
Let's get started. This is Ralph May and Travis Weathers. Ralph is a security analyst and a penetration tester at Black Hills Information Security. He is also a co-developer and instructor of the Practical Physical Exploitation course. Before joining Black Hills he spent five years performing offensive operations on a wide range of security assessments. Ralph is a US Army veteran who previously worked with the United States Special Operations Command on information security challenges and threat actor simulations. Travis Weathers is a practice director on Optiv's attack and penetration team. Since stepping out of the military he has worked within the offensive security space, performing advanced adversarial emulation assessments and leading offensive security practitioners. Travis is the author of Doppelganger RFID and has spoken at various conferences including DEF CON RF Village, HackMiami, BSides Tampa and sour zero con. Additionally, Travis takes great pride in giving back to the veteran community through mentorship. So please welcome Ralph and Travis. Wait, Travis? Yes. Sorry, yeah, Travis. On evasive facility breach, from ingress to egress in 15 minutes or less.

Thank you. Oh, there we go. Let's get this right level here. All right, I don't need to get too close. Welcome to our talk, and welcome to the back, I guess. All right, so first, can I get a show of hands: who is currently doing physical security assessments? No one? What, a couple people. All right, who is interested in doing
physical security assessments? All right, a couple more people. Who has no idea what this talk is about? All right, we got one, perfect. Welcome. So hopefully you guys will have fun here. We are going to kind of dive in about us, even though she kind of gave us a big spiel. Hold on, I got this little clicker here; I'm used to having a laptop normally, so this is kind of interesting. All right, Travis.

All right, nice baby photo. 80s photo, really 80s, we're going for the theme here. So yeah, Travis Weathers, practice director on the attack and pen team over at Optiv Security. I've been doing offensive security stuff since about 2014 when I stepped away from the military. Prior to that I spent 12 years in Army Special Operations and Joint Special Operations in various capacities. Currently working with Ralph here on the Practical Physical Exploitation course. I really love developing physical security tools, so you see some of these here; this is our stealth reader that we kind of threw out there. We'll talk a little bit more about that later, but it's a big passion of mine.

All right, Ralph May. This is my baby photo as well. This is the most 80s photo possible because I have a mullet, as you can see in here, and this was a very popular thing at the time, maybe still today. Anyways, yes, so I do pen testing. I love doing physical stuff with Travis; obviously we built this course. I've been doing tech for a long time in different capacities, and I would say for the last 10 years I've just been doing security-focused testing. So all right, let's jump into this.

Yeah, so agenda: are we for real, can you really break in and get out in 15 minutes? Yeah, absolutely, with a little bit of caveats. We'll talk about some of the remote recon, on-site surveillance, threat profiling, and then the unauthorized access and that
15-minute access window. So the caveat is all that stuff leading up to it; the access window itself is really truly only 15 minutes if you're well prepared for it. Are we for real? We are for real. Yeah, so, properly scoped with clearly defined intent and goals. Whenever we do physical security assessments we're talking with our clients to find out what exactly it is that is important to them, what keeps them up at night if somebody wants to break into the building. Pro tip, folks: it's not always gaining access to a server. Sometimes it's personal harm to their employees, or destruction of the property itself, so keep that in mind. This is kind of the way we lay things out: there are always three goals when it comes to an assessment. The first goal is always gaining physical access. The second goal is whatever keeps your client up at night. And then the third goal will likely increase that level of effort, so that 15-minute ingress to egress window might change a little bit if you have to go after a bunch of different things within their environment. So, a solid operating methodology that's followed to the T, absolutely important, and then going in with the mindset of once your cover is blown, the engagement is over. We'll touch on that a lot when it pertains to physical security. And then something we always tell our practitioners in the field is: don't be a hero, stick to the plan. A lot of times as hackers we get obsessed with illustrating more impact and more impact and more impact, and next thing you know you've deviated from that plan and that client intent from the get-go, and here you are just running amok throughout the building. Chances are you're going to get picked up, nabbed, maybe even have to present your letter of authorization. Yeah.

All right, so let's talk about the first
thing, which is going to be recon. Having good recon is really going to help you before you even get to this assessment. It's going to help you know what you're going to be up against before you're even on site. A lot of that can happen before you get there, and what you're going to do when you actually get there is confirm all of this information. The next thing is properly executing your threat profiling: deciding how you're going to make your attack based off the information that you've confirmed once you get there, and what you're going to do next. Another thing is understanding the client's intent. Why are you here? Why are they paying you to do this thing? Hopefully you've gathered that in the conversations you've had with the client before you get there, so you have a good understanding of what the purpose is. And then following your letter of authorization, knowing what you're supposed to do and what you're not supposed to do. That's really going to help get the client outcomes that you're looking for, so you have a successful engagement and the client appreciates what you're providing for them. And then the last thing is the logging of all of the data. Once you get there, what we talk about in the course is taking screenshots and other things to get timestamps of exactly when these things happened, so you can make a definitive timeline in your report, and for any kind of legal issues if those arise. Once you combine these together, this can really help you deliver that very effective and efficient attack from a facility standpoint.

All right, so how? We talked about 15 minutes. Yeah, it does take 15 minutes for the access and the post-exploitation, getting out of there, but it really takes a lot longer to do your remote recon,
the on-site surveillance and the threat profiling. Now, I say a lot longer; I don't mean weeks, months. It doesn't take a big lead-up to break into a facility as long as you're focused in your efforts. Probably two, three hours of remote recon on your computer, and then getting there on site, depending on what information you're able to gather for the specific goals that you're after, it could take anywhere from an hour to maybe even two days to do that. So as a consulting firm, or as consultants in what we do, it doesn't benefit the client for us to sell them a long drawn-out assessment, so we have to learn how to do these things efficiently, so that it's mutually beneficial both for the client as well as for the practitioner that's on site. The last thing you want to do is be on site for a month and a half trying to figure out how to break into a building; they're definitely not going to pay for that. But yeah, let's go ahead and dive into the weeds of everything that goes into it.

All right, so the first thing is remote recon, before we get there. With remote recon, here are some things we're going to be looking for from a remote perspective. This is before we get there; this
is our internet snooping. Luckily nowadays we have so many resources to quickly gather this information without being on site. It's kind of spooky. So the first thing we're going to be looking for is workplace attire, if you can figure that out. We have social media, LinkedIn, other things like that. We'll talk about some of the other on-the-ground stuff, like street view. Then identifying nearby break and lunch venues: is there a Starbucks close by? Where would they go to eat if you worked here? Do they have a smoke break area? Can you see that from geospatial? Operating hours: what are their normal business hours? Do they have a 24/7 operation, or are they running 9 to 5? What are their operating hours? The next thing we teach in the class, and this is a great one, for physicals almost a requirement, is figuring out what their badges look like. Most if not all companies use some kind of facility access control. The reason for that, obviously, is we're not going to give a key to everybody, and then when the employee leaves we have to make new keys for all the doors. So, figuring out what that badge looks like: people post badges all over the internet. We'll talk a little bit more about that.

Some helpful websites to do your recon with: Google Maps, images, the web; just use Google, you can ask Google to tell you where to find more stuff. Facebook, Instagram. Instagram's amazing for how many people post stuff; some people are oversharers and you can find tons of information quickly without even being a friend or having any kind of association. So speaking of Instagram, here are a bunch of photos of badges that people post. How do we find these things? The first thing we'll look for is the company name, to see if
we have any associations; they'll hashtag the company name. Maybe the address: a lot of times these posts will get tagged with the address or a nearby location. Hashtags, any tag section. And then here's another really big one that usually nets us a lot of gold: seeing who else they follow. If you find someone who works at the company and they just have a picture of themselves on there, that's great, but they don't have a picture of a badge. Maybe you start looking at who else they follow, and you'd be surprised how many times there's someone else that they work with, there's a picture of both of them together, and this other person has a badge photo. So we can figure that out. And a lot of times when you see them posting a bunch of stuff, especially on Instagram, most of who is liking or commenting on the photo is the person that made the post, just to generate attention to it. So follow that person, follow the rabbit hole as far as you need to find that good quality photo of the badge; chances are you'll get one pretty quick. I see these all the time. Once you start looking for them you can't turn it off; you just see that everyone posts pictures. They'll say, oh, this is my first day, or this is my last day, or they're just posting a picture with their friends out, whatever it may be, but they're wearing their badge everywhere.

All right, another good remote recon source is LinkedIn, obviously. If you don't have a LinkedIn account you can make one for free. Looking for job postings, technologies in use, employees' names, titles. There are a bunch of ways to scrape this stuff off of LinkedIn, and I think LinkedIn has tried multiple times to make it so you can't scrape this stuff. That goes into another topic where you would actually be looking for email addresses, but let's find out who works there, because you might need that for some kind of SE if we get into that phase or scope piece. Maybe company events that are coming up. Again, we're trying to establish whatever information we can gather about the organization and who might work there.

All right, so the next thing we would look at. We've looked at Instagram, trying to find badge photos; we're looking at LinkedIn for employees. The next thing is geospatial reconnaissance. The amount of this is amazing; all of the world pretty much has been driven at this point with a camera, it feels like. So the first thing we might want to do is look at an aerial map, figuring out the general layout of the facility. If you were going to drive by this facility to confirm things, how would you drive into this parking lot? You could use this to determine how many employees
work there by how many parking spaces there are. Is this a big facility, is this a small facility? Identifying, obviously, any nearby establishments that employees are going to visit. Typically the way I do it is I'll find the establishment and then I'll start opening up my scope a little bit more: what's around there, what makes sense? Maybe they're in the middle of nowhere; all right, well, this is going to be a little more difficult. But a lot of times there are things around, like restaurants and stuff like that. So do a little research, be an employee for a minute and think how they would think. Obviously traffic patterns: is it going to be difficult, is it a downtown? I've done facilities where it's the 28th floor in the middle of Manhattan, so there's only so much I can do from a recon from above; I just see a really big building. But obviously there are a lot of things around, like what is close by and how I'm going to do my attack, and in that case I walked it. Was I going to drive in the middle of Manhattan to walk around? Another thing too is use a lot of different mapping sources; there are like four out there. We have Bing, Google Maps, Google Earth, Apple has Maps, and they all have different data. They're not all the same data; they're all collecting this data, and sometimes that data is fresh, sometimes it's pretty old or stale. Another thing to do when you're looking at that street view is identifying any camera placements and viewing angles, so you can see what they can see. Sometimes you can't see cameras at all; the picture is not good enough or they don't get close enough to the building. But if you can figure that out, that's good information to know, and then you can start building your GRG before you even get there. Obviously looking for some areas that might be best suited for in-person surveillance. The parking ingress and egress: where's possibly the employee entrance versus the main customer entrance, depending on what kind of business they are. Sometimes it's better to use the employee entrance. Another thing that we'll look at too is determining possible trash receptacles, or any security if they have any security set up, like do they have a security gate that you have to check through to actually get into the parking lot. This is all really good information to know before we get there. Anything else, Travis? No, no.
Okay, so here are a few maps of the same exact area. This is in Riverview, Florida. You can see Google Maps, Bing Maps and ArcGIS, each one of them taken the exact same day, probably within minutes apart, and you can see the community development difference between the three, pretty significant. That's why we harp on folks looking at different mapping sources if you're not seeing what you want. A lot of times we'll go down and not know that there's construction going on, so having updated street views helps in most cases, not in all cases, but it's always good to know. Yeah, again, this is all information we're trying to gather before we get there, and when we get there we're going to look to confirm what we think is true.

So again, on the street view stuff, here we've got pictures of the trash receptacle. If need be, if we have to go jump in a dumpster to get some material to illustrate impact, we could do that; always the last venture. Here we've got a couple different choke points. We talk about these a lot; these are great places to set up if you're going to do long range badge cloning. You can filter people into areas here. I wouldn't necessarily do it in the crosswalk here, but here, where you see where it gets into the shrubbery area, is a great place to catch some badges; people aren't going to step off into the bush, so it makes it hard for them to get up and get away from you. Stairwells, great places, especially if you have a buddy to help direct traffic so you get your badge read. We talk about long range badge reading all the time; it's really "not so long" badge reading, is what we call it, because oftentimes you're getting really uncomfortably close. And a lot of times you have to get a reason to get this close to somebody, so there is a little bit of SE, some conversation that possibly has to come up. It depends, though. These choke points can be great ways to naturally create an environment where you can get close to somebody without having to spark a conversation. Also with that, when we do our remote reconnaissance, the better our remote reconnaissance is, the less we're going to have to do on-site reconnaissance. Why is that great? Because the less you're doing on-site reconnaissance, the less you're exposed. Every second you're on site at a client venue or place of business, you're there potentially getting discovered, and once you're discovered the engagement is over, the client's out of money, you are unsuccessful. So the better the remote recon, the less the on-site recon.

All right, speaking about on-site recon, so on-site surveillance. We've done our remote recon. If we got a good badge there, we don't need to go on site and get a photo of a badge; that puts us in a position that we don't really need. Although I would recommend getting yourself in a position where you can at least visually see someone's badge, so that you can verify that what you have is in fact what the client is actually using. So
some considerations when we go on site. Everything you can do can compromise the engagement; now you're there, you're in the mix of it. Never expose yourself more than needed. If you have what you need from the remote recon, we touched on this, confirm it and move on. It's not a stakeout: get what you need and get out. Oftentimes we'll see folks pull up in vehicles two inches from the main lobby and pull up their telephoto lens, start taking pictures, or just overtly hold their cell phone up. If there's any type of security system in place, they might not be doing active monitoring, but when they go back and review the logs after your engagement they'll be like, oh yeah, look at that guy, he's just sitting there with the camera the whole time. So don't draw attention to yourself if not needed. If it sounds like a questionable decision in your head, it probably is. You'll get those thoughts when you're there, like, oh, I could just run up right now and grab this badge clone and get out of here and call it a day. Stick to the plan that you set out for yourself. There are targets of opportunity, but be aware of what you're doing; if it sounds questionable, it probably is.

So, types of on-site recon: we have mobile recon, we have static recon, and then we have up-close recon. Our mobile recon, that's our dynamic analysis, the vehicle's in motion. The static analysis, obviously we're stationed up, posted up somewhere. So if we're going to do dynamic analysis we should have already figured out what route we're going to take for our dynamic drive-by, based on the maps that we reviewed, the street views that we reviewed. And same, if we get what we need on the dynamic analysis we're not going to do the static analysis. If we need to fall back to the static analysis, we need to go back to that GRG we
created, that gridded reference map that shows where everything is, and pick the exact spot where we want to set up and take our photos. The other thing I want to add too is on the mobile recon, sometimes you don't have to be in a vehicle. I described the New York example; that doesn't make a great example for driving around in a vehicle. You could just walk on the streets; there are hundreds, maybe thousands of people walking the street in New York, so walking around is another great way to do that same analysis. I walked around the building, taking photos, other things like that, and then when I got to the static it was more of trying to capture badges of employees going in and out of the building. I looked like a tourist trying to take photos, trying to be as inconspicuous as possible.

All right, so dynamic analysis, what are you going to use? Mobile phone, this day and age. GoPros are great, dash cam, whatever it is that you have. Keep in mind your body posture. If you're doing your mobile recon, let your tools do the work for you: set your phone up in a position where you can catch the video and you can just drive. You might reduce your speed a little bit, but don't overtly slow down to where you're holding up traffic behind you and causing eyes to be on you. Let your camera do the work, get off site, analyze that footage and then go back around for another pass if needed. If you are going to go back for another pass, I'd say wait 20 minutes or so, so that you're not constantly circling the building, because that will generate attention in some areas. Again, we talked about this: let the remote recon determine the route you're going to take, and then only have the tooling required to accomplish the job you need, so you don't
need to take the big kit with you. You've just got a small rental car to do your reconnaissance; post up your camera, don't have anything else in the back, make it look like you're going to work, make it look like you should be in that area.

Yeah, static analysis. So, a telephoto-capable camera, something to take notes with. Some considerations: don't get closer than necessary. Oftentimes you can post up at an adjacent business for your static analysis, or maybe just set up in a different business entirely. Maybe you've determined that, hey, these employees all go to this same coffee shop every morning around 8 a.m. I don't have a badge photo; maybe I could just get a badge photo inside the coffee shop, and I'm not going to be directly exposed at the work site. Another thing I want to talk about is the telephoto-capable camera. We have a very powerful camera in our kit to do this, but I want you to think of this camera as a tool, like a lock pick. You're not going to be great at it just because you grab it and think you can just snap photos, especially at range. So my point with this is that when you start thinking about this, you should practice actually taking pictures with this camera before you get there. Make sure that you understand how this thing works; it's not just point, click and shoot. It actually takes some finesse to use this camera at the range that we're going to be taking photos at. So don't put off learning how to pick a lock until you get to the door; same with this telephoto camera.

All right, this is a wall of text here, so some things we want to look at when we're doing our static analysis. These aren't all things that we need to do right here in the static analysis phase; this is all stuff that we could have already looked at, checked the box on, in our remote recon, our mobile recon. We don't have to sit down and get all this stuff firmed up right here, especially if it doesn't pertain to our goal or our intent for the client. If we know that we're going to do social engineering because our client says, hey, we'd like you to get in through social engineering, I don't care what kind of badge technology they're using, so I might forgo that. But in general, here are some things you want to look at. Badge exposure policy; this would be a finding. So
we do an inside-out, outside-in approach. If you're inside the building your badge should be out and displayed; the second you get out of your building your badge should be in, somewhere tucked away. One, so that people can't emulate your badge if they take a photograph of it, and two, they don't know where to go to clone the badge if you have it stashed away. Does it look like employees tailgate each other? That's a good option to get in if all else fails, so keep that in mind. Guards and service providers: is there a reception desk, where is it located? What kind of guards are there? Are they all stationary, are they roaming guards, are they law enforcement or armed? What do their shifts look like? Are they on 24/7? Are they doing roving patrols every hour? A lot of times we'll see companies like, hey, every hour on the dot you've got to go do your roaming patrol. That's great for us as attackers, because we know at 11 o'clock we have a great 15-minute or so access window where we can get in while the security guard is going to be completely preoccupied on the other side of the building, just walking around. Another thing too, this comes down to scoping: you're going to know whether there is an armed guard before you get there; that's a question you're going to ask. So you shouldn't be surprised that they have a bunch of armed guards when you get there. Think of it first, number one, and you could say this to your client: safety is top priority for everybody, me and all of your employees. That's why we want to know, is there an armed guard there? Are they going to try to shoot me just because I did something suspicious? Absolutely. Cameras: do they have cameras, are they positioned in the right place, are they pan-tilt-zoom where they need to be pan-tilt-zoom, are they fixed where they need to be fixed? Do they have push-to-exit or request-to-exit, and where are those located? If you can see those, chances are if there's a badge reader on one side there's either a push-to-exit or a request-to-exit sensor there. What kind of locks are they using? Do they have any mantraps, turnstiles, those types of things? And if you are going after badge technology you've got to know exactly what you're going to go after. So if you're going to do a prox badge you've got to clone long range with the prox reader; if you're going after iCLASS or iCLASS SE/Seos you've got to make sure you have a capable reader to get those reads. Another thing that could foil your plan there is if it's multi-factor technology. Maybe now not only do you have to get a badge read, now you have to find some way to read what they're putting into the keypad, or if it's biometric, yeah, you're probably going to have to take another route to access. And again, choke points, foot traffic, all that stuff. Continued; we're going to read through this. Actually, I think this is a duplicate. Yeah.

So, close proximity surveillance. This is where we get really, really
uncomfortable. We're having no distance: no distance remotely, no distance with our drive-by, no benefit from the long range surveillance. So now we've got to get up close and personal. We're going to pull out our mobile phone. A lot of times our mental notes for our logs are going to be just that; take those camera snaps, those shutter snaps, and log those, as you'll have verifiable timestamps that you can put into your logs later on. But again, some considerations: reference camera placement and viewing angles before you get going. You don't want to do up-close surveillance right in front of somebody doing surveillance on you; that'll draw unneeded attention. Blend in with the employees around you: if they're wearing a suit and tie you should wear a suit and tie; if they're in casual clothes you should be in casual clothes. Leave your 5.11 Tactical bag in the car, because that will always draw attention. Dim the screen on your device all the way, put it on vibrate and disable the shutter sound. Sometimes it makes more sense just to do video, so you do your walk-by; Ralph hit on this quite a bit. You get just a good video, take that off site, analyze it, and then always have your evacuation plan. Another one of those practice-it moments: if you've ever tried to take video inconspicuously with a phone and you're moving your hand around, next thing you know it's all over the place, it looks like a horror film, and you don't get any good photos of anything. You're just like, well, that was a waste of my time. So the point is, go out and try to practice this. Figure out how to hold the camera and be cognizant of that, because you're only going to get like one or two chances at this, and this is just
going to start to look weird. So make sure that you take the time to practice what you're going to be doing here.

All right, threat profiling. Now that we have the remote and we have the on-site recon, let's determine our most likely success path. Obviously this is going to come back to what we all just did; all of that information is going to dictate how, or what we think is, the most likely avenue to success here. We're going to go for the easiest route. We're not trying to make this hard for ourselves; we want success, so we're going to pick that. Obviously we want to stay within the limits of the letter of authorization, what they said we can do and what they said we can't do. If it's just tailgating, guess what, we're tailgating; that's the goal of the assessment, and we probably would not have done any badge cloning, because that would be silly. So anyways, with that in mind, let's look at a couple different attack scenarios. Badge cloning: this is probably our number one thing we want to do. This gives us access to the facility. I'm an employee; nobody talks to me because nobody wants to talk to anyone at this place anyways. So one of our observations is we see exposed badges, so we're able to identify the badge, we know what it looks like, we know that they work for this company, and we also identified that this is clonable technology. Not all badges can be cloned, but we know that this is one of those. So we make a plan to get near employees to clone their badge. For this example we say a coffee house or Starbucks directly adjacent to the facility, and what we'll do is go over there and try to clone the badge with a long range badge reader. Obviously there's a risk of getting too close or them being suspicious of this interaction, but most of the time you can get these badge clones in somewhere like a Starbucks pretty easily without drawing a whole lot of attention.

Next on the list here would be social engineering. We did all that recon; maybe we need to social engineer our way in because we can't get a badge clone. Maybe we tried, and for whatever reason we don't have that as our attack path. They possibly have a turnstile too, that's another thing, and we don't have a badge so we're not going to be able to tailgate. So let's try the social engineering path. Maybe we do a telephone call, like a pre-validation, as a client employee, and then get a pre-approval to go in there so we have a reason to go into the building: we're going to be a visitor, so on and so forth. Your SE scenario is going to dictate what you're trying to do. The only caveat with social engineering is that sometimes you can do it quickly on site; other times it requires a little prep, or you're going to need to do it before you get there, planning it up, like, oh, next week I'm going to be there, that kind of stuff. So be considerate of that.

And then the last one that we talk about is surreptitious entry. Maybe we have access to an unprotected door on the second floor; we're going to use a rope ladder, grappling hook, get wild with it. For the most part that's last on the list; it's really the last thing we want to do, like climbing up the side of a building. But if the case dictates, maybe that's something we tried, we're all out of options, and we want to look at that. We have done some silly stuff like that. But also there's some risk involved: do they have guards, do they have cameras of you just climbing up the side of the wall? Is this going to be obviously someone trying to break in? And maybe it's a well-lit area. Anything else? All right, oops, I went really fast there.

All right, so the 15-minute access window. We've done all of our reconnaissance, we did our threat profiling, we determined we're going to go in, we'll say doing a badge clone. Here's where we really put it together, put our timetable
together. Coming from the military, we like to reverse plan everything, so we'll start at when we want to exit the facility first and then work everything back from there. So at one o'clock, no later than one o'clock, we want to be departing the facility. That means that between 12:30 and 12:45 we have our entry window during lunch to identify our goal of hitting their production floor and planting a shell or device on a workstation. And then before that, to get ready for that, we've got to spend a couple of hours, so from 9 to 11 we're going to write clone card data that we'll capture between 8 and 8:30 after arriving at the off-site location for cloning. And then we'll already have our replica badge, because we found that on Instagram two days prior. So that's our timeline; that's what we start with.

Why do we start with that timeline? Because if something goes wrong in that timeline, we're going to immediately stop what we're doing, depart the facility, depart the location, go back to that threat profiling model and determine what our next approach is going to be. Maybe we got there and we're like, oh man, we weren't able to actually get a clone. We thought it was HID Prox; it's not HID Prox, something's off, or maybe there's something wrong with your reader. Now we've got to go and adjust focus and get in a different way. So it gives you time throughout the day to adjust and adapt to what you're doing. If you put your depart-facility time at closer to 5:00 PM, chances are if you make a mistake you're not going to be well prepared to go back and re-attack the facility.

So with that, we'll go back to our engagement goals. The engagement goal overall is to gain access to the production floor and then access to intellectual property. To do that, based on our threat profiling, we're going to require certain tooling: a Proxmark with long-range cloning capabilities, or, I'm sorry, a prox reader with long-range cloning capabilities; a Proxmark for writing those captured cards; a replica ID card that looks like the client's, so we can blend in; a method to unlock or shell a workstation or drop a plant device; some other things that we might need once we get in there, an under-the-door tool and possibly some lockpicks; and then of course our authorization letter. We do nothing without that. And then also, with the reconnaissance that we did, we'll develop some type of cover story that kind of assists in that 15 minutes. "I work in IT." Yeah. So that is the 15-minute
ingress to egress. I think that's the last one. Yeah, I think that is the last one.

All right, shameless plugs. So all that stuff we just talked about, we actually teach a three-day course on how to do that. We go through the whole experience: we talk about pre-sales, authorization, we tell you how to scope these things, digital surveillance, we go through surreptitious entry, we talk about badge cloning technology, how to actually do it. We actually send you on a live facility breach. This is an extremely hands-on course. We have role players that go out in town to act as fictitious employees, and you have to clone their badges out and around. It's a very fun class, and it's more of an experience, but it definitely will teach you how to go from someone who's never done this before to all the tools that you would need to actually deliver on this. We're not going to talk about every single way; we're going to talk about the most effective things that you can do in that time frame to actually deliver one of these assessments. We do... go ahead. Yes, something I'll add to that: it's a high-stress environment, so you're constantly moving, constantly adapting to change throughout it. It's not a 9 to 5 in the classroom; it's a 9 to 11 in the classroom and then you're out the rest of the day. And if you love PowerPoint slides, don't come to this class. You'll be going through the middle of the night doing recon on actual facilities. It is a lot of fun, but again, it's for everyone. It's not just for physical practitioners. If you sell or design project work, you can come to this class, get firsthand experience on what it is; you'll be a better salesman for it, better at scoping it, better at leading it, all that. So if you're interested, obviously it's on our website, and then we have a couple of classes for the whole year. Here, those are our dates. You... private corporate training and government training as well.

So, do you want to talk about this? Yeah, so here's actually our last class. Here's them doing some reconnaissance in the middle of the night on a facility we have. We put up so many different cameras when they go in, so we got every bit of good angles to watch what they're doing. Here they are doing some remote drive... remote recon, or, I'm sorry, on-site recon, mobile recon. Here they are; they found a dumpster, they picked the lock on the dumpster, got some sensitive information from our fictitious company out of it. Let's keep going. Here they are accessing the facility. It is a live business that has live employees, so they have to be on their toes throughout it. Here they are shelling a workstation. They are locking up the building on their way out. They had three objectives in this class and I believe they were out in about 23 minutes from start to finish. Yep. So we give you guys all the tools; we have the kits and gear, so you don't have to bring anything. You can kind of just show up and we'll have all the stuff you need to actually do this class.

All right, one other thing. Obviously we said we have all this kits and gear stuff, so we sell some of the gear. What ended up happening is we were going to make this course. Cool, great, yay. But we needed gear, and so we actually ended up having to design some of this gear because no one sells it. So a lot of this stuff is custom designed, and we ended up making a whole Pelican case that has all the gear you need to actually do one of these assessments. That's actually what's inside of here right there. Do you want to talk about the... We talk a lot about the long-range cloning and how it's not so long range, so we kind of came up with our own solution of how we wanted to get away from that, or situations where maybe we thought one technology was in place and in fact a different technology was in place. So we put together this stealth reader. Tons of different forms: you can have a magnetic back, slap it on; this one is more of an adhesive back. But essentially what you could do is slap it up on any building, any door. You can put it on a bathroom and people will use their badge to go into it. You can put it adjacent to an existing reader; think of it like a card skimmer for corporate access. When it's in place, you use the stealth card. The stealth card looks like this, and it allows you to disable the Wi-Fi, so if they do have wireless detective controls they're not going to see that, hey, there's some device on the outside of your building broadcasting a wireless signal. So just for example's sake, I'll put the reader down here. Here's an iClass card. Got it, got it.
And yeah, so that's essentially it. I'll turn it on right now if you guys want to go and look at those card reads. You'll see a doppelganger SSID; the password to access it is "under the radar", capital U, capital R. But you can look at the interface; you can reset the password, or the Wi-Fi network, to your own thing. Go forward. Nice. All right, so that's all the shameless plugs we had. Any questions, guys, while we're up here? All right, go ahead.

Yeah, that's a really good question. So phone-based badge access technology: most likely it's going to be Bluetooth; that's usually the close proximity for that. It is slowly rolling out. The one thing that you're going to realize if you do a physical assessment, or if you've done a physical assessment, is that a lot of the facility access control is old. We still see HID Prox readers, which are deprecated, and they're still putting them on brand new buildings. They're like, ah, our facility access control guy said this is the best. We're like, fire that dude. But I guess my answer to your question is that we haven't really had a whole lot of issues with those yet, having to attack them, but that's definitely where something like this is going to come into play. So if they're using some kind of technology like that, we would buy a reader that can do the mobile access, and again, I'm getting a little fictitious here because I haven't rolled that out to see how it would work. There's some other things too that I've seen besides mobile that we're going to have to worry about in the future as well, as far as facility access control goes. So what's the other communication standard besides Wiegand? Yeah, OSDP, but that's actually for the wire itself; that's the communication on the wire. The other one would be, what was the other technology we're using besides Bluetooth? Well, yeah, so an NFC-based challenge-response on your phone, where it's actually verifying that you're allowed to enter via a request over the Internet. So your phone is making an active request, as opposed to like an ID, so it's more of like the equivalent of OTP, not one-time pass, but like key pass and other password-based authentication where it's actually making that handshake. So that would be a lot more difficult for us to clone a badge, because the phone is actually communicating to the device to make sure every single time you badge in you're allowed to badge in, not from the reader itself.

So, go ahead. So we don't; we can see the angle of the camera, we can see if it's a PTZ, maybe it can move around or whatever. Some of these are high-speed PTZs that have 20x optical zoom. But here's the one thing about cameras: cameras are great, but most of the time they're not actively monitored, and they're not going to stop you from going into that facility, especially in multi-tenant facilities or really large companies. There's just no way the one security guard knows all the employees and what they look like, and that this is not a new hire and
other things like that. So seeing me walk in the building and looking like an employee is not suspicious. Cameras are used to figure out things in the past: something bad happened, what actually happened, as opposed to necessarily solving crimes in real time, especially at companies where there's a lot of people moving and going. So, good question.

Right in the back there. Yeah, sorry, yeah. What do you mean by bypassing? You mean like from a security perspective, are you talking about an alarm system inside the building? Buildings don't typically have alarm systems that we go attack, because they have employees coming 24/7 or at some point. That's why they use facility access controls, so they don't typically have some kind of motion detector that somebody's in the building to go off of. I would add, in the case that we've hit smaller organizations that do have motion sensors, we would hit them during the day when they're already occupied. Yeah, we're not going to go in after hours.

Yeah, the female in the back there. Sorry, for secure control, like in general, or for facility access, like the badging technology? Oh, biometric. We had biometric, yeah. We had a company with biometrics and they had several authentication procedures, so what we ended up having to do is roll it up into a full red team where we popped email boxes and impersonated people from their actual email boxes. We set up rules to delete emails from certain people and then would send other emails from other people. Yeah, it was quite a long process; it was a twisted web. But yeah, so like biometric, other things like that, having a full-time 24/7 guard that checks everyone in, at that point you're going to have to combine an SE scenario as opposed to like a badge, especially with a really small facility, so it kind of pigeonholes you into scenarios. I've also been to a really, really secure facility and we actually ended up compromising the badging machine and just making our own badge so we didn't have to chase people around. Obviously that doesn't work out every time, and not every engagement allows that kind of remote access attack. So, plug for BHIS: if you go, they wrote a comic book. Yeah, there's a story of one of my first physical and hardest physical assessments that I did with Travis in there. It's a comic book. Yeah, that particular one we just wrote. Okay, go ahead again.

I would always recommend pre-authentication. That's usually the best way to do it. If you pre-authenticate, you can spoof numbers to originate from wherever, appear to originate from wherever; you can have them call people that don't actually work at certain places. So pre-authentication is always better than just showing up. This also goes down to on-site recon: maybe you see a facility access company there, or some facility maintenance company, and you're like, see that logo? You want to be that company, because they're immediately going to be, oh yeah, I see these people around here, they help fix whatever. So again, that kind of goes down to, when you're actually getting your threat profile, what you're actually going to be able to do, depending on what limitations are in place. So it definitely comes into... go ahead.

You take that one. So in the past, yes, we have, but only where it makes sense for the engagement. One, it has to line up with the intent of the engagement and the goals the client kind of set forth for us. We're not just going to put a drone up for drone's sake, but depending on where we're going or what we're doing we might throw a drone up just to look at certain aspects of things. Yeah, the geospatial is pretty useful. This day and age, with mapping sources, really the drone value is just limited. Does that make sense? It could have some value, but it's just kind of limited, unless you've got a FLIR camera, unless you've got an unlimited budget. All right, go ahead, right
here. So that's a good point. When we do armed guard stuff, we will do more than one operator on target, so one will be responsible for the armed guard, so either distraction or keeping up with where they're at, and the other person is doing actions on. So yeah, it all depends. Yeah, having more people on an engagement is really helpful; there's all kinds of stuff you can do. You don't want like 10 people, because then it's just like a mob, but having a couple of people is really useful.

Yeah, right in the yellow. Yes, yeah. Oh, that's a touchy one. It depends on how long you've been doing it. Could you tell them the way not to do it? I can tell you the way not to do it: don't pull out a fake letter of authorization and say that you're there doing a pen test. Yes. So the way I preach it is to deconflict first and foremost, especially if there's an armed guard. You don't know how that armed guard has been trained, you don't know what's going on inside of them. They might be like, oh crap, it might be time, I need to tackle somebody, or something weird might happen. So you immediately want to deconflict. What we tell our folks is you take your letter of authorization, it goes in your left front pocket, not in your rear right pocket, because if you're reaching behind you, they can't see your hand. So non-dominant hand going in to grab the letter: hey, I have authorization to be here. You can escalate depending on your comfort level and what is defined by why you're supposed to be here, how they're responding. This comes into some SE stuff, like reading non-verbal body language, knowing where this is going. A lot of times I can tell quickly whether someone thinks something more nefarious is going on than just asking legitimate questions about why I'm here. Safety of yourself and safety of the people around is definitely key.

Right, the back there. Yeah, yes, you. Sorry, I don't have any better way to identify people. Oh yeah, that's a great question. So you've got to probably be about this close, so it's comfortable. I could have done it right there if I had a reader. It's close. It's fun in the class to watch the other students go out there and kind of chase people around and have to make up weird, awkward conversations. It is very interesting when you're out there doing it; your nerves are also moving, because you don't really want to give up who you are, but you have to kind of get close. So why am I standing next to this person? We talk about this too: this is weird, this is not as weird. So how you posture yourself, and then having a reason to get close to somebody. You can have a genuine, simple conversation; asking for directions is a good one. I use my phone; I'll be like, hey, could you show me where this is at here? So now I have a reason to lean in. There's a lot of little techniques that you can use to kind of get closer, and then obviously if you have that choke point where you're walking by. But you do have to get close, and hopefully, if you're doing your job right, no one knows. Yeah, choke points are key. You can pin people in elevators, especially if you have two operators; you can kind of guide someone where you want them to go. One last question, right
here. Yeah, sure. We are not there yet, but I will say two things. Another slight shameless plug: I have a webcast coming on about surveillance, security cameras. And you are correct: cameras can identify people; they're using this actively in larger deployments. They're pretty expensive, so that's probably why you're not going to see it in a lot of corporations, but that will be something that we'll have to approach, where you walk up to the door, the camera sees you, you're not the person that's supposed to be badging in, and that could be an alert. That's what you're talking about, like getting real-time response, and tying that in. That's an advanced deployment at a corporation, and right now most companies don't feel like it's worth it in the budget to deploy something like that, but we could see that in the future for sure, because that technology exists today. Yes, exactly. Something I'll add to cameras: cameras are cameras. As much as we love them, they're not always being monitored, especially when they should be getting monitored, so a lot of times it's after the fact. And if your client is mostly scared about someone coming in the front door and taking people out, chances are even if you had that AI camera there, it's probably too late to stop what was intended to happen in the first place. So that's where we fall back on: it's more about all the security controls coming together in a working fashion instead of having the fanciest whiz-bang things going on.

All right, that is all the time we had, but if you have any more questions for us we will be around the con. If you guys want to see any of the stuff in this kit, if you're just curious, you have no intention to ever buy this stuff, still come check it out. It's kind of cool. But thank you very much for coming to our talk.