37 tweets, 7 min read
I had to pull out all my elicitation tricks during this investigation. It was incredibly personal, but left me feeling very confident in my abilities to get at what information I needed.
I first started helping friends with OSINT, vishing and phishing, and that quickly led to working with them under contract on actual pen tests.
There was just so much crossover with skills I already had with journalism and the investigation. I proved to be quite helpful.
I began taking more of a lead during the cooperative tests. So much so that when the company took on a flood of physical pentests, several of them were assigned to me personally, without real backup from my colleagues, who were all backlogged with their own projects.
Which launches me into my Very. First. Physical. Penetration test.
The target: a large manufacturing facility. The goal: to gain physical access and gain proof-of-concept access to the network.
It was set away from any major roads and there was very little information I could gather from satellite or street views. The target location was several states away from me, and the client was only willing to pay for 2 days on-site.
I started doing homework. I read everything from @humanhacker I could get my hands on. I started watching @ihackstuff talks on a loop. @jaysonstreet became my spirit animal.
And I formed a plan.
The first day on-site I called the VP of the facility, info I found through LinkedIn. I spoofed my number, making it appear as if it were coming from their headquarters.
I claimed to work for human resources, telling her we were going to start outsourcing hiring for their branch to a third-party hiring service. The rep for this service was going to be at the facility the next day to do an "observational assessment."
The VP, we will call him Carl, was flustered. "I wish the folks at corporate would warn us when they were making these changes. Fine, your rep can come tomorrow. But please tell her not to come before 10 am. I'm taking my jeep into the shop."
The poor man proceeded to vent to the HR lady (me) all about his very frustrating battle with his beloved jeep, and how he hoped this service he was getting in the morning would make it right.
He didn't realize that he had given me very important pieces of information. That he was having problems with his jeep, and that he wasn't going to be in the office before 10.
So I showed up at 8 am of course! I waltzed up to the receptionist, presented the fake card I had made for the recruitment agency, and asked to see Carl.
"Carl isn't in right now," the confused receptionist said. I replied, shaking my head, "Oh goodness, still having issues with his jeep?"
This is intentional. As his receptionist, I knew she had probably gotten an earful from Carl about his vehicle.
By mentioning this personal detail, I was establishing myself as an insider who knew Carl. If he was waxing poetic about his vehicular woes to me, he must trust me too. Right?
I asked to see another manager by name, someone else whom I had found through OSINT. "If Carl isn't here can I talk to Tracy?" The receptionist turned around & dialed Tracy's extension. "I have someone here from XYZ Recruiting. A friend of Carl's. She wants to see you."
By establishing rapport with the right supporting details, I was able to bypass all of their security measures. Now that I was able to observe them up-close, I realized those were pretty significant.
Each entrance was designed as a man-trap set up with a guard posted inside. To get onto the manufacturing floor itself required not just a badge, but a pin and fingerprint as well. Something you have, something you know, and something you are.
But I was Carl's friend! I was unquestioningly given a visitor badge and an escort who was willing to answer ALL of my questions. Questions like, "What do the different color badges mean?" and "Who is responsible for issuing laptops?"
The trick is to hide the questions that might be considered suspicious in amongst innocuous sounding ones like "What is company culture like?" "How often do you hold office events?" and "What does your ideal candidate look like?"
My favorite answer came after asking, "Who is responsible for watching security camera feeds?" I was led to a door secured with a multi-factor authentication access control system. My escort used his credentials to let me in.
It was a dark room lit with LED strips and a whole bunch of screens. There was a singular guard in that room, who was clearly too busy with whatever was on his phone to be paying attention to the live-action film from the security cameras playing out before him.
I feigned concern with the relaxed guard, making my way into the room while explaining that my firm was serious about the security of the applicants we placed.
What I was really after was a computer in the corner, where I was able to plug in a USB with a proof-of-concept malicious payload while the guard was being reprimanded. Yes, I know, I'm a terrible person.
After this, my escort was particularly interested in impressing me with just how secure the facility was, making sure that I understood that authorized users only were allowed, and each authorized user was issued a Badge.
A magic Badge. A piece of magic plastic encoded with voodoo that would only part the gates of the kingdom for those who were true at heart and served its purpose.
Looking back on the video from my covert-camera glasses now, I recognize the readers as low-frequency HID cards, which are uncomfortably easy to bypass.
I was able to plant my "malware" on at least three separate occasions during this, my very first physical penetration breach.
People are security's purpose and its downfall. As technological vectors become harder to penetrate, do you think that malicious hackers are just going to shrug their shoulders and say "Oh well! Guess we can't hack 'em!"?
Or do you think they are going to adapt & craft traps that a lot of people will fall into? Especially those who have no reason to be suspicious of a small, nonthreatening woman with curly hair. I couldn't possibly do any damage! I'm adorable!
We toss around this concept of "APT." Advanced. Persistent. Threats. I was a journalist and a mother, who had two days on-site to dole out damage. What part of that is Advanced? Persistent?
I fell in love with this life-sized labyrinth. A giant game of chess in which I always had to stay in control of the situation, else risk being unmasked.
It has been over two years since this engagement. If I were an attacker targeting this facility today with the knowledge I've built up and my team beside me... I can only speculate. But I think it would be glorious.
For the sake of closure: I was leaving the facility right as Carl walked through the front door. I briefly shook his hand and introduced myself. He was disappointed that I was concluding my visit & I said I was running late to another meeting. "Perhaps we can catch up later?" 😇