Hello everybody! Welcome to Lock Bypass Village. My name is Karen and today I'm going to be taking you through Bypass 101, an introduction to basic bypass methods. So before we get started, what is bypass? Very often when people think about physical hacking, they think about showier methods, things like lock picking. However, there are plenty of other methods that can allow people to access locked out locations, and this is known collectively as lock bypass. So to get things started, I have a fun video here, which is a really great example of lock bypass. It involves finding a security vulnerability, exploiting it, and then gaining access to areas that should otherwise be locked out. This next video shows what can happen if your security system is poorly designed or poorly thought out. My mom wanted to lock her door. She's got a sliding door, and this was her solution. Bypass often involves ignoring the lock altogether, and finding an alternative way to open the door, and sometimes even avoiding having to use the door altogether. Lock bypass methods are used often because they're much faster and more reliable than lock picking, and they're used much more frequently in physical red teaming.
So as you can see here, we have our agenda for today, and there are a lot of different types of bypass here. In addition, the items that are in bold are available to play as games on our website, bypassvillage.org, so feel free to go check those out.
So let's get started with latch targeted bypass. Latch targeted bypass, or carding, targets the latches that hold the door closed. Depending on the orientation of the latch, you can either shove or pull the latch. There's a variety of tools that you can use for this. Most commonly, you'll see latch slips or traveler's hooks, plastic cards, or even a well bent piece of wire. Circled here in red is what is known as a dead latch. When the dead latch is pushed in, it prevents the latch from being pushed in as well.
This prevents you from being able to card a door. Here's a quick video demonstration of how a dead latch works. So as you can see, when the dead latch is pushed in, you can no longer get the latch into the door. Sometimes the door is installed in such a way that the dead latch is already in a hole in the strike plate that is in the frame of the door. Other times the dead latch is installed almost properly, but you can get it to fall into the hole by shoving, pushing, maneuvering, or shaking the door. This is a dead bolt. They're different from dead latches, and often you'll see them with a thumb turn on the other side. These prevent you from being able to use latch targeted bypass techniques, and it also prevents you from using the under the door tool.
So the instructions for use for pulling. So first you want to make sure that the dead latch isn't actuated. After that, you want to place the latch slip tool behind the latch. You then want to wiggle the latch slip to move the latch slowly into the door. And then, without removing the tool from holding in the latch, you want to pull the door open. Here's a quick video demo of how to do it. So as you can see, the door is locked, and we take our bypass tool and we put it behind the latch, and then we slowly wiggle it back and forth, slowly moving the latch into the hole in the door, and thus it can be pulled open. So what exactly is happening here? Pretty much what the tool does is it takes advantage of the fact that the latch is at an angle, and it follows that angle to slowly push the latch into the hole in the door.
So for shoving, first, again, you want to ensure that the dead latch is not actuated. Once you've done that, you want to shove the shoving tool between the latch and the strike plate. And then, without removing the tool from holding in the latch, you want to pull the door open. Again, here's a quick video demonstration of exactly how to do it.
So you can see he has the thin plastic card here, and that door is locked. You maneuver the card between the door latch and the strike plate, and you can push it open. So again, how exactly does this work? Pretty much what you do is you take this latch, and again, you're taking advantage of the angle of the latch, and this card slowly pushes the latch into the hole, allowing the door to be pulled open. Again, here's a quick little visual demonstration for you guys.
Have you been curious about wanting to try to make your own? We have several DIY bypass tools workshops over the DEFCON weekend, so here's the information there, so be sure to check that out. It'll be going over a variety of different physical red team tools and how to make them using things you probably already have at home. In addition, there's also a game. We have a latch slipping game at bypassvillage.org, so it's an interactive game where you can latch-slip doors and there's varying levels of difficulty.
Next, we'll be discussing handle-targeted bypass. Sometimes the dead latch is actuated and the door absolutely cannot be carded, but there is still hope. There do exist lock bypass methods that target the handle of the door instead of the latch. This method mimics a person exiting through the door from the other side. So, the under-the-door tool allows us to access areas that do have properly functioning dead latches. This bypass method targets doors that have lever-type handles. The tool itself is thick wire, about five feet long with string tied to the end. The tool is measured against the door handle and bent into a hook shape at the top. As I mentioned before, this bypass method targets doors that have lever-type handles. In addition, you'll also need enough room under or beside the door to fit the tool. As you can see here with different types of levers, S-type levers and T-type levers are the easiest to use this bypass on, with U-type and Q-types being much more challenging.
So, here's a quick video demonstration of how it's done. Time, here's how it's done. In this video, I'm going to show you how to use an under-the-door bypass tool. They allow us to gain entry through doors with locked door handles. First, the tool is slid through the gap between the door and the floor. It is then maneuvered onto the inside door handle and pulled downwards, replicating the motion of someone opening the door from the inside. There you go. Nice and easy. So, step by step, what you want to do is you want to insert the tool under the door and then maneuver the tool until the top hook rests behind the door handle. You then move the tool to the end of the handle and pull on the string, actuating the lever. Again, I'm going to plug our DIY bypass tools workshop. In the workshop, we will be covering how to make this tool, and again, this will be using materials that you probably already have at home.
Alright, let's talk about door knobs. Door knobs are often very difficult to bypass. Thankfully, they're slowly being phased out of use, but you may still encounter some of them in the wild. The tool for this bypass is a bent piece of wire, which is used to deposit a piece of string onto the door knob. Tape, rubber, or other materials can be added to the string to help increase friction on the door knob. So, on this image, I have some tape. So, here's the tool again, but from slightly different angles. And as you can see, the wire is meant to go around the frame and have access to the front of the door. So, the requirements for this bypass method is a door knob, of course, and similar to the under-the-door tool, you also need enough room under or beside the door to fit the tool. So, the instructions for use are very simple. The tool is used to deposit this piece of string onto the door knob, at which point the wire piece is removed, and then the string is pulled back and forth, creating tension, which slowly turns the door knob.
So, here's a quick little video demo for you guys. So, as you can kind of see, the tool is slowly being moved up the side of the door, and the string has tape attached to it to increase the friction on the door knob. Once the tool is high enough, the string is maneuvered so that it lands over the door knob, and then both sides of the string are pulled back and forth to create friction, which then unlocks the door. Again, a little closer, you can see the friction on the door knob as it slowly turns.
Next is crash bars. Crash bars, not to be confused with push bars, are relatively simple in concept. The bar across the crash bar pushes down and unlocks the door. The tool for this is very similar to the under-the-door tool. The wire is cleverly bent and with some string used to actuate the crash bar and unlock the door. The requirements for this is a crash bar on the other side of the door and, again, enough room beside the door to fit the tool. So, to use this tool, you want to insert the tool through the side of the door or start at the bottom and move up depending on how much room you have on the side of the door, and then rotate the hook until the hook lands on the crash bar. Once it's on the crash bar, you can pull down string, which pulls the crash bar towards the door and unlocks it from the inside. So, here's a quick demo video to demonstrate how this tool works. Once I get it up the door frame, it hooks onto the bar of the crash bar and then you can pull on the string and it'll open the door. So, again, step by step, you want to get the tool into the side of the door and up, and then once it's high enough, you hook it onto the frame of the crash bar and then you pull on the string, which pulls it towards the door.
Now let's talk about push bars. Push bar targeted bypasses tend to be more difficult due to there being less things for tools to hook onto. Often the best bypass for a push bar is a latch-targeting one, but this isn't always possible.
So, the tool for this bypass is a piece of string. Optional is stiff wire or sticks for positioning the string, ideally in a hook or an L shape. For this bypass method to work, the push bar must be either on a door with holes or with room above and below the door. Pretty much how this bypass works is you feed the string through the top of the door or through a hole above the push bar, use the wire pieces to move the string over the push bar and through the bottom of the door or through a hole below the push bar, and then you grab both pieces of the string and you pull, and this pulls the push bar towards the door, thus actuating it as if someone were exiting from inside and unlocks the door.
This next bypass is pulling really hard. So pulling really hard is a long-standing tradition of physical hackers, and there are a lot of doors that are loose in the frame and can be pulled open with a strong enough arm. This is the easiest bypass method to pack for. All you need is a reasonably strong pair of arms. So, not all doors can be pulled open this way, but a surprising number of them can be. You want to look for springy, loose-in-the-frame kind of doors that have an amount of flex when you pull on them. Multi-bank doors often do have at least one door that is pullable. So, here's the instructions for use. Very complex, very difficult, so just feel free to take your time going over that.
The next bypass I'm going to be talking about is removing the hinges. So sometimes the easiest way to unlock a door is to not unlock it at all. Some doors are installed with the hinges backwards, which allow you to unscrew the door from the frame and take the door out. The tool for this is obviously a screwdriver. For this to work, the screws of the door hinges must be exposed and accessible. And it's pretty self-explanatory how to do this. You unscrew the hinges and then you remove the door and, boom, you can enter. However, seeing hinges installed like that is not very common.
However, doors that have the pin of the hinge exposed are very common. This pin can be removed and then allow the door to once again come off of the frame. The tool for this is a screwdriver or a nail, a hammer, and then optional but recommended vice grips. For this to work, the door must be an outward swinging door with exposed hinges. And in addition, this will not work on security hinges, so things like set screws or stud hinges. So how this works is if there is a decorative bottom cap, you can remove it with a screwdriver and hammer. And then once you've done that, you place the screwdriver under the hinge with the point touching the hinge pin. Then you can use your hammer to gently tap the screwdriver until the pin can be pulled out. After you've finished that, you want to repeat that with the other hinge and then you can remove the door. Here's a quick little demo video for you guys. So we gently tap it. It has a hinge pin come out of the hinge and once it's out enough, you can use the vice grips to pull it out the rest of the way. And then again, you want to repeat this with the other hinge pin. And once it's out enough, you want to take your vice grips and you can pull it out. And now that both hinges have their hinge pins removed, you can gently move the door out of the door frame and boom, you have entry.
So these are padlock shims and they can be bought online in plastic or metal versions. You can also make your own at home using aluminum cans. Lock works in normal operation when you have a key and you're unlocking it. Padlock shims take advantage of the mechanisms inside of padlocks and force the mechanisms together that hold the shackle down, allowing you to pull it open. Of course, this doesn't work on all padlocks and there are padlocks now that are designed to specifically prevent them from being used, but you would be surprised at the number of padlocks that are still in use that this can be used on.
Again, I'm going to plug our DIY bypass tools workshop and they'll be going over how to make your tools as well, so drop by if you can.
Now, let's talk about bypassing button push combination boxes. So, button push combination boxes allow access without needing to have a physical key. There are also boxes that can contain keys inside of them. I'm sure you've seen these before in communal spaces, apartments, things like that, and I'm sure you've seen boxes like this outside of areas that have a lot of storefronts. So these are used because when a company, an employer, provides access to a store for a whole bunch of people but doesn't want to create a key for every single person, what they do is they'll have one key and they'll put it inside of this box and then give each opening employee the combination. Then they can use the key to unlock the door, put it back and leave it for the next person to use. So you can use UV ink or powder and you can use that to figure out which buttons are being used to unlock the door. Using a UV light and a little bit of patience, you can reduce the possible combinations enough that you can brute force it. So how you do this is you apply UV ink or powder to all of the buttons on the box and then you wait for the lock to be used a few times. As people use it, the ink will rub off of the buttons. After a while you can return with a UV light. The buttons used to unlock the box will have less ink on them than the others. Then you can try all of the possible combinations with the inkless buttons. In addition to that, depending on the UV ink or powder that you use, it's possible for pigment to transfer from one button to another with someone unlocking the box. You can use this to figure out the combination order without brute-forcing the combination. And then sometimes you don't even need to use a UV light to figure out the combination, if anybody out there could guess how to unlock this lock.
In addition to that, these are simplex locks, and when they come from the factory their default code is pressing 2 and 4 at the same time and then 3. Very frequently people will not bother to set a new combination, and so there's a lot of simplex locks out there that still use that default code. And there's a game for it. So we've made a really really cool button push combination lock game and they have several different button push combination locks to try out and it's a really fun interactive game. You get UV ink and UV light and it's a really good time. So head over to bypassvillage.org and go and try that out.
Next let's talk about hacking enter phones. So I'm sure you've seen these around before, but enter phones are devices that are used to let people into buildings, most commonly apartments, condos and high rises of that sort. They allow visitors to contact someone that lives in the building who can then remotely unlock the door to let them in. There's a few major companies that make enter phones and they're often keyed alike, meaning that one key can open all the enter phones made by the same company. So what you want to do is you want to open the enter phone panel using the corresponding key and you want to find the unlocking mechanism. Once you've found the unlocking mechanism you want to use something conductive to jumper the mechanism. At that point the door should unlock as if someone from inside buzzed you in. So here's a quick little video on an enter phone bypass. Similar to the combination boxes there is a game for this as well. So if you've always wanted to try your hand at enter phone hacking, now is a really great opportunity to do so.
The next bypass method I'm going to be talking about is wheelchair buttons and request exit sensors. So wheelchair buttons allow the door to automatically open when the button's pressed. Sometimes the button is installed so that it'll unlock and open the door regardless of if the door should be locked otherwise.
So I have this great little clip here for you guys. So as you see the door is locked but with a push of the wheelchair button it's open. In addition to wheelchair buttons there also exist request exit sensors. So these are installed for the convenience of people that are inside exiting the building. Some are set up so that they automatically open as you approach them from the inside, but some just unlock and allow the person that's inside to exit the building. If you can trick the sensor into thinking that there's someone inside that wants to exit then it'll unlock itself, allowing you access. So here's a great clip from the YouTube channel We Hack People where they bypass the sensor using canned air.
Next I'm going to be talking about elevators. So elevators are pretty much everywhere nowadays, and very often in buildings and high-rises and things like that there will be floors that are locked out and require a key card or a fob or something to get into, whether that's through the stairway or through the elevator. Luckily there are a lot of ways to bypass these and you can get to locked out floors through elevator hacking. So this is our elevator panel and pretty much this is where we're going to be spending a large part of our time. So common keys. A lot of elevator keys for various service modes are standardized. So here's a list of some of the more common ones. I recommend you look into these at your leisure. And these elevator keys can allow you to use special service modes. So things such as independent service mode, inspection service mode, attendant service mode, and fire service mode, which give you a lot more access privileges than you would when it's running in normal service mode. In addition to using common keys you can also jumper and short the elevator panel. So electronics run off of signals representing open and shorted.
And if we can trick this elevator into thinking that an open signal is being sent when it's not, or the other way around, then we can get it to behave the way that we want it to. So we accomplish this by jumpering or shorting connections that are in the elevator panel. So to do this you want to disconnect the panel, whether that's unscrewing it, coaxing it open, etc. And then you want to find the thing that you want to bypass. At this point it makes sense to identify the state of the mechanism. So if the mechanism is open then you want to short it and vice versa. So to short it you want to use something conductive, whether that's wire, keys, alligator clips, anything of that sort to connect both terminals. If you want to open the circuit then you want to disconnect the leads or snip the wires. If you're unable to determine the state of the mechanism then it is safe to attempt both methods. So again you want to take a look at it and if your mechanism is shorted then you want to disconnect the leads or snip the wires. And then if the mechanism is open you want to short the mechanism by using something conductive to connect both of the terminals. So there's a game. So if you head over to bypassvillage.org we have a nice little elevator hacking game that you can try out and you can learn a bit more about elevator hacking in a safe environment.
Another method of bypass through elevators is hoistway access. Hoistway access, or getting on top of an elevator car and controlling it from there, is another way that you can access locked out floors using an elevator. I'm not going to be going more in depth for this today because this talk is being recorded and putting it on the internet, but if you come out to our elevator hacking talk next year at bypass village it will be covered.
Next let's talk about unlocked or improperly locked doors. Now this sounds like it'd be very obvious but you'd be surprised at the number of doors that are left unlocked or completely open.
So there are times that you can access an area just by pulling on some doors and seeing which ones are unlocked, especially in larger buildings, ones that have a lot of doors and a lot of entrances. So there's a lot of reasons why a door won't be locked, whether it's human error, so something like a worker propping it open and forgetting to un-prop it or someone leaving clutter at the door and that holds it open, or environmental, so whether there's a warped door frame or the lock is broken or there's simply no lock there at all. All of these can cause the door to not be locked. So here's a really great example of what appears to be a lab perhaps of some sort, and someone seems to have propped the door open with a stool despite the sign saying keep this door closed. Here's another great example. So this door seems to have some sort of concrete at the base and so this prevents the door from closing at all, so this door is just permanently open and permanently unlocked for anyone to stroll in. Here's another example. There's simply no lock and again anyone can just pull open the door and just walk in.
Finally, let's talk about ceilings, windows and going around. So here's a clip from a while ago. We encountered this very large fence with barbed wire on top and everything but it really didn't provide too much trouble. Like I mentioned before, it's very easy to gain access to areas through windows, especially if they're low to the ground. Here's a great example of a bypass. This is a ladder with a ladder cage around it, and if you look at the photo on the right there is a ladder grate at the bottom, and what this does is it prevents people from being able to climb the ladder. Unfortunately, if you go around to the other side of the ladder there's plenty of space between the ladder and the wall and you can easily climb up it and get to wherever it is without having to go without ever having to interact with the ladder cage or the grate.
In addition to that you can always go through the ceiling. So a lot of places nowadays have false ceilings and very often the walls will not rise up past these false ceilings, meaning that it's very easy to go from room to room or hallway to room over the walls without ever having to interact with the door. So here's a really great clip from a while back. In this case we were very fortunate that there was a ladder that led up to an upper hatch but we were able to take advantage of this to gain access into a room next door. So as you can see he's very very carefully undoing the ceiling tile, the holds that keep it there, moving it to the side, and there he is. Now he has access to an area that he otherwise shouldn't, simply by going into the ceiling and over the wall. So the thing to keep in mind with this though is you want to be very very careful. There's a lot of places that you can't step or can't hold your weight and when you're up in a fragile area like that one wrong move can prove to be very dangerous.
Well Tom, the Rite Aid here just off Route 11 in Farmington has security cameras that are activated by movement and police tell us they only had a few moments to switch on before the suspect came crashing through the ceiling. Bringing ceiling tiles, air conditioning ducts and wires down with him, this burglary suspect broke into the Farmington Rite Aid just before 2am Tuesday morning, gaining entry through the roof.
So again you have to be very very careful. You need to know where you can and can't step and which areas can and can't support your weight. So here's another great example. So you just want to always be careful whenever you're trying this kind of bypass method or really any other type of bypass method or this could happen.
So that wraps up my presentation for today. At this point I'll be able to take some questions.
Some big takeaways: come try out some of our games at bypassvillage.org. We worked really really hard on them to make sure that they were available and ready for you guys to try out and get that hands-on experience learning about physical bypass, and also come to the DIY bypass tools workshop. So we'll have a lot of tools being made, it'll be a really fun time, it'll be using materials you probably already have at home so you might as well, and then you can also try these things out at home. If you guys have any questions for me we'll now be going into a Q&A session, a live Q&A session, and if you missed that and still have questions feel free to send me an email or send me a tweet at Quinnab or at bypassvillage. Special thanks to Sunny, Agay, Bobby, Bill and Paul for all of your help with getting footage, putting together photos, getting everything ready for this presentation. Thank you so much guys!