[MUSIC] When I was young, I used to like sneaking around places that I shouldn’t have been in. I liked getting in the back-of-house areas in performing theatres or casinos. This one time I went to explore a mall where I lived and I found a huge back hallway, a corridor that connected all the back of the stores together. It was such a big back hallway that a truck could drive through it. It was fun to explore and it was a major shortcut across the mall so I ducked down this corridor
from time to time. Every time I went down this back hallway, I saw signs hanging up everywhere that said JDLR. I used to stop and read these and try to figure out what it meant. JDLR? Just Don’t Litter Raisins? Junior Dining Living Room? What does JDLR mean? One day my friend got a job at the mall so I asked her. Hey, what’s JDLR? She tells me it means Just Doesn’t Look Right.
Just Doesn’t Look Right? What does that mean, I asked? She said it’s a reminder to look out for anything out of the ordinary in the mall and report it to security. JDLR was a security awareness campaign that the mall cops put up to report suspicious people like me sneaking through back hallways. But really, I wondered how effective this campaign was. Suppose you were told to report something that was just JDLR. Would you notice
when someone came into your office or store who didn’t belong? Would you then care enough or be brave enough to do something about it? How quickly could you even find the number to security? This is a story about a guy who got caught sneaking into a building because he just didn’t look right. JDLR. JACK (INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS] JACK: Let’s start out
with what do you want to be called, or what’s your name? What do you do?
KYLE: My name is Kyle. Right now, I’m on the Red Team at McKesson.
JACK: Ah yes, another Red Team story. The Red Team is the offensive team in a simulated attack. In this case, Kyle’s day job or sometimes night job, is to physically break into buildings to test their security like a sophisticated criminal might do. Oh, and I should give a warning here. Kyle drops a few swear words while telling us this story so if you don’t like swear words, you might want to skip this one. This mission was to get access into a utilities company and I won’t even
say what kind of utility company this was. KYLE: They were a very large conglomerate made up of a lot of companies. JACK: When you’re dealing with the utilities, whether it’s electricity, gas, or water, it’s extremely important that these networks are secure because something going wrong here can result in a massive disaster. These services are such an integral part of our lives. In fact, I’ve even heard stories that the national guard sometimes
will do penetration tests on utility companies to help keep them safe from attacks. Now, there were only two people in the company who knew about this physical penetration test and it was the head of IT security and the head of physical security which is the boss of the security guards.
KYLE: The point was to gain access to headquarters by way of anything we could do at any of the previous sites and then [00:05:00] leading up to going to headquarters.
JACK: [MUSIC] Okay, let’s underline the objective here; basically, it’s to get access into the headquarters of this utility company. Then once there, get network-level access and then see how far you can get into the network once doing that. For instance, if Kyle could break into headquarters and get onto the network there and get to network admin, that would be pretty ideal for him. But in this objective, he’s allowed to also test the security of other locations which
might help him gain access to headquarters. That’s interesting. Immediately I’m thinking about what I might do to get into headquarters. Maybe I would need an employee badge to get in, some passwords, or somehow, I hacked the network to let me in. Maybe a smaller, less secure location would allow me to get some of this stuff. Kyle starts profiling some of their other locations online to try to find an easy target. KYLE: I get on my browser and I just go to
Facebook; I go to LinkedIn; I go to Twitter. I look at the company pages; I find employees. I go to their individual pages and between all of that you start to amass obviously a lot of very useful information about the surrounding areas, the general temperament of the people who work there, you get a feel for how the company likes to present itself, how many events they have,
where you can blend in at. You get the obvious things that everyone goes for; badge, images, camera angles, things like that that you can see from Google Street View. When we were looking around in the social media, we started to notice that the companies that they owned in the Midwest had a lot more outdoors-type events like cookouts, BBQs, fun runs, march for the cures, whatever. All that stuff. Whereas some of the bigger cities, their acquisitions there
didn’t have so many outdoors events, right. JACK: Kyle decides to target locations in the Midwest part of the United States. KYLE: First I decided that well, okay, yeah, we’re going to do Midwest but there’s a couple of sites out there. Which one do we want to hit? There was one site specifically that was on four blocks within an industrial area. We’re talking a huge amount of space to cover. Obviously, there’s a lot of supplies laying around in one big lot, a
lot of vehicles parked in another. You’ve got your corporate building on this lot and then you’ve got your little warehouse buildings over here. Well more often than not, your target area is gonna seem like it should be the corporate building but it rarely ever is important that you go there. That small little garage where all the shop workers are who don’t really care so much about making sure that that door wasn’t left jammed open, or that that truck was locked; that’s
where you want to start because that’s where you get your easy privilege escalation. Before we flew out there and marked that building, told everyone that’s where we’re gonna meet up. JACK: As Kyle starts making his way out to the Midwest, he now starts focusing on trying to figure out who works in that building. By using LinkedIn and Facebook, he starts to get a list of people; drivers, managers, technicians, and by having this list of names and roles, it can help
him out if he needs to drop a name or try to lie his way into the building. He also looks on Google Maps to try to get as much information as he can about this building. What’s next door? What kind of fencing do they have around it? Where are the doors to get in and out? We take Google Maps for granted now but twenty-five years ago we really didn’t have access to satellite photos of every
place on earth. We definitely didn’t have street view photos. To get access to stuff like this, you had to be like a government spy but now everyone has this capability to freely access satellite imagery of pretty much anywhere on the planet. It’s kind of crazy. Okay, so Kyle and his co-workers fly out to this place. They rent a car, they get a hotel room, and they wait for nightfall, [MUSIC] thinking there’ll be a lot less people at night. Maybe nobody. They should
be able to sneak in somehow unchallenged. KYLE: Typically, you want to dress for the part, so we were dressed in darker clothes. I had a black beanie on. I’m a very pasty boy so I stand out pretty hard when there’s a little bit of light. I had a black button-down shirt. It wasn’t super crazy; tattoos hidden. Beanie can just be swept off with short hair that I had just freshly cut for the gig. I’m on the level as far as playing the part goes.
JACK: They get in their rental car and park next door to the facility.
KYLE: It was a weird house-turned-business in this weird industrial area and it had a car port. We just slid in under there. It was a rental car. It wasn’t anything super flashy. It was like a Kia something. JACK: They knew the building had a chain link fence around it and started walking around the outside of the fence looking for a way through. That’s when they spotted a part of the fence that they might be
able to get under, so they tried. KYLE: Rolled up underneath the chain link fence and we just kind of hung out in between some trucks for a minute and got our bearings on the situation. JACK: From here they can look around [00:10:00] to understand the facility better. There were a lot of trucks at this building, company trucks, like trucks for workers to use to visit customers to fix or install lines. A
whole fleet of trucks were parked there for the night. Kyle and his co-workers kept looking around for any people, cameras, guards, lights, alarms, but it was quiet. KYLE: We didn’t see any guards. There’s not really a whole lot of camera coverage. We saw one camera on the back of the warehouse building we were gonna go for. It was fairly well-lit so that was kind of problematic. JACK: They mapped a path to the building,
finding a way to hide in the shadows and get close to the door of the building. They had to take a long way around to avoid any cameras or lights but eventually they reached the door of the building. It’s like a typical warehouse building; there are loading bays and truck docks and that kind of thing. But also, there’s a regular door for people to walk in and out of. It’s late at night and they’ve been watching the area and nobody is around.
KYLE: We take a little bit of time, come around, we get to the warehouse building and suddenly we go to pull on the door and voila, it’s just open, man. There’s no trick to it. It had an HID reader. There was supposed to be a locking mechanism but apparently it wasn’t functioning. We never really found out what happened there but that was a huge
stroke of luck right off the bat. JACK: Okay, so as we hear Kyle’s story, I’m going to point out a few things that I think this company should do to fix these problems. In this case it was way too easy to get on the lot, and there should have been better cameras, and maybe a guard watching over the fleet of trucks, and of course they should absolutely be locking the door to this place at night. Really, the door was completely unlocked into
a warehouse of a utility company? But this is why the company hired Kyle; to check these kind of things. This is why Kyle picked this building, thinking it might be easier for him to get into versus maybe the corporate offices. KYLE: We walk through the door. [MUSIC] We’re just in a shop. It doesn’t seem like much but we do see there’s some shop computers so we know we’ve got network access there. Then there’s smaller buildings or structures
that they build within these massive warehouses. They’re like a little office building within a warehouse on a lot. JACK: Kyle thinks that might be a manager’s office or something. It might have extra documents or extra network access so he heads over to that door. KYLE: There was a box of nails or screws jammed into the doorway into that office area. Again, thank you very much. Open the door right up, and in we go. JACK: Okay, next tip; if you have an office
that has any kind of sensitive documents in it, lock it up at night. Kyle and his co-workers are now taking cover in this office. It’s a good place to hide out and look around. They can hear if someone’s opening the door to the warehouse or if someone’s coming and they can keep watch from here. Kyle takes his backpack off and pulls out a dropbox. A dropbox is just a computer but it’s like a small, portable, self-contained computer and you can plug it into the network
and leave it behind if you have to. KYLE: It was a cell phone with a full battery and mobile hotspot enabled, attached to a Raspberry Pi attached to a wireless card connected to that mobile hotspot, connected to a battery pack all duct-taped together, plugged into the network. We bypassed the firewall. There’s no traversing out. You plug in, it’s out. Hacky as shit, dumbest thing I’ve ever done by far, technically speaking, but it did the job really, really well.
JACK: Kyle plugged it into the network in this little office and texted the co-worker who’s on the other side of the country who’s been waiting for this moment. The other person is a penetration tester and he checks the connection. The way this particular dropbox works is like this; this is a Raspberry Pi and it’s like a tiny little Linux computer. It’s about the size of a pack of cards. It has two network connections; one is the cell phone that it’s connected to and
the other is the network in this office. When it’s plugged in, it turns on the cell signal and tries to connect back to that pen tester on the other side of the country. This basically gives him access to this computer as if he’s sitting right there in the office with these two. But now that Kyle has plugged this thing into the network, he tells the pen tester it’s in, and the pen tester now quickly gets busy trying to figure out his way in and around this network.
He’s checking to see what kind of traffic he sees, what kind of VLAN he’s on, what servers they’re talking to, and he goes from there. He gets busy trying to find anything he can in this network. Man, this is such an effective technique. I just want to underline this a little bit. You walk in the building, you stick this computer in their network, basically, that allows your other Red Teamer to connect into it which just basically gives them access into the
network. Then from there, they’re aggressively – I mean, they’re probably a very skilled person who knows how to heat-seek straight [00:15:00] to the goods of this place. They’re aggressively trying to get things as you’re also in the building at the same time. Within minutes they’re probably already very successful. KYLE: Yeah, more often than not, honestly, I’ll be going through filing cabinets, throwing a few million dollars of competitive intel in
my backpack, and I’ll get a text message; yo, got DA. I just put it down five minutes ago, right? That’s absolutely correct. JACK: Got the A?
KYLE: DA. Domain admin. JACK: Oh. Domain admin. Within a few minutes of walking into this building, the team has full administrator abilities in this network. They can now see any files on any drives in this location and they can read e-mails for anyone who works in that building. They pretty much have access to anything in this network. Amazing. I should point out that even though I don’t know how he got DA, domain admin, there are probably
a few security holes in this network that need to be patched. But besides that, this company might want to enable .1x or NAC or some kind of way that would prevent a computer to just plug into the network and be right on the network. What .1x or NAC will do is require the computer to authenticate before getting access to the network. That would prevent someone like Kyle to just walk in and plug their own computer in it. See, the goal with security isn’t to make
everything perfectly secure but it should exhaust the attacker’s resources. Imagine if every port was locked down in this warehouse. Kyle would have to go around trying every port he saw to see if that one was open and would allow him on the network. This might have taken him a long time for it to happen and maybe during that time a guard would come by or another employee would come by and they would catch these hackers in the act. Sometimes you just need to slow down the hackers
as best you can. But in this case, nothing was slowing them down at all. [MUSIC] I’m wondering how hard your heart is thumping at this point. Are you seriously looking over your shoulder a lot? Are you super nervous? KYLE: Not me, man. I don’t think my friend was either which is why he did a lot of physicals with me. I honestly have never really been a nervous person. It takes a lot to get me going. I just see it
as I’m there to do a job and it’s gonna get done so I already know that. What’s to worry?
JACK: Kyle keeps snooping around the office and grabs all kinds of documents and files and shoving all this into his backpack. KYLE: Yeah, yeah. We got some competitive intel which was something they were concerned about and it’s not just for competitive purposes. It can also be for more malicious or national security related. JACK: How do you know where to look? You’re actually like opening filing cabinets, looking
for anything that would be of value, right? KYLE: Yeah. If there’s not filing cabinets, more often than not, I think you would be surprised to find that there’s a lot of really good information just rolled up sitting in boxes right in front of you when you walk through the right door. It’s really, a lot of times, just a bunch of plans when you go into these sort of companies that you’re really after. At least me, ‘cause I look at it like I can take a lot
of this data and sell it to your competitors. I could take this data and I could sell it to enemies of the state. I could take this data and I could use it to leverage it for attacks against all of these other buildings or all of these other locations. Whether it’s gas, electricity, anything like that, if there’s diagrams and data to be had, I want it. I want it bad. [MUSIC] We did also take some reflective gear with company branding. We took some company cell phones that we
saw in bags that were obviously stored, not in use actively. We grabbed a couple of things like that, some lanyards. This is the sort of stuff you do when you do these multi-facility things, is you snowball the gear, is what I like to call it. You snowball the loot and by the time you get to the most important target, there’s no way you can fail. You have everything you
could possibly need for any situation. JACK: They even went back and grabbed their dropbox because at this point, they had so much access and lots of documents that they might as well take it with them to the next location and go with a running start next time. This looks like a job well-done. They got everything they came for and it’s time to bug out.
KYLE: It was successful. We decided to bug out. We took the hardware with us.
JACK: Kyle takes a look at the objectives that the client wanted him to do. Get physical access into the building; check. Get network access; check. Get domain administrator access; check. Get competitive intel; check. Find any spare keys to doors or trucks that you can take; check. But there was one more thing on the list. KYLE: They wanted us to steal as many trucks as we could off the lot. We took like, a lot of F-350s filled with tools and had trailers on
them with back hoes, and Bobcats, and all kinds of shit, dude. We were instructed to park them down the street in a big parking lot and then just leave the keys somewhere inside of the building so that once they found the keys, they could go get the trucks. But they wanted to see what the [00:20:00] employees would do if they came in the next day and all their vehicles were gone. Unfortunately, I’m not capable of driving a semi or we would have made out with a lot more.
JACK: How many did you move? KYLE: I think twelve or thirteen, man. We took a lot of trucks and they were all full of shit. All of them. JACK: [MUSIC] Do I even have to explain the mistakes made here? First, lock up the keys to the fleet of your trucks and don’t leave whatever key you locked it up with just lying around for someone to find.
Second, there are no guards or anyone watching the cameras at this place. At least someone should be monitoring the gates when they’re opening and closing and look at the camera to see what’s going on, right? Kyle and his co-worker had a successful night and they acquired a lot of stuff but they weren’t really feeling ready to go to headquarters yet. They wanted to hit up a few more locations to what Kyle says, snowball the gear. They wanted more stuff and more access before taking on a big
building. The next day they called the head of security to give them a report on how it went that day. Security was shocked but wanted to see if they could take it a step further, like really teach that location a lesson. KYLE: They had us go back the next day in broad daylight, get into a truck ‘cause we had uniforms right, so no one’s gonna stop us. We had the key because we had stolen it from the building. They wanted us to go in broad daylight,
put the key in the ignition, start the truck, and try and drive off the lot. That worked. Then I called them. I was like, what do you want me to do now? I’m just sitting in front of your building in one of your trucks, fully dressed up and no one’s really doing anything even though we just stole all your shit last night. What do you want me to do now? Well, fuck it.
Just drive it to the headquarters. I drove it all the way to that particular company’s headquarters which was about an hour away and then I parked it in the parking lot and I was instructed to leave the keys inside. They were gonna tell the security guard there to go check it out. I don’t know what the plan was there but I did my part. Then I got picked up and that was that.
JACK: The next objective is to do a similar thing at a different location but this would be the headquarters of one of their larger acquisitions. This building is in a totally different city and state. They do a lot of passive reconnaissance like looking on social media to see if anyone posted pictures of what the badges look like so that they could maybe make a duplicate. They also look at what Google Maps has to offer.
KYLE: This location was kind of more in a downtown-type area. This wasn’t the same as the previous. This was in a more business region than the other. I would say that equally dead at night, though. This was no exception in terms of the Midwest lifestyle. It was downtown but once 9:00 hit, there was nobody on the streets. We checked it out during the day; we wanted to see what the foot traffic was like and it actually was surprisingly high for
such a small area, being that it was downtown. We decided that we would try to walk around inside, see if security questioned us. No one said anything. We made it to the elevators, saw that there were badges and just kept walking along. We left the building, went out, saw there was a massive parking garage that was attached to the building and kind of wrapped around. We figured that could mean there are external doors into the parking garage from if not our client’s
offices, someone else’s offices which will be good enough. We wait until night because that’s just I guess what we liked to do. JACK: [MUSIC] This building isn’t a warehouse. It’s a seven-story office building and this utility company only occupies one floor of the building. KYLE: This office building essentially took up an entire city block including the parking garage.
JACK: Okay, so this isn’t the headquarters of the company. It’s the headquarters of a company they acquired. It was a big place. KYLE: We wait until nighttime. We parked just down the street. There seemed to be a couple of homeless guys. They kind of wandered up and down the street regularly in this spot so we wore ratty clothes, messed up our hair a little bit, I threw a dress shirt in my backpack, for example, and threw on a t-shirt that I ripped
a hole in. We just walked down the street in these clothes and the security guards would walk around inside the building and look at the street periodically and see these people walking about. As soon as we noticed, he turns around, he walks away. We dart into the parking garage and meanwhile there’s a homeless guy screaming at us as we’re doing it. I’m pretty sure that he started to come after us but the security guard came outside and started yelling at him
and he stopped. We didn’t go back to double check but we’re pretty sure that’s what happened and we were trying not to crack up. We started walking up the ramp into the parking garage. We saw the stairwell doors and [00:25:00] we thought well, might only get us to the roof but it might also let us into an office. JACK: Sometimes big buildings like this in downtown with parking garages have a stairwell that leads you right into the building. Kyle
and his co-worker go into the stairwell and take a look. Once they get in the stairwell, they see another door that’s attached to the office building, like an emergency exit to come out of the office. KYLE: We start walking up and down the stairs. We’re like well, there’s not exactly a fucking company directory on the wall inside the stairwell, is there? We really don’t know which floor is which and we don’t know which floor
we’re on. Let’s just start guessing. JACK: They find that in the stairwell are two doors on each level; one leads to the parking garage and the other leads into the office building. They try pulling on the office building door, but it’s locked. They go up a flight and pull on that door but it’s locked. They go up another flight; locked. They go up another flight and try the door. This one opens. It’s just totally unlocked and leads them right
into the office building. KYLE: We’ve got an open door. Cool. We walk out, we see a hallway. JACK: The hallway is like a common area. It’s not any particular office. It’s like the same hallway you’d be in if you just took an elevator up to that floor. As they walked down the hallway, they see doors to different offices. There were a lot of different companies in this building. KYLE: We see a couple of doors. We see some HID
badge readers on these doors. We don’t know who they belong to ‘cause they’re not marked. We decide not to fuck with them just yet and we decided to walk over to the elevator. We get into the elevator. We see the badge reader. We think shit,
we can only go down to the lobby. JACK: So far, so good. They’re in the building, bypassing the security guards who were there to make sure nobody got into the building late at night like this, but the badge reader on the elevator means that in order to get to certain floors they need to scan the RFID badge to get to those floors. But still, they have no idea what floor their client is on. They didn’t do enough passive reconnaissance
and there’s no directory anywhere; not in this elevator, nothing. They’re both standing in the elevator trying to figure out what to do. KYLE: [MUSIC] We had one option. Press one, go to Lobby, walk out, look like idiots. That’s our option one. Not gonna do that. The other option is to sit there and wait for someone to call an elevator to a floor. Could be a security guard so we gotta be ready to look normal like this was a coincidence.
But it could also be someone just manning the phones at night or some shit. That’s the safer option and while we’re doing that, might as well throw option three in there and brute force the fucking buttons. JACK: One by one they start pushing floors in the elevator. They pushed the button for the top floor. The elevator didn’t move. Rats, they need the badge to get there. They pushed the button to the next floor. The elevator didn’t move,
either. The number didn’t even light up. They tried another floor; nothing. Then they tried the next floor and boom, all of a sudden, the elevator started moving.
KYLE: We didn’t know though. We didn’t know why. We just knew that it was moving. Was it ‘cause we pressed a button? Did someone call it? Are we going down to the lobby ‘cause we tried too many times? There was a moment of confusion and we just looked at each other like uh? But then the doors open and we see the company logo and we see the desk and we see the doors. We’re like ba-bing! JACK: When the doors opened, they saw the
company logo for the place they were trying to break into. The one floor that didn’t require a badge to access was the exact floor they needed to get on. What another stroke of luck. As you come out of the elevator there’s a reception desk and then two closed doors after that which leads into the office. KYLE: We checked the doors. Oh darn, they’re locked. We look over at the receptionist desk; a couple of drawers,
there’s a lock box on top of the desk. How much you wanna bet that the key for that lock box is underneath your keyboard or in one of those drawers? That was a correct guess. [MUSIC] We found the key to the lock box inside of the first drawer that we checked and inside of the lock box were guest badges, guest badges that were not deactivated when they were not in use.
JACK: After rooting around the reception’s desk, they found badges that let them in the door. This kind of reminds me of many video games I’ve played, but there’s another tip; don’t leave the keys under your keyboard or in drawers in areas like this because now the team is in.
KYLE: Rinse, lather, repeat, essentially, from the previous site. Once we were inside, the objective was to find as much information openly accessible as possible, see if you could get on the network. JACK: A good place to always lay low for a while is the bathroom. The two head into the bathroom, change their clothes, and sort out their plan. KYLE: I was in the bathroom with my colleague. We were trying to figure out where we were gonna put the dropbox and we said well,
we didn’t get into the server room at the last site. Let’s see if we can get into the server room at this site. It’s gotta be on this floor. This is their only floor so we know it’s here. There’s at least an IDF, something. [00:30:00] We’re walking out of the bathroom and as soon as we walk out of the bathroom door, there’s the security guard and he jumps and we jump and we all go aah! I go holy shit, you scared me, man. He goes you scared me. Are you guys
okay? Are you guys working late? We’re like yeah, man. Jesus, you gotta let people know when you’re coming, you gotta put a bell on you or something. We all laugh, we part ways.
JACK: Security ran into them but because they dressed like they belonged and were already in the office, the guard didn’t question them. This is a bit odd. The guard failed here. He should have stopped them and asked them more questions but instead, he just walked off.
KYLE: Then we continue walking around the building as I said earlier, collecting stuff, taking pictures, flipping keyboards, and then we walked by a door. We hear humming. You know the humming. JACK: [WHIRRING] Something on the other side of the door was making a loud whirring sound. There was no windows in this room so the team couldn’t tell exactly what was in there. But when you work in IT long enough, this whirring sound is something that you will instantly recognize as the fans of a server rack.
The team had scoured the whole floor at this point and didn’t find the server rack anywhere, either. They knew for sure that this had to be the room with all the computers but the door to it is guaranteed to be locked. With no windows, how do you get in? They look up and see there’s a drop ceiling. This is the typical office-type ceilings that have panels that can be pushed up and there’s a space above the panels. KYLE: There’s a broom in the janitor’s closet
just down the hall. We grab that. We poke it up into the ceiling and we see that there is no wall extending over. Easy enough. I just held out my hands and said boost up, bro. Up he went, no question. Then he slid the other tile out of the way, dropped down on the other side, and all I hear is I’m good! He plugs it in, and finds a way back over, slides the tile back into place, and that was that. JACK: Okay, where’s the security failure here?
This is a server room of the headquarters of a utility company that got acquired by this larger utility company. The server room of a place like this should be treated as a very secure room. It should have a security camera monitoring the outside of the door, the inside of the door, inside the server room, too, and definitely a very securely locked door that probably should be logged when it’s opened or closed. Maybe even some pressure-sensitive plates to
know if something heavy has come in or out of the room. When constructing the server room like this, you should extend the walls up into the drop ceiling to stop people from just going through the ceiling to get in. I’ve heard this done many times before and a few two-by-fours and some plywood would certainly slow these people down. Especially if you have guards wandering around the floors, if they heard sawing and hammering going in the ceiling,
they’d probably come check it out. KYLE: Yeah, there was a moment of giggling there, too. Like, there’s no way that there’s just not a wall, right? But that’s the thing with these multi-tenant facilities, is a lot of times you don’t have the leeway, clearance, pull, whatever it is you need to get shit done in that building because you’re too new there or the other tenants don’t like your company, whatever political reasons there
could be. But a lot of times you are barred from being able to make those kinds of very important changes to the structure of the building. JACK: They didn’t want to come out through the server room door because that might trigger some kind of log or event. They left the drop box in there, came out through the ceiling, putting everything back. They get their pen tester to then get into the device and start attacking the network from that
dropbox which is in the server rack. KYLE: We also went around and tried to see what other sorts of findings we could generate from this site for the client, things like are the shred bins unlocked? ‘Cause that’s a fairly common mistake. The data that needs to be gotten rid of is supposed to be locked up and a lot of times it’s either so full you can just grab the shit out with a picker or you can use your hands, or it’s just unlocked. JACK: They got everything they needed from this
location and they’re ready to leave. They knew that if they just went down the elevator through the front doors past security, that might raise some suspicion. They came up with a plan.
KYLE: We decided we didn’t really have much of a choice. We had to get all dressed up in stuff that we found around the office; hard hats, reflective gear, we got a bunch of those big cardboard roll-up storage things so that we could put a bunch of stolen goods in there, we had files, we had a couple of Toughbooks that we wanted to take with us to a SCADA site, we had some truck keys, we had about everything you could need to be an employee of this company. We decided to just walk
out the front door in front of the guards. JACK: [MUSIC] When they walked past the guards, the guard spoke up. KYLE: He was like oh, you’ve got a hard hat on. You’re gonna be working hard, ha-ha. [00:35:00] Yeah. They were totally chill with it. They didn’t even suspect a thing which I thought again, was very, very odd considering that it was three in the morning and he had just seen us in normal street clothes outside of the bathroom upstairs.
It was very weird, a very weird occurrence. JACK: They walk out of the building, down the road, load their stuff up in the car, and leave. I don’t care who you are; that’s gotta give anyone an adrenaline rush. KYLE: Oh yeah, of course, man. As soon as the car doors close, that’s generally when it’s okay to kind of cut loose. We were not on camera anymore, there’s no way a client could hear us, there’s no one. We can be a little excited. We can get a
little cocky amongst ourselves. We can have a good time and then get back to the hotel and party. If you’ve left the drop box there, honestly, that’s kind of the other half of the fun on physicals, where I leave the drop box and then we go back to the hotel and then you’re just hacking all night, having fun with whoever’s there with you or even your buddies who are out traveling on other engagements over the wire because you’re just passing the shell around.
JACK: At this point they have a lot of stuff from this company to try to get them access into headquarters. But they don’t feel like they have enough yet. They want to hit one more site to see what they can take from there. They go to another city in another state to another office for this utility company. This is a smaller office than the last, much, much smaller. This office is in a medium-sized building, one story, with other companies that
are also in this office building. KYLE: This is definitely one we have to hit at night. There’s no way we can do it during the day ‘cause the office is so small that unless we have an airtight cover story, they’re gonna know that we’re not supposed to be there and they’re gonna want to know who we are. Really small offices are just like that. JACK: The team arrives at the building at night. [MUSIC] They see a few cars in the parking lot and
people coming and going from the front lobby. They discovered that other companies in this building have overnight workers, like a call center. They go up to the front door and it’s open. They get into the building. There are no guards since it’s a small building and the front door’s always open to let this overnight staff get in. KYLE: We didn’t really do a whole lot of recon in this case because the building was pretty straightforward; one level,
just a long hallway with some doors. JACK: Kyle and his buddy go down the long hallway looking for the utility company inside. They finally find the door. It’s a glass door and they can see inside. It’s dark. Nobody’s in there. They pull on the door but it’s locked. KYLE: It was a glass door and it was one of those with the hook handles and the lock was inside of that. It wasn’t a deadbolt but it seemed industrial-grade. JACK: The team looks around. The hallway’s empty.
There’s no security in the building and nobody seems to be around. They pull out some lock picks and begin trying to pick the lock. Kyle’s okay at this but his friend is much, much better. His friend kneels down and slowly tries to open the door. Now, I say slowly because picking a lock is usually not a quick process. There are two basic tools; a rake and a tension bar. The rake goes into the lock and pushes the pins up, ideally to the same position to where the key would push
them up to, and then the tension bar is used to twist that lock open. On a tough lock you can literally try it hundreds if not thousands of times and get nowhere, and not even know if you’re anywhere close. When you try it, it either opens or doesn’t. Another big problem with picking locks is you don’t know if you need to twist the lock clockwise or counterclockwise to open it. Half your attempts have absolutely no chance of working since you’re twisting it in the wrong direction.
Kyle waits nervously as his friend keeps trying to pick the lock.
KYLE: I’m just peering down the hallway in both directions, trying not to look really weird as this guy’s obviously picking a lock right next to me. If anyone came around the corner this is not gonna be explainable other than he’s my locksmith. That’s all I had on me, that’s all I had prepared. JACK: Insert rake, push pins up, twist the lock; nothing. Push pins up, try to twist; nothing. Push, twist; nothing. Push, twist; nothing. Over
and over he tries. To add to the stress, this is a very small office so they thought there might not be anything inside for them to even take. KYLE: It was stressful that we were sitting in this dark hallway working on a door handle for what we thought was basically no reason other than to appease the customer. If we got caught then we could have our cover blown for headquarters
because the security incident could get reported to everyone there. They would then tell their parent companies or alert everyone in their offices, whatever their procedures are, and then our photos get e-mailed to headquarters. That stuff happens when you get caught doing dumb shit. [00:40:00] Yeah, it was a little nerve-wracking, especially like I said,
we thought it was for probably nothing. JACK: After a while your hands start cramping up from this, your knees are getting sore from kneeling, and the pressure builds because you’re just hanging outside of an office for a long time looking really suspicious. Push, twist; nothing. Push, twist; nothing. But then push, twist; unlock. It worked! [MUSIC] They got the door open. Quickly they get inside. KYLE: We get in though, and we see there’s
like eight desks in here. It’s all open. There’s a kitchenette, there’s a bathroom, and that’s it. There’s nothing. Why are we here? I guess let’s look around and see what sort of data we can get access to. Let’s see if the network’s any different. Let’s see. JACK: Because it’s a small office, they can comb through things a little bit more carefully. They look in people’s desk drawers for anything worthwhile. They look in filing cabinets, they even start looking through any
backpacks that were left there overnight. KYLE: Well, as just by happenstance, it seemed that there was someone traveling to that office from headquarters that day or that week or that month. We don’t know. Maybe he had been relocated and just never sent back his original badge, but we found it in his backpack that he left at work. JACK: This badge looked like it would specifically work for the main headquarters, the main objective they
needed to access. Finding this badge absolutely was worth the trip coming down here.
