WEBVTT

00:00:00.780 --> 00:00:05.720
JACK: There’s this story of a guy named Michael Fagan, and it fascinates me.

00:00:05.720 --> 00:00:09.849
This is a story that took place in June 1982, in London.

00:00:09.849 --> 00:00:13.700
Michael was thirty years old and he was an interior painter.

00:00:13.700 --> 00:00:18.300
He had a wife and six children, but times were tough for him and he was having trouble

00:00:18.300 --> 00:00:22.000
supporting all those kids, and he wasn’t mentally stable.

00:00:22.000 --> 00:00:25.600
His wife couldn’t take living with him anymore, and she left.

00:00:25.600 --> 00:00:28.700
That was the night of June 7, 1982.

00:00:28.700 --> 00:00:32.000
Here’s Michael in his own words saying what happened next.

00:00:32.000 --> 00:00:34.089
MICHAEL: Me nerves were pretty bad.

00:00:34.089 --> 00:00:38.320
They were going up and down and I was going through this breakdown.

00:00:38.320 --> 00:00:43.300
I walked around the streets of London and I suddenly come across Buckingham Palace.

00:00:43.300 --> 00:00:49.210
JACK: [MUSIC] So, this audio is from a BBC interview they did with Michael in 1993.

00:00:49.210 --> 00:00:53.399
Now, Buckingham Palace is where the Queen of England lives.

00:00:53.399 --> 00:00:59.989
It’s a huge building three stories tall, 775 rooms, and at night it’s clearly closed

00:00:59.989 --> 00:01:00.989
to the public.

00:01:00.989 --> 00:01:06.310
But the palace is in the heart of London, running along some public roads.

00:01:06.310 --> 00:01:08.729
Michael was walking down one of those roads.

00:01:08.729 --> 00:01:10.280
MICHAEL: I could see the window open.

00:01:10.280 --> 00:01:14.210
It was there so close; I saw into it, probably.

00:01:14.210 --> 00:01:18.539
I just hopped over the wall, up the drain pipe, and in.

00:01:18.539 --> 00:01:20.360
JACK: Wait, what?

00:01:20.360 --> 00:01:25.539
He just hopped the wall, climbed up the drain pipe, and got in through an open window on

00:01:25.539 --> 00:01:29.579
the second floor of Buckingham Palace?

00:01:29.579 --> 00:01:31.180
That should not be possible.

00:01:31.180 --> 00:01:39.430
MICHAEL: Walked around the palace for about an hour, looking at the pictures on the wall,

00:01:39.430 --> 00:01:40.430
paintings.

00:01:40.430 --> 00:01:41.880
But it wasn’t how I would have imagined it.

00:01:41.880 --> 00:01:47.789
I don’t think people imagine it the way it is; dusty and squeaky floorboards.

00:01:47.789 --> 00:01:50.219
Very ordinary, you know.

00:01:50.219 --> 00:01:52.429
They spend too much on decoration.

00:01:52.429 --> 00:01:55.630
Maybe they have it done up now.

00:01:55.630 --> 00:01:57.670
Maybe it was during a re-dec.

00:01:57.670 --> 00:02:02.240
Passed a few doors, and I came across a throne room.

00:02:02.240 --> 00:02:04.979
[MUSIC] Evidently the knighthood’s in there and whatever.

00:02:04.979 --> 00:02:07.790
Went in there; that was quite interesting.

00:02:07.790 --> 00:02:10.670
I had a little sit on the throne.

00:02:10.670 --> 00:02:13.220
I’m walking about willy-nilly, actually.

00:02:13.220 --> 00:02:14.750
I’m not hiding.

00:02:14.750 --> 00:02:18.310
HOST: Didn’t you see any security staff?

00:02:18.310 --> 00:02:19.330
MICHAEL: No.

00:02:19.330 --> 00:02:22.090
Not up to now, not up to this point.

00:02:22.090 --> 00:02:26.620
Went into Prince Charles’ private secretary’s office, I found out later, and there’s all

00:02:26.620 --> 00:02:33.769
these presents round the walls, presents that people send him from the far reaches of the

00:02:33.769 --> 00:02:40.410
globe, you know; teddy bears and cups.

00:02:40.410 --> 00:02:45.819
There was this bottle of wine from California, and I was so thirsty and I couldn’t find

00:02:45.819 --> 00:02:46.819
a tap.

00:02:46.819 --> 00:02:49.909
I didn’t actually intend to steal anything.

00:02:49.909 --> 00:02:56.060
Took the bottle down from the shelf, and I couldn’t find a corkscrew.

00:02:56.060 --> 00:03:03.060
Was sitting on the desk with me feet up, pushed the cork into the bottle, drank it out of

00:03:03.060 --> 00:03:04.060
the bottle.

00:03:04.060 --> 00:03:07.360
Then all of a sudden I thought my god, where am I?

00:03:07.360 --> 00:03:09.530
I’m in Buckingham Palace.

00:03:09.530 --> 00:03:12.239
What am I doing here?

00:03:12.239 --> 00:03:18.580
It was just like this – as if me brain had arrived in a [inaudible].

00:03:18.580 --> 00:03:21.680
It was, you know, how do I get out?

00:03:21.680 --> 00:03:28.739
So, as I walked out into the passageway, I saw a security guard with a dog.

00:03:28.739 --> 00:03:35.629
I looked round the corner and I stood back; he went into a room and I found my way out

00:03:35.629 --> 00:03:36.629
then.

00:03:36.629 --> 00:03:43.510
I made my way downstairs, out the window, crossed the grounds at the back, and over

00:03:43.510 --> 00:03:44.510
the wall.

00:03:44.510 --> 00:03:51.080
Then I’m walking up The Mall five minutes later, and I thought as I got to sort of – towards

00:03:51.080 --> 00:03:55.209
Nelson’s Column, I thought my god, Buckingham Palace.

00:03:55.209 --> 00:03:58.629
JACK: [MUSIC] What a crazy story.

00:03:58.629 --> 00:04:04.350
Michael Fagan just popped into Buckingham Palace, drank some royal wine, and left?

00:04:04.350 --> 00:04:05.560
Incredible.

00:04:05.560 --> 00:04:09.469
What if he was a spy or there to cause harm to the place?

00:04:09.469 --> 00:04:11.970
This place should have been much more secure than this.

00:04:11.970 --> 00:04:15.079
This shouldn’t have been possible.

00:04:15.079 --> 00:04:17.019
But things got worse for Michael.

00:04:17.019 --> 00:04:22.940
His wife took the kids, and he stole a car to try to find her, but he ran out of gas

00:04:22.940 --> 00:04:25.020
and got arrested for stealing the car.

00:04:25.020 --> 00:04:28.120
He was out on bail and more distraught than ever.

00:04:28.120 --> 00:04:31.940
July 8 came along, and he couldn’t sleep at all that night.

00:04:31.940 --> 00:04:37.320
At 5:00 AM, he’d go for a walk down the road that goes towards Buckingham Palace.

00:04:37.320 --> 00:04:40.350
He was just trying to clear his head and take a walkabout.

00:04:40.350 --> 00:04:44.060
MICHAEL: I think I knew what I was doing at that point.

00:04:44.060 --> 00:04:46.750
Started walking towards Buckingham Palace.

00:04:46.750 --> 00:04:51.400
About 5:00, I see all these women cleaners going to work.

00:04:51.400 --> 00:04:55.720
The intent’s there now; I’m gonna see it.

00:04:55.720 --> 00:04:58.650
I’m gonna get in there and I’m gonna see the Queen.

00:04:58.650 --> 00:05:02.530
[MUSIC] One direction; nothing’s gonna stop me.

00:05:02.530 --> 00:05:08.919
Through St. James’ Park, up over the wall, into the palace, saying good morning to the

00:05:08.919 --> 00:05:11.120
servants as I’m walking past them.

00:05:11.120 --> 00:05:14.830
I don’t know how the hell I found her room.

00:05:14.830 --> 00:05:15.830
I really don’t know how.

00:05:15.830 --> 00:05:17.360
People have said to me, how did you find it out of all those rooms?

00:05:17.360 --> 00:05:19.370
I really don’t know.

00:05:19.370 --> 00:05:21.870
I’m in the Queen’s bedroom.

00:05:21.870 --> 00:05:26.840
So, to make sure it’s the Queen, I walk to the window.

00:05:26.840 --> 00:05:27.840
She’s looking very small in her bed.

00:05:27.840 --> 00:05:28.840
HOST: She was asleep, was she?

00:05:28.840 --> 00:05:29.840
MICHAEL: Yeah.

00:05:29.840 --> 00:05:33.289
Walked past her bed; it looks too small to be the Queen, so I go over and I draw the

00:05:33.289 --> 00:05:35.440
curtain back just to make sure.

00:05:35.440 --> 00:05:36.440
Suddenly she sat up.

00:05:36.440 --> 00:05:37.440
What are you doing here?

00:05:37.440 --> 00:05:40.630
So I said – well, I was dumbstruck, to be honest.

00:05:40.630 --> 00:05:47.479
I just – I was thinking what to say.

00:05:47.479 --> 00:05:48.479
Get out, get out.

00:05:48.479 --> 00:05:51.200
She jumped out of bed; what are you doing here?

00:05:51.200 --> 00:05:55.660
And walked out of the room, so I stood there.

00:05:55.660 --> 00:05:58.479
Maybe I sat on the corner of the bed.

00:05:58.479 --> 00:06:02.490
All this about long conversations – I mean, a lot has been said about what went on in

00:06:02.490 --> 00:06:03.780
that room.

00:06:03.780 --> 00:06:05.120
This is the truth, you know?

00:06:05.120 --> 00:06:07.361
Nothing; she just said ‘get out’ and that was it.

00:06:07.361 --> 00:06:11.520
The footmen came in and they looked at each other – say oh my god, what we got here?

00:06:11.520 --> 00:06:16.260
There was a rebellion going on in me head.

00:06:16.260 --> 00:06:22.020
HOST: Do you think you were actually trying to get caught when you went in that second

00:06:22.020 --> 00:06:23.020
time?

00:06:23.020 --> 00:06:24.170
MICHAEL: Yeah, yeah.

00:06:24.170 --> 00:06:27.940
Just to make that statement, you know?

00:06:27.940 --> 00:06:31.650
I am; I am.

00:06:31.650 --> 00:06:39.740
JACK: [MUSIC] The guy snuck into Buckingham Palace twice, and with the second time, getting

00:06:39.740 --> 00:06:43.750
all the way into the Queen’s bedroom while she was asleep.

00:06:43.750 --> 00:06:46.080
Creepy and incredible.

00:06:46.080 --> 00:06:49.840
The chaos he could have caused was huge.

00:06:49.840 --> 00:06:52.660
He was arrested and he went to court at the Old Bailey.

00:06:52.660 --> 00:06:57.830
MICHAEL: I was actually charged with stealing half a bottle of wine.

00:06:57.830 --> 00:07:04.660
It was just unbelievable, actually, to be tried at number one court, Old Bailey, the

00:07:04.660 --> 00:07:06.470
hanging court.

00:07:06.470 --> 00:07:08.630
It intimidated me.

00:07:08.630 --> 00:07:10.680
People have been sent to Australia from there.

00:07:10.680 --> 00:07:12.669
They’ve been sent to the gallows from there.

00:07:12.669 --> 00:07:14.510
There’s me, for half a bottle of wine.

00:07:14.510 --> 00:07:21.490
JACK: The jury found him innocent of wrongdoing and he was not sentenced to any jail time.

00:07:21.490 --> 00:07:26.920
However, the judge found his mental health to be something to worry about, so they sent

00:07:26.920 --> 00:07:30.550
him to do time in a psychiatric ward.

00:07:30.550 --> 00:07:35.110
While there, he wasn’t able to go home and see his wife or kids, which caused him more

00:07:35.110 --> 00:07:36.110
stress.

00:07:36.110 --> 00:07:39.300
He eventually got to go home, but he wasn’t well.

00:07:39.300 --> 00:07:44.250
He was arrested a few more times for fighting at the pub and dancing in the streets naked.

00:07:44.250 --> 00:07:49.200
HOST: Certainly, Michael Fagan isn’t the kind of man to fade quietly from the public

00:07:49.200 --> 00:07:50.200
eye.

00:07:50.200 --> 00:08:04.020
[MUSIC] He even made a record, a version of the Sex Pistols’ song, God Save the Queen.

00:08:04.020 --> 00:08:10.740
[GOD SAVE THE QUEEN LYRICS]

00:08:10.740 --> 00:08:17.750
JACK: He finally divorced his wife, but got custody of his kids, and spent a lot of time

00:08:17.750 --> 00:08:18.770
just being a dad.

00:08:18.770 --> 00:08:25.449
MICHAEL: Sarah’s in her first year of school and someone said her dad broke into Buckingham

00:08:25.449 --> 00:08:26.449
Palace.

00:08:26.449 --> 00:08:31.169
She just turned round and said yeah, and your dad hasn’t, has he?

00:08:31.169 --> 00:08:39.920
(INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet.

00:08:39.920 --> 00:08:44.520
I’m Jack Rhysider.

00:08:44.520 --> 00:08:48.090
This is Darknet Diaries.

00:08:48.090 --> 00:08:55.120
[INTRO MUSIC ENDS]

00:08:55.120 --> 00:09:04.220
JACK: So, let’s start out with you telling us your name and what do you do.

00:09:04.220 --> 00:09:08.850
JEREMIAH: Yeah, my name is Jeremiah Roe and I’m a solutions architect for Synack.

00:09:08.850 --> 00:09:13.220
JACK: So, what drew me to Jeremiah is his background in penetration testing.

00:09:13.220 --> 00:09:17.510
Companies have hired him to see if they have any security holes, and if he can find them

00:09:17.510 --> 00:09:20.320
and break into their buildings or network.

00:09:20.320 --> 00:09:24.130
Because if someone could just walk into your building, that can be bad.

00:09:24.130 --> 00:09:28.580
So, companies want to test how hard it is to break into their buildings.

00:09:28.580 --> 00:09:30.820
How good is their security?

00:09:30.820 --> 00:09:35.340
These stories of how people break into buildings always fascinate me, and today, Jeremiah

00:09:35.340 --> 00:09:37.900
brought us a penetration test story.

00:09:37.900 --> 00:09:41.950
Now, when Jeremiah was a kid, he liked building little websites, and this was the seed that

00:09:41.950 --> 00:09:43.950
made him decide to go into a tech career.

00:09:43.950 --> 00:09:49.250
He went into the military and then got a job at Geek Squad troubleshooting customers’

00:09:49.250 --> 00:09:50.400
computer problems.

00:09:50.400 --> 00:09:54.010
But then he landed a better job where he learned more about technology, and this got him into

00:09:54.010 --> 00:09:58.860
cyber-security, and eventually he took the OSCP certification.

00:09:58.860 --> 00:10:04.160
This is an advanced cert that quizzes you on how to use hacking tools and exploitation

00:10:04.160 --> 00:10:08.210
techniques, and it’s a pretty serious exam that you have twenty-four hours to complete.

00:10:08.210 --> 00:10:11.290
Well, he passed that, which gave him new opportunities.

00:10:11.290 --> 00:10:18.850
JEREMIAH: I was able to transfer that over to a government contracting role, which I

00:10:18.850 --> 00:10:23.140
got hired for out in the DC area.

00:10:23.140 --> 00:10:29.760
From there, we really primarily focused on conducting network-level penetration testing,

00:10:29.760 --> 00:10:32.840
web application penetration testing.

00:10:32.840 --> 00:10:40.650
We were both the internal pen test team and the internal red team operations all in one

00:10:40.650 --> 00:10:41.650
for this organization.

00:10:41.650 --> 00:10:44.680
JACK: This taught him how to think like an attacker.

00:10:44.680 --> 00:10:50.660
Not just any attacker, but one that would attack government networks and systems.

00:10:50.660 --> 00:10:55.440
Attackers like this have a lot of resources, and sometimes stop at nothing to get into

00:10:55.440 --> 00:10:56.650
certain networks.

00:10:56.650 --> 00:11:02.430
So, Jeremiah learned how nation state actors would think, and was able to try some pretty

00:11:02.430 --> 00:11:05.040
wild things to gain access into facilities.

00:11:05.040 --> 00:11:09.250
I think they even had ex-military working on his team too, like ones who were trained

00:11:09.250 --> 00:11:11.510
by the military to hack into things.

00:11:11.510 --> 00:11:13.910
Yes, the military trains troops to be hackers.

00:11:13.910 --> 00:11:17.070
I mean, there’s the Army Cyber Command, just to name one group.

00:11:17.070 --> 00:11:21.260
So, learning from people like this really gave him some interesting insight.

00:11:21.260 --> 00:11:25.840
[MUSIC] Now, what Jeremiah did there was internal red team assessments.

00:11:25.840 --> 00:11:31.040
That is, he was attacking the contractor he worked for itself to try to find vulnerabilities

00:11:31.040 --> 00:11:33.360
in the buildings and the network.

00:11:33.360 --> 00:11:38.280
See, this Washington DC-based contractor that he was working for did a lot of work for the

00:11:38.280 --> 00:11:42.410
federal government and it was growing and expanding, and there were offices and remote

00:11:42.410 --> 00:11:44.470
locations scattered all around.

00:11:44.470 --> 00:11:50.300
Here’s the thing; when other nations want to hack into our government, they don’t

00:11:50.300 --> 00:11:53.150
always go directly towards the government’s networks.

00:11:53.150 --> 00:11:58.340
They might attack a contractor and try to get into the contractor’s network, which

00:11:58.340 --> 00:12:01.380
might give them access into the government’s network.

00:12:01.380 --> 00:12:05.250
Because if a contractor is doing work for the government, then it must have some sort

00:12:05.250 --> 00:12:07.470
of access to the government, right?

00:12:07.470 --> 00:12:11.610
So, this is sort of coming-in-through-the-side-door kind of attack.

00:12:11.610 --> 00:12:15.820
Jeremiah knew this, and this is why he was tasked with attacking the company he worked

00:12:15.820 --> 00:12:21.640
for to try to find ways a nation state attacker might get in and what damage they could do.

00:12:21.640 --> 00:12:26.320
At some point, Jeremiah found a remote satellite office which did a lot of business for the

00:12:26.320 --> 00:12:31.560
federal government, and he wanted to conduct a penetration test on this office to see if

00:12:31.560 --> 00:12:32.660
it was vulnerable.

00:12:32.660 --> 00:12:35.860
JEREMIAH: Basically, we came up with the idea.

00:12:35.860 --> 00:12:39.340
We wanted to go and test out this location.

00:12:39.340 --> 00:12:46.420
We felt that there were risks to the organization and to the clients that we work with through

00:12:46.420 --> 00:12:51.940
this organization that maybe weren’t being addressed or thought of.

00:12:51.940 --> 00:13:01.020
So, we wanted to conduct a nation state style of an attack from a physical perspective,

00:13:01.020 --> 00:13:06.260
just because physical assessments or physical red team operations or physical pen tests

00:13:06.260 --> 00:13:12.730
just really aren’t done all that much, and we wanted to take it upon ourselves to go

00:13:12.730 --> 00:13:16.600
ahead and conduct one towards this satellite location.

00:13:16.600 --> 00:13:21.190
JACK: When you pitched this idea to them, they said okay, go for it…

00:13:21.190 --> 00:13:22.190
JEREMIAH: Yeah.

00:13:22.190 --> 00:13:23.190
JACK: …full speed ahead.

00:13:23.190 --> 00:13:24.930
JEREMIAH: Not at all.

00:13:24.930 --> 00:13:25.930
Nobody wanted to do it.

00:13:25.930 --> 00:13:27.660
Nobody liked it; nobody liked the idea.

00:13:27.660 --> 00:13:33.050
It was very risky and of course, this is a risk-averse organization.

00:13:33.050 --> 00:13:37.470
I think it’s fair to say that government as a whole is fairly risk-averse.

00:13:37.470 --> 00:13:40.630
JACK: [MUSIC] See, to me, this is backwards thinking.

00:13:40.630 --> 00:13:44.450
How can you say you’re risk-averse without looking to see what risks you even have?

00:13:44.450 --> 00:13:48.580
If you’re going to claim to be risk-averse, then you better be out there every day looking

00:13:48.580 --> 00:13:53.700
for any and all risks that your business faces, and re-evaluating them constantly.

00:13:53.700 --> 00:13:58.390
You won’t turn down a security assessment because you’re afraid of what it might uncover.

00:13:58.390 --> 00:14:04.230
JEREMIAH: In a way, I think people were scared of the – of things being found, right?

00:14:04.230 --> 00:14:10.820
I think people know that things are there, but nobody really wants to – wants the big,

00:14:10.820 --> 00:14:14.950
red punch in the face to show you the things that are there.

00:14:14.950 --> 00:14:19.130
JACK: Okay, yeah, so it’s embarrassing when you realize that you’ve got a few security

00:14:19.130 --> 00:14:23.920
holes in your business, and I suppose that embarrassment can be pretty bad.

00:14:23.920 --> 00:14:28.860
Like, what if the pen test found some major security hole and saw evidence that someone

00:14:28.860 --> 00:14:31.940
had used that hole to get in and steal things?

00:14:31.940 --> 00:14:37.630
Now the business has lots of consequences they may face; they would have to notify their

00:14:37.630 --> 00:14:40.320
customers or may lose some government contracts.

00:14:40.320 --> 00:14:45.100
They may be fined or sued, and they may get a lot of bad PR if it turned out that the

00:14:45.100 --> 00:14:47.220
security was really bad.

00:14:47.220 --> 00:14:51.970
But I guess it’s still better to know that you’ve been hacked than to not know at all.

00:14:51.970 --> 00:14:55.190
Or what if a penetration test ended up damaging the network?

00:14:55.190 --> 00:14:59.870
Like, what if by trying to exploit a server, they accidentally took that server down?

00:14:59.870 --> 00:15:01.250
Now there’s a network outage.

00:15:01.250 --> 00:15:05.780
So, I guess there are some risks to doing a penetration test, but I still think it’s

00:15:05.780 --> 00:15:10.290
important to do these tests, especially on big businesses and government contractors,

00:15:10.290 --> 00:15:14.430
because I’ve seen news article after news article about how foreign governments have

00:15:14.430 --> 00:15:19.760
hacked into our government through a contractor, and that’s how they got access.

00:15:19.760 --> 00:15:23.590
So, contractors should take their security very seriously.

00:15:23.590 --> 00:15:27.680
Jeremiah had to convince them that testing this remote office was important.

00:15:27.680 --> 00:15:34.010
JEREMIAH: Yeah, I think quite honestly, our convincing argument was one, persistence,

00:15:34.010 --> 00:15:37.860
and two, naming those very things that you just mentioned, right?

00:15:37.860 --> 00:15:43.450
Really painting a picture as to what could potentially happen should there be things

00:15:43.450 --> 00:15:46.880
in these locations that we don’t know about.

00:15:46.880 --> 00:15:53.280
That persistent argument that we would make over and over again ultimately led to the

00:15:53.280 --> 00:15:56.670
decision to give us the green light to go ahead and conduct this, right?

00:15:56.670 --> 00:16:02.050
Because – so, this is just a saying that I have, which is the best defense is a good

00:16:02.050 --> 00:16:09.610
offense, and unless you’re putting things and stressing them and really challenging

00:16:09.610 --> 00:16:16.210
what is there from a technical capability’s perspective, you really don’t know what’s

00:16:16.210 --> 00:16:17.950
possible within that environment.

00:16:17.950 --> 00:16:22.110
JACK: [MUSIC] So, it wasn’t easy, but he got the green light.

00:16:22.110 --> 00:16:26.540
The business said okay, you can try to break into that remote office physically and through

00:16:26.540 --> 00:16:28.960
the network, but we have some rules.

00:16:28.960 --> 00:16:37.710
JEREMIAH: Not installing any shells or backdoors or malware on physical devices itself.

00:16:37.710 --> 00:16:42.010
JACK: They didn’t want to have to clean up any malware left behind or cause any damage

00:16:42.010 --> 00:16:43.010
to the network.

00:16:43.010 --> 00:16:47.680
A lot of companies have a strict configuration change policy; things need to be approved

00:16:47.680 --> 00:16:51.480
by a committee when installing new stuff on production servers.

00:16:51.480 --> 00:16:55.570
So, they didn’t want him to just come through and plop a whole bunch of hacker tools into

00:16:55.570 --> 00:16:57.410
a network that’s heavily in use.

00:16:57.410 --> 00:16:59.210
It could cause things to break.

00:16:59.210 --> 00:17:04.300
JEREMIAH: So, they wanted to have as little impact as possible while still trying to prove

00:17:04.300 --> 00:17:06.290
the point of impact.

00:17:06.290 --> 00:17:08.420
So, that was kind of our bounds.

00:17:08.420 --> 00:17:10.610
That’s what we had to play within.

00:17:10.610 --> 00:17:17.069
But from an operational perspective, we were kinda given some wide latitude as to how we

00:17:17.069 --> 00:17:23.680
were gonna plan this out, and to be fair, we – other than the time of day when we

00:17:23.680 --> 00:17:30.370
wanted to go and scoping a few things out prior to it, we kind of also left it up – open

00:17:30.370 --> 00:17:34.740
to a target of opportunity for what we would do when we were there as well, ‘cause we

00:17:34.740 --> 00:17:36.300
didn’t know what was gonna happen.

00:17:36.300 --> 00:17:39.380
We didn’t know how this whole thing was gonna – played out.

00:17:39.380 --> 00:17:44.230
We could have at some point had the cops called on us and we could have potentially gone to

00:17:44.230 --> 00:17:47.610
jail or we could have – we just didn’t know.

00:17:47.610 --> 00:17:51.750
JACK: So, Jeremiah and his team started coming up with their own objectives.

00:17:51.750 --> 00:17:55.610
JEREMIAH: Basically, can you get access to this location?

00:17:55.610 --> 00:17:58.520
When you do get access, what can you see?

00:17:58.520 --> 00:18:03.540
From what you see, what types of scenarios can you play out, and out of those scenarios,

00:18:03.540 --> 00:18:06.180
how risky are they?

00:18:06.180 --> 00:18:12.790
Then separately, can you obtain access to devices that are on the network?

00:18:12.790 --> 00:18:17.350
Can you obtain access to the network itself?

00:18:17.350 --> 00:18:23.930
Is there information that you can obtain from this operation that would potentially compromise

00:18:23.930 --> 00:18:28.310
any contracts that we were working on?

00:18:28.310 --> 00:18:29.700
Sort of all of the above.

00:18:29.700 --> 00:18:33.000
JACK: [MUSIC] Okay, so he’s all set and ready to begin the test.

00:18:33.000 --> 00:18:36.280
Now, he wanted to conduct this test like he was an outsider.

00:18:36.280 --> 00:18:40.430
Yes, he did actually work at this company that he was testing, but he had never been

00:18:40.430 --> 00:18:44.870
to that building before and wasn’t going to use any internal resources that he had

00:18:44.870 --> 00:18:47.450
to get information to help him break in.

00:18:47.450 --> 00:18:52.920
This test had to be as if he didn’t work there, so he started by simply Googling the

00:18:52.920 --> 00:18:53.920
location.

00:18:53.920 --> 00:18:58.340
Of course, this landed him on Google Maps, where he started noting all the relevant information

00:18:58.340 --> 00:18:59.590
that he saw there.

00:18:59.590 --> 00:19:02.550
JEREMIAH: What surrounded the building?

00:19:02.550 --> 00:19:05.310
Were there any coffee shops that were attached to it?

00:19:05.310 --> 00:19:11.810
Were there any other third parties that were also in those buildings?

00:19:11.810 --> 00:19:15.550
What access did they potentially have?

00:19:15.550 --> 00:19:19.490
Were there satellite, aerial images of the location?

00:19:19.490 --> 00:19:25.110
What were the entry points to that building, the ingress and egress points?

00:19:25.110 --> 00:19:30.090
How do – how many people went to and from the location?

00:19:30.090 --> 00:19:33.250
Who worked at that location?

00:19:33.250 --> 00:19:36.820
When was the normal scheduling for when people arrived?

00:19:36.820 --> 00:19:39.920
When did they go to lunch?

00:19:39.920 --> 00:19:40.920
That sort of thing, right?

00:19:40.920 --> 00:19:45.470
JACK: Okay, so he’s picked up quite a bit from Google, and now it’s time for him to

00:19:45.470 --> 00:19:51.290
take it to the next step; drive to the building and do some light surveillance and take notes

00:19:51.290 --> 00:19:52.590
along the way.

00:19:52.590 --> 00:19:58.720
JEREMIAH: [MUSIC] I went there to take a look at what was happening when people would generally

00:19:58.720 --> 00:20:04.900
show up, when they were leaving, where their locations were for when they would smoke,

00:20:04.900 --> 00:20:06.730
and I was in my vehicle.

00:20:06.730 --> 00:20:11.150
I parked and I would hang out and just watch.

00:20:11.150 --> 00:20:16.120
Then I drove around the building itself, and then I would note locations on a map that

00:20:16.120 --> 00:20:21.860
I had with me as to what I thought that was based off of what I was seeing.

00:20:21.860 --> 00:20:27.330
Then I ultimately left for the day and took that information back to add to the portfolio

00:20:27.330 --> 00:20:29.700
that we were putting together for the location.

00:20:29.700 --> 00:20:33.660
JACK: He takes the intelligence he’s gathered and regroups back at the home office.

00:20:33.660 --> 00:20:36.720
JEREMIAH: I was working with another individual.

00:20:36.720 --> 00:20:39.040
Call him BC.

00:20:39.040 --> 00:20:49.200
I was working with BC and we both collaboratively decided to go about checking every external

00:20:49.200 --> 00:20:53.720
egress point just to see what we could see, walking around the building’s perimeter

00:20:53.720 --> 00:20:59.890
just to see what we could notice, if there was anything open, what locations we could

00:20:59.890 --> 00:21:06.450
actually get into the building from, and then to kind of follow that breadcrumb trail to

00:21:06.450 --> 00:21:07.450
see where it led.

00:21:07.450 --> 00:21:13.000
JACK: Okay, so that’s the grand plan; just to walk the perimeter and see what doors are

00:21:13.000 --> 00:21:14.000
opened?

00:21:14.000 --> 00:21:15.450
It’s not a bad plan.

00:21:15.450 --> 00:21:19.270
Often the front entrance is where all the security is, so trying to slip in through

00:21:19.270 --> 00:21:22.190
a side door or a back door bypasses all that.

00:21:22.190 --> 00:21:23.500
So, that was Plan A.

00:21:23.500 --> 00:21:29.870
JEREMIAH: Plan B was to walk directly into the front of the location, the front doors.

00:21:29.870 --> 00:21:34.790
JACK: Do you have any idea what’s in those front doors, like a security guard, another

00:21:34.790 --> 00:21:35.790
locked door?

00:21:35.790 --> 00:21:36.790
JEREMIAH: No idea.

00:21:36.790 --> 00:21:38.680
No idea how the layout is.

00:21:38.680 --> 00:21:44.100
We assumed that there was some sort of foyer that was there, but we had no clue.

00:21:44.100 --> 00:21:46.310
We had never been there before.

00:21:46.310 --> 00:21:51.590
JACK: So, Jeremiah and BC have their plans, and BC has also done a few of these penetration

00:21:51.590 --> 00:21:52.590
tests before.

00:21:52.590 --> 00:22:00.210
JEREMIAH: This was a junior to me at the time, and so, I was bringing him along as one, a

00:22:00.210 --> 00:22:06.680
backup to look more realistic like I belong, like I had company.

00:22:06.680 --> 00:22:10.360
The more individuals that you’ve got with you in a party, the less likely you are to

00:22:10.360 --> 00:22:11.360
be challenged.

00:22:11.360 --> 00:22:14.790
So, that was a benefit towards the location.

00:22:14.790 --> 00:22:24.450
But separately, it allowed me to spread the workload that was involved in checking things

00:22:24.450 --> 00:22:25.630
to see what was there.

00:22:25.630 --> 00:22:29.230
JACK: They pick a day when they’re going to go there and start preparing for it.

00:22:29.230 --> 00:22:37.320
JEREMIAH: Yeah, so we decided that the best way to dress was obviously business casual,

00:22:37.320 --> 00:22:41.300
to make sure that we were both groomed professionally.

00:22:41.300 --> 00:22:48.580
We got haircuts the day before, we’re – made sure that we were kind of wearing polos and

00:22:48.580 --> 00:22:53.860
slacks and were looking very business casual.

00:22:53.860 --> 00:22:56.780
JACK: The haircuts were specifically for this engagement?

00:22:56.780 --> 00:23:04.820
JEREMIAH: In a way, yes, but at the same time, we kinda wanted to look like we were blending

00:23:04.820 --> 00:23:07.250
into everybody else within the environment as well.

00:23:07.250 --> 00:23:10.280
JACK: I wonder how that worked out with your junior.

00:23:10.280 --> 00:23:12.080
Like, was it your idea?

00:23:12.080 --> 00:23:13.900
Like hey man, get a haircut.

00:23:13.900 --> 00:23:16.900
What? Why? I’m fine.

00:23:16.900 --> 00:23:17.900
No, we’re gonna – we want to look this part.

00:23:17.900 --> 00:23:20.100
Maybe you had it in your head like man, this guy really needs a haircut; I could use this

00:23:20.100 --> 00:23:23.110
as an excuse to tell him to get a haircut.

00:23:23.110 --> 00:23:30.680
JEREMIAH: Yeah, when – so, the best thing about this particular guy’s – he kinda

00:23:30.680 --> 00:23:35.370
got it, too, because he is also former military.

00:23:35.370 --> 00:23:43.440
So, he was totally cool with making sure that he was well-groomed, had a haircut, and well-dressed

00:23:43.440 --> 00:23:45.000
for the event.

00:23:45.000 --> 00:23:51.770
In addition, we brought our – we had separate laptops to conduct red team operations, so

00:23:51.770 --> 00:23:54.100
we had those with us.

00:23:54.100 --> 00:24:03.950
I had a lockpick set and a Raspberry Pi as well as a Bash Bunny, and I had network – sort

00:24:03.950 --> 00:24:05.140
of a network star tap.

00:24:05.140 --> 00:24:07.140
What’s it called? Like a…

00:24:07.140 --> 00:24:08.140
JACK: Lanstar.

00:24:08.140 --> 00:24:09.260
JEREMIAH: Lanstar; thank you.

00:24:09.260 --> 00:24:14.990
I had a Lanstar just in case I wanted to tap something in there.

00:24:14.990 --> 00:24:22.090
I also had actually a mobile version of Kali Linux installed on my – on a burner phone

00:24:22.090 --> 00:24:25.170
that I had, and that was about it.

00:24:25.170 --> 00:24:27.280
JACK: [MUSIC] So, it’s now the day of.

00:24:27.280 --> 00:24:28.510
It’s go time.

00:24:28.510 --> 00:24:31.690
With their equipment and fresh haircuts, they drive to the building.

00:24:31.690 --> 00:24:35.790
There are no gate guards or security to just get on the property, so they’re able to

00:24:35.790 --> 00:24:40.150
drive right into the parking lot, park the car, and they immediately split up and walk

00:24:40.150 --> 00:24:42.400
around the outside perimeter of the building.

00:24:42.400 --> 00:24:45.170
JEREMIAH: That’s exactly what we did, yeah.

00:24:45.170 --> 00:24:50.140
So, BC went to the right, I went to the left, and we both walked around the perimeter of

00:24:50.140 --> 00:24:56.290
the building and just sorta – we each had a copy of the aerial photography that we had

00:24:56.290 --> 00:24:57.970
marked up.

00:24:57.970 --> 00:25:03.190
He had a folder; I had a folder that was inside of it that was inside of our bags, and as

00:25:03.190 --> 00:25:10.220
we were walking around, just kind of checking doors along the way to see if they were open,

00:25:10.220 --> 00:25:13.800
to see if they were locked, and/or if we could get access to them.

00:25:13.800 --> 00:25:19.400
JACK: They walk around, tugging on every door they came across to see if one opened.

00:25:19.400 --> 00:25:25.160
Jeremiah tugged and tugged, but he didn’t find a single door that opened.

00:25:25.160 --> 00:25:28.710
He came around the back side of the building, and that’s where he saw BC coming around

00:25:28.710 --> 00:25:30.050
from the other side.

00:25:30.050 --> 00:25:33.070
Jeremiah told him that he didn’t find any doors open.

00:25:33.070 --> 00:25:38.790
JEREMIAH: He let me know that on one of the doors on his side – actually happened to

00:25:38.790 --> 00:25:39.790
be open.

00:25:39.790 --> 00:25:44.020
JACK: [MUSIC] So, together they walk back towards that door that BC found open.

00:25:44.020 --> 00:25:52.830
JEREMIAH: It was a back door, but it was a door to a stairwell that led to all the floors

00:25:52.830 --> 00:25:55.920
in the building itself.

00:25:55.920 --> 00:26:01.280
This door was just kinda left open and it was by sheer happenstance then.

00:26:01.280 --> 00:26:10.080
It was most likely due to a particular implementation flaw in the physical door itself and that

00:26:10.080 --> 00:26:13.630
someone didn’t actively make sure that it was shut.

00:26:13.630 --> 00:26:18.520
Otherwise it would have been locked, which in this particular instance, it was open,

00:26:18.520 --> 00:26:21.970
hanging out, and there was a crack, and we were able to open the door.

00:26:21.970 --> 00:26:27.030
JACK: So, they slip in through this partially-open door that wasn’t locking properly and go

00:26:27.030 --> 00:26:28.290
into the stairwell.

00:26:28.290 --> 00:26:32.200
At this point, they need to make a decision; go up the stairs or just try to go to the

00:26:32.200 --> 00:26:33.200
first floor.

00:26:33.200 --> 00:26:34.200
JEREMIAH: Yeah, yeah.

00:26:34.200 --> 00:26:40.550
So, we didn’t want to mess with the door on the first level, to begin with.

00:26:40.550 --> 00:26:50.280
We knew that the contractor that we worked for had offices on the second and third floors.

00:26:50.280 --> 00:26:55.800
So, we wanted to…we knew that we could gain access to the first floor through the front

00:26:55.800 --> 00:26:57.650
of the building, anyways.

00:26:57.650 --> 00:27:05.230
So what we did is we walk into this stairwell, we took photos of the open door just kinda

00:27:05.230 --> 00:27:10.440
as it was, took photos of us inside of the stairwell, and of course going to the second

00:27:10.440 --> 00:27:11.440
and third floors.

00:27:11.440 --> 00:27:15.820
JACK: Now, in a lot of office buildings, the stairwell doors are locked from the stairwell

00:27:15.820 --> 00:27:16.820
side.

00:27:16.820 --> 00:27:20.200
You can go into the stairwell from the office, but you can’t go into the office from the

00:27:20.200 --> 00:27:21.320
stairwell.

00:27:21.320 --> 00:27:24.840
They were walking up the stairs, expecting to face this, and trying to think of ways

00:27:24.840 --> 00:27:29.980
that they could bypass the door and get into the office, perhaps wait for someone to come

00:27:29.980 --> 00:27:33.340
out or maybe get some lock picks out and try to pick the lock.

00:27:33.340 --> 00:27:35.640
They’ll have to see when they get there.

00:27:35.640 --> 00:27:39.760
But when they got to the second floor, they just tried pulling on the door, and to their

00:27:39.760 --> 00:27:41.110
surprise, it opened.

00:27:41.110 --> 00:27:46.010
JEREMIAH: We could; we could get direct access to those floors as well, which were supposed

00:27:46.010 --> 00:27:47.280
to be secured floors.

00:27:47.280 --> 00:27:51.679
JACK: [MUSIC] So, they got into the second floor office, took pictures of themselves

00:27:51.679 --> 00:27:54.429
in the office, and got right back into the stairwell.

00:27:54.429 --> 00:27:58.750
Then they went up to the third floor and again, that stairwell door opened right up for them,

00:27:58.750 --> 00:27:59.750
and they got in.

00:27:59.750 --> 00:28:04.360
JEREMIAH: Yeah, so we walk in, take a quick photo to show that we were in the floor, and

00:28:04.360 --> 00:28:05.900
then we just kinda walked right back out.

00:28:05.900 --> 00:28:09.510
JACK: They walked all the way back down the stairs and out of the building.

00:28:09.510 --> 00:28:11.460
They regrouped and made a new plan.

00:28:11.460 --> 00:28:16.190
JEREMIAH: The goal of a pen test is to identify as many exploitable vulnerabilities or findings

00:28:16.190 --> 00:28:22.940
as you can, and then present that and have them fixed as much as they can be fixed.

00:28:22.940 --> 00:28:26.400
JACK: So, they were able to successfully get access into this building.

00:28:26.400 --> 00:28:28.520
JEREMIAH: So, that was kind of check one.

00:28:28.520 --> 00:28:30.520
Now let’s test another avenue.

00:28:30.520 --> 00:28:35.270
JACK: They regroup at the front of the building and this time go in through the main entrance.

00:28:35.270 --> 00:28:38.980
They have no idea what might be there, and they know the office they want to get access

00:28:38.980 --> 00:28:41.330
to is on the second and third floor.

00:28:41.330 --> 00:28:45.670
There should be some kind of thing to stop them from getting just directly into the office

00:28:45.670 --> 00:28:51.690
and roaming free, but where and what exactly would stop them, they didn’t know.

00:28:51.690 --> 00:29:04.310
Stay with us, because after the break, they head inside.

00:29:04.310 --> 00:29:09.110
Jeremiah and BC open the doors to the front of the building and walk in, with their goal

00:29:09.110 --> 00:29:13.020
to get into the second and third-floor offices.

00:29:13.020 --> 00:29:17.230
JEREMIAH: As we were going through, we didn’t initially see any kind of front desk on the

00:29:17.230 --> 00:29:18.890
first floor.

00:29:18.890 --> 00:29:24.570
We did see some stairs that were spiraling down from the second and third floors in the

00:29:24.570 --> 00:29:27.580
center of the building in the foyer.

00:29:27.580 --> 00:29:32.460
JACK: They look around and see some elevators, which tells them there’s two ways to get

00:29:32.460 --> 00:29:36.340
to the second floor; the stairs in the foyer or the elevator.

00:29:36.340 --> 00:29:40.710
They also looked around in the lobby of the building there and noticed a few Ethernet

00:29:40.710 --> 00:29:44.850
ports on the walls, and they wondered if that connected to anything, but they just took

00:29:44.850 --> 00:29:48.950
a mental note of that and decided to go up the stairs to the second floor.

00:29:48.950 --> 00:29:57.160
JEREMIAH: [MUSIC] So, we were able to move up to each floor, and we noticed as we got

00:29:57.160 --> 00:30:02.210
to the second and third floors, there were doors to either side that were – that would

00:30:02.210 --> 00:30:05.740
grant access to the business operations of this contractor.

00:30:05.740 --> 00:30:14.110
Now, the entry doors were closed, and they’re – they had locks on them that were – that

00:30:14.110 --> 00:30:19.220
you utilized from your key card to unlock the door so you could go in, and that was

00:30:19.220 --> 00:30:22.410
for authorized employees for those locations.

00:30:22.410 --> 00:30:26.370
JACK: Okay, so just by walking by the office doors, they could see that you need a key

00:30:26.370 --> 00:30:28.510
card to get into that door.

00:30:28.510 --> 00:30:32.690
On one of these floors was a person sitting at a desk in the lobby, but on the other floor,

00:30:32.690 --> 00:30:33.960
there was nobody in the lobby.

00:30:33.960 --> 00:30:42.170
JEREMIAH: There was public seating in the lobby on each floor as well, and we both sat

00:30:42.170 --> 00:30:47.650
down on one of the couches just so we could figure out what it was that we wanted to do

00:30:47.650 --> 00:30:48.650
at this point.

00:30:48.650 --> 00:30:53.320
We pulled out our computers; we’re looking like we were collaborating together for work.

00:30:53.320 --> 00:30:57.860
JACK: This gave them an opportunity to just sit in front of the door of this office and

00:30:57.860 --> 00:30:59.460
watch what was going on.

00:30:59.460 --> 00:31:02.929
Since nobody was in the lobby to really bother them, they could act like they’re working

00:31:02.929 --> 00:31:06.560
on something right there in the lobby, but really scouting around watching what’s going

00:31:06.560 --> 00:31:10.680
on, like seeing how people get in and out of this office, or are there opportunities

00:31:10.680 --> 00:31:15.120
to tailgate behind someone as they come in or out, and that sort of thing.

00:31:15.120 --> 00:31:19.809
But as they were looking around, they noticed that in this lobby there was a kiosk, a little

00:31:19.809 --> 00:31:23.670
computer that lets visitors check in or gives them information or something.

00:31:23.670 --> 00:31:27.870
Well, this was curious; an unattended computer in the lobby?

00:31:27.870 --> 00:31:30.799
[MUSIC] What’s a couple of pen testers do with that?

00:31:30.799 --> 00:31:32.710
Well, they start messing with it.

00:31:32.710 --> 00:31:37.050
It was running some kind of software that lets users only use this one app, but they

00:31:37.050 --> 00:31:41.610
were able to figure out a way to close that app and get into the operating system on that

00:31:41.610 --> 00:31:42.610
computer.

00:31:42.610 --> 00:31:46.980
JEREMIAH: We were able to access the underlying Windows OS that was running on it and from

00:31:46.980 --> 00:31:51.600
there, there was an exposed USB port on the back of it, and we were able to plug in a

00:31:51.600 --> 00:31:54.400
Bash Bunny to execute the previously-written script.

00:31:54.400 --> 00:31:59.370
JACK: Okay, so a Bash Bunny looks like a normal USB stick, but when you put it into a computer,

00:31:59.370 --> 00:32:01.350
the computer asks hey, what are you?

00:32:01.350 --> 00:32:04.270
The Bash Bunny says oh hi, I’m a keyboard.

00:32:04.270 --> 00:32:08.480
The computer’s like oh, okay, got it; I’ll let you type stuff if you want.

00:32:08.480 --> 00:32:14.430
So, the Bash Bunny has this pre-loaded script and it says okay, here are some key presses,

00:32:14.430 --> 00:32:18.549
and it sends a pre-created set of keystrokes to the computer.

00:32:18.549 --> 00:32:22.770
Well, the computer thinks it’s a keyboard, so it just starts accepting these keystrokes.

00:32:22.770 --> 00:32:27.730
You can do things like open up a command terminal or a program and then start typing commands

00:32:27.730 --> 00:32:28.860
in that.

00:32:28.860 --> 00:32:33.710
In the case of Jeremiah, he made the script open up a word program and start typing on

00:32:33.710 --> 00:32:34.710
the screen.

00:32:34.710 --> 00:32:38.990
It was just enough so that he could take a photo to prove that he has control over this

00:32:38.990 --> 00:32:43.080
computer, because I mean, if you can open up a program on a computer and start typing

00:32:43.080 --> 00:32:46.150
words on the screen, then you have control of that computer, right?

00:32:46.150 --> 00:32:50.920
So, while this kiosk computer didn’t have an actual keyboard connected to it, Jeremiah

00:32:50.920 --> 00:32:54.990
could prove that it’s not locked down and he’s able to plug a keyboard into it and

00:32:54.990 --> 00:32:58.090
take control of that computer, and nobody would stop him.

00:32:58.090 --> 00:33:03.530
They also noted that this kiosk had an Ethernet connection to the wall, and this is interesting

00:33:03.530 --> 00:33:09.160
because this Ethernet jack might be on the same network as the computers inside this

00:33:09.160 --> 00:33:12.350
office, and you don’t even need to go in the office to get into the network.

00:33:12.350 --> 00:33:15.080
But they didn’t plug into this Ethernet jack.

00:33:15.080 --> 00:33:19.200
They wanted to see if they could get into the office now, and after examining the doors

00:33:19.200 --> 00:33:23.290
for a little while, they understood that there’s a key card reader there, and you need to swipe

00:33:23.290 --> 00:33:26.230
your key in order to get the door to unlock.

00:33:26.230 --> 00:33:31.090
But they wanted to see if that was true, so they walked up to the door and tried pulling

00:33:31.090 --> 00:33:32.090
on the handle.

00:33:32.090 --> 00:33:35.980
JEREMIAH: They should have been locked, but as we pulled them, the doors were just unlocked

00:33:35.980 --> 00:33:42.880
this particular day, so we were able to open the doors as they were and walk right into

00:33:42.880 --> 00:33:43.880
the floor.

00:33:43.880 --> 00:33:48.220
JACK: [MUSIC] So, that’s another photo that they took that was going into the report.

00:33:48.220 --> 00:33:52.000
They were able to walk right in through the front door, go up the stairs, and just open

00:33:52.000 --> 00:33:54.710
the office door and go inside the office.

00:33:54.710 --> 00:33:59.040
Now they were in an office where there’s a whole bunch of private information around,

00:33:59.040 --> 00:34:03.130
and now that they’re in this office, they might as well try to see what kind of private

00:34:03.130 --> 00:34:04.800
information they could obtain.

00:34:04.800 --> 00:34:09.850
JEREMIAH: So, at this point we took pictures of us freely being able to open the office

00:34:09.850 --> 00:34:15.450
doors from the lobby and us walking around in the internal office space.

00:34:15.450 --> 00:34:21.160
As we walked through the office, we noted again other network ports, printers, network

00:34:21.160 --> 00:34:29.090
TVs, projects that were being worked on, so things that were written on whiteboards, labels

00:34:29.090 --> 00:34:36.639
that were labeling files that were just out in the open space, different IP addresses

00:34:36.639 --> 00:34:43.740
as we walked through; we were able to map out the IP address schema from IP labels that

00:34:43.740 --> 00:34:50.750
were written and addressed to the printers that were around the office space, looking

00:34:50.750 --> 00:34:55.160
for any other kind of information that could be leveraged in some way.

00:34:55.160 --> 00:34:59.560
So, the whole time we’re walking around, keep in mind, we didn’t have our badges

00:34:59.560 --> 00:35:02.020
on at all.

00:35:02.020 --> 00:35:05.920
We walked by many people, saying hi to folks.

00:35:05.920 --> 00:35:12.280
We even at one point went into the employee break room and grabbed some coffee and kinda

00:35:12.280 --> 00:35:18.120
hung out there for a few minutes just to see if anybody would challenge us, like at all,

00:35:18.120 --> 00:35:21.120
because we were not wearing our badges, again.

00:35:21.120 --> 00:35:24.580
Nobody said anything at any point.

00:35:24.580 --> 00:35:30.890
People kinda said hi, how you doing, nodded at us, but for the most part, nobody ever

00:35:30.890 --> 00:35:32.000
challenged us.

00:35:32.000 --> 00:35:36.320
JACK: I think what worked here is they looked the part and acted with confidence.

00:35:36.320 --> 00:35:41.340
If they dressed differently than the other workers or looked suspicious in some way,

00:35:41.340 --> 00:35:45.340
like the way they were moving around, it would have made them more likely to be stopped.

00:35:45.340 --> 00:35:49.520
There’s something that makes us more accepting of someone if they’re already past the

00:35:49.520 --> 00:35:50.520
security barriers.

00:35:50.520 --> 00:35:53.910
If they’re in the office, they must belong there, right?

00:35:53.910 --> 00:35:56.330
Or else they wouldn’t have been able to get in.

00:35:56.330 --> 00:36:00.740
As they were moving around, they saw an open conference table, a little spot where people

00:36:00.740 --> 00:36:03.730
can gather to do work, but not quite in a conference room.

00:36:03.730 --> 00:36:10.750
JEREMIAH: So, we sat down at this table and we noticed that there were some Ethernet jacks

00:36:10.750 --> 00:36:11.970
on the wall.

00:36:11.970 --> 00:36:18.390
We both had cables that we brought with us and so, we plugged into the wall.

00:36:18.390 --> 00:36:23.280
JACK: [MUSIC] Now, finding an open Ethernet jack could be a gold mine.

00:36:23.280 --> 00:36:27.850
They saw the Wi-Fi networks were in this place, but they didn’t know what the Wi-Fi password

00:36:27.850 --> 00:36:28.850
was.

00:36:28.850 --> 00:36:32.820
But you don’t need a password when you’re plugging into a port on the wall; all you

00:36:32.820 --> 00:36:33.850
need is a cable.

00:36:33.850 --> 00:36:38.590
So, plugging in could potentially get you access into the internal network.

00:36:38.590 --> 00:36:41.400
These Ethernet ports can be configured a lot of ways, though.

00:36:41.400 --> 00:36:45.040
They might give you internal access or they might give you no access at all.

00:36:45.040 --> 00:36:48.710
It’s not a sure thing that just because you’re physically in the office means that

00:36:48.710 --> 00:36:50.970
you’re gonna be able to plug in and use the network.

00:36:50.970 --> 00:36:55.450
A properly-configured office will make it so you can’t just walk up and plug into

00:36:55.450 --> 00:36:57.420
any Ethernet port.

00:36:57.420 --> 00:37:02.920
But they plugged their computers into the Ethernet jacks and saw that the ports were

00:37:02.920 --> 00:37:05.880
alive and gave them IP addresses.

00:37:05.880 --> 00:37:09.950
Then they quickly scanned around the network to see what was on this network, but there

00:37:09.950 --> 00:37:12.100
were no other computers on the network.

00:37:12.100 --> 00:37:17.020
All they could do was access the internet, nothing internal in the office.

00:37:17.020 --> 00:37:22.340
Okay, so this might be a sign that this company was using NAC.

00:37:22.340 --> 00:37:26.980
NAC stands for Network Access Control, and it means that when you plug a computer into

00:37:26.980 --> 00:37:31.900
a port, the router takes a look at your MAC address of your computer to see if that computer

00:37:31.900 --> 00:37:33.330
should have special access.

00:37:33.330 --> 00:37:38.250
A MAC address is the hardware address on an Ethernet port which is on your computer.

00:37:38.250 --> 00:37:42.760
So, this network was checking the computer’s MAC address to see if it was allowed on the

00:37:42.760 --> 00:37:43.760
network.

00:37:43.760 --> 00:37:48.490
If so, it would give you special access, but if not, it would just give you very restricted

00:37:48.490 --> 00:37:49.490
access.

00:37:49.490 --> 00:37:53.540
In this case, since the router didn’t know Jeremiah’s computer’s MAC address, it

00:37:53.540 --> 00:37:58.330
just gave him very restricted network access, sort of like guest access.

00:37:58.330 --> 00:38:00.010
I guess this is good security.

00:38:00.010 --> 00:38:05.020
You want your Ethernet ports to require users to check for some authorization before giving

00:38:05.020 --> 00:38:08.800
them network access, because you don’t want anyone to just be able to walk up and plug

00:38:08.800 --> 00:38:12.810
their computer into any Ethernet jack and get full access to the soft underbelly of

00:38:12.810 --> 00:38:13.810
the network.

00:38:13.810 --> 00:38:19.359
So, if you were a penetration tester and noticed that this network had NAC to restrict your

00:38:19.359 --> 00:38:23.770
access when you plug in, what can you do to bypass this?

00:38:23.770 --> 00:38:29.310
Well, you could find a MAC address that is on the allow list, and you could change your

00:38:29.310 --> 00:38:33.640
computer’s MAC address to be one of those, and you might be able to get in.

00:38:33.640 --> 00:38:41.060
JEREMIAH: So, what we did is we noted a couple of the printers that were there in those locations,

00:38:41.060 --> 00:38:48.420
and we went to those printers and we were able to look up the MACs online for the style

00:38:48.420 --> 00:38:49.420
of printer it was.

00:38:49.420 --> 00:38:53.359
JACK: See, what you need to know about MAC addresses is that the first part of the MAC

00:38:53.359 --> 00:38:55.930
address is assigned to a vendor.

00:38:55.930 --> 00:39:01.550
So, if you had Cisco equipment, every single Ethernet port on all Cisco equipment starts

00:39:01.550 --> 00:39:05.270
with the MAC address 94:36:CC.

00:39:05.270 --> 00:39:08.910
Then the second-half of the MAC address would be different for every Ethernet port, making

00:39:08.910 --> 00:39:10.040
them all different.

00:39:10.040 --> 00:39:15.040
So, Jeremiah saw which types of printers they had and looked up what that vendor’s MAC

00:39:15.040 --> 00:39:19.080
address started with and then changed the MAC address on his computer to be the same

00:39:19.080 --> 00:39:21.470
as what the printer started with.

00:39:21.470 --> 00:39:25.330
Then he tried plugging the Ethernet cable back in to see if he would get a different

00:39:25.330 --> 00:39:31.340
IP, and boom; [MUSIC] this gave him a totally different IP, which gave him totally different

00:39:31.340 --> 00:39:35.290
access, which was the access he needed to get to the inside of this network.

00:39:35.290 --> 00:39:38.110
JEREMIAH: We were ecstatic.

00:39:38.110 --> 00:39:45.000
We were super excited just because well, one, we were able to accomplish a goal, and that

00:39:45.000 --> 00:39:48.460
was to get access to the network.

00:39:48.460 --> 00:39:52.820
Being able to conduct network access bypass with something so simple as changing your

00:39:52.820 --> 00:39:57.980
MAC, one, was super exciting and it was like we totally got a finding out of this.

00:39:57.980 --> 00:39:59.110
It’s crazy.

00:39:59.110 --> 00:40:01.710
JACK: There are other ways to configure NAC.

00:40:01.710 --> 00:40:04.550
I think they got lucky that this worked.

00:40:04.550 --> 00:40:08.599
The network team had to find a more secure way to check if a computer should have this

00:40:08.599 --> 00:40:13.400
sort of network access, such as having a certain registry file on that computer or something

00:40:13.400 --> 00:40:14.400
like that.

00:40:14.400 --> 00:40:21.300
JEREMIAH: So, we gained access to the network, we again took screenshots and photos of our

00:40:21.300 --> 00:40:25.330
steps of what we did to get access to it, we showed that we had access to it, we showed

00:40:25.330 --> 00:40:29.720
that we had an IP, we showed that we were able to navigate the internet while being

00:40:29.720 --> 00:40:31.260
connected to the network.

00:40:31.260 --> 00:40:40.420
We kinda packed up, we disconnected, put our laptops back in our bag, and we went around

00:40:40.420 --> 00:40:46.880
the floor just to kinda look for any additional target of opportunities that we may not have

00:40:46.880 --> 00:40:49.859
noticed before.

00:40:49.859 --> 00:40:55.770
As we were walking around the floor, we noticed there were kinda actually two separate situations

00:40:55.770 --> 00:41:01.490
of individuals who had just kinda walked away from their laptops [MUSIC] and left them unlocked

00:41:01.490 --> 00:41:05.349
and open at their desks.

00:41:05.349 --> 00:41:12.620
We took photos of us sitting at those computers, kinda pretending to plug in a device, because

00:41:12.620 --> 00:41:18.700
again, our organization was very risk-averse and we didn’t want to overstep any boundaries

00:41:18.700 --> 00:41:22.690
of what we’ve been allowed to do up until this point, because we wanted to be able to

00:41:22.690 --> 00:41:25.560
conduct these kinds of operations again in the future.

00:41:25.560 --> 00:41:31.290
So, instead of plugging anything into these particular laptops, we just kinda sat down

00:41:31.290 --> 00:41:35.231
and showed that they were unlocked and we could mess with them if we wanted to, and

00:41:35.231 --> 00:41:39.480
oh, by the way, here’s a Bash Bunny; we just got done plugging one into a kiosk.

00:41:39.480 --> 00:41:42.430
We could plug it into here, too, sort of a thing.

00:41:42.430 --> 00:41:48.640
So, we took photos to prove impact instead of actually having to conduct something on

00:41:48.640 --> 00:41:49.640
those.

00:41:49.640 --> 00:41:51.990
They were already unlocked; we already had access to them.

00:41:51.990 --> 00:41:53.030
Someone had walked away.

00:41:53.030 --> 00:41:57.120
So, we left that floor as we were walking out.

00:41:57.120 --> 00:42:01.770
We went to the elevator, and as we were walking to the elevator, there was someone from the

00:42:01.770 --> 00:42:05.270
other side of the floor that was also walking to the elevator and also happened to be going

00:42:05.270 --> 00:42:06.270
up.

00:42:06.270 --> 00:42:12.450
So, we rode with them in the elevator, kinda said hi, or pleasantries, sort of things,

00:42:12.450 --> 00:42:13.619
nodded.

00:42:13.619 --> 00:42:19.220
We got off on the third floor and as they walked out, I decided I was gonna impromptu

00:42:19.220 --> 00:42:23.859
follow this person and try to see if I can do tailgating to see if they would challenge

00:42:23.859 --> 00:42:27.720
me at all, to see if there were any issues there.

00:42:27.720 --> 00:42:31.880
Sure enough, he walks up, scans his badge, and opens up the door; holds it for me.

00:42:31.880 --> 00:42:37.190
I’m like thanks, appreciate it, and just kinda walked on in, and he never challenged

00:42:37.190 --> 00:42:38.750
me, this particular individual.

00:42:38.750 --> 00:42:43.670
JACK: Jeremiah saw that his coworker, BC, stayed behind in the lobby and was walking

00:42:43.670 --> 00:42:45.930
towards a different set of office doors.

00:42:45.930 --> 00:42:50.349
Jeremiah tried to loop around towards the other doors to let BC in, but when he came

00:42:50.349 --> 00:42:53.970
around the corner, BC was already in the office.

00:42:53.970 --> 00:42:58.840
Apparently those other doors didn’t require a badge to get in, and BC just pulled on them

00:42:58.840 --> 00:42:59.840
and got right in.

00:42:59.840 --> 00:43:04.550
JEREMIAH: [MUSIC] So, I didn’t even need to tailgate in, but I did, and kinda proved

00:43:04.550 --> 00:43:07.080
that that was possible.

00:43:07.080 --> 00:43:11.109
But the doors themselves weren’t locked either, so we could have just opened the doors

00:43:11.109 --> 00:43:12.490
on that floor, too.

00:43:12.490 --> 00:43:14.060
JACK: Another finding for the report.

00:43:14.060 --> 00:43:24.170
JEREMIAH: Yeah, so while we were on the third floor, we kinda focused on doing intelligence-gathering;

00:43:24.170 --> 00:43:29.010
were there any kind of programs that we could identify that were being worked on that maybe

00:43:29.010 --> 00:43:32.270
shouldn’t be public information?

00:43:32.270 --> 00:43:35.920
What other things could we obtain about the programs?

00:43:35.920 --> 00:43:41.880
As we were walking around, we were taking photos of whiteboards, of desks, of paperwork

00:43:41.880 --> 00:43:49.600
on desks, of files, the file names, trying to collect and obtain as much information

00:43:49.600 --> 00:43:57.270
about these programs as we could so that we could then go back and see who these potential

00:43:57.270 --> 00:44:03.220
programs belong to, or what level of sensitivity should really be associated with this kind

00:44:03.220 --> 00:44:06.180
of information.

00:44:06.180 --> 00:44:12.320
We also noted network ports on this floor, whether or not there were people who were

00:44:12.320 --> 00:44:17.990
at their desks with their computers unlocked, or if they were away from their desk and they

00:44:17.990 --> 00:44:23.600
were locked, we just noted those things as well and carried on with the – or used the

00:44:23.600 --> 00:44:26.740
carryover of the previous floor; like hey, if they weren’t there, we could have also

00:44:26.740 --> 00:44:32.750
done it on this floor, too, and hey, by the way, there were these exposed network ports

00:44:32.750 --> 00:44:38.340
in the public-accessible zone inside of the office location as well.

00:44:38.340 --> 00:44:44.240
These are the IP addresses that were associated with printers on this location, that sort

00:44:44.240 --> 00:44:45.240
of thing, right?

00:44:45.240 --> 00:44:48.470
So, we were walking around just very much trying to collect as much information and

00:44:48.470 --> 00:44:52.010
data as we could as to what was being worked on within the location.

00:44:52.010 --> 00:44:55.970
JACK: Once they gathered enough information, they packed up their stuff and headed to the

00:44:55.970 --> 00:44:59.060
office, down the steps, and out the front door.

00:44:59.060 --> 00:45:01.900
Not a single person challenged them the whole time.

00:45:01.900 --> 00:45:06.210
JEREMIAH: [MUSIC] That was a pretty successful day for us.

00:45:06.210 --> 00:45:14.790
One, our team hadn’t conducted a physical penetration test to this measure since I’d

00:45:14.790 --> 00:45:23.010
been there, and two, we wanted to prove an impact to the organization, and three, we

00:45:23.010 --> 00:45:27.570
wanted to make it successful enough that they wanted to conduct these kinds of things going

00:45:27.570 --> 00:45:31.320
forward, because they’re really huge impacts, right?

00:45:31.320 --> 00:45:36.970
Like, if you break these things down, they’re really huge impacts to the organization and

00:45:36.970 --> 00:45:42.780
who the organization works with that could be potentially compromised here from a number

00:45:42.780 --> 00:45:51.840
of avenues, not only for internal business operations but also potentially things that

00:45:51.840 --> 00:45:58.630
affect the government and the Department of Defense in some way, should certain programs

00:45:58.630 --> 00:46:00.660
be compromised.

00:46:00.660 --> 00:46:07.720
Or think of any kind of code that might be worked on at these locations that might be

00:46:07.720 --> 00:46:12.330
incorporated as part of an end product for a certain entity, right?

00:46:12.330 --> 00:46:18.320
If there’s malicious code that’s added to a software development life cycle that’s

00:46:18.320 --> 00:46:25.970
being conducted within the confines of this location, that could be almost like a time-based

00:46:25.970 --> 00:46:30.730
malware or a time-based backdoor that gives someone access to something after the fact,

00:46:30.730 --> 00:46:34.500
maybe six months to a year down the road if they wanted to leverage it.

00:46:34.500 --> 00:46:37.530
There’s a lot of implications from this kind of a thing.

00:46:37.530 --> 00:46:38.530
JACK: Definitely.

00:46:38.530 --> 00:46:43.150
So, you put that in the report and you submit it, and how is it received?

00:46:43.150 --> 00:46:49.670
JEREMIAH: So, this was something that hadn’t been conducted before.

00:46:49.670 --> 00:46:57.500
They were – to put it frank, they kinda – everybody kinda had an ‘oh shit’ moment,

00:46:57.500 --> 00:47:00.470
because it was certainly an avenue that most people didn’t think about.

00:47:00.470 --> 00:47:04.310
It was an avenue that was foreign.

00:47:04.310 --> 00:47:12.800
Again, not many people think malicious entities and/or what they might go through or what

00:47:12.800 --> 00:47:17.099
– the things that they would try to accomplish to prove their goal.

00:47:17.099 --> 00:47:23.440
So obviously, this kinda showcased the ability of the malicious entities to obtain unfettered

00:47:23.440 --> 00:47:25.420
access to a location.

00:47:25.420 --> 00:47:28.160
This was very much an ‘oh shit’ moment for leadership.

00:47:28.160 --> 00:47:32.450
So, what they did after the fact, we found out, was obviously they went through that

00:47:32.450 --> 00:47:33.450
location.

00:47:33.450 --> 00:47:39.950
I spoke with the facility’s management, asked questions as to why these doors weren’t

00:47:39.950 --> 00:47:40.950
locked.

00:47:40.950 --> 00:47:43.980
The next time we were there, the doors were very much locked, and oh, by the way, we didn’t

00:47:43.980 --> 00:47:47.440
have access to it via the badges.

00:47:47.440 --> 00:47:55.340
A lot of things were fixed that we had previously pointed out after the fact.

00:47:55.340 --> 00:47:59.970
JACK: [MUSIC] Leadership was particularly surprised when they saw how easily they got

00:47:59.970 --> 00:48:01.050
control of that kiosk.

00:48:01.050 --> 00:48:05.380
They didn’t know it was possible to take over that computer in the lobby, so they just

00:48:05.380 --> 00:48:07.260
removed it from the lobby.

00:48:07.260 --> 00:48:11.040
They were also really surprised to see them sitting at someone’s computer at an unlocked

00:48:11.040 --> 00:48:15.520
workstation, and how they were able to plug in the Ethernet jacks and bypass NAC to get

00:48:15.520 --> 00:48:17.040
into the inside network.

00:48:17.040 --> 00:48:22.119
The leadership was impressed by Jeremiah and BC, and allowed them to do further testing

00:48:22.119 --> 00:48:24.810
to help keep that place secure.

00:48:24.810 --> 00:48:30.190
Since then, Jeremiah has moved on to a different company called Synack, where he conducts offensive

00:48:30.190 --> 00:48:31.190
operations.

00:48:31.190 --> 00:48:32.190
Alright, very cool.

00:48:32.190 --> 00:48:34.050
Thank you for sharing this with us.

00:48:34.050 --> 00:48:35.150
JEREMIAH: Thanks, man.

00:48:35.150 --> 00:48:36.620
Thanks for having me.

00:48:36.620 --> 00:48:40.720
It’s certainly a pleasure to chat with you.

00:48:40.720 --> 00:48:50.660
(OUTRO): [OUTRO MUSIC] A big thank-you to Jeremiah Roe for sharing this penetration

00:48:50.660 --> 00:48:51.720
test story with us.

00:48:51.720 --> 00:48:54.130
This show is made by me, the dream-weaver, Jack Rhysider.

00:48:54.130 --> 00:48:58.320
Sound design and original music were created by the acrobat, Garrett Tiedemann, editing

00:48:58.320 --> 00:49:02.410
help this episode by the frame-maker, Damienne, and mixing is done by Proximity Sound.

00:49:02.410 --> 00:49:05.820
Our theme music is by the premiere, Breakmaster Cylinder.

00:49:05.820 --> 00:49:12.490
Hey, pop quiz; what weighs more, a gallon of water or a gallon of butane?

00:49:12.490 --> 00:49:15.950
Water weighs more; butane is a lighter fluid.

00:49:15.950 --> 00:49:17.720
This is Darknet Diaries.
