
Tactics of the Trash Panda

BSides KC · 44:48 · 71 views · Published 2024-05 · Watch on YouTube
Speakers: Angel Gamboa
Category: Technical
Team: Red
Style: Talk
About this talk
A practical guide to building homemade physical security testing tools on a budget. Angel Gamboa demonstrates low-cost alternatives to expensive commercial red-team equipment, including key replication via casting, crash-bar hooks, wireless testing setups, and improvised entry tools, emphasizing resourcefulness and accessible tradecraft for independent security practitioners.
Original YouTube description:
In a world of custom hardware implants, specialized spy tools, and outrageous prices for performing red team activities, where does a person sponsored by no state or agency stand in manufacturing their own tooling? In this talk we embrace what it is to be a true "haccer", using resources around you to accomplish your missions! Join us as we discuss how you can cheaply create your own gadgets and tooling for physical engagements!
Transcript (en):

Cool, okay, we're good. Hi everybody, thanks for having me today. These slides do have a PDF version you can download by accessing that QR code; it's hosted on Gofile. I've removed some of the videos because I can't play videos in a PDF. If somebody finds out how to do that, let me know. But yeah, go ahead and download that. The slides will be available and posted later as well, so feel free to share them with your friends. I will give you five seconds to get a picture of this: two, three, four... awesome. Thanks for coming out. Let them in here while I'm [inaudible]. So, just a quick who am I. Oh, I

forgot, there's the [inaudible] over there. My name is Angel Gamboa. I'm an infosec doer; I don't feel right calling myself a professional. I'm a senior hacker at a place, a printer enthusiast, and I've been in the game for six years now at this point. I am trained in multiple disciplines in terms of vulnerability research, network penetration testing, web app testing, and physical vulnerability assessments as well. I'm a proud member of DC316 out of Wichita, and I occasionally drop by AHA and SecKC. Thank you all for those respective communities; they're pretty cool communities, you should check them out. I do have a disclaimer here. The following presentation does deal with security and adjacent topics; consequently, some of the content may be of an adult nature.

This content is handled in a professional manner by the presenter, and I hope you can handle it with respect as an audience. Additionally, content is provided for educational use only. I take no responsibility for any actions by the audience as a result of this; let's behave ourselves. If there are any of those adult topics that you don't want to see, please do leave the room now. There's more people coming in, that's kind of weird. So, what problems do we face as modern attackers in terms of adversarial simulation? We face the problems of rising costs and conspicuous devices: you have your C5, your red team toolkits, etc., your

Wi-Fi Pineapples. The more tradecraft you have, the more problems you have; you want specialized equipment. You also have the restrictions that certain countries or state entities might impose on certain break-in tools or burglary tools in terms of possession or usage during one of your authorized pen tests, and these vary by state, so check all your local laws and regulations before you go out doing these kinds of authorized tests. So where do we come in? We think of Batman: he's got a lot of cool gadgets, he has money, right, and he can break into buildings that he could probably already buy. But we look at raccoons, and you know, they look cool,

they eat trash, and they break into anywhere. I mean, you have raccoons breaking into any building that people would kill to be inside of unauthorized and get all the goodies, right? So here's the agenda for today. We've covered who I am. We're going to go over how you present yourself, my own kit for physical security testing, commercial tradecraft tooling primers, and we're also going to replicate those with our own variants, and I have video demos along the way. So let's talk about physical evaluations really quick. It's a great way to show the internal network isn't too hard to reach. There's lots of prep work that goes into it, even without

all the legal paperwork that goes into that, right? If you're part of a large consultancy they may handle a bunch of that, but there's still a bunch of paperwork you have to do, and there's not always repeat scenarios you can use for your pretext when you're social engineering people; you can't just reuse those all the time. Most of the time there's [inaudible], right? What does preparation for a gig entail? Well, preparation, preparation, preparation. You have to assume all that paperwork is taken care of and you don't have to deal with any of the legal bits, of course, but you have to set up your objective, connections, your out-of-office, your checks, your trash schedules. Get that information, look at

their attack surfaces, their surveillance schedules, antics, behaviors, company culture, and look at their contingency planning. And you've got to have luck, and then read a lot. So I just want people to know that most of the time it's not just breaking into a place; it's opportunistically doing your research and then, once you find an opening, going in. One of the things you can read is fire code. There's NFPA 80, the Standard for Fire Doors and Other Opening Protectives. These will document how certain doors should be within certain structures; these are basically like an RFC for doors and buildings. Same with ADA compliance: you can go online and find the ADA accessibility standards, and this is where a lot

of tradecraft comes from for under-the-door tooling. You'll see this little margin here, 34 to 48 inches, is where you can grab the operable handle. So let's talk about packing for pretexts. There are a few pretext archetypes I've selected here because they're more of what I'm comfortable doing, at least when I started out. So I have the authoritative one: you can be a help desk or IT person, you can be some C-level title that hates people, I don't know, something like that. You can have mutual bonding: you can light somebody's cigarette, you can have the door held open, or you can say, hey, yeah, I'll let you in, I'll help you

with that box. You can be an inquisitor, you can be an interviewee or a job candidate, or an ignorant end user. You can choose all of these; you're not restricted to these at all, and you can mix and match them as well. But the main thing is to play to your strengths. Game is game: if you get inside the building, that's cool, it doesn't matter if you're this or that. Play to your strengths. So, more on pretext packing. There are treasure troves of information online about employees in terms of fundraisers, company meetups, etc. You want to get your clothing for your archetypes and covers, and the way I frame out these

interactions and script them, in my mind and on paper sometimes, is I use props to perform a skit and have a punchline. So the skit may be, okay, this is how the whole skit is going to work out, right, the location, etc. The punchline is my goal, what I'm after. So take for example: I have a clipboard with an RFID reader built inside, and I have coffee in my hand and a handkerchief, you know, that's my prop, right? So I want to get a clone of somebody's badge, and that's the skit: oh dang, you know, could you hold this for me? I just got this coffee all over my shoes, I've got to clean it. So I hand you this

clipboard, okay, oh gosh, I'm cleaning this, and now you have a cloned badge. So try to frame these ideas out in a playable scenario that you can go through and interact with people. So in terms of packing more: you want to pack just enough tooling when you're going on site. If you do perform wardrobe changes on site, that's cool; that's going to entail more packing for those encounters, but it's not always required. You do want to have raw material handy in the hotel room, so wire, string, pins, things of that nature, in case you need to fix or make any of your own tooling on site. You want to plan for failure. If you're

caught with an under-the-door tool out or a certain device out, how do you get out of that situation? How do you talk your way out of that scenario? Some of the scenarios I've played out: oh, I am trying to plant this implant, right, and somebody walks in. I say, oh, I'm just doing asset tracking, we couldn't find this on the network, you know, I'm just making sure this is all right. Or I'll say, yeah, I'm just ensuring this device is ready for an upcoming intercom meeting, so you know, I've got to get the intercom set up and I've got to hop into the network for it, for who knows what, right? You want to practice quick

deployment, so pulling these tools out of your bag, putting them back in, etc. Having those discreet baggage options available is nice; you don't want to roll in there with a tac bag if it's a covert operation. And you also have to look at what is legal or allowed on your person in case of getting caught. So if you're detained, etc., you may be authorized to perform the pen test, but you still may be asked to give fingerprints because you have lock picks on you. So just consider these things. Here's my kit and its approximate usage. A lot of these tools are easy to make or easy to procure, so I won't be going over a

majority of these, but I'll go over some of the harder ones, or the ones that I can reproduce very cheaply. So what I have here is my large stencil sheet and a Dillons card, or a shopper's card, right, and these get me into a lot of places; it's very funny. And then the rest of the kit is here: all my spare wire, this is the under-the-door tool of course, and you know, you have your travel hook and all these small little nifty tools. And then I have some upgrades that I've done based on these videos that I've labeled here. So I do have the mini J tool produced by The

Humble Firefighter, and then I've got the Not So Civil Engineer and Deviant Ollam mods on my under-the-door tool for dealing with door knobs and other crash bar type apparatuses. Then there's the electronic stuff, of course, which I do have: my implants that I program using the Flipper UART interface, I have wireless cards, I have badge cloning stuff, Proxmark, Flipper, that works for that, and a Leatherman. Do put it in your checked baggage; I've lost like two of them so far and it sucks, I regret that. Talking about under-the-door tool options, you have a few options here. So you have your standard under-the-door tool, which is this type, 42 inches

in length from that bottom hook. You want to get one that's made out of spring steel or high carbon steel at 1/4 to 3/8 of an inch, and it's very good; that's going to run you about $40. If you get this, replace the steel cable with a Kevlar cord; we'll get to that in a sec on why that's important. Your zinc rods at Menards or Lowe's or Home Depot will work, probably once; they don't retain their shape well, so after bending them a few times it's pretty terrible to use. You can have the budget low-profile ones that Not So Civil Engineer made, right, and I've put the screenshot of their video there, and

that consists of copper tubing with a small braided steel cable wire with polymer over that. There's also the takedown under-the-door tool, which consists of having rods that are pegged together and you screw those in, but that adds a little bit of thickness and it's hard to travel with in certain compromised scenarios. So as you can see here, here's a little closeup of the tip that I've done for my mod. So this is the one from Not So Civil Engineer: we've got some tubing for better grip, and then we've got the little channel cut out so we can put a Kevlar string that runs down. And here's the really cheap one, right? So, you know,

this one's about $40 right out of the gate, and then you can probably manufacture three of these for about $30. The only downside is you can't really grab door knobs very easily with this and rotate them the same way. Let's talk about shims. So you have your Super Mica shims, which are suspicious to have on you at times, and you can cut them down to about wallet size; I only use them to supplement where I would need a longer credit card, right? I like the Dillons card: it's free, it saves you money in the long term. What accusations are you going to have if you get caught with it out? Like, you're saving money at a gas

pump, like everybody does that, right? And you can use laminated paper as well. I have a colleague who does this, but that probably means you lost your shopper's card. It's very thin; you'll see when you play with paper versus laminated plastic versus the Super Mica shims that there's a clear difference in the thickness and strength that it gives. So, talking about shims, this is how you want to cut them. I have a triangle cut in mine, and this is essentially going into the door to actuate that bevel under there. And then for these types of locks, if you ever want to break into those types of areas,

you would use a type of notch here that would grab one of those limbs of that lock, and you would close the door and push that card and it'll pop right open. You can see the bulk pack for this; you don't have to pay, you know, $15 for a three-pack that's tiny from Red Team Tools, you can just go on Amazon. I recommend about 14 to 16 mil for best results; the ones I'll be handing out today are about 12 mil to 17 mil, so it's around there. Yeah, these help a lot when you have these types of shims and the latches aren't sitting properly; you don't have the dead latches actuated,

so you're still going to shim it, but you can't shim it directly, so you have to have that extra length to go under or over. Is that video going to play? It'll do audio, whatever, that's fine. So as you can see here, I'm taking the Starbucks card and I'm just going into there and I'm pulling it up, because the dead latch isn't actually properly doing that, and you're in, right? Like, this is basically the gist of shims and loiding, right. What card was that? Oh, that's a Starbucks card; this is not an endorsement, plastic card, generic card, not naming [inaudible]. Talking about strings and cordage: you can use steel cable that's polymer coated. The problem is

this will get torn up, and it will cause damage to areas that you don't want to cause damage to. You're at a client site, you're there because they paid you; you don't want to break their goods, right? So you definitely have to inspect it every time. I swap it out with Kevlar rope. Kevlar rope can be concealed easier too: you can sew it into lining, you can put it in your shoelaces, you can do whatever you want; it stores better in my opinion. You can also use seamstress tape, which can be used kind of in place of 35mm film, and use that to actuate the handle from the top side and

the other side, and you can just say you're a fashion [inaudible], you're a clothing designer, etc., and you're trying to get proper measurements, right? So talking about cordage, you also have your 35mm film roll, which Deviant Ollam has a video on; it's great, you should go check it out. Definitely pack gear ties; gear ties are great for folding up your equipment and being able to deploy rapidly. Talking about wire, you want to have electrical-style Dupont connectors; those come in handy. Have some alligator clips in case you do need to do any electrical work on the fly. I personally try not to, because that's an area I don't want to

get into on site, but I still have the wire just in case. For physical tooling I recommend about 2 mm thick wire, pliable and capable of holding its own weight. Disassembling barbed wire, real estate signs, estate sale signs, fence wire will get you this as a result. Talking about picks really quick: lock picks are not always accessible; they may be banned in certain countries, certain localities. Spring steel is where your high quality ones come from. You can use bobby pins or windshield wipers; you just have to make sure to fashion them a little bit, and I'll show you that here in a second. There's a bunch of tutorials; this isn't anything

new, right? So you'll take your bobby pins, you'll have the bobs on the end, and then you'll cut those off, and make sure you file these down because I don't want you to stab yourself; I've stabbed myself multiple times with these. And you unfold them, you know, use them however you need for those picks. But oh, okay, maybe you can't use [inaudible], maybe you're bald and you don't have any bobby pins. That's cool, you can use windshield wiper inserts. I went to [inaudible] after a rainy day and got all these, on a recommendation from a friend in South Dakota, and you can basically take these inserts and just heat treat them, because they're

[inaudible] steel, and then fold them into picks or shave them down to picks. So I've got a tension wrench here, I've got a pick here; this is a little thin, more thin than I like. With steel you want to heat it, bend it, and quench it in water, or use motor oil. And then here's me disinfecting them because they came out of a dumpster, again, you know, like, okay. You can also use barbed wire; this is some pretty hefty stuff, it's pretty good. Talking about keys: common keys are nice. They have key replicators online where you can replicate your keys using a working key, and they're easy to use; I learned how to use them within two

minutes, it's not too bad. I bought one at an auction for five bucks. You can buy your default common keys and you can share them throughout your community, and now, oh cool, all your friends have these default common keys, and it's a widespread issue, and now manufacturers start changing it and implementing security stuff, because, oh wait, maybe we should, right? You can buy stuff off eBay; if you find a seller that is maybe selling the keys, you can copy them and then just send the keys back. Don't... I'm not going to suggest you do that, but it's something you could do. Talking about common keys for bump keys: I personally use goat

banding kits. I don't know if some of you are familiar with this; we are near the Kansas area, and growing up we did see a lot of these. So these will be used to actuate your key whenever you are bumping a lock open. So here I have those bump keys cut out for you, and you can see kind of the pins and where those stand. And your hammer can be a variety of different things; if it's more stiff it's going to be louder, but it's going to transfer the energy better. So, we'll see some demos that are quite humorous in a

second. Cool, so as you can see here, I have the normal key, the working key, right, it turns the lock, right? And then I have the bump keys in the background, and I have the goat banding kit on it, a little goat band on that. So I'll take this bump key, and the goal is to just put it inside the goat band and then put it on the key, or on the lock, and then go ahead and bump it with something rigid, in this case because I don't care if I get caught. Wish it was like a fast forward button. It's okay. So looking at this, well, it's a very damaged band, but they're very cheap to

find online. So I think with this one I use the screwdriver, the back of one of your fancy screwdrivers, real quick. Yep, there we go. So just going to apply very light tension, tap it a few times, and so, right, and what that does is it's actuating all the pins. I mean, you can talk to people from the lockpicking village; I'm terrible at lockpicking, locksmithing, so definitely get more specifics on them. So that's one option for a bump hammer. But at the same time, if I have such a bump hammer, if I'm out here and, you know, it's late at night and I'm sitting here bumping with a hammer trying to get a door open, etc., and I turn

around and I have something like this bump hammer in my hand, and I turn around to an armed guard, that's, you know, like, it's not going to go too well; I may be eating lead at that point in time. So you have to be careful, right? How do you disarm a situation that would require a good amount of intervention? There's the route of perversion, and as you'll see here, you can have such phallic implements to perform these same rituals. This one is printed out of ASA plastic; it's resistant to ultraviolet light, it's very rigid, it makes a lot of noise. I printed this one with 20% infill. At the time I recorded this video

it was probably 1:00 a.m.; I got back home and it was hot off the press. So I go, and there, it's open. And you can do this with just about anything; you can do it with your phone, but the reason for doing it with such a device is to go the route of perversion. You can use a silicone one too, you can use a polyurethane one. I have issues with the silicone one personally because the energy transfer is hard for me; it's a skill issue on my part, I'll be honest. But as you can see there, it just opens right up, and there you go. But if you essentially are in a position where the

guard's looking at you, and you turn around, and you start banging on the door with it: oh, my boyfriend and I, we just broke off [inaudible] together for seven years. The guard would feel really bad for shooting you. I mean, it's not like they're a threat to your life, right? It's more so, oh, this is something that I'm not trained to handle, this is a route of perversion, I don't touch this at work. In the case that my friend had recounted to me, this story, the guard left; he just walked back to his post, just left. So yeah, I really tried to use the silicone one; I couldn't

get video with the silicone one because to this day I can't use the silicone one. I'm going to experiment with polyurethane, but the ASA one works great, it's just going to be loud. It's very funny; you can also try to expense it to the client and see what they say. But those rigid ones are going to be noisier is the thing. So this dropped a couple days ago, and I hadn't known about this technique; this is about cloning keys on the fly with casting. So this one, this is the Replicant. You can pay $90 for the cool kit, which I recommend you do if you're in the profession; you can get your company to

pay for it, but like, I'm broke, you know, like I'm poor, I couldn't afford the [inaudible]. So if you look here, you have some Wood's metal, which is a lead-type alloy with bismuth or some other stuff, and has a low melting point. I had Cerrosafe on hand because of another project, so I take the Cerrosafe, and also notice the lead content; please do be very careful and ventilate your areas with this. And I found this 3D printed model that somebody had online that you can go and print, and it's a perfect frame for this, right? So print it out. Sculpey III polymer clay, that ships with

that, that Replicant kit, is like $4 or $5 at Joann Fabrics; they were having a sale so I got a few of them for $4. And you can see here what I'm doing is I'm just prepping this little mold tray with the clay, and then after, I will put... I use baking powder; some people say you use talcum powder, I was like, hey, baking powder looks similar, right, just got to do something. It did do something, it worked. So as you can see here, I have the key tucked into bed nicely; I put it there for a few seconds, like, let the imprint get there. You don't want to squeeze it massively, you just want to squeeze it to the point these two ends

are touching. For casting, you then have to set the air channel. I target the back of the key and just run it up, so that all the metal can go down and the air goes out. Some of you are a lot better at metallurgy than I am, so take this and run with it. And you can see there's a feeble attempt here that looks a bit suspicious, and some people might be curious about that. So yeah, here I'm just heating up this Cerrosafe; it's a bismuth alloy, and it takes a little bit to go, so we might have a bit of an awkward silence. I'm using a can full of used Cerrosafe

and then some honey dust, which we'll get to in a second on why that's important. After I've got a little lighter, it takes a while; you see it start liquefying. You want to get it all liquidy, to the point where you can pour it. And you can see I've got a gear tie, that's what that black thing is, around the mold, and I've got that holding it together. That way it's not applying too much pressure, because if you apply too much pressure, you have a little too much clay. I've failed on this a bunch of times in the like one hour I spent on it that night, but

if you have too much pressure it'll override your air channel and compress it, and then you won't get metal through, right? So in this attempt specifically, like, there's no key; when that goes in there, none of that is going into the key part besides that handle. So I had to redo this several times, and here's the result of that. It's definitely a skill issue; I think practice makes decent in this case, and that's what you need. So I essentially have my air channels there. It's also a different type of clay: this is Sculpey III; the one I used in the previous video was Sculpey Premo. I don't recommend Sculpey Premo, it

just has weird properties that make it a bit more dense, tough to work with; it's not as pliable, but

so as you can see here, it's a bit malformed, so I have to rock it kind of upwards, and now it turns, and now you have a working key that you've replicated. [inaudible] sorry. Yeah, zero to casting in less than an hour, plus a three-minute video, right? So that's not too bad. Good, okay, so let's talk about crash bar hooks. Crash bar hooks are meant to actuate crash bars from the outside in, and it makes it think that the door is opening from the inside, but it's not, right? You can make your own: there are titanium bars that are 3 mm that you can buy online, and bent realtor signs,

they have wire frames that can be used, and certain hangers can be used. Here I tried a feeble attempt at a crash bar hook, right, and this is the first step, and then second, third, and that's how it ends up, right? You have your original crash bar hook, and then you have the one I made out of a single hanger and some thread and some tape. The one at the top has about a 20 lb pull until it really starts deforming and bending, but it snaps back, it's steel. The one below it has like a 5 lb one before it just completely breaks. But you know, if it's a 5 lb crash

bar, cool. There's also the double door tool, or double door tool J tool setup. You can follow The Humble Firefighter; she has a J tool mini, homemade, with specifications there, posted on screen directly from the video. With titanium, you have to heat it red, bend it, and then let it air cool or sand quench it. And then with your steel, you have to do the heat up, you have to then bend it, and then water quench it or use a motor oil quench so it doesn't shatter, so it's not too brittle, right? So you can see here, this was when I was in Austin; there's a public park with a parking facility, so this is

what you would actuate; this is the inside looking out, right? So you'd come through the middle and you'd open it. But more importantly than that, five feet away was an open door, so always check your surroundings; it's always the easiest stuff, right? And here's a little video, hopefully this has audio because the audio... yeah.

This is the APT they warn you about; this is who is coming for your data. So that's a titanium rod there, that's being bent, and I do go and sand quench. The sand I have is a bit moist, but it's still [inaudible]. You don't want to quench it in water; use motor oil, or just kind of let it go. There's a spring back effect when you're bending titanium, so if you want it at a 90° angle you do have to go a bit sharper and you have to allow it to spring back at that point. So you bend it about down to here, and then it'll spring back up to

90°. So talking about forensic tools, such as finding keypad touches to get into your gated communities, etc., or facilities: you can have the dust online that is sold that's ultraviolet, and you can find it available for $13, etc. Or for the same price you can have something that's cooler and has more excuses for it being out, right? If you have this little dust on you, the one at the top, I mean, like, how do you hide that, right? If you get investigated, the officials are looking at, like, why do you have this dust, what does it do? It's just kind of, your goose is cooked.

But at the same time you have honey dust, which is a sucrose-based powder, very fine granules; it's normally meant for sensory pleasures, right. You can use cornstarch, you can use baking powder or powdered sugar, but the granules are not as small and not as effective. And I'll show you a demo here with a keypad. So we've got a clean keypad here. I cleaned it to the best of my ability after numerous failed attempts, and I'm just showing you, based off the light reflecting, how it doesn't look like there's any grease on it, right? And I'm going to go ahead and type in a code, so remember that; that's the passcode for everything I use,

so if anybody wants to, that's it. So, and you can see the grease marks already, right, without any powder applied; it's just kind of obvious that my finger has been there because of those ridges. So then you want to dust for those prints. Essentially what I did is I basically just threw the dust at the pad with this feather duster; you can use a makeup applicator as well, for foundation. And you can see how the dust accumulates on those ridges of human oils, and you kind of wipe off the top. You don't want to be too rough with the wiping because then you'll start getting all of the dust off of there, but

you can notice here, like, two of those ridges at the top, okay, the four has some ridges, and then six has some ridges, and then seven's a little harder to spot, but it's still there, right? And another method you can use is a yellow highlighter. So if you have a yellow highlighter and a UV light, I make a little X over each little dot; you get the point, I'm just going to fast forward. So I'll make that X over each dot, and then it looks like this, and once somebody touches it you'll notice ridges accumulate where those disturbances occur on the X's. So my internet just crapped out on the spot, and you can notice here those

ridges. At that point you can examine and make all the permutations you want and attempt however you want to play it. So talking about door alarms: sometimes you'll encounter door alarms that are magnetic reed switches. K&J Magnetics have some good stuff; the Amazon ones can work for demonstration purposes, but I don't recommend them for actual field testing. Okay, so we've got a couple of devices here. So I've got my neodymium magnet, a very strong one, and then I've got this thing, I forgot what it's called; it tests the magnetic field. You can essentially use it, so you want to check the polarity. A little comment on this: the

specific lock, or the specific alarm, is very cheap and was just accepting any polarity; I realized that after I filmed the video, but I thought it was very funny. So you essentially just want to replicate that side of the polarity for this alarm. I've got it taped because it is annoying as hell to have a small enclosed space. So you take this to do magic, yeah, right, it's about magnetic levitation and all that. So the theory is slipping a magnet in between there and then you're able to open the door. How you do this is you can get an air wedge; those allow you to make more gaps, or greater gaps, in doorways. You can

also use a small pry bar. I don't pack a pry bar except on a keychain, and it's a very tiny one that's about this big. So, and actually, can you turn the audio back on real quick? I just realized, like, there's no sound, so you can't hear the actuating going up. Yeah, sorry about that. You see there, messed it up, I guess. Cool.

Yeah, so talking about HID. This is something I get a lot of questions on. I'm not a very good researcher when it comes to HID; I use kind of what's out there and what works. I have numerous tools, but worst comes to worst, depending on the protocol, you can just reduce your toolkit to Arduino shields and work with open source projects. But I do have, like, the [inaudible] Pro, Flipper Zero; all those things are pretty cool for cloning those cards and doing attacks. I also have a Proxmark 3, but I pull that out more for research scenarios, or when I encounter a card I haven't looked at

before and you can make your own antennas uh for those longer range engagements where you can get like a foot out in terms of distance Great Scott has a video on this and checking impedance for the coil and trying to maximize the distance based on these cheap knockoffs on eBay so talking about disguises I have what's in my hand as you know cosplayed as a bump Hammer earlier uh this is a z in printer and this is really cool I got this a couple weeks ago uh for making your badges on the Fly it's a 2x3 Z Inc printer and it costs about $60 online you know you can buy replacement cartridges for 50 for about $20 um and

essentially I just take my blank Badges and will'll make something on my phone this was edited in like Snapchat's editor uh and I just printed it out and it prints out within 15 seconds 30 seconds so something on the Fly that you can carry uh that is pretty nice if you do have such an ID card or a badge that you're trying to falsify and you have the pretext if somebody go work there forever do run it into the ground do apply wear and tear to it it's not going to look good if it looks all CH new and chiny and oh you've been with the company for 10 years right so yeah shop around to Goodwill uh get swag lanyards

all that. Collect it so you can reuse it on your engagements, or sneak into DEF CONs, right?

Talking about USB implants: these are cool. So you do have your Rubber Duckies, of course, but you can get cheaper if you just rely on HID utilities. So this Digispark BadUSB comes up to about a dollar when you buy a pack of five, so at that point you cannot feel bad about leaving these on client engagements. You can plug it in and say, okay, set it up, forget it, we're not going to touch it. I don't feel bad about that. A $70 Rubber Ducky, yeah, that sucks, I could have had an extra Rubber Ducky, but whatever, right? And you do have multiple implements. You have the P4wnP1, which is based on the Pi Zero W; that one does have air gap bypasses and different utilities that I've used before that are pretty cool. What I did specifically was I had USB cables that were soldered, so these are all joined, came out to a USB connector, and I was just talking to an IT technician while I was sitting there behind their computer, their all-in-one, just plugging it in, and I was like, where the [ __ ] is this USB port? I got it in and then left, and then I forgot about the implant until like a month later, and I was like, oh, I forgot I had a shell on that. You can also use the Logitech dongles; you would have to require setup for the encryption keys for LOGITacker. This would allow you to perform those operations and remote key injections without compromising your security and having cleartext communications.

Talking about network monitoring and network taps: I use these little Orange Pi type boards and just wait until Armbian releases on them. So these are pretty nice. You can use MAC spoofing on them to spoof the MACs of printers, your VoIP phones, etc., or VoIP systems. You can add your buttons as you see fit, so on mine I have GPIO buttons so that when I click something it will start packet

capture mode on that interface, and it'll go to monitor mode, etc., and then I can go click, and then it'll switch to, oh okay, I'll connect, and then I'll either give myself a static IP or DHCP in the next field. So in terms of tapping network connections, you do have your physical implementations such as the Throwing Star. Do keep in mind that if you use the Throwing Star it's going to downgrade the connection speed to 100 megabits per second; you won't get that gigabit performance. It's just how that passive tap works. You can see my money spread here; this is at some point in time worth like $400. Your active connections with power will be able to read that gigabit data from the wire, and if you do want some type of powered network tap for gigabit connections you can spend $230 on a Wireshark thing, or those of you who manage switches, etc., and know how switches work, you can just buy a $27 managed switch and just do port mirroring. Like, it's not that bad, and this in a network closet looks a lot less conspicuous than this connected to some weird printed case and, oh, I don't know where it goes. So just keep that in mind.

Talking about wireless: Josh Campbell actually has his little wireless hacking notes if you want to scan that QR code and get access to that. Shout out Josh Campbell, that's a cool little workshop, visit him at RF Village. But essentially you do have the ability to use your Hak5 Pineapples, etc., but they have failed me in the past at critical times. So what I've done is I've just said, okay, screw this, I'm going to work on Linux and have bettercap, I'll have tcpdump on, I'll have all these packet captures going and know how to manually perform these attacks, and I've been way better off ever since. So make your own solutions. Pwnagotchi is great; there are two forks right now that work, and you're able to swap out the network interface so you can connect it to an external USB network interface and take full pcaps while you're doing all these deauth attacks, so you can attribute yourself to your client. And here's some homemade antenna stuff from the internet. You've seen the Yagis; there are plenty of tutorials online, I'm not going to get into that. Normally I'm in the parking lot just sniffing from there.

So here's a resource dump, and these are where I got a lot of the resources from on specifications and the manufacturing of these tools, so you can check that out. Physical Security Village from DEF CON, they have a good amount of bypass games on their website. You can

check them out for sure. Humble Firefighter has a great playlist on respectful entry for firefighters, and looking at these other professions allows you to gain that insight and knowledge.

So the takeaways from this talk are essentially: be resourceful, become ungovernable, and once you've learned a concept and how to execute such a concept, go back and repeatedly perform the concept with worse and worse tools every time, so you're more than familiar with the concept. Stay out of trouble, and, you know, come and visit Oek; it's a conference we have in Wichita, so definitely check it out. I help organize it, I'm game master, I run the CTF, so I would definitely appreciate y'all posting them out there. So I was told to put this at the end: I don't endorse these persons' services, I just endorse them for, thank you for sponsoring BSides KC and giving me a spot to perform. I'm not, that's not, you know, I'm not paid by them, but for the venue and everything, thank you everybody, and the volunteers and staff who put this on. This has been a great experience. Any questions? I thought I had a question slide, but I just clicked and it's not there. Let's do questions.

Yeah, we have questions from the audience. Yes?

Would you be able to go to the first slide so we can get the PDF?

Yeah, yeah, let's, I wonder if I go backwards if it'll just start playing the videos. Cool, there you go, you can take that. Yeah, there are specifications on there. Any other questions? Cool. Ask me whatever you want. You got, yeah? Oh okay, Josa, yeah. Yeah, I definitely blazed through that; that's normally a one hour presentation. No questions? Really?

Oh yeah, do you have any "you were caught" stories?

Yeah, so that time I was playing in the help desk, I was just talking there. So essentially imagine your help desk person is right here, and it's a lower elevated desk, and they have the all-in-one with USB ports on the back exposed, and I was just talking, I was just sitting here fiddling with my

hands and was just like, oh cool, whatever. And then once I got it plugged in I kind of sat back for a second and I started popping PowerShell and trying to do it fast, fast-paced. He's like, do you know anything about PowerShell? I was like, what? He was like, yeah, you know, I keep seeing like PowerShell pop up, is that like you or something? Because they knew at that point I was an internal red teamer, so they were like, oh, you're up to no good or something. I was like, no, I'm not on the clock right now, I've got to clock in in like 15 minutes. And that one was pretty fair and caught.

There was this one time in a state where I was doing a more covert operation with a buddy, and we were told to go to this distribution area where we would walk in and there'd be a locked IT closet in the back. Sorry, you're getting a two for one right now, I'm sorry, but sure, cool. So we were given some swag from this vendor, and they were like, here, take some hats, take a sweater, like, you know, just wear this and just go in and see to inspect the IT closet, which hooks into an electrical grid. So we get there, we walk in, and I'm going, hell, because I social engineered the Midwestern woman. Well, we get there, we say, hey, you know, we're with IT, we're wanting to check out the network closet that's in the back, it's locked, could you kind of show us where that is? And they're like, oh yeah, that's in this office over here, normally it's locked, or the main office is locked, but this time it's open because the IT admin was away. So that was a stroke of opportunity, luck; like, we didn't do research on that, we were just like, let's do this, ready to go. So we walk back there and the IT closet inside that office is locked, and we're like, okay, I have the tools to bypass this right now, but the person standing right behind me is like, oh, you're from IT, cool, whatever. I go to the door, I'm about to take out the slim jim from my sleeve, and she says, oh, do you need a key? I was like, I would love a key, that'd be great. So she goes and gets a key. She's like, I have a phone call that's coming right now, let me go get that key and I'll get back to you after the call. So we have a couple minutes, but we didn't know that. So I'm like, okay, that's awesome. So we're just sitting there and I'm fumbling, I'm fumbling with this, the slim jim, I didn't get the wrong side, I'm like, oh gosh, I wasn't ready for this to happen. And eventually I get it open, I pop the door open, and she comes back like 30 seconds later, she's like, oh, y'all got in just fine? I was like, yeah, I forgot, you know, like ex-person name at whatever company gave me a key when I came down here, it was just in my backpack, like, sorry about that, didn't know. So yeah, we got in there, plugged into the network, and we actually called our contacts from the van, because they were just sitting in the van, they're like, let's see if, you know, they get kicked out or something. And we're like, hey, come in, like, we want you to help us know where we are on the network. And I plugged into the network and they're like, yeah, that's the backbone that connects to all the RTUs and stuff, and I was like, yeah, I just hooked in, like, cool, we're here, all right, cool, man. So yeah, that was a very nerve-wracking one, and I just felt so bad because Midwestern people are so sweet, like, we love to help, right? And I'm not saying that it's something terrible, it's just, you know, in certain scenarios it might not be the best thing,

especially when you have somebody like me. At that time I wasn't very covert about it and I had a full tech bag with me, my buddy was dressed up with, you know, we had the hats, etc. So yeah, I'd say those are the funniest ones in my opinion so far. Any other questions? Yeah, up?

I noticed you didn't mention REX sensor attacks at all. Is that because those are becoming less effective, because, you know, system integrators are becoming, stop sensors, or good ones you can't bypass, or...?

Oh yeah, that's a good question. So in terms of REX sensors, I mentioned it because the last time we did a REX sensor attack, the bottle, or the spray can bottle, of that computer duster cost like 20 bucks, and that was at a Dollar General, and normally it's like $4, but they cost 20 bucks there, and we were like, well, I can't come out here and say make stuff with trash and then it's that. But yeah, we've definitely used the computer duster. I have heard of colleagues in cases using certain adult shaped objects to pass under and then inflating for that heat displacement to get through doors, but of course you can do with that what you will, right? So yeah, that might be something I add in the future; it just hasn't come up in an engagement where you've got two events, right? Normally lying is a great way to get in, or just being let in. Half the engagements I'm on, in terms of physical entry, it's just, oh, I don't pull out any tools except an implant because I'm already inside. Cool. But yeah, did that answer your question? Yeah, cool. You have a question?

Yeah, where do you find all these different tools to use? Do you look for them, or is there like a place you know where it's...?

Yeah, like, you know, binge, like LockPickingLawyer, Deviant, all the Not So Civil Engineers. Sometimes you manufacture your own, like with the J tools; that's not really, I mean, you could probably find a shop online, but it's titanium wire you can order, or you can order from Amazon. In terms of innovating tools, you just kind of see what the problem is that you're trying to solve. There are some that I haven't presented here because I have a colleague who was like, hey, I have this idea for a tool, and we have 3D-printed mockups and stuff, we're still showing stuff. But yeah, just essentially seeing how other people do stuff and sharing stories and sharing that knowledge and saying, okay, how can I do that better? Like, oh okay, you got in with a Proxmark 3, how can I get in, you know, with this Flipper Zero? Just, you know, oh cool, it's the same protocol, MIFARE 1K, cool, done. Then your question? Awesome. Yeah?

Yeah, a little bit about the, how do you think that Faraday bags...?

So I haven't encountered anybody using Faraday bags defensively. I have a couple myself and have done some tests. There's been some that I've bought that are more Faraday bags for cell phones, but generally, yeah, if you interrupt like high frequency RFID, it's very effective, because you already have to be very close to that, and to have some metal in front of that, you may not, plus you may not be able to get a proper read for

the duration you need to crack those keys. So how far? Them, high frequency, usually the max I've seen, the max I've gotten working, is probably like 4 inches. It's not very far. But I mean you could probably amp that up with low frequency; you'll find people online who are making readers for, you know, a foot or two feet, and they'll try to max it out. The normal Flipper one that I have, I think I've gotten probably like 10 cm, or no, I'd say more than that, probably about like that far. It's worked for me. Yeah, I don't know how to measure that.

So the bags work pretty well?

Yeah, yeah. For your high frequency stuff, there was actually an engagement where we were debating: one of the workers had a Flipper and they had their card saved on the Flipper, and we were like, is that a security issue? And we thought the Flipper only actuates that signal and only relays it whenever you tell it to go; it's not just always passive, right? So it's more secure, technically, depending on your threat model, it's more secure than just having a normal badge, because, you know, passively you can't walk up to somebody and, oh hey, let me scan your Flipper, right? They have to activate that and say, okay, badge me in. But yeah, like, you know, your Faraday bags, definitely test it, right? You can try to read your card with your phone, and you can have your Faraday bag that you want to test, and you can say, okay, does it work with my card? And see if the NFC, you know, you have NFC utility apps that will try to read the card, and if it bumps and it says, oh, there's a card there, I can't decrypt it, you know, it was trying to read it at least. So yeah, no problem. Any other questions? I saw some other hands, I thought I did at least. I'm sorry, I wasn't looking, I was on my phone. Oh okay, yeah, I mean, that's my ask. Okay, Goa, yeah, I don't know, we can test it if you want, but as long as you're cool. Any questions?
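An added defender-side example, not from the talk or the speaker's tooling: the speaker points out that a passive Throwing Star tap forces a gigabit link down to 100 Mbit/s, and that implants get plugged into whatever port is free. This Python snippet (assumed, constructed port-status snapshots in a "show interfaces status" style) compares a baseline snapshot of an access switch with a later one and flags exactly those two changes for a physical check of the cable run.

```python
import re
from dataclasses import dataclass

# Constructed sample data: two port-status snapshots of the same access switch,
# taken before and after a visitor walk-through. Port names and descriptions
# are made up for this example.
BEFORE = """\
Gi1/0/1   connected    1000  full   Lobby printer
Gi1/0/2   connected    1000  full   Help desk AIO
Gi1/0/3   notconnect   auto  auto   spare
Gi1/0/4   connected    100   full   Legacy VoIP phone
"""
AFTER = """\
Gi1/0/1   connected    1000  full   Lobby printer
Gi1/0/2   connected    100   full   Help desk AIO
Gi1/0/3   connected    100   full   spare
Gi1/0/4   connected    100   full   Legacy VoIP phone
"""

# name, status, speed, duplex, free-text description
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")


@dataclass(frozen=True)
class PortState:
    status: str   # "connected" / "notconnect"
    speed: str    # "1000", "100" or "auto"
    desc: str


def parse_status(text):
    """Parse one snapshot into {port name: PortState}, skipping malformed lines."""
    ports = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            name, status, speed, _duplex, desc = m.groups()
            ports[name] = PortState(status, speed, desc.strip())
    return ports


def find_tap_indicators(before, after):
    """Return (port, reason) pairs in snapshot order that warrant a look at the cabling."""
    old, new = parse_status(before), parse_status(after)
    findings = []
    for name, cur in new.items():
        prev = old.get(name)
        if prev is None:
            continue
        both_up = prev.status == "connected" and cur.status == "connected"
        if both_up and prev.speed == "1000" and cur.speed == "100":
            # A gigabit link that renegotiated to 100 Mbit/s without going
            # away is what an inline passive tap looks like from the switch.
            findings.append((name, "gigabit link renegotiated to 100 Mbit/s in place"))
        elif prev.status != "connected" and cur.status == "connected":
            findings.append((name, "previously unused port came up"))
    return findings
```

A port that was already at 100 Mbit/s in the baseline (the legacy phone above) is deliberately not flagged, so the check only reports changes since the baseline was taken.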