
...remember of my talk. So, Jeff Roth, thank you. All right, so I'm J Hirers, and I'm talking to you about physical security penetration testing today. Let's go ahead and get the disclaimer out of the way: there is stuff in this talk that could be used for illegal stuff. Don't be that guy, don't get in trouble. This is all for public education and helping you do your job, so don't screw it up.

I say don't screw it up and I'm immediately screwing it up. Let's not do that. Okay, so a little bit about me. I'm an information security analyst. I'm founder of Jax Locksport and BSides Jax (that'll be later this year). I coordinate TOOOL Jax, which is the community version of locksport: monthly meetings and everything in Jacksonville. I also do Jax 2600 and DC904. I'm the president of the Linux Users Group, and general teacher of Linux, lockpicking and hacking. Anything you want to know that might be in my area of expertise, feel free to ask me. I'm a pretty cool guy. Yeah, I'm having slide difficulty, so that's cool. Do you need some... presentation anxiety? Yeah, my laptop has presentation anxiety.

So, what we're talking about today: physical security can definitely be a great, valuable thing to have on a penetration test. What I'm going to be talking about is mostly exploitation. I'm going to cover the penetration testing methodology from a physical security perspective. We're going to talk about the methodology, we're going to do some lock identification, tools required, and various attacks. Come on... I think I can, I think I can, I think I can. All right, so let's cover a few terms before we get started here.

Locksport is the hobbyist practice of picking locks or defeating physical security measures. It can be for fun or competition; there's lots of competition at these types of conferences. Physical security is any kind of physical measure that would prevent access to your home or company assets, really anything with a lock that's going to stop bad guys from getting it. A penetration test is finding weaknesses in an organization's security plan. There's usually a deliverable report of everything you found and remediation recommendations. There are lots of different types of penetration tests; we're only covering everything from an on-site physical security perspective. A red team is the team that would conduct the penetration test. Usually you'll have some guys off-site and some guys on-site. I'm told that a decent sized red team is about five members, and don't go too much over that.

Okay, so let's talk about the methodology. We're knocking down the normal methodology to about five phases: pre-engagement interactions, the reconnaissance phase, the vulnerability analysis phase, exploitation and post-exploitation. We're going to cover each one of those in depth.

So let's start with phase one. This is really important because you want to define with your clients the scope, things that are off limits, the trophies that you're going to be finding, and any time constraints. A little bit more about trophies: sometimes they might ask you to take something off the premises, but you usually want to avoid that. Try to take pictures as evidence instead of removing it from the site, because if you have to leave in a hurry, then you look like you're stealing stuff, and nobody wants that legal trouble.

All right, reconnaissance. This is usually the most important part of the penetration test. You're going to be doing information gathering, anything you can gather to help you with the penetration test. There is passive and active penetration testing; let's cover those. Passive is anything that's virtually undetectable. You can check out a site from Google Maps, you can look at their website for any building photos, photos on social media, promotional videos. Virtual tours are probably less of a thing now, but it was a thing at one point in time, so check for those, because that could give you like a whole walkthrough of their building and give you tons of stuff. Active reconnaissance: actually go to their site, pretend to be a visitor, take a tour. This is where you can really get creative, even some of the things that you might want to do later on in your exploitation phase: pretend to be a delivery guy, pretend you're visiting someone. If you actually know someone that's there, that's even better; you're actually a visitor right now. The information you gather from the reconnaissance phase you're going to use in phase three.

Vulnerability analysis: you're going to detect any weaknesses and potential roadblocks. You want to figure out what your targets are. We usually do this in potential difficulty versus potential value; I'll show you that in a moment. Look for your obstacles: high security locks, guard stations, anything you might want to avoid, anything that might need special preparation before you go do the exploitation phase. Part of the vulnerability analysis is to actually plan your exploitation phase. Again, the same things I just mentioned: use what you found to your advantage. So you can have plans, have backup plans, have backup plans for your backup plans. Okay, so this is a table I like to
use for potential difficulty versus potential value. Something that's low difficulty, low value: maybe you want to target it, maybe not. Something that's high difficulty, low value: you probably don't even want to screw with it. Something that's high value and low difficulty: yes, definitely go do that. And then high difficulty, high value: you kind of got to figure out, again like with the low/low, do you really want to go after that? Do you have the time? Things like that.

So a couple basic things you might want to target (let's not skip slides). Desk drawers: you can find some really cool stuff in desk drawers. Usually people will put usernames, maybe passwords. If not, you could at least find their name; add that to your network penetration testing side, add that to your dictionary files. People's artwork on their cubicles: you can totally use people's kids' names as part of your dictionary file, things like that. Filing cabinets: same type of thing. You can find other PII, maybe personnel documentation, things like that. These are both really trivial to get into most of the time; they might not have anything super valuable, but they're worth checking out. Storage rooms: this is where we get into some cool stuff. You might find storage media, that could be backup tapes, hard drives, spare laptops, anything like that. This could be a little harder to get into, but with a lot more payoff. Server room: same kind of thing. If you can touch a server, you're much more likely to actually break into it, but that's again part of your network penetration test, so you'll be the gateway to get your guys into that room. Vaults: we're actually covering safe cracking in this presentation. There can be a lot of cool stuff in a vault: company secrets, money, women, drugs, who knows. It is quite difficult, it takes a lot of time to learn, but it can have a really high payoff.

So, some obstacles you want to look for: guard stations, fences. Figure out if you're going to try to get over fences or find ways around, find ways around guard stations; this is where social engineering could come into play. Higher security locks: we're going to start identifying some of those in a little bit. Security cameras: if you can cover those, if you're allowed to cover those as part of your engagement, things like that.

Knowing what kind of locks you're going to encounter is really important. You've got pin tumbler and wafer tumbler locks; they've got various attacks we'll get into later. Multiple dial combination locks: you might see these for backup tape transportation. Single dial combination locks, like your vaults and safes. Electronic locks: they could be PIN pad, they could be biometric, and RFID locks. I'm sure most of you have RFID tags on you right now, whether you realize it or not.

All right, so let's go through some of them. Pin tumbler lock: I'm just showing the cores of most of these because that's what I had lying around for photos. This is the same kind of core that goes inside a deadbolt or a doorknob. Tubular locks: you'll usually see these on vending machines. They probably won't come up on a penetration test, but I wanted to show you what one looks like anyway. Wafer tumbler lock is what you're going to see on filing cabinets; notice in the front they've got these wafers instead of pins. Warded lock: again, you probably won't come across this on a penetration test, but it's good to know what it looks like. You can't pick this like a normal lock, but we'll get into the attack for that later. Same with a lever lock: you're probably never going to see one of these, nobody really uses them anymore, but it's good to know what it looks like.

All right, so, multiple dial combination lock. Like I said, you might see this on backup tape transportation, you might see this on briefcases. It's literally just like it sounds: it has multiple dials and there's a combination entered here. A single dial combination lock, your standard safe lock. This is a LaGard 3330; I can give more details about that later if anybody's interested in trying these out. This is just one example of an electronic lock I had lying around. Use your imagination with this; there's a lot of different types, this is just one. This accepts anywhere between four and eight digit combinations, but there's lots of variations on this.

Okay, so higher security locks. We're going to be talking about your Medeco, your Schlage Primus, some things like that. They can have a different type of pin tumbler lock; some of them have finger pins, like a whole separate bitting on the bottom of the key, or angled pins that rotate the key pins to allow a sidebar to enter them. Disc detainer locks are quite a bit harder. You see these a lot on bike locks; they're pretty common in the UK now. You might not encounter one of these on a penetration test, but it's good to know what it looks like. Group 1 combination locks, we'll talk about that a little bit more later. Group 1 and Group 2 manipulation-proof have no real way to manipulate them, but we'll get to that when we get to the safe cracking section. And there's other exotic shaped
locks that I don't have any images of, but I'd be happy to show you at the end.

So, Medeco. I don't know if you can see this, but the bittings are angled. It's not just a cut, it's a cut and an angle, which rotates the key pins. This is what the front of one of those looks like. Typically the more complex the keyway, the more complex a lock it is; they really want you to not be able to fit tools in there, at least not very easily. Here's another example; this is a larger one that you might see on a standard door. And this one is for a military munitions crate; it's the same kind of core and a really heavy duty housing. Schlage Primus has got some popularity over the years. They do have some weaknesses on their own. Notice the whole second bitting there for the finger pins. A disc detainer key: now, this is a very complicated lock. This particular one is one of the most difficult on the market, but I just wanted you to see what the key looks like. The cuts are angled instead of bitting like on a standard key; it's a dead giveaway that it's not a standard pin tumbler lock. This is what one of those looks like. The key I showed you is not the same one for this lock, but it's the same principle: they have discs inside that rotate instead of pins that set.

So let's talk about exploitation. There's lots of ways to do this. We're going to be talking about infiltration and exfiltration. Infiltration is everything that gets you past the mechanisms you need to get past; exfiltration is getting your trophies off of the premises.

Social engineering: I'm not going to go too far into this, because there are lots of other talks that go really far into this, and a lot of people have done a lot of cool things with it. But fake badges, fake uniforms, pretend to be a delivery or vendor, a visitor. Standing outside, like in a smoking area, say you're a new employee and you lost your badge or you left it at your desk; that's usually a really good way to get you into a door. But the biggest key here is to be confident. Pretend like you're actually supposed to be where you're trying to go. That's pretty much all I'm going to cover on social engineering. Now we're going to get into the rest of the attacks.

So bypass is a huge, huge thing. A lot of doors can be bypassed without even picking or safe cracking or anything at all, and we're going to go through all of these. One cool thing I like to mention is removing the door from the hinges. Let me see if I can freaking mark on this... I hate this setup... yeah, like that. Okay, so sometimes if the hinges are on the wrong side, you can just pop the pin out and remove the door from the entire frame. There's a lot of other cool things you can do like that, but that's just one example of not needing any special tools other than knowing that this door is installed wrong; pop it out and you're in.

Loiding: there's a tool, the most common one is called the Shove-It tool, or Lucky Number Seven if anybody's familiar with that. It's like the credit card trick: you're basically just trying to depress that latch, either from the inside or outside, to open that door without picking or anything like that. It's not usable on deadbolts, because it's a deadbolt; you can't physically move it manually, it's not spring loaded. There can be some forensic evidence on this attack, mostly in the form of scratching away paint or maybe even a little bit of scratches on metal surfaces. This is what that tool looks like. The round end is just for pushing it in on doors that open towards you; the other devices are to open it the other way, so you can just hook that into the latch, jiggle it a little bit and pull it open, and the door will come open with it.

The under-the-door tool is a really cool one, especially if you're in a hotel. These are easy to make; they hardly leave any forensic evidence, maybe a little bit of scarring on the bottom of the door if it's a wood door. That's what this thing is, if anyone's seen me walking around with this today. It's made to just go under the door. You prop it up, pull it up against the door and hook it onto the latch, and then you pull the string to pull the handlebar down. It's for a specific type of handlebar, the 90° angle bars; it's usually used for fire code, least resistance to get out. Same with the next one, the push-to-exit tool. There are two types of push-to-exit bars. One is a physical push it to open the door, and the other one's like a capacitive touch: touching it will release the latch and allow you to open it. The tool does both, as long as it's... what's the word... copper... as long as it is conductive. This is kind of what that tool looks like. There's a lot of variations; again, this is made from a simple metal rod that you can get from any hardware store, and it's really easy to implement. It would be particularly useful on doors like in the back of the room
here. So there are lots of other types of bypass tools made for pin tumbler locks. You don't necessarily have to manipulate the pins to open a lock. Sometimes you can insert a tool like one of these to either engage the actual tailpiece in the back of the lock on a door, or to open an American Lock padlock, or lots of other situations. A knife tool is a very similar bypass tool for padlocks. I haven't had much luck with these, but there are all kinds of YouTube videos of people opening locks with one of these knife tools. It's very simple to use with a little bit of practice.

Here's one thing that I love covering: drop ceilings and raised floors, where the wall partition doesn't go to the true ceiling or true floor. If you can identify where the server room is and get into an adjacent room, you can grab a ladder or stand on a table and get over those partitions, or under, with relative ease. Small guys like LS here would be perfect for that.

Of course there's lock picking. Let's cover a little bit about lock picking. There's lots of ways to do it. It doesn't have very much forensic evidence, but it is obvious if you were to take apart that lock and inspect the pins. This is your standard lock; this is what we're using in the Lockpick Village. This is the core that would be inside a deadbolt or another door knob. Cut away, it looks a little bit like this: you've got springs on the very top, you've got driver pins and key pins. When those align between the core and the housing, the lock will open. Switching graphics here, but this is what that looks like with the proper key inserted; notice everything is lined up. Let's see if I can use this pen thing... no... good enough, close. Here's a key with one bitting too high; notice that the key pin is stuck on the shear line in between those two parts of the lock. This will not open. Same thing with one bitting too low: the driver pin is wedged in the shear line, and that will not open.

Single pin picking: when you apply rotational force to the core, one pin at a time will bind. This is due to mechanical imperfections, and I can go into this more in the Lockpick Village after the talk. You're going to set these one at a time. It takes some practice and feel to figure out what's setting. When you set it, the rotational force will keep the driver pin in the housing and it will not reset. When this happens, another pin will bind, and you move on until you've bound and set all of the pins. When this happens, the lock is open. You can pick the wrong way, and there are tools called plug spinners to flip it the other way around, or you'll have to re-pick it. Raking is another common technique. It's designed to be very fast and less precise. Usually people have very good... what am I talking about... people usually have pretty good luck with this. It's a little less precise. One might start with a rake and then move to single pin picking if the rake doesn't work.

There are security pins that provide pick resistance in locks. This is what a couple of them look like. On the top here we've got driver pins and on the bottom we've got key pins. These are spool pins (yes, I'm just going to quit doing that), a mushroom pin next to it, a serrated pin next to it, and then on the far right is a spool serrated; a lot of people call this a spoolrated pin. And then on the bottom on the right you see a serrated key pin. So if you were to overset a pin, this will prevent it from getting back to its normal position without starting over. One thing I want to mention: I have no idea where this photo comes from, but I love it. I lose my video... I got it from the patent office, I got it from patent searches. Oh really? It's on the Tampa Lock board apparently. Patent searches, searches, searches.

A tubular lock is just a pin tumbler lock. There's nothing different about it except instead of the pins being in a row, they are in a circle. You can still set this with normal tools. The tensioner is a little harder to create or find, but it's just a standard lock. There are lots of specialty picks, specialty tools for wafer locks, warded locks, tubular locks, etc. The wafer lock picks are generally considered jigglers. They're very easy to use, hardly any practice needed to get one of these to work. These are for your filing cabinets, your desk drawers, and even automotive, but those are a little more difficult. Warded lock picks look like this. Usually on a warded lock you have wards preventing you from getting to the actual lever, and the idea with this is to find the lever and depress it. Again, you won't find this too much on a penetration test, so I don't go too much into detail, but I want you to know what it looks like. This is a tubular lock pick. This is a very fast tool for opening tubular locks. It basically has two steps to actually implement this: depress all of the finger pins, and jam it into the lock and rotate back and forth. That's pretty much it; it's a very simple tool to use.

If you get very good at lockpicking and want to attempt a disc detainer lock, a tool like this is what you'll be looking for. There are many variations to work with many different types of locks. It does take a lot of training and practice. The tools aren't very expensive; you can probably find them for 30 to 50 bucks on DealExtreme. I mentioned exotic shaped keyways earlier. This tool is actually four half-diamond picks kind of put together. This middle shoulder is used to apply tension, and basically you're going to rake the hell out of it with the other end. But this is one example of a custom shaped lockpick that you
probably wouldn't ever encounter, but they are out there.

Pick guns are pretty popular. It's the same idea as bump keys. These can make really quick work of a lock. It has a blade that snaps: you pull the trigger, the blade snaps, the energy from the blade is exerted onto the key pins, and that's transferred to the driver pins. I've got a GIF I can show you at the end of the presentation to show how that works. It just creates a brief gap in between the key pins and driver pins, where the shear line is, allowing it to be opened. Very easy to learn. These can get expensive depending on where you buy them; probably, I'd say, around the $50 to $80 range. And these do leave some forensic evidence on the pins from the snapping motion. This is what that gun looks like. It also has a tensioner; it's not a magic tool that just opens locks, you do still have to put tension on it to actually rotate the core. Bump keys is the same idea. These are very easily available. You can use virtually anything as a bump hammer; there are lots of bump hammers that are created, from a piece of plastic stick with a block of wood on the end to more professional looking ones. It's easy to learn. Once you get keys you can duplicate them, so it's easy to reproduce, but it does leave heavy forensic evidence, because you're typically jamming a piece of metal into a lock and hitting it with a hammer, so you can imagine how that would affect the lock. This is a standard set of bump keys. You can probably identify some of the keyways I've got on here: Kwikset, Schlage, Master Lock and Yale locks. This is the same set of keys with a Storm Lockpicks bump hammer. It's really easy to learn. I might have one in the Lockpick Village if anyone wants to give that a try.

Decoding is a really cool thing. We mentioned the multiple dial combination locks earlier, where you might store backup tapes or hard drives or documents in a briefcase. There's a really simple decoder tool. It looks exactly like the knife tool but much thinner. There's lots of things you can do as a makeshift tool; I'll show you one in just a minute. If the lock is vulnerable to this attack, it's very quick to do, and little to no forensic evidence will be left behind. So just like I said, it looks identical to the knife tool, but it's about 1... the thickness. Right here I'm picking a lock that I actually have over in the Lockpick Village. I'm using part of an inkwell pen that I just broke off for this purpose, but it worked very well. I let my brother have a shot at this and he probably got it open within a minute, so it's a really, really easy attack.

All right, so here's kind of like the gold mine of the presentation. We're going to talk about safe cracking. The main senses used are touch and sight. Sound is not involved, as you may be led to believe from the movies and TV shows. That's because the wheels that you would be listening for are typically behind about 4 to 8 inches of steel plates, so sound is not involved at all. You need to be able to visualize the internal components; that's really, really important so you can figure out what's going on. It is time consuming, it takes a lot of time to learn. No tools required, it's just your hands and graph paper, and this will leave no forensic evidence. I've got a couple locks I practice with: I've got a LaGard 3330 and an S&G 6730. These are great locks; you can get them on eBay for about 40 bucks if you want to practice. This is what the back looks like; note the little notch for the change key. You probably won't be changing it on a penetration test, but it's good to know how it works. This is what it looks like on the inside. We've got the lever here and nose, we've got the drive cam and spindle, and then three of these wheels.

So I didn't have any good way to show what the side of one of these looks like, so I just did up a quick drawing, snapped a picture and threw it in here. But essentially you've got the three wheels with their corresponding gates; on the back is the cam wheel. This is the lever and nose; normally it rests on the cam wheel until you get to the indentation. I'll show you that more in depth in a minute. The big part of how this works is you've got a fence attached to the lever. This fence doesn't rest on the wheels except for when the nose is depressed into the drive cam. But these wheels are never the same size; it's virtually impossible to make perfectly sized wheels, so this will always exist in some form or another. Not so much on the manipulation-proof, because they add additional hardware preventing the nose from entering the drive cam unless the correct combination is set. So those you won't be able to attack, but you should be able to figure it out pretty quickly from the outside if it's a Group 1 or Group 2 lock. If anybody's interested in giving this a shot and practicing, there is a mod you can do on the actual lever: you just bend the fence up a little bit so that it would only ever be touching one wheel at a time. This makes it a lot easier to get readings, and we'll cover the manipulation graph in just a moment and how to do readings.

So you'll start the same way you would opening a lock: you'll rotate all wheels to the left, just like a regular lock. You won't be able to see the back side, but I wanted to show you what this looks like. It does have a left and right contact point, and these are very easy to feel just by rotating the dial. On the dial that's about 14 1/2. You'll want to measure these to about a quarter to
an eighth of an actual notch on the dial. We're going to grab the right contact point; here it's 8.125 approximately. Now what you're going to do is put these on a graph. As I said, you're going to measure 1/4 to 1/8; the precision really depends on the lock, on how granular you need to be with this. You don't have to dial every number on the dial; there is some tolerance, so every other number, every even number, is usually a pretty good rule of thumb. You can draw lines on the dial to make this easier, you can put a piece of tape with extra lines. There are even some outlines that you can print out on sticky paper and stick on the dial to help with this. This is what a completed graph looks like. You can see I'm not quite doing every other one; I'm doing every two and a half numbers on the dial. But essentially, wherever you find the biggest variation is probably a legitimate number on one of the wheels. You can then take this data and try each wheel one at a time to figure out which wheel is actually being set. So, I don't know if you can see it right here, some of the wheels are already set; I think two of the wheels are set here. Let me see if I can clear that now... sorry, all... okay. So I've got the previous marking in red, the new reading in green. This is what that looks like on the dial: the previous one was 14 1/2, now we're at 14 1/4. The left contact point typically gives a lot more variance in the readings than the right contact point. Here's the same thing for the right; this one's only changed by an eighth. It was at 8 1/8 and now it's at 8 1/4. So you go through this with all three wheels; you're going to graph it essentially three times, and that will give you all three numbers of the combination. So write that down and you can open this lock as many times as you want. When everything's set, that nose depresses all the way into the drive cam, and you just rotate the lock to the right to retract the bolt. Now I know that was a very quick demonstration of how safe cracking works. Matt Blaze has a great paper out there, Safecracking for the Computer Scientist; anyone wanting to get more into this, I highly recommend it.

So that's pretty much all of the exploitation, like actual attacks, I had, but there are some other things that your network guys might want to do while you're there: install LANs, connect the drop box, maybe 3G wireless that gives you access from the outside, reverse tunnels, things like that.

So let's talk about post-exploitation. We've got key decoding and duplication; RFID tag duplication is another one. There's not really a lot you can do for covering your tracks like you would typically do, other than if you unlock a door, make sure you lock it back on your way out. Key decoding is really simple if you can get a hold of one of the proper keys. There's a key gauge you can use to decode that lock for that manufacturer. You can use the code to go to a locksmith, or if you have a key cutting machine you can just cut a new key. I've seen sometimes people have a van off-site; you just text in the code, or radio, however you're doing your communications, cut a key, go out, grab it, and then you can come back in whenever you want without having to pick or attack again. This is the key gauge. This one has five different lock manufacturers; they all use different sizes for cuts. You could use a caliper, measure them out that way and do it like that, but this is a really easy way to figure out what you're going up against and decode those keys. Key duplication: there's lots of ways to do this. One of the coolest ways is a clamshell. It uses a plasticine mold and low temperature lead to create a duplicate. It's basically a putty that you stick a key into; remove the clamshell, remove the key, and then pour lead into it to actually forge a duplicate key. It's not good for many uses because it's a soft metal, but you can take that to a locksmith and duplicate it. Or if you can only get a photo of the key, you can send it to an online key duplication service; they've got pretty advanced algorithms to figure out those cut codes, and there are some services where for $5 or $10 shipped you can get a key duplicated.

So after you're done with your penetration test, you're going to have some deliverables. You'll want to show any findings and documentation: areas you exploited, how you exploited it, what can be done to fix those things. Of course any trophies that you had established, whether it's getting into the server room or taking a picture of something in the vault, you'll want to give those photos. Again, I recommend against taking anything physically off the property, but pictures are a great way to prove that you were where you said you were. And that's all I've got. Any
questions?

So for kind of practicing you could bend up the fence, so the fence you rotate on one wheel at a time... going over part of that, and, you know, if you were doing one for real, you're just changing to the next wheel when you turn directions, is that how that works?

Yep. So if you do the mod on the fence to actually make it a practice lock, you would be doing them in wheel order; you'd be doing them 1, 2, 3. Typically that won't be the way it happens in the real world. So the difference is, in actual safe cracking, when you're trying to do it, you don't know which wheel you're going to be on; you have to figure that out after you graph it. With the mod, you know you're always going in a specific order, but to make sure that you prepare yourself for a real lock, you'll want to go back and verify that those are the wheels that you think you got the combination for, just to, you know, do it the right way and make sure you're going to do it right when you encounter a real lock. Does that answer your question? Okay, anything else? If anybody... oh, I've got two over here.

So digital combination locks are a lot more foolproof. I would say that in most cases you don't want to screw around with those. They do have auditing features, so you can tell when something's been tampered with or tried many times. They can have lockout periods, permanent lockouts, and even notify people, depending on what the lock is. In those cases, again, physical damage isn't something you'll usually be able to do on a penetration test. If you can, try to pry it open, but most of the time you're not going to screw around with those, simply because you don't want to damage anything.

In the back, did you have something? Hard? Oh, that's hard to say; it depends on the lock. There are some cheaper disc detainers that are not too hard to open if you have the right tool. A Medeco, if you do a lot of research, you can probably get good at opening. Both are pretty difficult. Anything else? All right, so I'm running the Lockpick Village. I've got lots of tools and locks for people to try out. If you want to come ask me any more questions or give it a shot, feel free to come on over. And that's about it.