Welcome everyone. We'd like to invite Brent White and Tim Roberts. Brent White is a senior security consultant at TrustedSec and Tim Roberts is a senior security consultant with NTT Security's threat services group. Both have spoken at ISSA International, DEF CON, DerbyCon and various BSides. Maybe not always together, but we have them tonight together and we appreciate having them. Their theme is skills for a red team. Let's give them a hand.

I think we almost died. That would have been interesting, huh? Short talk, right? So yeah, as you mentioned, I'm Brent White and I'm Tim Roberts. So as you can see, we're very mature. Yeah, as you can tell from this, we're extremely mature and highly professional, so, hey, I know, hopefully you're not too disappointed in that. So, you know, the wonderful English, over there. So, all right, let's get into it.

So what do you mean by red teamer? Red teamer is often defined... it's kind of subjective in InfoSec. Like some people say, well, red teaming means this, while other people are like, no, it means this or whatever, and it becomes this butting-heads thing. For us, we're defining it specifically for this talk as attempting to covertly identify gaps. This includes physical and social engineering gaps, security awareness, often in addition to technical. Some clients prefer we don't touch their systems; we just get to their systems and we have a proof of concept. And in this we're going to focus primarily on the social aspects and the physical aspects. So therefore, red teamer means, you remember, red team. So show of hands, who in here has ADD, ADHD? I mean, you're not going to hear anything we're going to say because of, you know... just a warning, you're going to, in a few months, go back and watch the video because you won't hear anything we say. So, yeah, squirrel. Yeah. So, okay, it's like a... this is a very poor standup comedy act apparently.
So, yeah, so we're going to talk about a few different assessment types, covert, overt and hybrid, and we'll go ahead and jump into those. So, something else too. If anybody has any questions while we're talking, please raise your hand or just interrupt us so we can go ahead and throw something at Brent. Yeah, money or something. What's your name? That is Therisa. Yeah. She's really sweet. Yes, nice lady. Has a mouth on her though. All right. So, all right. See, I'm telling you this is going, this is going bad. This is going to go awful.

So, covert. You try to be all sneaky and covert, and we had some trolls. It's like, "the short guy reads too many Tom Clancy novels," and it's like, no, I don't try to be sneaky. So, this is basically if a company has you come in and it's like, okay, see what you can do as an attacker, an unauthenticated malicious attacker. What can you do? Where can you go without, you know, without the approval of being there? So, we'll talk about some methods about staying covert, trying to avoid detection and so on. You know, and some of these terms vary too depending on what pen testing group you work for or whatever. I mean, we're pen testers. So, like some of the service offerings we offer, we use verbiage like covert, overt, hybrid. It's easy to understand for clients when they're thinking, you know, how do we want these guys to approach their assessment? Do they want to do a walkthrough and hold their hand and tell us the issues that they have, or do they want us to actually take the role of, you know, criminal? And that also depends on the maturity of the company's security program too. And the client relationship. Yeah.

So, the covert assessments. We've got a couple different pictures in here from actual assessments. Oftentimes we will wear body cams or just have a camera with us.
That way we can... the client requests, "Can any of you guys film this interaction or this bypass or something like that?" because they don't get to see it. They just kind of take your word of mouth as soon as they get the report. "Oh, it says you bypassed this or that. How did you do this?" "Well, it says in the report." "Well, but how did you actually do it? We want to see how you did it." So oftentimes we'll wear body cams. Sometimes we'll just take still photos.

This top right one is pretty funny. It's a human resources office. And they had like a dimple lock. We were able to pick it, get into it. And there were all these cubicles around. And the cubicle walls are so high that nobody could see their closet that had all the employee records in it. Or me. Or Brent. Yeah. I had to kind of get a little shorter, but nobody could see us pick this lock. And so we're right beside a cubicle, literally probably here. At the end of the hallway too, you look down the hallway, at the end of it was a meeting room with glass doors and they were in a meeting and people were kind of looking around. But it was funny because we got into the HR room. All these employee records and files. Got the point of contact's record and we ended up putting it on his desk. Later on that day it was kind of a troll on him.

So for these covert assessments, as I was talking about before, social engineering and physical are kind of the driving factors for a lot of this. The number one source of compromises, as most people in here know, is social engineering. Whether it's on-site, phishing, vishing, something like that. So what we do on-site is we really implement the social engineering. We push to test their incident response. We push to test the security awareness, the overall security culture in the company. So in this we'll really push the limits and the boundaries of what we do. From anything to trying to sneak in, okay, well, we got from A to B, we already did this.
Now let's go troll the security guards, or let's go talk to some people and ask them for information, or to let us into the sensitive areas, or let us touch different things. Electronic things. Electronic things. So we actually have a talk that we do called Security Guards LOL and it's... So we're not knocking security guards. The whole reason we do that talk, and you'll see we'll actually mention a few of those things, is because there are so many companies that have these large facilities and their entire physical security program, minus a few biometric sensors or something like that, they put it all on like one or two minimum wage security guards. And so once we walk in and we establish a rapport with them, we have several times, especially an awesome story from Tim, where one of the security guards actually handed over their entire set of keys to him in exchange for his keys, which was a ring of bump keys. "You know, yeah, I'll come back and get these later." So you'll hear some of the stories with that too.

So, physical security bypassing methods. One of the things that we always focus on when we do this is we like to use tools that are available to the public. Like the under-the-door tool, which is available I think from Rift Recon and a few other places for like 40 or 50 bucks, and then the shove knife, which is I think 15 or 20 dollars. Bump keys, they're 10 to 20 bucks depending on which set you get. Canned air, like $1. Yeah, the Shrum tool is a $2.50 piece of plastic that is made to go between strike plates and things to bypass locks. $10, or no, it's $5 for a 10 pack. Or a credit card. So the point is we always make sure that we use things that are so easy to get, and we can show you: okay, we had no access, now we're in your data center using $50 worth of tools. So that picture is me reaching a really high keyboard.
That was the whole keyboard system where the security access showed all the security cameras and everything, so yeah, it was fun getting a shell on that and doing whatever I wanted, to turn the cameras off if I wanted to, and having our way about the building.

So what can you do and what can you not do? You know, oftentimes during the kickoff call when you're discussing your rules of engagement, how you're going to do things, what you're going to do. I don't like to go into specific details, because, you know, that way if I decide to do something, like, I don't have to go... you know, it's better to ask for forgiveness, kind of thing, right? But it is important when you're talking about, like, after hours, for example: do you want us to do after-hours assessments? Do you have a cleaning crew? Do they prop open the doors at night? How do they handle that? Do you guys have after-hours workers coming in? Do you have execs coming in and out? These are things that are important to ask because oftentimes people just focus on doing it during business hours. The windows we like to do most of these assessments in are during lunchtime, during close of business when a lot of people are coming in and out of the building. A lot of foot traffic. Yeah, and then after hours, depending on if they have armed security guards, we like to try to avoid after hours for that, because some people are trigger-happy security guards. Breaking into a building at night with armed security guards is not a good idea. A friend of mine there in a report review at TrustedSec was talking about how on one of the assessments they did, the security guard said, "Yes, if we would have seen you in that facility we would have fired at you." So from that point on they no longer do the physicals at night after hours when there are armed security guards. So something to keep in mind for sure. You know, we were talking before, you know, we're primarily discussing physical and social aspects, but, you know, is hacking in scope?
I get into the building, into the server room. Can I plug into the core switch? What's off limits? What's not off limits? I think having no scope is best for these types of assessments because it's more reality-based. It's more scenario-based or whatever. It's okay to be like, all right, well, we just want you to focus on getting from here to, I don't know, the CTO's office. We want you to try to get on his system. Well, of course that's a limited scope there. But if it's pretty open, you want to try to sway the client to buy into that. So let's open it all. Let us go in. Let us do our thing. If we didn't know anything, this is like not a full disclosure or partial disclosure assessment type, but it's kind of going in blindly. You know, these are things we can do. Can we pick locks? Some clients don't like us touching their locks, trying to bypass things. Because they're afraid, you know, well, am I going to damage it, or do this or that. Especially electronic locks. Sometimes they don't like us touching any of the electronics on those locks or security systems. Or if you see a laptop or an external hard drive or USB, you know, can we grab that and take it out with us? Things like that.

So I know that penetration testing is a large part of a lot of these assessments. And so because this is the social engineering village, we're going to focus mostly on the physical part of things. But something to keep in mind when you do get inside and you are able to plug in and gain access to the network: you know, you want to try to stay covert. You want to do things like half-open TCP scans where you're not having that full connection to potentially alert an IPS or an IDS. You know, if you do gain access to a system, you know, what PowerShell scripts or things are you running? Are you trying to add a user, or are you trying to brute force an admin-level user, or something that could potentially set off alarms?
So, you know, those are things you want to keep in mind if you do get access, that you're not, you know, freaking out the admins at whatever time of day you got into their system. So those are things, those evasion techniques, are things to keep in mind.

You know, part of this too, it's kind of... this is a real quick story, but we did a red team assessment. We had gained access to the facility. We plugged in a rogue access point, put it near the window. We were sitting in the parking lot in a van, at a hotel right across the street by the river. We had this high-gain, you know, dBi antenna pointing up there; we were able to connect to it. From there we were able to compromise some SQL databases, dump some tables. We did a bunch of stuff, completely, on these people, and then when we gave them the report they were so upset with the report that we did not report a Nessus finding: that they found telnet was open, and they're like, "You didn't add this to the report." Well, this is a red team assessment. We're not going to look at every little port; plus it was internal, you know, telnet's open internally, I mean, it's kind of a deal I guess, but to express that to a client and to say, listen, we're the bad guys here, we're not doing a vuln scan, we're not reporting on every little thing. We're going from A to B. If you want a bigger, broader overview, then you need to be specific about that. Yeah, we try to make it more like a real-world scenario.
Incident response part of the assessment. You know, oftentimes what we do is we'll try to be obvious: we'll wear bright colors, we'll go to the security guard. You know, Brent mentioned this story. So we had already been around the facility, did a whole bunch of stuff. We found a security control room that had access to printing off badges; it had access to a lot of different things. They had keys in there to their company vehicles, they had hard keys to the entire facility, an aluminum box, it had a key for core on it. They also had badges from employees that were just recently terminated and they were still active. The cards were still active, but they had them securely hidden under a keyboard. Super safe. So we get to this security control room and we couldn't get in it, we couldn't pick the lock, and it was heavily congested, a lot of people walking by. So I'm like, you know what, I'm just going to go up to the security guard and I'm going to ask her for keys. Okay, so we go over there and... we're done, we're screwed, thanks Tim. Yeah, and we had already done quite a bit of compromise, right; we'd already gathered what we needed. But at this point the client was really concerned about their security guards. You know, they were concerned about: are they doing their job, their due diligence, are they following through, can you guys test this? So I walk up, I have those keys in my hand. I was like, "Hey, yeah, I'm doing inventory and I need to do an inventory of hard keys and some of the servers in the security control room, but my key's not working. The key John gave me apparently doesn't work. I called him, he said I could just use your keys. Is that cool? I'll bring them right back. In fact, I will leave my keys here, that way, you know, I will bring them back." The bump keys, right. So she's like, "Oh, well, just as long as you bring them back before five because I have to lock up the building." Absolutely, not a minute later, thank you.
So we had these keys. We ended up going down there, we ended up getting into a lot more stuff. You know, we really pushed the envelope there, and she gave us... the security guard gave us her keys, and it was to multiple facilities, not just this one, so if we wanted to leave and go to another facility after hours or whatever. In one of their company vehicles, even. Yeah. With one of their badges. Yeah.

So this picture is kind of funny, this one. Yeah, the obfuscated one, this one. So we walk over to this lady and she prints badges, and she also, I think she does like scheduling or paychecks or something like that, but this was near a cash kind of area where they handle a lot of money. We ended up walking over to her. I told her, "Hey, I'm doing some inventory and I'm also doing some network tests," just scanning for, I think I said something like network connectivity. A lot of times what we use is, "Hey, we're just doing some network connectivity, I'll be real quick." We're under their desk and say, you know, and they just move out of the way. Yep. So that's exactly what she did: she rolled out of the way, and Brent's standing there talking to her, asking about her day. She has some pictures of her kids on her desk. Yeah, I felt awful, because I started talking to her about her grandkid being in soccer, and I was like, "Oh yeah, yeah, that's a great sport, you know, how many goals has she scored?" like all this stuff, the whole time Tim's stealing credentials and stuff. Just awful.
It's funny because you can see me doing it. I think I plugged in a key logger and I was like, "Well, this is just going to test the network connectivity, it's USB," and I plugged it in and I was like, "Actually, before I do this, could you lock your system?" So she locks her system, I plugged it in, I was like, "Can you log back in now?" So she logs back in, got her domain credentials, done, and now I'm on there and I'm doing my thing. And then I have this clipboard, which we have another story we're probably going to get into, but I'm going to go ahead and talk about this because it's funny. Those shoes right there, man, nice shoes, whose shoes are those? So I have this clipboard that I've got; I've got a Raspberry Pi and I've got a wireless stick on it so you can SSH into it. So what Brent can do from his phone is SSH into this and see whatever I'm scanning of the badges. So I've got all these sensors on here to scan badges. So what I was doing with this is I had this inventory sheet. It gets worse, I promise you, it gets much worse. "Can I see your badge?" and she gives me her badge and I put it on there and I'm writing her name down. You don't just put it on there, so when you read this thing, you can't, you know, you can't just like set it on there like this, you have to do this. So that is not a joke. It's like, "Yeah, can I see your badge?" I'm writing down a few things. That's pretty creepy. She didn't ask anything; she's like, "Yeah, so, go youth soccer, right?"

So this next one, where Brent is on the right there, this was another assessment we did where we walked straight through the mail room. We had tailgated behind some people, walked straight through there, and they had all these cabinets containing, like, I think it was some PCI data, something like that. I think this is actually a healthcare company. But we actually walked through and Brent just opens the door and we're just kind of walking. We're trying to purposely get caught at this point. It didn't have a
lock or anything like that, and this is the room where they stored, they had all their backups. So they had tons of hard, printed-off backup boxes and things like that. We're picking up boxes, we're being really absurd, trying to be like, really, what do we have to do for you guys to ask what we're doing? "Excuse me, ma'am, I'm not supposed to be here, could you question me?" basically. What state was it? We're not at liberty to say that. Yeah, sorry. Yeah, but we will tell you that we were not allowed to use audio or video recordings in any way because it's against state law, and they had armed security guards. So that's why we focused on the sweet lady and the cubicles.

So, funny story. So this is during the covert part, and later on we actually did the overt assessment, and as we were going through, the HR lady, even though we were being escorted by the point of contact, the HR lady was like, "I'm sorry, you guys can't go in there," and we're like, okay, even though we'd already been in there. I was like, all right, I've already seen that room, yeah, we're good. So usually we wait until the end to try and get caught; you know, try to do our sneaky stuff first. So there was one time with another co-worker, and so we actually got into this building and they're like, "Oh yeah, there's a security guard and he monitors remotely," and we're like, cool. So we walk around for an hour looking at the camera the whole time, trying to, you know, give them the benefit of the doubt, because again we don't do these assessments to come and say, look how bad you guys are; we like to give them an opportunity to catch us, and for a teaching moment. Especially once we've identified some really critical vulnerabilities, that they've... they suck, yeah, and at that point it's like, okay, we really need to see at what point is that, and that's why we do the whole push kind of thing, to really push the bounds. Yeah, try to make people uncomfortable. Hopefully they'll say, like, "What are you doing? You know, get out of my face." So we
were at this place, and, you know, we'd gone around, we found all this stuff, and they had these double glass doors at the front that had enough physical gap where you could actually, you know, put tools through it. So I had a coat hanger, took my time, looking at the camera behind me, the glass doors right here. So I'm looking at the camera, straightening this thing out. This is not a joke. I walk over to the receptionist table, grab a handful of napkins, yeah, and I tied them into a big, you know, like a flower, like a poorly made arts-and-crafts flower thing, around the end. So I put it through the door, because they had a request-to-exit sensor, since we're on the other side, so my whole goal was to see if I could trip that. And so I'm looking at the thing and I'm literally going like this, all the way up and down, trying to get it to trip, and no one came. So I look at my co-worker and I was like, okay, we've been here an hour, like, you know, what's going on? He's like, okay, what are we going to do next? And I was like, jumping jacks. And he was like, okay, that's cool. So we turn around and we look at the camera and we do jumping jacks for at least 20 seconds, and the guy never came. So, very secure. All right, let's move along.

All right, so the overt assessments. Yeah, I'll let you look at these pictures because they're funny first, and kind of use your imaginations. So before you get into it, so you see that, can you see that right there? There's a hole there. Can you see, over here on this side, it's a gigantic hole, you can put your... it's so a forklift can pick up their confidential data bin and move it around. So the bin is this tall and I think it was about three and a half feet wide, yeah, something like that, and they had a Best lock on it, like one of those really nice, really good locks on it, holding it, holding the flap. Yeah, and so you could put your stuff in there, but you could also... we actually, we call it, what, Shredder Bin Bingo is what we ended up calling it. So you stick your arm in there and you
pull out however many papers you want. Passport photos, yeah, we found some passports, some background check forms, a bunch of other stuff. I mean, it was ridiculous. A loan for a house, a home loan application. And so we're like, are you serious right now? And yeah, so you could do that on both sides. Oh yeah, and this is also Tim on top of a vending machine going through the ceiling during the covert part, in a major hallway, and no one stopped. Well, there's, okay, so the funny... seriously, no one stopped, like, there's a guy on top of the vending machine, but the funny thing is that the other side of that wall is their data center, and they didn't have floor-to-ceiling walls, they didn't have an IDS on top, they didn't have any kind of screen or fence or anything, but they conveniently had an Aquafina machine that let me get up and over. Thanks, water.

Okay, so yeah, this is just a quick demo, you know, and this is the part where we start getting into... we're going to start talking about the overt part, where you walk through, and the methodologies and stuff that we developed. But before we talk and show the video, though, so again this goes back to what I was saying before: sometimes we'll have body cams, but if it's overt, sometimes we'll escort the client, the point of contact, through the facility as we're doing these things and playing them out. Or we'll do a covert prior to doing that, and then after we give them, you know, kind of an overview of what we found, they'll say, okay, well, can you kind of show me? So we'll walk around and show them. Well, for the sake of time, because oftentimes we only do these assessments... we only have like a week, maybe two weeks max, well, we'll just show them a video, and that's kind of, yeah. So in this situation, this highly secure facility, but in their back, highly secure facility, they had two points of entry: the front door, the lobby, where a rotating door is, some security guards, and then the back door where nothing is except for a big gap and a badge reader and a camera
that didn't even really cover the door, and a camera that was actually fogged over. So it was one of those PTZ cameras, but the dome was like weather-worn and it was fogged; it was bad. So I'm like, there's no way they're seeing me do this in high definition. So yeah, click that. So, no, we're good. So yeah, the audio is not a big deal. Yeah, that sounds stupid. So you can see Tim's outside in this cool taxi hat, and just a shove knife, 15 bucks for that, in like seconds. Well, they didn't have, like... so their plate too was deviated on the outside, so you could get the shove knife over it and just kind of wiggle it around and open the door, and it's very quick and very easy. That's the same facility that... so the previous year we had done a similar assessment and they're like, "Oh yeah, this year we installed dimple locks and, you know, good luck," and we're like, okay. So we get to the server room where the new dimple locks were and the strike plate wasn't... I was on the opposite side, but the lock was a bit tough because they had it kind of backwards. It was kind of hard to explain. So when I used my shove knife and I almost had it, so Tim's like, all right, hold on, and he brings his shove knife over the top, and within a few seconds, both of us pushing our shove knives in there, we were right in the data center. And so that picture, there's a couple slides back, let me see, where's it at, so that was on the other side of their, you know, new dimple lock door. So that's where they had their security stuff inside the data center.

All right, let's see. So oftentimes if we're not able to clone a badge or anything like that, we'll just make fake badges, and we talk about this a lot in our talks. These are kind of the dimensions, but we'll just go to our hotel, we have a little printer, we'll get some blank HID badges or whatever, PVC. If we see that they've got that, we'll print them on PVC, but we ended up, you know, just photoshopping our badges and making some generic badges.
We gather this information during the pretexting and kind of our passive reconnaissance. When we're driving around, oftentimes we'll go the day before, and as people are leaving we'll drive by the facility or go around the parking lot, because cars are coming and going and we're not sticking out at that point, and then we'll get a good look at their badges, go back to the hotel, play arts and crafts, and then, you know, make some fake badges that we just piggyback and tailgate in with, because that's the easiest thing. You don't even have to have some badge cloner or repeater or anything like that. It doesn't have to be fancy at all; you just walk in behind people as they're coming up. One thing that we love is company barbecues, because, you know, social media: "Oh, let's show how cool our company is, put pictures of the barbecue online," and they do, and people are wearing their badges, and so we zoom in. And we usually try to schedule our assessments around that time; that way we can have some barbecue before we get into the facility. Sometimes we've gone to companies and they've had the barbecue, so we've gone into the barbecue, fed ourselves and tailgated right in. So that is not a joke. That's the... oh, we should have put that picture, because it was like they had this big thing, you know, "synergy." So we had our barbecue, we tailgated in, and like, "You guys want a group photo?" We're like, sure. So Tim and I and an actual employee, I guess he kind of got caught in, he didn't want to be rude, you know, so it's Tim and I and then an actual employee, and we're like, like this, you know, "synergy," and I was like, whoa, dude. So it was so funny, because it worked out perfect, because we didn't know that the barbecue was going on at that time. It was just like, you know, a free gift for us. So we had free food, we got free entrance and we got a photo, which they printed out on the spot, so it's our cool little keepsake that we have now. So we included that photo in the report. Yeah, yeah, and that was the reaction right
there. It was great, perfect. Any Friends... show Friends, show Friends, the show Friends, some of you guys are all Friends, yeah, I'm carrying out them. So, yeah, and then he uses Mr. Robot, which is Elliot Alderson, like Bruce Willis or something stupid. Stupid, like, if I'm trying to get caught. I mean, I'm not going to do this if it's covert or I'm really not trying to get caught; I'm always a legitimate co-worker. Drew Colbertson, he always uses a picture of Alec Baldwin; he kind of looks like Alec Baldwin, so we're like, we're going to use Alec Baldwin's face on your badges.

Okay, we'll talk about overt assessments again. As we already mentioned, this is where, you know, you're being escorted by the client. You have a lot more freedom, so something like an under-the-door tool that's usually, you know, very loud. Has anybody used an under-the-door tool in here? They're loud, aren't they? So you're not sneaky with those. So if you try to go into a room and you don't know what's on the other side of the door, I mean, just imagine being on the other side of the door, like, what the hell is going on, you know? It's like you hear this loud scraping and it's like, "Yeah, I'm maintenance, fixing your doors," you know. But anyway, you have a lot more liberty to try that, or bump keys or something, which we kind of... we don't really recommend bump keys because those are destructive. So, but, you know, the thing that you do with the overt assessment is we have a checklist that we make. Basically it's just best practices for things; we're not doing, like, you know, compliance junk, we're just saying here's what we normally attack. Compliance is not junk, I'm sorry, in any shape or form; that's why I do my pen tests. Yeah, yeah, yeah, limited number of flair for these guys. So we'll use this checklist and we just kind of go through, but we also demonstrate tools, as I was kind of saying before in that video, and this picture on the left, with me and my awesome man bun, we're using the under-the-door tool, showing the client, "Hey, here's
how we got into here," because they didn't know what it was and it just blew their mind. The picture on the right is funny because, request-for-exit sensors there, we found a... see, can you see the steam? Like, I don't know if you see that, the steam right here on the side that's shooting through the door. Sorry, go ahead. Quit interrupting. I'm a jerk now. We found some canned air and we ended up using that to bypass the request-for-exit sensors. So they had a gap there; turned the canned air upside down, just sprayed in there, it was enough to trip the sensor. So that's us doing that. On the bottom was us opening the door. So this was actually the same exact spot. As soon as we got into this area behind this door over here, and this is overt, by the way, this is after we had already done the covert stuff. Well, when we had broken into this before, during the covert stuff, a guy comes up to Tim and he looks at him and he's like, "Let me see your badge," and Tim's like, okay, and he goes, "You're not an employee, you don't work here," and Tim's like, "Yeah, I do," and he's like, "No, you don't, let me see your badge." And it was just a paper badge on top of an actual badge. We did it really quick, so we just had to print it off like very quickly and arrive there, so we just shoved it in a sleeve. I didn't even have like an HID or a hard back or anything like that, so just kind of a piece of paper slipped in. So the funny thing was, this guy was so sure he was catching us. I think he knew we were going to be there or something, but he was like, "That's not a real badge, let me see it." So Tim's like, all right, here you go. He rips up the badge in front of Tim, hands it back to him and then walks off. No joke. So that went in the report, you know, thanks, jerk guy, there you go, got your name in the report. So not that we try to single out people or anything, but, you know, come on.
We kind of found out this guy was an exec too, so he didn't know who we were. He wasn't in the kickoff calls, he wasn't in any of the preliminary planning or anything like that. He was just the guy that was like, you've got a man bun, you don't belong here. Yeah, but it was so odd, because I was like, okay, we're done. Like, thanks, you know, thanks, Tim. Not... he didn't do anything bad, but, you know, it's like, all right, we're done. And then he rips it up and hands it back and walks off, and Tim and I were just like, seriously? Is he coming back? Can we... okay, let's keep going. So we did, for like two more hours. So yeah, thank you. Oh, that's a request-to-exit sensor. You know, you guys have probably seen the videos, like Deviant Ollam using whiskey to open it right there. Dave Kennedy used a vape. You know, some of them kind of need the heat, so you're going to get more creative with that, hand warmers and stuff like that. Yep. Hybrid security assessments. We're not going to go too much into this, but basically what these are is a combination of both covert and overt. If there's a large facility or there are multiple facilities, sometimes they'll say, hey, on this facility we want you to covertly try to enter, and on this next one we want you to walk through and kind of repeat what you did, but with the client escorting you. You know, you don't repeat the social engineering in this, but this is mostly like the physical stuff and how we got into the facility. And then oftentimes it will be social engineering if we go back and revisit the facility that we just compromised. So they'll be like, let's go through, and then we'll walk past people we just lied to and convinced to do stuff. It's an opportunity to discuss things with them. It's an opportunity to kind of blow up their security awareness, to be like, hey, yeah, so these guys are here doing an assessment, I think you met them. And yeah, and then we say, yeah, we're the guys that lied to you and stuff like that, but here's what you did a good job on, here's what you can
improve on, and it's security awareness training in addition. So that's kind of what the hybrid assessment model is for us. Yeah, and then, you know, if we also obtain creds from doing a web app assessment or an external, then whoever's in charge of that will say, hey, here's a set of usernames and passwords, that way if you get inside you can try to log in, you know, to the domain or whatever. That's like partial disclosure. It's not like you're going in blindly, it's not a black box kind of assessment. When is it appropriate to keep pushing? So we were talking about being bold versus safe. It's appropriate when you get to that point where you're like, okay, I've exhausted all my efforts, I've done what I can, I have all my stuff, now what? I'm bored. This is one of my favorite stories. So we're walking around, you'll see a security guard there. I wish I could unhide her face, because she's cracking up because I'm such a funny man. So this is her and those are her hands, and in a minute you'll see why that is just so bad. So I walk over to her and I was like, yeah... He had a fake contractor badge on, he had a fake employee badge on. That's because when you don't look like you belong there, like I was growing my hair out for a role and I didn't look like I belonged there. I didn't adhere to kind of their dress code, I had a beard, but I'm a contractor, so it's a little easier to do that as a consultant or contractor. So Brent had like a suit on, or like a button-up and some nice outfit on, so he was escorting me around as a contractor, because I was there doing their policies on how they handle badges and keys. Yeah, it gets awful, wait. I walk over to her and I was like, hey, yeah, we're doing a... I just drew, I think it was off the top of my head, so I was like, yeah, we're doing like an HIST 853 enterprise security assessment and we're just kind of looking to look at some of your policies, specifically I wanted to ask you more about your employee replacement badges. Yeah, and I
jumped in, you know, it's fine, security guard name insert here, Elliot is with me and it's fine, he can sign an NDA, you know. And she's like, oh, okay. Yeah, it's only going to take a minute. Okay, sure. So how do you handle it when employees forget their badges at home? Well, in fact, we have a binder here and all of these badges are active and can get around the facility, and here, let me show you. So she draws out a huge binder. She probably had like 50 badges in it, all of these active. I think they were called like replacement badges or whatever, yeah, one-day badges, that she gives to the employees, and they sign their name, they put the badge number on it, and that's how they track it, and they have to return it at the end of the day. So I'm like, okay, well, I'm just going to go through here and kind of do inventory and get the numbers off the back of them. And she's like, oh, okay. And Brent's like, Elliot, that's probably going to take you a while. Yeah, that was about... do you mind if he sits down? Oh, no, that's fine, come on. So she lets him come around the security guard desk and sit down beside her. So we have a picture that we couldn't show because it would... sanitized, you know, reasons. So basically, Tim, you can see him on the left behind the security desk opening the binder, you see her like, oh, let me show you where the contractor badges start. And then we also have a picture of him like leaning back with his feet propped up on the counter while he's sitting there. That's when I started being absurd. I don't do that, so if you guys are clients, I don't just go drop my feet on the security guard... Reminder of this the whole time: set it down, pick up another one. The whole time he's like, you know, like creeper look, you know, like I'm just talking to her and she's not going to say something, you know, awful. So this is good. This isn't good. So this was good, right? What isn't good is when the security guard comes over to you and is like, what are you doing? I'm supposed to be here, or I'm doing whatever,
testing the physical security latches, or I'm looking at your sprinkler heads to make sure that there's a recall on them. So, no, what are you doing here? And the security guard gets angry and they want to punch me in the throat. So at that point I'm going to change my tactics, right? I'm not going to sit there and just keep using the same line. And we're going to get into this, and I may be jumping ahead, but I don't care. We use a fake letter of authorization quite a bit. If you've heard our other talks, we discuss this. So basically what this is is we have... because when I first started using this I thought, well, if I were a bad guy and I wanted to get into a facility in the middle of the day and have free rein to do whatever, what would I do? Well, I'm here for a security assessment, I'm with whatever. So what we did is we wrote up a fake letter of authorization. On the top it's got the White House's address, and it says it has our company, like, I think we're calling ourselves like Fish Nugget Security or something. Yeah, Fish Nugget. And throughout it has Brent's name. At the bottom it has the point of contact, he is the CISO himself from this company. Still haven't received the paycheck from that company, by the way. And I've got Easter eggs hidden in it just to make sure that they're paying attention. And this is how we also test their incident response too. Are they following up? Are they doing their due diligence? Are they calling that point of contact, and is that point of contact indeed the person that would authorize this? Do they even work there? So that's kind of what I use when security guards get angry. At one point I was picking a lock. I didn't hear this guy, really big guy, which surprised me. I was sitting there, I'm trying to get into this door, and he comes up behind me. He's like, what are you doing? Turn around. He's armed. And he's like, what are you doing? I was like, I'm testing... He's like... I'm with facilities, I'm helping facilities out, we're going to replace these cores and
just want to make sure they're good. He's like, no, you're not. All right, he caught me. Here's my letter, and I give him the fake letter of authorization, and he reads through it. He doesn't even look at it. He doesn't read through it, he glances at it, and he's like, oh, cool. And he gives it to me. And I've told this story before, if you've heard some of our other talks, that's part of our Security Guards LOL talk. He goes, oh, okay, here you go, you can have it back. Actually, I'm with security too. And I was like, yeah, obviously you are with security. And now we're buddies, we establish a rapport, and I was like, well, you know what, man, I'm going to be here for a couple more hours, could you do me a favor and let the other guards know that I'm going to be testing some stuff, that way they don't bother me? He's like, oh, yeah, sure, right away, sir. Yeah. Score. Or, you know, something to keep in mind with the fake letter: so if you do get caught and someone's like, what are you doing, you're not supposed to be here, and you're like, okay, here's my letter, and they look at it and they're like, nope, you don't work at the White House, what are you doing here? If you try to pull out another letter... so yeah, it's like David Copperfield, how many do you need, sir? But that's seriously something to keep in mind, because it could go really bad. So if you strongly want to encourage them: look at the point of contact, you'll see that that is legit. If you have to, go to your global directory and pull up their phone number and call them right now, before you call the police. Yeah, please don't shoot me, please read, or I'll read it for you if you can't. I mean, you know, that was awful. Why didn't I say that? Wow. Yeah, and squirrel. So let's say you do get caught. I'll try to keep on track here. So you do get caught. You know, it's okay if you get caught. If you're supposed to be there and you get caught, it's okay. It happens. So don't try to be cool and run away from the security guards hardcore. Yeah, because all they're gonna do is, hey, we had a guy that wasn't in
here, police, you know, this is what he looks like, go find him. Now there's a manhunt for you. So then if you get arrested by the police, or worse, you know, then you've got all this explaining to do. It's like, okay, well, if you were supposed to be there, why were you running away like an idiot? So if you get caught and you're supposed to be there, say, okay, you caught me. Like Tim said, please call the number, I'll comply with whatever requests you make, you know. And then it should de-escalate the situation, you know. And it's awesome if you're like some, you know, incredible parkour person, right? Great, use that to get to places. Don't use it to try to get away, because there's a risk you're gonna hurt yourself. Somebody's running at you, they're gonna slip and fall, or on the fire escape or something like that. If they're armed, yeah. You didn't do anything wrong, so there's no reason for you to run. When you're caught, you're caught, right? Yeah. See, just use your brain. Don't try to be cool and manhunt and, you know, five stars on Grand Theft Auto and all that stuff. So not worth it. All right, let's see, I think we've got a few more minutes. Want to make sure we have time for questions. Um, yeah, again, don't do that. Squirrel. Yeah, so lock picking, bypass methods. So make sure that you know what you're doing before you go inside. If you don't know what you're doing with lock picking and you're nervous and you're trying to get in somewhere, you have no idea about how to use the tensioner, all that stuff, and you break it in the crap out of the lock, yeah, or you break it off in the lock, or, you know, use bump keys and damage it, all that's gonna do is upset the client. You're gonna have to, you know, pay to replace that and all that stuff, and, you know, you look stupid. So just know what you're doing before you do it. Same with running exploits and stuff. The same with social engineering too, right? If you're not good at improv or lying to people, maybe practice that before you go inside, before you
sweat. Yeah, hey, let me drink my drink. I'm Todd from accounting. Are you walking around, sir? Can I help you? It's like, they caught me. Yeah, they're really good, they're very secure. Here's my letter to, you know, call my mom. Yeah, exactly. He was really good at interrogating me. I buckled. Yeah, yeah, that guy was good. He had a knife to my throat, I promise. So yeah, um, talking about improv and stuff. When we do our recon, we always pack several sets of clothes, suits, t-shirts or whatever. Just do your recon, figure out, you know, you want to fit in. Yeah, figure out the dress code. And then if you're not good with lying to people, go sit down at the mall next to some random stranger, strike up a conversation, and never tell them the truth about yourself. Or do it during DEF CON, that's a perfect place to do it. I don't like totally calling, I'm from Dublin, Ireland, and I'm here, blah blah blah, you know. It's like you just make up stuff and you just practice rolling with it and filling in the gaps and letting them fill in the gaps. Oh, you have an accent, where are you from? Guess. Yeah, I guess. Yeah, you're right. Yeah, my name is James. I'm glad you guys could come. I'm going to talk to you about how I'm the four-time world NBA slam dunk champion, and, uh, yeah, so we'll talk about the training and stuff. Yeah, that is a huge lie, man. So, and that's the reason I say that, it's like, you know, don't be an idiot about it, right? You know, we also talk about improv quite a bit in our talks as well. Um, you know, I think it's great to go into an acting community or some kind of acting guild or group, um, improv group. Practice that. It is perfect for social engineering, and I think most of the people in here would probably agree with that. Like, I do a lot of acting and stuff, and that has helped me tremendously. I was actually a great magician too, and that has helped me tremendously with these things, because... huh? Nothing. What? And, uh, so that helps contribute to the manipulation too, and
being able to just roll with the punches and lie, and like it's natural. Yep. So I know we have a few more slides, but it's mostly to talk about, you know, what's the main point of the assessment. Is it to get into the, uh, data center? Data center, yeah, not domain control, it's internal anyway. So is it to get into the data center, or is it to get to, you know, employee files? Yeah. Or is there something that's even more sensitive to this company? So make sure that whatever you're going after, you understand what would be the worst thing to happen to this company, and go after that. It's not always the data center. Could be, but, you know, there could be things that could be a lot more detrimental to the company. You know, and another thing to consider too when you're doing these kinds of assessments is they're not safety assessments, but keep that in mind when you're doing them. If I were somebody wanting to hurt a bunch of people, then how would I do that? Okay, well, I've gotten in here, they let me in with a bag, a huge bag, or they let me in with this, I got into this area, uh, you know, where the power supply is, or the backup generators and all that stuff. Um, elevators. You know, you think about that kind of thing too, not just, hey, I found a switch and I was able to plug in, or I found, you know, the network department and I was able to get a bunch of stuff and check my email and get on Facebook. Yep. So again, incident response testing, you know, so is that part of it? Um, yeah, sorry, um, we like pictures and GIFs. Yeah, yeah. So, you know, if you get in somewhere, how absurd do you have to be, giving them the benefit of the doubt, to see, okay, what do I have to do to get caught? And then once you do get caught, you work backwards from there and help secure, you know, help strengthen their security posture as far as physical goes. So, you know, and also, like, with this incident response stuff, I know we kind of talked about that quite a bit, but it's also important to ask them even
before, during the kickoff call, say, hey, what are your procedures, how do you guys do this? And then compare it to what they actually do. Are they actually following escalation procedures? Yep. Uh, practical versus impractical. And we only have about two minutes left, so sorry for having to speed through this. But, uh, if you are on site and trying to be covert, you know, it's probably not the best to wear some gigantic tactical bag with Hack the Planet stickers and stuff all over it. So, looking at you, Jayson Street. Yeah, where... you don't think he's in here right now, right? But, um, so yeah, just be mindful. Like, I know whenever we're going on site, if it's a more professional thing, I have a leather... sounds stupid, it's like a briefcase, but it's leather, you know, it opens, and I use these gridded things. Um, so I have a few of these, and so it's like a filing system for either my backpack or, uh, the little side bag that I have. That way if I need to grab something really quick, it's all right there and I can just get what I need and I'm not having to dig through a man purse. Same thing with lock picks too. Like, I know at this bay, just so I could easily access it and then have different tools. Um, so it's handy to have that readily available. Oh, sorry, it's handy to have things like that readily available, that way you're not unzipping your, uh, your south word in a lock pick set and dumping tensioners all over the place. Excuse me, officer, let me find my single pick first. It doesn't go over well. But, you know, it is great. We only... I know we only have a couple minutes, or a minute here, and so it's really important that you guys, um, when you're doing this, uh, you get a proper bag. Uh, you know, we just talked about the patches and stuff. It's great to have patches and stuff on your bag when you're at cons and walking around, but when you're actually on site doing these assessments, they are loud. Unless you want attention, then it's probably best to avoid that. Um, you guys can go back and look through all this, but
here's a positive video... sorry, here's some red team toolkit examples. These are kind of what we have in the bag. If we go back to this first slide with the image here, uh, all of that fits in that little bag there. Um, and there's tons of little gadgets and things there. And a Pez dispenser. And a Pez dispenser and a Game Boy. Uh, miscellaneous considerations, we'll let you guys review that on your own. Uh, some travel tips, you know, things you can consider, uh, keeping some TSA-approved items. Yeah, you know, know what to bring in and what not to bring in. Um, and yeah, we're rushing. Yeah, so we'll... now we're good. All right, we'll hang out outside. If you have questions, let us know. Thank you. Thank you, guys.