Adaptive Penetration Testing 5: Physical Part of the Compromise

The InfoSec celebrities describe another facet of the assessment, in which the company's premises were physically entered and its IT infrastructure compromised on site.

Dave Kennedy: Kevin, by far, is one of the most meticulous people I’ve met. I mean, for me it’s kind of a hack job, I’m like “Oh, this is cool, this will work,” I figure out things and I go ahead and do it. Kevin is like “100% this has to work or else I fail,” which is obviously a pro. I have ADD, so I try to do different things at times…

Kevin Mitnick: I think enough upfront preparation is really critical to being successful in this stuff. Or you can just throw stuff at it and hope it works, and get detected. And I don’t like to be detected.

Dave: Didn’t you do a physical part of this as well?

Kevin: Yeah, that was also a cool one. The client also wanted to see if there were other ways to get in besides social-engineering somebody over the telephone, so my next step was to look up one of the facilities they had on Google Maps. I saw it was a pretty big building for this company, and I did a little bit more research and found out they just rented an office suite. Then I tracked down the realty company and I set up an appointment under the pretext that I wanted to rent office space. So I had some business cards printed with the name “Pinkerton Investigations”.

I had a colleague of mine – actually, a friend of mine that’s in “Ghost in the Wires”, my friend Alex – he used to do all this physical stuff with me back years ago. I said “Let’s go down south to where the company is.” We show up, we’re wearing suits, we have our Pinkerton business cards and we ask for the tour of the office space. And then I said “Listen, do you know we are a security company?” He goes “Yeah, I’ve worked with Pinkerton before on getting them office space when I was in New York.” And he asked me if I knew these people – of course I did, when I’d never even heard of them before. So I had the credibility and then I said “As a security company, we are really concerned about the security controls of this physical building, so I need to know how everything works.”

HID cards used in the facility


So the realty guy told me all the security controls that were in place. Was there live surveillance? No. When the cameras were turned on, how would the alarm work? Basically, all the security controls that the building had, the perimeter patrol – how often did the security guard go around the perimeter? The doors were unlocked in business hours. They used HID cards to get in. And when we were walking around I saw they were using Schlage Everest locks. My goal was to find out the janitorial company that served the client – because a lot of these office suites combine janitorial services – because I thought the janitorial crew would be the easiest to convince to let me into the facility so I wouldn’t need a key.


So I ended up calling the janitorial service, trying to work out who the actual people are that clean the building. I wanted to talk to them because they are the lowest level. And if I could use caller ID spoofing, call from the office, maybe I could convince them: “If these people show up, go ahead and let them in.” So I found out who the supervisor was and then I decided to change tack – I wanted to get home and I wanted to do this quickly. So I called the supervisor of the janitorial crew and I said we had a system crash in our building, and the access cards wouldn’t work for their janitorial crew to come in Sunday morning to clean. But we have a solution: I have a new card. So the whole idea was to drive out to the janitorial crew employee, to this one lady’s house, give her a new HID card that, obviously, didn’t have any credentials on it, and get her old one so that we could get into the building.

The hard-to-breach Ace II lock


So, as we were setting this up, the supervisor calls me and says “We don’t use access cards to get into the suite, only into the building.” And he went on to tell me that on the janitorial door they had a little lock box, and in that lock box were all the master keys to everything in the building. So I go look and, lo and behold, there’s this lock box. I jiggle it and I hear the keys, but it’s an Ace II lock, and those are the hardest to pick. I called my friend from Amsterdam and I said “Hey, I got this Ace II lock, what tool do you suggest?” It was a tool sold by Peterson International. I found these great guys that actually do some work at Defcon in the Lockpicking Village, and I said “Hey guys, I need you to come out and help pick an Ace II lock.”

Schlage Everest lock


I set one team on the lock, and the other team to actually pick the suite door, because it was kind of a trap door and, again, it was a Schlage Everest lock, so it has a security pin in the back. And they were actually able to breach the suite door before they were able to breach the Ace II lock. We got into the suite of the client and we realized all the administrators had secondary “locks” on their doors – they put their trash cans outside their doors, so even if I had got in with the janitorial crew I would have been stopped at that point. So it was good luck that I decided to go the lockpicking route. It didn’t take long, they picked those locks as well and we got all the way into the server room.

In the server room they had a nice post-it note with the administrator password, which was helpful. I took a picture of it and sent it to the CSO. I said “This is a bad idea.” But they felt secure because there were so many doors to go through. We actually found the machine that made the access cards and made our own, so we had full access to the building. And then I found out who the administrators were and rebooted their boxes to a USB tool so that we could, basically, set an administrator-level password and install encrypted Meterpreter shells. We used Task Scheduler to connect every 30 minutes.

What was cool about this attack is, because the building management was being so helpful and letting us know about the security controls, and especially letting us know that the clients did not have alarms (there was just an alarm on the main structure), we were actually able to duct tape the lock. So after we left we were actually able to walk back into the building to do more reconnaissance before the real attack. So this was kind of a cool attack, because it was going in, physically doing it, doing some lockpicking and owning their entire infrastructure that way.

It was extremely successful, and they never detected it. I think about four weeks later I asked them “Did anyone report anything suspicious or anything going on?” And they go “No.” Then I said “Well, do me a favor, the Linksys access point in this office – go ahead and unplug it from the network.” Then they realized they were hit, because I wanted to wait a while to see if the attack would be detected, and it never was. I think that’s important, too. It’s not only “Did you get in?” It’s whether or not the IT staff or the security staff realize there has been a compromise once you get in.

Read previous: Adaptive Penetration Testing 4: Windows UAC Bypass

Read next: Adaptive Penetration Testing 6: The Teensy Attack
