
Physical Breach War Stories & Operations

BSides PDX · 2019 · 55:38 · 294 views · Published 2019-12
Category: War Stories
Style: Talk
About this talk
PRESENTER'S NOTE: I mention "passive infrared" (17:15), and it's actually just "infrared".

Even mature, robust, and well-funded cyber security programs can be bypassed entirely by poor physical security. Overt social engineering or covert physical security breaches have frequently and consistently compromised numerous Fortune 500 companies, regardless of the sophistication of their cyber security programs. War stories and examples of successful compromises will be shown, demonstrating the intimate relationship between physical and cyber security. Examples include subversive and surreptitious means, or shameless and brazen social engineering, resulting in total compromise achieved with negligible cost, a bit of bravado, and sometimes effort that can be measured in hours.

Robert is a Senior Security Consultant for NCC Group, originally out of Milton Keynes (UK) and now based out of Seattle (US). Having a previous academic background in intelligence-based national security, he pursued foreign languages and lived and studied abroad in multiple countries before moving into the technical side of security. His focus delves heavily into all aspects of Red Team/Full Spectrum Attack Simulation (FSAS), with a particular knack for physical and network security. As part of these engagements, he has taken part in security assessments for multiple Fortune 500 companies by simulating attacks in the guise of a real-world adversary and demonstrating how simple gaps in physical security can lead to full-scale company compromise.
Transcript (en)

Our speaker is Robert Moore, and he's a Senior Security Consultant for the NCC Group. He originally worked for them in Milton Keynes in the UK; he's now based out of Seattle. His previous academic background is intelligence-based national security. He just told me he learned Korean and actually crossed the border into North Korea. Oh my god. So he's lived and studied abroad in multiple countries before moving on to the tech side of security.

Hello. I don't like to spend too much time on a bio; I figure if you really want to know about me you can try to stalk my LinkedIn or something. So this is Blarney and Brigandry. The name was kind of whimsical because, you know, all my colleagues are British, and it's just amazing. So this is kind of physical breach operations and war stories. I'd like to have a lot of fun with this, so it's not too crazy technical, but I think it gives a really good dive over what physical operations look like, especially because there's been a lot of media attention around some, and that

you know, they're not easy, but not straightforward all the time, and there's a lot of different random complications. It's really fun, and it's a pain in the ass sometimes as well. So, kind of, who is Black Team? I'll go into that in a second. Brexit survivor: I managed to flee right in time. Energy drink aficionado: you can see she's already weaned me off of that for water, so I'm very highly caffeinated right now. So that's just kind of me. You know, one of the CSOs of a company that we did, he kind of sent me an image he thought was hilarious. Okay, so Black Team. You can't just make up words, right? List of all

these extra teams and colors and spectrums of the rainbow and stuff like that, and, you know, traditionally, I get it, it is very much under the red team umbrella; I'm not gonna argue that with anybody right now. That term is spreading aggressively through the UK and EU financial sector, and also through Australia and Singapore and APAC, and there's a very good reason for that, and it's not just us making [ __ ] up because it sounds cool, which it also sounds a lot better than a physical pen test, because that's already one step away from HR. And so, you know, it's kind of like, wait, you know, so

oftentimes with these engagements, the reason why we specifically cordon off to the term Black Team is because, I'd say, well over half the engagements I do, they say you're not allowed to touch the network, don't do anything, absolutely not, hard no; anything you do on the network is, you know, you're essentially gonna lose our business, right? So they're clients that have a lot of confidential things, and that's fine, right, they don't want us to look at that, but they would like us to test their physical security. And that's usually because they already have a fairly sophisticated security presence, and it's very likely they have very strong digital security, like external, so

if you try to pop them externally, I mean, good luck. Like, I think I'd rather just drink cyanide with some of these clients. But the second you touch the physical security, they get knocked over, like, it's stupid easy sometimes. So some of this may sound really impressive, but sometimes it's just been laughably easy. So we'll go into that and kind of have fun, and by all means ask questions and do whatever. I like to be very open and honest when I talk in detail about these things. So, the problem, right? This is very much a storytelling format, okay. So this story is

obviously complete [ __ ], right, but this is kind of the context of how we're gonna handle this. So, you know, Evil Corp, no relation to Mr. Robot, has spent a million dollars hardening the external infrastructure, right? Large, heavy blue team, things that we see all the time on engagements like these: companies that are so locked down they just throw bags of money at your face and they're just like, you know, test this one login page, these two parameters, for four weeks. So, you know, those kinds of companies are basically just nightmares to do a traditional kind of red team on from a digital perspective,

where you're just trying to get in externally with phishing or whatever kind of method you typically associate with a red team engagement. However, they were just breached by somebody inside the server room. Yeah, this is the most amusing image I could find: Negan from The Walking Dead. He's got the bat of GDPR, HIPAA and PCI, alright, and he's bashing Evil Corp over the face with it, those big fat fines. So, no sign of forced entry, okay. They plugged directly into the server rack. Assets gone, right? They took all the brand-new laptops, they took mobile phones, and, you know, one of the things to be worried about with that is maybe

those brand-new laptops are domain-joined for new starters and they left a sticky, you know, with all the creds on it, right? That kind of situation. And then, you know, customer and client information. So we think, if we're typically on a red team and we see plain-text card data, you know, usually that's a heart attack scenario for a lot of companies, and so just imagine being able to just take it. So with physical presence you just take their cards, take all the client information, and their clients could very well be other Fortune 500 companies, and then you have direct access, you have their

account numbers, you can make wire transfers if you so wish. For kicks, though, they also poured coffee on the server racks just because they hated them. So under that premise, I'm now gonna go over some more stories I've done, and it'll kind of tie into this overall scheme of things. The first operation: Borrowed. These are not real names of places I've done, but I figured it's a good kind of rough representation. It's a big tower, okay, over 40 stories. They owned, kind of, it's multi-tenant, and I'll tell you why that's really interesting in a bit. Multiple sites following that location, so it was the first one, and I had two more of this client's sites to follow

afterwards. You know, all non-destructive entry; it's very, very rare where we're told it's okay to pull out locks or something, it's beyond rare. Minimal ingress and egress points, highly controlled, man traps, that kind of thing. Multiple floors owned, okay, so they own multiple floors in this building, so it's multi-tenant, okay, so they don't own the building itself. So, reconnaissance. Okay, so right on-site. I'd already done some kind of passive OSINT online before I got there, but when I showed up, on their online presence they said we officially lock our doors at eight o'clock, okay, and I specifically did not have authorization from the building management, okay. So at that point, if I

was to breach the building after eight o'clock, that would be illegal, okay. That was not within my scope. However, I could walk in that building during public hours, not a problem. Walking in there, I almost had a heart attack; it was just stupid easy. This was just walk to the elevator, no authentication anywhere, like none. Call the elevator, "Well, I'd like to go to this floor, good sir," takes you straight up, okay. No badging of any kind, just straight up. And that middle one right there is the stairwell, so I wanted to double-check, okay, is there authorization or kind of badging on the stairwell? No. It's like, well, why even have that

latch plate there? Like, it was just unlocked, no reason. And then the hallway, right, if you look there. So I'll tell you right now, these are all black and white and that's just for kind of data sanitization, and so I'll throw in some color where I can, but it's just kind of me erring on the side of caution, in case you're wondering, "Why are you, like, poor and you don't do color?" You know, so that's kind of why. So anyways, if you see right there, there's no CCTV in that hallway. I was literally just waltzing around with KITT Mike, like, this is ridiculous, just taking pictures, documenting everything, as you can see, frolicking. So the first

day was very much kind of like passive reconnaissance. I always like to do a heavy amount of it. I find in these engagements the vast majority of your effort is going to be reconnaissance; it's going to be passive OSINT, it's going to be surveillance, it's gonna be reconnaissance, because when you get in, you know, you want to be clean, you want it to be surface, you don't want to damage anything, you don't want to be noticed, right? Of course that varies depending on what the client wants. Maybe the client is like, well, we want to see just how away with the fairies our security guards are, are they even looking at the cameras, that

kind of thing, and so you'll do something a bit more obvious. But for this one I was very bored and I kind of wanted to have fun with it, and that was my manager, who's a lot more fun with these; he's like, you know, "Robert, just have fun." So you can see the picture on the left there. Yes, I'm in the bathroom. No, I'm not pooping. I'm not actually using the facilities; I'm just sitting there waiting for the cleaners to go by. You know, it's pretty standard cleaner time, right after the business closes. And then, because this is the second day, I had some tools I wanted to sneak in, and I wanted to have fun with it, and guess what

time of year this is, around right now. Oh yeah. So what I did before this, alright, this is the second day, before I went in there I went to the Walgreens, which is maybe a block away, and I found the cheapest Christmas wrapping paper I could possibly find, right? My mother taught me how to wrap presents really well when I was younger. Yeah, so I sat there and wrapped up my gift, and then just walked it right past security. Yeah, it's normal, whatever, right? Yeah, he's just bringing in an office present or something. Get up there, and, you know, in line with a lot of tech companies that aren't

really security savvy, anyone familiar with the motion sensor, like the passive infrared? We just take the compressed air and turn it upside down. Yeah, if you're not, it's, I mean, this isn't my consent to use this for various purposes. You just turn it upside down, you give it a couple, you know, look at Gus over, and bang, the door opens, okay. So typically you find two methods of egress, and a lot of companies, most fire code, every fire code will mandate you have to push a button, or fail open, right, some kind of manual release, but oftentimes people are lazy, alright? So I like a

door to unlock for me when I approach it; I don't want to have to actually try to open the door. So that's what a lot of these do. Use, dude, shh, right, oop, door opens up, job done, no alarm, nothing. So I like to call this CVE hohoho. I've not submitted it; I might. Anyways, unwrapped it, and that's all it is, an under-door tool, right there, like $35 online. They're really fun to learn how to play with; you will mess up a door learning how to. The right is the server room that we eventually got into. The funny part, this is when I was trying to get that, like, why isn't it working, like, I

don't have [ __ ], and they had these beefy handles, these huge heavy handles that were super slick, and you just need like a giant palm to open them. I'm like, how is this stupid little tool gonna get on the back? And so I see their supply cabinet and just scotch-taped it all the way around the end, and after sitting on my knees and leaving this huge oil print on the door trying to push it, like, well, I was hoping, the door eventually opened, okay. Got in, okay, we're in the server room, and at that point, you know, it was fulfilling the objectives. There were unencrypted hard drives. It seems like the one thing I do

like to stress on physicals is it's not always about depth, right? For example, in pen testing, it's not about getting DA all the time, right? You need to prioritize with the clients after, and their kind of security threat. But, you know, some people work within scoping; this is part of that. So, you know, pop the server room, get in, get an IP address, see what kind of security violations are there. Then this: I actually was in a conversation with some guys last night here, and we imbibed a lot of drink, come to find out we had both seen this video, right. I'm not gonna pull it up; I don't

think I have internet access, but I got to this door and there's a little push pad on it, that's how it looks, and I'm like, I don't know how, but there's gotta be a bypass, there has to be, right? And so I'm sitting on my phone on YouTube, and there's this mum and she's just bored, and she's like, "Oh, I found this lock in my backyard," and she's like, "Let me show you how to hack it," and I'm like, no way. And she literally, she holds down that tab and she takes a little pen and enumerates through, and she's like, "I'll just wait for a little click," and you found the first digit. How does she

know? Alright, and she does a reset and then just presses a button, holds it down again, and just keeps enumerating. So we went through all four. Worked a charm, right, worked beautifully. You see, that's a big nasty key right there. I mean, there's no way, like, if I can't pick something in 30 seconds I'm moving on; there's no way in hell I would have been able to pick that. But I thought it was a fascinating finding. And so open it up, and in that room was just swag, swag, tons and tons of swag, and, you know, because I had two more sites following, this allowed me to then look like a full employee. Like, if you print a

badge that looks exactly like a work badge and you're wearing their swag, nobody cares, nobody cares. Especially in California, nobody cares at all, okay. You want some snacks? [Laughter] They're very nice, though. And this is me departing. This is me taking a selfie, and I really hate taking selfies, but I do this for the report, right? This is to show, hey, security didn't check me, alright, so he didn't care. There's me, they're like, why is he taking the Christmas gift he just brought in, like, jerk, you know. And so at that point I'm wearing the company lanyard and the shirt, and, you

know, for all intents and purposes I'm a staff member now. So, departing as a new employee. So this literally, when I went back through the attack vector, it would take just a very minimal amount of time to get that level of access. It's like a $35 under-door tool to pop the server room, which had an unencrypted, like, CEO hard drive in it. It would just mount directly, and job done, right? I had his expenses and stuff. "Well, this is interesting, uh-huh, he's very reasonable." But this is just kind of, it was just so trivial, and, you know, this is when you start to realize the world's

kind of held together with silly string and hopes and dreams. The second one: I wrote a blog post on this, it's not a self-plug or anything, but it goes into more detail for the curious. The evil Pokémon trainer. And, like, I play Pokémon Go with my mom, alright, I'm level 37, I don't care. And so I'm like, there's got to be a way to use this, right? It's so stupid. Alright, the stupider you look, the more people will just write you off sometimes. And the trick is to be seen but not noticed, right? You're always gonna be seen at some point, but you never want to be noticed. The second

you're noticed is kind of when you're burned, right, or you need to figure out another way in. So there was a security company. Everyone is in that office; it wasn't specific to any kind of purpose, it had everyone from their security staff to their devs to HR to marketing, right, it's their headquarters. Covert entry only; they wanted as minimal a presence as possible. I was almost kind of worried about this until I actually got on site. This is another kind of thing, or the, well, don't do too much on the network, but we want you to show proof of concept you can get an IP, excuse me, and they had, you know, some form of NAC, and,

you know, network access control, so, you know, if you plug in you shouldn't be able to get an IP. But if anybody's messed around with this, it wasn't the good form of that. And then they had a really tentative alarm system, where what they told me ahead of time, you know, what alerts, what sounds, it alerts on vibrations, you know, all these kinds of things. Worried, and I'm trying to research it, and they'd be like, well, this is what it does, we're not telling you what alarm system we have, but we just want to make you afraid. And I was like, okay. So, reconnaissance. You see, just kind of looking at the company from an outside perspective, this

is from the first day on site, and at nighttime. The far-left picture is the CCTV, and that little glow is passive infrared. So your phone camera, you know, actually picks up passive infrared sometimes, at least on certain wavelengths. That one you can see was on. Sometimes it's a really great way to see if the camera's on or not, like, if you say, oh, there's 12, you notice they're all along, they don't have, even though we thought, well, yeah, that might be a proper vector. You can see right there kind of the type of readers they had, so HID readers. You know, I'm sure some people

are familiar with RFID; that's something we also do, but that particular method would have been technically disruptive. The other one right there, you can see kind of how they installed it; they actually installed those locks properly, okay, so that pin, right, you couldn't shim that lock, unfortunately, or "Locks Lloyd" we're gonna call it. But this is the beaut, this is beautiful right here, the one on the far right: quarter-inch clearance, okay. And this is me really happy. This security company, they had a fascinating architecture presence where, you know, the VLANs upon VLANs upon VLANs thing, initially they had that, but in a physical form, which I thought

was incredible; I've never seen anything like it. But this door was past all of it. It's always just one little thing, it's always one little thing that, even when you have an amazing presence, I'll show you why it's an issue. So with my coworker I was like, "Come on, Chris, we're going to Lowe's," it's the only place, and we went there and we just bought a whole bunch of bars, and I bought this J-B Weld, it's just awful for this purpose. That hotel room, I'm surprised they didn't bill me, because that place just stank while I was trying to use it. I took this bar, and I'm in the

hotel room just bending it, and just bruises all over my knees, and, okay, we'll go back the next day. So you can kind of see here: straight in, twist to the side, pull towards me, and you go. Yeah, how much does that cost? That's three dollars and 49 cents, right? You might be able to find garbage on the street that would do the same purpose, right? It's shocking. That clearance was very important; quarter-inch was cutting it. I've used it a lot lately. I still have this tool; I kept improving it, I'm kind of emotionally attached now, and so I've got Plasti Dip on it so it's got a proper grip, just not

that janky electrical tape. Well, yeah, I loved that thing, though. And so, yeah, straight in, and this bypassed all their physical segregation, right, and their RFID, coming up, but, you know, it's MIFARE 4K, like, there's no public way to crack those right now. I love trying to pop RFID when I can, but sometimes it's more effort than it's worth; I'm not nearly as good as a lot of other people. So inside, right, free rein. I loved it; they had amazing snacks. Hey, that's one of the first things I do. You know, everyone should have something: a manager in the UK, he goes and makes a cup of tea,

right. Another guy, he goes for the print room, which was really boring. I just go for food, and that way I steal chocolate, want to come back home, "Oh hey honey, here's your gift," right, it's sweeter because it's stolen, right? And I'm like, huh, I didn't have to pay anything. And so, all the doors inside now, okay. They weren't wrong, where if people tried to badge into these doors after a certain hour... Even all those badges are live, okay. That's a huge issue, like, this is horrible. And they're not even assigned to people; they're just live. What do you put them as, "guest one," "guest two," in the database? Like, this

is not... So we had some kind of persistence, right? Usually these engagements, it's not like the one day you're in and then that's it, right? You're adding value to the client, okay. So if we get persistence early on, you want to go back, right? So unless you go back the next couple of nights and you say, well, nobody noticed me, right? No, the security cameras picked me up; nobody noticed a persistent kind of stranger presence. And these are other kinds of vulnerabilities that you can go over with them. But so now we're inside, and we can't open any of the doors

inside with those badges, even though they work; we came to find out they work, so we didn't want to push it. But again, trust, you know, a lot of these things. So you get in, and those handles, right, they made it so easy. I had a big beefy hook on that; you just swing it in, you didn't have to aim, there's pop, right, and, you know, job done, get inside. You know, there's the kind of NAC bypass where you simply just change your MAC address. So one of the quick-and-dirty things we do is just find the nearest Polycom phone, like, you know, rip the MAC off it and just, you

know, change your hostname to whatever that is, and then, you know, that almost usually gets you an IP address. Sometimes I'll do proper 802.1X, but it's pretty rare. So it was bingo; those are the first objectives achieved, right. So we're still trying to add value, we're trying to not be noticed. If we had tried to badge at any point, they would have immediately gotten alerts against any of those. So even if we had stolen somebody's badge, which we've done a couple of times, just straight-up thieving works. But I'll tell you why that's an actual vulnerability sometimes, especially for companies that have a substantial security presence or may be the target of hacktivism, because

they sometimes are victims of violence. So people will assault their workers or things like that. So what happens if one of their workers who has a high-privilege badge is walking home, and literally someone clubs and knocks him out, literally takes the badge, goes in, and job done, like, they just run through for the night. What kind of score shirts at that point, but they're in. So we're on the network, and I love it when I see pictures of myself; it's great. This is me trying to take a report picture, because I had found these keys inside someone's desk, and their desk was unlocked. Oh my, okay, well, I mean, that's a finding, but, like, you know, taking a

picture of it, and here's the key that allowed me to get into this room, right? This single CCTV camera was not on the same network as all the others; I was like, oh ho ho, you cheeky bastard, okay, fine. But so we get on the network, and we find really interesting things, and this bit right here, the room alert, right, I think I had just got done watching Mr. Robot, like, the season with Steel Mountain, and turns all the heat up and stuff. Well, there was nothing interesting; it's just this old janky web app. So I'd like to recap on this point: how much of that ridiculous story

actually happened? Okay, and pretty much all of it, and that's just kind of two quick engagements. So, plugged into the server rack, right, got access to a newly allocated subnet, a sensitive subnet; we were able to communicate, you know, to, I think I was like one IP away from their main domain controller. Like, this isn't good. Credentials leaking around the office: there's creds, always, every single time, creds everywhere, everywhere. It doesn't matter how locked down the company is, they usually are; someone's always, not even IT, someone always writes a password on a little sticky, you know, and you find it. These were two live passwords on a laptop. That laptop was

actually in the IT office, and those were very highly privileged credentials, and it happens. So, okay, job done, assets stolen. Those right there, those pictures on the right of those badges, they're from a different engagement, and those, you know, they're just lying about in people's desks. People don't think to deactivate these; it's insane. You'll find these. So if anyone's ever popped a Windows domain, you see these service accounts from 15 years ago and their password's never been changed, that kind of thing, and you're like, what? Like, and the password is something ridiculously short because IT was lazy when they spun it up. Same thing, right, like these are all rattling

about, and this kind of RFID tech is horrible; it's like world-readable. You get close enough to it, right, you're gonna be able to read it, and I'll go into that in a second. The next one right there, so, intellectual property. This is kind of hard, because usually nowadays it's mostly, you know, like git repos and things like that, but sometimes you do find really, really interesting documents on site. So you pop the filing cabinets, you want to see what they're storing. So, and it's not just to sate your curiosity, which it kind of does, but it's also to say, right, you're horrible: filing cabinets that have one of the most

common keys in the world. I'm pretty sure if I just shake it, it'll unlock, you know, and it's storing all your financial data, all your finance information. You know, these are things that are just terrifying, like horrible practice, when you think that, you know, me just opening a filing cabinet, and all of a sudden I can wire-transfer money out, right then and there. To me it's scary. The next one, corporate cards and financial documents: that's the company's MasterCard. I asked, what's your limit on that? And he's like, I don't know. Oh, that was just a great screenshot for the report. Those keys are actually also the keys

that are used in that one picture; those are the keys of the second picture, of any other picture. Laptops: the amount of times I've found literally a chest of brand-new MacBook Pros, like 20, 30 brand-new ones, and if I was just a generic thief and I didn't care about actually doing substantial damage to a company, I'd just steal those. Now, if I go, right, we never put talking in server racks, pretty sure you'd get fired. I know, I failed, unfortunately, it happens. Okay, so I know everyone's wondering what happens as part of the larger engagement, right, because I only talk about physical stuff, and that's on purpose. The larger engagements

where we have a lot of time, a lot of scope or no scope, these are the things that we do very often. You know, audio/video bugs: there's some very small, very reliable ones you can get nowadays, dirt cheap off Amazon or Alibaba or whatever. Key loggers: there's a million key loggers nowadays, physical, you know, if you want to actually pop their machine, but you don't even need to a lot of times. Establish command and control: so we'll have, like, Cobalt Strike infrastructure set up, and we'll do low and slow, you know, so like quick burns and medium burns and long burns, ones that are meant to kind of be picked up

or, you know, distraction, whatever. Drop malicious devices: that's a really big one. Sometimes they want to see how long it takes their SOC to detect a malicious device on the network, and that's a very, very common one. And so we'll slowly start ramping up the traffic, right, we'll slowly increase, increase, increase, increase until they kind of hit that baseline, because you're there to help them, alright? You're there to add value to them, not to stroke your own ego and then steal valuable assets. So that's kind of like the low-hanging fruit, right, but it's still an issue, you know, like I said, when you steal stuff.

Realistically, if I was gonna be a smash and grab, I could get away with what, 20, 30 grand in physical assets. It's kind of small potatoes compared to a lot of the digital assets all these companies have. This isn't a colleague; this is from the game Oblivion, the Gray Fox. [Music] So, not covered here. My favorite: RFID. I love this. Me showing my cat how to make this; I just really wanted to put that picture in there. If anybody's not seen this before, this is called the Wiegotcha project. It's all open source on GitHub. It's really fun to build. You don't need to be really adept in electronics or something

like that this you know the parking things you go up to you swipe your badge you go in that's what they are and so there you might be able to get one on eBay for two to three hundred dollars used brand new they're about six hundred but you can read someone's badge may be this far away right and we've used it to great effect sometimes if we see this is becoming less and less usable as companies migrate towards high frequency cards which aren't that world readable right you need to kind of have have them or have popped like the actual reader like for example UK is way ahead of the u.s. in regards to RFID and so like this

almost never works over there it still works quite often here's actually in San Francisco all day sometimes you're trying to get a company's like cards right and you're like I don't know which ones could you get like a badge you get a facility code which is the building right and then you get like their their badge ID number and sometimes you just rain so many badges you're just like I I just don't know who's who and so you're trying to get like pure numbers right and just like these people won't stop walking past me and you can see right there that date is incorrect that's because I wasn't able to get the real-time clock working on it

And the desk IDs... All this really is, is that unit, that antenna, a Raspberry Pi, an AC and DC battery pack; that's it. You can probably, you know, if you've wired some stuff up and you're familiar with Raspberry Pis, you can probably make them in three hours. It's really fun. I highly recommend disabling the beep on it, which one of my colleagues found out the hard way; there's just unending comedy. I then replaced it with one of those little vibrating things from a mobile phone, which also has issues, uh, so just detach it. So most cards can be cracked, right. I really wanted to drop a Yu-Gi-Oh, like pulling Exodia here. So this is a Proxmark. I'm just gonna assume that people don't know what it is, even though people do. It's just pretty much the most common device for RFID, right: debugging, cloning, cracking, that kind of thing. And these are the most common cards. So the ones on the right there, you'll see the HID, like the ProxCard II, the Indala; those are what's called the low frequency type, and they're very world-readable. You can actually tell by holding a light to the back of the card: you'll see kind of a ring, like wire, in the middle; that means it's low frequency. If you see a band like a hotel key, that's a rectangular antenna around the middle when you hold your phone like a flashlight to it; that means it's high frequency. All right, kind of a quick and dirty way to find out. And then kind of the most common cards: MIFARE 1Ks, very common in hotels; iClass cards. A lot of the newer iClass cards, there's no cracks for them, at least as far as I'm aware of right now. Staying safe. So this, I'm gonna branch into something that I've never really seen a physical talk touch on, and that's just really how not to get shot in the face. Because there is a risk, there's always some kind of risk, right. And so the two most important things on these engagements: number one, staying safe. Your colleagues should always be safe; that's the number one priority at all times. Stupid risks are a quick way to make your company look like fools, right, and they're not paying for that. The second one is value, right. You're there to add value to the client; you're not there for show, you're literally there to give them value. Part of that: you need to factor in armed guards, right. Armed guards, believe it or not, are kind of one of the least things you need to worry about, because they're usually very well trained, they have very strict procedures, stand-down, things like that. They're actually a lot better than most other guards I've usually seen.

Alarms: fire alarms, security alarms. We can bypass this door. So this door right here was at a very big client, and there was a lot of other armed people in the area. We could have actually popped this door by just putting a rope through those gaps around that crash bar on the other side and just pulling it, because it required a lot of force for that door. But we definitely did not. I actually ended up requesting a foothold into this company, and the reason why is that if we were going to trigger that fire alarm, that's gonna cost that client a ton of money. It's probably gonna bring a whole lot more than just their own armed guards on us, especially in that area. It's just gonna look like a bad show for everybody, right. There's no point. You're much better off just saying, hey look, you guys, physical security is on point, all right, you kicked our ass externally, good for you, right. Companies should be told that; it should be exemplified, it should be celebrated. And if you don't, you're literally kind of robbing value from your client at that point. If they give you two weeks, for example, to get in, and you're bashing your head, you know, just trying to get into the external perimeter up until the second week, you're literally just burning their money at that point. So, you know, ask, right. Ask for everything. Asking for everything is some of the best advice I've ever gotten, that and always take the piss, which is my favorite advice of all time. But yeah, can I have a badge, right. So what that does is it changes context a little bit, but it doesn't remove the simulated attack from an engagement. It's kind of an assumed breach scenario: I stole someone's badge, I managed to actually clone it, or something to that degree. So yeah, you're getting an initial foothold, but now you're inside. Okay, there's a multitude of things you can do to test their physical security once you're inside. All right, low and slow, dressed like an employee, just like an employee, right; see what they're really worried about once you're actually on the inside. Now, like I said, safety and quality is literally just always the number one thing, quality, and by that I mean value. And sometimes a black team is overkill, right. I've shown up on site a couple times and, you know, the account manager's hoping to sell everything under the sun, and bless them, right, because I like black teams, but it could literally be like that barn door. I've showed up and literally doors are broken, they can't lock, and at that point you're just like, well, we need to work with you to help out, right. If I was to approach this like a simulated attack and kind of focus on depth, it wouldn't help. Okay, what we can do is an overt review. At that point I'd say, look, I think it would be best if we took an overt approach: I'm signed in, I'm authorized to be there, people see me watching and walking around taking pictures and stuff and, you know, looking like a numpty, what's going on. But at that point I get more coverage, right, I get more breadth than depth at that point.

But sometimes companies' security posture is so weak that's what's needed, and that's fine too. They're definitely not as fun, but they do provide a tremendous amount of value. And then, you know, for example, if they've had time to go implement those things, then they say, hey, maybe next year or in two years, yeah, we actually want a simulated attack now; we think our physical security posture is actually a lot better, we're ready to test that. So, when things don't go according to plan, right. We'd broken into this place, we got in, and I'd been doing surveillance for a couple hours and all the lights were off. You know, they had the motion lights to turn on; there was visibility inside the building to almost all of it from the outside, right. I mean, that was an issue in itself, but you're looking in, it looked dead quiet, cleaners gone, everything. We get in, my colleague and I, we made it upstairs, and we go back down and I turn the corner and I hear light music. Oh my god, oh no. I turn around: a girl jamming out in this corner with headphones on, oblivious to the world. And that little area where she was had no line of sight anywhere externally, right; there was literally no way. And I was like, oh my god, ducked, backed away, because I was like, she sees us, she's gonna think we're there to murder her, right. And I was like, wait, we can't freak her out; she wasn't aware, of course, of the engagement going on. I was like, dude, you're gonna have to go post up in my little tiny cabinet or whatever, and I'm gonna go hide with the van, just on her car, and we're just gonna wait. And so this is me waiting now, half laying underneath the desk, my girlfriend's texting me, "you safe?" Yeah, I'm pretty safe. And then, you know, she finally left, and we're just like, oh, where's the Red Bull in this cafeteria? So, you know, just one thing: when things don't go according to plan, you have to roll with it, right. This is one of those things where something you think is gonna be streamlined and fast, and all of a sudden you have to pull the extra hours because you didn't want her to think she's getting murdered. And this one is hilarious. We broke into this place in San Francisco, of course, and we're almost finished, it's very successful, and all of a sudden my phone starts vibrating in my pocket. It's an unknown number. We tripped an alarm, right? So I answer the phone: hello? Like,

"Hi, this is the San Francisco Police Department." Like, oh, we tripped a bad alarm. And they're like, yeah, is this your car, the silver Nissan? Oh yeah. "It just got broken into." In my head I'm like, how am I... okay, because the car's right up front and they're gonna see me leave the building with all these tools. I was like, guys, I'll be right out. I went to my colleague and, you know, we cleaned up, we were there, you know, just get the other tools, I'm gonna take out what I think is appropriate, and I go out there. I'm like, hey guys, it's my car. I'm gonna lead with the letter, the get-out-of-jail letter, right. I didn't cover that, but you should always have one of these; it's your authorization, okay, and it's usually signed by somebody like a facilities manager or CEO, somebody who is on site or somebody who is aware that you're there, who you can contact at all times. You know, just another kind of precaution. And they look at it and they're like, cool. They didn't even verify it; they're like, okay, yeah, you're good, but your car, your car's not good, and you can see right there. And I remember the cop, one of them looked at me, and there were four of them there, and they were very, very lovely, they were very nice. They had followed the person, they caught them; they did fantastic. And the other cop, he's shining his light in my face, he's like, how long you been awake? And I probably looked like I'm on drugs. I was like, I don't know, eight in the morning? And he flashes the car, because energy drinks, there's like ten of them. My colleague and I had just been hammering these, you know, surveilling and stuff, and we just hadn't cleaned the car out, you see, and he thought it was the funniest thing in the world. Once he saw, I sweated a couple of bullets, but he thought it was hilarious. Anyways, we got the car replaced and the engagement ended up still being a pretty strong success. That was very funny. So, tool demo. You're gonna boo me because I didn't bring it. Yeah, I know. I have an engagement at five tomorrow and it's so big and bulky; that's my excuse, I'm lazy. So one of the biggest obstacles that I've found on these jobs is little things that are just a huge pain in the ass, and one of those are the crash bars. You saw how they bypassed those double

crash bars with, I got literally, like, that stick. Single doors with crash bars, especially if they have no clearance on the bottom, are really strong; you can't really under-door-tool those all that well. Depending on how that crash bar is set up and how many pounds of force it requires to engage it, it's gonna be a huge pain. And I'm not like a locksmith god or anything; I'm not like Deviant Ollam or anything like that. And so, you know, I love bypasses. So my uncle, I was telling him, he's an engineer, he's retired and so he has all the time in the world, and he's like, what is the biggest thing you encounter, what can we do? We did something on a napkin and I took him to Home Depot and just, you see, steel bars. And what this does... It needs some optimization, and I'll tell you why, but this is essentially the under-bar tool. It's meant to go under the door, okay, and engage a crash bar from the other side, and that's using the leverage of the floor, right, to push against that bar. So you can kind of see it in action right now. This is very much cheating, this is my apartment building, but this is a very strong crash bar they have in there; that clearance on that door is huge, right. Usually you might see a quarter inch clearance, in my experience, in total. So it needs slimming, right, so I need to get stronger metals, and it can definitely be optimized. But this is it in action. Rakeem, can I just try this on the doors? He's like, yeah. So you can see this has actually got the cable like an under-door tool, but it's mainly for balance; there's a slide, so you slide it under, and all right. I used it at a data center actually, worked like a charm. So that's just kind of the simple janky tools that we have to develop on site, right. A lot of it's not super crazy high tech, unless you're into software-defined radio, things like that, but a lot of these are just really simple, basic bypasses. Physical security is so lacking, and the implications are so massive, it's just berserk. So, turning to questions, if you're done with me. [Inaudible question] Yeah, I know what you're talking about. I don't want to reference anybody, because I don't feel I have enough context to really comment on that situation, so I don't think it's fair. One thing that I found helps a lot is, when I do these engagements, I ask: what kind of alarms do you have, and how do they

notify? If I trip your alarm, who does it go to first, right? Does it go to your facilities manager, does it go straight to ADT, does it go to the police department? Worst-case scenario, I do trip an alarm; what happens, right? So I need to be prepared for that, they need to be prepared for that. Sometimes that's been the main barrier that we need to work around as well, because for example, I did a data center: when you trip an alarm, typically they need to notify all their base clients if it's colo, colocation. And so all of that has repercussions, even a lot worse than getting the fire department called, right; that looks bad on them and so they lose face and potentially money with their contracts with other people. So, something to always keep in mind. Another thing is scope. Scope is so important. It's really easy to say, oh, we could breach that and go out of scope or whatever, but just, you know, take the piss within reason, right. So if they say do not go in that room, we've been told straight: before you go to this area, they have guns, your letter doesn't mean [ __ ] there. Right, I'm good. Yeah, right, I was like, what color is it, how big is it? You know, you can even map that place out, but yeah, those are big. Another is stand-down procedures. Sometimes, for example, I've never had to do this, but I kind of figure it's more like riding a motorcycle: it's not if but when you have to pull your letter. So always have your get-out-of-jail letters on you, you should have more than one, definitely, and just understand how they're gonna react. You can never ask for too much information on these engagements. Sometimes the clients are just like, here's all the information, and you're like, hold up, you told us assumed attack, you're literally doing my job for me. Sometimes they're so eager, which I love, they're so fun to work with, and other times they're just like, you have the name of us and an address, that's what you get. And so sometimes you need to be forceful, but like I said, safety, right: alarms, site cleaning, armed guards, dogs. Dogs are a thing; not for me, right, I love dogs, but there's a need to work with them. I think having a really open dialogue is really important, and that's something that I always try to strive for, because a lot can go wrong and you're gonna do long, crazy hours, and like I've shown before, a lot of just weird, crazy things happen that you really can't always account for, regardless of the amount of recon. Questions? Yeah.

Yes, we have our own internal one; it's very, very robust. We're a British company and so we've been around there for a very long time, so we have a pretty robust methodology that we adhere to, and as long as everyone's working along the same thing, it also guarantees safety and quality as well. Questions? [Inaudible question] Do I just focus on the physical? So when we do the full kit and caboodle, I mean, I will steal everything; I have the sticky fingers, within reason. You will steal, you know, the dirtiest stuff you can imagine, definitely. There's a lot of amazing resources from people; I mean there's so many good public resources on this kind of stuff, right; I could take ages to go into it, but yeah. So, well, for example, the last one that I did, we had somebody who was on hand waiting to catch a shell, right. He was managing the red team digital infrastructure while we were breaching, okay, because how do we know when we're gonna be able to get that shell, right; so we have to compromise a workstation. So yeah, we have somebody that's on hand who can kind of manage that, because that's a lot of effort to manage infrastructure in itself, right. Or we'll be trading, because sometimes I just get tired from flying and I'm just like, I just want to hack in my pajamas. I'm not gonna lie, sometimes, you know. So if I still want to have a girlfriend I better take some breaks, right. Yes, the question? [Inaudible question] Oh, I harassed my manager a lot. I was very lucky: when I got hired at NCC Group my manager was a global red team lead; that was just stupid circumstance. And then I got really into it and he's like, oh well, you're a scrub noob, here's what you can work on. And I was like, how can I be around people that are better than me? You know, and I think that's definitely always the way to learn. And so I was like, how do I even get to the point where I'm around people who are better than me? He's like, well, we need this contributed, right; it was OSINT at the time or something like that. And me, someone who's like, I'll master that, pick that up and automate it and do a lot of it for us. So I felt like a Google monkey for a little while, but at the time I was still around just brilliant people and I was lucky to be learning passively; I was kind of in the same rooms with them on engagements, and then learning. And then he said, well, if you want to do physical stuff you need to build up a strong red team skill set, right, from whatever technology, from apps, app services, all kinds of infrastructure, wireless, right. And at that point I was just kind of making sure that I ticked those off, and then I just started researching and watching all the videos, you know, all the videos from social engineering like Robert Streets, and Deviant's lock-picking, and Robert Pinger, and all the YouTube videos, right, which are just fountains of knowledge, and they're fantastic. And then just passively doing things you can passively do. I lie to every single Uber driver ever; I weave a beautiful web of [ __ ] every single time, and that's because that's just a practice line, right, because you're all nice up on these engagements, you're gonna be checked, people are gonna ask you what the hell you're doing, right, and you need to be able to say who the hell you are. The aggressive thing works a lot better in England; over here they're just like, well, I will shoot you in the face, like, that doesn't work, right. And if that was a shock, that was really harsh for me too, but yeah, it's also a

safety thing. All right, you can't freak out. If someone pulls a gun on you, worst case scenario, you need to be able to be calm and reasonable, right, because your social calmness and aptitude in that situation is for your safety and theirs. And, you know, it's fine, right; I mean, it's kind of part of it. [Inaudible question] Yeah, it's a pain in my ass. Yeah, it does. So you can man-in-the-middle that; when I mention those readers, you can man-in-the-middle that with an ESPKey or something. The problem is that, when I mentioned destructive entry, right, you're technically damaging the wires. It doesn't break it, but they'll need to rewire it after you're done, and so oftentimes that's considered a no-go for us, largely because our client base are a bit hypersensitive to that, which is fine. Honestly, this is why I prefer bypass methods. The best advice my mentor ever gave me was to go for the jugular; there's no such thing as cheating, right. So if you can take the dirtiest, jankiest thing, but it gets you in, then take it, right. My other colleagues are very strong with RFID and I kind of rely on them sometimes if I need to do that. Oh, don't ask me that, I'm being recorded. [Laughter]

[Music] We need to get some beers. So, two things: establish scope, very important. Especially now; now's the time of year where everything's on fire all the time and everyone wants pentesting done now, and they want it done for like five dollars, they're trying to give us a Safeway Club Card and [ __ ]. And it's just like, no. You need to be reasonable: yes, we want the business, absolutely, right, but we need to be very reasonable with it, and if we rush it, we're delivering potentially sub-quality work, and that's not okay; they would be delivered sub-quality work, and we don't ever want to deliver that, right. So sometimes I have to be stern. I work with a lot of account managers on these things and I find an active dialogue helps, so I will communicate with them a lot so they're not making promises that are a bit too much, for example. So I'd say I push for a huge open dialogue with the people who are more skilled, with a lot of experience. Thank you.