WEBVTT

00:00:01.189 --> 00:00:03.499
JACK: Hey, it’s Jack, host of the show.

00:00:03.499 --> 00:00:05.990
For a while, I was doing photography as a hobby.

00:00:05.990 --> 00:00:08.170
I specifically liked taking pictures of old buildings.

00:00:08.170 --> 00:00:13.000
My town had a lot of old buildings and sometimes at night I would go for a drive looking for

00:00:13.000 --> 00:00:14.700
an old building to photograph.

00:00:14.700 --> 00:00:19.189
I liked going at night because it was quieter and I could light it the way I wanted, making

00:00:19.189 --> 00:00:23.789
extra drama or intrigue to it, and I just feel more active at night.

00:00:23.789 --> 00:00:26.730
I took a drive towards the old part of town.

00:00:26.730 --> 00:00:29.490
It was down by the river and the train tracks.

00:00:29.490 --> 00:00:34.079
There was an abandoned train station which was cool, and an abandoned factory, but also

00:00:34.079 --> 00:00:38.309
a bunch of abandoned houses, some of which looked really interesting.

00:00:38.309 --> 00:00:41.410
[MUSIC] I drove around there, slowly going through the area.

00:00:41.410 --> 00:00:44.170
It was really quiet; no cars or people anywhere.

00:00:44.170 --> 00:00:46.680
I guess this area of town turned more industrial.

00:00:46.680 --> 00:00:50.129
There were factories all around because it was right on the river, and the train tracks

00:00:50.129 --> 00:00:53.379
made it easy to load up stuff and ship it out.

00:00:53.379 --> 00:00:57.129
As I was driving around, I passed by a facility of some kind.

00:00:57.129 --> 00:01:00.769
The place was huge; it covered a few blocks, actually.

00:01:00.769 --> 00:01:03.940
It was some kind of food processing plant.

00:01:03.940 --> 00:01:06.950
One of the larger food distributors in the country was here.

00:01:06.950 --> 00:01:10.619
Maybe some kind of cereal was made there or a beverage or something.

00:01:10.619 --> 00:01:11.970
It was big enough.

00:01:11.970 --> 00:01:16.740
It was a huge property with many big buildings on there, and this place was fortified like

00:01:16.740 --> 00:01:17.740
a prison.

00:01:17.740 --> 00:01:21.560
Like, there were twenty-foot fences with barbed wire and a massive guard gate.

00:01:21.560 --> 00:01:25.930
I drove up to the guard gate just to take a look, but then turned around and kept on

00:01:25.930 --> 00:01:30.750
cruising by because across the street there were some interesting-looking abandoned buildings

00:01:30.750 --> 00:01:36.630
and because nobody was around, I could go as slow as I wanted and just look at them.

00:01:36.630 --> 00:01:41.320
I was driving around and I found an abandoned apartment a block away.

00:01:41.320 --> 00:01:45.479
The front of it had partially fallen off and you could see through the wall to see the

00:01:45.479 --> 00:01:46.729
stairs going up.

00:01:46.729 --> 00:01:47.780
It was wild.

00:01:47.780 --> 00:01:51.009
I parked on the street and got out to take a look.

00:01:51.009 --> 00:01:52.799
I first got out just to take a look around.

00:01:52.799 --> 00:01:58.380
I didn’t even have my camera out, and not one but two police cars swarmed right over

00:01:58.380 --> 00:01:59.380
to me.

00:01:59.380 --> 00:02:03.380
They jumped out of their cars and started asking me questions; what are you doing here?

00:02:03.380 --> 00:02:04.689
Why are you here at night?

00:02:04.689 --> 00:02:06.619
Why are you driving around this part of town?

00:02:06.619 --> 00:02:08.929
I was like, what, what, what?

00:02:08.929 --> 00:02:10.080
I don’t understand.

00:02:10.080 --> 00:02:11.580
Did I do something wrong?

00:02:11.580 --> 00:02:13.660
Tell me, what did I do wrong?

00:02:13.660 --> 00:02:15.150
But they kept grilling me.

00:02:15.150 --> 00:02:17.320
They even called in more cops to come.

00:02:17.320 --> 00:02:20.420
The situation was getting tense and I was scared.

00:02:20.420 --> 00:02:25.980
There were three police cars here and literally no one else for like, a half-mile in any direction.

00:02:25.980 --> 00:02:31.580
Was this a dead-drop location that some drug dealers used and the police were surveilling

00:02:31.580 --> 00:02:33.160
it, waiting for someone just to come?

00:02:33.160 --> 00:02:37.830
Did someone commit a crime nearby and my car matched the description?

00:02:37.830 --> 00:02:40.330
Surely there had to have been some kind of mix-up here.

00:02:40.330 --> 00:02:45.341
I explained that I’m just a hobby photographer here to take pictures, but they didn’t seem

00:02:45.341 --> 00:02:47.629
to think that story was good enough.

00:02:47.629 --> 00:02:52.010
They wanted to see my camera and what other photos were on it, but I hadn’t taken any

00:02:52.010 --> 00:02:54.080
pictures yet, so my memory card was empty.

00:02:54.080 --> 00:02:59.200
I asked them if someone had called the cops on me or what this was about, and that’s

00:02:59.200 --> 00:03:05.220
when they asked me if I had anything to do with that food processing plant a block away.

00:03:05.220 --> 00:03:10.330
That’s when it all clicked in my head; me driving by that food processing plant, slowly

00:03:10.330 --> 00:03:15.480
just checking things out late at night, and then driving by it a few times, that was enough

00:03:15.480 --> 00:03:17.770
to make me look suspicious.

00:03:17.770 --> 00:03:22.280
Food companies take security very seriously because sabotaging the food supply is a serious

00:03:22.280 --> 00:03:26.680
risk, so some security guard thought that something wasn’t right with the way I was

00:03:26.680 --> 00:03:28.860
driving and called the police on me.

00:03:28.860 --> 00:03:32.409
Then, yeah, this was such a big company in this part of town that the police were more

00:03:32.409 --> 00:03:34.440
than happy to come right away.

00:03:34.440 --> 00:03:39.739
I was eventually let go but it took the police quite a while to be convinced that I was harmless.

00:03:39.739 --> 00:03:44.010
I think the only reason they let me go is because there were reports of some other people

00:03:44.010 --> 00:03:46.689
racing cars a couple blocks over.

00:03:46.689 --> 00:03:51.780
But this taught me a lesson that sometimes you have to be careful about looking suspicious

00:03:51.780 --> 00:03:56.760
near certain businesses or neighborhoods late at night.

00:03:56.760 --> 00:04:29.865
(INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet.

00:04:29.865 --> 00:04:31.376
But who are Jon and Brian?

00:04:31.376 --> 00:04:33.096
BRIAN: I’ll kick it off if that’s cool.

00:04:33.096 --> 00:04:34.096
JACK: This is Brian.

00:04:34.096 --> 00:04:35.486
BRIAN: I’m Brian Halbach.

00:04:35.486 --> 00:04:38.226
I’m one of the red-teamers here at RedTeam Security.

00:04:38.226 --> 00:04:41.085
JACK: Ah yes, a red-teamer.

00:04:41.085 --> 00:04:45.266
That means he’s an attacker in an attack training scenario.

00:04:45.266 --> 00:04:49.666
In this case, companies hire him to attack their computer networks or try to physically

00:04:49.666 --> 00:04:54.226
sneak into a building and get into the network that way, because companies want to know if

00:04:54.226 --> 00:04:59.166
there’s any way a real bad guy can get in, which means Brian has to be good at many things.

00:04:59.166 --> 00:05:02.846
BRIAN: Physical pen testing, red-teaming, regular old pen testing.

00:05:02.846 --> 00:05:07.376
I also really love social engineering over the phone and in person.

00:05:07.376 --> 00:05:09.796
JON: My name is Jonathan Studebaker.

00:05:09.796 --> 00:05:12.486
JACK: Jonathan is on the same team as Brian.

00:05:12.486 --> 00:05:13.936
They both work at RedTeam Security.

00:05:13.936 --> 00:05:16.645
JON: Just like Brian, I do a little bit of everything.

00:05:16.645 --> 00:05:24.175
Primary background is in networks, internals, externals, pen tests, web apps, API tests,

00:05:24.175 --> 00:05:28.775
but also the physicals, the social engineering, phishing, stuff like that.

00:05:28.775 --> 00:05:32.456
JACK: Now, when you get hired to break into a company’s networks and buildings for a

00:05:32.456 --> 00:05:34.425
living, it can be exciting.

00:05:34.425 --> 00:05:39.736
They’ve gotta find ways to hack into the network or sneak into the building, get past

00:05:39.736 --> 00:05:43.816
security, and then get access to the most sensitive company information, and then get

00:05:43.816 --> 00:05:44.896
out with it.

00:05:44.896 --> 00:05:49.856
That’s why I wanted to bring them on, to hear a story about when they had to do that.

00:05:49.856 --> 00:05:51.966
They both are really good with computers.

00:05:51.966 --> 00:05:56.895
They can write code, take over computers using exploits, and know quite a bit about tech.

00:05:56.895 --> 00:05:59.986
On top of that, they’re well-trained at bypassing physical security.

00:05:59.986 --> 00:06:04.775
They’re good at getting locked doors open, avoiding cameras, and being able to sneak

00:06:04.775 --> 00:06:08.536
past stuff and social engineer their way into places.

00:06:08.536 --> 00:06:12.525
This story they’re about to share with us takes place when they were both sort of new

00:06:12.525 --> 00:06:13.766
at RedTeam Security.

00:06:13.766 --> 00:06:18.245
BRIAN: This story was both of our big breaks into physical.

00:06:18.245 --> 00:06:22.826
This is when we were earning our stripes and we were on our own.

00:06:22.826 --> 00:06:27.016
So, in the past, I had always been the guy in the background.

00:06:27.016 --> 00:06:32.666
I was the getaway driver in one case, or in another case, they – I was the sheep fed

00:06:32.666 --> 00:06:36.436
to the lions in essentially a social engineering attempt they knew was gonna fail.

00:06:36.436 --> 00:06:41.866
But this was the first time that Jon and I were assigned a full mission and said alright,

00:06:41.866 --> 00:06:46.555
you guys are – you’ve learned everything, you’ve practiced, you know the stuff now.

00:06:46.555 --> 00:06:50.656
Now, go out and apply it, and that’s the – what we’ll be talking about this time.

00:06:50.656 --> 00:06:53.406
JACK: [MUSIC] A new assignment landed in their inboxes.

00:06:53.406 --> 00:06:56.566
A company had hired them to test their security.

00:06:56.566 --> 00:07:01.055
They wanted to see if these guys could find weaknesses in their physical security and

00:07:01.055 --> 00:07:02.055
get in somehow.

00:07:02.055 --> 00:07:06.606
BRIAN: This one company did a lot of different things, so I can’t even put them in one

00:07:06.606 --> 00:07:09.756
industry ‘cause they spanned multiple industries.

00:07:09.756 --> 00:07:15.115
We were in charge of getting into their headquarters building which we deemed to be the last because

00:07:15.115 --> 00:07:16.995
that was actually the most protected.

00:07:16.995 --> 00:07:23.246
They also had these remote different locations that people didn’t actually work at but

00:07:23.246 --> 00:07:29.626
were – had sensitive technical things there that needed to be protected.

00:07:29.626 --> 00:07:35.076
They had a whole perimeter intrusion detection system that’s supposed to detect if somebody

00:07:35.076 --> 00:07:36.076
comes up.

00:07:36.076 --> 00:07:39.596
They had all sorts of different types of security around these different areas.

00:07:39.596 --> 00:07:44.835
They spent a lot of good money and they have people sitting there monitoring it 24/7, and

00:07:44.835 --> 00:07:45.835
that’s where we come in.

00:07:45.835 --> 00:07:48.936
They want us to point out some weaknesses, say hey, you’re doing good in this area

00:07:48.936 --> 00:07:51.305
but maybe this area could be beefed up a little bit more.

00:07:51.305 --> 00:07:55.645
JACK: The assignment seemed pretty straightforward; try to break into their main headquarters

00:07:55.645 --> 00:07:57.446
and four other smaller locations.

00:07:57.446 --> 00:08:00.895
BRIAN: Objective One is definitely, you know, can you get in?

00:08:00.895 --> 00:08:05.116
Objective Two; we actually had two different things we could go – is either look for

00:08:05.116 --> 00:08:08.656
a network connection and we had a bag full of Raspberry Pis that we were able to plug

00:08:08.656 --> 00:08:13.906
in, or we also kinda had calling cards and we would just leave behind a calling card

00:08:13.906 --> 00:08:16.375
as proof that hey, we got this far.

00:08:16.375 --> 00:08:21.875
‘Cause there are certain buildings that they had already tipped us off that hey, don’t

00:08:21.875 --> 00:08:25.966
get into the networking area but just get into this spot over here so we can demonstrate

00:08:25.966 --> 00:08:34.176
impact to the people who get to decide budget, which is often a driving factor of these,

00:08:34.176 --> 00:08:35.926
and just show that we could get into this area.

00:08:35.926 --> 00:08:38.885
JACK: Now, this was mostly a covert mission.

00:08:38.885 --> 00:08:43.526
I mean, the company was paying them and the director of security knew about this, but

00:08:43.526 --> 00:08:48.125
pretty much no one else at this company knew they were coming, which meant that this was

00:08:48.125 --> 00:08:53.536
also a test for their security team to see if they could catch these guys as they tried

00:08:53.536 --> 00:08:54.536
to break in.

00:08:54.536 --> 00:08:57.736
BRIAN: Yeah, we had two contacts; we had the director of security and then somebody else

00:08:57.736 --> 00:09:02.065
that worked for him that – only those two knew that this was going on.

00:09:02.065 --> 00:09:04.666
Everybody else didn’t really know.

00:09:04.666 --> 00:09:09.755
JON: I think it’s also important to mention how we communicate with those clients as we’re

00:09:09.755 --> 00:09:11.286
doing one of these engagements.

00:09:11.286 --> 00:09:16.616
This goes for not just the execution but for the recon and the planning stage.

00:09:16.616 --> 00:09:21.306
We communicate a lot with our clients through the entire experience.

00:09:21.306 --> 00:09:25.815
As soon as we arrive in town, we send them a text or give them a phone call and say hey,

00:09:25.815 --> 00:09:28.646
we’re here, we’re gonna start at this place.

00:09:28.646 --> 00:09:31.556
We give text updates as we’re going.

00:09:31.556 --> 00:09:36.826
I think it’s a pretty important part to this whole thing to ensure the safety of everybody

00:09:36.826 --> 00:09:43.125
involved and make sure that we don’t end up in a sticky situation like Brian was saying,

00:09:43.125 --> 00:09:49.826
going into the wrong door or doing something at the wrong time that could potentially not

00:09:49.826 --> 00:09:51.816
end well for somebody involved.

00:09:51.816 --> 00:09:55.516
JACK: Okay, their marching orders were given, they knew what they needed to do, but there’s

00:09:55.516 --> 00:09:58.706
a lot to do before jumping on a plane and heading to the location.

00:09:58.706 --> 00:10:04.696
BRIAN: [MUSIC] So, yeah, to kinda prepare, we did some mapping out of the facilities

00:10:04.696 --> 00:10:10.226
and the different locations ahead of time using the advanced hacking tool Google Maps.

00:10:10.226 --> 00:10:15.826
Yeah, we did a bunch of OSINT and kinda drew up oh, hey, this is – these are the different

00:10:15.826 --> 00:10:17.236
locations.

00:10:17.236 --> 00:10:21.516
From these old pictures, it looks like there’s cameras here and here, there’s perimeter

00:10:21.516 --> 00:10:25.896
sensors here and here, these are the areas we can probably drive by.

00:10:25.896 --> 00:10:34.516
JON: We also look at social media of employees, try to figure out what the dress code’s

00:10:34.516 --> 00:10:42.346
like, are there any visible badges that we can see, anything that might be helpful.

00:10:42.346 --> 00:10:47.586
A lot of stuff gets posted on social media and Instagram might have a photo of a company

00:10:47.586 --> 00:10:53.745
party but it could also provide insight like there is a room and right behind it, you can

00:10:53.745 --> 00:10:58.745
see – looks like maybe a server closet or something like that.

00:10:58.745 --> 00:11:06.836
You know, so, OSINT is a huge piece; company websites often have lots of imagery or information

00:11:06.836 --> 00:11:08.336
that’s beneficial.

00:11:08.336 --> 00:11:15.406
I like to go to county assessor websites too because oftentimes you can find fairly detailed

00:11:15.406 --> 00:11:20.636
drawings of – if not a complete floor plan, at least partial.

00:11:20.636 --> 00:11:27.796
It gives you some insight into the building and an idea of what you’re gonna be looking

00:11:27.796 --> 00:11:30.146
for when you go for the in-person recon.

00:11:30.146 --> 00:11:35.065
JACK: They spend time collecting information about this company, all of which is available

00:11:35.065 --> 00:11:39.055
publicly for anyone to see, anything that might give them a better knowledge of the

00:11:39.055 --> 00:11:40.565
building or the people inside.

00:11:40.565 --> 00:11:45.195
This way they could be prepared, but they didn’t find much on social media.

00:11:45.195 --> 00:11:50.016
Perhaps this company had a policy not to post about work on social media because that could

00:11:50.016 --> 00:11:51.185
be a security risk.

00:11:51.185 --> 00:11:56.146
BRIAN: I guess the one really good piece of information was they have a fleet of cars

00:11:56.146 --> 00:12:01.986
and trucks, and from these Google photos, we were able to see the color of their cars

00:12:01.986 --> 00:12:07.216
and trucks, so we were able to actually get a rental to potentially blend in.

00:12:07.216 --> 00:12:10.486
JACK: Because they weren’t finding any good information online that would give them a

00:12:10.486 --> 00:12:15.736
clear way in, they decided to fly out to this place in person to gather more information

00:12:15.736 --> 00:12:16.736
on the facilities.

00:12:16.736 --> 00:12:20.676
BRIAN: Our first trip out there, before the trip for us to actually break in, was just

00:12:20.676 --> 00:12:22.796
us scoping everything out in person.

00:12:22.796 --> 00:12:29.296
So, that’s what we did first and we went and got a rental car and drove to these locations.

00:12:29.296 --> 00:12:33.916
JACK: Now, what they aim to do here is to get a better understanding of each facility

00:12:33.916 --> 00:12:39.255
that they need to break into without breaking into any; just sort of drive by, take pictures,

00:12:39.255 --> 00:12:42.755
watch for patterns of who’s coming and going and at what times.

00:12:42.755 --> 00:12:45.026
Maybe this can give them a better plan for how to get in.

00:12:45.026 --> 00:12:49.206
BRIAN: So, we were driving around the different locations and we waited until their business

00:12:49.206 --> 00:12:50.616
had closed up.

00:12:50.616 --> 00:12:52.885
Yeah, we did a whole bunch of nighttime recon.

00:12:52.885 --> 00:12:55.366
We went out to each of the five locations.

00:12:55.366 --> 00:13:00.616
We were trying to take covert pictures, covert videos for noting all the important, different

00:13:00.616 --> 00:13:05.246
spots of the different perimeter protections they have in place, where all the cameras

00:13:05.246 --> 00:13:09.536
are, the different sensors they have and all that kinda stuff, and mapping it all out.

00:13:09.536 --> 00:13:15.546
[MUSIC] Then in the morning, our point of contact sends us via text some nice pictures

00:13:15.546 --> 00:13:20.185
of our faces that their Security Operations Center took of us as we were driving around

00:13:20.185 --> 00:13:21.396
to all these different locations.

00:13:21.396 --> 00:13:22.646
JACK: What?

00:13:22.646 --> 00:13:25.456
They got busted in their recon phase?

00:13:25.456 --> 00:13:27.086
This was not supposed to happen.

00:13:27.086 --> 00:13:29.586
They didn’t go on any of the properties.

00:13:29.586 --> 00:13:33.656
They only drove by taking photos in a sort of covert way.

00:13:33.656 --> 00:13:37.046
BRIAN: Actually, what they said tipped them off was we drove by in the same rental

00:13:37.046 --> 00:13:39.366
car three times.

00:13:39.366 --> 00:13:44.266
They had a security operator who’s watching cameras and said hey, there’s a rental car

00:13:44.266 --> 00:13:48.635
that is driving in circles around all of our locations.

00:13:48.635 --> 00:13:52.626
That’s when they kinda got put on alert to hey, something weird might be happening.

00:13:52.626 --> 00:13:57.046
JACK: So, their security team were able to use the cameras on the buildings to zoom in

00:13:57.046 --> 00:13:59.976
and get good, clear photos of both of them driving around.

00:13:59.976 --> 00:14:01.856
Their cover was blown.

00:14:01.856 --> 00:14:08.055
BRIAN: Yep, it’s like, you were trying to be covert but you still stood out and you

00:14:08.055 --> 00:14:09.055
got flagged.

00:14:09.055 --> 00:14:11.635
So, at that point we’re like oh, shoot.

00:14:11.635 --> 00:14:15.185
So, we actually went and we switched rental cars.

00:14:15.185 --> 00:14:18.796
We’re like hey, they’re already on the lookout for this car and they’re looking

00:14:18.796 --> 00:14:24.096
– they’re on the lookout for us dressed the way we were, so we went and we drove – I

00:14:24.096 --> 00:14:30.236
don’t know, we drove like an hour to the closest rental place and then said hey, we

00:14:30.236 --> 00:14:31.236
need a new car.

00:14:31.236 --> 00:14:37.625
We came up with some BS excuse, got a new car that looked totally different, then also

00:14:37.625 --> 00:14:39.096
went and bought different clothes.

00:14:39.096 --> 00:14:45.886
So, now we are in a car that looks like a local car that has local state plates on it,

00:14:45.886 --> 00:14:54.216
went to the local Walmart and bought clothes for the school that was in the same town in

00:14:54.216 --> 00:14:58.206
hopes that now we’re gonna blend in a little bit more ‘cause they’re looking for somebody

00:14:58.206 --> 00:15:02.365
in a blue car driving around and now we are in a white car and we are wearing – and

00:15:02.365 --> 00:15:06.255
we have plates of the same state and we’re wearing completely different clothes that

00:15:06.255 --> 00:15:11.636
hopefully help us blend in, ‘cause – I got a hat for the local school and everything

00:15:11.636 --> 00:15:15.375
to make it look like I belonged.

00:15:15.375 --> 00:15:23.805
JON: Even though we got caught, it was still super-useful information because it let us

00:15:23.805 --> 00:15:32.966
know that they had really phenomenal security cameras and a very vigilant security and staff

00:15:32.966 --> 00:15:41.776
who were looking out for things like this, and so, it really helped us plan for the execution

00:15:41.776 --> 00:15:48.106
stage, like how we avoid these cameras and how do we avoid being spotted?

00:15:48.106 --> 00:15:52.286
Because I think when they took those pictures of us, we were about a block and a half away

00:15:52.286 --> 00:15:54.136
from the actual building.

00:15:54.136 --> 00:15:55.316
JACK: Wow.

00:15:55.316 --> 00:15:58.846
JON: Yeah, really phenomenal cameras, yeah.

00:15:58.846 --> 00:16:05.966
BRIAN: They essentially had a very tall vantage point that they planted this amazing pan-tilt-zoom

00:16:05.966 --> 00:16:12.445
camera on and were probably able to zoom due to also the elevation, over half a mile, and

00:16:12.445 --> 00:16:15.586
get a nice, clear photo of the both of us.

00:16:15.586 --> 00:16:21.966
Yeah, we realized hey, we need to get out of the vantage point of this tower that has

00:16:21.966 --> 00:16:23.135
this camera on it also.

00:16:23.135 --> 00:16:26.046
JACK: Oh my gosh, these guys are really good.

00:16:26.046 --> 00:16:30.565
Yeah, there’s gotta be some stress going through your mind of like, oh my gosh, do

00:16:30.565 --> 00:16:33.606
we look like amateurs to this point of contact?

00:16:33.606 --> 00:16:36.915
Are we totally burnt?

00:16:36.915 --> 00:16:40.576
You know, you’ve probably – running through your head like oh crap, we want to look good

00:16:40.576 --> 00:16:43.836
here and we’re already screwing up and we haven’t even started.

00:16:43.836 --> 00:16:45.886
BRIAN: Yeah, that’s kind of exactly what I was thinking.

00:16:45.886 --> 00:16:47.695
I was like oh, shoot, this guy’s gonna hate us.

00:16:47.695 --> 00:16:50.815
He’s gonna be like oh, we got some amateurs on here.

00:16:50.815 --> 00:16:57.766
‘Cause, I mean, we also brought a camera that has a nice, long-range zoom on it.

00:16:57.766 --> 00:17:02.915
There’s different techniques that we can use for covert observation.

00:17:02.915 --> 00:17:07.086
We just read the situation wrong from our OSINT, thinking that hey, we know we need

00:17:07.086 --> 00:17:10.946
to blend in but we didn’t think that we needed to go full stealth-mode on this whole

00:17:10.946 --> 00:17:12.525
recon operation.

00:17:12.525 --> 00:17:17.926
So, yeah, a learning opportunity for us but honestly, it was just great on them for being

00:17:17.926 --> 00:17:22.486
able to recognize that hey, there’s a weird rental car that’s clearly circulating around

00:17:22.486 --> 00:17:23.706
our different locations.

00:17:23.706 --> 00:17:27.456
JACK: Now, still at this time, only their point of contact knows what these guys are

00:17:27.456 --> 00:17:28.456
up to.

00:17:28.456 --> 00:17:32.775
The actual security team inside has no idea that this is just a test and is treating this

00:17:32.775 --> 00:17:33.775
very seriously.

00:17:33.775 --> 00:17:37.946
So, Brian and Jon took extra precautions to finish up their recon phase without being

00:17:37.946 --> 00:17:40.506
caught again and went back home.

00:17:40.506 --> 00:17:42.076
They came up with a plan of action.

00:17:42.076 --> 00:17:45.896
They told their point of contact everything; how they’re gonna try to get in, what weaknesses

00:17:45.896 --> 00:17:47.956
they saw in their recon, and more.

00:17:47.956 --> 00:17:52.296
At the same time, they waited a few weeks as a cool-down period, knowing that security

00:17:52.296 --> 00:17:56.405
team might be on high alert, looking for two guys driving by over and over, wondering what

00:17:56.405 --> 00:17:57.535
they were up to.

00:17:57.535 --> 00:18:01.146
They got their plan approved and a date set for them to come back.

00:18:01.146 --> 00:18:05.285
They specifically requested their point of contact notify local law enforcement so the

00:18:05.285 --> 00:18:10.645
police know that this is a test, because this was a major business in a somewhat small town,

00:18:10.645 --> 00:18:15.056
and so, the police might give extra-special attention at protecting a company like this.

00:18:15.056 --> 00:18:19.516
So, with their plan approved, they started packing for the execution portion of this

00:18:19.516 --> 00:18:24.265
assignment, but what do you bring with you to try to break into a very high-security

00:18:24.265 --> 00:18:25.265
building?

00:18:25.265 --> 00:18:28.336
Well, Jon and Brian have a checklist for that.

00:18:28.336 --> 00:18:33.466
BRIAN: So, we actually have what’s called a pack-in and pack-out list so that we don’t

00:18:33.466 --> 00:18:34.466
actually forget things.

00:18:34.466 --> 00:18:39.426
Oftentimes, we pack a lot more things than we think we’ll need because we’d rather

00:18:39.426 --> 00:18:42.836
have it and not need it than all of a sudden be like oh, shoot, we really need this piece

00:18:42.836 --> 00:18:46.395
of equipment and then it’s a couple thousand miles away.

00:18:46.395 --> 00:18:49.426
Jon, do you have the pack-in and pack-out list, or…?

00:18:49.426 --> 00:18:50.426
I think they’re…

00:18:50.426 --> 00:18:51.496
JON: Yeah, I’m gonna…

00:18:51.496 --> 00:18:53.846
BRIAN: ‘Cause then we can give you an actual list.

00:18:53.846 --> 00:18:58.556
JON: Alright, I did find that load-out list for this particular one.

00:18:58.556 --> 00:19:05.926
[MUSIC] So, in this case, we brought some long-range RFID readers for cloning badges

00:19:05.926 --> 00:19:13.915
like entry-access badges, we packed a LANstar, we packed a Proxmark III for cloning RFID

00:19:13.915 --> 00:19:21.206
cards, we had a very small wireless router, we brought some shortwave radios for communication,

00:19:21.206 --> 00:19:26.196
a set of binoculars, a couple sets of night vision goggles.

00:19:26.196 --> 00:19:32.246
We use those for a couple different purposes; one of which is seeing when it’s dark at

00:19:32.246 --> 00:19:37.556
night, but the other thing they’re really great for is if the client has night vision

00:19:37.556 --> 00:19:39.446
cameras of their own.

00:19:39.446 --> 00:19:46.766
They emit infrared light out of a little LED, typically, and you can see that with the night

00:19:46.766 --> 00:19:50.775
vision goggles, so pretty much stands out like a beacon.

00:19:50.775 --> 00:19:52.066
We use that for night recon.

00:19:52.066 --> 00:19:57.706
In this case, went to each location with those night vision goggles and looked around to

00:19:57.706 --> 00:20:00.946
see if we could see any interesting points of light that maybe shouldn’t have been

00:20:00.946 --> 00:20:04.186
there that could have been cameras.

00:20:04.186 --> 00:20:05.946
A bag of Raspberry Pis…

00:20:05.946 --> 00:20:10.206
JACK: A bag of Raspberry Pis; now, they’re not bringing along tasty snacks.

00:20:10.206 --> 00:20:14.256
A Raspberry Pi is a little computer which is super-cheap and it’s about the size of

00:20:14.256 --> 00:20:15.396
a wallet.

00:20:15.396 --> 00:20:19.896
Its small size means you can plug it in and hide it behind a plant or a table so it won’t

00:20:19.896 --> 00:20:20.896
be seen.

00:20:20.896 --> 00:20:23.786
They’ve got these things pre-configured to phone home as soon as they’re plugged

00:20:23.786 --> 00:20:24.786
in.

00:20:24.786 --> 00:20:28.046
So, if they get into a building and they see an open Ethernet port, they can plug in their

00:20:28.046 --> 00:20:32.826
Raspberry Pi into the network and potentially have internal access into this network.

00:20:32.826 --> 00:20:40.246
JON: Yeah, so, all the bypass tools for actually getting in, so we brought some under-the-door

00:20:40.246 --> 00:20:45.726
tools, brought some double door tools, we brought a couple of sets of lock picks, hand-held

00:20:45.726 --> 00:20:47.636
flashlights, cameras, GoPros.

00:20:47.636 --> 00:20:51.566
There’s a tool that we refer to as a Shovit tool.

00:20:51.566 --> 00:20:55.076
It’s also known as a…what do they call it, Brian?

00:20:55.076 --> 00:20:57.076
A mini jim?
BRIAN: Yeah.

00:20:57.076 --> 00:20:59.626
JON: It’s kinda like a Slim Jim.

00:20:59.626 --> 00:21:04.526
It’s a thin piece of metal with a hook on it and we use it to bypass doors.

00:21:04.526 --> 00:21:10.706
I brought a bunch of LAN cables, we also brought a whole bunch of disguise-type gear for social

00:21:10.706 --> 00:21:12.756
engineering like safety vests…

00:21:12.756 --> 00:21:14.066
BRIAN: …hard hats.

00:21:14.066 --> 00:21:19.226
JON: …hard hats, we brought a couple of ladders because some of the locations we were

00:21:19.226 --> 00:21:23.656
trying to get into had barbed wire fences.

00:21:23.656 --> 00:21:27.456
That was really the only access in, was going over a fence.

00:21:27.456 --> 00:21:29.236
JACK: Well, you can’t take a ladder on a plane.

00:21:29.236 --> 00:21:33.436
JON: Well, so, there’s a couple of different solutions for that.

00:21:33.436 --> 00:21:41.046
So, we have a…it’s like a periscoping ladder that collapses down to a little – it’s

00:21:41.046 --> 00:21:45.516
about two feet by eighteen inches, maybe.

00:21:45.516 --> 00:21:51.406
It’ll expand up to ten feet which is typically good enough to get over a fence.

00:21:51.406 --> 00:21:58.015
Then we also bring a fire escape ladder sometimes for the getting down, ‘cause we can hook

00:21:58.015 --> 00:22:02.486
them on the top of the fence and then just go over and get down that way.

00:22:02.486 --> 00:22:06.956
BRIAN: Or in the past, sometimes we would have so much equipment that we couldn’t

00:22:06.956 --> 00:22:12.767
fit the periscoping ladder, so we would actually go to a hardware store, buy the ladder, buy

00:22:12.767 --> 00:22:17.035
other equipment, use it for breaking in, and then when we’re done, return it.

00:22:17.035 --> 00:22:21.726
JACK: I just picture this place in your office somewhere that has all these tools and you’re

00:22:21.726 --> 00:22:25.546
just shopping around like oh yeah, we’re gonna need that, we’re gonna need that,

00:22:25.546 --> 00:22:26.596
let’s grab a couple of those.

00:22:26.596 --> 00:22:27.596
BRIAN: Yeah.

00:22:27.596 --> 00:22:32.136
We actually got a big old storage unit just full of physical equipment.

00:22:32.136 --> 00:22:33.136
Yeah.

00:22:33.136 --> 00:22:34.926
Fun stuff, fun toys.

00:22:34.926 --> 00:22:41.566
JON: [MUSIC] So, I mentioned the barbed wire fences, so we also brought a heavy wool blanket.

00:22:41.566 --> 00:22:46.876
Once we climb up with the ladder, we toss the wool blanket over, set down our other

00:22:46.876 --> 00:22:51.046
ladder on the other side, and then that allows us to get over there without ripping our clothes

00:22:51.046 --> 00:22:54.966
open or ourselves open.

00:22:54.966 --> 00:23:01.336
We brought along a borescope, basically a little camera that interacts with our cell

00:23:01.336 --> 00:23:06.666
phones, lets us see sometimes under doors or just through small gaps or around corners.

00:23:06.666 --> 00:23:10.636
Let’s see, we brought some lanyards along.

00:23:10.636 --> 00:23:14.206
This is if we were able to successfully clone badges.

00:23:14.206 --> 00:23:16.946
We brought a plug-spinner which is a tool.

00:23:16.946 --> 00:23:22.956
If you pick a lock and if you accidentally pick the lock in the wrong direction where

00:23:22.956 --> 00:23:28.346
it’s either not gonna open the door or unlock the lock, a plug-spinner is a device that’s

00:23:28.346 --> 00:23:35.426
got a spring in it and it basically – you pick your lock open and then insert the plug-spinner,

00:23:35.426 --> 00:23:41.076
and then when you release the spring, it spins it fast enough in the opposite direction that

00:23:41.076 --> 00:23:42.836
the pins won’t engage again.

00:23:42.836 --> 00:23:45.096
So, that can be a really handy tool.

00:23:45.096 --> 00:23:52.426
It’s also really handy to re-lock a door if you are leaving.

00:23:52.426 --> 00:23:57.996
We also brought a [00:25:00] hinge pin tool which is basically a little spring-loaded

00:23:57.996 --> 00:24:00.316
piece of metal.

00:24:00.316 --> 00:24:08.536
So, say you get to an – maybe an interior door but it’s locked and you – say it’s

00:24:08.536 --> 00:24:13.346
their secure room and the hinges are mounted on the wrong side; they’re outside.

00:24:13.346 --> 00:24:17.765
You can actually use this little spring-loaded tool, pop the pins out of the hinges, and

00:24:17.765 --> 00:24:22.135
then you can just take the door off.

00:24:22.135 --> 00:24:28.446
We also brought some tools which are similar to the Shovit tool that I mentioned earlier.

00:24:28.446 --> 00:24:33.316
Oh, a set of common keys which we also used on this engagement.

00:24:33.316 --> 00:24:42.785
There’s certain keys that are used a lot from – so, I’ll give you an example.

00:24:42.785 --> 00:24:50.426
Linear and DoorKing keys, so these are automated gate systems where you’re – you maybe

00:24:50.426 --> 00:24:55.796
go up and you enter in a pin on a pinpad, and it’ll raise your gate up or open your

00:24:55.796 --> 00:24:56.826
gate.

00:24:56.826 --> 00:25:03.385
Well, these DoorKings and the Linears, they’re very frequently keyed using basically a generic

00:25:03.385 --> 00:25:07.145
key that you can buy on eBay or Amazon.

00:25:07.145 --> 00:25:12.655
So, we brought some of those along and managed to use those on this engagement.

00:25:12.655 --> 00:25:17.186
Then, we also bring along other things like toolkits.

00:25:17.186 --> 00:25:21.255
On occasion something breaks and we need to repair it.

00:25:21.255 --> 00:25:28.316
Usually one of our tools is a problem, so we packed a multimeter in this case, and the

00:25:28.316 --> 00:25:32.946
reason for that is one of our long-range RFID readers was kinda fritzing out.

00:25:32.946 --> 00:25:38.736
I think a wire was coming loose, and so, being able to troubleshoot that while you’re there

00:25:38.736 --> 00:25:44.496
and not having to try to track down a multimeter and figure out those issues or if you need

00:25:44.496 --> 00:25:49.966
a custom wrench for something or something like that, so bring that kinda stuff along.

00:25:49.966 --> 00:25:52.066
I believe Brian brought his SEARAT.

00:25:52.066 --> 00:25:53.496
It’s on this list.

00:25:53.496 --> 00:25:54.496
BRIAN: Yeah.

00:25:54.496 --> 00:26:01.876
A SEARAT is just an entry tool that’s typically used by fire departments.

00:26:01.876 --> 00:26:06.116
Only in our case, we’re using it to get into places, different places.

00:26:06.116 --> 00:26:09.596
It’s kind of an all-in-one entry tool which is a lot of fun.

00:26:09.596 --> 00:26:15.876
It’s got the Shovit knife, a key blade, a window-breaker, gas shut-off, lots of other

00:26:15.876 --> 00:26:17.275
fun stuff.

00:26:17.275 --> 00:26:20.466
It’s your all-in-one entry tool, kind of.

00:26:20.466 --> 00:26:25.086
JACK: Alright, so you – man, you guys really packed it in.

00:26:25.086 --> 00:26:27.386
This sounds like five bags worth of stuff.

00:26:27.386 --> 00:26:32.386
BRIAN: I think it was probably just two bags, but yes.

00:26:32.386 --> 00:26:35.696
We had everything – everything kinda had its own little compartment and its spot, so

00:26:35.696 --> 00:26:40.486
we knew where to go to get different items so we wouldn’t be scrambling in the dark.

00:26:40.486 --> 00:26:45.276
JACK: Okay, so, at this point they did the recon, created a plan, got it approved, packed

00:26:45.276 --> 00:26:52.063
their bags, and flew to this town.

00:26:52.063 --> 00:26:56.093
Brian and Jon flew to the town where all five target buildings are located.

00:26:56.093 --> 00:26:59.323
They arrive and get settled, and then start getting to work.

00:26:59.323 --> 00:27:04.143
BRIAN: [MUSIC] We spent the entire day going around this town trying to find its – the

00:27:04.143 --> 00:27:07.673
employees of this company and clone their badges.

00:27:07.673 --> 00:27:11.103
JACK: This would be great if they could get an employee badge.

00:27:11.103 --> 00:27:15.603
These little badges typically contain RFID circuitry in them, so when waved at certain

00:27:15.603 --> 00:27:16.863
doors, it’ll open the door.

00:27:16.863 --> 00:27:21.363
Brian and Jon know they will need to try to get past doors, so having a badge to get in

00:27:21.363 --> 00:27:22.523
could be gold.

00:27:22.523 --> 00:27:26.753
They brought an RFID cloning device, so they really just need to get close to someone’s

00:27:26.753 --> 00:27:30.762
badge, like a foot or two away, and if they can do that, they can make a copy of it without

00:27:30.762 --> 00:27:32.673
that person knowing a copy was just made.

00:27:32.673 --> 00:27:36.303
BRIAN: Which was – [00:30:00] normally it’s a very feasible activity.

00:27:36.303 --> 00:27:41.743
It’s a lot more difficult of an activity when there’s a pandemic going on and you’re

00:27:41.743 --> 00:27:44.693
not supposed to be getting within six feet of people.

00:27:44.693 --> 00:27:49.193
But our long-range reader was on the fritz and we needed to get about two feet away from

00:27:49.193 --> 00:27:50.193
them.

00:27:50.193 --> 00:27:56.283
JACK: So, back up a second; how would you find someone who works there around town?

00:27:56.283 --> 00:28:01.723
BRIAN: Oh, so, we staked out their headquarters and we waited for their employees to drive

00:28:01.723 --> 00:28:06.813
off for lunch or drive off for – to other locations throughout the city that they’d

00:28:06.813 --> 00:28:09.262
have to go to do their jobs.

00:28:09.262 --> 00:28:16.673
We would follow them in our car and then we would bump into them around town because,

00:28:16.673 --> 00:28:23.394
yeah, we don’t want to tip our hand yet and try to just – well, everybody knew everybody

00:28:23.394 --> 00:28:26.263
at the headquarters, so we didn’t want to tip our hand there.

00:28:26.263 --> 00:28:30.183
So, we followed the employees as they would go around town and then clone their badges

00:28:30.183 --> 00:28:35.293
as they were waiting in line at a coffee shop or if they were going somewhere for lunch.

00:28:35.293 --> 00:28:41.083
JACK: Oh, that’s villainous, if you ask me.

00:28:41.083 --> 00:28:43.693
BRIAN: Yes, it kind of is.

00:28:43.693 --> 00:28:49.983
JACK: So, some poor guy is just, yeah, randomly picked ‘cause he was going for coffee and

00:28:49.983 --> 00:28:52.713
now he’s gonna be the door in.

00:28:52.713 --> 00:28:58.183
So, were you able to get close enough to scan, or how did it – what happened there?

00:28:58.183 --> 00:29:04.323
BRIAN: So, we had several occasions where we thought we were close enough to scan.

00:29:04.323 --> 00:29:08.693
Our long-range reader is actually in a laptop bag and it’s – it vibrates when we get

00:29:08.693 --> 00:29:11.103
a read.

00:29:11.103 --> 00:29:17.303
We never got a good read on the employees mostly because, well, because of the pandemic

00:29:17.303 --> 00:29:20.833
nobody was going into any coffee shops or restaurants.

00:29:20.833 --> 00:29:24.203
People were just hitting up the drive-through or they were going in and out of a shop real

00:29:24.203 --> 00:29:28.615
quickly and we just weren’t – and they were leaving the badges in the car or other

00:29:28.615 --> 00:29:33.992
areas and then we weren’t ever able to get a good read which was very surprising.

00:29:33.992 --> 00:29:38.762
That’s oftentimes our entry into all these locations is hey, we just got reads off of

00:29:38.762 --> 00:29:40.203
five different employees.

00:29:40.203 --> 00:29:44.323
Well, the pandemic actually made a lot of companies more secure because of that.

00:29:44.323 --> 00:29:50.463
JACK: What does it look like if you were – if I was the – your target and I’m getting

00:29:50.463 --> 00:29:54.892
some coffee and I look behind me and I see you trying to read my badge, what does it

00:29:54.892 --> 00:29:56.763
look like when you’re doing that?

00:29:56.763 --> 00:30:01.863
Are you just holding a bag, looking off in the distance or are you sitting at a table

00:30:01.863 --> 00:30:06.313
with a wire going to a bag and that’s on a chair that’s – you’re pushing closer

00:30:06.313 --> 00:30:08.363
and closer to me, or…?

00:30:08.363 --> 00:30:12.963
BRIAN: Well, normally these are pretty good long-range readers, so I don’t even have

00:30:12.963 --> 00:30:14.213
to get that close to you.

00:30:14.213 --> 00:30:19.323
If we’re in line in a coffee shop, if I can just step at the right angle to your badge,

00:30:19.323 --> 00:30:20.392
I can get a read.

00:30:20.392 --> 00:30:25.343
So, I’ll just put my phone up; I’ll be on a phone call and kinda pace back and forth

00:30:25.343 --> 00:30:31.402
as I’m talking on the phone, just naturally as somebody may in a coffee shop, try not

00:30:31.402 --> 00:30:37.113
to disturb everybody else, and just kinda pace around until I can feel my bag vibrate.

00:30:37.113 --> 00:30:38.923
I don’t have to hold it up.

00:30:38.923 --> 00:30:40.303
I don’t usually have to adjust it.

00:30:40.303 --> 00:30:44.793
I can pull on the strap and let it go up and down if needed, if that will help.

00:30:44.793 --> 00:30:49.563
But yeah, a lot of times I’m just walking around with my laptop bag having a phone call

00:30:49.563 --> 00:30:54.733
and if I get close enough and get the right angle and I’m a couple feet away, I’ll

00:30:54.733 --> 00:30:55.733
get a good read.

00:30:55.733 --> 00:30:59.943
JACK: So, despite following multiple people out of the building, they didn’t get to

00:30:59.943 --> 00:31:02.083
clone anyone’s badge that day.

00:31:02.083 --> 00:31:06.074
I guess the security tip here is if you don’t want your badge to be cloned, don’t bring

00:31:06.074 --> 00:31:08.532
it to public places like coffee shops.

00:31:08.532 --> 00:31:11.402
So, they waited for night to hit up the first building.

00:31:11.402 --> 00:31:15.193
Each of the buildings they’re supposed to test are within fifteen miles of each other,

00:31:15.193 --> 00:31:18.363
and they were going to try to hit all five locations in the same night.

00:31:18.363 --> 00:31:22.252
BRIAN: [MUSIC] We arranged the locations ‘cause we gotta pick which order we were gonna break

00:31:22.252 --> 00:31:23.252
into in.

00:31:23.252 --> 00:31:28.983
We arranged them in the order that we thought would be most to least successful, hoping

00:31:28.983 --> 00:31:34.433
that we would start around midnight and then about 4:00 AM, that the SOC team – since

00:31:34.433 --> 00:31:37.843
it’s a 24-hour SOC and they’re working 12-hour shifts, that their – it’s hopefully

00:31:37.843 --> 00:31:42.002
about the end of their 12-hour shift and they’re gonna be getting sleepy at the end of it.

00:31:42.002 --> 00:31:47.293
So, we wanted to target our last location in conjunction with when we were thinking

00:31:47.293 --> 00:31:49.093
the SOC team may be slipping.

00:31:49.093 --> 00:31:53.423
JACK: The SOC, or S-O-C, stands for Security Operations Center.

00:31:53.423 --> 00:31:57.652
This is where people are sitting watching cameras and computers for alerts in the network

00:31:57.652 --> 00:31:58.782
and facility.

00:31:58.782 --> 00:32:03.583
This was actually a joint SOC which watches both physical and network security problems.

00:32:03.583 --> 00:32:08.393
Jon and Brian know they have to defeat the people and computers and cameras in the SOC

00:32:08.393 --> 00:32:09.933
in order to be successful.

00:32:09.933 --> 00:32:15.183
So, they figured the overnight team was probably smaller and maybe less focused, because staring

00:32:15.183 --> 00:32:19.872
at monitors all night when nothing is happening can be boring to the point where you start

00:32:19.872 --> 00:32:20.872
getting distracted.

00:32:20.872 --> 00:32:27.413
BRIAN: Yeah, so, Location One was in a residential neighborhood and what they were trying to

00:32:27.413 --> 00:32:33.622
protect in this thing was this shed that held important equipment including radio and transmitting

00:32:33.622 --> 00:32:38.923
equipment [00:35:00] that would be bad if it was damaged by an outsider or if someone

00:32:38.923 --> 00:32:42.163
was able to put an implant in and take control of.

00:32:42.163 --> 00:32:44.573
JACK: This was a facility that didn’t have any staff.

00:32:44.573 --> 00:32:49.932
It was basically just a locked shed, but with a tall fence with barbed wire around the perimeter.

00:32:49.932 --> 00:32:53.053
BRIAN: It was actually in a residential area.

00:32:53.053 --> 00:32:58.853
We were less concerned also about the police and more concerned about potentially the neighbors

00:32:58.853 --> 00:33:03.673
taking matters into their own hands, because this was also close to around the time of

00:33:03.673 --> 00:33:05.663
civil unrest in America.

00:33:05.663 --> 00:33:12.373
So, I was more concerned about the neighbors thinking that I’m some radical super-soldier

00:33:12.373 --> 00:33:17.193
breaking into their neighborhood instead of just me doing my little security testing,

00:33:17.193 --> 00:33:20.913
so we’re – I personally was more concerned about the neighbors for this one location

00:33:20.913 --> 00:33:26.353
than I was about the police, just ‘cause from our recon it looked like they had very

00:33:26.353 --> 00:33:30.204
minimal perimeter detections on this.

00:33:30.204 --> 00:33:34.793
There was a sign that said there were cameras, but we didn’t see any cameras.

00:33:34.793 --> 00:33:38.962
We scoped out around it; there was a sign that said it had these other protections but

00:33:38.962 --> 00:33:42.743
we never saw anything being actually actively implemented.

00:33:42.743 --> 00:33:50.083
They had the signs there to say it’s there, but we didn’t really think that it was.

00:33:50.083 --> 00:33:57.933
[MUSIC] We showed up late at night when it’s dark, parked a couple blocks away and walked

00:33:57.933 --> 00:33:59.003
up to this area.

00:33:59.003 --> 00:34:05.043
That’s when we noticed that the gate itself had such a big gap on it that if you just

00:34:05.043 --> 00:34:11.473
gave it a good tug, you could actually get – pass a whole person through this gate.

00:34:11.473 --> 00:34:16.153
So, we never had to go over, didn’t have to go over the barbed wire, didn’t have

00:34:16.153 --> 00:34:21.753
to worry about setting off any sensors because once we were past it, our point of contact’s

00:34:21.753 --> 00:34:25.493
like oh, oh, you got – okay, I guess you’re already in there.

00:34:25.493 --> 00:34:29.923
So, we didn’t set off any sensors ‘cause nothing was ringing at the SOC.

00:34:29.923 --> 00:34:31.763
But we hadn’t accomplished our objective yet.

00:34:31.763 --> 00:34:34.623
Just getting past the fence was not enough.

00:34:34.623 --> 00:34:39.083
We needed to keep going, so that’s when we went up to this shed that had all this

00:34:39.083 --> 00:34:40.083
equipment in it.

00:34:40.083 --> 00:34:43.793
JACK: Now, even though it was dark out, this little building was well-lit, so anyone watching

00:34:43.793 --> 00:34:46.643
would clearly see two people going in.

00:34:46.643 --> 00:34:49.442
On top of that, there were street lights making them visible, too.

00:34:49.442 --> 00:34:55.192
BRIAN: So, we kinda needed to be fast because we didn’t want to dilly-dally in this good,

00:34:55.192 --> 00:34:57.663
well-lit area where everyone can kinda see us.

00:34:57.663 --> 00:35:01.192
So, yeah, we got through and kinda put our equipment on the side.

00:35:01.192 --> 00:35:04.823
Then we’re like oh shoot, okay, how are we gonna get past this next thing which is

00:35:04.823 --> 00:35:06.363
now a set of doors?

00:35:06.363 --> 00:35:10.903
JACK: There were two doors on this building but not like a double door.

00:35:10.903 --> 00:35:14.993
It was two different doors which probably meant there were two different areas inside

00:35:14.993 --> 00:35:17.003
the building to get into.

00:35:17.003 --> 00:35:20.643
They came to the first door which happened to be well-lit.

00:35:20.643 --> 00:35:23.653
The door was very strong; it had a deadbolt on it.

00:35:23.653 --> 00:35:27.053
They looked to see how well it was installed, but it was hung right.

00:35:27.053 --> 00:35:28.733
There was no wiggle when you pull.

00:35:28.733 --> 00:35:32.893
There were no gaps around the bottom or the sides to slide something into and try to unlock

00:35:32.893 --> 00:35:34.922
it from inside or the other side.

00:35:34.922 --> 00:35:39.172
It’s possible they could do something like pick the locks but that takes a while, and

00:35:39.172 --> 00:35:41.213
they’re standing right under a light.

00:35:41.213 --> 00:35:44.983
So, they just moved on to the other door to see if they could get that open.

00:35:44.983 --> 00:35:50.333
The other door was not installed the same; it had a bit of a looser fit to it, so Jon

00:35:50.333 --> 00:35:51.333
had an idea.

00:35:51.333 --> 00:35:59.133
JON: Yeah, so, in this particular case – so, with your typical door that you’d find,

00:35:59.133 --> 00:36:05.073
say, in – even your front door of your house; so, if you were to open the knob and look

00:36:05.073 --> 00:36:11.933
at there in – at the – kind of the end of the door, the latch part that seats in

00:36:11.933 --> 00:36:16.963
the frame, there’s what’s called a spring latch and then there’s what’s called a

00:36:16.963 --> 00:36:19.253
deadlatch.

00:36:19.253 --> 00:36:25.273
Deadlatches have an extra little post that when it’s depressed, will prevent the latch

00:36:25.273 --> 00:36:30.712
from being pushed and essentially lets you in the door.

00:36:30.712 --> 00:36:34.883
You can think of it kind of like – if you’ve ever seen in the movies or possibly ever done

00:36:34.883 --> 00:36:38.993
it yourself, when somebody takes a credit card and they stick it in that gap in the

00:36:38.993 --> 00:36:44.853
door and it goes behind the curved part of the latch and pushes it open, that’s essentially

00:36:44.853 --> 00:36:46.283
what we’re doing.

00:36:46.283 --> 00:36:53.222
But with a deadlatch that’s properly hung, it’s not supposed to allow you to push that

00:36:53.222 --> 00:36:54.222
back in.

00:36:54.222 --> 00:37:00.202
In this case, it wasn’t properly hung and the deadlatch actually falls into the frame

00:37:00.202 --> 00:37:04.223
of the door which then allows that bypass tool to work.

00:37:04.223 --> 00:37:07.853
That’s what we did; we basically credit-carded the door open.

00:37:07.853 --> 00:37:14.273
Not with a credit card; we used a mini jim or a Quick Jim tool for it, but, you know.

00:37:14.273 --> 00:37:18.593
JACK: This took Jon about twenty or thirty seconds to get it open, and once open, they

00:37:18.593 --> 00:37:19.683
just both slipped inside.

00:37:19.683 --> 00:37:24.192
BRIAN: We’re taking a look around inside and there wasn’t really anything in this

00:37:24.192 --> 00:37:25.192
side of the shed.

00:37:25.192 --> 00:37:26.192
It was mostly empty.

00:37:26.192 --> 00:37:27.793
JACK: Huh, too bad.

00:37:27.793 --> 00:37:31.453
Nothing in here of value; no equipment, no computers, no network jacks.

00:37:31.453 --> 00:37:34.643
Time to go back out and try that other door again.

00:37:34.643 --> 00:37:38.393
[00:40:00] But as they were walking out, they looked up at one of the walls.

00:37:38.393 --> 00:37:41.983
BRIAN: [MUSIC] There was a set of keys tacked on the wall.

00:37:41.983 --> 00:37:43.962
I go well, I wonder what those keys are for.

00:37:43.962 --> 00:37:48.442
So, we looked at them and sure enough, the keys actually opened up the other door that

00:37:48.442 --> 00:37:53.223
was properly hung; the hinges weren’t able to be popped, couldn’t fit an under-the-door

00:37:53.223 --> 00:37:54.763
tool.

00:37:54.763 --> 00:37:58.233
It would have been way too difficult to lock pick, but the keys were just right there,

00:37:58.233 --> 00:38:01.333
so we didn’t have to worry about using any of those fancy bypass tools.

00:38:01.333 --> 00:38:06.253
We could just take the key, unlock it, and then get into that actual secured area.

00:38:06.253 --> 00:38:07.293
JACK: Bingo.

00:38:07.293 --> 00:38:11.933
Now they go in the other side of this building, and this side had many valuable things in

00:38:11.933 --> 00:38:12.933
it.

00:38:12.933 --> 00:38:17.093
BRIAN: Then, yeah, when we were inside of there, there were some network devices.

00:38:17.093 --> 00:38:21.193
All the ports were actually occupied, so we weren’t gonna plug anything in because we

00:38:21.193 --> 00:38:25.163
were supposed to demonstrate impact and demonstrate that something could be done, but this was

00:38:25.163 --> 00:38:29.753
also for some very important equipment, and we don’t actually want to cause any harm.

00:38:29.753 --> 00:38:35.243
So, took a bunch of pictures, left our calling card, decided not to plug in a Raspberry Pi

00:38:35.243 --> 00:38:38.823
because in order to plug in the Raspberry Pi, we have to unplug another piece of critical

00:38:38.823 --> 00:38:41.523
equipment which we deemed not worth it.

00:38:41.523 --> 00:38:45.843
JACK: They also noticed a security panel in this facility which should be monitoring and

00:38:45.843 --> 00:38:50.683
alerting when the door was opened, but for whatever reason, that panel wasn’t hooked

00:38:50.683 --> 00:38:51.683
up properly.

00:38:51.683 --> 00:38:54.553
So, they pretty much knew they weren’t detected at all.

00:38:54.553 --> 00:38:57.103
There were no cameras and they didn’t trigger any alarms.

00:38:57.103 --> 00:39:01.403
So, they gathered their evidence, took their pictures, and locked up behind themselves.

00:39:01.403 --> 00:39:03.702
BRIAN: Then again, I slipped through that gate.

00:39:03.702 --> 00:39:06.183
Jon then slipped past the gate after me.

00:39:06.183 --> 00:39:10.863
We got back into our rental car, let our contact know about everything we did and said hey,

00:39:10.863 --> 00:39:12.233
we’re onto our next location.

00:39:12.233 --> 00:39:15.043
JACK: The first building was a complete and total success.

00:39:15.043 --> 00:39:17.143
They got full access to the entire facility.

00:39:17.143 --> 00:39:19.422
When they got back to their car, they had a mini-celebration, even.

00:39:19.422 --> 00:39:20.643
It felt good.

00:39:20.643 --> 00:39:24.243
They told their point of contact what they did, and they were moving on to the next building.

00:39:24.243 --> 00:39:27.833
By the way, the point of contact, which is the director of security, decided to stay

00:39:27.833 --> 00:39:30.013
up all night to watch all this go down.

00:39:30.013 --> 00:39:34.393
He was logged into his computer remotely from home, watching what the SOC was doing about

00:39:34.393 --> 00:39:35.393
all this.

00:39:35.393 --> 00:39:38.932
So, he was texting back and forth with them, letting them know what the SOC had seen, and

00:39:38.932 --> 00:39:42.983
so far, they got in and out completely undetected.

00:39:42.983 --> 00:39:46.623
This sort of impressed their point of contact and he was excited to see what they were gonna

00:39:46.623 --> 00:39:48.153
do in the second building.

00:39:48.153 --> 00:39:49.793
They pulled up to it with their car.

00:39:49.793 --> 00:39:54.993
BRIAN: [MUSIC] This one is in a much more remote area, so there’s not really – there’s

00:39:54.993 --> 00:39:56.574
just fields and fields behind it.

00:39:56.574 --> 00:40:02.233
In front of it there was a country road and then across it, just more fields and fields

00:40:02.233 --> 00:40:03.233
again.

00:40:03.233 --> 00:40:07.962
It’s another remote location, multiple buildings, but they’re all unmanned.

00:40:07.962 --> 00:40:11.962
Even during the daytime, they’re all unmanned.

00:40:11.962 --> 00:40:19.153
JON: Although, there was another business that was next door to it, but they were closed

00:40:19.153 --> 00:40:21.343
in the evenings, so we didn’t think it’d be an issue.

00:40:21.343 --> 00:40:22.343
BRIAN: Yeah.

00:40:22.343 --> 00:40:27.303
So, this one was a lot trickier and we had already done our recon to figure out our approach.

00:40:27.303 --> 00:40:30.952
This one was not the same where, you know, you can just slip in the front gate.

00:40:30.952 --> 00:40:37.803
This one was well-armed, multiple layers of perimeter defense and cameras.

00:40:37.803 --> 00:40:43.323
This was actually one of the locations that when we drove by, we pulled into one of the

00:40:43.323 --> 00:40:47.743
side driveways and they snapped some nice, clear pictures of our face from that driveway.

00:40:47.743 --> 00:40:53.453
So, we knew that they – those cameras were triggered to alert somebody if they pick somebody

00:40:53.453 --> 00:40:55.823
up driving into their area.

00:40:55.823 --> 00:41:00.563
So, we needed to go with a different approach which we decided from our recon was gonna

00:41:00.563 --> 00:41:04.643
be from the rear of the facility.

00:41:04.643 --> 00:41:09.393
We thought that this was gonna be a great approach because it had two layers of barbed

00:41:09.393 --> 00:41:15.903
wire fences but in the back, some of that fence was old and didn’t have barbed wire.

00:41:15.903 --> 00:41:20.422
JACK: So, they parked their car out of sight from the facility, they got out with their

00:41:20.422 --> 00:41:23.493
gear, and went around back of the building.

00:41:23.493 --> 00:41:26.073
But when they arrived around back, it wasn’t what they expected.

00:41:26.073 --> 00:41:32.722
BRIAN: They have a brand-new fence on that area with newer and taller barbed wire.

00:41:32.722 --> 00:41:35.083
So, that one threw us for a loop.

00:41:35.083 --> 00:41:39.173
JACK: Apparently during that two-week cool-down period, someone saw this part of the fence

00:41:39.173 --> 00:41:42.923
was old and didn’t have barbed wire, and so, it was replaced.

00:41:42.923 --> 00:41:45.563
This company really did try hard to keep their buildings secure.

00:41:45.563 --> 00:41:48.722
Okay, so the guys’ original plan was foiled.

00:41:48.722 --> 00:41:50.712
BRIAN: Came up with a new plan.

00:41:50.712 --> 00:41:55.182
Wasn’t really hard to come up with because we could tell that all the cameras were focused

00:41:55.182 --> 00:42:00.653
so heavily on that front entrance that nobody was suspecting that someone was gonna climb

00:42:00.653 --> 00:42:06.793
over two layers of barbed wire fences through the back, which is exactly then what we were

00:42:06.793 --> 00:42:07.793
gonna do.

00:42:07.793 --> 00:42:10.093
JACK: [MUSIC] Okay, makes sense.

00:42:10.093 --> 00:42:13.103
The only way to get into this place undetected is to go through where there aren’t any

00:42:13.103 --> 00:42:14.103
cameras pointed.

00:42:14.103 --> 00:42:18.443
So, even though that area had two high barbed wire fences, it was the best choice.

00:42:18.443 --> 00:42:21.333
It sounds risky, but they came prepared to climb fences.

00:42:21.333 --> 00:42:23.253
In fact, it was pretty easy for them.

00:42:23.253 --> 00:42:27.233
They had their ladder with them which made it easy to climb up, and they brought a thick

00:42:27.233 --> 00:42:31.523
wool blanket to throw on top of the barbed wire, which made it easy to go over.

00:42:31.523 --> 00:42:34.662
Then they had an escape ladder that they could just hook on the top of the [00:45:00] fence

00:42:34.662 --> 00:42:36.643
and make it easy for them to get down.

00:42:36.643 --> 00:42:37.672
Easy stuff.

00:42:37.672 --> 00:42:39.853
They both go over the first fence no problem.

00:42:39.853 --> 00:42:47.183
BRIAN: As we’re going up, the next fence actually had a shed in line with the fence

00:42:47.183 --> 00:42:49.023
that didn’t have barbed wire over the top.

00:42:49.023 --> 00:42:52.713
So we’re like hey, you know what’s gonna be a lot easier than going over a whole ‘nother

00:42:52.713 --> 00:42:53.713
layer of barbed wire?

00:42:53.713 --> 00:42:56.963
Let’s just climb on top of this shed and go over it.

00:42:56.963 --> 00:43:01.942
So, that was our next step which sounds pretty easy.

00:43:01.942 --> 00:43:05.343
Jon pops the ladder up, I climb up on top.

00:43:05.343 --> 00:43:09.993
I got my bag full of equipment on me.

00:43:09.993 --> 00:43:14.523
Jon then hands me the fire escape ladder which I’m supposed to attach to the side and then

00:43:14.523 --> 00:43:17.183
climb down.

00:43:17.183 --> 00:43:24.603
But in this case, I actually drop the fire escape ladder [MUSIC] on the ground, so now

00:43:24.603 --> 00:43:27.373
I’m stuck on top of this shed on the other side.

00:43:27.373 --> 00:43:33.313
JACK: Hm, Brian made it over both fences but now he’s stuck on top of this shed with

00:43:33.313 --> 00:43:34.712
no way down.

00:43:34.712 --> 00:43:37.503
This shed is about twelve feet tall, too.

00:43:37.503 --> 00:43:39.263
He stands up and looks around.

00:43:39.263 --> 00:43:45.073
While on top of this shed, he looks at the neighboring property which has a building

00:43:45.073 --> 00:43:46.073
on it.

00:43:46.073 --> 00:43:48.483
BRIAN: That building was owned by a university.

00:43:48.483 --> 00:43:53.943
What we kinda forgot is universities have their own police department.

00:43:53.943 --> 00:43:59.843
We never notified the university police department that we were doing this activity.

00:43:59.843 --> 00:44:04.293
Nor did we tell the regular police hey, make sure you notify the university police.

00:44:04.293 --> 00:44:05.722
It was kind of a little oversight.

00:44:05.722 --> 00:44:12.603
So, I’m up there and that’s when I kinda realize oh shoot, I think there might be university

00:44:12.603 --> 00:44:16.103
police about two hundred feet away from me.

00:44:16.103 --> 00:44:21.452
There was a university police car over there, but then it just kept driving.

00:44:21.452 --> 00:44:27.573
But at this point my heart rate is up, adrenaline is up, I’m on top of this shed and I think

00:44:27.573 --> 00:44:28.573
you know what?

00:44:28.573 --> 00:44:29.573
It’s only twelve feet.

00:44:29.573 --> 00:44:32.673
It can’t be that high up, and I jump.

00:44:32.673 --> 00:44:36.972
JACK: He landed hard on the ground.

00:44:36.972 --> 00:44:41.212
His feet twisted and buckled under him and he fell all the way down to the ground like

00:44:41.212 --> 00:44:42.233
a rag doll.

00:44:42.233 --> 00:44:44.393
He doesn’t remember if he screamed or not.

00:44:44.393 --> 00:44:47.952
BRIAN: When I hit the ground, that – oh, that was a lot higher than I thought; I should

00:44:47.952 --> 00:44:52.193
have climbed down and come up with another plan or done something else, because I was

00:44:52.193 --> 00:44:53.293
in pain.

00:44:53.293 --> 00:44:56.133
JACK: His feet in particular hurt a lot.

00:44:56.133 --> 00:45:00.243
He sat on the ground holding them, rubbing them, trying to get comfortable.

00:45:00.243 --> 00:45:02.553
But the pain wasn’t going away.

00:45:02.553 --> 00:45:08.103
BRIAN: Then Jon, yeah, called over to me from the other side of the fence by the shed and

00:45:08.103 --> 00:45:09.833
was like, are you okay?

00:45:09.833 --> 00:45:11.643
I was like, I’m just gonna sit here for a second.

00:45:11.643 --> 00:45:13.952
I think I hurt my feet.

00:45:13.952 --> 00:45:22.773
[MUSIC] So, finally Jon gets on top, pulled up the ladder, properly gets off the shed

00:45:22.773 --> 00:45:25.212
and onto the other side of the barbed wire fence.

00:45:25.212 --> 00:45:27.422
JACK: Jon checks out Brian.

00:45:27.422 --> 00:45:33.672
It was too hard to tell what exactly he hurt, but Jon helps Brian to his feet and Brian

00:45:33.672 --> 00:45:36.703
is able to stand up and move around slowly.

00:45:36.703 --> 00:45:38.303
He thinks he can walk it off.

00:45:38.303 --> 00:45:41.823
BRIAN: We’re still in the blind spot of the cameras.

00:45:41.823 --> 00:45:46.952
We have been informing the – our point of contact that – where we are.

00:45:46.952 --> 00:45:48.993
He’s like, you’re what?

00:45:48.993 --> 00:45:50.263
We shouldn’t have any blind spots.

00:45:50.263 --> 00:45:54.274
But somehow we had managed to climb – or crawl into a blind spot of the cameras so

00:45:54.274 --> 00:45:59.583
we wouldn’t be noticed, which luckily was by two sets of doors.

00:45:59.583 --> 00:46:03.353
JACK: Jon goes up and inspects the doors but has no luck getting in.

00:46:03.353 --> 00:46:06.633
JON: Yeah, I mean, none of our bypass tools worked.

00:46:06.633 --> 00:46:13.263
We had – we eventually moved to lock picks which are usually the thing that we try last

00:46:13.263 --> 00:46:19.143
because they’re slow and not always successful.

00:46:19.143 --> 00:46:24.553
Even if you do get in with one, it can also be tricky to leave and leave the building

00:46:24.553 --> 00:46:28.422
secure, ‘cause you basically have to pick your way out.

00:46:28.422 --> 00:46:36.023
So, they’re always our last-ditch effort, but we gave it a try and we had limited success.

00:46:36.023 --> 00:46:42.423
I think we got a false set on one of the last pins and I just couldn’t get it all the

00:46:42.423 --> 00:46:43.423
way.

00:46:43.423 --> 00:46:45.853
We never got into that building.

00:46:45.853 --> 00:46:50.773
BRIAN: We were going at this one set of doors for a while and absolutely nothing.

00:46:50.773 --> 00:46:56.064
That’s when the campus police actually pulled around again, but this time decided to do

00:46:56.064 --> 00:47:01.503
a much closer inspection of the area as they actually got out with flashlights and were

00:47:01.503 --> 00:47:04.373
walking around the perimeter of the building next to us.

00:47:04.373 --> 00:47:07.303
So, we did have to hunker down for quite a bit of time.

00:47:07.303 --> 00:47:12.103
It was while we were hunkering down that all of a sudden I realize wow, my feet really,

00:47:12.103 --> 00:47:13.193
really hurt.

00:47:13.193 --> 00:47:20.713
I’m like yeah, we’re gonna keep carrying on, but I think something’s – I’m starting

00:47:20.713 --> 00:47:23.503
to get the notion that something is not right with my feet.

00:47:23.503 --> 00:47:26.833
JACK: [MUSIC] Now, this was quite the secure facility.

00:47:26.833 --> 00:47:31.223
They had to climb over two barbed wire fences just to get to this building, and there’s

00:47:31.223 --> 00:47:34.733
another building here that they want to try to get into, but the problem is

00:47:34.733 --> 00:47:38.993
the other building is on the other side of yet another barbed wire fence.

00:47:38.993 --> 00:47:44.333
So, once the coast was clear, they put their ladder against the fence, threw the wool blanket

00:47:44.333 --> 00:47:48.023
up on top, and used the fire escape ladder to get onto the other side.

00:47:48.023 --> 00:47:50.442
They both make it over the fence and to the other building.

00:47:50.442 --> 00:47:57.412
BRIAN: The whole time I am aching in pain and Jon is trying to be as patient as possible,

00:47:57.412 --> 00:48:02.033
but we also can’t be slow because we can’t get picked up by cameras ‘cause we haven’t

00:48:02.033 --> 00:48:03.472
been noticed yet.

00:48:03.472 --> 00:48:07.703
JACK: They approach the building, trying to stay out of view of the cameras.

00:48:07.703 --> 00:48:14.402
BRIAN: Yeah, we had to stay very low because of where we thought they were pointed and

00:48:14.402 --> 00:48:17.053
the angle that we assumed that they were pointed at.

00:48:17.053 --> 00:48:19.623
We had to stay low to the ground to hopefully not be seen.

00:48:19.623 --> 00:48:23.793
JACK: They take a look at the door to see if there’s a way to bypass it.

00:48:23.793 --> 00:48:27.263
BRIAN: Jon right away notices a weakness on it.

00:48:27.263 --> 00:48:31.493
But we had to go a little bit slower this time because, yeah, on that first location,

00:48:31.493 --> 00:48:34.212
the security system was there but off.

00:48:34.212 --> 00:48:39.133
It had little sensors on the top of the door where when this magnetic connection is broken,

00:48:39.133 --> 00:48:42.983
it will alert the security center that oh, hey, this door has been opened.

00:48:42.983 --> 00:48:44.643
It’s not supposed to be being opened.

00:48:44.643 --> 00:48:47.623
So, we had to try to avoid that this time.

00:48:47.623 --> 00:48:52.233
I was gonna try to place essentially some magnets into the correct location, some supermagnets,

00:48:52.233 --> 00:48:57.222
some very strong magnets, into the correct location so that when Jon was able to pop

00:48:57.222 --> 00:49:00.462
this door open, hopefully we don’t set off the sensor.

00:49:00.462 --> 00:49:05.433
Yeah, Jon did his magic again, was able to get this door open.

00:49:05.433 --> 00:49:11.353
[BEEPING] Unfortunately ‘cause of the pain or just not paying close enough attention,

00:49:11.353 --> 00:49:16.313
I didn’t have it placed right and I guess the sensor did trigger.

00:49:16.313 --> 00:49:20.212
JACK: [MUSIC] When the alarm was triggered, someone in the SOC immediately saw it and

00:49:20.212 --> 00:49:23.893
began looking through the video footage of all the cameras around this building.

00:49:23.893 --> 00:49:27.243
There was nothing on the cameras, though.

00:49:27.243 --> 00:49:31.533
There were also cameras inside this building but strangely, none were actually pointed

00:49:31.533 --> 00:49:32.533
at this door.

00:49:32.533 --> 00:49:38.053
So, the SOC only had an alert that the door was opened; nothing on the cameras inside

00:49:38.053 --> 00:49:40.933
or outside, and no activity from the gate, either.

00:49:40.933 --> 00:49:43.023
BRIAN: We were going in the side door.

00:49:43.023 --> 00:49:46.353
These cameras are all pointed straight down at kind of – at a hallway.

00:49:46.353 --> 00:49:53.973
So, again, I stayed really low to the ground and the cameras didn’t pick me up.

00:49:53.973 --> 00:49:58.172
Somebody investigated the door being opened and flagged it as a false positive because

00:49:58.172 --> 00:50:06.462
they didn’t rewind the camera long enough to see me slipping in through the door.

00:50:06.462 --> 00:50:11.823
So, that was an interesting one because our point of contact at this point was also watching

00:50:11.823 --> 00:50:12.823
me.

00:50:12.823 --> 00:50:18.103
Well, he had the cameras up himself and wasn’t informing the SOC about all the operations

00:50:18.103 --> 00:50:19.293
going on.

00:50:19.293 --> 00:50:22.463
He watched me and he actually let me know at one point oh, hey, I just saw your head

00:50:22.463 --> 00:50:23.682
pop up on camera.

00:50:23.682 --> 00:50:28.263
It was actually when I tried to pop my head up and look through a window, so I know okay,

00:50:28.263 --> 00:50:33.033
as long as I stay lower than these windows, they shouldn’t be able to see me.

00:50:33.033 --> 00:50:38.673
Yeah, I was trying to find a network jack or something, but the only way to get to a

00:50:38.673 --> 00:50:42.253
network jack was actually to trigger another alarm.

00:50:42.253 --> 00:50:49.793
So, instead, I found some other important pieces of equipment, took pictures to demonstrate

00:50:49.793 --> 00:50:55.733
that if I was a true bad guy, I could have damaged this, some bad things could have happened,

00:50:55.733 --> 00:51:00.633
hid a calling card then so that they know we were there, took some nice pictures, and

00:51:00.633 --> 00:51:02.212
decided to call it quits and get out.

00:51:02.212 --> 00:51:08.383
JACK: Yeah, well, getting out required getting over some fences still, and with a hurt foot

00:51:08.383 --> 00:51:12.043
and the police on the prowl, it’s not as easy as the last one.

00:51:12.043 --> 00:51:13.043
BRIAN: Yeah.

00:51:13.043 --> 00:51:21.563
So, at this point we had to come up with another plan because our regular exfil plan was kinda

00:51:21.563 --> 00:51:23.192
thrown out the window.

00:51:23.192 --> 00:51:29.233
So, we talked it over really quickly as we were crouched down behind a shed so that they

00:51:29.233 --> 00:51:35.383
wouldn’t be able to see us, and kinda just readjusted how we were going to exit the area,

00:51:35.383 --> 00:51:40.672
and decided to take a – probably a little bit of a longer path.

00:51:40.672 --> 00:51:46.192
But yeah, we found another exfil point that we thought we could get to and get out of

00:51:46.192 --> 00:51:52.483
without being seen, climb over both fences, and then essentially run really far to the

00:51:52.483 --> 00:51:56.573
side and then all the way up this other side road so we could get back to our car.

00:51:56.573 --> 00:52:01.962
So yeah, we kinda regathered, we did our pack-out list, made sure we didn’t forget any gear

00:52:01.962 --> 00:52:06.373
or equipment or forget to do anything that we needed.

00:52:06.373 --> 00:52:13.233
It’s really hard climbing ladders with two broken feet, I found out.

00:52:13.233 --> 00:52:19.933
So, yeah, we – I was still able to do it but yeah, getting over that fence the second

00:52:19.933 --> 00:52:25.402
time is much harder than the first time.

00:52:25.402 --> 00:52:28.613
JACK: They make it back to their car.

00:52:28.613 --> 00:52:32.143
No mini-celebration this time; Brian was in too much pain.

00:52:32.143 --> 00:52:35.663
BRIAN: Yeah, at this point, I’m – was I driving or were you driving?

00:52:35.663 --> 00:52:36.962
You were driving ‘cause I was in too much pain.

00:52:36.962 --> 00:52:41.153
JON: Yeah, I think I was driving.

00:52:41.153 --> 00:52:45.353
I think at this point you were saying it was okay when your weight wasn’t on it and you

00:52:45.353 --> 00:52:49.383
wanted to go to the next one and do it if you could.

00:52:49.383 --> 00:52:52.623
So, we drove to the next location and got out of the car.

00:52:52.623 --> 00:52:56.993
BRIAN: [MUSIC] Yeah, when we get to the next location, we get out.

00:52:56.993 --> 00:53:04.773
I said yeah, let’s do this, packed up the backpack full of gear, make it, I don’t

00:53:04.773 --> 00:53:07.352
know, thirty steps, and that’s when I had to stop.

00:53:07.352 --> 00:53:10.432
I look at Jon and I’m like, you’re gonna have to do this one on your own.

00:53:10.432 --> 00:53:11.962
I’m in too much pain.

00:53:11.962 --> 00:53:18.273
I can’t move my feet without having shooting pain go up my legs at this point.

00:53:18.273 --> 00:53:24.363
JACK: Brian transfers some of his gear to Jon’s bag and walks back to the car.

00:53:24.363 --> 00:53:28.483
Brian will just be on lookout now and sit in the car, and keep the point of contact

00:53:28.483 --> 00:53:30.823
updated while Jon goes at it alone.

00:53:30.823 --> 00:53:40.383
JON: Yeah, so, we kind of adjusted the game plan, we got out radios, and essentially – so,

00:53:40.383 --> 00:53:43.883
at this next location, it was, again, very well-lit.

00:53:43.883 --> 00:53:46.392
They had good camera coverage from the front.

00:53:46.392 --> 00:53:53.013
It was near a park as we mentioned before, but the whole back side of it was residential.

00:53:53.013 --> 00:53:59.722
It was on a very major road, very busy, so we definitely didn’t want to approach from

00:53:59.722 --> 00:54:00.722
the front.

00:54:00.722 --> 00:54:07.093
There was just way too much risk of getting caught, so kind of went through the back along

00:54:07.093 --> 00:54:14.993
the fence line that bordered the residential housing.

00:54:14.993 --> 00:54:18.373
Not well-lit back there, so there wasn’t a whole lot going on.

00:54:18.373 --> 00:54:25.743
I managed to get to the target building and there was a door there.

00:54:25.743 --> 00:54:31.053
Again, pretty well-hung; none of our bypass tools worked on it.

00:54:31.053 --> 00:54:38.692
I was in contact with Brian the whole time over radio and with our contact through text.

00:54:38.692 --> 00:54:43.873
There was an alternate point of entry but I decided it was too risky to try on my own.

00:54:43.873 --> 00:54:49.673
I would have had to go over another barbed wire fence.

00:54:49.673 --> 00:54:51.563
There was just too much risk involved.

00:54:51.563 --> 00:54:56.803
If I would have fallen in, I’d have had nobody there for me or if anything had happened

00:54:56.803 --> 00:55:01.123
once I was inside, again, no backup.

00:55:01.123 --> 00:55:09.993
So, I just tried the one door and – unsuccessfully for that one, but for the client it was a

00:55:09.993 --> 00:55:14.972
well-hung door with good coverage of lighting and cameras for the most part in the front

00:55:14.972 --> 00:55:16.152
part of the building.

00:55:16.152 --> 00:55:19.603
You can’t win them all.

00:55:19.603 --> 00:55:21.393
JACK: Jon heads back to the car.

00:55:21.393 --> 00:55:24.053
It’s getting late now; it’s past 2:00 AM at least.

00:55:24.053 --> 00:55:28.623
The point of contact is still awake and watching the SOC though, and still the SOC has not

00:55:28.623 --> 00:55:29.623
detected them.

00:55:29.623 --> 00:55:33.633
They’ve managed to stay in the shadows just well enough that nobody is aware that two

00:55:33.633 --> 00:55:37.063
buildings have been broken into and a third has been attempted.

00:55:37.063 --> 00:55:39.143
They drive to the last two buildings.

00:55:39.143 --> 00:55:42.392
Now, Targets 4 and 5 are actually very close to each other.

00:55:42.392 --> 00:55:46.113
You can see one building from the other and they planned to just park near one and try

00:55:46.113 --> 00:55:47.623
to access both at once.

00:55:47.623 --> 00:55:52.883
Now, these last two buildings are more like offices, not just sheds of equipment, so if

00:55:52.883 --> 00:55:56.303
they can get in these, they’re expecting to see desks and regular office equipment

00:55:56.303 --> 00:55:57.323
in there.

00:55:57.323 --> 00:56:01.662
In Building 5 is where the SOC is located, so the last building they’re going to try

00:56:01.662 --> 00:56:05.373
to get into actually has the people in there who are trying to watch to make sure nobody

00:56:05.373 --> 00:56:06.892
gets into these buildings.

00:56:06.892 --> 00:56:10.523
It’s somewhere on these two buildings that has those long-range cameras that took their

00:56:10.523 --> 00:56:11.613
photo earlier.

00:56:11.613 --> 00:56:16.662
So, arguably, these are the most secure buildings they’re going to try to get into.

00:56:16.662 --> 00:56:24.142
JON: [MUSIC] So, we were a little apprehensive about this one, or I was, at least, because,

00:56:24.142 --> 00:56:26.733
again, Brian couldn’t walk at this point.

00:56:26.733 --> 00:56:28.183
He was in the car.

00:56:28.183 --> 00:56:33.183
We were talking to the client and they wanted me to proceed.

00:56:33.183 --> 00:56:36.922
In this case, I approached from the back.

00:56:36.922 --> 00:56:42.493
From the recon phase, we knew where most of their cameras were, and I approached in the

00:56:42.493 --> 00:56:46.603
shadows along a tree line and wasn’t spotted at all.

00:56:46.603 --> 00:56:52.892
The main entry for this – there was a chain-link fence, there was another gate, and it had

00:56:52.892 --> 00:56:58.293
a gap underneath it, and that seemed like a really easy way past the perimeter.

00:56:58.293 --> 00:57:04.922
The downside was that there was a camera right next to it.

00:57:04.922 --> 00:57:13.793
I just kinda took a roll of the dice and shuffled my way underneath and ran into the shadows,

00:57:13.793 --> 00:57:18.472
looked at my phone, told the contact I was in the perimeter.

00:57:18.472 --> 00:57:22.533
He was like yeah, they didn’t see you.

00:57:22.533 --> 00:57:24.123
You’re good at this point.

00:57:24.123 --> 00:57:25.833
Go to the first building.

00:57:25.833 --> 00:57:33.123
So, I kinda sat there and, you know, you get nervous during these things.

00:57:33.123 --> 00:57:35.432
It’s definitely an adrenaline rush.

00:57:35.432 --> 00:57:42.363
I kinda tried to breathe that off a little bit and then move to the first building.

00:57:42.363 --> 00:57:46.133
First door I tried, I couldn’t get in.

00:57:46.133 --> 00:57:53.132
None of the bypass tools worked; well-hung, proper installation.

00:57:53.132 --> 00:57:57.733
But the second door popped right open.

00:57:57.733 --> 00:58:08.323
[MUSIC] No issues, except that as soon as I got inside, they had motion-activated lighting

00:58:08.323 --> 00:58:12.452
and significant camera coverage inside this building.

00:58:12.452 --> 00:58:18.323
So, as soon as I popped the door open, all the lights turned on and I found myself staring

00:58:18.323 --> 00:58:20.432
a camera right in the face.

00:58:20.432 --> 00:58:24.932
JACK: Yeah, not only did this building have cameras outside, but it had cameras inside

00:58:24.932 --> 00:58:28.683
too, specifically pointed at the door that Jon just opened.

00:58:28.683 --> 00:58:33.413
What’s more is he triggered all the lights to come on inside and probably was ringing

00:58:33.413 --> 00:58:36.013
some kind of alarm when that door was opened.

00:58:36.013 --> 00:58:41.123
Even if Jon ducked behind a desk right now, the SOC team could easily rewind the tape

00:58:41.123 --> 00:58:43.583
and see him standing there, staring at the camera.

00:58:43.583 --> 00:58:49.343
So, what’s a penetration tester do when they’ve been caught on camera?

00:58:49.343 --> 00:58:50.343
Go for it.

00:58:50.343 --> 00:58:56.023
JON: I pretty much just sprinted through the building taking pictures, trying to find a

00:58:56.023 --> 00:59:02.003
network port, trying to get into the target locations, managed to bypass another door

00:59:02.003 --> 00:59:08.903
with an under-door tool and get into a secure location.

00:59:08.903 --> 00:59:13.983
At this point I’m looking at my phone and the contact’s like, you got about thirty

00:59:13.983 --> 00:59:16.513
seconds until the cops are there.

00:59:16.513 --> 00:59:17.753
I’m like oh, shoot.

00:59:17.753 --> 00:59:20.113
JACK: Wait, the actual cops are coming?

00:59:20.113 --> 00:59:24.923
Oh yeah, the SOC has no idea this is just a test and are reacting like they normally

00:59:24.923 --> 00:59:25.923
would.

00:59:25.923 --> 00:59:29.222
As it turns out, the SOC did see the alarm and they did check the camera footage and

00:59:29.222 --> 00:59:33.323
they did see Jon getting unauthorized entry into this building, so of course they would

00:59:33.323 --> 00:59:36.453
immediately call the cops, and they sprang into action.

00:59:36.453 --> 00:59:37.642
So, time is ticking now.

00:59:37.642 --> 00:59:41.142
What do you do in that thirty seconds, hide?

00:59:41.142 --> 00:59:42.222
Go back the way you came?

00:59:42.222 --> 00:59:43.733
Get on the roof or something?

00:59:43.733 --> 00:59:47.883
But whatever the protocol is for this, you can throw that out the window because when

00:59:47.883 --> 00:59:51.523
there’s adrenaline pumping and you’re scared, it’s really hard to make logical

00:59:51.523 --> 00:59:52.523
choices.

00:59:52.523 --> 00:59:56.152
JON: Well, actually, first I ran to the door in the front building, thinking that I had

00:59:56.152 --> 00:59:58.983
another building to go to and that other door was closer.

00:59:58.983 --> 01:00:01.033
JACK: He opens the front door and looks outside.

01:00:01.033 --> 01:00:03.763
JON: I heard honking and I heard something going on.

01:00:03.763 --> 01:00:07.593
I was like okay, I’m in trouble; I need to go back out the back door that I came in.

01:00:07.593 --> 01:00:13.063
JACK: What had happened is the person in the SOC who saw him at the building quickly jumped

01:00:13.063 --> 01:00:17.053
in the company’s security truck, went to the front gate, unlocked it for the police,

01:00:17.053 --> 01:00:21.053
and then proceeded to drive to the building honking and flashing his lights.

01:00:21.053 --> 01:00:23.902
This way when the police show up, they know exactly where to go.

01:00:23.902 --> 01:00:27.583
There was so much ruckus going on that when Jon opened the front door, he just immediately

01:00:27.583 --> 01:00:31.243
turned around and went back inside and headed for the door he came in through.

01:00:31.243 --> 01:00:34.923
So, he runs to the back door, gets it open, and goes outside.

01:00:34.923 --> 01:00:39.543
But as soon as he gets out that door, the security truck comes zooming closer to him.

01:00:39.543 --> 01:00:46.672
JON: Yeah, so the truck is coming at me with the lights on and I mean, I initially ducked

01:00:46.672 --> 01:00:48.503
down and tried to hide.

01:00:48.503 --> 01:00:54.662
There was kind of a loading-dock-type situation and I got as low and close to the concrete

01:00:54.662 --> 01:01:00.873
as I could, thinking that maybe he didn’t see me jump down, but he pulled up right next

01:01:00.873 --> 01:01:06.993
to me and – blasting his horn and flashing his lights.

01:01:06.993 --> 01:01:12.172
So, at that point, my only way out was to jump back up on this dock and try to run in

01:01:12.172 --> 01:01:14.422
the opposite direction that he had come from.

01:01:14.422 --> 01:01:17.442
JACK: He takes off running like a scared rabbit in headlights.

01:01:17.442 --> 01:01:23.193
He darts around the corner and runs directly in front of two police cars.

01:01:23.193 --> 01:01:24.193
The gig was up.

01:01:24.193 --> 01:01:26.313
He stopped running and put his hands up.

01:01:26.313 --> 01:01:28.233
The police get out and start asking him questions.

01:01:28.233 --> 01:01:31.583
JON: Yeah, the very first thing that I did – other than putting my hands up – was,

01:01:31.583 --> 01:01:36.773
I have the letter in my front-left pocket.

01:01:36.773 --> 01:01:42.672
Front-left cargo pocket and, yeah, so, he opened up my pocket, pulled it out, read it,

01:01:42.672 --> 01:01:50.682
made sure I was who I said I was, and yeah, so then I told him I want you to fake arrest

01:01:50.682 --> 01:01:52.853
me, which they did, and took me off-property.

01:01:52.853 --> 01:02:00.103
That was kind of interesting ‘cause in the car ride over, the police officer was talking

01:02:00.103 --> 01:02:03.472
to me and he’s asking me all sorts of questions.

01:02:03.472 --> 01:02:04.682
He’s super-interested in this.

01:02:04.682 --> 01:02:06.513
He’s like, how did you get this job?

01:02:06.513 --> 01:02:10.773
How many of these do you do in a year?

01:02:10.773 --> 01:02:12.863
Do you guys do this all the time?

01:02:12.863 --> 01:02:14.672
Do you do it around here all the time?

01:02:14.672 --> 01:02:16.243
Just loads of questions.

01:02:16.243 --> 01:02:18.993
I was just talking to him.

01:02:18.993 --> 01:02:26.182
It was kind of a fun car ride, more fun than I would have expected in the back seat of

01:02:26.182 --> 01:02:27.263
a police car.

01:02:27.263 --> 01:02:31.202
BRIAN: Jon just texted me and they’re like yeah, meet us at this gas station.

01:02:31.202 --> 01:02:35.803
So, I just drove, I don’t know, a mile away, got to the gas station, and yeah,

01:02:35.803 --> 01:02:37.363
the police were really friendly.

01:02:37.363 --> 01:02:41.703
They had lots of fun questions, asked how my feet were doing ‘cause Jon told them

01:02:41.703 --> 01:02:42.703
that I got injured.

01:02:42.703 --> 01:02:47.722
They were really nice and handled the whole situation very well since we were able to

01:02:47.722 --> 01:02:49.903
communicate with them ahead of time of what was gonna happen.

01:02:49.903 --> 01:02:53.493
JACK: The police took a look at their authorization letter and called the number there.

01:02:53.493 --> 01:02:57.383
They spoke to the point of contact to make sure that they should let these guys go and

01:02:57.383 --> 01:02:59.343
yeah, the police let them both go.

01:02:59.343 --> 01:03:01.943
At this point, it’s like 3:00 or 4:00 AM.

01:03:01.943 --> 01:03:05.703
Brian’s feet hurt really bad, so they decide to go to the emergency room which is like,

01:03:05.703 --> 01:03:07.432
a 45-minute drive away.

01:03:07.432 --> 01:03:09.233
BRIAN: They originally took x-rays.

01:03:09.233 --> 01:03:11.212
I cannot walk on my feet.

01:03:11.212 --> 01:03:13.833
They tell me – ‘cause the pain’s in my heels.

01:03:13.833 --> 01:03:15.333
They said your heels aren’t broken.

01:03:15.333 --> 01:03:16.863
I’m like, but I can’t walk.

01:03:16.863 --> 01:03:21.903
JACK: They gave him some painkiller meds and crutches, and they finally got back to their

01:03:21.903 --> 01:03:25.103
hotel at like, 8:00 AM and fell asleep.

01:03:25.103 --> 01:03:29.143
But even though they only got to sleep at 8:00 AM, they both woke up at 11:00 AM to

01:03:29.143 --> 01:03:30.493
get back to work.

01:03:30.493 --> 01:03:33.442
It was really hard to wake up after only three hours of sleep.

01:03:33.442 --> 01:03:34.553
BRIAN: Yeah, lots of coffee.

01:03:34.553 --> 01:03:41.642
Lots and lots of coffee and some lunch, and then we said hey, we still have – during

01:03:41.642 --> 01:03:46.193
our recon, there were still other vulnerabilities that were pretty prominent that we’re like

01:03:46.193 --> 01:03:48.402
hey, we want to go at this again.

01:03:48.402 --> 01:03:52.613
We think we can get in another way during the daytime instead of doing this whole nighttime

01:03:52.613 --> 01:03:53.613
operation.

01:03:53.613 --> 01:03:55.883
JACK: [MUSIC] See, they were banking on a few things; first, there would be an entirely

01:03:55.883 --> 01:03:59.893
different security team during the day, one that wouldn’t recognize their faces or whatever.

01:03:59.893 --> 01:04:03.912
Second, as far as the security team knew, these bad guys were caught and they were probably

01:04:03.912 --> 01:04:08.583
happy and relaxed that they had a successful apprehension of a real intruder.

01:04:08.583 --> 01:04:10.533
They didn’t test the fifth building at all.

01:04:10.533 --> 01:04:14.182
How can you pay someone to test their headquarters and then you just not do it at all?

01:04:14.182 --> 01:04:16.063
They had to at least try.

01:04:16.063 --> 01:04:18.903
Jon was the first to try to get to the final building.

01:04:18.903 --> 01:04:23.952
He noticed that one of the buildings was under construction so he got a hard hat and vest,

01:04:23.952 --> 01:04:25.273
put it on, and showed up.

01:04:25.273 --> 01:04:33.303
JON: They had an access gate that required either a badge or a pin code.

01:04:33.303 --> 01:04:34.712
Construction workers were getting in there.

01:04:34.712 --> 01:04:41.432
I think they were even given either a temporary badge or something and so, I, just on foot,

01:04:41.432 --> 01:04:46.333
followed them through the gate once somebody opened it, like returning from a break or

01:04:46.333 --> 01:04:52.803
something like that, and just walked into the perimeter that way.

01:04:52.803 --> 01:04:56.783
Once I was in the lot, it was all torn up ‘cause they were doing construction back

01:04:56.783 --> 01:05:04.633
there, but I didn’t get any questions from any of the construction folks or anybody else

01:05:04.633 --> 01:05:12.212
and just approached the building, opened the door, and found myself in a hallway.

01:05:12.212 --> 01:05:18.053
That hallway – so, it was kind of a T. If you went to the end of it, there was a big

01:05:18.053 --> 01:05:24.682
garage full of the fleet vehicles and the other way went into an office building.

01:05:24.682 --> 01:05:29.083
I tried to bypass that door but wasn’t successful.

01:05:29.083 --> 01:05:33.843
It was locked and so, I dropped a USB drop near it.

01:05:33.843 --> 01:05:36.233
I took pictures and evidence.

01:05:36.233 --> 01:05:38.833
JACK: Oh, right; dropping USB sticks.

01:05:38.833 --> 01:05:42.823
They had actually been dropping USB sticks at every building that they entered just to

01:05:42.823 --> 01:05:47.182
see if anyone would pick it up and plug it in, and if so, that USB stick is programmed

01:05:47.182 --> 01:05:51.273
to just phone home back to Jon and Brian’s computer and make a reverse connection to

01:05:51.273 --> 01:05:54.402
that computer which would give them access to it.

01:05:54.402 --> 01:05:57.583
Jon could only get into the entrance hallway of this building, though.

01:05:57.583 --> 01:06:02.642
He wasn’t able to get any other door open or go further in, so he walked back out and

01:06:02.642 --> 01:06:04.912
was walking around, looking for other ways in.

01:06:04.912 --> 01:06:08.303
Maybe there was a door left open somewhere else or a window open.

01:06:08.303 --> 01:06:13.593
BRIAN: In the meantime, I go – get on my crutches, dress like a local college student,

01:06:13.593 --> 01:06:15.712
and go into the front.

01:06:15.712 --> 01:06:21.303
I was kinda doing a similar thing where, because there’s a pandemic, there is no receptionist.

01:06:21.303 --> 01:06:25.053
There is no front desk person to social engineer and talk to.

01:06:25.053 --> 01:06:31.243
So, instead, we adjusted – or, I adjusted my pretext which is well, I’m on crutches.

01:06:31.243 --> 01:06:34.342
You can’t get to a reception area because it’s actually locked off and physically

01:06:34.342 --> 01:06:40.823
– by two different doors, but there’s actually an elevator right away as soon as

01:06:40.823 --> 01:06:41.823
you enter this building.

01:06:41.823 --> 01:06:45.953
So, I was gonna make it seem like oh, I’m on crutches; I need help going up the elevator

01:06:45.953 --> 01:06:50.893
‘cause people on crutches take elevators.

01:06:50.893 --> 01:06:54.973
But it ends up, you actually needed to badge-in to go up the elevator.

01:06:54.973 --> 01:07:00.933
But we have a backup trick which is we were going to use a set of elevator keys that would

01:07:00.933 --> 01:07:03.983
work for that whole state that I had in my back pocket.

01:07:03.983 --> 01:07:08.733
JACK: [MUSIC] He waited in the elevator for a few minutes to see maybe someone a few floors

01:07:08.733 --> 01:07:13.253
up will call the elevator and he could just go up and get off there, but since there was

01:07:13.253 --> 01:07:15.762
a pandemic, the place had minimal staff.

01:07:15.762 --> 01:07:19.733
They saw in their recon that nobody takes the elevator right now.

01:07:19.733 --> 01:07:23.813
So, he decided not to try the keys and inspect the lobby instead.

01:07:23.813 --> 01:07:29.083
He walked around looking for any open Ethernet jacks to plug in a Raspberry Pi or a packet

01:07:29.083 --> 01:07:30.083
sniffer.

01:07:30.083 --> 01:07:34.333
BRIAN: Yes, they – I was hoping there was gonna be one because they had a little

01:07:34.333 --> 01:07:39.593
television screen on a rolling cart set up to give messages to people who would show

01:07:39.593 --> 01:07:40.853
up there.

01:07:40.853 --> 01:07:44.643
I was really hoping that there was gonna be a computer that it was hooked up to and I

01:07:44.643 --> 01:07:50.223
could attach that LANstar, that network tap that we had talked about, and I was really

01:07:50.223 --> 01:07:52.543
hoping I could take advantage of that.

01:07:52.543 --> 01:07:58.092
Unfortunately they used a different system that I was not used to and there was no – there

01:07:58.092 --> 01:07:59.393
was nothing to tap into.

01:07:59.393 --> 01:08:01.922
So, they did a real good job there.

01:08:01.922 --> 01:08:05.893
I did the same thing Jon did and just dropped a couple of malicious USBs.

01:08:05.893 --> 01:08:09.422
JACK: Jon was still walking around the outside of the building looking for ways in.

01:08:09.422 --> 01:08:15.603
JON: As I was walking around the building though, somebody from their SOC saw me on

01:08:15.603 --> 01:08:23.333
their cameras and somebody came out and started to confront me, at which point I basically

01:08:23.333 --> 01:08:29.703
just – I was kind of walking in the direction of the car already and so, I basically just

01:08:29.703 --> 01:08:32.443
pretended like I didn’t hear him and kept walking.

01:08:32.443 --> 01:08:35.463
Then we got in the car and took off.

01:08:35.463 --> 01:08:39.223
JACK: They might think this is it; the engagement is over and they’re done, they head back

01:08:39.223 --> 01:08:41.063
home, but nope, they don’t head home.

01:08:41.063 --> 01:08:43.633
They saw something that they wanted to go back and check out.

01:08:43.633 --> 01:08:47.783
The first location had a big fence around it and a gate, and they noticed what type

01:08:47.783 --> 01:08:51.363
of gate control system was used to open and close that gate.

01:08:51.363 --> 01:08:52.363
The model was DoorKing.

01:08:52.363 --> 01:08:58.103
There’s a certain vulnerability they knew about with this type of gate control system.

01:08:58.103 --> 01:09:02.123
JON: We talked to our contact about it and said hey, we noticed this.

01:09:02.123 --> 01:09:07.532
Do you want us to see if we can get it to work?

01:09:07.532 --> 01:09:13.433
Sure enough, the common key opened the faceplate to the DoorKing system and we were able to

01:09:13.433 --> 01:09:15.123
find the model number inside.

01:09:15.123 --> 01:09:20.802
A quick Google search pulled up that specific model with a wiring diagram.

01:09:20.802 --> 01:09:28.203
We carry a little jumper wire with us as part of our toolkit, and you just connect the appropriate

01:09:28.203 --> 01:09:29.203
terminals.

01:09:29.203 --> 01:09:33.253
It basically acts like a little button, and we basically just hot-wired the gate, and

01:09:33.253 --> 01:09:34.913
it popped right open.

01:09:34.913 --> 01:09:35.913
JACK: Huh.

01:09:35.913 --> 01:09:40.203
Clever stuff, another vulnerability they can put into their report, a fun one at that.

01:09:40.203 --> 01:09:43.302
A quick fix for this is just to change the key on the box.

01:09:43.302 --> 01:09:47.293
These things often have a sort of default key that you can pick up fairly easily and try.

01:09:47.293 --> 01:09:50.733
Yeah, once you get in the control panel, you can open it up.

01:09:50.733 --> 01:09:53.043
After that, their engagement was over.

01:09:53.043 --> 01:09:57.052
They got back on the plane and headed home, and once they got home, Brian saw his regular

01:09:57.052 --> 01:10:01.213
doctor who gave him an MRI scan and found out he fractured both heels.

01:10:01.213 --> 01:10:03.723
So, he had to sit out for six weeks.

01:10:03.723 --> 01:10:06.893
[MUSIC] During that time, they gave a debrief with the client.

01:10:06.893 --> 01:10:08.302
They learned a bunch along the way.

01:10:08.302 --> 01:10:12.063
For instance, they learned that if Brian had tried to use the key in the elevator, it would

01:10:12.063 --> 01:10:13.133
have triggered an alarm.

01:10:13.133 --> 01:10:15.483
So, he’s lucky he decided not to do that.

01:10:15.483 --> 01:10:19.623
Next, they learned that every single one of the USB sticks that they left behind got picked

01:10:19.623 --> 01:10:20.992
up and turned in.

01:10:20.992 --> 01:10:22.853
Not a single person tried to plug one in.

01:10:22.853 --> 01:10:26.603
The client was also happy to see that there were ways that they can improve security,

01:10:26.603 --> 01:10:27.603
too.

01:10:27.603 --> 01:10:32.143
As far as the SOC goes, this was a great confidence booster for them to find a live one, get someone

01:10:32.143 --> 01:10:33.143
caught.

01:10:33.143 --> 01:10:36.633
Overall, Brian and Jon were impressed at the security measures this company took.

01:10:36.633 --> 01:10:41.833
BRIAN: Yeah, honestly, one of the best things was just having those diligent workers.

01:10:41.833 --> 01:10:47.243
It ends up that during our recon, not only did the Security Operations Center notice

01:10:47.243 --> 01:10:52.513
that we were driving around with a rental car with plates from out of state, but because

01:10:52.513 --> 01:10:57.183
this was a tight-knit community, others from the community also noticed something was up

01:10:57.183 --> 01:11:04.293
and notified the friend of the friend that hey, we’re noticing something weird and

01:11:04.293 --> 01:11:07.713
you guys are probably the target just because we know our city.

01:11:07.713 --> 01:11:13.873
So, yeah, their tight-knit community also helped keep them safe which is something we’re

01:11:13.873 --> 01:11:18.512
not used to seeing or hearing, so that one kind of took us by surprise.

01:11:18.512 --> 01:11:24.853
But otherwise, they clearly took their door security very seriously because a lot of time,

01:11:24.853 --> 01:11:29.603
a lot of our simple, easy tricks were not as simple and easy as we were expecting them

01:11:29.603 --> 01:11:30.603
to be.

01:11:30.603 --> 01:11:36.293
JON: I think a lot of the time when you hear about these types of physical security stories,

01:11:36.293 --> 01:11:43.433
you usually only hear about the successes, and those are great; you know, when they happen

01:11:43.433 --> 01:11:48.183
and it’s a secret agent and you get in and you accomplish it, and that’s awesome, and

01:11:48.183 --> 01:11:50.433
they definitely happen.

01:11:50.433 --> 01:11:56.473
But I would say that there’s definitely failures too, and so much of it is thinking

01:11:56.473 --> 01:12:01.993
on your feet and just kind of rolling with the punches.

01:12:01.993 --> 01:12:07.203
No amount of planning that you do is ever really gonna be sufficient.

01:12:07.203 --> 01:12:10.203
Something always changes along the way.

01:12:10.203 --> 01:12:16.713
The other thing that I don’t ever hear anybody mention that does this is how physically and

01:12:16.713 --> 01:12:18.693
emotionally demanding it is.

01:12:18.693 --> 01:12:22.113
It is exhausting, you know?

01:12:22.113 --> 01:12:30.313
We’re up starting an engagement at 10:30 and it goes until 8:00 the next morning.

01:12:30.313 --> 01:12:32.733
Then three hours of sleep, and then doing more SE.

01:12:32.733 --> 01:12:37.933
I mean, you get the adrenaline going through you, you got your nerves going,

01:12:37.933 --> 01:12:40.253
and it’s hard work.

01:12:40.253 --> 01:12:47.223
It’s fun but it’s hard work, for sure.

01:12:47.223 --> 01:12:56.643
(OUTRO): [OUTRO MUSIC] A big thank-you to Brian Halbach and Jonathan Studebaker for

01:12:56.643 --> 01:12:59.113
sharing this adventurous story with us.

01:12:59.113 --> 01:13:03.893
Recently, they were both on ABC News where they showed the Nightline camera crew how

01:13:03.893 --> 01:13:06.833
all this looks when they’re sneaking into places.

01:13:06.833 --> 01:13:10.643
On top of that, there’s another video of some other people at RedTeam Security who

01:13:10.643 --> 01:13:14.873
took cameras with them as they broke into an electrical power station.

01:13:14.873 --> 01:13:18.433
If you want to see how this looks in action, check out the links in the show notes or at

01:13:18.433 --> 01:13:20.242
darknetdiaries.com.

01:13:20.242 --> 01:13:25.293
Brian is still with RedTeam Security doing these pen tests, but Jon has since moved on to

01:13:25.293 --> 01:13:28.943
another company where he’s doing security architecture work now.

01:13:28.943 --> 01:13:33.233
If you like this show, if it brings value to you, consider donating to it through Patreon.

01:13:33.233 --> 01:13:37.123
By directly supporting this show, it helps keep ads at a minimum, it helps get people

01:13:37.123 --> 01:13:39.903
to make the show, and it tells me you want more of it.

01:13:39.903 --> 01:13:44.953
Please visit patreon.com/darknetdiaries and consider supporting the show.

01:13:44.953 --> 01:13:45.953
Thank you.

01:13:45.953 --> 01:13:50.143
This show is made by me, the 56th KBOT, Jack Rhysider, sound design by the shell-prompt

01:13:50.143 --> 01:13:54.663
Andrew Meriwether, editing help this episode by the VGA-supported Damienne, and our theme

01:13:54.663 --> 01:13:58.223
music is by the sound-blaster, Breakmaster Cylinder.

01:13:58.223 --> 01:14:04.793
Even though astronauts use Linux because you can’t open Windows in space, this is Darknet

01:14:04.793 --> 01:14:05.623
Diaries.
