NolaCon 2019 D 07 Breaking Into Your Building A Hackers Guide to Unauthorized Physical Access Brent

Hello everyone, welcome to Breaking Into Your Building: A Hacker's Guide to Unauthorized Access. I'm your host, Tim Roberts. I'm Brent White. So who are these guys again? We are pen testers, senior security consultants for NTT Security, and we specialize in physical intrusion, physical site assessment, things like that. So our whole thing is sort of what Jason does with trying to gain access to buildings, but we also like to bring some cool tools along with us as well. So we aren't as cool as Jason, I suppose, because we require tools. So yeah, wehackpeople.com, that's our personal blog. You can go there; some of the things we'll talk about today, bypass methods, things like that, you can see some of that information as well.

Something we just would like to always say in our talks is not all hackers are bad. You know, the term hacker is a little subjective, but we like to think of, you know, we're all hackers, right, as long as we can make something do something that it wasn't intended to do, you know, for our benefit, I guess. Yeah. And so the media, again, I always ask this question: does anybody in here wear a ski mask and gloves when you're working at your computer, hacking away? No? You don't put your name, right? Maybe you do, if you're the first person that's ever raised your hand. So yeah, I mean, you see all these stupid images. I mean, what is this? Yeah, just Google "hacker" and these are the things you come up with, right? Yeah, just look in the image search, this ridiculous stuff. And there's this image, too, of, like, you know, hear the word hacker, they think that you're going to rob them in the parking lot and steal their baby or something. You know, it's like, hey, we're people too. So we're very mature; you'll see that in our slides and things as we go. And something else, too: anybody that has questions, just raise your hand, we'll answer those as we go. We don't have to wait until the end. So yeah, or if you want to heckle, that's cool too.

So just really quick, just "unauthorized", this, want to
clarify that this is when we are taking on the security posture, or taking on the role, of an attacker, a potential attacker. We don't just roll up somewhere and try to break into a building, because that's illegal. We have permission from that client first, obviously. So that is what we mean when we say unauthorized.

So Brent was saying some of the things that we do. After we've established our rules of engagement and the scope of the assessment, what's the goal? Where are we trying to get into? Are we trying to get into an executive suite, into a data center? Are we trying to steal a server out of the room? And, you know, things are discussed during the kickoff call. But mostly what Brent and I focus on these days are covert physical security assessments. What this means is we go in, try to covertly sneak into your building, and while we're in there we test your physical security controls too. So we usually add social engineering in there, but also it's very dynamic, and it depends on what the client is looking for and kind of the situation for what we choose to do, right? Sometimes we do need to interact with people, and other times we do what we can without, you know, being noticed. We try to stay as gray as possible.

So I'm gonna talk about surveillance. You know, there's so many tools out there. Just wanted to show some of these really cheap things that you can get, like the spy cam pen or even a cheap little lighter with a camera inside of it. I mean, this stuff, if you're going to use things like this, change the housing of it, because there are people that are trained to spot these things. So if you just roll in there with, you know, one of these spy pens or something, they're going to say, "Oh, that's not a real ink pen, come with me." So be creative with these things. If you do need to start working into more like artful concealment with some of these tools, there are a lot of other resources, and we're happy to talk to you about that as well. This is something, too, I want to add a little disclaimer:
whenever you do the rules of engagement, you're talking to the clients, make sure that you have authorization to do any kind of recording, because some of our assessments, we'll record while we're on site. Some of them, you know, of course we take pictures of evidence and such, but you need to make sure that that's clear, because there are certain laws and stuff you got a week client was so.

In addition to the surveillance, some of the things we do: we like the Mavic Pro, just because it's fun, but we just put, like, a Wi-Fi, like, a Nano on the top. You know, that's really simple and it was a quick thing to do. We got some industrial-strength velcro tape, taped it on there, and it could still fly. Yeah, really well. A lot of advanced engineering went into that setup. Yes, very much so, very highly technical. We put some gaffer's tape to keep the antennas from flopping around. But one of the things we do is we'll just fly it over there and land on the building. You know, there are ways to prevent this. There are Faraday things you can put on top of your roof, damage signal jammers and such. But this is an easy way to just go and put up an evil AP or sniff something, or if you want to put even an RFID cloner, you can get close enough or something. But the noise of these things is too loud to fly around people. Yeah, it's definitely not something you want to do as your first step nearing reconnaissance, because you're going to call attention that something is going on. Truthfully, the only time we ever use a drone is just at night when we do some reconnaissance, just to see where the access points are, and, like, outside the entry points and the roof, to get a good look at the roof, just do a physical assessment of that without climbing up there. Yeah, so if the certain location, if it's hard to see, you know, with cameras, if it's hard to get good photographs of what the access controls are on the door, or where their guard stations are, things like that, and maybe the images on Google
Maps have been sanitized in a way that they aren't helpful, then that's when we might, you know, throw the drone up there.

So, what are Tim and Brent doing up here? That is a plane, yeah, software-defined radio. It's awesome. It's useful for places where you might go where you can perhaps snoop on security teams if they are using unencrypted radios. There are also ways to decrypt those signals as well. In order just want to listen to the radio. Yeah. Yeah, one night when I was playing around learning to use this, it's kind of an embarrassing and funny story: in Dallas I was laying in my hotel, so about bed, and I started hearing something, and it was this lady, and she was like, "These diamonds are amazing! You have to buy these diamonds because they're not going to be around for long." It was like, awesome, what is this? So I start tuning it in even more, and it ended up just being a QVC broadcast. So close. So yeah, I'm still learning SDR.

Again, going under surveillance, you can use these things. There's a lot of good places that you can use them, but if you're going into more higher-security areas, again, change the housing. There are some really, really good versions of these things, but just the cheapo off-the-shelf things, they can work, but you can also burn yourself pretty... I bought this, like, it was like a 1080p, it's called Cop Cam. It was like a little square; it looked like a miniature visit one of the fidgets boxes or whatever. Battery, had a micro SD on it, and I mean it works great. It's just a little tiny square you can just kind of carry around and put wherever you want it. Yep.

So just real quick, we're kind of going through some of this stuff really quick because we have a lot of content. But there are some cases where, if you're doing certain reconnaissance, surveillance, you don't necessarily want to burn yourself, especially if it's a smaller team and they, you know, actually are pretty legitimate with their coverage for security cameras, things
like that. There might be some cases where you need to change your appearance just for some quick surveillance. Yeah, we don't do a whole lot of this, because we just kind of, depending on whatever guise we come up with, if we want to be a contractor or a vendor, maintenance worker, you know, Evan ease and screws and go sit right there. Yeah. Oh, Joe Dirt. You know, with that, we do a lot of acting, too, outside of this, so the improv exercises and things help you to blend in.

A quick side note: the picture of me as a land surveyor. You can set that up; as long as you have like a high-vis vest and something, people will not pay attention to you in most areas. So you can even have that tripod and have a huge camera lens on there that is obviously not land surveying equipment at all, taking photographs of things, but because you are positioning yourself in a certain area with a certain look, people, like, you're basically invisible.

So, and then blending in, like, this just reminded me of it, but carrying around the ladder. I mean, you guys see people do this online a lot, they just carry a stepladder. But one of the guys on our team... I was the project manager, and so I had a fake number on there. We found out who the property manager was for this building that the client was renting from. I wrote up a fake letter saying that we need to, you know, inspection, because there was a recall on the sprinkler head model, blah blah blah, and then I gave them this letter, and he pretended to be with the property manager, and he was able to just walk around in with a stepladder. And when they asked him, they looked at the letter and they called me and everything was fine, and he installed a rogue access point, and they're sitting in the conference room with his ladder.

So just quick on this: I was doing an assessment, a physical assessment, against the hospital. It was my first time at the hospital, wasn't really sure what to expect, and the longer I was there, which was quite a few
hours, learned that different roles have different color scrubs. So, like, sanitation crew, for example, would wear the maroon scrubs. So I didn't have any scrubs with me, but after walking around, the gift shop at the hospital had every type of scrub for sale. This is actually from that place. So one of the best ones to use, too, is the black, because the phlebotomists use the black scrubs, and they come and go, and there's such a turnover from these guys because there's several of them taking blood from different locations and stuff. So yeah, that's pretty handy.

Yeah, and again, if you're trying to blend in, having that gigantic lens, trying to hide it with something like that, nope. You know, just use common sense. Now, if you're somewhere and it makes sense to say your backstory would be taking pictures of a sporting event or national landmarks or something like that, and you're, yeah, make yourself look more like a tourist than some shady dude trying to, you know, act like he's not doing something.

So there's just a couple of the things that we carry around in our bags. But not all the time do you need lock picks or fancy tools or bypass tools. Sometimes it's just a matter of having a piece of plastic or, you know, like Jason's saying, it's a friendly or dopey face, trying to encourage people, trying to, you know, talk to people. And so it's not always, "Hey, I need to learn, I gotta be awesome, I got to be great at locksport, and I got to be a fantastic lock-picker to forget anything." Yeah, and that talent does help. We're definitely not knocking that. There have been instances where we have needed to pick locks, yeah, but we don't use it very much. And then, you know, these are pretty big kits, so we actually do a lot of research and work into dumbing these things down. So this is my wallet. I keep several things in this very small traveler's wallet. I've got a few different bypass methods and other things that I keep in here, and if you just
look at it, it just looks like a flat wallet. So also, this is a neat little tool that Billy Boatwright had made himself, and yeah, he just kind of got a couple picks in there. Yeah, the tensioner is bent, but it's very easy to conceal and it was easy to use. And I keep gaffer's tape on a lot of things. There's so many uses for gaffer's tape, and I'll show you sort of a way to maintain access with some gaffer's tape in a bit. Again, I'm just talking about, we like to take our kits and sort of dumb them down so that we can have tools that we need that we can conceal. And so this is a mini laptop, it's the GPD Pro. It's about this big, but it's a full working laptop. And of course the Wi-Fi Pineapple and some other tools that you see there.

Milky Way: that's a real Milky Way. That's when you get access to a place, especially if there are armed guards, sometimes your adrenaline can be, you know, going, as you might expect. So I tell people this all the time, too: like, when I first get into a building, I usually go to the bathroom, yeah, and I said no high for a bit, just to get my adrenaline and stuff down, and I'm not as sweaty, and yeah, like I just broke down or snuck in. So the Milky Way, or any type of food, when you eat that, it helps to naturally suppress the fight-or-flight response, so it helps you to sort of chill out and, you know, get your mindset.

As Tim mentioned, plastic door shims: this is the tool that I personally use more than any other tool to get into places. So you can see how quick this is. So this is an office; this office is to one of the executives there, and we were showing them afterwards, because we'd got into the facility and then they were like, "How did you get in there?" We're like, well, I mean, there's a couple different ways to do it. You have a nice window there, so we could have used the under-the-door tool and just, you know, or we could have just used a piece of paper, you know. So it's ridiculous, so the cure people think things are without, right. So this is a quick war
story, and I know I'm actually going to come back to this to make sure we have time for other things. But this is another video similar to the bypass with the plastic. This is a shove knife. So you can see Tim on the other side of the door, so we're going to lock the door. So we'll share this as a double crash door. There's several different ways we could have bypassed this, but this particular one, you'll see here in a second, I use... if you look right here, you'll see it just real quick: it'll unlatch the door and then pop open. So what's really funny about this, too, though, is that they had a PTZ camera there and it was all scratched up. I mean, the dome was all, it was a mess. It's really, it was weathered, you know, there's moisture in there. They would come see us anyway, even if we were trying to stay under the radar even more.

Yeah, and then some more things, just sort of building off of the piece of plastic or the shove knife: you have these traveler's hooks or Shrum tools, and they're super useful. They have a very slim profile, so it's a lot easier to get those in between door frames to avoid doors a lot easier when something like the Hall Pass or something is too thick to go in there. Another thing, too: so, talk about strike plates. It's supposed to help prevent people from loiding the doors, you know, because it's supposed to block the latch. Well, it's really easy to bypass those, too, simply by going over the top of it and pressing down, and now you're loiding that door. This tool, it's actually about this long, and it's metal, so it looks like a weapon, so you have a deeper range. Yeah, if you're walking around with that in your bag somewhere like New York or something and someone questions you, it's not going to be a good day for you. So you can do something like that, or a coat hanger. So if you just take the bottom part of the coat hanger down here and cut that off, then you can just put a slight bend in it, and you can put it in over the top of the striker plate and just
still do the same thing with a coat hanger.

So the latch bolt: how do you prevent this? So a good way to do it is just having your latch bolts set properly. So if you look at the security pin here on the left, just making sure that's set in correctly. A lot of times, too, people that install, whether they're proximity-like badge readers or they're installing these physical security controls, they're the same guys that, their maintenance guys are wearing multiple hats. So making sure these guys understand how to implement this stuff, the hardware, and install it correctly and then securely is very important. Yeah, and what I'll mention, too: this fixes and prevents all those attacks that we just showed with the plastic, the Shrum tools, the shove knife, all that stuff. Those will no longer work if this pin is correctly set. That's all it takes.

So there's a couple different other tools out there: the double door crack, or a double door tool, or the crash bar tool. You can get this, you can make them; in fact, we'll show you on the next slide one that we made. But this is really easy when there's a gap. So if there's a gap, there's no astragal or anything like that protecting, you can just shove it in the middle of the doors, turn it, and then just open the doors. In the back there, like those, these double crash bars, there's a big enough gap where you can actually put it through there, turn it, and open the doors. So that's a perfect example, those doors right there. So this is one that I made. I put heat-shrink on each side to just try to prevent scratching for wooden doors, things like that. You just get the right dimensions, you bend it, make sure that it's strong enough, and there you go. And it's small enough that you can put it in the small of your back or basically in a pocket or something. So another thing is a deadbolt on Turner. The same thing: if you have a gap there and you can get to the deadbolt, that's a neat little tool that you can turn, and it spins on the tip, so it turns the
deadbolt knob. Yes, if you look at the slides here, I just kind of went through those, but so you put it... and these are really, really popular for retail locations. So you just put it there, you insert, now you actually put it on the thumb turn, turn the thumb turn on the other side, and now the door's open. And again, the windows are super handy. Yes, windows are helpful.

Any hotel you stay in, you know, we talked, I wrote a couple blogs on hotel room security, but this is always an issue. But outside of that, corporate offices, federal buildings, I mean, anywhere you go, you find these lever handles. They're easily bypassed or opened with the under-the-door tool. I'm sure several of you guys are familiar with this. Pretty easy to make. It looks like this. On the right here, it's a video of me doing it in my hotel room a little while back, and this video creeps a lot of people out, because obviously we're all staying at a hotel. This hotel actually has these handles in your room. Yeah, saysay goes under the tool under the door, and then you just find the handle, you pull down on the string, and voila, you bypassed their biometric two-factor, multi-factor PIN and fingerprint reader and badge reader, just by putting a piece of wire with piano string under there.

So how do you fix that? Super simple: grab a hand towel, roll it up really, really tight. And this is from my roommate from DEF CON last year. Yeah, for reason, for reason stuff. So just shove it in that. Now that wire cannot get under there. If you want a long-term solution, just get something that you can put, too, on the door that blocks from going over there, because some people have to have these lever handles, right? There's some that are beveled; they'll slide off so it doesn't get a good latch on. But yeah, I think the guy on the right there is usually what we recommend to some of our clients. Yeah, and then Tim using the window, just watching it go right on the handle, so that's helpful too.

And then request for exit sensors: we love to bypass these things, because
if I were to make up some sort of a really good percentage, like 99% of the time, that'd probably be pretty accurate with the amount of sensors that we bypass. I would say tailgating and then bypassing REX sensors, that are the top two ways to infiltrate a building. Yep. So they're usually too close to the door, and their angle is too far down, so just by inserting canned air, spraying it, it trips the sensor, because you have motion from the air, and then that canned air is colder, so there's your temperature variance. Yes, so the REX sensors aren't MP of the temperature fluctuations and what signals it along with the movement. It's not just movement. Yes. Yeah, you do a lot of stuff like that. If they give you at all them did it with a with some scotch. So yeah. Yeah, I think Dave Kennedy did it with a bait. Yeah. But the thing with the canned air is that it is cold enough. So, and some of the water, could be colder water, too; it just needs to have that different temperature variance to trip the ones that read temperature fluctuations. Yep.

So here's a quick video. This shows Tim and I getting access from an external door, through two internal doors, into the target area that we were tasked with trying to access. You'll see a few things here. Tim, you know, we'll see... well, let me go ahead and say this: this is after we did it, because the client said, "Hey, how did you guys do that?" and we were like, "Oh, well, we'll record a video for you. That way you can show your guys, and now you know how." Yes. I go back, so, so this is where, with a paper clip... so the magnetic locks, like flawed things like that, you can basically completely disable those by putting something up there like a paperclip. Now, I will caution, obviously, that looks awful. So if anyone's doing door checks or paying attention, why is a paperclip stuck to the door with tape? That's one good way to check incident response. So you can see I just pull the door right open there. There's no resistance on that
at all. So yeah, we'll watch the rest of this video. Can you hear that out there? ttle okay, that's alright. So just basically, on the other side of that door is another door with a fingerprint reader and a badge reader. At this door, like, you have to badge in to get to this door, to badge in to get to a fingerprint reader, to badge in, and then you're into the target zone. So this is the fingerprint reader here. I do want to say, make sure you carry two straws with you with the canned air, at least two straws. This is pretty places I'm doing it and I shoot the straw off, like, oh, now he's trying to house dry hits, he's like, "Yeah, the straw came off." See, it struck him up, so we round to positive, put it on there. And that's just full disclosure, you know; we're not trying to go through and look like we do everything perfect. If we mess up, we're gonna tell you we messed up. So yeah, and there's actually the video of a coat hanger and hand warmer there, under-the-door tool and a hand warmer as well. Oh, just to grab petroi. Oh yeah. Yeah, when we actually opened this door, the straw was probably a good sesh, I mean, it was gone. But also be aware of chemical burns, yeah, when you use canned air, especially turning that upside down. It's no fun when you get it on your skin. So in and there, just talked about that.

So this is one of my favorite assessments to date. When they're like, "Oh, we've spent so much money on all new access controls on this brand-new data center," and we'll call it the super secure data center in Washington. And so after we were told that we will not be able to get into there, this is us doing a video of me getting into a cage. So we didn't have canned air this time, but we needed other temperature variance, and then we also needed motion, so we used the under-the-door tool that was in my bag, and Brent had a hand warmer in his bag and a Hack the Planet bracelet. Yep. And if you watch the badge reader right
about there, there, turned green. And thank you, yeah, we're inside. So super easy. Yeah, so your gates and your fences, if you have request for exit or anything like that, don't use those. It defeats the purpose. Yeah, at least into such a small cage. Yep.

So we're talking about, like, the shove bar. So if you're trying to attack these crash bars or put canned air in to trip the REX sensor, how do you stop those things? Well, the reason you're able to do that is because there's a physical gap in the door. If you remove that gap, or you cover that gap with an astragal, there's no way for those attacks to work anymore, unless somehow there's enough room to go under the door. But you can also put weather stripping and other things there that will help close those gaps. Now all those attacks you've just seen, they don't work.

Except for this. So again, back to the magnetic locks. You can see that paperclip sticking out; looks awful. One of the reasons I carry gaffer's tape, you remember the ink pen earlier where I had gaffer's tape wrapped around the top of it: so if you take a strip of gaffer's tape, just maybe three, four inches, and as long as it's at least an inch wide, you can take that off, you can stick it up there, and it actually blends in really well. And the best thing about that is there's still resistance on the door. So when they come around and they do door checks and they pull on it, it's going to seem normal, but when you need access again, you just give it a good strong tug and you're in. So also, some of the sensors, too, won't trip that that door is open, because it's so thin and they're still receiving that signal that the door is closed on some of the monitoring devices. Yep.

So again, tailgating, piggybacking, free entry: that's the thing we do all the time. Yes, question? Right, yeah, you do need request for exit, it's just the way... well, the request for exit, too, is also just where you position it. But yeah, the mag locks, I think it's just making sure you're actually
checking the doors, because what happens is people just... some people don't even check doors at all. I know their guards will just walk around and they'll badge in and then they'll go back in or out of the building. So it's important that if you have guards, that you're actually checking these doors. Pull on them, make sure there's no tape on the latching mechanisms or the magnetic lock. Yeah, there are alternatives to the exposed mag locks like that, where they actually lock inside of the door frame, so once you open it, there's not really a way to disable the mag lock because it isn't exposed like that. So there are alternatives that are a bit more secure there. Another hand, another question? Yes, that's a good question, but it's gonna take a really... well, I didn't want to eat too much. So yeah.

So yeah, tailgating, piggybacking, you know, just a friendly face, you know, you sure your charisma, or look busy. I mean, we're not gonna get into this too much, because a lot of our talks we talk about social engineering, and, you know, Jason did a good job covering that. But tailgating, again, it's one of the top ways that any of us get into buildings. Yeah, and that's just to, you know, add on to what Jason was saying earlier: it's such an easy way to get in, a very common way. It's natural for humans to want to help each other, and so unfortunately, when we have to think like bad guys, we have to exploit that, exploit people's kindness, which is an awful thing to say, but that's what bad guys do. So nice purse. Stupid bad guys.

Ways to prevent this: you know, Jason mentioned, too, like, this is a big open floor plan that's monitored. It's pretty intimidating when you walk in, right? And then having a guard there that's actually doing their job. But there are mantrap security doors; there's other mantraps out there that help to reduce piggybacking. So some of the best tailgating prevention systems that I've seen, I'm not going to be vendor-specific, but I
do want to mention one: Boon Edam. They make a really, really high-security mechanism like this one you see. It's a turnstile, and it has this cool thing called StereoVision in it, and so when someone is walking in, it will sense if there is more than one person trying to go in at once, and so it will automatically lock you in that area. It also has detection that you can set to where, if an individual is walking through this area and they've badged in and they have an item that's in the shape of a weapon, it will also alert. So there's a lot of cool things that you can tweak: pressure floor mats, things like that. So there are ways to work towards mitigating piggybacking, tailgating, whatever you want to call it.

Earlier Jason mentioned seeing the PIN, like, where they're rubbed off, it's been used a lot, you can tell which code, you can kind of narrow it down. This is a way that Brent and I like to do it sometimes: just using a Sharpie or highlighter to highlight the numbers before someone comes in, before it gets really busy, and then you can just go back and you can use the UV light to see which pins or numbers they're pushing. That way you can kind of reduce the amount of guesses that you're aiming for. Yeah, so I've put a lot of time sort of researching this. Now there are certain confess, like rubber PIN pads and things, where Sharpie is not the best medium to use. However, it's pretty common that I've seen for garages, things like that, to have more weather-resistant buttons such as plastic or metal. So if you use the Sharpies, and they have to be the older Sharpies that don't say smudge-free, so if it's just an old-school or really cheap Sharpie, then it gives you a good six to maybe eight, nine minutes before it dries, but it's plenty enough time to run up and paint the pad, clone someone's badge, and then go see what buttons they push. Again, as Jason mentioned, now we know at least the four buttons that were pushed, to bring it down to a 21. Now we have 21 guesses for that. So
it's just a quick, cheap way to try to decrease the amount of guesses you have to take with a PIN pad.

Real quick, shout-out to Deviant Ollam. He's done a lot of research for things that are keyed the same, and so this is a sample key kit that we used thanks to his recommendations. And so when you find things like DoorKing access controls, you can buy the master key off of Amazon or any other place. So when you see a common DoorKing access control, you just unlock it, you open it, and there's a postal service button that you push, and whatever door they have assigned to that will open. So yeah, police getting you through the first layer of physical, right, that barrier.

So what to look for when you get inside? You know, one of the things we like to look for: service elevators. They usually have unrestricted access. You can get to, you can use fire keys; there are keys out there that you can use to bypass badge-restricted floors. But, you know, some of the newer elevators have different keys, you know, there's different sets out there, but it's just easier to find a service elevator and use that. A lot of times, too, they don't have cameras for some reason. I don't know why that is, but it is a common case. Yeah, my favorite thing about finding service elevators is that they're often used by, you know, if there's some sort of a food crew or cleaning crew or something. The reason they use that, other than the full access to all floors, is that they are often back out of view of the public. So when you're using this, you're not in the main lobby most of the time, where it's easier to be noticed. You're back out of the way so that you're not getting in the way, and so it's a good find. Also, if you're wearing, like, a maintenance outfit or something like that, it's more appropriate for you to fit in, and no one's really going to question why you're entering the loading dock area and going to the service area. Or a hi-vis vest, right? There's so many things.
padlocks there's a lot of really bad ones there's some master lock is not the master of much yeah does anybody notice the theme with our pictures up there yeah so there's several ways to bypass these you know shims things like that we usually carry a handful of of shims on us in case we can't pick the lock or or something or have a harder time if it's a combination lock it's easy to bypass combination locks with the shim if they've got the hook on both sides teeth on both sides you can use two shims Jong on some of them you know there's a lot of good locks out there too so just make sure that when you're when you're getting padlocks don't don't go to Walmart and just buy the master locks in the hardware section yeah if you really want to protect it and you know don't do that and there's even one you can google I'm not going to point it out but there's one on here that you can open simply by hitting it in the right spot with a hammer yeah see yeah if you guys go to any lock picking village at any hacker con you're gonna see a bunch of these locks why are they there it's because they're they're pretty easy to pick and that's usually where you can get started yeah beginner locks and they if you whisper gently to one that will open as well so we like to look for hinge pins a lot of times in commercial settings with the proper doors this isn't really something you see a lot however there are times where we've been on commercial style sites like warehouses things like that or they just want a quick entry door and they expose the hinge pins externally so you don't need to unlock the door when you can just take the door off it's amazing too when the client does you're in something like that property management it's that's when I did some of their doors they had the hinge pins outside but they had they had a retinal scanners yes so it's like man you just made a lot of money to put that fancy eyeball reader there yeah let me use my ten dollar tool yeah so the banget is a 
handy little tool that just you know you can just whack it real real hard with a hammer or whatever you're not gonna carry a hammer on you but you can pick a lot of different things to just like a bump hammer bump hammer we invite these that actually works with it so it just knocks the pin up pretty easily a quick fix for that if your hinge pins are exposed and there's not really a way to mitigate that what you can do is buy these really cheap things called security pins like the door hinge security pins so you take one screw out on one side one screw out on the other side leave that hole open and on the other side you put this guy in so now when the doors closed this actually goes into that so even if I take those those hinge pins off I can't lift that door up now because it's stuck into place so and they're pretty cheap too that's it's a cheap remediation so keys fun story Brent and I got into a security control room picked their they had a like a wafer style lock on an aluminum box that housed their keys so we were able to pick that really quick we got in there and then we were doing an assessment at a different data center a couple days after it's same client different location when I ran there were like holy crap look at this key and they marked it and it said XYZ data center huh and so we took a picture of it we went to Lowe's we bought a file key blank key and we played arts and crafts in our hotel room lobby for for a while and it worked yeah drew Culbertson help with that too you know so don't take don't take pictures of your keys either and put them online because of stuff like this because that's exactly what we do they just took different angles got close we measured it all this stuff very highly technical arts and crafts but there are also on-site field duplicator kits out there too or you can actually duplicate while you're there yep badge emulation sometimes you don't have to clone a badge there's been several times where we've just seen what 
they look like go back to the hotel craft something up in Photoshop or your image editor of choice and print it off we've even had a guy that we know that you got access to a pretty secure area with just a piece of paper that he drew on with some random thing with a red crayon yeah I got him random marks I got access to a health it was like a health processing place and got inside I found one of their letter heads and I had a sleeve for a badge an HID badge if I want their letter heads like their envelope that had their logo on it cut that up and I cut another thing and I made a made a badge just by cutting and putting layers of other stuff you did that while you were inside of this yeah I did it inside I did it in a conference room while I was setting up a access point to make sure they could read it from the parking lot and I was just super cutting it out I locked the door to make my own office so it's pretty fun yeah it's fun yeah if you can find a conference center or a conference room or an office you can get into it's pretty cool go in there and you just lock the door you plug into the network and you do whatever and then when someone starts knocking they're like one second I'm changing or something like that you know just to okay come back there's a lot of different ways you can you can do that badge cloning we do a lot of badge cloning as well some clients like to know hey is our badge easy to clone or replicate and most of the times it is because people go with the stock HID badges you can use several different things to do this our favorite is just the proxmark there's a couple there's newer versions of this but the proxmark 3 and the proxmark very easy that's kind of our defaults we usually set one to low frequency and one to high frequency there's different ways to do this there's toggle pins you could have the same the same or a beat reader replay and stuff you can set it to low or high and just toggle that but this is just kind of our setup in one 
appoint go back real quick so this this is from dangerousthings.com it's a little wallet size RFID checker and so when we are not sure if someone's badge reader is in set to low or high frequency you can walk up to it with this and it will flash and tell you if it's low or high frequency just fits in your wallet too and it's a little powered thing and it will glow whether it's low frequency or high frequency yeah cool so one of the things we love to do with clipboards we like to I guess weaponize them that's still the cool terms that I use but we basically put a badge cloner in there this is my cheap quick setup you can tell I took the proxmark I just used some gaffers tape to fix the antennas and the device and then a battery inside of course on the top all the way papers on top of it like you know some printouts to make it look like it's something legitimate for whatever the case is one of the things I like to do is inventory so I'm doing an inventory of I'm getting the serial numbers off of the servers for different things I walked up to a security guard and I was like went over to the security system and I started writing stuff down he didn't really he was like we do it I'm like oh we're just taking inventory because we're gonna replace these later just need to get the serial number and then we had a conversation established rapport and he let me in a bit a Center later but using the clipboard is a handy prop this is a fancier older version this is Tim's of my covert clipboard fancy-shmancy you know so I've just got a Pi in there I've got a few different antennas on the top there and I've also got the proxmark there he can watch Netflix with it too yeah I got a wireless wireless USB that you can SSH into so you can as somebody else can just as you're sitting there reading badges they can clone them from the car or something I like the wave at the end so this is actually one of my favorites yeah love this one is a great favorite stories Brent and I it was a 
really highly secured facility and we knew it was gonna be hard to get into there because we did an assessment there a couple years before we also knew that some of the people there watch our Def Con talks and such and we found that out during yeah during which is funny because they let us in we tailgated and we're going through like they turn it around they're like wait a minute like aren't you Kevin branch away like wise like I saw your talk at Def Con it was like are you social engineering yeah I know and they say are you are you doing an assessment against us right now and we're like no man we're just here to meet with through everything I was like okay I'm going to keep my own we're like all right all right while you're keeping your eye on this we're gonna go sitting here in this conference room while we're waiting for so-and-so so it was like his desk is right on top I start running yeah we both like the phone so I get that Network tax that's ten plugs directly in the wall so we're both sitting there with our laptops that both have these this is a laptop it's got hacker stickers all over it and we're facing the dude so he sees the back of the laptop and he's just sitting there looking at us and talking like whatever he's talking about to his coworkers so I you know make a fake phone call it's like oh that sucks you're not gonna be able to make it all right all right we'll meet you at the other place and like a man's phone so I can't make it sorry to bother guys we'll see you later and then we yeah because the garage goes straight so yeah yeah we walk out of there with some information yeah it was fun all right so but real quick on this this guy here how do we get into the building Brent and I had set those badge readers we shoved them in a coffee cup and we shoved them in a muffin bag and then we went out where actually people were smoking we hung out pretend to be smokers as well which you know there are still some smoking areas some places there's not 
anymore but this place fortunately had one and we went over the guy had a lanyard and it was the same color as mine it looked like from a conference and I had my coffee cup I was like hey man you got that same same lanyard yeah and I had my muffin bag and I was like oh we both cloned his badge and then we waited for her to go and we just went to the front door and I'm using his badge to go through the front door as he went into the back door but the funniest part about that was as you go in the main door there was the guard station right there and with the glass and there they can be conscious of who's coming and going so the employee uses his badge ten badges in with his coffee cup and then I badge them with my muffin bag you know the female name right there's a dude here and there's a female name just popped up using that badge it's the same thing if the guys badging in three times in a row that's probably uh there's something going on there right something's like we used that same badge to badge in across the facility and he went upstairs we went downstairs we gotta have a data center using his badge yeah so this is one of my toys that I like this is kind of a long long range low frequency cloner kind of a big footprint seen at a decent size backpack for it but it's cool I can set it up somewhere clone badges connect to it wirelessly and see what I have and then use a smaller proxmark to write that badge if you've seen a mr. 
robot too that's that's what they use in the coffee shop there so this is a I actually got this from a security guard walk up to the security guard was just making friendly conversation Brent was talking to him distracting him and I cloned his badge and then I got through through the okay last man trap using the security guard's badge which is handy security guard badges are great to replicate because they have access of everything so so Tim is holding the badge cloner his hand like this and he's talking to the security guard early career and they said this is the guards badge and he's like you thought yeah man he's and he's getting it sets in there like pushing the button doesn't know what I'm doing I was just consumer tried it this one to get caught and we're like yeah and while he's talking to the guy looking at him he just does that clueless he didn't even I don't think he even noticed Tim just put his hand up to him yeah it was amazing it's awesome there's different little things you can do too for example the garage readers this is what actually built his his proxmark into to get that heart that bigger antenna but the garage readers here you can use a BLEKey you can use ESPKey these are things that you just plug in a little vampire clips plug in there any can bluetooth into it and you can replay as people badge in and out you can replay their badges via bluetooth yeah and they have a mobile app too which is super handy so just as you walk up to it you just pick what badge you want to replay and you're you're in so we're gonna speed through the rest of this here running sometimes so yeah USB attacks don't expose these things where anybody can walk up and just plug something into it this was from a pretty large place they were remodeling so excuse our mess I'm just like okay thanks for the freebie there don't do this if you don't need USB ports on your systems disable them physically block them or just disable them here's some of the you know attacks you can use 
you know whatever Hak5 comes up with their verbiage name in there we gave them some name options there at the bottom if if Darren wants to use any of those so one of my favorite tools too it's it's basically the rubber ducky but it has a wireless access point into it built into it so when you plug that in and there's a really cool mobile app and these things are super cheap so once you plug it in I connect to the access point on this thing and I inject whatever commands I want directly into that system it's really cool disguising your USBs to like this go my internal putting tape on it says do not remove yeah do you notice a theme there so you see that and then on this next one speed test you know I'm gonna remove all of my all of my devices that I drop I put that on there big yellow tape because I don't want somebody saying oh I'm not totally even that old-school a capo employ years ago have you know we still use that case like sometimes because it's a people don't really question it you know unless you've got your don't don't use what I'm saying is don't use a Raspberry Pi with a clear case and all your hacker stickers and antennas sticking all over it well oops oops so another thing to look forward that's the top of my head cuz Tim's a lot taller than I am taking a picture that way yeah we're here in the we're in the server room and they had their camera system there so why not you know disable the cameras for a bit or whatever else we wanted to do with that particular system and this other side is funny I got into a human resource like a dimple lock I was able to pick it and get into where they store employee records and they kept the Social Security numbers on the top of the things with the names so it would be like like Street Jason and then it's so that's how they organized everything so I took a picture of that and then I had like I don't know how many identities in one picture yeah is that the one or is it a different one where you are point of contact 
you actually pulled it it was his yeah I found the Donskoy record and I stole it and then I went to his office where he wasn't there we got into his office and our latest his employee record on his desk with a post-it that said here you go in our card which later on he said man I can't see that this is a funny one too they so we had been in this place for a while and this is Tim on top of a vending machine with his head in the ceiling or to the right right here was the entrance for the cafeteria this was at lunchtime people weren't going in and out for lunch no one stopped and said hey why is that guy on top of the vending machine with his head in the roof and why was I doing because in front of me is the data center and they didn't have a firewall or floor-to-ceiling yeah and so I was able to write all over it you know again your shredder bins don't have crappy shredder bins yeah we had this game we play where we stick our hands in there and pull it out and it's called shredder bin bingo so whoever whoever gets the coolest document wins and the other person buys them a beer or something later so unlocked workstations we always look for this stuff you know if it's already unlocked and you know thanks for the help you guys have done us a solid it's kind of hard to see this but this was this was left unlocked and it was on product price management so that that could have been leaving keys in your server racks that you're trying to restrict and keeping ladders in there for us because this is funny because if you look at the top where they run the cable this is segmented because it's two different companies I fit through there just not why I stay out yeah if you want somebody to stay out of something don't put that on there because then they're going to go in there yeah so what was in there was a bunch of keys to desk yeah in an unmarked that I was like well I have to take a picture of this so Jason mentioned this too post-its and then writing your password underneath 
the keyboards you know yeah it we'd see this all the time I'm home all the time all the time and it's ridiculous we also see yeah but wait there's more these yes I have I have seen probably I don't know I've seen probably ten of these and burned the last few years because you know targets and stuff they sell these things and and it's actually literally titled you know your password log book yeah password yeah don't use those just to speed through this because I know we're kind of running over a little bit you know a couple different assessments where you just establish that rapport you get close to them you get nice with them even tell them that you're like this security guard that I'm making laughs Brent and I went up there that I reckon them to be an auditor Brent was one of the guys from another office who was a manager and he was escorting me as a contractor they're doing a NIST assessment he's wearing and I was wondering how they handled their badges their one day badges and such and she began to explain to me and I said oh do you have these badges are these badges active yes here's a whole binder full and then they give me like a binder full of badges and I've got that board there and we'd like this like Tim once you go around there and sit it looks like it's gonna take you a while so he's sitting behind the desk next to the guard putting these on top of his clipboard cloner yeah she didn't say anything he would pull one out and it's plastic and so the cards plastic ins to read it he would lay it on there and like kind of go everybody knows like reading you know making it always like and she never thought okay why is this guy rubbing all the cards on his clipboard and then putting them back in just to like this lady was super nice so she had a picture of her daughter or granddaughter playing soccer and Brent began to talk to her about you know the soccer game and their kids and stuff and while they did I said hey I'm doing a network assessment test I just 
need to get access to your system to the locker system I plugged in a key logger then I said actually you know I need to check one thing could you log back in and then she logged back in that's okay thanks I'm Brent the continues talking to her and now I've got her domain username password and then I was like all right I think we're wrapped up I need to get your name first cuz your name if your name spelt weird I was like can I see your badge so I can write it down because it was a long name it was a mouthful she was a girl sure gave me her badge and we cloned your badge and wrote it down I felt so awful because he said he felt so bad after that he was like man I feel like I got a fun girl voice I apologized to her so I don't care Tim's a jerk yeah clean desk policy again into some things Jason talked about earlier you don't very high password management is not a post-it so well you do the security awareness training if you do if you lead your security by checkbox you're doing it wrong stop just because you want to be compliant doesn't mean that you're secure just because you've met some standards doesn't mean you're secure just because you do a annual security awareness training with a few questions at the end of your fancy slideshow doesn't mean you're secure and it certainly doesn't mean that the employees that are taking that are going to retain that information and apply it so this is where security culture needs to take place and it needs to over take precedence over security we're answering now check check box security that's a good baseline to get start you obviously need that but consider real-world scenarios actually push it to the limits put more budget to that so this is this is from Google but you'd be surprised how many times we've seen really stupid stuff like this you know don't leave gaps on your door and you guys can read this I know we're running out of time and we're here at our last slide but yeah if you guys have any questions or anything 
you'd like to talk to us feel free to meet us after in the in the hallway or just follow the zanshin hacks on on twitter brent w design or just nttsecurity.com cool yeah thank you guys [Applause]
Info
Channel: Adrian Crenshaw
Views: 147,548
Rating: 4.9128571 out of 5
Keywords: irongeek, security, hacking, infosec, New, Orleans, NolaCon
Id: eft8PElmQZM
Length: 54min 50sec (3290 seconds)
Published: Sat May 18 2019