
Moritz Thomas, Firat Acar - Behind Closed Doors: Physical Red Team Tactics (BSidesFrankfurt 2025)

BSides Frankfurt · 1:01:02 · 123 views · Published 2025-12
About this talk
This presentation, led by expert Red Team professionals, dives into physical Red Teaming in corporate and critical infrastructure environments. It covers stealthy infiltration techniques like 802.1x bypass, rogue device deployment (e.g., Raspberry Pis), social engineering, and ID card cloning, and shares real-world insights through case studies, such as a speedrun operation in a European underground facility, to highlight high-pressure scenarios, challenges, and prevention strategies. Participants leave with a clear understanding of physical Red Team dynamics and practical network security and ID cloning countermeasures.

Slides: https://bsidesfrankfurt.org/files/2025-08%20-%20BSides%20FFM%20-%20Behind%20Closed%20Doors%20-%20Physical%20Red%20Team%20Tactics.pdf
Transcript [en]

Okay. Hello everyone. Moritz and I are going to talk to you about our physical red team war stories. It's not going to be a very deep technical talk. We're going to go over some little technical details here and there, but it's not going to be very elaborate. So the agenda for today is: we're going to introduce ourselves a little bit, introduce NVISO very briefly, and then give you a quick background about the difference between pentesting and red teaming. Afterwards we're going to jump straight into the stories, and at the end we're going to do a quick takeaway and Q&A session.

All the story details like names, locations and everything are anonymized. We have a lot of pictures that are AI generated, just to keep the anonymity. So, me: I've been at NVISO for almost 5 years now and I do only red teaming, basically 90 to 95% red teaming.

>> Right. My name is Moritz Thomas. Let me also welcome you to our talk. I've been with NVISO for four years now. Started out as a pentester, then became a red teamer. Nowadays, while I focus on doing R&D in the red team space, every now and then I get to work on other projects and on more exotic scenarios, and one of those are the physical projects that we got going on, and you will hear a whole lot of that in this talk. So who is NVISO? NVISO has been around since 2013, and we have spread from Belgium to Germany, to Greece and Austria. I think it says 270 experts, but at the moment we have over 300 experts in Europe. Basically we do the whole range of cyber security stuff. We do red teaming, we do pentesting, blue teaming, we have strategy and architecture, compliance, everything about cyber security basically.

So a quick background, for the people that don't know yet: the difference between pentesting and red teaming is basically that in pentesting you have, for example, a web application that a customer gives you, or another application, and they say, test this please and just report as many vulnerabilities as you can. So there's no stealth. They know that you're doing the exercise and they expect that you find, hopefully, a lot of vulnerabilities. With red teaming, the difference is that you get an objective. For example, a bank says, "Hey, we have this internal application. If you reach this, it's game over for us." And you have to be stealthy. Sometimes this includes phishing to get your foothold and also physical breaching: going to the offices and actually going in there and planting some devices or stealing some documents. And that is what we're going to talk about today.

Another quick methodology background. For these physical breaches, we have certain different methodologies that we use. We're not going to talk about all of them in this talk, but basically you have different phases. For preparation and recon, you do what's called OSINT, open source intelligence. You go online and try to find as much about the company as you can find without doing active scanning. So it's just passive. Embedded recon is basically going to the office premises and, without being too obvious, just taking a look, taking pictures of people with badges, for example, seeing where they have exits and entrances, and then trying to come up with a game plan for later. So, phase two, you have covert entry and overt entry. For covert entry, for example, you have the access card cloning, which we're also going to touch on today. Covert means that you stay under the radar. You're not talking to people. You try to get into the premises without seeing anyone or talking to anyone, basically. The overt entry is, for example, social engineering. That's where you make yourself known and you try to trick people into basically letting you into the premises. And then phase three, once you're in there, you want to reach your objectives. And sometimes you want to maintain access, because it has happened before that we had to go in there multiple times. And that you do via hardware additions, or you steal some documents, or you try to steal badges that you can use for the badge cloning.

So who is who in the red team? Of course, you have the superstars, the red team itself. We are the ones that actually execute the attack scenario. We try to be stealthy. We have to find our way either via cyber or physical intrusion, and we try to reach one or more objectives without getting caught. Then you have the blue team; they are the enemy. They are not fully aware of the attack. Well, actually not aware at all. And once they see an incident, if we do raise a detection somehow, then they need to treat it as if it's real. Well, they don't know, so they will think: is this real or is it a red team? They have to treat it as if it's real and they have to investigate, and they make our lives difficult, or they at least try to. And then you have the white team.

They are fully aware of the operation. Those are basically the people that know that we are doing the red team, which is usually like two or three people within the company. They are involved in all the planning and they are the connection between the red and blue team. So for example, if we do something and it gets detected, they will let us know and they will say, "Okay, the blue team is now investigating." And then it's time for our first story.

>> All right. So that will be mine. Could you give me the presenter, please? Thank you very much. All right. So, the first story is going to be about an industrial plant. It looks something like that. So it's in an industrial setting. It looked not that fancy, not that epic at all, but it was quite sizable, I got to admit. And our objectives were to gain physical access and infiltrate the facility, then gain access to servers that were hosted there locally, and once we had access to the servers, try and attach our rogue device, our Raspberry Pi basically, to one of their network switches there. Sounded like a mouthful to do, but let's try and do that.

So we started with reconnaissance, with OSINT. We tried to find out as much as we could about the facility without directly interfacing with it. So yeah, Google, YouTube, social media, and for industrial settings specifically, Google Maps is a gold mine, because you can get a very good idea of the size of the facility, of where it's located, of access points, everything. It's pretty cool. So using that we found that this is a very remote location. Makes sense. You don't usually have industrial facilities in the middle of your city, right? But you could also see it's a very extensive, wide and open area. You could see some perimeter defenses like fences, parking lots, accessways, and a couple of buildings that might be interesting. Then using Street View, for example, we could confirm: yeah, indeed there are fences, quite tall fences actually, like two to three meters high, so it could be tricky to jump over. There were lots of cameras. We could already see that. And there was only one single gate for entrance, so that could be a challenge. Also, we found it's closed to the public, so there are no events taking place there. There are no guided tours, no bring-your-child-to-work day, whatever. You wouldn't find that there. Again, makes sense, right? But it was a bit of a bummer.

So then we proceeded to going on site, taking a walk there, acting as someone just enjoying the landscape. Admittedly, it was quite a nice landscape there. And what we found there, with a focus on the physical access controls and the perimeter defense, was that they indeed only had a single gate and very few doors embedded into the fence. Both of those were heavily guarded by lots and lots of cameras. It was absurdly many cameras, and it was not only regular cameras. The white team told us, when we discussed that with them: there are wide-angle cameras, there are thermal cameras, there are night vision cameras, they got everything there. So again, a bit tricky. Then we found some weird sensors that were installed on the fences. First we couldn't make sense of that, but after some research we found that those were vibration sensors. So climbing the fence, not a good idea. They told us they are highly sensitive, so much so that even birds landing on the fences would regularly trigger them, which is good and bad for us. Bad because it's highly sensitive and they would for sure detect us. Good because they were triggering and causing false alarms constantly. So maybe that's an idea. Then we found that even though the fence was pretty tall, there was one spot where we could potentially jump over the fence, because there was an electrical cabinet on the outside of the facility and you could theoretically climb that and get in. There was not a very bright outlook for that.

So we presented them two options. The first one would be jump the fence. The second one would be some non-technical, not very exciting but maybe more promising social engineering. So we said, okay, for jumping the fence we found that spot. It's super easy to get in for us, super hard to get out, because that spot was on the far side of the facility and there would be virtually nowhere to get out from then, because try jumping three meters. It's quite the challenge. And it would be super suspicious at night, because we found during our observation that there was nobody on site at night. The facility was well lit, incredibly well lit. It was winter time, so even the snow on the ground would reflect all the light. So you would be sticking out like a sore thumb. That would make it super hard to hide in case you were detected by anybody. And you would be thinking to yourself, just go there at night. Nobody's there. Nobody will see you. Maybe via CCTV, but hey. No, I kid you not. There were people walking their dogs even as late as 1:00 a.m. at night. Crazy. I don't know why, but people did that. So, okay. Hiding, not an option. Maybe that's not a very good idea. In summary, we together with the white team decided, hey, let's not do that. It's a terrible idea. Let's maybe go with social engineering, but we don't have a good story or pretext to use for that. And then they said, okay, you only had one day for observation, which is a very, very short amount of time. If you had had one more day, you would have found that every other day there's an external cleaning staff coming to the facility to clean. So maybe you can impersonate them. We told them, you know, sounds like a super easy pretext. Let's do that. So we can develop a super simple story and persona for that. It was during COVID. We just say, let's grab some cleaning supplies, tell them that the original team fell ill, got COVID, and we are the replacements. Sounds like a super simple execution. Question is, will it be good enough? And then also another challenge: when you've got external cleaning staff, usually they've got keys or key cards so they can enter the areas they need to enter, right, for their work? But maybe you can get around that. Let's see. And the white team said, "Hey, let's go for it." So we decided to do that. Cool.

Then later that day, my colleague and I had dinner and we discussed a bunch of stuff, and he asked me, "Okay, you grabbed all the stuff for the rogue device from the office, right?" Yeah, I did. "Did you do a test run of it? Does it run good? Did it do all the things?" And I was like, "Dude, I was in such a hurry. I just grabbed all the stuff. I didn't test it yet. Damn. Okay, I will do that once I get to the hotel room." And I did. So, the rogue device, super simple. It's just a modified Raspberry Pi. We got our peripherals for that, all the accessories. And it's supposed to work something like that: when you're on site, you would just connect it to the local network. It would then have an LTE modem to connect to the internet, connect to our C2 server, and then we could remotely, via the C2 server, connect to the Raspberry and to the network. Super cool. Pretty simple. So, I tested that. Didn't work. That was a bummer. Turned out, oh no, I grabbed the wrong freaking LTE stick, because we only had one in our office that we knew didn't work. We tested this, and accidentally I grabbed that one. So it was on me. I was like, "Oh no. Oh crap. What am I going to do now?" So of course, there's going to be a Linux USB network device troubleshooting speedrun session until 2 a.m. Not very fun. But luckily, you know, there were a whole bunch of people who had the same exact problem or use case as I had. And I found that again, you know that pattern: whenever there's some obscure, poorly supported, poorly documented USB peripheral, chances are that someone before you tried to make it work on Linux, horribly failed, but eventually succeeded. And this was the case, right? So I scrambled together some scripts. That was before ChatGPT, by the way. You can see there's a whole bunch of sleep statements in there. It was janky as all hell, but it worked reliably. It just took like 15 minutes to boot up and be ready, but it was okay. And that's how I felt after I was done with it.

So the next day we were ready. We first got our cleaning supplies for like 50 bucks. We got a mop, a bucket, some cleaning agents, whatever, sponges. And then around lunchtime, we went to the facility, to the gate, rang the intercom. They asked us, who are you guys? What do you want to do here? We told them, hey, we are the cleaning staff. The original team fell ill. We are the replacements. And without any further questions, they told us, hey, you know, proceed inwards. Go to the registration desk. You're good to go. Then we were there. We didn't consider at all going to the registration desk, because why would we, and we already knew that this was the building that we wanted to or needed to go to. So we just went there, and we were a bit afraid that it might look something like that: very busy, very many people. But no, it looked more like that, because of course it was around lunchtime. And nobody was there, right? Everybody was grabbing their lunch in the canteen, luckily for us. And we were there. So that building looked something like that, with a huge glass front. Turns out it was locked. We couldn't get in. It was a bummer. But there was some random worker passing by. We just told them, "Hey, you know, we are the replacement guys. We got no keys. Could you please let us in?" And after rambling a bit about COVID, they eventually let us in. That was good. Now we were in there. But all the doors were locked. There was only a stairway going up. So we went up, and then we sat there, and all the signs on those further doors said something like, ah, you know, hazard to life, there's electricity, gases, whatever, it will kill you. Not cool. We don't know anything about that. We are not going to proceed here. Let's do the sensible thing: call the white team and ask them what to do. It was around lunchtime; they were not answering. Yeah. So then we sat there. We were super exposed because there was that huge glass front. And slowly people were returning back to work, and we just didn't want to be sitting ducks. So we actually started cleaning. You know, you have to really fill in your role there. That worked quite well. Eventually the white team picked up. They gave us directions throughout the rooms there, and we finally found our destination. So there was the server room, but dang it, all the server cabinets, they were locked. Yeah. Well, there were maintenance panels on the sides you could just pop open. Nice security there. So we got our hardware additions and our access to those sensitive areas, and we were good to go. So after doing that and taking some pictures as evidence, we left, and one hour later the inevitable happens, and of course the original cleaning staff turned up. They're like, hey, we're here to do our job, and the guys were like, dude, you were already here. What's the issue? So, turns out, you know, it worked pretty well. So social engineering, super successful. They had heavy perimeter security that didn't work at all for them in that case, because their staff was just severely lacking security awareness. Interestingly enough, they figured out that something was wrong. They raised a local incident, and there was some bizarre measure that they took. They actually reviewed the CCTV footage and, I kid you not, they printed wanted posters of us and handed them out to people. That was interesting. And with that, I hand it back over to Firat.

>> So I'm going to tell my story, which is not in an industrial setting but more in an office setting. My objectives were also gaining physical access, of course, and then planting a rogue device and taking pictures of sensitive documents or anything like a laptop that they left lying around. For the recon phase, I went there and I saw that it was like a medium to large office. I saw there was a revolving door, and I saw people getting in and out the whole time and the door kept spinning. So I thought, "Okay, that looks good." And I saw elevators inside the building, because it was a big glass pane. And I saw there was a receptionist desk in front, so I would be in sight of them. I would have to be a bit crafty there. But yeah, I thought tailgating looks possible, and I saw people in the streets wearing company merch, so I thought, you know, during noon I'm just going to follow some of them and I'll just tailgate behind them. I thought I wouldn't even need a fake badge. It's going to be an easy tailgating job. So I just didn't prepare much and I went straight for it.

But when I tried to tailgate, it was actually a smart door. So it saw that I didn't badge, and it turned me back twice while someone else was also coming from the opposite side, and we locked eyes, and it was quite awkward, because we turned back very slowly and we crossed eyes, and it was like, no, that doesn't work. I tried that again and then it happened again, and I was like, okay, this is not going to be as easy as I thought. So after that I saw that one of the colleagues there was smoking outside. So I talked to him and I said, you know, I'm a consultant. I'm late. Sorry, I'm early, and I really need to go to the bathroom. Is it possible that you could let me in or something? And he told me, "Ah, the receptionist lady is actually coming right there. You can go to her." And she started talking to me. She said, "Who are you? Who are you here for? Do you have a number or something?" And I basically said, "Yeah, I'm just this consultant from this company and I needed to be here." Meanwhile she proceeded to let me in. So I was sitting there in front of the receptionist lady. And then she said, "You can wait here for your contact person." So I thought, "Okay, nice. I got into the building, but now I'm sitting here and she's probably expecting someone to pick me up. So what is the next step?" It was around lunchtime, so I did have my bag with food and drinks with me. So I looked around and I saw that all of the doors and elevators required badge access. So I wouldn't be able to just sneak around and get out without her supervision. But then suddenly, after like a few minutes, she says, "Do you want to eat your food in the canteen maybe?" I was like, "No thanks. I'll just sit here and I'll wait for my contact person." But then my idea came up. I was like, "Wait, what am I doing? She's giving me access. She's giving me access to a locked room where you normally need to badge." So I was like, "Okay, you know what? I actually would like to go eat it in the canteen." So she brought me there, and of course normally you need to badge to enter it. So I thought, okay, this is one security perimeter I've breached already.

And then I looked around. I saw people with the company merch eating their food, because it was a building with multiple companies. And I thought, you know what, I'm just going to follow these guys into the elevator. I was looking at them, saw that they were finishing up, and I was ready to follow them. But when I went outside, sadly those people left the building instead of going to the elevators. And there I was, back at square one again. But at least I was out of sight of the receptionist lady. I was hiding behind a little wall, a bit similar to this picture. And then I saw other people coming out, and they did go into the elevator. So I was like, "Okay, I'll follow them." And I followed them into their office floor, where they held the door for me very friendly, so I could get into the office and sit down somewhere. So I was there. I just picked a table, and some guys came to talk to me and they were like, "Hi, who are you? Are you new?" I said, "Yeah, I'm just a consultant. I need to do my job here." And we had a chat for like 2 minutes and then they left. So I thought, "Okay, jackpot. I got in. That was easier than I thought in the end." But then suddenly they came back with the receptionist lady, and she looked quite concerned, like on the picture, and they started rapid-firing questions at me, three of them, while I was sitting there. They were surrounding me and asking questions. So I had to be fast. And she was like, who are you? I thought you were going to wait downstairs. What are you doing here? How did you get in here? The other guy was like, who are you? This is a sensitive department. Normally only authorized personnel is allowed. They could spot immediately that I did not belong there. And the other guy is like, do you have a number? Who is your contact person? I will call them right now. And meanwhile I was trying to answer all of them at the same time, and everything was getting a bit confused and thrown through each other. In the end the guy asking for the number just forgot about it. He just, I don't know, he didn't do it, and then he was like, all right, fine, I will bring you downstairs again and we'll get you a visitor's badge for another floor that is not sensitive. So that was great news to hear. I went with him. We had some chat. We had laughs and everything. We went there. I picked up the new badge. I had to give my ID card, which is not ideal, but at least you still got the badge. But I was not in yet. Well, I didn't win yet, because I made a stupid mistake afterwards. I went back in and I saw the receptionist lady sitting there, and I thought, I'll go chat with her and ask which floors I am able to access or allowed to access. I could have gone into the elevator without asking her, but then suddenly she got suspicious and it was like, hold on, wait here. And she brought me to the security room, where I had to wait for someone to pick me up, suddenly. And so I called the white team and I told them what's happening, and they were like, okay, I'll come get you and we'll consider this a leg up, because technically I had already won. I just should have not talked to that lady afterwards. So back to Moritz then.

>> All right. Thanks a bunch. So this one is about a mountain base.

It looked something like that. So that was super interesting, a bit more of an exotic project, because this one was an underground facility, and the only thing poking out really was the entrance at the side of a mountain. And there the client asked us and gave us the objectives to again infiltrate it, gain physical access and plant a rogue device, but not just anywhere, but in the controller network, in the OT network. Okay, so we proceeded to do some reconnaissance, right? Turns out for an underground mountain base, satellite images are incredibly not helpful. So, I skipped that. Anyway, Google Maps gave some interesting pictures of on-site visits and tours that they did there, because as you can see there are various people of various sizes. So I guess some of those were children, random clothing, but all of those got hard hats. So, ah, they got public tours. That's interesting. And there were, of course, some pictures of the individual rooms there in the underground facility. I even found a 3D map kind of visualization thing of the facility. Super interesting. Admittedly, it was a bit hard to map the pictures that I found to that map, but it was of some help, somewhat interesting. And again, of course, it's a remote location. It's some random mountain, right? Extensive underground area, closed to the public, but guided tours. Super interesting. A bit of a bummer about that: you needed to register for those two weeks up front with a minimum group size of 10 people. We were two testers and we were supposed to go there like three days later. So, well, anyway, we proceeded to do some embedded reconnaissance on site again, because this base and that entrance there was located near a public road, or just right beside a public road, and people usually just take breaks there, because it's a semi-open public space. So we did that at night, because then nobody was around really. At night everybody left. And we found that, yeah, there are locks that look like they were high security locks. So lockpicking, not a good idea, especially because there's a whole lot of CCTV cameras again. So they would surely pick up that we were picking locks there. Not a good idea. There was a keypad and card reader. That was interesting, because that had exposed screws. So you could theoretically fiddle with that, but realistically you would try to identify the exact model, order it to your company, to your lab, and then try to research it, try to break it open and find out how it works. Obviously, we couldn't do that in that amount of time. And we found that during the day, lots of traffic, but at night, no traffic at all.

So how would we then try and approach that? Well, we thought to ourselves, okay, there's an access card reader, but we won't realistically find any access cards lying around. And trying to get people to give us their access cards might be a bit tricky, because most of the people going in there are like workers, and trying to convince them could be a bit tricky. Trying to disable alarm or CCTV installations: rather destructive, we wouldn't want to do that, and also the client didn't want us to. Lockpicking: not an option due to the monitoring there. And fiddling with the access controls there: also not a good option. So that left us with the overt entry, and we were certain, and the client was also, that they didn't want us to destroy anything. So that left us with social engineering and persistence. Persistence meaning that once we got in, we would try to hide somewhere, maybe in bathrooms, and then try to do our malicious actions there at night when nobody was around anymore. That was interesting. But we told them, "Yeah, we found out about those guided tours, but we can't register for that anymore and we are too few people to do that." And they said, "Well, okay, you're right on that, but as luck would have it, the day you are scheduled to go there, there's also a guided tour taking place for new joiners, so maybe try joining that." That was a very good idea. So we did. We went there in the morning at 8:30. It was cold as hell because it was snowing. And then we waited for the bus of the new joiners to arrive, and they arrived. We joined the group and were immediately greeted by a presumably HR lady, and she told us, "Hey guys, I haven't seen you all morning. Who are you guys?" And we had already developed a persona and pretext for that. And we told her, "Hey, you know, we are from the German branch, and maybe they didn't contact you yet, but we happen to be here, just recently joined, and we were told that this tour took place today and we should just join given the opportunity." What a coincidence. Cool. And she was fine with that. So we joined that tour. It was super interesting. After like 10 minutes or so, she came back to us and asked us, "Guys, what's your name? I had a call with HR HQ and they aren't aware of anybody joining." So we gave our fake names. And she was okay with that. We continued the tour, and another 10 minutes later, she was like, "Okay, guys, who's your manager? Nobody's aware of you and nobody knows your names." And we told her, yeah, you know, our German branch, it's really known for having a super rocky onboarding. You know, it's known to be very hard and that they screw up stuff all the time. So we are not very surprised that you didn't hear of us and that maybe our manager is not in your system. That was a bit weird, but then she told us, well, you know, it's a private event here. I can't have you be here. I need to ask you to leave. Which was a bummer, but it was somewhat okay. We were then escorted out by a worker there, and he told us, you know, I don't get it. It's the same tour we give to the general public out there. What's the issue in having you here? We were briefly considering talking him into letting us rejoin, but we were super certain that this HR lady would spot us again, so we wouldn't do that. And this is a half win, or more of a fail admittedly, because we didn't get to do what we wanted to do. But the situation did not escalate. We were not busted. We were not really caught. For such cases we have a get-out-of-jail letter, which is a written piece of paper which says who we are, what we are doing here, and our contact persons from our company and from your company. So before you call the police and apprehend us, please call those people so we can de-escalate the situation. We didn't need to draw that card, which is good. So the first attempt: turns out this lady was the sole reason why this didn't work. She was super process-oriented, and we presented a deviation in her processes, and that sparked suspicion. She was super persistent also, and assertive, because I tell you, this lady had an expression on her face. She let you know that she's not someone to be kidding with. So we didn't dare. Yeah. So interestingly enough, they raised an internal incident at HQ, but we never heard anything of that, and neither did the white team really. So that was that.

But the white team said, okay, we don't want to give up on this exercise at this point. We will provide you with a leg up and try to simulate what would happen if this was successful. So we went there again. It was still snowing, at night, at like 1:00 a.m., and we were escorted by a white team member who was authorized to access the facility and had all the access keys and whatever. And he briefly disabled the alarms and let us in, and then also followed us around, because it's a quite hazardous environment, right? You can't just let us randomly jump around there. So we had a look at the facility, but didn't get as far in as the public tour, as we would have liked to, because we didn't know yet where to go. So we just explored. The space was quite big. And then eventually we found that control room. Super interesting. We found that there was an HMI, which is an industrial, like, human machine interface. It's a display that lets you control the processes that take place there, right? So, a very abstract, very high-level description: it's basically like a fancy tablet, you could say, right? They were locked though, so not of much use. Then we found some drawers, and as you could expect, we of course had a bit of a look at the files there, and of course there were clear text credentials to that HMI, so we could unlock it. That was pretty cool. Then we noticed there was also a printer, and we noticed that the network cables and ports were color-coded, and we noticed that that printer had the same color coding with its network cable and port as the HMI had. So since the HMI needs to be connected to the OT network, that might mean that then also the printer is connected to the same network. So why not try and plant our rogue device here. But we figured, okay, maybe they might have some network access controls here. So let's do it in a somewhat clever way. So we assumed that this is the setup: you have your printer that then authenticates towards the switch, and the switch, once successfully authenticated, would open that port for the printer to then reach the network. Cool. What did we do? Super simple. Again, Raspberry Pi to the rescue, with two Ethernet interfaces. We bridge the connection. And then using SilentBridge, for example, we had a transparent bridge. We would then assume the IP and the MAC address of the printer and would then be looking the same to the switch and to the remaining network infrastructure as the printer would. Super cool, super simple. Now, interestingly enough, I didn't really think about that beforehand, but I think the white team already disclosed that this would work, and I was surprised that it did. We again had an LTE modem, underground in a mountain. I didn't expect this to work. It worked brilliantly. So we had again connection via our cloud infrastructure to our C2 server, right? So that worked. And then the cool thing is, once we had this installation in place, we could then also remotely pretty much inject packets into the network. Super nice, because we were just acting as some kind of router. We were then implementing a source NAT for the printer, right, and static ARP, so we could just communicate into the network. Super cool. We

installed that. That worked quite nicely. Um, again, this was like 1:00 a.m. and suddenly the phone rang. That was a bit weird. And we, my colleague and I were locking eyes and we were locking eyes with the Y team guy and he was like, "Guys, if I were you, I'd run cuz that's security calling. They detected you unplugging the printer possibly and they are most likely to come investigate. So uh we ran back really packed our stuff ran outside and the white team member said okay now with u from some distance let's observe and try and find out whether somebody comes to investigate at all and we had a look around and nobody was coming. We waited

for like 30 minutes nobody was coming. We were super surprised. Nobody was expecting that. Um there was a bit of an aftermath internally because of that right so we found out that legup was very successful they had heavy security but only at the main entrance that's what the white team said we couldn't really deduce this ourselves because they disabled this for us but then they raised a local incident because they figured out okay then that port was disconnected the alarm was disabled somewhat somebody was there but for some reason they didn't really record anything with their CCTV or couldn't make anything out uh on their recordings so then they rounded up all the people who were authorized to access this

location and asked them and interviewed them were you there and of course our YT member played along as like posing as some kind of malicious insider and they were like no I didn't and then this was quite interesting but they did not make any connection to the first incident which was which was a bit weird then they went all panic mode and u yeah started off a a plantwide investigation and search so they performed a whole sweep throughout the whole facility to find out whether anything was being sabotaged or manipulated or anything. They did not find the implant. That was weird. Also unexpected. And with that, you're up.
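An added example (not the speakers' code) of the one signal the story says the site did react to: the printer port going down and coming back up at 1:00 a.m. Once the transparent bridge has taken over the printer's MAC and IP, the 802.1X log looks normal again, so the detector below works on link-state events instead, checking an inventory of which ports carry unattended devices and whether the flap happened off hours. The port names, inventory, business hours and syslog lines are all constructed for the example.

```python
"""Flag short link flaps on switch ports that an inventory says belong to
unattended devices (printer, HMI).  A bridge that clones the printer's MAC/IP
makes later 802.1X success events look legitimate; the cable being pulled is
what remains visible.  All ports, MACs and log lines are constructed."""
import re
from datetime import datetime, timedelta

# Constructed port inventory (hypothetical names).  "unattended" marks devices
# nobody should be unplugging by hand, e.g. a printer or HMI in a control room.
PORT_INVENTORY = {
    "Gi1/0/12": {"role": "printer", "unattended": True},
    "Gi1/0/13": {"role": "hmi", "unattended": True},
    "Gi1/0/20": {"role": "workstation", "unattended": False},
}

# Constructed syslog lines; the format only loosely imitates a switch log.
SAMPLE_LOG = """\
2025-02-10T01:02:11 sw-plant-01 %LINK-3-UPDOWN: Interface Gi1/0/12, changed state to down
2025-02-10T01:02:48 sw-plant-01 %LINK-3-UPDOWN: Interface Gi1/0/12, changed state to up
2025-02-10T01:02:53 sw-plant-01 %DOT1X-5-SUCCESS: Authentication successful for client (0011.2233.4455) on Interface Gi1/0/12
2025-02-10T09:15:00 sw-plant-01 %LINK-3-UPDOWN: Interface Gi1/0/20, changed state to down
2025-02-10T09:15:30 sw-plant-01 %LINK-3-UPDOWN: Interface Gi1/0/20, changed state to up
2025-02-10T22:40:00 sw-plant-01 %LINK-3-UPDOWN: Interface Gi1/0/20, changed state to down
2025-02-10T22:41:10 sw-plant-01 %LINK-3-UPDOWN: Interface Gi1/0/20, changed state to up
"""

LINK_RE = re.compile(
    r"^(\S+) \S+ %LINK-3-UPDOWN: Interface (\S+), changed state to (up|down)$"
)
BUSINESS_HOURS = (7, 19)          # assumption: 07:00-19:00 is normal activity
MAX_FLAP = timedelta(minutes=10)  # down->up within this window: a cable swap, not an outage


def is_off_hours(ts: datetime) -> bool:
    start, end = BUSINESS_HOURS
    return not (start <= ts.hour < end)


def find_suspicious_flaps(log_text: str, inventory: dict) -> list:
    """Return one alert per down->up pair on an inventoried port that is
    unattended, restored outside business hours, or both ('high' when both)."""
    pending_down = {}   # port -> timestamp of the last 'down' without an 'up'
    alerts = []
    for line in log_text.splitlines():
        m = LINK_RE.match(line)
        if not m:
            continue            # 802.1X success lines carry no signal here
        ts = datetime.fromisoformat(m.group(1))
        port, state = m.group(2), m.group(3)
        device = inventory.get(port)
        if device is None:
            continue
        if state == "down":
            pending_down[port] = ts
            continue
        down_at = pending_down.pop(port, None)
        if down_at is None or ts - down_at > MAX_FLAP:
            continue            # long outage: more likely maintenance than a swap
        reasons = []
        if device["unattended"]:
            reasons.append(f"{device['role']} port is never unplugged in normal operation")
        if is_off_hours(ts):
            reasons.append("link restored outside business hours")
        if not reasons:
            continue
        alerts.append({
            "port": port,
            "role": device["role"],
            "down_at": down_at.isoformat(),
            "up_at": ts.isoformat(),
            "gap_seconds": int((ts - down_at).total_seconds()),
            "severity": "high" if len(reasons) == 2 else "medium",
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_flaps(SAMPLE_LOG, PORT_INVENTORY):
        print(alert)
```

The daytime workstation flap produces nothing, the 22:40 one a medium alert, and the 01:02 printer flap a high one; the 01:02:53 authentication success that follows it is exactly what a cloned-MAC bridge leaves behind, so it is deliberately not used as evidence of normality.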

Cool. So for me, focal cyber threat. Again, office setting and the same objectives as before. So I have to get in and plant some rogue devices and take pictures of anything interesting that I can find. For the recon, we went there basically and I saw that it's a very big office building, and we saw that tailgating would pretty much not be possible, because the entry was right next to the receptionist desk and they controlled the doors to open for visitors. We did know that badge cloning is possible. That was something that we already saw when the white team told us what kind of badges they used. So we brought a copy device with us.

So we crafted an attack plan for this one, and we were going to use phishing, with voice phishing basically. So what that means is you're going to call people and you're going to attempt to get them to let us in, basically. For our attack plan, basically you need three participants. You need one intruder who's going to go there, a second intruder to also accompany them for later, and then you need a remote participant who is going to perform the calling. So first of all, what do you need to perform vishing? Of course, you need phone numbers to call. How do you get phone numbers from companies? Basically, you can search the dark web, maybe there have been some breaches before, or you can pay someone that can find out some numbers from inside. Once you have your entry via a virtual breach, for example, you can check the internal knowledge bases for phone numbers, etc. And also out-of-office mails: if you send a lot of mails to people, some of them are out of office and they have these automatic replies, and in their signature you will normally see their phone numbers.

So what makes this attack interesting, what we did, was we applied caller ID spoofing. What that means is basically you can call people and then display any number that you want. So I could, for example, call Moritz using a number from anyone here, or like one of our colleagues, and if he has that colleague saved in his phone, it will actually also display that colleague's name on his phone. So I could call Moritz and it will display Ali, for example, but Ali is not really calling him. It's me. I've pranked some friends with this. It was quite funny.

So a little bit of technical know-how. The client that we use to perform this is called Zoiper, for example. There's many other things that you can use. And then using an Asterisk PBX server, basically you set up a local telephone network inside your business. And then one thing from back in the days: a trunk. Basically, back in the days you had these telephone cables that go to your town, for example, and they go to each house. And if you wanted to make a call to another town, for example, you would have something which is called a trunk, where all the cables connect and then they get routed to the next town, and there they spread again to the different houses. Online, virtually, you have what's called a SIP trunk, and you can register those, but it's something official. It's not something that you can just register like that, like enter username, email and done. You have to actually provide some official documents for this; this is regulated stuff. So once you have that, you can connect your local telephone network to the public network through that SIP trunk. And then you can have your caller ID, so basically the phone number that goes through your trunk towards the public network. And then there's something which is called CLIP screening, caller line identification process, that's what it stands for. Some phone providers do not verify the caller ID. So if you're doing caller ID spoofing, you want to look for a provider that does not verify this, otherwise your attack is not going to work.

Yeah. And then it was time to go ahead and start the action. So the first intruder goes there, goes to the receptionist desk and says, "Hey, sorry, my phone battery is dead. I need to call one of my colleagues immediately. Could I use your phone, please?" And the reason why we do this is because we want the receptionist desk number so we can actually call them. Like, for example, the numbers I talked about earlier: we needed one of the employee numbers, and then using that employee number, we will call the receptionist. The receptionist is going to say, hopefully of course, could you tell me their number, then I will call them for you. And then you give them the number of the remote participant, the one that is sitting in the office and is going to do the calling, and then she's going to call him or her, and once that happens you have the receptionist number, you know, and then you can start the attack later.

So with that number in hand, our remote participant is going to use this caller ID spoofing, is going to basically pretend to be that one colleague whose number we have, and then is going to call them. One option is also that you can use an AI-generated voice; a bit more difficult to pull off. We didn't use this in our engagement, but nowadays it's getting more and more possible to do this. And then that remote participant is going to call the receptionist lady using the spoofed number, and she's going to say, okay, that is a number from one of our colleagues, right? So he's going to say, hello, you're speaking with this coworker, I am, for example, expecting someone from this company to be here in 10 minutes, I'm going to be busy in meetings all day, could you please let that person in when they get there? And she should be like, yes, that's fine, I've noted it down, I'll send them straight to you. And then, for example, the second intruder is going to come in as the awaited guest. It's gonna say, "Hey, I'm this person from that company that was just mentioned." And then she'll say, like, "Ah, yeah, I've heard that you were coming by, so I'll just let you in." And then from there you are in. You've passed your first perimeter.

And an interesting optional path is that the first intruder that got in now could basically let the other intruder in by using badge cloning. Like, we knew that their badges were using a weak encryption protocol. I'm going to go over it on a high level here. For example, the MIFARE Classic card, a high-frequency card, well, their cards had a default encryption key set, so they did not change it. And also it uses the Crypto-1 stream cipher, which is a weak and predictable algorithm. Its pseudo-random number generator is quite predictable, and if you can crack that you can reverse the algorithm. The thing is, it's not like in the movies where you just have your device where you pass someone by and it does a little beep and you have the card. No. For us it took like 30 seconds to clone the card. So you have to basically have someone that left their card, that went to the toilet or something and left their badge on their desk or something like that. The device we use to do that is called iCopy-X. So we put the card on there, wait 30 seconds or a little bit longer, and then we copy it onto MIFARE cloning cards. So it has to be a card that actually accepts the same technical specifications.

And that was it for the stories. And we have some takeaways here for those that are interested in how to prevent stuff like this. For example, for Moritz's story, that one lady that was very persistent and assertive: I know we don't like to do this with people, we try to be helpful, but if it's a highly sensitive environment, you have to really make sure that you're letting the right people in. You have to ensure that visitors are always accompanied by staff. If someone is visiting and they say they have a certain contact person, always verify this contact person. Call the contact person. Do not let them call you. And then make sure that it's really them before letting them in. And then when you are calling someone, always make sure that you know who you are calling. Otherwise you will call strangers and they will have your number to further their attack path. So that was our talk. I hope you guys enjoyed it. And then we can now have a little Q&A session if you still have time.

>> Yes. >> Excuse me, sir. Hey, so I have two questions. My first one is about the badges. In your estimate, what's the percentage of badges that can be cloned in Germany? >> Good question. To be honest, I can't answer that one. It's >> just a ballpark number. >> It's not my field. I wouldn't know, to be honest. Maybe someone here could tell you. I couldn't answer that one. Sorry. >> And my other question, about those wanted posters, did anything come from that? Did the guy who let you in, did he recognize you or did he keep his mouth shut? Did he tell them where you went? And did they find the device you installed? >> The white team member? >> Mhm. >> No, they kept their mouth shut, because for both of those engagements, we didn't only plant the devices there for them to be there. And I mean the, and sorry, not the white team member, the worker who mumbled about co. >> Ah no. Well, no, the thing is, during those assessments, whenever we notice that someone didn't act as they maybe should have, we do our best to make sure that they can't be identified, right? Because we don't want them to be blamed. There should just be a general announcement towards the workforce: guys, please be aware that we need to be sensitive to such attacks. >> Okay. Thank you. We sadly didn't receive any. >> Well, it was only hearsay from the white team. So, >> yeah, for those that didn't hear, he asked if we kept a copy of the wanted poster. We didn't.

>> Hi. You mentioned the out-of-jail card, and my question is, have you ever been caught? And do you protect yourself as an individual? As you mentioned, you operate not only in Germany but in other countries. So are you protected by insurance or other means against getting caught? And the question arises because many companies are getting bigger and bigger, and there are hierarchies, and there are teams like the white team in the middle field, for example, and other staff might get in trouble or so and would like to see J, for example. >> So the question is if we've been caught before. I get it. Yes, it was actually one of my stories, but because of time constraints, we left it out. Basically, I had a fake badge, and the woman at the receptionist desk was already, well, of course I couldn't badge, like it wouldn't work. And that was part of the story: I would go up to her and say, "Hey, my badge is not working." And it was like a last-minute thing, you know, and she just took my badge and immediately started scratching it, as if she was trained to do it. She saw that it was fake and she just pulled it off, because we didn't print it. Normally we print badges, but because it was last minute, I think my manager just pasted something on there, and she saw that it was fake. And still, somehow she let me in, because I just talked her into it. Because I just bullshitted my way around it, you know, and then she let me in anyway. She was already suspicious and she told me, like, I'm going to check with security later. So I knew I was on borrowed time, and then I got like the message on my phone, I got the best of my phone saying security is looking for you, and I was thinking that maybe someone's going to come in here and tackle me. But a guy came up to me, I was very professional, I was already smiling because he probably knew it was an exercise, you know, and then they just guided me out. And we saw the receptionist lady on the way out, and I talked to her and she was like, oh damn, I knew something was up. >> Oh, but do you fully rely on your out-of-jail card from your company, or do you have any insurance individually for your safety? >> I think we got insurance, right? >> As far as I know, like, not, hope so. >> Not our personal insurance, but the company's of course insured, so in case anything happens they are covered. So >> okay. All right. >> We have our get-out-of-jail card, but we also sometimes bring a fake one, one without signature. So we bring two of them.

Another question. Did you ever break stuff with your implants or rogue devices? >> Do you mean break our devices? >> No. Like, if I heard about ICS and OT devices, they are quite sensitive. And if you plant a device like your rogue devices, did you ever break stuff? >> We are super sensitive when we are operating in any ICS context, because that is not only very costly but also super, super dangerous to human life. So in those contexts, never really. And then when we are in business spaces, there's not really a huge risk of anything happening. So if we happen to break, I don't know, a network port, it wouldn't be a big issue.

There's one more question in the back and then here one more.

>> Thank you. Those were some really engaging stories. So thank you for that. So when it comes to initial access on these engagements, you presented a few options on the slide, but almost always you fell back to social engineering. If social engineering wasn't an option, what would be the next most popular, or what would you often prefer to do? >> That's a good question. I think we very rarely are in a situation where we are only or exclusively hindered by technical measures, and even if we were, we would still try to attack the human vector. So for example, as was the case with your badge, right? So even if we found, okay, they require you to badge and we can't for the life of us get a hold of any badge, or try and fiddle around with the PACS system there, we would still try to, yeah, talk our way into it. >> Other than that, I've got one, or a few times, I don't remember all of them, but one time we didn't use any social engineering. Usually the bigger the office, the easier it is to get in without social engineering, you know, and this was a huge office. It's a different story, and I was there with a colleague, and by coincidence that day the security gates were left open because of some maintenance or something. And once we got in, there was another perimeter we had to cross which was closed, and we couldn't get in. So we went for a noon break, went to Burger King, afterwards we went back, and while we were walking, we were talking, and suddenly I noticed that someone is coming with a wheelbarrow and I was like, "Yo, look, look." I started running. He was like, "What is happening?" The guy with the wheelbarrow came through and he badged and he opened the door. I was like, "Please, after you." And then I snuck in and I saw my colleague after me running towards me as well. And we both made it in that way. So it was just pure coincidence that we managed to just tailgate our way in. So if you can't do social engineering, you just have to hope that, yeah, something is open or something.

>> You said using, so, are they sanitized from the firmware? And you also use Chinese USB sticks. So how do you know your Raspberry Pi is not infiltrating or piggybacking you into the target? >> That's a very good question, and honestly I can't answer you, because I am not part of the team who engineered those at our side. The thing is, if I recall correctly, we are currently working our way towards finding other solutions to Raspberry Pis, because they come with a lot of drawbacks, right? But specifically for that question, I'm afraid I can't really answer that question for you. >> Well, as far as I know, we >> like sanitation of the firmware, or >> yeah. I don't think so. Wow. >> I mean, at least we do use newly formatted and newly acquired SD cards. So that's a minimum. >> So that's that. >> Okay. Thank you.

>> Oh, yes. We do. Specifically, for example, for network sniffing, we use that a whole lot. I believe there are also network implants that you can remotely control from Hak5. Personally, during my assessments, I exclusively use Raspberry Pis. Then during pentests specifically, I used more of the packet-sniffing capabilities of the Hak5 devices. >> I think there was that Packet Squirrel. >> I've used a local key logger before. It's basically like a little stick, and then once you're there it shows like a hidden Wi-Fi hotspot that I can connect to, and if I connect there I just browse to the website and I can see the keys that he's inserting. And we've also used the remote key logger. So basically you plug it in and then you can just go back to your office, and over the net you would catch their keystrokes. >> What's your range of customers? So do you only test private companies, or also military facilities or agencies? >> I'm not sure if >> I don't know if we can answer that one honestly. No. >> No. >> It's a broad range of question. >> I'm going to stay quiet on this one.

We know your name.

>> Thank you. Oh, one more question.

>> Excuse me. Do you guys ever use fake identities? Like actual fake identification? >> I printed a fake badge once. A well-printed one, with a laser printer. >> So you don't impersonate, like, valid government identification. >> Oh, that's >> right. The thing is we >> these guys are trying to get us in jail. No, we don't do this. >> It's pretty illegal actually. We had one instance where there was a project, or yeah, an assessment, where we managed to, what was that, there was a parking system, right? You could reserve a parking spot; that was pretty cool. There was a web app for that, publicly exposed. We found a vulnerability in that and we managed to bypass authentication for that and just book a parking spot for ourselves. Cool thing. Then we thought to ourselves, okay, you need to add your license plate there, and we don't want to use our private or company ones. We could just print a fake one, right, and slap that onto our car and we are good to go. Thing is, it would be looking super suspicious if you did that right in front of the parking lot. People would see that, right? And then we were concerned, okay, we would need to then do that somewhere and traverse public space, public roads. Are we allowed to do that? So we actually called the police and asked them, hey, can we do that? And they were, hell no. So we didn't. So, no, we don't do that. >> That's a good question. I don't know. Very good question. I was not part of the project. I can't say. >> I hope they had the idea. >> I think there was one more question somewhere here. Yeah, over there.

>> Excuse me. >> Excuse me. >> Regarding the scenario where you did the call number spoofing, you mentioned that it's an official process and, I guess, you have to register with your company. So I wondered whether it's possible to trace this fake call number back to your company and thereby disclose basically your real identity. >> Probably. I don't know, you're shaking no, but I haven't looked into that yet. If they do something like this, it will probably be a quite big investigation. I don't think it's as easy as, like, tracking a domain name, for example. Like, for example, if you register a domain name on AWS, that would be way easier to track, you know, but with phone numbers I don't think it's that easy. It would probably be a bigger investigation, but I think, I don't know if they can. >> Okay, thanks. >> Another question about phone number spoofing. So you recommended, if I get a call from my colleague and he wants something sensitive, I should rather call him back under his number, right? >> Yeah. So that's the weak part of this technique. If you call someone and they don't pick up or they want to verify, they're going to call that person later. And then that person is going to pick up and say, "No, I didn't call you." >> But from my understanding, with Signaling System 7 spoofing, the attacker could also redirect my call and I would come out at your colleague anyway. >> Like call redirect? I think they would have to have some access to either your internal phone network or >> hack some kind of cell phone tower. I think that's a pretty big attack. >> And Veritasium did a report about this. You can just go into some country where regulation, register a signal provider, and with the whole roaming system they can pull off stuff like this. >> Okay, that's really cool. >> Indeed. Yeah. Thing is, those providers work differently and provide different options and different configurations for their networks depending on where they are located. That's one thing, and what they would like to do, right? So there are different European providers, for example, that provide no screening for a caller ID. That's cool. We obviously try to find those and use those. Others don't. Then you can try having a look in other countries, right, if that makes sense for your project and if you're actually legally allowed to use those services, you can do that. But >> so I'm not talking from a red teaming perspective here. From a blue teaming perspective, that it would not protect me against serious attackers or state-sponsored attackers, and like I said, I think it's like €20,000 or so to get a license, so easily affordable for cybercrime. >> Yeah. Then depending on the sensitivity of your organization and your context, it would make sense to fall back to another channel, right? Because the telephone system is quite ancient. >> Okay. Thank you.

>> Thank you so much for sharing your stories. These were really, really interesting. But one thing I want to know is, when you are hired for your role, what kind of training do they put you through? Do you learn how to pick locks? Do you learn how to jump fences? >> I'm just asking. I don't know. >> Some acrobatics training, >> really. >> No. For physical training right now, it's kind of not really, how do I say this? We don't really have a dedicated track right now for physical. They just look at who wants to do this and who can do this. And then there's a limited range of available trainings for that. But it is super limited, and it's mostly focused on the technical aspects. So for example, lockpicking and other means of bypassing physical access controls, there are some trainings, but looking into having more, especially a take on the social engineering side of things, that's a bit more tricky. I hear that there's a broader offer in the US, for example, but I'm not aware of any such thing really in Europe, but >> not up to speed. So >> yeah, there was one that I actually looked into last week that I want to take. But I myself, I haven't done any physical trainings yet, but my manager is now pushing me to do it, because even though I do these assessments as well, it would be nice to have some official knowledge on all these badges and all these locks in case you need them, because we have done it, we have used stuff like that before to get into companies, you know, some little bit of lock picking, some badge cloning, some trickery with door locks and stuff like

Next question.