. I said, well, what's the number of the people, like, what's the number I have to call to get in, right? He's like, oh, I got you. I was like, I'll set up an appointment for tomorrow morning, no problem. I get the number, I call them. I walk out of the office, I call them immediately, and I call them so many times, and then I have Rendition guys call them so many times, to the point where they get so frustrated with us and they're like, I don't care who you are from AT&T, but this is the last time this is gonna happen, I'm gonna give you access upstairs. Wow. So we were so persistent and so patient that they got tired of hearing us trying to get access that they just gave us access. Yeah, it pays off, guys.

All right, so lessons learned. Okay, you might be the bad guy. And what I mean is, you remember I was talking about, like, people might be upset with you. You're trying to help their organization out, you're trying to make them safer, you're trying to make, I'm trying to make stakeholders safer, more secure, secure your data, right? I want to secure your money. This is your future, your family; we're trying to hold it down for you guys, okay? You come into a meeting and they say, hey Bryce, you broke into our building like we told you to, but you broke some things, right? And usually it's the person whose job is on the line, who didn't know about the test, right? He's in charge of securing the server room, he's in charge of physical security, and you just pretty much did it in their face, and his boss just said, hey, I hired a company, and it doesn't look good for you, right? So this guy obviously could be like, hey, you broke everything. Spoiler: we didn't, at all, like we didn't break anything. I'm very cautious about that. The reason I bring it up is: be careful, document everything you do when you're going through these buildings. If you are a physical pen tester, make sure that you cover your own tail and your company's tail, in the sense that you do everything properly, document everything properly, so nothing comes back to you and they try to pull this one on you.

Right, leadership. When I was first doing this, one of the common misconceptions I had, obviously, is your CEO, your CFO, the C-suite, right, they're at the top of the building, right, all the way up. So if I get like a maintenance guy, I'm like, hey, let me in, you know, or give me a badge, as soon as I get in an elevator, boom, top floor, right? Or like somewhere in the middle is like IT, right, IT security, somewhere in there. It's just always how it's been. Came across a building, I go all the way up, top floor, not anywhere where I wanted to be at all; the floor was in the middle of the building, okay? And how you know this is, it's decorated really nice, right? The CEO's office and floors, you always think it's like marble and gold, and then you go to like IT security, there's cockroaches running all over the place, right? So it's like, I know what floor I'm on, right? So just saying that whenever you go in there, try to find what's on there, building directory, right. And that's, you know, I'm looking for sensitive data, right? I'm looking for PII, PHI, all this, passwords, whatever. But what's really good to have is, as soon as you get off a floor, you see that every employee has this directory sitting on their desk, and it tells me what floor everyone's sitting on, it tells me everyone's phone numbers, what their responsibilities are, if I need to get access after hours to something, who I need to call, who I need to email, the email template that I need to give them, right? Oh man, this is great, I'm gonna put this in my back pocket for next year when I pen test them, right?

So, and Google Street View. This is just something silly, but just remember that Google Street View is not up to date. It's not real-time, it's not a live NSA satellite feed, right? So if you see that they're doing construction on Street View, just know that probably some stuff's going to change, so take it with a grain of salt whenever you're doing OSINT, or open source intelligence. Look at Google Street View and then make sure you get on site, get your actual eyes on the building before you start making really big plans, right? Have a plan, be prepared to adapt.

All right, frequently asked questions. My wife, like, she didn't hit me, but she hit me on this. She said, Bryce, I love your talk, everyone loves your talk, here's the thing: you do this talk and then people ask these great
questions and then you answer them and you put the story together or whatever. Here's the thing: you go to another talk and no one asks that same question, and then that's really good data that you don't give them, so you need to put something in your slides that talks about those questions, to answer that for people. So here you go, you can thank her.

All right, so what happens if you get caught, right? That's always a question. First one: hey Bryce, what happens if you get caught? This is what happens. You get what's called a get-out-of-jail-free letter, right? This is something that you sign, your company, your leadership, and that company's leadership, you guys sign it. You have a document that you carry around on you physically, that if you get caught, you present this to security, whoever it is, to the point where, if it's kind of the last measure before cops are called, that's kind of when I bring it out, or when I would bring it out; I haven't been caught, but that's where you would bring it out and present it. So now, here lately, this slide has changed, right, because this doesn't work, apparently, right? Anybody hear about this recently? Okay, we won't get into it. But that being said, if this doesn't work, okay, just understand that your leadership is going to have your back, right? Make sure that, basically, this doesn't happen to you. Make sure that the statement of work, everything in there, is laid out, exactly what you're doing. Make sure you do have this letter. Make sure all parties... I think the biggest thing that we can learn from this is all parties, like, understand what's going on, right? We did a building where basically they had a third-party company, they shared the building, two companies shared the building, and the company that we were pen testing didn't own the building technically. We had to make sure that the security of the other company knew who we were and what we were doing, because those are the people they're gonna escalate it to the police, right? So they had headshots of us, they know what's going on, they know when it's going on. Make sure, like I said, just make sure all third parties, everyone is kind of in the know who needs to be there, all right? Especially the people who might call the cops, okay?

All right, so what are some creative ways you get in, Bryce? Okay, what about floors, right? A shared building. This is really great, because they say, hey, we got floor ten, if you're trying to do your own startup, you can be right in downtown Chicago and come rent this space. Call up that real estate agent or whoever it is and say, hey, I want to take a tour of this building. That will at least get you past front security into the lobby, where you have a reason to be there, past front desk security and up the elevator, and then you will learn some things, right? And you might even be able to sneak in a couple buttons or two and try to get on a wrong floor, and maybe even just leave the real estate agent behind, who knows, right? What about if you're looking for a job? This is actually a real threat. I don't know if you guys know this, but now you know: someone could try to get a job with your company. If you have some type of sensitive company, nuclear, financial, whatever, an adversary could try to get a job with your company to be an insider threat, okay? And they could cause damage from the inside. And I will go and actively look to see what positions they have open, to get a job, and then that would get me in the lobby, potentially up. If I want to go see the IT security floor, I'm gonna interview with IT security, right? Obviously make sure you know what you're talking about, but not too much, so they don't give you the job. It's like, you know, no, I wouldn't keep working with Rendition, trust me.

All right, so what happens if you get in, what do you look for, Bryce? Look for sensitive information. I look for desks that are open, I look for, obviously, the server room, servers specifically, any sensitive data, especially if it's financial. I'm obviously looking for PCI stuff, anything like that, right? And then candy around the holidays. You guys leave out some candy canes on your desk? Boy, and I'm fat, so I love some candy canes, and Reese's peanut butter cups. I'm just saying, everyone leave them out. I'm like the opposite of a tooth fairy, like I don't leave anything, I don't leave you a dollar, I just take your Reese's, you know? So, Bryce was here.

All right, and then how do you get into this, Bryce, how do you develop these skills? I want to be a physical pen tester, how do you do this, what are some of the things I can do? Acting classes, right? Acting classes, improv classes, start getting into that, be able to lie. Go to a bar, or while you're going through the airport, just strike up a conversation with someone, try to, like, make them think you're a billionaire without a private jet or something, I don't know, you know, I mean, just make sure you're comfortable with people. There are some things that can be taught, obviously, but you have to be a kind of a specific type of person, a certain personality, to do this. But there are some skills that you can develop: deception, cover, you know, thinking quick on your feet, that kind of thing.

All right, and how to stop me once again. Spoiler here: this slide hasn't changed at all from the first talk, okay, because all this stuff still works, and this is the stuff of how to stop me. If it didn't work, it wouldn't be up here. So prevent, once again, please, I don't care if you've known John for 30 years and you sit beside him every single day, you tell John to badge in, right? You shut the door in John's face and you say, sorry John.
Actually, two guys came up to our booth today and they're like, yeah, I ticked off some lady, I slammed the door in her face and I told her, badge in, and I was like, all right, yeah, good job. Oh, like, I mean, you got to tick off some people to do your job, right? Right, because, I mean, here's the thing, John could have been fired yesterday and you just let him in, and now John's trying to come in and destroy the company. That's your pay, that's your family, right, that's your customers, and John could try to ruin that, all right? Hide your badges. I love looking at people's badges, especially in the parking lot, so I can make a fake one and come in, right? And I can just show it and walk right in; don't even need to scan it. Validate all visitors with employees, okay? Make sure, if I say hey, I'm here to see John, or whoever it is, make sure John comes down and actually knows who I am, instead of just saying, yep, go ahead and go up and see John. Police each other. If you're seeing something, like I said, slam that door in that person's face. And then don't provide sensitive information over the phone, guys, don't. This has happened, that's why I'm saying that. Do not give us a login portal and then restore an account that we didn't have and give us domain admin. Yeah, yeah, that happened, so don't do that.

All right, questions? You guys like that? No questions? Yes sir. Oh, nice question. All right, he said... the question is, what is my favorite disguise, and do I like Halloween more than the average person? I would say, more than the average person, I definitely do like Halloween. I love scaring little kids, and I have an excuse, because I own a house and we got a big old front yard and it looks scary, I got like Spanish moss coming down. I can't do it this year because we just moved in, but next year, I swear I'm going to scare some kids, right, because I got scared as a kid. And then what's my favorite disguise? Business casual always works, or whatever that company's attire is, right? I know that sounds like cliché or whatever, but I would say my favorite one is a yellow reflective vest, a neon reflective vest. That will get you in anywhere. You can look up YouTube videos right now of people that got into Walt Disney World for free because they wore a vest, and like, literally, they're like, hey, I work here, yep, cool, and they're like, yeah, yeah. I mean, like, that will just get you in anywhere, so like keep one in your back pocket. Like, our CEO just has one, he just keeps it, I don't know why he just has one, I mean, I know why, don't get me wrong, but he always has one. Yes sir.
Yeah, good question. So the question is, whenever you're doing physical pen testing, are you by yourself, are you solo, or do you have some team on site? It depends on how big the client is, right? If it's a huge, huge, huge skyscraper and there's multiple floors, right, and I know it's gonna be kind of a lot, I'm gonna bring multiple people. That being said, the adversary who has a lot of money, right, because we're working off the client's budget, but an adversary that has a lot of money that's motivated to get into your building is gonna have as many people as they want to use. And why I say that is because if I only have three guys, it's like using the same IPs. For our hackers, using the exact same three IPs and you can't change them, so if I scan your network with an IP and you see something suspicious going on, now you're gonna trigger on that IP. In the physical pen testing world, the IP is my face, right? So I only have three guys with certain faces; I can only change so much, shave a beard, cut their hair, put on a hat, whatever it is, until the point that we're all burned, as we call it in the industry, right, where, hey, I saw that same security guard and he's not letting me in. Any other questions? Yes sir. Yeah.
Get rid of them. I actually, it's funny, I was going to put a slide in here that said lessons learned: the client, your glass doors are really pretty, but they do nothing for your security, right? I can see everything in there, and usually they have the REX sensor on the other side, which I'm sure a lot of you guys know; I see a lot of yep, yep, yep. You can trigger that thing from the inside, upside-down compressed air can, you can trigger that. I like to use balloon animals, yeah, the long balloons, you just blow it up and it just skyrockets on through, trigger that, trigger that alarm, yeah. I'd say this: if you're gonna have glass doors, right, try to close that gap, try to see if you can put like a metal strip, right, so that way it can open but there's not going to be that gap. Magnetic locks: take away the motion sensor to get out, use a slot panel that's far away where I can't reach it from the inside, so I can hit escape to leave and then roll out. Any other questions? Yes sir.
Yes, we haven't personally dealt with it, but I would wear a beard, or grow a beard, then shave it and then do it, and then send another guy in, you know, that kind of thing. Here's the thing: if you become friends with the person that has control to turn off facial recognition, now we don't have to worry about it, right? So one more question in the back and I got to go. Yes sir.
Sorry, yes sir. So the first gentleman's question over here was, do you deal with facial recognition, and that was my answer for that. And then this other gentleman's question was, are there any industries, financial, health care, etc., that you try to stay away from? I will say we are not... to answer your question, we are hesitant, aka I am hesitant, with anyone that has a gun, right? Anyone that, like, if it's a compound, there's people with like M16s on their back, I'm like, all right, let's tell them who I am, or let's assume I get past them. I'm not trying to get shot. I don't trust anyone with a gun but myself.

All right, so perfect, great questions. And this is rough, okay? Get someone to... you're stripping, sir? You want it, in the back? Someone tell me something you learned today. Yes, I saw one hand go up, you sir. No? Come on. Yep, one more time. Love it. I saw you lock picking, do you have a lockpick set? I saw you lock picking at our booth. Do you want a Wi-Fi Alfa card? Yes? All right, this is yours. All right, yeah, yeah, yeah, use balloon animals instead of the compressed air, that's a Bryce touch right there. Cool, thank you so much guys, I really appreciate it.