
The Insider: Physical Social Engineering and On-Site Access

BSides Scotland · 2018 · 29:16 · 367 views · Published 2018-05
About this talk
Neil Lines shares three years of experience gaining physical access to over fifty buildings across financial, banking, retail, engineering, media, and government sectors. The talk explores why threat actors pursue physical access over remote methods, examines real case studies of both successful and failed engagements, and discusses the psychology and stress of on-site social engineering operations.
Original YouTube description
Talk delivered at BSides Glasgow 2018 on the 27th of April. Abstract - This is a presentation based around my experiences of physical onsite social engineering. In 2017 I spoke a lot about remote social engineering, and whilst I’m commonly known for my remote SE engagements, over the last three years I have also gained physical access into over fifty buildings with targets ranging from financial, banking, retail, engineering, media and government. The Insider presentation will look at the concept of a threat actor gaining physical access into an environment. It will include the hows and whys you may attempt to gain physical access rather than remote, and will also include the psychology behind how it feels to attempt to gain access based from personal experiences. The presentation will include sections on failed and successful engagements detailing how physical access was achieved and where the attempt failed.
Transcript [en]

Thank you for joining me. Chapter one: confession. All stories have a start; this is my story. Like most typical eighties kids, my parents split up. I lived with my dad. My dad worked hard, resulting in me being a latchkey kid. I was no different than any typical kid, very average in fact. I hated school and it hated me. Chapter two. Quite regularly as a kid I'd lock myself out with no one home. I could be locked out for hours. I had enough. I got tired and tried to go each guy got up and tried the garage door. It was unlocked. People often leave side doors, delivery areas and garages unlocked. But garages are no warmer than doorsteps. I walked out

and went around to my dad's house. The bathroom window was slightly open. Access is not always easy; be prepared to be or to do uncomfortable situations. I've jumbled that Paula Johnson. The bathroom window was your typical 80s-style, slightly rotten wood, horrid oblong skinny-shaped window. It was also high up. Could you open it and climb in? If a cat can get its head through, it can pull its body through. I don't think this is the same for a human, but I wanted to try. Back to the garage. I grabbed the battered old paint-splattered ladder and carried it round to the window. I placed it up, climbed up and took a close look. Falling doesn't

cross your mind as a kid. The catch was on and fingers couldn't be squeezed in. A screwdriver might fit. Once back from the garage, screwdriver in hand, back up the ladder. The screwdriver slid in nicely; a bit of force and the catch slid up. Beating a problem is a buzz you don't forget. And with that the window opened. I slid my cold, wet body in. In the dark, tired, wet, but not stuck outside. Chapter 2. This is a hard presentation for me to give, a few reasons for this. Fear: I feel that others do physical security probably better than me. There's two experts sitting in this room presently who do this; I won't point out. I don't

use toys; I tailgate with style. Fear: I cannot mention any details or I could be liable. Some of you, most of you, may be thinking, who the hell am I? I'm Neil Lines. I work for a few over the last few years I've presented a lot on remote SE. Remote SE is a really, really easy subject for me to chat about. I absolutely love remote SE, definitely one of my passions. But to date I've never spoke about the fact that I also get out of my seat and travel when required and blag my way into environments. I don't care what you call this; I call it on-site SE. For legal reasons: all works

carried out under signed authorization. Chapter 3. I lost count how many times I've done on-site SE, but I've gained physical access into private banks, media firms, government, industrial factories, medical facilities and lots and lots of private and public sector offices. The start. This may surprise you: I don't particularly a groove on-site SE always. The reason for this: picture Russia, North Korea or China cyber armies. If you think for one minute they would consider on-site opposed to remote, I think you're a little skew. Also Mr. Robot, while entertaining, I personally feel has created a muddled picture of on-site SE, which some IT professionals seem to be inspired by. Example one: Elliot from Mr. Robot created a Wikipedia fake page

insinuating he was an IT rockstar. He then walked into a data center and suggested to the receptionist to look him up. The receptionist is so impressed by his IT status he's given a guided tour by the CEO. I've learned the hard way: if you talk to reception, your chance of getting in just dramatically lowered. I find the best way is to simply not talk. Example two: IT leaders' preconceived ideas. "Can you pretend to deliver pizza?" Yes, I can pretend to deliver pizza, but the question is, where does this scenario go? Let's take a look. So you walk into a reception area with a pizza box. The reception operative will look at you odd. Consider this: how often does

your reception get pizza delivery? Secondly, if they do get deliveries of yummy pizza, will they just let you past so you can take it to the person you're pretending it's for? Most likely result: reception operative looks at you blankly, followed by "no one ordered pizza", followed by an uncomfortable silence. [Music]

Anyone could walk into the reception area and get stuck; you don't need a pizza to help you do that. Chapter five. During reconnaissance periods I've walked into reception areas dressed in scruffy clothing, which I call my weekend winter/summer collection, and asked the reception operative if they have any jobs going. Asking for a job like it's the 80s and the Internet's not a thing gets you a very funny look and a recommendation to check their website. I've had people sort of say to me, "You can go down to the library to use their PCs, and if you don't know how to use it I can help you," while I'm in the reception area. The reason why I like to do this

personally: it gives me a chance to sort of have a look perhaps the reception area, to see whether they've got turnstiles, to see if they've got lifts, see if they need card swipe access onto lift doors, to see how people walk in. I find it really, really useful. There you go: this kind of approach gives you a feel for how you may get in. People tend to see clothes. I've turned up the day later in a suit and just walked in. Obviously Google Maps, especially Street View, for recon can also help. Chapter 6. Originally I used to overthink jobs, and that messed up the first job. Back story: the target was an insurance office. Quick

recon on the target using Google revealed the main entrance. LinkedIn revealed the CEO's name. I spoofed an email from the CEO the day before: big IT project going on, IT contractors will be in, blah blah blah blah blah, costly project so don't hold them up, give them a pass with full access. Email sent very late the night before Mariza flat is so my concept was: if you send it to them, let's say, three or four in the afternoon, there's a good chance they can check it up. If you send it very late at night, it's the first thing they get in the morning. They see this email, think: oh crap, I've got it, I've got

to just, you know, accept this, and instantly I would be there. So my idea was I wouldn't give them time to think about it. I even called: I phoned them up on the way down as I was driving there. Reception picks up. I start talking: I'm the contractor. I mention the CEO's name. Receptionist: "Oh yeah, we're expecting you, you can park out front." Wow, first on-site SE, I rock up and even get parking. But unfortunately this is not how the story ended. I drove up, parked right outside and instantly needed a wee. Even the cocky get nervous. Busting, I jumped out of my car. A mistake: never rush. I walked to the main door

still busting for a wee. I opened the doors. The receptionist was not quite what I pictured from the call. It's too late now; I carried on. I hastily tried to blag my way in: "Hi, I'm expected." He looked up and explained that he worked for security and was filling in for the receptionist while they're on their break. Stumble. I tried to wing it, but the security guard hadn't read the spoofed email, and he replied, "I don't care what you say, you ain't getting into my building." I'd like to tell you there's a happy ending to this opening story, but I won't lie to you: failing feels crap. Chapter 7. A friend of mine told me a story. Long story

cut short: on most of his internal tests he would attempt to just walk in, bypass the reception area and find the client sitting at their desk. I'm it a likely story, so I tried. Chapter 8. The job was close to home. It was a standard internal. I was feeling confident. I wanted to test the just-walk-in theory. I spied from the car park employees using a back door. I walked up slow. I joined others walking up. I slowed a bit. The target employees went ahead of me. The person in front opened the door, they all walked in, and the last person held the door open for me. I just entered an office area, bypassing the reception area. Typical

office: once inside there were very limited security restrictions. I had full access to the building. Chapter 9. Client requirement: access the back office in one of their restaurants. This was a hard target, not because of any particular security measures but because it was simply an unusual target. During the recon time it was possible to find examples of their internal security cards. People will regularly show their cards on things; you see it on LinkedIn all the time. program you shouldn't show the cards, people, and they're like, why? Because this but creates the spoofed internal security card, matching their lanyard and everything. Ready to attack. I walked in early to the restaurant. It was not officially opened but the doors

were unlocked. I spotted an employee; she spotted me. Time to perform. I walked up holding my spoofed ID card up for her to see. I made the card using MS Paint and I printed it on my home printer at home on a piece of A4 paper, cut it out. My kids were laughing at me as I was doing it: "What the hell is that?" And I literally would have a normal card and just as even I just rested it over the top and sort of locked it into the card holder. I've done that many times, gotten into many secure environments, unfortunately, doing that: just literally wave the badge, I open the door, nanine. It's rare people actually ask to hold

the security card, 'cause if they did it would have fallen apart in their hand. "I'm from IT. I'm here to do a network audit. I need to look at the APs and check the office." Those this guy pays and when you walk in somewhere you very quickly spot what you can use, and if you have to, you just use it. And I started touching at the APs, going, "Oh, I can see, and see what your problem is: your network's really slow." Which is like, "I don't know." "Well, they're too close together, you know, it's clear what's wrong, and I reckon they're on random channels." I didn't wait for the reply. I turned around and started touching at

the right please. She walked off and came back with someone who introduced themselves as the manager, then asked me, "What are you doing?" "I'm here from IT to do a network audit. I need to look at the APs and then check out your back office." Looking unsure, they sort of said, "Yeah, go on then, carry on." I've learned sometimes you need to be very quick; people could change their mind fast. I walked into the back office confident, like I'd been many times before, and plugged my laptop in. I don't have time on this talk to talk about what I do following plugging my laptop in, but on previous talks I've given I've said that it can take as little as

30 minutes from plugging a laptop in in a rogue Network from to me getting domain admin, and I find that on pretty much 98% of the tests I've done I've got domain admin in about that amount of time. Chapter 10. The client requirement: see if you can access the on-site offices. This had limited recon time. Sometimes you'll find the clients won't see the value in recon and they'll just go, "Nah, wing it," and you try to encourage that a reconnaissance period is really, really required, it's really, really important, but sometimes people just won't listen, so you just have to go for it. This was one of those. When I say limited time, I pretty much

had an on. Google Street View showed the target area was massive. You could see a main gate used to enter the area. There was nothing really of help from looking at Google Maps. You get that a lot; it's 50/50, I find, whether it's actually helpful. I turned up early and parked down a side road. There's no shops, bars or buildings right in front of the main entrance; you can commonly use such opportunities to try and get a better view of a target. The closest building to the target was a petrol station. The petrol station employee was useful when quizzed about the target firm: he replied that the target employees often come in at lunchtime to grab coffees. It was far too

early. I couldn't hang around there for like three or four hours; it would just look odd. So I moved on. The lorry depot was massive, too large to walk around. Thinking I had little to lose, I just felt, stuff it, I'm going to start to walk up and try and get a look at the actual entrance to see if there's anywhere I can walk in. The plan was simple. After 15 minutes of walking I finally came up to the entrance. As I approached I could make out high turnstiles for employees to walk in. As I walked past I could see there's two security operatives sitting in a car glass kind of mini sort of tower box thing, and they were watching

the trucks coming in and they were watching the people using the turnstiles. Trucks could drive up but they were stopped by a barrier, and security got out and they checked the trucks. I carried on walking, and walking, and some more walking. Finally I reached the end of the target's property. From my walk I had no idea how to get in. Then I'd seen the sign. It would be rude not to take a stroll along, right? The path was muddy, no good when you're in office clothing. When you have no idea of what the inside environment might sort of wear, you kind of have to just think they're probably wearing smart clothes. So fortunately this moment you need to picture the fact I'm walking

down a really muddy path wearing a suit. What was good: the path followed the lorry depot's perimeter fence, and the fence was getting noticeably the deeper I walked down the path. I [Music] ignored the sign and jumped the fence. Best way to describe the other side of the fence: muddy, wet, steep hill climb, full of trees. That's what it was like. After nearly 30 minutes of slips and slides I made it to the top. As a teen I read very few books. 99 percent of the books I read had no impact on me. Of the one percent that did have impact on me, I'd like to quote from this book now: and I'm standing on the edge of some crazy cliff.

What I have to do. Now, looking back at it, it was a bad idea walking up a big hill next to a lorry depot, and as I looked over the edge of a cliff into the lorry depot I did feel, stuff this, I don't want to die. Now I was running out of time, but I generally pretty much refuse to give up when I'm on a job, and so if I can I'll go right the way to the very end. I've sometimes finally got access to something within five minutes, ten minutes of the allotted time ending. It's just 'cause I don't like to lose. So I went back the way I came, down the

hill and walked back round, and by luck (always take a lucky chance if it shows itself) a lorry had pulled up at the main entrance and was presently being inspected by security. I slowed, noticing the security were just about finishing and starting to walk off. I walked up quick behind the lorry. I tailgate people all the time, but tailgating a lorry was a first. The security gate went up, the lorry pulled forward, and I walked alongside it and in. Once past security I was able to walk around the outside office areas. I got access into a Portakabin to start with, but there was nothing inside it, so I walked back out and up to

what looked like a back door leading from the employees' car park. What was amusing was the glass sort of security environment, kind of like a viewing gallery: they could see around French 65°, so they were sat there the whole time watching barriers come again, and I'm just walking backwards and forwards across this car park going to Portakabins and other little rooms leading from the employee car park. I waited outside a door. It didn't take long until I could hear someone coming from the inside. I'll often, like, toilet areas outside lifts and stuff, I literally just stand right behind the toilet door. It's pretty creepy if you think about it. I'll stick my ear to it really close. I'm a bit deaf, so

I have to get it right in, and if I hear someone coming I'll just open the door for tenifer Springs although and hopefully, I've had this many times, where I'll open the toilet door and that door which has got a card swipe in the reception area is just starting to close and they're coming through, so I just walk past, "All right," straight for that door. I mean, anyway, on this job it didn't take long for someone to come, and that bypasses the swipe card security door. I just nodded and walked in. A few seconds later I was inside and I started asking employees if they'd had any IT problems. I tend to do that a lot: once I'm inside I'll suddenly become

like alive. I start talking to people. I quite like it. I've fixed many a printer while doing on-site SE, per se SE. No joke, that's true. Right, chapter 11. I get it a lot, and I shouldn't say it bothers me but it kind of does, boffin being away because the people who say. OK, I hear people arguing about what is on-site SE a lot, and I've been told that what I do is physical security by one person. I never said he'd say see. What's amusing is the people who have generally argued and dragged me into an argument I had no interest in getting involved with are a lot of webapp testers, so I think, you've never got off your chair in your life, so

it's like, you can call it what you like. But here you go, this is my reply: I don't really care what you call it, but I'll say this. Yes, I tend to preference sneaking in, so I'm a bit creepy, and I'd rather not speak to people, which obviously doesn't require social engineering. But some of my SE engagements have lasted a week on site. You'll get a lot of clients who will say... some of the jobs I've had are SE jobs tacked onto internal testing, so it's like, "Oh, you've got in on the first day, congratulations, well done, have a security card now so you don't have to keep doing that?" "No, no, no, no, you could do it for a week." So literally

every other door every day: get off the train, walk up to their office and blag my way back in again. You can't spend a week sneaking around an office not talking to people, and that's social engineering. Chapter 12. I've learned over the years I like to access roofs. I understand this will seem odd, but hang in there. It was a really hard SE: gain access to a number of buildings in a short time. Commonly clients will ask you to gain access into more than one building, and I personally think this is quite a hard thing to do. You know, you're very polite in a kickoff call or pre-sales call and you say, yeah, we can do anything you

require, that's what we're here to do, we're here to help you. But I always try and sort of advise what I'm basically about to say now: generally most networks are not, you know, segmented, I hate to say, internally. Once you get access to one internal environment, in most environments you've got access to all of the networks or all of the boundaries, they go all the network, you've access to everything. So anyway, that's my reason why I don't personally see the requirement to get into this and this building, especially not to have, day one, to get into that building; day three, to get into that building; and they're all really high secure. I just think it's like you're kind of creating a fail, and I

don't personally see your point. Anyway, back to roofs. I was on my way back from a recon day. I was sitting on a train looking at Google Maps, making sure I didn't miss anything. It was a boiling hot day and the aircon didn't work in the train. This is when it hit me: the target was a typical city terraced office, so the roof area on Google Maps just looked like one long line. There's no separation between each roof. I have spotted some people do put separation in between, the book cages over their environment on top of the roof; that's smart. So that's just a random picture I pulled off, because obviously I can't show anything

legitimate, but if you look at the building towards the top there, it's a long line. Well, that could be a multi-tenancy building with as many as 20 different clients inside. So while the target building that I was going for had turnstiles, 24/7 presence, the whole nine yards, you can bet they would hope there would be a way to the roof. Now I'm not going to suggest I may have found a route to the roof or another building, because legally that would be gray. What I will say is people smoke, and in some city areas I found examples of people smoking on the roof, and fire exit doors to roof areas often get forgotten about. So let's just say if you found

yourself on a roof, you may find a fire exit that's been left open, giving you a very easy way in. Chapter 13. The target business was a financial business, and the client requirement: can you see if you can access our on-site office? This was a really easy site. I arrived at 8 a.m. The target office had an on-site call center presence, so there's lots and lots and lots of employees going in all the time, coming in and out, in and out, in and out. A number of employees were walking in and I tailgated in after them. There was no reception operative till past 8:45, so I literally did a little tap dance past and took loads of

pictures. When you do on-site work we have to photograph it to prove that we've done it, so not only are we creeping around, we're also taking sneaky pictures, and that's what I did there: walked past taking the pictures. I used to hide once inside an office. Now I tend to try and be as visible as possible; I think it probably looks less suspicious. I found that if you go to a meeting room or a CEO's office, as I've done, you find out pretty quickly people go, "What are you doing in there?" or "Have you booked this room?" (that's a good one) or "Can you move now, my time is, you know, it's my time now, I've booked this room." So he

thinks, forget it, I might as well just sit in the open and see what happens. So on this occasion I sat at what appeared to be a hot desk right in the middle of the call center. I plugged my laptop in and shortly after I was DA. DA is domain admin, by the way; sorry, I should have explained earlier. On a Microsoft domain, on a single domain, it's regarded as one of the largest amount of rights that you can get from a domain account. It generally should only go to... you shouldn't really use it, to be honest, but it should only be used by the administrator when required, when the absolute something hits the fan. That's

when you should use it. Domain admin accounts: I generally find that in the majority of places I go to, pretty much every IT admin or even helpdesk member belongs to the domain administrative group, which is wrong, though I won't go on in this talk. Anyway, I noticed that my phone lit up. It was a text message. I picked it up and started to read it. That was when I heard heels, that clicking sound, and it was getting louder, louder, louder, and then it stopped. They were right behind me. I turned around. "What are you doing?" She was stood right next to me. "Me?" I replied. She didn't look amused. "Why are you using your phone?" Because I'm an adult, I received a text message and I

wanted to read it, I thought as I smiled, but said, "I'm in IT, sorting out a problem, had to look something up." I smiled; she didn't smile back. "You should know better than anyone: no phones in the call center." Call center, no phones. I didn't reply pointing out the irony of the statement. Getting on site early can occasionally result in an easy way in. Chapter 14. I've been asked this quite a lot of times, and honestly, when an on-site SE is coming up I panic a bit. I'm quite a nervous person. People say it must be fun; I get it all the time: "I want to do the SE job, that's wicked, that's something I definitely wanna do."

And of all the jobs I've done, probably only two or three of them I really enjoyed. But stress, the stress involved in these engagements, people don't think about. We basically are under a lot of pressure to succeed. It's a hard one, and if you don't get so-and-so access, if you don't do this, if you don't do that, then people are like, "Well, maybe you're not very good, or maybe you're doing it wrong, or maybe..." So we always feel like great pressure to succeed. It's something that maybe people in industry haven't spoken about, but I personally feel under a lot of pressure. You also walk into an environment you have absolutely zero knowledge of. You could be questioned at

any time. You literally walk through those doors, you don't know where you're going. It's hard. You can sometimes get floor plans; posh offices, especially in the London area, will often put their floor plans online for you to see, so you've got a good idea, but things could still change. Offices do change; people put temporary walls up and stuff regularly, things get moved around. And I keep going off track and thinking of a million stories I can tell you, then I remember I could be sued, so I can't. You can be set up: this is a good one. I often find that once I get access in and I get access to employees' email accounts, I find that I can go back through

like a week before or a month before emails and I'll see, month after month, warnings that a security test is coming up and someone will be attempting to test people. I see this all the time. I personally think it's important to educate people; I'm not so sure it's the right time to do it a week or two before a test, personally. OK, personally, when I walk through a door during an SE engagement my mind blanks. Probably shouldn't tell you. - pocket area moves at a million miles a minute and I'm clocking every single thing going but it doesn't, it just goes completely blank, and I just focus on staircases, lifts or the person I'm tailgating. Chapter 15. Recon

time is very, very, very important. Be a little careful of people who give you advice on the target. They can honestly be trying to help: people who might have done jobs before at a site that you're going to, they'll try and help you. I had this one time: "Have you ever been to the office before? What floor is he on?" "Yeah," he replied, "yeah, been there loads of times, absolutely loads of times. I guarantee it's on the fifth floor. Easy job: you're walking straight in, the lift bank, you're being no plans at all, fifth floor, can't go wrong." I walked through the reception area. It was a multi-tenant Akama near. Reception areas are generally soft targets in multi-tenanted buildings

where you've got many different vendors in a building. The receptionists, they don't care; they're there for guests. If you have any kind of confidence Ettore I've not been stopped by one and the jobs often. I tailgated into the lift and got off at the fifth floor. As I said before, your mind goes blank and you just react. The client wasn't on the fifth floor; they were on the sixth. Authorization will only cover your target, potentially not all floors of a multi-tenancy building. Chapter 16. Target: a global business headquarters. Recon showed they had turnstiles in the reception area. On Google Maps I could see it: zoom right in, they've got turnstiles. Could do it for

all the buildings. The back door also had turnstiles; I discovered that while on site, actually having a look on a recon. I hate turnstiles personally. I'll find him no the recommendation is put turnstiles in. Actually they poked me, and I've been told by my colleague, "Just put your hand there and they'll open Harley, due to health and safety: if they think it's trapping a person noticed open." I've always tried to decide almost died through him and stuff and get hit and look like an idiot, and I hate to install. I've jumped over them on jobs, waiting training software and so I land down quietly we've got like that work for me. Right, a friend told me how he bypassed

turnstiles. I liked the idea, so I tried it. I waited for lunchtime, walked in off the street, walked up to the turnstiles, turned and looked at the security operative and said, "Crap, I left my purse on my desk and it's out at lunch. You let me in?" People started forming a queue behind me. The security guard didn't look sure. Apply pressure: "Come on, let me in, will ya? Got a meeting in a few minutes." The turnstiles opened. I walked in. Right, that is 434 sliced only 29 minutes, I apologize. Insider part 2 users will be presented at BSides London on June 6 2018. I'm myexploit2600 on Twitter. Are there

any questions?