Brian and Jon are red teamers at RedTeam Security, which means that when an organization hires us for a red team engagement, they play the attackers. As red teamers, it’s their job to uncover network and physical vulnerabilities so the organization can identify the weak points in its security that a real adversary could exploit. Once those vulnerabilities are identified, the organization can address them before an actual breach occurs.
When hired for a red team engagement, we look for ways to hack into the network or sneak into buildings, getting past security to reach an organization’s most sensitive information and assets. Our team is well trained at bypassing physical security measures: defeating locked doors, evading security cameras, and social engineering our way into otherwise off-limits locations and access points.
Setting the Objectives | The Company
We were hired by a company we’ll call The Company, which wanted its physical security tested to see whether we could find weaknesses and ultimately get in. The Company had five locations in total; we decided to save headquarters for last because it was the most heavily defended facility. The four remote locations had no people working in them, but they were essential to The Company’s overall security because they housed sensitive technical data that needed protecting. Plenty of physical security measures were already in place at these sites, including 24/7 monitoring and a perimeter intrusion detection system meant to flag any approaching visitor. It was clear that The Company had spent a lot of money on its existing security. However, a strong focus on one area of security often leads to the neglect or oversight of another. No matter how well defended one site or one control might be, an organization remains vulnerable without a layered and diversified security plan that covers every facet of risk.
Getting in is, of course, the first objective, but what happens next? Brian and Jon either look for a network connection to plug in one of the Raspberry Pis from their bag or leave behind calling cards as proof that they reached a certain level of access. Depending on the project’s scope, we may be asked to go as far as possible or to reach a specific area of the facility or network.
Because this was a primarily covert engagement, only the Director of Security and one direct report knew we were coming. An operation like this also tests employee awareness and the security team: can they catch us as we try to break in? That said, we communicate a lot with our clients throughout the entire project, not just during execution. We let the client know when we arrive in town and where we will start, and we provide real-time updates throughout the process. This keeps an open line of communication between the client and the people executing the project, and it is also an essential part of keeping everyone involved safe.
Information Gathering | The Secret to Blending In
It’s time to get to work. We start by collecting information about The Company online, looking for any shred of information that might give us better knowledge of the buildings or the people inside. We map out the facilities and locations ahead of time using that exceedingly advanced hacking tool, Google Maps. With some initial information gathering, and by comparing historical imagery of the facilities, we could see where the cameras and perimeter sensors were located and whether they had moved over time.
Just as important as insight into the physical locations is gathering as much information as possible about the employees. From employees’ social media accounts, we try to work out the dress code. Are badges visible in photos, which might indicate a company policy on wearing them? This information can make or break an engagement and helps ensure that we blend right in when we arrive. We’re looking for anything useful, like an Instagram photo of a company party: it gives us insight into dress code and badge policies and, if we’re lucky, valuable information about the office layout. In the photo, for example, we might spot a server closet behind Sally. In this engagement, however, we didn’t have much luck on social media, which may mean that The Company has a policy telling employees not to post about work online for security reasons. All in all, Brian says, “The best piece of information we gathered during this stage of the engagement was discovering that The Company had a fleet of cars and trucks. From the Google photos, we were even able to see the color of the vehicles and were able to get a rental car to help us blend in.”
A less obvious route to insight into a company’s buildings is the county assessor’s website, which often publishes parcel maps and building sketches. Company websites are another excellent place for recon because they often carry lots of imagery and information intended as PR and marketing, and companies may not realize that this also provides a lens into the organization that attackers can exploit. Why? Jon says it’s because, “You can often find fairly detailed drawings of, if not a complete floor plan, at least a partial floor plan, which gives us some insight into the building layout and what we’re going to be looking for when you go for the in-person reconnaissance.”
Covert Observation | We Take a Trip to Walmart
With only a little information from our initial information gathering, we decided to fly out to the site and gather more on the facilities in person. We weren’t there to break in just yet; the goal of this trip was to understand better each facility we would eventually have to breach. In our inconspicuous rental car, we drove by, took pictures, and watched for patterns in who came and went and at what times, looking for an edge that would let us get in undetected. Once the business had closed for the day, we kept noting the important spots: the perimeter protections in place, where the cameras were, the different sensors, and how it all fit together on our map.
The following day, Brian and Jon got a text message from our point of contact at The Company. In it were pictures of our faces, taken by their security operations center as we drove around the different locations. As Brian explains, “What tipped him off was that we drove by in the same rental car three times and they had a security operator who was watching cameras and said, ‘Hey, there’s a rental car driving in circles around all of our locations,’ and that’s when they got put on alert to, hey, something weird might be happening.” Was our cover blown? Yes. But all that meant was that we needed to get a little more creative.
Knowing that The Company was now on the lookout for a specific rental car of a particular color with specific plates, Brian and Jon decided it was time for new wheels. They drove to the nearest rental agency, about an hour away, and asked for a different vehicle, this time one that looked like a local car and carried in-state plates. With better insight into local attire, the pair also stopped at a Walmart and picked up some new clothes sporting the local school mascot in the hope of blending in a little more. So while The Company was laser-focused on spotting one very specific car and two very specific people, our goal was to slip by undetected in our Go Lions! baseball caps.
Even though we were caught during on-site reconnaissance, we learned that The Company had excellent security cameras and a vigilant security staff watching for exactly this kind of activity. Like sacrificing a pawn in chess, getting spotted bought us insight that shaped the execution stage, starting with the question of how to avoid those cameras. From the high-resolution photos the client sent, Brian and Jon could deduce that The Company was using a very good pan-tilt-zoom (PTZ) camera mounted at a high vantage point, with enough zoom to photograph faces from a distance. Even though our work depends on finding security weaknesses, we enjoy getting caught, because it means the client is doing the right things and asking the right questions. So now we needed to break into the facilities without being spotted from that tower, whose camera could take high-resolution photos from nearly two blocks away. No problem.
Exploitation | Better to Have it and Not Need it
With our attack planning done and pretexts in place, Brian and Jon got their plan approved and were ready for execution. On packing, Brian adds, “We actually have what’s called a pack-in-and-pack-out list so that we don’t forget things, and often we pack a lot more things than we need because we’d rather have it and not need it than end up needing a piece of equipment that’s now 2,000 miles away.” In this case, the packing list included: long-range RFID readers (for cloning access badges), Landstar, Proxmark3 (for reading and cloning RFID cards), a small wireless router, shortwave radios (for communication), binoculars, night-vision goggles, a bag of Raspberry Pis (computers the size of a wallet), under-the-door tools, double-door tools, lock picks, handheld flashlights, GoPro cameras, a shove-it tool, LAN cables, disguise gear (hard hats, safety vests), collapsible telescoping ladders, a heavy wool blanket (for climbing barbed-wire fences), a borescope, lanyards, a plug spinner, a hinge-pin tool, Shrum tools, a set of common keys, toolkits, a multimeter, and SeaRAT.
For the safety of everyone involved, we asked our contact at The Company to notify local law enforcement, so that if the police were called at any point during the engagement, they would already know it was a test.
Exploitation | Making Friends and Cloning Badges
Looking to clone an employee badge, Brian and Jon set out to ‘bump into’ employees in public. Since everyone knew everyone at The Company’s headquarters, they would need to capture a badge off-site. So they tailed employees around lunchtime, trying to read their badges while they waited in line at a coffee shop or sat down to eat. Social distancing was in place during the engagement, so they relied on a long-range reader hidden in a laptop bag that vibrates when it gets a read. Despite following multiple people out of the building, they never got a good read on an employee that day: because of the pandemic, nobody was going into coffee shops or restaurants, just hitting up the drive-through. Cloned badges are often their means of entry into buildings, so Brian adds, “The pandemic made a lot of companies more secure because of that.” As a security tip, don’t bring your badge into public places like coffee shops, and if you must carry it, keep it in a pocket rather than hanging visibly on a lanyard. A reader still has to get within range of the card, and every minute a badge spends in public is an opportunity for someone to do exactly that.
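To make concrete what a long-range reader or Proxmark3 actually walks away with, here is an added example (not code from the original post or from RedTeam Security) that decodes and re-encodes the common 26-bit prox card format. It assumes the badges are ordinary low-frequency prox cards in that format, which the post does not state; the capture value, the facility code and the card number below are constructed for illustration. The lesson is that such a card transmits only a facility code, a card number and two parity bits, so one clean read is all a clone needs.

```python
"""Decode and re-encode the HID 26-bit (H10301) prox card format.

Added example, not code from the original post or from RedTeam Security.
Assumes the badges are ordinary 125 kHz prox cards in the common 26-bit
format, which the post does not state. Everything a card in this format
transmits is a facility code, a card number and two parity bits, so a reader
that gets one clean capture has everything needed to write a clone.
"""


def _parity(value: int, nbits: int) -> int:
    """Number of set bits among the low `nbits` bits of value, modulo 2."""
    return bin(value & ((1 << nbits) - 1)).count("1") & 1


def encode_h10301(facility_code: int, card_number: int) -> int:
    """Build the 26-bit word a card transmits (MSB first):
    [even parity][8-bit facility code][16-bit card number][odd parity].
    Even parity covers the first 12 data bits, odd parity the last 12."""
    if not 0 <= facility_code <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card_number <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    data = (facility_code << 16) | card_number       # 24 data bits
    even = _parity(data >> 12, 12)                   # becomes bit 25
    odd = 1 - _parity(data, 12)                      # becomes bit 0
    return (even << 25) | (data << 1) | odd


def decode_h10301(bits: int) -> tuple[int, int]:
    """Recover (facility_code, card_number) from a captured 26-bit word,
    rejecting captures whose parity bits do not check out, which is what a
    partial or noisy read from a long-range antenna looks like."""
    if bits < 0 or bits >> 26:
        raise ValueError("expected a 26-bit value")
    even, data, odd = (bits >> 25) & 1, (bits >> 1) & 0xFFFFFF, bits & 1
    if even != _parity(data >> 12, 12) or odd != 1 - _parity(data, 12):
        raise ValueError("parity check failed: not a valid 26-bit credential")
    return data >> 16, data & 0xFFFF


def neighbouring_credentials(bits: int, spread: int = 2) -> list[int]:
    """Given one valid capture, enumerate the encoded words for nearby card
    numbers in the same facility. Badges are usually issued in sequence, so
    one good read also hints at other credentials that are likely valid."""
    facility_code, card_number = decode_h10301(bits)
    return [
        encode_h10301(facility_code, n)
        for n in range(card_number - spread, card_number + spread + 1)
        if n != card_number and 0 <= n <= 0xFFFF
    ]


if __name__ == "__main__":
    # Constructed capture, not a real badge: facility code 1, card number 1.
    captured = 0x2020002
    print(decode_h10301(captured))                   # (1, 1)
    print([hex(w) for w in neighbouring_credentials(captured)])
```

The parity check matters in practice: a bag reader that vibrates on any signal will also vibrate on half-reads, and feeding those to a cloner produces a badge that never opens anything. The neighbour enumeration is why a single captured badge is worth more than one employee's access, and why a read of even a contractor's card is a finding.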
Exploitation | Under the Cover of Night
After settling the order in which they would hit the locations, their goal was to break into all five in the same night, starting around midnight. Knowing that The Company’s SOC (security operations center) operates around the clock, Brian and Jon decided that the best window for the monitored sites would be around 4:00 a.m., when the SOC team would be finishing a long 12-hour shift and, they hoped, less diligent due to end-of-shift fatigue.
Location 1 – Escape Room
Location 1 was a shed in a residential neighborhood containing critical radio and transmitting equipment. No employees were on site, but a tall barbed-wire fence guarded the perimeter. During reconnaissance there appeared to be very little perimeter detection in place, and although a sign said cameras were in use, Brian and Jon never saw any. They parked a couple of blocks away and walked up to the gate. The gate was locked, tall, and topped with barbed wire, but the gap between the gate and its post was so large that they slipped right through. They never had to use the wool blanket to get over the barbed wire or worry about setting off sensors. That said, breaching the fence was not the objective; we needed to keep going.
At the shed, the team became acutely aware of how well lit the building was, even at night. They needed to work fast. Two separate doors faced them, each leading to a different area inside. The first was heavy-duty with a deadbolt; when pulled, it had no play, and there were no gaps at the bottom or sides to snake a tool through. Knowing that picking the lock would take time and not wanting to linger under the lights, they moved on to the second door in hope of better luck.
Door number two was not hung the way the first was and had a looser fit, which gave Jon an idea. Think of the movie trick of sliding a credit card into the door gap to push the latch back. A deadlatch is meant to defeat that: a small plunger beside the latch is held depressed by the strike plate, which locks the latch against being pushed. Jon explains, “In this case, the door wasn’t properly hung, so the deadlatch falls into the frame of the door, allowing a type of bypass tool called a mini jam to open it in about 20-30 seconds.” With the plunger sitting in the strike opening instead of against the plate, the latch behaves like an ordinary spring latch and a thin tool can push it back.
Inside, the pair found the space mostly empty. As they prepared to go back out and attack the lock on the first exterior door, they spotted a set of keys tacked to the wall and wondered: could these open the heavy-duty, dead-bolted door outside? Sure enough, the keys opened the properly hung door. No fancy bypass tools needed; Jon took the keys, unlocked the door, and now had access to the secured area of the building. Jackpot. Network devices galore. Brian took plenty of pictures to demonstrate potential impact but decided not to plug in a Raspberry Pi, because doing so would have meant unplugging another piece of critical equipment, and the goal is never to cause harm or business disruption.
On the way out, they also noticed a security panel meant to monitor the door and alert when it was opened, but the panel wasn’t correctly hooked up, so it was neither detecting the openings nor transmitting anything back to the SOC. They locked up behind them, slipped back through the gate, and were soon in the rental car, ready for the next location.
Their point of contact at The Company had decided to pull an all-nighter to receive real-time updates from our team, and he confirmed that they had gotten in and out completely undetected so far. Location 1 was a complete success.
Location 2 – The Shed of Dread
In a remote area surrounded by fields, Brian and Jon pulled off the country road and approached their next target. Unmanned even during the day, the location might seem like an easy one. But their recon and research had shown that this site was not as simple as slipping through the front gate. It was armed with multiple layers of perimeter defense and cameras that, if triggered, would alert the SOC team and give them away. They knew this because these were the cameras that had photographed them during the initial on-site reconnaissance. With this insight, they judged the rear of the facility the best approach: two high fences, both topped with barbed wire, surrounded the entire site, but the back fence was older and out of view of the cameras. While the cameras focused heavily on the front entrance, they would sneak in through the back. Barbed wire or not, this was their best option, and they came prepared with all the necessary tools.
They made it over the first fence and noticed that a 12-foot-tall shed sat in line with the second fence, with no barbed wire over its roof, so Brian suggested climbing the shed and crossing the fence line that way. Jon pulled the telescoping ladder from his bag, and Brian started climbing. Once on top of the shed, Brian pulled the ladder up to set it down on the far side of the fence for his descent, but it slipped from his hand and crashed to the ground, leaving Brian on top of the shed with no way down.
Listen to the full episode to hear the whole story.