Hi folks, welcome to Lock Bypass Village and to my talk all about physical reconnaissance. So this is going to be a fairly low-tech talk. It's all about how we can use our human senses and our eyes to walk around and tell as much information as we can about a physical facility before we ever actually step inside. So I gave a different version of this talk at HOPE a few weeks ago. That one is a little bit more formal on sort of the architectural plans and inferences there. This one will be taking a more red team perspective. It's got a lot of new examples that weren't in the other one as well as a lot of content that was cut. So I'm going to try to be a little bit faster with this one and take advantage of the more intimate environment that a DEF CON village gives to make this talk all about the Q&A afterwards and having some interesting discussion. So to get started with the basic information, intelligence follows a cycle. So we collect information, we analyze it into usable intelligence, and that's going to determine if we need to then collect more to decide ultimately what our course of action is. So that's the end goal that we need to keep in mind while we're collecting this information. Reconnaissance is something that we want to do of our physical facility, of course, but we're going to start with the area of influence, both physical and political. So looking at nearby streets, nearby shops, looking at nearby utilities, etc. As well as, if the organization has multiple facilities, what are those facilities like? Do they have, well, they usually will have very similar layouts and usages and security situations there. And we want to observe at a range of times, day and night, week and weekend, and normal operation and during an anomaly, to get a sense of how the organization handles that. We want to look at the people as well as the facility. So when are they entering, what the general demographic is?
We can keep track of how many enter and leave at each time to get a sense of the occupancy of the building at a particular time. We want to look at what entrances and exits they use as well as any security steps that they take inside, such as keys and credentials, and if they sign in or do anything else on entry. We can then go up to the main entrance and look at all the information we can get from that. So this particular picture is very telling. We can see the fire panel off to the side. You can get a very good sense of the occupancy and layout of the building from all the different fire zones that are going to exist. We have our fire safety plan box here telling us that this is the main entrance. We look at all the ways that are access controlled on this building. So there are a number: a keypad, a credential reader, a doorbell, a video doorbell and a different one used at night, apparently. We can see the elevators through in this lobby, so we know exactly how to get to those, and we can infer that the hallway is going to go perpendicular to that, which makes sense given the layout of this building. We can notice these magnetic contact sensors there. So that gives us an indication that we're going to see more of those throughout the building and there might be a networked alarm or intrusion detection system. So there's a lot that we can tell just by looking at the front doors. We can zoom in a little bit on the locks, so we can see something like Medeco or Schlage Primus lets us know that they take security a little bit more seriously, as well as an electronic strike plate lets us know that there is an electronic access control system involved. We can look around back and we might see what's happening in terms of things being disposed of. So if there's a dumpster out back, that tells you that the area is in flux. There's construction going on or something within it. You might see something like a specialized disposal bin.
So in this case, it's a cooking oil bin that tells us that there is a restaurant inside, and they fairly universally look like this even if they're not so blatantly labeled. We can find the parking garages. So we know that this one is a full underground garage rather than just a number of vehicles because it starts to slope down. And we can find the ventilation grates near that and see how deep they actually go based on seeing, in this case, the light coming out from two levels down. We can look for the loading docks, and so that'll give us a sense of both where the service entrances and service corridors are going to be within the building as well as what type of material they actually accept at this particular facility. And then looking around the back, this is a great sign of a site that does not have any alarm system installed on it. So that starts to give us a sense of what all the entrances around the perimeter of the site are going to look like. Now we can switch gears a bit and figure out what happens inside of that building envelope. To do that we're trying to infer the floor plan of the site, which generally is going to include assignable space, so that's going to be our offices, residences, etc., what people are actually using; circulation space such as halls, stairwells and elevators; and building support space, so washrooms, custodial closets, mechanical space, etc. And by identifying where all of these elements go, we can then help to improve our red team operation with this information before we even begin it. So with that we can get the best plan for how to get from A to B, and we can then filter that into a timeline, so if, say, we need to go faster than the response is going to be coming in after we've set off an alarm or some other trigger for the response to come, we can use this information to determine if that's going to be feasible.
We can figure out where it would make sense to put the cameras and work around that space, as well as we can do a bit of auditory analysis to see where we could be heard and where we can hear other people. And of course, if we plan to do any social engineering in the space once we enter it, it really helps to know where we're going. So you can get floor plans often from the fire safety plan box if that happens to be available to you. If not, you can usually do a search online and sometimes get good information there, so searching for a PDF and a number of keywords that I've outlined here, that tend to be found in floor plan files online and not in a whole lot else, is going to really help narrow down your search to get floor plans there. And if it's a public building, there's usually a public tenders website that has loads of plans for it. When we infer floor plans, we're not going to get very detailed diagrams, but we'll get a topology that's good enough for all of these purposes for a red team engagement. The first thing we'll start with to infer floor plans is the massing of the building. So what is its overall shape? We have a primary mass, which is the main shape, and anything smaller sticking out of it is called a secondary mass. This then has, surrounding it as a skin, the building envelope, which envelops the massing. It has doors, such as the doors, loading docks, etc. that we looked at before. Windows, which we'll use the architectural term of fenestration. It would have mechanical equipment, so vents and louvres coming out of it, as well as potentially equipment on the roof and external structural members, all of which are clues to the internal layout. We can get this massing information from Google Maps, which often has it for many cities. Many cities also often have their open data releasing this information. We can look at satellite views as well as local governments' open data, and of course taking pictures in person.
So from the exterior massing and envelope, how do we determine the floor plan? So here's an example of a very large, complicated facility, looking at it from an aerial view. We can start to see that it is very well set out as a linear layout, so it's branched, but otherwise we can infer, well, there's probably going to be a hallway in the center there with rooms branching off to either side. The size of those rooms is going to be quantized by the positioning of these windows here. And so, as it turns out, that's exactly what we see: hallway in the middle with rooms quantized by the windows, equal depth on either side. The stairwells, we can start to guess where they are based on where it makes sense given fire and egress requirements. In the entire facility we see that that holds true as well, with hallways in the middle, and it very closely follows what we could infer from looking at that external massing. So sometimes we can also get the hall location directly from fenestration or massing, so in this case we have both windows and a very thin mass element that tells us that the hall must be in the middle here. It is usually in the middle, but not always, so in this case this bridge tells us that this hall is on the edge.
An interesting case study for these long massings, long thin massings, is prisons. So cell blocks tend to be laid out that way. In terms of the inside of them, once you've seen one you've seen them all; they all pretty much look like this. But there's one interesting aside about prison escapes, and that is that every prison needs to have a lavatory in it, and every lavatory needs to have plumbing, and that plumbing has to get out somewhere. And so that will usually be in a crawl space, and in older prisons it will often be in a fully fledged service tunnel that already exists and that must therefore be connected through a wall from the cells. So when you hear about people tunneling out of prisons, you think, well, that's a very daunting task. They don't actually have to go very far, just a couple inches of brick or concrete or whatever it might be, to get to the crawl space where the plumbing gets out. We can use this, when we're not trying to break out of a prison, to determine where washrooms are in a facility before we ever set foot in it. So washrooms need plumbing, and multi-story plumbing needs pipe riser shafts, so you tend to see the washrooms are the same place on every floor so that the plumbing can be co-linear in that regard. Pipe riser shafts usually end in mechanical equipment at the top of the building, and so by seeing this mechanical penthouse jutting out on the roof, we can infer that the pipe riser shafts are under it, as likely are the washrooms. So in this particular example we have this T-shaped building, and we can infer that there's going to be likely a T-shaped hallway in the middle. If we did a bit more research, we determined that this was a long-term care home, and so given the dimensions of this building, that would be abnormally large for the suites to extend right the way to the center, so we might infer that there's going to be two hallways per wing and support space in the middle, as a building or a facility of this type would need a lot of support space.
We can also see this large vertical window here, indicating some sort of large common room in this area on every floor. Looking at the floor plan, that is what we find, so we have this large common room where the window was, as well as suites around the edges and a loop of hallways in each wing, and then support space in the center, including stairs on each of the three wings (it makes sense for egress purposes that they would be located there) and central elevators. High rises are a lot easier to determine what the layout is because they're relatively small horizontally and there's a number of things that are often stacked, so they're the same place floor to floor to floor. Obviously elevators, structural columns and stairwells, that make sense. Washrooms need their pipe space behind toilets, so in this case the pipe space is here, but it's nearby to it. Telecom closets, electrical closets, pipe shafts, mechanical rooms and vents, all of which have vertical risers that ensure that they tend to be vertically stacked. What this gives rise to is that we generally have a central core that's going to contain all of these building support elements, so your mechanical room, washrooms, stairs, elevators. Here we can see in this diagram that pipe space behind the toilets there, and that's the reason that's stacked, and that also makes sense to use this space that's very far from the windows, where people like to occupy, for these central core elements and then let people occupy the outside. This indicates the column grid here, so this might be partitioned by the final user of the space, and those partitions are generally going to follow the column grid some way or another. It also makes sense for egress purposes to have the stairwells and elevators in the central core because it's about equidistant from everything in that floor.
Most high rises have entire floors dedicated to mechanical equipment, and we can locate them by noticing very clear differences in the fenestration, so instead of windows it's mechanical vent louvres. If we see the top level of fenestration is well below the roof level, that indicates that there's a mechanical penthouse at the top, and there's also often mechanical basements or partial basements that are going to house that equipment. So in this particular case we see a number of mechanical penthouses well concealed within the architecture of the building, and in this case we see loads where the fenestration doesn't extend all the way up to the roof, and that indicates that that's what's going on there. We can also do a bit of math, so we can get the height of the building either by public records, as many of them are, or we can measure it fairly simply with simple trigonometry and angle measurements. With the height of the building, counting the floors, we can then determine what the average floor height is, and that gives us a sense of both what the occupancy is, what the usage is, as well as where the mechanical equipment will go. So very, very tall floors will likely have false ceilings or false floors, and that does affect our ability to bypass in certain ways, since we know we can get into places through the ceiling or the floor if that exists, and then shorter ones are then going to have mechanical corridors instead, and they'll tend to be smaller, with a central core housing that mechanical equipment.
In terms of high rise residential, it's not nearly as open as an office floor plan. It's going to be set up into separate suites, but they're going to follow a central core as well, housing the stairs, elevators and building support systems, and it will tend to have a ring-shaped or U-shaped corridor for circulation space to give access to all of those units. And so in this particular case we see a slightly abnormally shaped building, but stairs, elevators, support space in the center, with a ring-shaped corridor following that general outer perimeter. In terms of identifying where in the core each thing is positioned relative to one another, and in a larger building where these elements are in general, we can sometimes look at the parking garage. So right away we can see where the structural columns are, and that's going to extend all the way up the building. We can find where the elevator banks are. We can find where the telecom riser shafts and pipe riser shafts are by the location of mechanical rooms in the basement, so in this case the security system room is very likely going to be located very close to the telecom riser shaft, and that, we'll notice, is right beside the elevator lobby, which makes sense: the high rise is going to be above this, the elevator and the riser shafts and all this other building support space is going to be in the central core, so it will be close to one another in the parking garage. Of course, we can identify stairs as well. In older buildings the stairs tend to be located on the outside of the building, and so we can identify those using a number of tricks. Sometimes you can just see the stairs very clearly. Stairs tend to have egress doors at the bottom of them, since they are provided for egress purposes as well, and when you look at the building at night, if there's one column of windows that's entirely lit up, that is usually a stairwell, because it needs to be lit for egress purposes. Here's an example of the stairwell being unfenestrated: it's this secondary
mass that runs along the side of the building. A cue that it's a stairwell: well, one is its general dimensions, this makes sense for being a stairwell, as well as it extends up onto the roof level of the building, so this is likely a stairwell that goes up and opens up onto the roof, indicating that that is likely what that is, and then we also have some cell towers on this building. Stairwells that are fenestrated, we can tell what they are from the fenestration, so if we see windows that are halfway between the regular floor heights, it's a very good indication that that's a landing on a stairwell. In this case we have windows zigzagging up the building, and that's likely going to be following stairs that are zigzagging up landing to landing. We also see that this is a secondary mass sticking out of the building, and it sticks up at the top, creating a little exit onto the roof from the top of that stairwell, and it makes perfect sense that that's located where it is relative to how these windows are laid out. In this particular case we have windows that are not aligned with the rest of the windows in the building. This is a residential building; you can tell based on the litness, or how lit the windows are, what that pattern is, and then this column of everything lit with the exact same intensity, that's got to be a stairwell. And here's another example of these half-height windows indicating that it's a stairwell, terminating in a door at the bottom, and it's a column of lit windows, so that's very clearly what that is. In this case, where there's a fire escape, we can tell that there's likely no stairwell near it. That's about all we can tell, because they are retrofits. If there's multiple exit doors, and the exit doors are only a cue as to where the stairwell is, it might also be to a hallway. We can tell which one's the primary exit door by looking at some safety features, so this light up here to provide illumination to people exiting, as well as we have a parking lot there, so we have some vehicle
bollards to protect pedestrians exiting from being rammed into by vehicles parking, in the case that this is the primary door, and these are likely mechanical doors; that's helped along by the fact that this vent louvre exists there. So in this case, looking at this building, can we tell if it's an office building or residential based on the pattern of lighting in the windows? We can tell that it is almost certainly an office building, with the lower floor lit; the upper floor is likely on timers and not lit up. We can tell where the elevators are by looking for the associated machinery that goes with them. A hydraulic elevator: they tend to be shorter because there's a hydraulic ram that goes as deep into the ground as the elevator is tall, and so they can't go very high, and as well they don't tend to show up in very old buildings because they're a newer technology. Every other type of elevator, and most of them are this second type, which is a traction elevator, so they're the typical ones that are hanging off of the cable, and they require a machine room at the top, with some exceptions, but they're rare. That machine room needs to be sticking out above the top level that the elevator serves, so if the windows go all the way up to the top level, all the way up to the roof, we can see that if the elevator is going to serve that top level, it's going to need an elevator penthouse extending out, excuse me, onto the roof, and that's what we see here. We see three elements, uh, three secondary masses extending onto the roof. This central one makes sense to be the elevator, both based on the size, if we compare it to these vehicles down here, as well as the positioning relative to the main entrance to this building, and these secondary masses on the side are likely where the stairwells are coming out, exiting onto the roof. Another couple examples: we can see an elevator penthouse up here, indicating that's likely where the elevator is. In a building of this age and height it's unlikely to be a hydraulic
elevator, and here we can see the elevator directly exiting out the back, and this very likely is a hydraulic elevator. In this case we can point out the stairwell very quickly by this column of lit windows. There's likely going to be one on the other side of the building as well, and we can infer the rest of the floor plan by noting that there are two balconies per side, each balcony is partitioned into two, so eight units per side, or four units per side, eight per floor, so there's going to be four more on the other side. We can see this, uh, mechanical penthouse only covers part of the building's roof, so the elevator's got to be in the central core, which makes sense for circulation purposes, and we can tell that this building is likely symmetrical all around. Utilities are also very helpful for us to determine what a building's used for, what its occupancy is and where things are within it. So here's an example: we can see this particular box coming out is a remote meter reader, so the, um, it's for water, so the water meter reader can go and tap an electronic device onto this to read the meter, and that tells us that this is a mechanical room down here that it goes into. Here's another example where we have both that box as well as the gas meter leading into that, and looking into this grate, it's a bit hard to see in this picture, but there is a vent louvre there, further indicating that that is a mechanical room down there. In this case we can spot the bedrooms by looking at what we can see: pipes directly in this room. We can see the fire standpipe coming out of it, so it tells us something about the size of that mechanical room. On the second floor we can tell that there is none here because we can see in the windows, and on the third floor there likely is a mechanical room up here, based on this louvre and the lack of windows, and of course there's likely going to be some pipe shaft connecting this first and third floor mechanical room, recessed somewhat into the building, because we know
it's not on the edge. We can look at incoming telephone utilities to determine the occupancy of the building, so a cable coming up from an underground conduit. In this case we can look at it and see that it, by its diameter, is about a 50-pair copper cable, so this building had a design maximum of 50 phone lines in the building, and that's going to estimate the occupancy. We can also look at where the phone lines split up to, if they split up into separate units, to identify where the units are. So we can see a phone line coming along here, entering the building at this point; it's a little hard to see, but there is a line swinging up there and entering at this point; and then there's one along the side here, entering at that point. So from where these phone lines are entering the building we can identify where the units are; that, combined with the fenestration, will give us a very good sense of what the internal partitioning of the walls is going to look like. Here's an interesting case that gives us a sense of the history of the building. We see a whole rat's nest of phone lines all going to the same place. What likely happened there is this is a rental building and it changed hands many times throughout its life, and every time it did, a new phone line was installed, and the techs were lazy and just added a new one without removing the old one, so that's likely why we see this pattern here, and so that tells us something about what happens within the building. We can also look at heating, ventilation and air conditioning. So in older buildings these tend to be external units, visible, and we can look at what their capacity is to get a sense of what the internal capacity of the building is. In newer buildings we have cooling towers on the roof, and those are going to have a certain capacity feeding chillers on the inside that are going to then cool a water-ethylene glycol mixture down to what it needs to cool the rest of the building and operate the HVAC systems. We can also look for specialty
HVAC equipment, so if you see something like this, kind of looking like jet engines on the top, that's for creating an extreme negative pressure, generally to drive fume hoods or other chemical exhaust disposal systems, and so if you see those, that indicates that that's going on in the building. If you see fans like this, which operate on a similar principle but lower pressure, these are highly associated with cooking spaces. So here we have an axial fan; this is common to see over restaurant spaces. And here we have a centrifugal fan that pulls up from a vent here, indicating that there is likely a restaurant in this location as well. And in this particular case we have a large industrial dust collector system, indicating that there's a machine shop or some sort of industrial fabrication system going on in this building. We can look at the incoming power. If we have pad-mount transformers on the outside, we can look at the capacity of those transformers to figure out what the power requirements are inside that building, and if it's a vault transformer, we can see if it's a double or a single, giving us a sense again of the capacity, to a bit less granularity. Kind of an interesting aside about how those are actually maintained: these concrete slabs at the top of them are crane lifted up, and then we can crane lift in and out new transformers to maintain those, so that's kind of interesting how that works. These all look similar to this, with an access hatch and a vent, since transformers do need to be vented or cooled in some way, as well as these crane-liftable concrete slabs, so now that you know what these look like, you will start seeing them everywhere in urban settings. Inside of them we have power coming from the underground duct bank, and it then goes in a separate conduit to the basement of the customer's building, and so that gives us a sense, based on the positioning of the hydro vault, where that customer's basement mechanical room is going to be positioned. If they have a
standby generator, they look something like this. Of course we can't see that from the outside, but that does indicate, if it's present, that it's a highly critical facility that's doing something with high importance that it doesn't get interrupted. We can tell the presence of that by looking for these diesel fuel refilling stations. They look like this; on the inside it's just a pipe that you dump the diesel fuel into, but if you see that, it indicates not only where the diesel standby generator is but also that one exists in that facility. Looking at the meters gives you a sense of how many separate units are being metered in that particular site, so in this case we have a stack of the gas meters here, and we can count these, and that's exactly how many separate metered units exist within this building. If we see something like this on the ground, it's a groundwater test well, and so they're going to dig down and essentially leave a pipe, a well, and they can test whenever they need to how deep that groundwater actually is. That could be used for flood prevention, but you also see this happening anytime there is new construction planned that's going to involve excavation, so if you see this and it's not in a flood plain, that likely indicates deep construction is being planned. We can also get a sense from the security features what might be happening inside of a building. So in this particular case we have vehicle ram bollards here, fairly beefy, as well as very bright glare lighting. These vehicle bollards are to protect from vehicle impact attacks as well as truck-mounted bombs. If this particular facility has that in its threat model, it gives you a good sense that whatever is going on in there must be fairly serious. As a bonus, here we have these half-height windows indicating a stairwell, and this lack of fenestration here indicates that there's very likely an elevator shaft there, possibly with a little window vent in the penthouse at the top here. So looking at the
fenestration in this particular case study, we see a weird pattern. We can tell immediately that there's going to be a basement suite there, so likely from this entrance door there's going to be some stairs up to a fairly tall first floor. When we have a tall floor, the rooms tend not to be partitioned very small, so it's likely either a large open event space or a number of larger rooms within that. Anytime we see a strange-looking fenestration pattern like in this case, we can infer that that's certainly because of whatever requirements the inside of this building has for its layout. Here's a really great example. So we have this L-shaped building; immediately gives us a sense of the circulation layout within it. We can see the elevator penthouse here as well as a chimney stack, indicating that the boiler house is going to be below that. We can see that the boiler house is indeed spanning floors three and four here, and the entire central core supporting this building's utilities is going to be located near there as well. By looking at the roof and what exists on the roof, we can also see this framing here that used to support some heavy HVAC unit. It's going to be anchored on the columns of the building, and those columns line up with the breaks in the fenestration along the side of this building, so from this and from the fenestration we can actually infer the entire structural diagram of this particular building. So that was sort of a whirlwind tour. If you're interested in this sort of thing, would like to see a little bit more of the details of how these things are done, I encourage you to check out my HOPE talk as well, but this now gives us a great opportunity to have some Q&A, chat about this, chat about some interesting cases that you've seen in your life and see what else we can infer from these types of tricks. So I'm hoping that this will make you more situationally aware in your everyday life, look at your built infrastructure differently, and when you're going to an
unfamiliar building, know where you're going. I'd like to extend a huge thank you to Cara and Bobby, Josh and Eric for their help in preparing this talk, and I'd be happy to take any questions and start the discussion on this. Thank you very much, folks.