
Padlocks And Plausible Pretences: The Break In Blueprint

BSides Cheltenham · 49:44 · 63 views · Published 2024-07

Just a trick, just to make sure you're all listening, right? Hello, I'm Ian Parks and this is my talk, Padlocks and Plausible Pretences. So what we're going to be talking about in this is, basically, I'm going to be taking you through a physical security penetration test and what things I look for. It might not be the same for everybody, but these are the things I look for, and some of the stories of how I've used the things that I've discovered and the information on there. So basically this talk is just to really focus on how information is key, and how, if you're not too sure about physical

penetration testing, you can't just really walk up there and get in; you're going to probably fail. So this is where we're going to talk about how you can use the information that you can find, and use it to get into some really cool places. I've been in a server room in a bank, so we'll talk about that. So, big disclaimer: obviously this is all illegal; if you get arrested it's not my fault. I'm going to be talking about things I have quite a lot of experience with: access control and CCTV systems and fire alarm systems. Obviously messing around with fire alarm systems is a really bad idea if you don't know

what you're doing, because you could kill people and get sued very badly. But yeah, all the stuff I'm going to be talking about here, there's nothing secretive or stuff you can't find out, but it's all information that you can use to basically break into places. It's nothing new, nothing unknown. We'll talk about information you can find through public knowledge and through public websites. And finally, yeah, physical penetration testing is fun but stressful; just remember that, very stressful. So I currently am a senior security consultant at Rootshell Security. My main background was 18 years of experience with fire alarm, access control, CCTV, intruder alarm

systems, as well as building integration, so I have a lot of background in how buildings work and how they function. I've performed physical penetration tests in the UK and Europe. And a fun fact: when I was young I connected a 1.5 volt filament bulb to the mains supply. It was very bright for a very short period of time, which shows you don't have to be the brightest to do this sort of job. So, breaking into buildings: it's illegal, right? So whenever I drop my kids off at school, somebody says "oh, so what do you do for a living?" I tell them that I break into buildings. You get two

types of responses: you get the response of people walking away very quickly, and you get the response of people really interested in why and how, and who wants this. So who wants this? What sort of companies would want a physical penetration test? Your obvious ones are your high-risk organisations, where they're at risk from nation states and APTs. So your financial institutions might find this a big risk, where they're using a lot of sensitive data, information about people that they don't want to get out. Disgruntled staff. Maybe you've got an abattoir; you know, some vegans out there may not like it, no offence to

people who are vegan, but you know, people who have protesters, and rivals and companies. Maybe you've got intellectual knowledge. You've also got things that are critical infrastructure, like food and medicine, which is a popular one, and maybe energy, things like that. So for all these companies physical penetration testing is kind of very key, but it doesn't generally need to be those, and it all depends on the engagement itself. So obviously when we do a physical engagement there'll normally be a question of what the risk is to the company. Different companies have different risks, so for example a plant where they make items like medicine or something, their risk may be

that someone gets into the industrial control system and affects the medicines, how they're created, whereas at a bank it may be that somebody gets into the server room, accesses the server or the banking system itself, and affects that. So this can also be part of a red team. Where you've got a red team engagement, you might have a company say "do what you want with us, here's our information"; we might use it as part of a red team to get information or to get access to the infrastructure itself. So yeah, it could be part of that as well. So what do we

gain? Doing all this, it sounds fun, sounds exciting: "oh look, we've got into your server room", but what information can we gain from there? From a client's perspective, we look at the external presence of the company, so it will help the company realise what's out there and what can be found out quite easily. It'll also help understand what the weaknesses are and how to improve their security; so maybe they didn't realise that that gate around the corner was not very good, or their security staff aren't as on the ball as they should be. You can also assess the response and the processes in place: do security do the right thing? You

can't really do that if you're planning it; however, on a physical engagement a requirement might be that "we want you to get caught", we want to see how security can track you down and find you. And then overall it might assess the training and what staff need to do: are staff aware of the risks of doing X, Y and Z? So we can assess that as well. So the stages of a physical penetration test: it's not as short as turning up and going in. As I mentioned before, it's got the same stages as what you would probably find in an infrastructure test, so

we've got the OSINT phase; this is where we look for information about the company, the buildings, the area, the environment of the target. We've then got hostile reconnaissance; this is where we actually physically go to site and investigate what we can see and what information we can get from that. We've then got the planning and pretexting; this is kind of the largest part of the exercise. This is where we actually plan what we're going to do, how we're going to do it, what the risks are of doing X or doing Z, is there a better way of doing it, do we need more than one person, more attempts, a certain time. So then this is the

important part: the execution, where we actually perform the intrusion, and then the objectives within that execution. So what are our objectives once we've got on site? There's no point in saying we got on site and that's it; we need to have an objective, because once we've done those objectives we want to get out of there. We don't want to get caught; we want to have a successful engagement where we've got into the building, we've completed the objectives and we've got out. And then finally it's reporting and training, so we need to be able to report what vulnerabilities exist, what training is required and how they can improve their

security. So first of all we're going to go for open source intelligence, and everyone's favourite: Google, the hacker directory. So whenever I do a physical engagement I'll have an address. I'll go to Google Maps, I'll go on Street View, and as you can see I can easily look at a building; I can normally go all the way around the building. So this takes a lot of the hostile reconnaissance concerns away, of being weird standing by a building for a couple of hours. It can get the information instantly, and I can find information out straight away about what the building's like. One of the things that's really good on Google Maps

is it's normally got a photo section. It's normally got photos from the actual people who own the building or the company, and also it might have photos from just random people who have been in the building. So an example is there's a factory and it had lots of pictures from the customer on the outside, you know, really fancy, look at our products, but HGV drivers were posting pictures of inside the warehouse, which helped me to determine what sort of hi-vis they wear, what sort of uniform they're wearing, what their badges look like, and all this information was readily available on Google Maps. We also obviously do Google searches, and we look

for any files. So I'll download their monthly financial statements and I'll have a look at the metadata on those files: can I see what sort of computer they're using, what software was used to create it, what the username was, who created that file? And I can get information from the company that way, which might be used within the engagement itself. Another one of my favourite websites is the planning office. On the planning office we can easily see what works are being carried out on site or nearby. The great thing about this is you've normally got some plans, so you can normally see what the layout of the

building is, which is great. So for example if I'm trying to get access to a server room, I'll go to the planning office, I'll type in the postcode of the site and boom, I've got some nice plans. And oh, they're having an extension, or they're installing some more security cameras; I can see where those security cameras are now. In fact there was one engagement where they were installing security cameras; I knew exactly where they were looking and what range they had, because it was all on the drawings. So from this information you can actually get quite a lot of details: I've got the names of the contractors that are installing it, I've got the name of

the architect that's probably designed part of the building, I can see what sort of layers there are and when it's going to happen. And yet again, all this information I keep, and I might use it as part of my pretext when going on to the site. It also helps to work out where I'm going and what I need to do. So for example I'll look for safe spaces; a toilet is a safe space, nobody comes and follows you into the toilet, generally, and it's a good place to kind of hide and plan your next part of an attack. So these are great websites. The next website I go to is

social media, so LinkedIn, or "hacked-in". I go there to see company photos that they've put on there of charity events, where they're giving big cheques to people and they're all there in their lanyards, which shows their company, their name, who they are, and the general layout. It doesn't even have to be high quality, because I know what their logo looks like, and I know that blur was their logo, and I know that little face-shaped thing is their face. So I can use all this information to be able to create my own lanyards. Of course I see company celebrations, they've all just celebrated something, or they might have

some blog post on there about something they've just done or they're going to do; yet again, more information I can use as part of a pretext. I can see what employees are on there, so on LinkedIn people put their employees on there. I might try and find someone who I want to avoid, a facilities manager for example; they're going to know who's on site if I'm going as a third-party contractor, so maybe someone I need to avoid, or someone to name-drop in that situation. The company website itself: great careers page, I can see what jobs they've got on offer, I might even be able to find out what technology they use. So for example they might be

advertising for a developer that can work with PHP: ah, I know they use PHP there. Or images of inside, or work images saying "at this company we offer this, this and this", and we can get that information on there. Again, downloads: again I can get metadata from those files that we've downloaded. So my objective for all of this is to try and get as much information as I can about staff, the uniforms, who they work with, the building layouts, the security details, any lanyards and ID cards that they use, all this information that I'm going to use, because at this point I still don't know whether I'm

going to pretend to be someone who works there or someone who doesn't work there, so the more information I get, the more it helps me to find the processes. So, access control and lanyards. As I mentioned, people wearing access control cards and lanyards is great, so you might have seen a photo like this on a company website, very very common, of them wearing the lanyards. I'll zoom in and I'll say ah, okay, right then, the visitors wear a visitor lanyard: Amazon, visitor lanyard, done. Oh, they wear blue lanyards: ah, Amazon, blue lanyard. It's very easy to do. And if you want a custom lanyard, where they've got their custom branding on it, do

you know what, you go to a website, there's a checkbox that says "I am authorised to use this logo", and that is the security on most of these websites to create custom lanyards. So although they're wearing custom lanyards, and they might have their company on there, you can easily order a lanyard that looks very similar. It might not be exact, but it'd be enough to be visually perfect. Or I may have to copy their lanyard as well, which I have done in the past and it's worked very very well. So you can do all this online; it's great. So another thing I do: I go into hostile reconnaissance, and the first thing I do is give them a call. Sounds

weird: "hello, can I come and look at your building today?" No, not that type of call. One of the things when I give them a call is, because I have experience of access control and CCTV, I know what sort of things are weaknesses in those areas, and if you've seen the talk I did in London in December you'll know one of the things I ask for. So one of the things I always ask for is, I pretend to be a fire officer. Sounds a bit weird, but what I do is I pretend to be a fire officer and ask them when their fire alarm test is. You all know, you've all got a building, and you've

probably been in an office, and every Wednesday at 10:00 the fire alarm goes off. There's a good reason why I asked that question. First of all I know they're going to have one, so there's going to be an answer, and I know that everybody knows the time and day, because they're all used to it; they don't need to go and ask anyone else for that information. So the reception staff will probably be able to answer that question, and they'll think "well, there's nothing to worry about there", so they'll just tell me: "ah, it's 10:00 on a Wednesday". I'll then ask them who their responsible person is. So with fire alarm

systems you have to have someone that's called a responsible person; they're responsible for making sure that the fire alarm system works, so they get their head cut off if it doesn't. So they'll probably give me that name, and then I'll probably go a bit deeper for information which they normally don't know, or may not know, which is who looks after their fire alarm system, and I'll get the company name. So yet again I might get more information there that I can easily use as part of a pretext. Another reason why it's good to know about the fire alarm is because it's usually a time when it's slightly more quiet, because they don't normally

have extra people come in to do these fire alarm tests; it's normally the security guards that are doing these tests. So that means I know that security, or generally the building itself, is going to be a bit disorganised at that point. When they're doing the fire alarm test it's going to be noisy, people aren't going to be talking as much, and there's going to be a lot of movement around, so I know it's a good distraction technique for me to try and get into the building. So, hostile reconnaissance. Yes, that is my bag, and I have used hostile reconnaissance with that bag and those aerials. So first of all I'll probably go

and drive by the building, just generally drive past it, just have a look at the building itself, look at obvious areas: what are people doing around there, would it look a bit weird if I'm walking around? I also want to make sure that I kind of blend in: why am I walking around the building? Or if it's in a random remote area then I might not do as much hostile reconnaissance as if it's in the middle of a city centre. If it's in a city centre I can pretty much wear whatever; if it's on an industrial estate I'll wear something that looks like I'm comfortable on an industrial estate; you know, I could be a worker from a

nearby factory, wearing a hi-vis, or I could be in a suit if I'm around an office park. So I'll get all that information, more than likely, within the OSINT, and then in the hostile reconnaissance I'll use that as almost like a pretext for the hostile reconnaissance. I'll get as many photos and pictures as I can of things like entrances and exits and fire exits, and around the building. I normally do this with the old phone technique: I'm taking pictures at this point, I'm not on the phone, I'm taking pictures. I'll also make a note of any smoking areas, because it's

usually where people congregate, and I can normally use that as possibly a tailgating area. I'll make notes of people's movement, the attitude of people: are people holding the doors open for people, are people generally very nice to people, are they talkative, does everyone kind of know each other, or are they walking in with headphones on, are they young or are they old? Younger people generally have less awareness of security than older people, because older people are kind of more au fait with con men, whereas younger people are kind of in the generation where they're not as aware that physical attackers could be around.

I'll also have a look at contractors on site. I've had some engagements where I've seen contractors on site and I've used that as part of a pretext. So for example, let's say I've seen a contractor working on some doors in the building and I've noted the company name, I've noted the date and time they were there; I can then go back the next week and say "oh, I'm so-and-so from that company, John's Contracting, I've just come to check on the work that they did last week", and because I have this extra information it makes the pretext way more believable. I'll also, with my bag there, do some Wi-Fi capture, either

passive or active, depending on what the requirement is. So passive, I'll just basically walk around with that in my bag and it'll basically capture any sort of Wi-Fi connections, basically any handshakes, and then those handshakes I can take back with me, if they're crackable, and I'll basically try and crack those to get access onto their Wi-Fi network. Or active, where I'll actively try and de-authenticate some clients and try and get that capture, yet again to take it away and see if they have a strong or a weak key

in use. I'll also discover any access control system in use, so I'll have a look at what they've got. I might do a capture of their reader, so on certain systems you get certain keys; access control cards use keys on the reader and on the card, and then they basically use them to encrypt it. So sometimes I'll use everyone's favourite toy, a Flipper Zero, and do some reading on the access control readers themselves to get some information that I can then use to clone badges later on. So from this I'm basically using this to confirm any items I found in the OSINT, have a look at how people generally act and

dress, get pictures of the area, anything, and assess the security itself: is there a high security presence on the front door but not much security at the back door, no security on the back door? If people are going to the smoking area, which door are they using, are they going through the front door, are they going through a side door? I'm looking at all these small details which can be leveraged later on. Yet again, with experience of fire alarm systems I'll look for things like this: if I can get access to a reception I'll have a look to see if I can find a fire alarm zone chart. Fire alarm zone

charts are normally by every fire alarm panel itself, and here's one for example from my local retail unit. This basically shows me the building layout, shows me where all the entrances could be, it might give me the name of a company as well as the main contractor's details, it might even tell me where the safe room is, or the cash office, or the server room; it might all be on that detail there, and I haven't had to go to the planning office to find that information out. Also the fire alarm panel itself: yet again I might have a look, I have the make and model, I can use

that as part of a pretext. I can have a look if there's any faults or disablements. Yet again, on another engagement I had, I saw a fire alarm system with a lot of faults on there, like a dangerous number of faults; I felt bad for them in a way. But when there's a lot of faults on the alarm system it means it is vulnerable, so technically they could be occupying the building illegally because of the issues on the system. So yet again that adds the urgency which can be involved in terms of the pretext, and saying "I've come to look at your fire alarm system

because of the faults you've got"; I can use that information yet again as part of the pretext. Yeah, I'm going to look at the lock state as well. So for example this panel here, I can see that it says level two on it, which means it's unlocked, which means there's menus on there, so I can do certain things like set the fire alarm off if I wanted to, without having to do any serious damage. Yet again I wouldn't, ethically, but there's other menus in there that I can use, which I'll talk about later, in order to get access to a building; I can use that, being in level two, to

be able to open some doors for me. So, planning and pretexting. I'm thinking about my options now. This is where I take all that information and go right: what is the best route? Am I going to go as someone who works there, am I going to go as a contractor, what tools will I need? So yet again I'm looking at every little detail, even very minor details. For example I'll get workwear, I'll get hi-vis of the same colour or the same design, I'll get my lanyards printed; for example I'll get a label printer, I'll get an ID card printer and print ID cards that look very

similar, and I'll get all the information that I need. What props would I need? For example, if I'm going in as an electrician I'll need screwdrivers and meters and things that an electrician would use. And then kind of what attitude would I have; are they going to be quite shy? I'm trying to get all this information. One of the important things about a pretext is to have knowledge of that pretext. So for example, I use electrician or fire alarm engineer or access control engineer or security engineer quite a lot, because I have experience of it and I have the knowledge, so if anyone asks me any questions I can

probably give them enough information to make it believable. So don't go in there saying you're a lift engineer when you know nothing about lifts; it's probably not the best way to do it. So if you have a little bit of knowledge... sometimes a little bit of knowledge is dangerous, and in this case it actually could be dangerous, in that people could believe you. So make sure you know what to wear, what props to get; this is why I always do the hostile reconnaissance first, and then I'd probably leave it a week or so to be able to actually do the actual execution itself. And remember minor details: for example, if I'm going to have a tool bag or a tool

belt, having a brand new one out of the packet is going to look a bit suspect, because it's brand new, it's clean. I'll go and take it in the garden, give it a couple of walks around the block, make sure it's a bit dirty so it looks like it's more used. Or, for example, if I'm going into the works I wouldn't be carrying a briefcase or that type of bag, I'd be carrying a tool bag to take my things in. So, the execution. My famous tools of execution: I have this big lot of keys. These keys are generic keys that can be used for opening, for example, cabinets, server

cabinets, server racks, general kinds of boxes, and they can be great for opening anything. I mean, one of these is used for lifts, if I really wanted to, although I've never done it, well, not as a way of trying to get access; but if I really wanted to, if there's access control on the lift, I could probably ride on top of the lift. It sounds dangerous, but it can be done, although obviously I don't think legal would like that so much. But it's something that could be possible if it was allowed. And obviously, sometimes it's very optimistic: you might have a plan of

how you're going to execute it, and obviously you've got multiple routes of how you want to execute; make sure you've got multiple routes to get in, because you might need to change. So for example, make sure you've got your keys, make sure you've got everything; you might want to adapt. For example, on one engagement I knew walking in as a contractor would ring alarm bells with security, because they would know that I'm not meant to be there, so I walked in as someone who looked like they were working in an office. I then went straight to the toilet and changed into a contractor, so I tricked security by

making them think I work there, and then I changed to a contractor to get into the office actually on that level, because it was a multi-tenant office. So I used two pretexts there to get in, and one pretext then to get past the door to actually get into the client area. Obviously be observant of others, so see how they act. For example, if people are holding the door open for each other, hold the door open. You'll be surprised that if you hold the door open for someone, people have this natural urgency to pay back that debt of you holding the door, so if you hold the door open for them

the chances are, if they get to the door before you, they'll probably hold it open for you. So use that; abuse the kind of natural human nature that we have. Sounds horrible, but you can abuse that sort of trust that you've made: "I've opened the door for you, you'll open the door for me" kind of logic. Also have your hands full. I sometimes go in there, as on the previous slide, I sometimes go with that pole there, which looks almost like a flag to help them find me when they're trying to chase me down, but it's great: people hold doors open for you and they ask questions

about it, so they ask "oh, what are you doing?", and I use that kind of as more of a technique to get access to areas. Also, for example, you might have an area where everyone is swiping in their access control card to get into a zone even though the door is open. Be observant, asking why are they doing that? The chances are it's what they call an anti-passback system, which means you need a card to get in and a card to get out; if they don't swipe in they basically can't get out. So if everyone's scanning in, you need to pretend to do the same. Your card may not

work, it won't work hopefully, but you can obviously use that technique to pretend you're swiping in even if the card doesn't work, so you look more believable, so you look like you're meant to be there. One of the other things that I've used as well, with the ID cards, is these available on TikTok Shop: these are cat printers that print out sticky labels. Some sites actually have stickers that print out a picture of you and say you're allowed to be on that site on that day. You can buy a cat printer, you can print it off on your phone before you go in, and it

works. So always have an exit method as well; always have something planned, for example you need to use a toilet. So on one engagement I got into the building, I sat down, I did some various network penetration tests, I captured some hashes of people logging onto their computers on site for about an hour and a half, and then I decided to up the game a little bit. So I started to ask people if I could use their computers, which surprisingly people said "yeah, that's fine, okay". So I used their computers, and after that I went back to my desk and thought right, okay, I'm sorted now,

I'll log off, and guess what happened: Windows Update. So I was there waiting for Windows updates to finish so I could shut my computer down, and a lady came up to me. She said "I've just been informed that you accessed a couple of computers, but I'm not aware of your presence today; can you tell me who you are?" I used the pretext information that I knew, so I said "oh, I'm working for..." I basically used the IT consultant, like the IT manager, to say I'm working for him to check some network stability issues. "Okay, can you come to my office so we can just verify your presence?" Now at this point you

think "oh, I'm caught now", but I didn't; I had everything ready, I had my bag packed, so I basically said "oh yeah, is it the office just around the corner?", because I remembered where she was sitting. She said "yeah, yeah, it's the office just on the other side of the office, if you just come there." I said "right, I'm just going to pop to the toilet and then I'll come to see you." That was the mistake: she went to her office, I went out the front door. At this point obviously I did call the client to let them know that they're probably going to have a very panicked lady calling them up, and sure enough

they did, and they went into full lockdown, because obviously I accessed a couple of their computers. But yet again, it's that trust; have that escape route. Another one I've used before is to say "oh, I'm meant to be here, hold on, let me call my manager. I have no reception on my phone, let me go outside, I'll just give him a quick call and come back in and let you know." So I've used that as well, and that's a good way to get out in an emergency. My aim here is to actually not get caught. I will always have a get-out-of-jail letter, which basically states

I'm authorised to do this engagement, but my aim is to not give that away; I don't want to give that away. I want to basically get to the point where I've said "okay, I've successfully compromised you", even though I sort of semi got caught. So remember that weekly test I talked about? Well, most fire alarm systems, if you didn't know, can actually be connected to the access control systems. The reason for it is obviously the fire alarm goes off and you need to get out of the building, it's a fire, so you'll find that most access control doors are actually free release at that point, so you could just push the door open; you don't need a card, you don't

need anything. So because of this I have, A, found out when the fire alarm's going off, and B, I actually know a time and a date for when the doors are open. That's brilliant information, so I'll use this information. Most sites do not have an isolation key switch to turn it off, because the idea is they're testing the fire alarm system, they're testing to make sure the doors release. So this is basically the weakest part of the security, and it happens in every building every week. So because of that I know when it's happening; there's also a very loud siren that tells me that it's happening and

the doors are unlocked which also helps so I don't even know need to even watch security I can just you know one engagement I went I walked in through the front door knowing that the fire alarm test was in about 5 minutes I just waited in the stairwell because I knew that in the next 3 minutes the fire alarm's going to go off and I could open the door so you can you can use that Sounder to to to make you aware and yet again uh it may only be for a short period normally you know 15 seconds but you've you've normally sort of like 30 seconds or so but on most newer systems they're what they call addressable

systems and it actually takes about 15 seconds for them to reset after the sounds have stopped so even when the Sounders have stopped the doors could still be unlocked at that point and sometimes they might do it one or two you know two or three times so yet again this can help you get into certain areas so for example on that engagement I waited in the stairwell because it was access control from the stairwell out when I heard the fire alarm I opened the door I then walked into the main lobby and then walked into another area an open plan office area I didn't need the card again I pretended to use a card just to so people around me could look

could see that I'm using an Access Control Card even though it didn't work but I knew the door would be open so yet again that that adds that sense of security to people watching uh and then I got into the area so yeah again internal doors will be released what about the server room I wonder if that door will be released yeah again it's something to something to check and be observant of uh also as well when they're doing the fire alarm test it might be the actual security staff that are on reception are doing the fire alarm test which means there's no people at security so you can first of all a walk in without a problem

secondly man traps and stuff they probably release as well so all these man traps I can just walk through so yeah again I can walk straight through those and then the access control doors I can get straight in so you may only have a short period of of 30 seconds to get into a building and where you want to get to but but generally once you're in a building once you're P that front security you'll be surprised how many people trust you for the simple fact that you visually look like you're meant to be there I you're wearing the same color lanyard you got the same ID type badge you've got the same lanyard you've

got the same Access Control Card uh but people won't ask you questions because you got in so that's how I use a weekly test so once I'm in I look for other things as well with Access Control tricks so here's a favorite favorite one uh you may have see these on exits to buildings how many of you have seen them on trying to get into a building so for example on one engagement and this was a bank uh had these by The Doors next to the access control Point like that now I know this is physically connected to the lock so by pressing the button I know the lock that's locked unlocked now and I can just walk in so sometimes you

might see these installed incorrectly another thing that you have sorry that's going to buzz until I do this next bit I

apologize I bring these keys with me which which is that magical key down there I like to call it the magical key this key basically allows me to open these [Music] boxes so when that's open that's basically the same as activating it these are never normally Glass by the way they're all plastic so they're all resetable plastic elements so what I do is I carry one of these round with me cuz when I see that I know that I can use this key to open the door very briefly very short period of time so it might have a Sounder or you may have heard it when somebody left the door open too long an access control

it might beep Well normally that's the S same siren or or buzzer that alerts someone that the door's been opened without the appropriate access control so I'll just go there with my key I'll pop it into the bottom of the lock I'll open it quickly walk through the door and click it back up nobody's know I've activated that if you want a key by the way I've got a couple here do not go an Open Door uh but yeah I I can easily access by that so I on on this bank I um I went to I did an engagement on they basically had this on every single Access Control area so I could basically walk around

the whole entire building by using that little black key with no access controls in fact they had it in the entrance to the server room and guess what it had like a biometric scanner and you had to scan in and they got you to sign in but they also had this green call point so I thought to myself let's give it a try so I put the key in and I opened the door and I heard that buzzer I panicked a little bit cuz it's an open plan office and it's like a little little office over it I looked around nobody turned around so I shut the door and I did it again just just to see what would happen

And yet again nobody paid any notice, so I walked in. So now I'm in this bank, in the server room, which is an interesting place. Quite a lot of banks may have a server room, but they'll also have another sub server room in the server room, normally a caged area, where they've got the more secure servers that normally do the transactions themselves, that have to have an extra level of protection.

Now I noticed one thing, so this is where I'll go into the door controllers part. Access control systems normally have what they call a door controller, which is a box that's on the wall that has the power to it, the main supply, and that connects to the reader and also connects to the magnet, and also next to it a fire alarm interface, so it releases on a fire alarm condition. So in this server room I noticed on the wall, inside the non-secure area, the door controller. So if I wanted to, and it was at arm's reach level as well, I could disconnect the wire from there and open the door. It wasn't in the secure area, and yet again the fire alarm interface itself. So the door controller may have some security on it, it may set off an alert on the access control system, but the fire alarm interface will not have that, because fire alarm systems are so regulated that they don't evolve very quickly. They're very boring and very generic, because they have to be, they have to work in extreme conditions. So I know that I could open the fire alarm interface box, disconnect a wire, and the door would release and I could walk in. So obviously that company, that bank, had a very big wake-up call when I said, yeah, I accessed three of your server rooms, and I just walked off the street, in a one-day engagement. They were happy that we found it, but also a little concerned, as you can probably imagine.

But yeah, again, don't worry about access control logs; they look like that, they look horrible. This is just an example of the Paxton system, so you can see that the door was forced and then relocked. Nobody looks at those logs, and nine times out of ten they're not connected to an intruder alarm system. So in this situation obviously the door was opened without the access control; it wasn't recorded on security, security had no kind of knowledge that it even happened, because they're not looking at these access logs. Somebody tries to scan a card in the wrong area, it'll log it, and it'll be just full of information that is not really relevant.

And then CCTV rooms. Very rarely, working in the CCTV industry, they're not very proactive, they're more reactive. So what I mean by reactive is they don't look at the CCTV live, they look at it after something's happened. So unless you're in, for example, a shopping center, where it's more sort of proactive, they're looking at people who are going to, not break in, but steal items, so they're looking at people who are known offenders. Quite a lot of office buildings and stuff like that don't have that sort of security. Normally the security is on the front desk, and he's signing people in, he's talking to people, he's sorting out contractors; he might have the cameras on the screen but he's not really looking at it. He might be looking on TikTok, looking at cat videos; it's all stuff that he's doing, and they don't have the funds to have someone constantly looking at the CCTV. So I really don't worry about things like CCTV. I don't care if I'm on CCTV, because I look how I'm meant to look, and I'm even walking around with a big red pole half the time. If you can't find me and I'm carrying a big red pole, then you know what's going on.

So another engagement: myself and a colleague entered a building. He went through the front door; he tailgated someone in, and then because he didn't observe someone using their access control card where they had anti-passback, he almost got caught because of that reason, and he got taken to reception. I went to the kitchen exit where they have the kitchen deliveries, and I told them I was using the fire alarm technique. So I had my big red pole with me, I had my tool bags, and I told them, oh, I'm just coming to do your fire alarm system, can I just come through here? They let me in. They're a very good company, they've had lots of physical penetration tests before; the staff actually went to reception to confirm it after letting me in, and at that point I'd gone in and I'd walked up the stairs and I'm already on the third floor walking around. So I'm walking around different areas of this building, just generally chatting to people, having an interest because I'm working on the fire alarm systems. I stand behind people too, so I pretend I'm testing the smoke detector above their head and I'm looking at what's on their screen. I've normally got some sort of recording pen or recording glasses so I can get that information off their screen as well, and sometimes I say, oh, can you just step to the side while I do something? Perfect opportunity to plug in a bad USB or something like that. At that point actually security were aware of my presence, and apparently they were chasing me down. I walked third floor, second floor, first floor, and exited the same way I got in without being caught. So it shows that the security weren't really looking at that CCTV following me; they are very reactive, so they're looking back to say, oh, somebody got in, they're looking back to see where I've been. I wasn't running either, I was just literally walking around talking to people. So it just shows CCTV isn't as scary as you think. If I'm on CCTV, I'm thinking it's not a problem because they're not going to look at it live.

So once we're in, what do we do? We want to access highly restricted areas such as server rooms, filing cabinets, offices, control rooms. Yet again this is something that the client would define in terms of a risk. Server rooms are one of my favorites, because nobody likes you in their server room, so I try to get there. I love to remove stock and items and branded stuff, so for example the fire marshal that's got a fire marshal hi-vis on the back of their desk, I might take that with me, or if somebody left their access control card on their desk, I'll have that. I'll have anything that I can find like that; one engagement was to actually take stock out of the warehouse, so I love taking things with me. I'll look for unlocked machines; if I find an unlocked machine and there's nobody around it, I might use a bad USB. A bad USB basically runs a script simulating a keyboard, so it doesn't get flagged up as a mass storage device, and that then will contact back to a C2 connection that we've got set up. I'll look for email addresses, look for email accounts that are open if the computer's unlocked, I'll look at messaging apps like Teams or Slack and I'll try and send a message to the client contact to show that I've compromised that account. I look for meeting rooms with Ethernet jacks where I can plug a remote access control device in. I tend to use a remote access control device, something along the lines of a Raspberry Pi; this one's got a screen on it that helps me just run actions, but I'll also use a modem in it, a USB modem that will plug into it. This basically means that if I can't get internet access from that device I can directly communicate to it via SSH or some sort of VPN I've set up on it, so I can try their network remotely without actually being on site. I'll plant this under a desk, or in a little hatch underneath the floor where they've got the Ethernet jacks, or plant it somewhere like the back of a computer or something. So yeah, again, you might want to do key loggers and stuff as well. But basically once I've successfully got my goals, I'm out of there; I want to get out as quick as I can, because once I'm in and I've done my objectives, the longer I'm there, the more chance I'm going to get caught.

Now sometimes, depending on what type of engagement, if it's more of a social engagement rather than a red team engagement, I will try and up the stakes, so I'll ask people to start using people's computers, or just generally try and step it up until the point where I feel like I might get caught. So that's what I'll try and do. Yeah, again, I'll look for fire exits. Fire exits are a great way to get out of a building if you need to; it will generally cause an alarm on the intruder alarm system on most sort of stairwells, so I try to avoid those if possible. There was, yet again, this bank that I used; it had one of these, you had to swipe out, or one of these to get out. I just used that, and I got out of the building without being compromised. But yeah, once you're in, obviously remember you need to get out as well.

So what sort of mitigations can we learn from all this information? So first of all, don't disclose information over the phone or social media. One company where I tried to do the fire officer pretext basically said to me, I'm sorry, we're not allowed to give out any information over the phone, you need to contact someone you're aware of, which I thought was great. I thought, I'm stumped here, I don't know what to do, because I can't get any more information out of them. So information even on social media, pictures of lanyards and stuff like that, very easy to copy, even if it's blurred. I don't even need to know your name; just a layout sometimes is believable.

Another engagement where I used that technique: so for example, this engagement, I saw a lanyard, I made a copy of that lanyard. They had a custom lanyard with their company name on it; I created a custom lanyard, I created a custom badge, trying to use it as much as I can. I actually took a screenshot of the lanyard and overlaid my parts to try and work out exact placements of everything, I then got that printed, and when I used that in the engagement, I used tailgating to get in initially, and because it was a very small site, there was probably what, five or ten people on this site, I said, oh, your access control won't be on this system here, because you're from a different office, because that was our pretext. He says, do you want me to add your access control onto our system? And you know what, I said yes. So I give them my card and he's holding my fake lanyard and card that I created. I ordered it from this website and it's a card I just found; I didn't know the technology of the card, so I just picked something. He's there, he's first of all trying to search, and he goes, oh, I can't find you on the system. I said, oh yeah, we had some problems with these cards back in our office. He goes, oh, I'll just add it manually then. So he's trying to add it onto the access control system. The only failure at this point was that I chose the wrong card technology. At this point I was a bit sad, because I thought if I had the right card technology he would have programmed our cards, me and another consultant, onto their access control system, and we would have had legitimate access to this site, for the simple fact that we copied their lanyard. That was it. So something as simple as that can be very worrying and very scary, and when we told the client they were very scared at that point, thinking wow, that was something as simple as that. Because ID card printers, they're not cheap, I mean you can get one for about £700 onwards, but once you've got it you can use it. If you're an APT or someone who has all the money in the world or all the resources, then you're not going to think twice about doing that. So think about it, you can use that quite easily.

So install isolation key switches. Obviously coming from the fire alarm background, the access control, you can install what they call an isolation key switch on the fire alarm panel, so when you're doing your weekly test you can turn this key switch and that makes sure that none of the doors release as you're doing the fire alarm test. The sounders will still work, people are still aware of how it sounds, and that complies. However, to fully comply you need to test it at least once a year to make sure it does actually release the doors, so obviously at those points you make sure that there is extra monitoring for things like server rooms and people coming in the building; maybe you prevent people from signing in or swiping in at that point, to make sure that no people are coming into the building that are not meant to be there. Make sure your access control is fit for purpose. There's no point in having these green break glasses installed on the ingress side of a secure area, because you've basically just installed a big key to get in, so make sure they're installed properly. Make sure the door controllers and interfacing is all on the secure side of the building, so someone with a ladder, maybe they've got in legitimately or illegitimately with a ladder, won't be able to access the access control systems to release the door. And obviously staff training: make sure that people are trained about how to challenge unknown people. If they don't recognize them, what would you do? Challenge them, take them to reception, verify; don't just look at their ID card, it could be fake. One of the things I always say with access control: why don't you ask them to swipe it and make sure it does actually work? That's a good way to verify that their access control card works. It might be a clone, yes, you've got that worry; if you're still not sure, take them to reception, make sure they're signed in correctly. And yet again, door forced alarms: make sure these are actually connected to the intruder alarm system, so if somebody does open a door without swiping in, for example that server room situation, if it went to security rather than just being logged on the access control log, then maybe people would have been aware and they would have investigated it, rather than me going to every single server room in that building.

And that is everything. I hope you gained some information about this; I know it was long, and I showed you some cool stuff, but if anybody wants one of these keys, I did buy some, so you can have them as a little memoir, and not to be used maliciously. But yeah, any questions about that? Yeah.

Sure. So on one engagement, it was a slightly skiff engagement, because we gained access to this plant; in fact this engagement was to access the control room for the I system, so the actual plant manufacturing the product. We got into that plant within half an hour of the engagement, and we got out. We shouldn't have been in that server room; apparently it's the only time it was opened at that point. We then had legitimate access for the rest, so for example security were aware we were there but nobody else was, and we had a whole week there of nobody reporting us. Other engagements: it was another financial firm, we gained access, we stayed there for 5 hours sitting at a desk, people were making us tea and coffee, and then we ended the engagement because we were bored at that point, because we were there running Responder on their network while sitting in their office, and then we basically got bored. So we wanted to see how many computers we could access, so we asked people to use their computers, and then we left at that point. We didn't get compromised. So yeah, you could easily stay once you're in there; there's this full sense of security that you're meant to be there. The longer you're there, in fact, the more sense of security, so if you can pass the half an hour, hour mark, the chances are nobody's going to come and approach you, because they've seen you there; they said, oh, that's the guy working on the PC, on the computers, on the internet. In fact we went to one site and he was saying, oh, finally somebody coming to fix our network, that's great, and we were actually just running Responder around the network. It was great fun. Another one, with the fire alarm system, I actually went as a pretend contractor. They actually gave me an all-access pass as soon as I walked in the building because I said I'm a contractor working on site, and then I wasn't actually accessing the whole building, it was just the client floor, but I used that to get access to the client's floor, and I used that yet again as almost like a pretext to show that I'm meant to be there, because they saw that I had an all-access pass from security. So yeah, once you're in, you're in, pretty much. It's all about having those minor details to make you more believable. I think we've got time for one more question.

Yes, there are some human hacking qualifications that you can do. I'm not entirely sure if there are many; it's pretty much an experience thing. I got into it without knowing anything, pretty much, and learned that way, and used my past experience of doing fire alarms in order to get in. So you really have to look around, but there are some courses that concentrate on the sort of human, social engineering elements of it, so that might be a good route to look at, and acting classes; you've got to pretend to be someone, so it's always good to look at that. I think that's all the time we have. Thank you very much guys. [Applause]
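The mitigation the speaker closes on is that a "door forced" event, or a door released by the fire alarm interface when no test is running, should reach the intruder alarm or a person at security rather than sit in an access control log nobody reads. As an added example (not code from the talk, from Paxton or from any access control vendor), the Python below reads a constructed, pipe-separated event list and escalates exactly those two event types, leaving the routine noise behind; the log format, door names, weekly test window and severity rules are all assumptions.

```python
# Added example (not from the talk): escalate door-forced and off-schedule door
# release events from a constructed, pipe-separated access control event log
# (timestamp|door|event|detail). Format, door names and schedule are assumptions.
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Set

# Constructed sample: the Monday 09:58 weekly test (expected), Server Room 1
# forced twice, routine noise, and Server Room 2 released at 15:05 with no test on.
SAMPLE_LOG = """\
2024-06-03 09:58:02|Lobby Door|Fire alarm release|weekly test
2024-06-03 09:58:05|Server Room 1|Fire alarm release|weekly test
2024-06-03 09:58:40|Server Room 1|Relocked|
2024-06-03 11:42:17|Server Room 1|Door forced|no valid token
2024-06-03 11:42:31|Server Room 1|Relocked|
2024-06-03 11:43:02|Server Room 1|Door forced|no valid token
2024-06-03 11:43:20|Server Room 1|Relocked|
2024-06-03 12:10:44|3rd Floor Office|Access denied|token 0012ab wrong area
2024-06-03 15:05:09|Server Room 2|Fire alarm release|
2024-06-03 15:05:30|Server Room 2|Relocked|
"""

# Assumed site policy: weekly test on Monday (weekday 0) 09:55-10:05, plus the
# doors whose forcing or release should always reach a person, not just a log.
TEST_WEEKDAY = 0
TEST_START = time(9, 55)
TEST_END = time(10, 5)
HIGH_RISK_DOORS: Set[str] = {"Server Room 1", "Server Room 2"}

@dataclass(frozen=True)
class Event:
    ts: datetime
    door: str
    kind: str    # "Door forced", "Fire alarm release", "Relocked", "Access denied", ...
    detail: str

@dataclass(frozen=True)
class Alert:
    ts: datetime
    door: str
    severity: str  # "critical" for high-risk doors, "high" otherwise
    reason: str

def parse_log(text: str) -> List[Event]:
    """Parse timestamp|door|event|detail lines; an empty detail field is allowed."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, door, kind, detail = (line.strip().split("|", 3) + [""])[:4]
        events.append(Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), door, kind, detail))
    return events

def in_test_window(ts: datetime) -> bool:
    """True if ts falls inside the scheduled weekly fire alarm test window."""
    return ts.weekday() == TEST_WEEKDAY and TEST_START <= ts.time() <= TEST_END

def escalate(events: List[Event]) -> List[Alert]:
    """Pick out the events that warrant an intruder alarm signal; denied tokens and relocks stay in the log."""
    alerts: List[Alert] = []
    for ev in events:
        severity = "critical" if ev.door in HIGH_RISK_DOORS else "high"
        if ev.kind == "Door forced":
            alerts.append(Alert(ev.ts, ev.door, severity,
                                "door opened without a valid token; signal intruder alarm"))
        elif ev.kind == "Fire alarm release" and not in_test_window(ev.ts):
            alerts.append(Alert(ev.ts, ev.door, severity,
                                "release outside the weekly test window; verify on site"))
    return alerts

if __name__ == "__main__":
    for a in escalate(parse_log(SAMPLE_LOG)):
        print(f"{a.ts:%Y-%m-%d %H:%M:%S} [{a.severity}] {a.door}: {a.reason}")
```

Run against the sample it raises three alerts (the two forced openings of Server Room 1 and the afternoon release of Server Room 2) and stays silent on the scheduled test and the wrong-area card read.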