Happy Hump Day y’all, it’s storytime!! It’s been a while, I know. I hope you forgive me. I’ve been busy getting into trouble and collecting more stories to tell.
For newcomers, hello! I’m Jek and I get paid to legally break into buildings. Yes it’s a real job and yes I love it. Occasionally I get to share some of my stories with you crazy people.
You guys LOVE stories about when I wear my fake pregnancy belly, which is funny because I almost to use it. But here goes!
By the way, the “baby” is named Mercedes… because she puts me on the fast track into buildings... Cheesy, I know. But it's been 3 years and it still makes me giggle every time I say it.
A while back a client wanted a physical-to-internal test in which I would try to break into their headquarters and plant some rogue devices (Ma! Ma! Look! I spelled it right this time!).
There were a couple types of these rogue devices in my kit. The first was a little raspberry pi that would allow my fellow hackers access to the internal network, thus beginning the internal pentest.
I also had several keyloggers, physical man-in-the-middle hardware devices that I had to plant between the keyboard & the computer. This could include usernames and passwords, & sensitive technical or financial info.
These weren’t the fancy type that would email the results to you. It was only locally stored. This meant I would have to break into the building AGAIN in order to retrieve it and get the goodies off.
You might be able to guess that these jobs would take a real criminal weeks or months to scope out. If I were genuinely worried for my hide (jail/prison time, a criminal record, getting SHOT) I’d be taking the same precautions.
I want to know EVERYTHING. Is your facility 24/7? When do people leave/arrive? Does anyone show up on holidays? What sort of clothing style is common? Is there a café or restaurant inside?
What do the entrances/exits look like? Who handles the trash/janitorial services/plumbing? What’s the lighting like at night? Do you have blind spots in camera coverage?
I could go on but I think you get the point. Side note, an awesome movie that walks step-by-step through this on-site surveillance process is called Street Thief. It’s one of my favorites.
Where a real criminal might want weeks for a target, a contracting or internal red teamer/pentester has days. The short time frame testers are generally allowed has become an offensive security testing trope.
In this case, for a large office building in the middle of a major industrial part of town next to a POLICE STATION… I was given 4 days. Yeah. Not ideal. But that’s a cool part about my job. I’m not going to jail. Well… not for long.
Because I have so little time in the city, state or country my target is located in, I want to find everything I can about it through OSINT. I spend ridiculous amounts of time on your employees’ Instagrams, Youtubes, Facebooks…
What I find for this location is several photos/videos of office parties and various other shenanigans around the building. Now I know the office layout, rough schedules, and what the badges look like.
There are turnstiles to get into both entrances so tailgating isn’t going to be an option here. They use iClass SE Elite with special protections against cloning. I salute your security design team.
Day 1 onsite. I approach my target building. It was pouring rain, & the forecast says it wasn’t going to stop the whole week. Between the rain & the crowded parking lot I didn’t get much helpful information.
Day 2. Taking the average of these two days, it seemed most employees left around 5pm and the building completely emptied out around 6:30-7pm. Not even a guard was left after 8 pm. Good news for me.
On day 3 I decided to go for it. I waited till roughly 6 pm and arrived back on site. I stepped out of the car into the rain with a backpack containing my rogue devices & my pregnancy belly strapped on tight.
FAQ: Do I keep things in the belly? NO. Why? Because when people see a pregnant belly everybody and their Great Aunt Lucy and their creepy neighbor Steve wants to put their paws on it. Quick as lightning…
When those sausage phalanges reach out without any sign of consent from the belly’s owner, I don’t want them to feel hard plastic or styrofoam.
I like a silicone belly with a thick adjustable Velcro strap. The silicone is great so they get the real-flesh feeling before I say, “Excuse me, you shouldn’t touch people without permission.”
Anyway back to the story… I was drenched within seconds. Synthetic wigs are some of my favorite things in the world. But they are miserably itchy when they get wet.
I ran to the covered entrance and pretended to dig through my bag. Finally I opened the door and went inside, soaking wet, panicked, and 8 months “pregnant.”
The young guard behind the counter looked stricken as I approached him. I quickly read his badge. “Hi Aaron, I was upstairs for meetings today and I lost my keys somewhere. Did someone turn them in here?”
“Um..” he started looking, rummaging through drawers and ducking back into a side office. He came out looking apologetic. “No ma’am, I’m sorry. No one has turned anything in.”
I let the bad news hang in the air for a second. One hand went to my belly and the other to my face as I rubbed my eyes and leaned against the desk in emotional frustration.
“I have to pick up my son from daycare and I’m already late. My husband is going to have to pick him up and bring me my spare key if I can’t find it. Can I please go upstairs and look real quick?”
My hope was that he would just buzz open the turnstile and let me through. But I’d played my damsel in distress card a little too well. He insisted on accompanying me to look for the keys I hadn’t actually lost.
Since I knew the layout of the building from a very generous “tour” given by an employee on YouTube, I was able to lead the charge. This gave a lot of credibility to the story that I had been there before.
We spent about 15 minutes looking before I gave up & sat down hard in a chair. “I can’t believe it,” I said, sounding like I was about to cry with my head in my hands. “Thank you so much for your help, Aaron, but I am going to just call my husband now and have him pick me up.”
My goal was to get him back to his desk so I could plant my devices. And it worked. He was very solicitous, asked if I needed anything, & also asked for my number just in case someone turned the keys in.
As he was walking away he turned around and said, “Just so you know, I’m leaving now and the building’s alarm system turns on at 8. Do you think your husband can be here before then?”

What useful information… “Oh yes I will be out by 8. Thank you so much, Aaron.”
I stayed there for a while. I walked around the office space and looked out the windows. Only two cars, one mine, the other parked in a far corner. I watched as Aaron walked to it & drove away.
No more cars. Parking lot empty. Building silent. It was barely 7. I had an hour to plant the raspberry pi, install the keyloggers, & search for other sensitive information. Here’s a rough timeline of what transpired.
7:20pm. I found a messy desk with terrible cable management beneath it. I installed the raspberry pi there. This person won't notice a couple new wires. This is one of the reasons a clean desk policy is so important. You have a dirty desk and you're immediately my target.
7:30pm. I open the filing cabinet next to the desk and sure enough, there’s a journal with a list of passwords on the very last page. Not just work credentials, but login info for social media accounts, utilities, banking…
PSA: If you think putting your creds on the very last page of a book is a unique and secure idea, I have some bad news for you. Literally every time I break into an office I find a bunch of these.
I sign onto her computer, pop in a Rubber Ducky, and off goes the shell to my team.
7:36pm. I turned my attention to planting the keyloggers. I needed a physical connection between keyboard & computer to make this work. Almost every keyboard in this office was Bluetooth connected. Drats.
I had 4 keyloggers. I walked through the entire office & found 2 keyboards with wired connections. I planted the keyloggers & kept looking.
7:42pm. I’d like to get out of here soon. I’m seeing motion sensors everywhere. I don’t want to lose track of time and risk being in the building when the alarm is activated. This belly is hot. My wig is itchy.
I’ve run out of options in the open-plan area. I start looking into private offices. Bluetooth keyboard. Bluetooth keyboard. Bluetooth keyboard... Is that a cable? It’s dark, I can’t tell. So I reach for the light switch.
Flick… Flick. Flick… nothing. The light in this office wasn’t turning on. The clock was ticking. Whatever. I needed to see this keyboard. So I turned on the flashlight on my phone.
I approached the desk and *yes* there was definitely a wired connection. I set down my phone so the light was shining on the computer, unplugged the keyboard cable and --
“Hi there!” a friendly voice said. My heart leapt into my throat & I jumped two feet backwards. There in the doorway was the silhouette of a man.

Here's some actual footage of my face in this moment
As he came into the room and into the light I recognized him from my recon.
This was the CFO of the company. He just walked into the room. A dark room. Where I was standing. All by myself. With a flashlight. Pointed at a computer. With a cable in my hand.
He came in with a smile on his face but as he took in the scene the smile slowly turned into a confused expression. I had to take control of the situation back. Fast.
“Aaron came to me before he left,” Mr. CFO said. “He told me you lost your keys. I’m so sorry to hear that. Who were you here meeting with? Any idea which conference room they might be in?”
“Mr. CFO. It’s really nice to meet you,” I said, reaching back and plugging the keyboard back in, pretending like I was feeling behind the computer. “You scared the crap out of me, I thought everyone left for the day.”
I have to be honest with you all… I was shaking. I was so convinced that the building was empty that I had let my guard down. Far too much.
He smiled, still confused and said, “I am usually the last person to leave for the day.”

Luckily I had looked at the nameplate on the door of this office before I entered. “That's admirable,” I said, reaching out to shake hands. “I’m Teresa. I was here meeting with Jessie.”
He took my hand still looking confused. “Meeting with Jessie… ok.” We were still standing in the dark. I laughed and grabbed my phone. He tried the light switch and it didn't work for him either.
“I was looking for my keys here, I thought when I set my stuff down in here maybe they fell,” I grabbed my phone & pretended I was looking under the desk for the keys. I was doing my best to turn this suspicious thing into a prop.
“Well, um… Teresa… Would you like a ride? My wife is picking me up soon…” his wife picks him up… no wonder there was no car in the parking lot. “I’d gladly give you a ride home.”
He wanted to see me out. He wanted the comfort of knowing that I had left the building. But I had set my pretext with Aaron. My husband was going to come to my rescue… eventually.
“Thank you so much, Mr. CFO, but my husband will be here any minute,”

“Ok…” he said. “Well good luck. I hope you have a good night.” He walked out and I thought that was it. I took a deep breath and my heart stopped beating so fast. I’d never been caught so red-handed before.
I walked out of the office and there he was again. He wasn’t a few feet away from Jessie’s office door. “Are you sure you don’t want a ride, Teresa?” He asked, pulling his umbrella out from his bag.
“Yup! Thanks again!” I smiled at him and waved. I walked back to the conference room and he walked downstairs. I heard the door shut behind him. I was now officially (I think) alone in the office.
7:50pm. I look at the time. Damn it. I have to get out of here. I watch and wait for the CFO to ride off with his wife. I grab my things and leave the office. The pi is in place. We have one shell. 2 keyloggers are logging. That’s going to have to be enough.
There’s a police station next door. If this guy is here every night till nearly 8pm, he’s probably got friends in blue.
I woke up the next morning early to a series of texts blowing up my phone. The campaign was over. No further testing was allowed. Why? What happened? I called my point of contact to find out.
One of the two keyloggers I planted died. No particular reason that anyone could tell, other than maybe crappy soldering from manufacturing. We tested and tested it. Equipment malfunctions are the worst.
The keyboard belonged to a guy who worked in tech. Because of course it did.
He immediately knew what the little piece of hardware was and took it directly to his management. Simultaneously, Mr. CFO was making phone calls demanding to know who I was & who I was with.
He had figured out pretty quickly that Jessie had no idea who I was. He asked some of his law enforcement friends to come look around shortly after he left the night before. I must have just missed them.
A sweep of the office ensued. They were looking behind every desk and under every table. Before 8:30 am they had found both keyloggers AND the raspberry pi. The situation escalated till the security team who hired me got involved.
There are moments in physical penetration testing - much like in actual crime – when your plausible deniability goes out the window. The Moment of Dedication when you might have to give up the safety of your pretext.
The moment you jump a fence you go from being a pedestrian to a trespasser, slip someone else’s stuff into your bag you become a thief.
In my case, I started off as a poor pregnant woman who lost her keys and the moment I ducked behind someone’s computer in the middle of the night with a flashlight I became workplace enemy #1.
The name of the game is to minimize the frequency and duration of sketchy activities as much as possible, do your best not to get caught when you do them… and to do them smartly.
I learned some lessons from this campaign. I made some mistakes that I’ll try not to repeat in the future. The first is not to lose my cool under pressure of time. I made silly blunders because I was in a hurry.
Second lesson is that the flashlight just isn’t worth it most of the time. Nothing screams *SUSPICIOUS* quite like a person standing alone in the dark with a flashlight.
The third is that I should have been paying more attention to where I was leaving the keyloggers. Taking the time to make sure you’re leaving it on an appropriate target’s computer is wise. Someone in HR or finance maybe… Ideally someone who won't immediately know what it is.
Their security performed well in the test! Covert entry would have been difficult because of the turnstiles & badge technology. Someone let me in, but he made sure to pass me off to an authority before he left.
I personally think Mr. CFO did the right thing by leaving me in the office. He didn’t know me, & felt something was wrong. I could have had others with me, or might have been armed.
He immediately contacted law enforcement and started making inquiries with his own staff.
What do you think? What would you have done differently? Do you think they responded to the incident correctly? Are these stories helping you as members of security teams, offensive or defensive?
I love hearing from you so keep the conversation going. I’ll keep the stories coming as I can. Stay legal! I hope to see you at Hacker Summer Camp!
And yes, I recognize the irony in that while I was telling this story I was in such a hurry that the thread isn't as organized as it should have been... I fudged up guys. I'll put the whole thing in a Moment so it's cleaner.
Keep Current with Jek Hyde