It’s story time! Today, I want to tell you the tale of the time I very nearly got caught on a physical penetration test.
Target: Medium size office attached to manufacturing facility.
Goal: Gain physical access to the office area to plant a dropbox.
A couple years ago when I was first starting in infosec, I got a series of jobs from the same company. 10 of their buildings all over the country. Office buildings, manufacturing facilities, distribution centers. For those who don't know... that's a LOT of targets.
At this point, I didn’t have any covert entry training. I was almost solely relying on social engineering and ideas I’d picked up from life & talks on YouTube from DEFCON.
A very handy trick I learned early on was that usually, anyone with what looked like an employee badge tended to have a free pass most places in a large office. I was able to photograph and recreate one of their employee badges. "In Badge We Trust."
I didn’t have a badge printer. I printed their design with my photo out on a piece of printer paper, TAPED it to a plastic card, & stuck the whole Frankensteinian creation into a fancy leather badge holder.
After successfully getting into a couple of their buildings this way, I decided that I had made my point. I needed to try something different. So, while I was at the third site I rummaged through the receptionist’s desk and found a visitor’s badge.
Some people have asked if I take “trophies” when I successfully breach a building. I usually leave more than I take (dropboxes, USB drops, listening devices, etc). If I take anything, it’s something like a business card or a visitor badge. Maybe some candy…
I showed up at the fourth site in Dallas about a week later. It was a sunny day around noon. I sat at a picnic table near a side entrance with my visitor badge & a Lunchable to see if I could tailgate into the building or convince someone at lunch to let me in.
A few minutes after I arrived, I watched as one of the site’s guards came out of the side entrance and sat down at a table beside me. I smiled at him, playing it cool. I had my badge and felt like it gave me enough credibility that he wasn’t going to pay much attention to me.
He was a big man, broad shoulders, balding head, a small gut hanging over his belt. He smiled back as he pulled his lunch out of his bag. As soon as he smiled at me I knew he was a talker. Which is, by the way, an excellent quality in a guard.
“How are you doing today, miss…” He looked at my badge hoping to get a name. His brow furrowed. “Oh, you’re visiting us?”
“Hi! Sarah Whitman, I’m with Employee Vibe. What’s your name?” I used my alias & reached over to shake his hand.
Keep it simple and ordinary. Keep the conversation off of yourself as much as possible. Don’t offer answers to questions they haven’t asked.
“Nathan,” he replied, brow still furrowed. “Employee Vibe, huh? What do y’all do?”
“We help companies determine employee satisfaction,” I answered. “A third-party middleman that can ensure anonymity of the feedback and such.” I couldn’t understand why he still looked perplexed.
“That’s interesting. And you’re working with us?” He asked.
“Yeah, we were contracted a few months ago. I’ve been doing the rounds. But this is my first time in Dallas.” He seemed like a very friendly person. I was hoping he’d want to give me advice on what to do in his city.
He didn’t bite. “Sarah, did you check in with the front desk when you got here?”
I was getting a serious sense that I was in dangerous territory. Something told me that there was a very specific reason for this question. “Um, no. Not yet. Why?”
Nathan nodded. All his attention was on me, lunch sat forgotten on the table. “Because Miss Sarah, I’ve been at the front desk all morning and I know I never checked you in. I remember faces. I also know I didn’t check you in because that’s not the visitor badge we use here.”
“Oh, it’s not?” I looked down at my visitor badge, inspecting it. “Well this is the one I’ve been using at the other sites I visited. Well that’s ok! I don’t mind picking up another.”
I tried to blow it off and change the subject. But Nathan insisted on taking me to the front office right away and trying to get the badge situation sorted. I went along with his questions and answered them confidently. I tried to keep the mood light & keep conversation flowing.
I. Felt. So. Foolish. I expected the visitor badges were the same across the company’s nationwide system. This, boys and girls, is why we don’t make assumptions and do thorough reconnaissance.
There were obviously questions that I couldn’t answer, and to these I just shrugged and played it off like I was just another cog in the system. I made a couple “phone calls” to my boss who knew our contacts in the company. He was conveniently unavailable.
At this point, I just wanted to get out without getting properly caught. After about 10 minutes of not being able to get in touch with my boss and my new friends unsure of what else to do with me, they let me go.
I felt like I did well at setting them at ease, but Nathan’s attentiveness had made me more wary. I needed to lay low for a while.
Normally, I only have a few days on a single physical assessment. In this case, the job was in my home town. I took advantage of the proximity and with the blessing of my client, took two extra weeks to do surveillance. Do you want a realistic adversary simulation or what?
I parked in a spot across the street from the target-location and watched. I watched the changes of shift and found out when the cleaning crew & dump truck came and went. I observed when people actually left work and figured out who the over-achievers were.
I learned so much by simply being patient and watching, hidden on the other side of the road, in a disguise and driving a different rental in case Nathan or his friends caught sight of me around the area.
The most profitable information for me however did not turn out to be the schedule employees were coming and going or when the guards did their rounds. It was that there was a small on-site cafeteria I didn’t know about previously.
The vendor arrived twice a week to restock the café’s supplies. A lanky man in his 30s who didn’t seem to know quite what planet he was on. He would walk to a side entrance (looking down at a clipboard), only to get to the door and realize he had forgotten his key card.
A walk back to the van and he’d bring the keys back. What followed was 2-3 trips into the building with a bulky cart brimming with sodas and chips and protein bars. He’d occasionally drop some things and always struggled getting the cart through the door.
Think Mr. Bean... not quite that bad... but it's a fun comparison.
Are you seeing where I am going with this? I never said I was nice.
The next time I knew he was due for a visit to the facility, I arrived a bit before and parked near the side entrance he used. I waited till his van came around the corner and he had gone back and forth from the door to his van for his keys.
As he was carting his first batch of goods to the entrance, I got out of my rental decked out in a wig, glasses, & much nicer business attire than I was wearing the first time I was there. I was on my phone, seemingly talking to someone inside using my best Southern Belle.
“Yes ma’am, I’m here. I checked in with the front desk, I just forgot my purse in my car. I’m just having one of those mornings. Hold your horses, darlin’ I’ll be right there.”
Right at that moment, Mr. Vendor’s cart went over a bump in the sidewalk and several bottles of soda fell onto the ground. “Oh goodness, Karen I’ll see you soon,” I said to my imaginary phone buddy and put my phone away.
I rushed to help him pick them up and he apologized several times. “Oh hunny, don’t you worry, we all have those days. I left my keys in my house this morning when I went to my car and now I’ve made myself late to a meeting by forgetting my purse.” Building rapport.
As I was talking, he continued pulling his cart towards the door & badged in. I held the door open for him as he wiggled his bulky burden through the two sets of entries controlled by badge readers. All the while we were chatting, and I was still holding several bottles of soda.
Mr. Vendor had obviously not gotten the same tailgating training as everyone else. The company needs to set these people up for success. Provide training, or have a guard accompany them. This helps to protect the entrance & gives the vendor an extra set of hands. I digress...
Past one set of doors. Past two. Now I’m in the guts of the office building. I helped him get everything to the cafeteria and then said my goodbyes. I found an empty conference room and planted the dropbox. After talking to my team & making a little more mischief, I wiggled out.
So much of what I’ve learned in this field, I learned the hard way. I’ve had to feel around in the dark and make semi-disastrous mistakes, like this one. But there are SO MANY resources out there now. So many people who want to help those new to infosec build their skillsets.
The covert entry training I received from The Core Group has been absolutely priceless.
And people like @tinkersec @_sn0ww @malcomvetter and @jaysonstreet are some great folks to follow for pentesting/red teaming adventures, just to name a few.
As always, I LOVE sharing these stories with you and I hope to keep them coming. Keep being awesome, y’all and stay legal!
If you want to learn more about covert observation, there’s a surveillance course being taught by Robert Pingor & @iamredshift of @redteamalliance. I’ve worked with them and been through some of their classes. They are fantastic at what they do.
If you’re interested, here’s the link. And you can contact Robert directly at beta@enterthecore.net.
Keep Current with Jek Hyde
