
All right, thank you everyone. So we're going to do a bit of storytelling about our experiences with physical breaches. The content for today: the intro about us has already been done, so we're going to give a quick background about red teaming and what it is about, but we're going to keep it very light. Then we're going to start with our stories. I have one story today, Moritz has two, and at the end we'll do quick takeaways and Q&A at the very end. Just a disclaimer: all the story details are of course anonymized, we're not going to disclose any names or locations or dates.

So who am I? Well, we already heard, I'm Fat. I've been at NVISO for four years and I'm a red teamer in the ARES team. And then we have my colleague Moritz. He's also been at NVISO for, I believe, four or five years, and also a red teamer in the ARES team, which stands for Adversarial Risk Emulation and Simulation.

So, a very quick background: what's the difference between pentesting and red teaming? With pentesting you basically have a web app or internal network or mobile app etc. and you do security testing on it. The customer is fully aware of what you're doing and you try to find as many vulnerabilities as possible. With red teaming you basically do a whole attack simulation against a company as a whole. So you try to be stealthy, you get in via phishing, assume breach where they give you entry, or you do physical breaches, which we're going to talk about.

Then there are a few terms you need to know with red teaming, who is who. So basically the red team, that's Moritz and I. We are the guys who break in, the bad guys basically. Well, we do it for ethical reasons, but we are supposed to not get caught and reach our objectives at the end of the red team. You have the blue team. They try to make life difficult for us, they try to catch us, they are basically the defensive team, and we have to be stealthy for them and try not to get caught. Usually they are normally not aware of the operation unless we get caught, and then they say, okay, you can continue now, but we'll keep an eye on you. And then you have the white team. They are basically the connection between us, the red team, and the blue team. They will basically let the red team know what's going on, like, hey, an alert has popped up, you guys have been detected, or the blue team seems to be suspicious of some activities going on in the network.

And then it's story time, and I'm already going to give the mic to my colleague Moritz. He's going to do his first story.

All right, hi everyone. So it's my turn to talk about the Mountain Base project. That was a really, really cool one, I believe. As you can see, it's an industrial facility built into a mountain, and that already sounds pretty James Bond stuff, I believe. It was pretty cool. It was very remote though, as you could imagine, because you usually don't find mountains in the center of a city, right? The objectives for this project were to gain physical access to this facility, to get in there, and also to plant a rogue device, so a remote control device planted there by us, so we could then also access their industrial network. That was pretty much the crown jewels of that facility.

Now, how would you approach doing something like that? Well, here's what we did. Of course, we start with some reconnaissance first, always. So we try to find out as much as possible without touching the objective or really engaging with them, but only leveraging open source information like YouTube, Google, Google Maps, social media. This is just a wealth of information you can find there, so the world is pretty much your oyster, and we found some pretty interesting stuff. Just doing some lookups on Google Maps you could already see some interesting pictures. So yeah, it is indeed built into a mountain, you can see there's just the rock face there, there are some groups of people wearing hard hats, there are some rails. Okay, already interesting. You can also see some pictures of the outside. Then, doing some more Google searches or Google image searches, you can find that there was actually a 3D map of the facility. Super interesting for us, but as you can see it's not annotated or anything. This is not the actual picture of course, but a similar one. It's not annotated, really, so we don't really know what we can find or where we can find it, but we already got an idea that this is a very, very big facility.

Well, we drew some conclusions from this information. So it's a very remote location by the nature of the facility, right? It has a very extensive underground area, so it won't be easy to cover, won't be easy to find interesting things there in a timely manner. And of course it's closed to the public, but what our research surfaced was that there are guided tours, which is nice because you could potentially infiltrate them, right? That's cool, so let's keep this in the back of our minds.

We then proceeded to do what we call embedded recon. So we go there on-site and try to have a look from some distance, and the focus there is to have a look at the physical access controls, so like, are there any doors, locks, whatever, and the perimeter barriers and the perimeter security, so like CCTV, any alarm systems. Yeah, but how do we do that? You know, it's just an industrial facility. So we found this is by the roadside, it's pretty remote, we could just drive up there at night and act like we were just taking a break, because that is a public place, so that's okay to do. We did this and had a brief look, and we found out: hey, there are high security locks, might be very hard to lockpick, let's maybe not do that. There are also keypads and card readers, might be interesting to have a look at. And at least during the day there's a lot of traffic, so that might be good for us, might be bad for us, remains to be seen.

So what are our options here? Here are some techniques that we could employ there. Access card cloning: they got card readers, cool, but it would be very, very tricky to get hold of a card, though, because nobody usually leaves their card by the entrance, so that's not an option. We didn't want to fiddle really with the alarm or CCTV systems, because that would possibly trigger alarms, don't do that. We won't try and attempt to lockpick some high security locks, so that's out of the question. Also, we didn't really feel like spending a whole lot of time there trying to disassemble and fiddle around with the key card reader, so I ain't going to do that. Social engineering sounds interesting, so we will keep that open. Destructive entry though, no, that would be too much, and also the client didn't want us to, so let's not do that. But you know, once we got entry, once we got access there, what we could do is try and establish persistence. So try to stick around there, distance ourselves from a group that we joined there, just separate ourselves and maybe try and stay there until they're closing down, and then we would have free access to the facility. Could be nice.

So here's what we did: we tried to go ahead with the social engineering and persistence approach. So we knew there were guided tours. Two caveats though, two problems. The first one is, it's for a group size of at least 10 people. We were two colleagues, so that was a problem. And the other problem was that you have to register for such a guided tour eight weeks in advance. We were there for two more days, doesn't check out. Okay. But the white team said, that's not a problem, coincidentally, the next morning there will be a guided tour for new joiners, try and infiltrate that, maybe. And we said, hey, cool, we're going to do that, that's cool. So we developed a background story. We said, you know, we are from a remote branch, we happen to be here by coincidence, let's maybe just join, we were invited here, might be a good idea.

So we went there. This is at a mountain, it is at a very high altitude, it was snowing a whole lot, we were freezing like hell, and at some point that bus with the people for this tour arrived. They were pretty late too, so we were freezing our butts off, but anyways, they arrived, they got out of the bus, and there was a very lovely HR lady who approached us and said, hey, who are you, what are you guys doing here? We told her our story, and she was like, oh wow, I had no idea, I wasn't told, but hey, that's great, if we could make this happen that would be so cool, come ahead. So we went in there, had a very interesting tour, super, super interesting really, and we were left to ourselves, right? That was cool. But then 5 minutes later she came back and was like, you know, I had a call with HR HQ and they said they don't know about anybody joining, so what's your name, can I maybe verify and check? We gave some fake personas that we had prepared in advance. We were again left alone, cool. We continued the tour, it was all nice, but again, 5 minutes later she came back and was like, I had another call with HR, we couldn't find your names, so who's your manager, who else can we call? And then, well, we stumbled a bit. We were like, you know, the onboarding of our branch is known to be very, very bad, you know, we didn't even get to know our own manager yet, we just joined yesterday, we didn't even get to know them. And at this point she was like, no. And she had a face that said, you can't really play games with me. So we said, oh, let's not do that. And she asked us to leave. She said, this is an internal event, we can't really verify your identity, please leave. So we did that. There was a worker who escorted us outside, and he was like, you know, I don't get it, there are public guided tours here, why does it play a role whether you are a new joiner or not, whether you're an employee or not? We tried maybe talking him into letting us remain there, right? But then again, we knew that if we encountered this HR lady again we would be busted for good, so we didn't.

This was half a win actually, because they did not raise an alert just there yet, so we didn't have to give up our cover story, we didn't have to admit that this was indeed an assessment. This was just a job well done by her, and that's good for the customer, I guess. So just to draw a quick result here: this lady was very process oriented. Any deviations from those processes spark suspicion. That was good for her, bad for us, right? She was incredibly persistent. But as an aftermath, they actually raised an internal incident at HQ. That was interesting.

But at that point we were like, you know, we won't just stop there, because we want to simulate what happens if we actually got there, if this was successful. So the white team said, we are going to escort you, we are going to get you in at night, and then you can simulate what you would have done if this first attempt was successful. So we went back there. It was night, still snowing, still cold. A white team member actually escorted us there and they disabled the alarms. It was cool, we knew what ground to cover. So we went in there, but didn't really know where to go, because we didn't get very far in that guided tour. So we explored the location, explored some more, and some more, uncomfortably long, and then we actually found a control room. That was very interesting. We found a couple of interesting things here. First, there were two HMIs, so like control displays. The first one was unlocked, but with a very low privilege read-only user. Interesting, but not a crown jewel. The other one was locked, but had an actual username that had "admin" in its name, so that was already promising, but we didn't have any credentials, so that sucks. But there were a couple of drawers, and we had all the time in the world, we believed, so we browsed around, found some files, and, you know, just like in any bad sketch, I guess, there were actually the clear text credentials for that second HMI. So we unlocked that. That was great for us, bad for the customer again, but a good learning for them.

But we still didn't get to plant our device, because we didn't find a network jack that we believed would really be interfacing with the OT network there. But, you know, there was a printer, and that one was connected to a network socket that had the same color as those HMIs. We had this suspicion that if we took those HMIs off the network there would be an alarm triggered, that's not good, but would there be an alarm triggered for a disconnected printer? Maybe not. So we disconnected that, added our network switch, added our network device, and we're good to go. Cool.

But then, actually, like 2 minutes later, the telephone rang. And remember, that was like at midnight, and the telephone rings, that's a bad sign, right? So my colleague and I locked eyes and we were like, oh, what's going to happen here? And then we had a look at the white team guy, and he was like, ah yeah, guys, you know, there's possibly going to be security, and if I were you I'd run, because they're going to be here in 5 minutes. Yeah, so we did. Remember, that was a very extensive area. I wasn't the only one breaking a sweat on the way out. So we got out of there and we decided, okay, let's maybe wait to see what happens, is security actually going to come? Because nobody was inside anymore, right? So they had to get there and then face us there. So we went outside and waited and looked around and looked around, and nobody, like for 30 minutes, no joke. Yeah, we were all pretty much puzzled, continually looking around, nobody was coming. So that was a bit of a let-down, but again a good way for the customer, I believe, to actually improve on that aspect.

So to draw some results here: the leg up was successful, I'd say. It turned out they only had heavy security at the entrance, which got us pretty far actually. They did also raise a local incident, but they didn't draw any connections to the first incident, which was weird. And then the next day they also conducted a plant-wide investigation and search, because they knew there were some alarms being triggered there on the network side, something must have happened. Yeah, well, they didn't even find our device, it turned out. So also something they then could improve on. And then I'm
going to hand control back to Viat.

Yeah, so, "who are you?" That's my story for today. Basically I had to get into an office building and gain physical access and then also plant a rogue device, but also take pictures of sensitive documents or other things like laptops that were left behind that I could find. So for the recon, I went to the building during the noon break, just to see what people do when they go out for food. I saw that it's a pretty large office, well, medium large. There was a revolving door which was the only entrance into the office, and I saw that, well, it was see-through, all the windows, so I could see that the elevators are in front of a receptionist desk. I thought to myself, okay, tailgating looks possible, because I saw a lot of people coming in and out and the doors basically kept spinning while people were badging. I also saw people in the streets wearing company merch, so I thought, okay, I'll just go grab some food and I'll follow whoever I can find that has merch from the company on. I thought to myself, okay, I'm not going to need a fake badge, this looks quite easy, I'm just going to follow people and I'll see what I do inside, some improvisation basically.

So I went into action pretty much immediately, I didn't prepare too much for this one. But of course, it wasn't as easy as it looked. The doors require badges, and even if you try (because I was waiting outside, and when I saw someone from inside coming and badging, I went inside the door from the outside) it suddenly stopped halfway and turned us back slowly, which was a bit awkward, because we locked eyes and the guy gave me this kind of look like, yeah, you can't do that. And I tried it again afterwards, maybe something was wrong, but it didn't work the second time, which was also awkward again.

Eventually I saw someone standing outside having a smoke, and I talked to them and I basically gave them this story, which is quite effective, by the way: hey, I'm a consultant, a last minute replacement, I'm quite early, could I go to the toilet or something like this, because I really have to and I have to wait like an hour or two still. He's like, actually, the receptionist lady is coming up right now, she's coming back with food, I'll send you to her. Which I didn't really like, because I didn't want to be talking to the receptionist lady. But she basically guided me in and asked me some questions like, who are you here for, what do you do, what are this contact's details? And I gave her the details of a person that I knew in the company, but only the first name, I didn't give her the phone number, and she didn't really ask afterwards.

So I was inside, thinking, okay, good, I'm inside, but what am I going to do here? She was sitting there and obviously waiting for someone to come and pick me up. I was thinking, okay, good, first I bypassed the doors, but now I'm sitting here and I don't really have anywhere to go. I had my bag of food with me though, because I went for the noon break, I was actually hungry. Everywhere I looked required badges though, even the elevators, so I couldn't just walk off and go upstairs and expect her not to notice. After a while she said, do you want to eat your food in the canteen? And I was like, you know what, I'm fine, I'll just eat it here, it's fine, I'll wait for my contact person. But actually 3 minutes later I was thinking like, what? Of course, yeah, I would actually like to go to the canteen, like, why wouldn't I? Because the canteen also required a badge, and everyone's eating there right now because it's the noon break. So she actually did guide me to the canteen with her badge, and I was sitting there eating my food, and I saw, of course, everyone around me had the merch on, because there were multiple companies in the building. So I saw, okay, this table is getting ready to stand up, so I thought I'm going to follow them outside of the canteen and I'm going to follow them into the elevators. But of course they didn't go into the elevator, they just went outside, and I was outside of the canteen waiting in the hall, hiding from the receptionist, because there was only a small wall separating me from the receptionist lady, and I was standing there thinking, all right, I'll just wait here.

Eventually a group did pass by and I followed them into the elevator. The lady could actually see me, but I tried to hide between the crowd from her so she wouldn't notice. And yeah, I basically followed them to whatever floor they would go to. They were also very nice and opened the door for me to go into the office as well, and I thought, okay, good, I'm in. I sat down somewhere at a desk, and two guys came up to me and had a small chat. They were looking at me as if, hey, there's a new guy here, let's talk to him. But they left afterwards, and I was like, okay, great, now I can finally get going, plant my rogue device, have some recon in the office. But of course they came back, and they brought someone else: the receptionist lady, who was very, very shocked to see me in there. She was almost angry, and she started asking me rapid-fire questions together with the other guys. She was like, what are you doing here, you were supposed to be waiting downstairs for your contact person. The other guy says, what are you doing here, this is actually a very sensitive department, you're not supposed to be here, it's a department where everyone knows each other. And the other person asked, can I have a contact person and their number, I have to call them. So basically they were asking questions over each other and I tried to answer everyone. I gave them a story: yeah, I don't know, my manager is out of office, the guy that I'm supposed to contact is out of office or sick, is not picking up his phone. Eventually the one guy forgot about the question of giving him the number of the contact person, and after a while I actually managed to convince him to let me go. And then one guy actually came with, all right, I'll guide you outside and I'm also going to get you a visitor's badge. So I got very lucky there, that was great.

I went outside, we talked for a bit, we went to pick up the visitor's badge, and then we went back to the office. But of course I was a bit stupid. Sometimes you shouldn't really talk to people, especially when you've already won. I went to the receptionist lady and asked her, okay, which floor am I supposed to be on, because I don't want to enter the wrong floor again. And she got suspicious and she was like, you know what, actually, do come with me. And she brought me to the security room, where the people did ask me the questions, and I had to wait for someone to pick me up. We considered that a leg up, but the white team did actually tell me, okay, technically you've won because you had the badge, but you just shouldn't have talked after that. So yeah, that was it for my story. Let me give back to my colleague.

All right, so, another industrial plant. This one wasn't underground this time though, and not as extensive as Bing Creator makes it seem, but let's have a look. So again, the objectives were to gain physical access to the facility and then also gain access to servers that were hosted on-site locally. Those were servers that controlled various parts of
the facility. They just wanted us to get access, not to fiddle around with them, of course.

So again we did our recon, again OSINT, and we found a satellite image from Google Maps, and we could see again, yeah, well, it's remote, as you would suspect from an industrial installation. But there are parking lots, there are only very few buildings, but a very open area there, that might be tricky. We also got some Street View images, which was very helpful to get an idea: okay, just how big is this facility, where are the fences exactly, are they tall enough, are they too tall to climb, are there any security installations there? Well, there were lots. Yeah, we again found out: remote location, very extensive area, and this one was fully closed to the public, no guided tours whatsoever, and aside from this not a whole lot we could actually find out. OSINT-wise this was a bit depressing, honestly.

But we went ahead and did some recon there again, and found out those guys were really prepared. So regarding access, there was just a single gate and very few doors. Those doors were embedded into the fences, they were pretty much bolted down, and there was even more CCTV surveillance at those doors. That was a bit of a let-down. And then they had lots of cameras, lots and lots and lots of cameras. Not only cameras, but wide angle cameras, they got thermal vision cameras, they got night vision cameras, dude, they were excessive. Actually the white team told us that especially during the winter time (we again were there at winter time) the thermal cameras would obviously bust us, so not a good idea. There was another interesting thing which we stumbled upon, and that was those black boxes hanging on the fences. We noticed them because they were there in intervals of like 1 meter, and we were like, what the hell is that? We had a sneaking suspicion, and the white team confirmed: those are vibration sensors. They even pick up on freaking birds sitting on the fence. So no way we could try and climb that stuff.

But we found something interesting. Even though there was a fence perimeter around the facility, and there was nothing really next to those fences or really in the vicinity there, there was one opportunity where there was a very small building, like an electrical cabinet of some sort, right next to the fence on the outside. So theoretically we could have climbed on this one and actually jumped over the fence. It was like a 2 m fence, so a bit risky, but, you know, it's not a very good option. So we presented our findings to the white team and said, you know, there's the first option, jump the fence. Easy to get in, because it's easy to climb that cabinet, not that easy to actually land safely then, but it's also incredibly hard to get out, because there's a 2 meter fence, you will instantly detect us when we try to then scale that thing. Might be hard. Also, we then want to do this at night, because during the day there's a whole bunch of people there. There's nobody there at night, that we found out, but, you know, it looks suspicious, because there is a residential area nearby, there were people walking their dog at freaking 11:00 p.m., I don't know, and there were cars driving by. So there was a very open area, you could have easily seen us, because the whole facility was lit at night. Okay, that's a bit tough. It was also, again, winter time, so we couldn't really hide very well, because there were footprints everywhere if you just took a stroll in the snow. Not a good idea. So, us and the white team, we said, no, we won't do that.

But, you know, there's also, at every assessment, this last straw, and this is social engineering. And the white team told us, if you had had more time to observe the location, you would have found out that there's a cleaning service coming by twice a week, maybe do something with that. We said, okay, we're just going to build a pretext and say, as background story, we are the replacement for the cleaning staff, we're going to get in there, easy peasy. So the pretext requires very little preparation, simple execution, we thought it might be good enough. But the thing is though, usually those guys got keys or key cards to access limited areas. We obviously don't, so there might be a problem. The white team said, let's go for it, and we went for it.

So we said, okay, let's go to the hardware store, get some cleaning supplies, I think it was a total of €70, and get there just briefly before lunchtime. And we went there to the gate. They asked us, obviously, what are you guys doing here? We were like, you know, we're the replacements, the other guys are sick, let us in. They let us in. Easy peasy. So there we were. The white team had already told us where to go, we needed to go there, so we could just go there, right? And we pretty much did. What we feared was that this was crawling with people. Turns out, no, lunchtime, nobody's there, really nobody. We were just in time there for lunchtime, which was great, everybody was at the cafeteria, so cool, we could just go away. We went there, then we were at this target building of ours, so just a very tall building, massive glass front. We couldn't really get in because there was a card reader, but somebody came by and we just asked them, you know, yeah, well, again, we are the replacements, could you open for us? He was like, yeah, sure, no problem, I'm going to open for you. And we were in. That was surprisingly easy.

But there was only one way and that led upstairs. So we were sitting there, and we were sitting ducks, because slowly people were coming back from the lunch break and they were seeing us there idling by. And why were we idling by? Because every single door we saw had those big fat warning signs saying, if you go there, there's electricity, gases and chemicals going to kill you, don't go there. And obviously we didn't want to risk our own health and we didn't want to compromise the integrity of the facility. So we called the white team. The white team didn't pick up. What do you do then? Well, we acted like we belonged. We started actually cleaning that stuff, and it needed cleaning so badly. Well, then we actually got hold of the white team and they told us where to go. So we went through the building having them on the phone, and then we could finally get to our servers. But they were locked, like, the front panels of those server cabinets were locked. That was a huge let-down. But, you know, funnily enough, the side panels were not, so we could just literally unhinge the side panels without any tools and then reach the servers. So that was super easy again. Then we went out and everything was cool.

1 hour later though, the original cleaning staff came, and they were like, yeah, you know, we're here to do our job, right? And those guys at the reception were like, what the heck, what's going on? Obviously there was some confusion, right?

So, for some results: the social engineering was incredibly successful. They had heavy perimeter security, but they were also, I would say, lacking security awareness there. So again they raised a local incident, and even more than that, and that was a bit weird, I've never seen this before, but they went ahead, grabbed the CCTV surveillance footage and printed freaking wanted posters of us. They handed them out to co-workers and were like, if you see those guys, apprehend them at any cost.

And now I actually got some takeaways for you. To most of you I hope they are obvious already, or you knew them already, but really do trust but verify. Be persistent and very assertive. People can tell you anything, and they will tell you anything just to get in, but verify, challenge them. If you got any visitors on your facility, do have them escorted, have some staff be in their vicinity, have them monitored, pretty much. And we actually had another story where we had the takeaway that, if you got a visitor, always verify the contact person, right? They can name anybody. Ring them up, ring those guys up. If you can't reach their contact person, don't let them in. It's, I guess, very basic stuff, but super important. And that pretty much concludes our talk. Thank you guys very much, it's been so much fun, almost on time.

So, where are the questions? Wonderful. And David can already pick up and put the laptop down to prepare for the next talk in the meanwhile.

Hello, thanks for your talk, it was really cool, and I have tons of questions, but the first thing I'm a bit curious about: I mean, the thing is, for example, with the fence, a real attacker would not care about not cutting the fence. So is there, yes, you shall not disturb stuff, but is there any rule that you say, okay, let's pretend we cut the fence, and then we go on from there? Because I mean this would help you a bit. Or, for example, you destroy some encasing. I wondered, is there, when you do this pentesting or this break-in, is there some procedure with the white team to say, okay, let's pretend we did this, because a real attacker would actually break stuff?

Yeah, I mean, that's what we call assume breach, or a leg up, basically. So with a leg up they say, okay, we're obviously not going to destroy stuff, we're not going to kidnap people or extort people. So if we see something like, say, hey, we could actually jump over here, then they're going to say, okay, we're going to let you guys in. They're going to maybe escort us through the building or to where we have to be, which they actually did in the first part of the talk, right? And then you continue from there. So yeah, we do it like that.

Thank you.

Hi, thanks for the talk. Just maybe a stupid question, but how do you make sure that you don't get shot by a security guy? I'm assuming you operate also in different countries.

Yeah, well, usually in Europe that's not an issue, that's not really a risk, unless you try to infiltrate a uranium refinement facility, but I'm not sure about that. No, I'm actually not sure if we ever had that risk really upon us. I don't think so, no. I think we only, exclusively, operate within Europe, right? So no, that's not an issue. Also, we do have get-out-of-jail letters. So if we are faced with security personnel, right, we just show that, which says, here, we were contracted by the customer, and here's a contact person or two, and they can then ring up those people, which they know, which are from their company, and they will then verify the story.

Have you ever had the police show up?

Not during one of my assessments, but my manager also says no, and he's been part of even more assessments than

Hello. Thanks for the great talk. In your experience, how relevant is lockpicking nowadays? Is it used? Because one would think that anywhere serious has electronic locks. Or can you lockpick, and is it useful?

Yeah, actually it depends. When you got your outer security perimeters, those are usually equipped with high security locks or electronic measures, right? But indoors that might also be an option, yeah.

Have you actually used that?

I personally haven't done it, but we actually had a physical breach not too long ago from another colleague, and he actually did use some of the tools, if you guys have seen our vault. You actually use some of those tools to basically open doors without actually breaking them. So yeah, it is still somewhat relevant.

Okay, thank you Fat, and thank you Moritz, again.