Tactics of Physical Pen Testers

freeCodeCamp Talks

22 Sept 202044:16

Summary

TLDRThe speaker, a physical security expert, debunks the myth that lock picking is the primary method used for covert entry. Instead, he shares practical and often overlooked techniques such as hinge pin removal, latch slipping, and exploiting poor door fitment. He also discusses electronic access control vulnerabilities, the use of common keys for access points, and the importance of being confident and appearing to belong when gaining unauthorized access. The talk is filled with real-world examples and advice on improving physical security measures.

Takeaways

🔓 The speaker emphasizes that lock picking is often the least common method used to gain unauthorized access to buildings, suggesting that other techniques are more frequently employed.
🛠️ The script highlights various physical security vulnerabilities, such as easily removable hinge pins and improperly installed latches, which can be exploited to bypass locked doors.
🔑 The importance of understanding the type of lock and security system in place is underscored, as knowing the common keys or methods to exploit them can be advantageous in physical penetration testing.
💡 The concept of 'social engineering' is implied through stories where confidence and appearing to belong can lead to successful unauthorized access, such as posing as an elevator repair technician.
🛡️ Simple and inexpensive solutions, like security hinges and jam pins, are suggested to improve physical security and prevent easy access through doors.
👮‍♂️ The role of security guards and their interaction with intruders is discussed, noting that their training and vigilance can vary significantly.
🚪 The script points out that electronic access control systems, such as HID proximity cards, can be vulnerable to cloning and sniffing attacks.
🔍 The use of everyday objects and tools, such as under-door tools and wire bridges, to gain access is demonstrated, showing that specialized lock-picking skills are not always necessary.
🏢 The speaker shares anecdotes from physical security testing jobs, illustrating the diverse methods used to infiltrate buildings and the human elements that can be manipulated.
🔗 The importance of cross-training in both physical and electronic security domains is suggested, as knowledge in both areas can enhance the effectiveness of a security professional.
📈 The script concludes with a call to action for security professionals to be aware of the physical side of security, implying that a comprehensive approach is necessary to ensure robust security measures.

Q & A

What is the common misconception about the job of a physical security expert as described in the script?
-The common misconception is that physical security experts, often referred to as 'break-in guys', primarily use lock picking to gain access to secure spaces. However, the script clarifies that lock picking is actually a less common method and is far down on the list of techniques used.
What is the first method mentioned in the script that can be used to bypass door security without picking the lock?
-The first method mentioned is knocking out hinge pins, which allows the door to be removed from its frame, bypassing any locks on it.
What is a security hinge and how does it prevent the hinge pin removal method?
-A security hinge is a type of hinge that has a peg which goes into a hole when the door is closed. This prevents the door from being removed from the frame even if the hinge pins are knocked out, as the peg blocks the attack.
What is a jam pin and how does it help in making a conventional hinge more secure?
-A jam pin is a security-enhancing replacement for the screws in a conventional hinge. It transforms the hinge into a security hinge by preventing the hinge pin from being knocked out without the need to rehang the door.
What is the importance of properly installed latches in door security as highlighted in the script?
-Properly installed latches, specifically dead latches, are crucial for door security because they prevent the door from being opened by latch slipping tools. If the latch is not installed correctly, it can be easily manipulated, compromising the security of the door.
What is a crash bar and why is it vulnerable to certain attacks as described in the script?
-A crash bar is a type of door mechanism often used for emergency exits. It is vulnerable to attacks because it can be triggered by inserting a rod or other object through a gap in the door and pressing the bar, allowing unauthorized access.
What is the purpose of the 'thumb turn flipper' tool mentioned in the script?
-The 'thumb turn flipper' is a tool used to manipulate thumb turn locks or deadbolts from the outside. It is used to unlock doors that have a thumb turn on the inside, allowing access without the need for a key.
What is the significance of the 'under door tool' in the context of the script?
-The 'under door tool' is significant because it demonstrates how attackers can exploit poorly secured doors with lever-style handles. By reaching under the door and manipulating the handle, an attacker can open the door without needing to pick the lock.
What is the role of the 'postal switch' in a Door King access control system as described in the script?
-The 'postal switch' in a Door King system is a momentary switch that, when activated, can trigger the door's relays to fire, effectively unlocking the door. It can be used as a bypass method if an attacker can access the switch.
What is the 'CH-751' key mentioned in the script and why is it significant?
-The 'CH-751' key is a very common key used for various locks, including filing cabinets. It is significant because it can often open many locks by default, making it a useful tool for physical security testers.
What is the '1284X' key and why is it noteworthy in the context of the script?
-The '1284X' key is a key used by the Ford Motor Company for their fleet vehicles, such as Crown Victorias. It is noteworthy because it is not a restricted key and can open many police vehicles and even start their engines, highlighting a potential security vulnerability.

Outlines

00:00

🔓 The Misconception of Lock Picking in Physical Security

The speaker, a professional in physical security, dispels the common myth that his job primarily revolves around lock picking. Despite the excitement associated with being a 'break-in guy', he clarifies that lock manipulation is far down the list of techniques used to gain entry into secured spaces. He emphasizes that his role involves various other methods, including covert entry tactics, and that the romanticized idea of lock picking is not the central aspect of his work.

05:01

🚪 Exploiting Door Vulnerabilities in Physical Penetration Testing

This section delves into the reality of how physical penetration testers gain access to buildings, focusing on the weaknesses of doors and their components. The speaker discusses the ease of removing hinge pins as a method of entry, regardless of the number of locks on a door. He also introduces the concept of security hinges and jam pins as solutions to strengthen door security. Additionally, he touches on the ineffectiveness of certain latch installations and the importance of dead latches in preventing unauthorized access.

10:01

🛠️ Practical Solutions to Common Physical Security Flaws

The speaker provides practical and cost-effective solutions to address common physical security issues. He highlights the use of security hinges and jam pins to prevent hinge pin removal, and discusses the importance of proper door fitment to ensure dead latches function correctly. He also addresses the risks associated with electronic strike plates and the use of thumb turn flippers as potential security threats, suggesting that understanding these vulnerabilities is crucial for improving physical security measures.

15:02

🕵️‍♂️ Advanced Techniques for Bypassing Physical Security

This paragraph explores more sophisticated methods used by physical security professionals to bypass security systems. The speaker describes using tools to exploit gaps under doors, reach through to thumb turns, and even manipulate request to exit sensors using cold gas clouds. He also touches on the use of dual-technology sensors that combine passive infrared and microwave radar to prevent such bypasses, emphasizing the need for robust security measures.

20:03

🛡️ Creative and Inexpensive Security Solutions for Doors

The speaker shares unconventional yet effective methods for enhancing door security. He discusses the use of door shrouds, clips, and other simple devices to prevent unauthorized access through under-door tools. These solutions are not only cost-effective but also easy to implement, demonstrating that creativity can play a significant role in improving physical security.

25:04

🔑 The Art of Key Stealing and Its Implications for Security

In this section, the speaker humorously discusses the ease of stealing keys from lock boxes and the surprising prevalence of universal keys across security systems. He highlights the lack of security in using common keys for access control boxes and the potential risks of not securing these keys properly. The speaker encourages security professionals to be aware of these vulnerabilities and to implement more robust key management practices.

30:05

🛠️ Leveraging Common Keys and Simple Tools in Security Breaches

The speaker shares anecdotes about using common keys and simple tools to breach security systems. He demonstrates how easily accessible keys, such as those for elevators, filing cabinets, and vehicles, can be used to gain unauthorized access. He also discusses the use of jigglers and wire bridges to manipulate locks and suggests that security professionals should be aware of these simple yet effective techniques used by intruders.

35:05

💼 The Importance of Confidence and Belonging in Physical Security Breaches

This paragraph emphasizes the power of confidence and the appearance of belonging when attempting to breach security. The speaker recounts stories of individuals who successfully gained access to facilities by acting as if they were authorized personnel, such as armed guards or service technicians. He suggests that security professionals should be trained to question and verify the credentials of anyone entering a secured area, regardless of their appearance or demeanor.

40:05

👮‍♂️ The Role of Armed Guards and the Potential for Security Breaches

The speaker discusses the challenges of interacting with armed guards and the potential for security breaches due to human error or lapses in judgment. He recounts a story of attempting to clone electronic credentials while posing as a police officer to gain the trust of the guards. The anecdote highlights the importance of vigilance and the need for guards to maintain a high level of suspicion and awareness to prevent unauthorized access.

🏢 Real-World Applications of Physical Security Breaching Techniques

In the final paragraph, the speaker wraps up his presentation by summarizing the various techniques and strategies discussed for breaching physical security. He encourages the audience to consider the physical aspects of security alongside digital measures and to test their own security systems for vulnerabilities. The speaker also hints at additional stories and insights that can be shared during a Q&A session, emphasizing the importance of continuous learning and adaptation in the field of security.

Mindmap

Keywords

💡Lock picking

Lock picking is the art of manipulating the components of a lock to open it without using the original key. In the context of the video, it is portrayed as a common yet not the primary method used by physical security experts to gain access to secured spaces. The speaker clarifies that while lock picking is often romanticized, it is actually quite low on the list of techniques they use.

💡Covert entry team

A covert entry team is a group of specialists who infiltrate secured areas discreetly, often for testing security measures. In the video, the speaker mentions running such a team with Robert Bobbik, emphasizing the variety of skills and tactics beyond lock picking that they employ.

💡Hinge pins

Hinge pins are the metal rods that connect the door to its hinges. The script describes a technique where these pins can be knocked out, allowing the door to be removed from its frame as an alternative to picking the lock, illustrating a physical security flaw that can be easily fixed.

💡Jam pins

Jam pins are a security enhancement for door hinges that prevent the door from being removed by removing the hinge pins. The speaker recommends jam pins as an inexpensive and effective solution to improve physical security against hinge pin removal attacks.

💡Latch slipping

Latch slipping is a technique used to open doors without a key, where a tool is used to manipulate the latch into the unlocked position. The video describes how improper installation of latches can make them vulnerable to this attack, and the importance of using dead latches to prevent it.

💡Dead latch

A dead latch is a type of door latch mechanism that cannot be opened from the outside without a key. The script explains that modern doors should have dead latches to prevent latch slipping, and that proper installation is crucial for security.

💡Electronic access control

Electronic access control systems are used to manage and monitor entry to a building or room using electronic credentials like keycards or fobs. The speaker discusses various ways these systems can be compromised, such as by credential cloning or sniffing.

💡Credential cloning

Credential cloning involves copying the information from an access control card or fob to create a duplicate. In the video, the technique is shown as a method to gain unauthorized access by capturing credentials from a distance using specialized equipment.

💡Door fitment

Door fitment refers to how well a door is installed and aligned within its frame. The script points out that poor door fitment can lead to security vulnerabilities, such as the ability to bypass locks using simple tools or techniques.

💡Crash bars

Crash bars, also known as panic bars, are mechanisms used on emergency exits that allow the door to be pushed open. The video describes how weather stripping or other barriers can be bypassed to activate the crash bar from the outside, demonstrating a security oversight.

💡Under door tools

Under door tools are devices used to manipulate the locking mechanism or handle of a door from underneath, allowing it to be opened without a key. The speaker mentions these tools as part of their arsenal for gaining access to rooms, highlighting the need for proper door handle protection.

Highlights

The speaker runs a covert entry team and discusses the misconception that their job primarily involves lock picking, which is actually a less common method.

Photo shoot for an article showcasing the team's work led to a demonstration of lock picking, though it's not the main technique used.

Lock manipulation is described as the ninth method tried to gain entry, emphasizing there are more common techniques.

The importance of understanding door hardware and installation, such as hinge pins and security hinges, is highlighted as a way to improve physical security.

Jam pins are recommended as an easy and cost-effective solution to enhance door security.

The use of latch slipping tools to bypass doors without picking locks is demonstrated, showing a common vulnerability in door installations.

The concept of dead latches is introduced, explaining how they prevent latch slipping attacks.

Proper door fitment, including the correct installation of strike plates and latches, is emphasized as crucial for security.

The exploitation of gaps in door installations, such as with crash bars and weather stripping, is shown as an easy entry method.

The use of tools to flip thumb turns on the other side of the door is demonstrated, bypassing the need for a physical key.

The vulnerability of frameless glass doors and the use of simple tools to reach and operate handles or locks from the outside.

The speaker discusses the use of under-door tools to manipulate lever-style door handles from underneath, bypassing the lock entirely.

The effectiveness of simple measures like clips or shrouds on door handles to prevent under-door tool attacks is mentioned.

The potential for stealing keys or key information from lock boxes or access control panels is highlighted.

The use of common keys for certain access control systems, like the Door King and Linear keys, to gain unauthorized access is demonstrated.

The speaker shares stories of successful physical penetrations using confidence and the appearance of belonging, such as posing as service technicians.

The importance of cross-training in both physical and electronic security to better understand and exploit vulnerabilities.

The use of long-range readers and other electronic devices to capture credentials for cloning purposes.

The speaker concludes by encouraging the audience to consider physical security methods beyond lock picking and to utilize simple yet effective techniques.

Transcripts

00:00

so yeah many of us have fun gigs though

00:02

many of us have really fun jobs people

00:04

come up to me a lot

00:05

and they say oh my gosh deviant you know

00:07

physical security and break it in that's

00:09

your job is so cool i like it and yes i

00:12

get it right like

00:13

being the break-in guy is fun if you've

00:15

never met me that i run a covert entry

00:17

team

00:17

robert bobbik and our crew of hooligans

00:20

in places we shouldn't be

00:22

but the funny thing people kind of

00:24

romanticize this notion like yes

00:27

our ops division does very dynamic door

00:29

kicker stuff

00:31

but for this one scene here this was a

00:33

photo shoot when an article came out

00:34

about what we do

00:36

they were like oh yeah get some pics and

00:37

get some pics in your hands right

00:39

and so like i'm here picking a door

00:42

now everyone has said to me i'm known as

00:45

this lock picker and like maybe i've

00:47

taught some of you about lock picking if

00:48

you've ever seen like any of these

00:49

animations that tool has on all of our

00:51

slides like

00:52

if you've ever learned how a lock works

00:54

you saw the little pins and they

00:56

they bind but they push up with a key

00:58

and if i don't have a key like how do i

01:00

get in the lock like

01:01

i've taught about lock picking forever

01:04

and everyone thinks of me as this lock

01:05

picker and they say oh yes so like i'd

01:07

love to have that job man

01:09

like that's you know you at a door at

01:10

two in the morning with those picks out

01:11

i wish i could do that and get paid

01:13

which again like sure that's fun and i

01:17

have

01:17

picked locks to get into secured spaces

01:20

but this [ __ ] here manipulating the pins

01:23

with like pick tools

01:25

it's something like the ninth thing on

01:27

the list of stuff we try

01:28

to get into buildings and this whole

01:31

talk is not this is like the last

01:33

lock-picking slide in the talk

01:35

because this is not a lock-picking talk

01:37

i am i know hooray is what i say because

01:39

i'm so

01:40

tired hey you made it i'm so tired of

01:43

talking about lock picking

01:44

i love like i love when someone new is

01:46

learning it right and if someone's never

01:47

done this and they get it

01:49

and it's this whoa moment that's fun but

01:52

i gotta

01:52

stop this illusion that we are picking

01:55

lock like how many times do you pick a

01:56

door

01:57

you don't johnny like [ __ ] yeah vince

02:00

and you like you don't really pick

02:01

doors this this [ __ ] is great that's not

02:04

what we do

02:06

so let's talk about how physical pen

02:08

testers actually get into buildings

02:10

how real covert entry tends to work and

02:12

how you fix almost all of it

02:15

dumb [ __ ] right like right off the bat i

02:16

have not i've legit

02:18

knocked hinge pins out of doors you just

02:20

bang a hinge pin out walk the door i

02:22

don't care how many locks are on the

02:23

door

02:24

if you can walk that door away from the

02:26

frame walk in

02:28

this is a thing that you can do with

02:29

like a nail or a nice little orange tool

02:31

so you don't bust up your fingers

02:33

but again like all these locks in the

02:35

door what you don't see are hinges

02:36

hinges are on the outside of this door

02:39

this is an absolute method that gets you

02:41

into places

02:42

and stupid easy to fix i'm giving you

02:45

like easy ones off the bat here

02:47

this is a security hinge the door swings

02:50

shut

02:51

little peg goes in a little hole doesn't

02:53

matter if you bang the hinge pins out

02:55

you can't wrench that away from the door

02:56

frame

02:57

because the peg is in the hole like

02:58

literally it puts it it puts a block

03:00

from that attack

03:02

if you don't want to buy new hinges and

03:03

re-hang all your doors i'm huge into

03:06

recommending what are called jam pins

03:08

i don't sell any of this stuff like i

03:10

know some of the firms that make it but

03:11

like

03:12

brilliant idea what are jam pins you

03:14

have a conventional hinge

03:15

take out these two screws replace them

03:18

with jam pins

03:19

take out these two screws replace them

03:22

with [ __ ] all

03:23

you just made a security hinge and you

03:25

didn't rehang your door

03:27

like two dollars i think brilliant kind

03:30

of solutions

03:31

easy easy stuff slipping latches and

03:34

such

03:35

like people see me like oh he's taking a

03:37

tool out of his pocket he's going to

03:38

open that door what's he doing

03:39

i'm not taking pics out of my pocket

03:41

most of the time

03:42

i am doing sound by the way oh no sound

03:45

we're gonna need sound

03:46

who's my sound guy back there let's see

03:52

anybody you hear it all right oh well

03:55

well i don't know why we're not getting

03:56

sound but yell the guy in the back he's

03:57

not doing anything

03:59

so yeah like this is a completely locked

04:01

door this is a water treatment facility

04:03

this is like the room where they

04:04

chlorinate and prep the water for the

04:06

supply and i'm not picking the lock i'm

04:08

just attacking it with a little

04:10

latch slipping tool you should not be

04:12

able to do this

04:13

on most systems right

04:17

here's a door

04:20

there we go is there some sound can

04:22

anyone in the back turn the sound the

04:24

[ __ ] up please

04:27

there's a remote oh wow this is like

04:30

dad's living room

04:31

way too many buttons is that a thing

04:34

is that happening i don't know whatever

04:37

all right i don't care i'm gonna keep

04:38

going

04:39

but yeah like this little tool this

04:41

little stupid hook that we've been

04:42

selling in our student kits we give them

04:44

to you you give them to students

04:45

it's like a five dollar part and it gets

04:48

through so many doors what we're doing

04:50

here

04:50

it's not that you can like reach the

04:52

latch here's a latch you can't reach

04:54

with a hook because it's got that big

04:55

plate over it right

04:56

get yourself a big piece of wire

05:00

oops the problem is not that you can

05:03

touch or can't touch the latch the

05:05

problem in all these bits of footage

05:06

here

05:07

is that the latch is not installed

05:08

properly latches

05:10

in a modern environment should be what

05:12

are called dead latches

05:14

in fact this is a picture of a dead

05:16

latch well let's talk about

05:18

what is a dead latch what is not well

05:20

this is the latch

05:21

right this is what goes into the strike

05:22

plate holds the door shut

05:24

if you lean on the door the door does

05:25

not pop open

05:27

you might remember doors that only ever

05:28

had this this is what a door used to

05:30

look like

05:31

long time ago and then all of a sudden

05:32

you started getting this extra little

05:34

button

05:34

sometimes called a guard bolt sometimes

05:37

called the dead latch

05:38

plunger has a lot of names but that

05:40

extra button that i will highlight in

05:41

red here

05:42

that indicates that you have a dead

05:44

latch mechanism

05:46

the dead latch plunger or the guard bolt

05:49

many people only see it when the door is

05:50

open

05:51

and you know it's not always in this

05:52

configuration sometimes it's next to the

05:54

latch it's

05:55

there's a lot of styles no matter what

05:57

style you have

05:59

you might not know when the door shuts

06:02

that's supposed to be held back

06:04

it's supposed to be pressed back into

06:06

the door by the strike plate

06:07

it's not supposed to pop out into the

06:08

hole if that is pressed back

06:11

that latch is now dead you can't hook it

06:14

slip it shim it anything like that

06:16

that's how this is supposed to work but

06:18

the problem is door fitment

06:20

if you don't have the right hardware

06:22

mounting and you don't have the door

06:23

hung

06:23

properly we see this all the time on

06:26

doors man

06:28

this we've got a nice door properly

06:30

locked okay this is a piece of trash

06:33

literally a piece of plastic garbage

06:35

shoved in

06:37

boom server room look at the size of

06:39

that strike plate hole

06:41

you could drive a truck into that why is

06:43

it so huge is this the strike plate that

06:45

came with this

06:45

handle set what do you think this is

06:49

yes i heard it say it louder electronic

06:52

strike plate this is a card reader

06:54

access door

06:55

so they retrofit the additional like the

06:57

original plate of strike plate they put

06:59

like a

06:59

separate unit a solenoid powered strike

07:02

and there's all different configurations

07:03

of this kind of hardware

07:05

we literally know integrators and

07:07

installers who are like oh make sure you

07:09

always get like the jp 41 that's the one

07:11

with the big hole

07:12

it always works no matter what door the

07:14

client has it's no problem

07:16

no that is not how this is supposed to

07:19

work you are

07:19

really undermining your security another

07:22

door

07:22

another water facility right nice lock i

07:26

mean

07:26

i'm i'm a decent enough picker i'm not

07:28

going to try to pick this

07:29

why not because boom bad door fitment

07:32

over and over and over

07:33

and like you know you don't want me in

07:35

there i don't belong in this room

07:38

five dollar hook gets me in when a nice

07:41

lock could have prevented me

07:42

if they had properly set the door up

07:45

let's talk about this kind of door

07:46

fitment problem you got crash bars let's

07:48

just reach through

07:49

you've told stories like this forever

07:52

what

07:52

happened there i was like talking to

07:53

point of johnny right let's watch that

07:55

again crash bar

07:56

let's get a bent rod and just slip it

08:00

through and bam

08:01

hit the door right absolutely works

08:04

why because weather stripping is not a

08:06

security device

08:08

weather stripping is not the same thing

08:10

as a plate or even a movable astragal of

08:12

metal

08:13

if that is just rubber or that little

08:15

brush material

08:16

if i can slip something through and

08:18

smack on that crash bar they make

08:20

specially designed tools

08:22

just for this here's robert one our guys

08:25

on our team reaching through with a

08:26

reinforced tool

08:27

hitting the crash bar bam

08:31

exit paddles smaller target how many

08:33

times do you see glass doors glass doors

08:35

are wonderful because you can see

08:36

exactly what you're hitting or not

08:37

hitting

08:38

but going back you can barely see it's a

08:40

really dark photo you can't see it here

08:43

easily you can see it in the video

08:44

though sometimes

08:46

is this daytime or night time

08:49

this what is it it's not it's like three

08:52

in the morning i know it's a little bit

08:53

white out here but it's it's very dark

08:54

out this is a low occupancy structure at

08:56

night what could they have done and not

08:58

violated code

08:59

they could have set the deadbolt it's

09:00

right [ __ ] there right

09:03

well this tool is there's a tool that

09:05

exists for this the idea of a deadbolt

09:07

again for code many of these attacks as

09:09

you all know like

09:10

fire code and actually egress like

09:13

restrictions and allowances

09:14

you have to set up doors certain ways if

09:17

you have a deadbolt it probably has a

09:18

thumb turn on the inside

09:20

this tool exists i have it in my room

09:22

this is a thumb turn flipper

09:24

you stick it through the door and you go

09:26

boop

09:29

absolutely that like these tools are out

09:31

there man they are not expensive

09:33

and again like here we have a nice

09:36

this is a classic california office

09:38

building why because it has

09:40

frameless glass doors oh my god

09:42

california where the weather is so nice

09:44

you don't care about insulation

09:45

frameless glass doors everywhere

09:49

so yes reach through with the tool the

09:50

hardest part was just getting it to stop

09:53

slipping off the knob was so tiny but

09:55

eventually

09:56

sure enough you get it on there you twit

09:58

it's just like a braided cable

10:00

attached to a it's not a sophisticated

10:03

tool right

10:04

but eventually bam well that's open

10:07

post office near where i live you can

10:09

see like right on the other side of the

10:10

door i'm not gonna go steal a bunch of

10:12

mail or anything but the gap is huge you

10:14

could get through there

10:15

tesla dealership of course it's

10:17

california why because frameless glass

10:19

doors that's why

10:21

middle of the night no one around i'm

10:23

not saying i wanted to uh duplicate

10:24

tiger team

10:25

like steal a car but absolutely like

10:28

frameless glass doors boom

10:30

thumb turns that's the only thing

10:32

preventing anyone from getting in here

10:33

and the gap is like a half inch wide

10:36

talk about another gap problem here's a

10:39

locked door

10:41

there's some noise and then dr tran

10:44

comes through like ninja in a cloud of

10:46

smoke

10:47

what happened there many of you know

10:48

this one already i hope

10:50

this is a lab where we do a lot of

10:51

prototyping and we just show like bobbik

10:53

in the hat just showed ross

10:55

and ross is like hey building owner evan

10:57

come here i want to show you this thing

10:58

i just learned so you'll see he's trying

11:00

to do something with a tool up in the

11:02

time

11:02

bobbit says no reposition it a little

11:04

bit out here and look through the glass

11:06

you'll see the same thing you'll see

11:08

this sort of

11:08

cloud of vapor and all of a sudden this

11:11

locked door

11:12

is no longer locked yay

11:15

well who knows what government there's a

11:17

very restricted government tool that

11:19

they're using

11:19

i don't know if you can get it like talk

11:21

to someone you know who's kind of spooky

11:23

you can find out how to order this it

11:25

comes with a one-page

11:26

idiot proof government instruction

11:28

manual that says hold tool like this

11:30

so all you're doing if you invert one of

11:32

these spray dusters

11:33

you're boiling off that r134a

11:36

essentially is what's in there

11:37

and you're creating this cold gas cloud

11:40

what's actually tripping

11:42

many doors have sensors on the inside

11:45

especially electronic lock doors

11:47

they are called request to exit sensor

11:49

if you have a system where you badge in

11:51

but you don't have to badge out you just

11:53

walk to the door and just open it

11:55

you might not realize you have a request

11:57

to exit sensor you have

11:59

most of the time a simple passive

12:01

thermal sensor

12:02

it's not the only technology out there

12:04

it's far and away the most common one

12:07

and if you can get that sensor to trip

12:09

in this case just by blowing a cloud of

12:10

gas through the door

12:12

the door unlocks these are old tricks

12:15

you should know them

12:16

dave if you saw his keynote this morning

12:18

dave did he's a big

12:19

you know vape guy he's a big ecig guy oh

12:21

yes so he and ben 10 recorded this is

12:24

one of the best videos ever of it

12:26

so like i don't know if you sub ohm your

12:28

coils or something because he makes this

12:29

amazing cloud through there

12:32

but he's just listening to hear that

12:33

solenoid he's listening to hear it

12:35

trigger

12:36

and when he knows that electromagnet is

12:37

done bam

12:39

door's unlocked boom

12:42

now unlocked yeah chris up here i think

12:45

is the he was like hey dave you should

12:47

try this on that door this is totally at

12:48

we don't [ __ ] where we eat right yeah

12:51

this was this this was the dirty derby

12:52

class yeah

12:53

yeah and like i think eventually people

12:56

other people kept trying it until the

12:57

point where there was staff

12:58

in that because it's like a staff area

13:00

and staff was like what's the smoke

13:01

coming through the door are they like

13:02

freaking out

13:04

i don't smoke uh i do drink too much my

13:07

wife caught this video once

13:08

we're walking home from like a bar this

13:10

was late at night this is a bank the

13:12

bank is closed

13:14

but i'm like well there is a wreck

13:15

sensor up there and i had just kind of

13:16

walked out of a bar with a drink

13:20

so i just spit that through the door and

13:22

like that works

13:23

so yeah man passive infrared doesn't

13:27

understand hot cold it just says

13:29

different oh different must be a human

13:31

this one up top here the honeywell

13:34

passive infrared sensor

13:35

i guarantee you've seen it or you've

13:37

seen it rebranded and re-badged as

13:39

somebody else's

13:40

almost always white sometimes you see

13:42

them in black or beige you will see that

13:44

everywhere all over the place and why

13:47

are they calibrated this way well you

13:48

don't want someone with a bunch of boxes

13:50

to like bang into the door and fall over

13:52

these are tuned

13:54

and the installers mount them in a way

13:56

to get the most wide spectrum hit

13:58

because they don't want to be called out

13:59

repeatedly hey the rec sensor's not

14:01

working it's not picking us up it's

14:03

causing you know mary just fell down

14:04

with her cane and her walker

14:06

the installer doesn't want that

14:07

installers and integrators want to

14:09

always have these things trip so you're

14:11

going to see that on a lot of doors

14:13

because it's got really good coverage

14:15

and you're going to always see it open

14:16

the door what is this on the bottom

14:18

though

14:19

that's your solution ge is the only one

14:21

i've ever seen that

14:22

reasonably brings to market a dual

14:24

technology rec sensor

14:26

yes it does passive infrared it also

14:28

does microwave radar

14:30

so it has to see some temperature change

14:33

and it also has to see something

14:35

vaguely human-sized coming vaguely

14:37

toward the door

14:39

we knew like um tr a hacktrust hector

14:42

zo9val

14:43

val actually she'll put balloons through

14:45

doors and blow them up

14:46

and let them go because the old trick

14:48

with the pirs you usually just put them

14:50

further away from the door you just put

14:52

them down the hall

14:53

and you know if i'm trying to gas the

14:55

dog i'm not hitting it so her solution

14:56

for that was like

14:58

like send balloons like blowing down the

15:00

hall to try to trip them

15:02

ge's product will stop that i don't work

15:04

for ge i'm not here shilling for like

15:06

mubics and his buddies moving still with

15:07

ge i don't know

15:08

no all right but yeah it's the only

15:11

dual technology sensor that i've ever

15:13

seen that's good for this

15:16

also code let's talk about door handles

15:19

when's the last time you've seen a door

15:20

knob like in an office

15:22

you don't because if someone like has

15:25

reduced grip and tactile function or

15:27

what if someone doesn't have a hand

15:28

they need to be able to get in and out

15:29

of the building especially in

15:30

emergencies

15:32

lever style door handles are are the

15:34

norm now

15:35

well inside i mean you see the front one

15:37

facing me that's locked and has a

15:39

you know shitty little hid prox reader

15:42

on the inside there's also

15:43

a lever handle which many times that's

15:45

going to be the case

15:48

there are tools like this that exist

15:50

this is an under door tool

15:51

i'm doing a little show with a guy named

15:53

tyler gray he's like well show me this

15:54

tool and his cameraman is like how would

15:56

you get in here

15:57

and they expected me to do something at

15:58

the door they didn't realize i just

16:00

knelt down

16:01

and kind of banged the door open and

16:03

actually it's one of the cameraman was

16:04

like

16:05

can you do that like again like slower

16:07

that was way too fast i didn't

16:08

understand what was happening

16:10

well these are actual tools that we use

16:12

on jobs

16:13

what we're doing with this tool it's

16:14

called an under door tool

16:16

we're reaching a rod under the door and

16:19

because

16:20

modern doors have those lever style

16:22

handles

16:23

they're really really trivial to grab

16:26

that handle

16:26

and hit it on the inside i'll show you a

16:29

picture from flipped around in a second

16:30

this is robert

16:31

middle of the night getting into a

16:33

server room you know people see this

16:35

video and they thought they see him

16:36

crouched down like oh he's going to

16:37

unscrew like with a multi-tool to get

16:39

through that crawl through the grate no

16:40

he's not

16:40

he's going to lean his head into the

16:42

door and just push it open because on

16:43

the inside

16:44

we're just swinging a rod pulling down

16:47

on a line

16:48

and yanking this handle absolutely works

16:52

because when's the last time you've been

16:53

in the server room and had to badge out

16:55

some some real secure facilities maybe

16:58

most of the time you hit the handle and

16:59

you leave

17:00

there are solutions for this there are

17:02

what are called dynamic

17:04

door bottoms this little animation

17:07

shows you a black plunger if this black

17:09

plunger gets pushed in

17:11

what happens you'll see this bottom bar

17:13

drops down

17:15

so when the door shuts that bar drops

17:17

down now this is not a security product

17:19

this is like a heating and cooling

17:20

insulation product but the same

17:22

principle applies

17:24

to much more robust models so a company

17:26

called pemco p-e-m-k-o pemco makes the

17:29

door bottom now they're sold by assa

17:31

abloy big contoured floor plate

17:34

interlocks in this metal bar and unless

17:36

that plunger is

17:37

relieved of its pressure that door

17:39

bottom is dropped down you're not

17:40

getting a tool

17:41

underneath the door now you might get

17:44

something

17:44

over the door this is a video from utah

17:48

a buddy of ours named the infosec pope

17:50

he loves demoing this

17:51

all he uses is 35 millimeter film for

17:54

the young kids of the room film

17:56

is what we used to take photographs with

17:59

but he literally just feeds a bow of

18:01

film over the door

18:03

walks it over to the handle and then

18:05

pulls and

18:06

you might not do this as a user but if

18:08

you pull up on a handle it's usually

18:10

going to open the door

18:11

so pull bam that door is open and i i

18:14

mean pemko makes the door bottom i've

18:16

never seen anyone sell the door topper

18:18

so like what do you actually do to

18:19

prevent this problem well

18:21

consider a shroud i was one time

18:25

working an underdoor tool in this one

18:26

job and i'm like

18:28

[ __ ] [ __ ] god damn it [ __ ] i've like

18:30

radioed to robert like robert get in

18:32

here can you and robert's trying he's

18:33

like son of a [ __ ]

18:35

bobbitt comes around from another

18:36

building and he throws a boar scope

18:38

under the door

18:39

and we're like oh crap what is that and

18:41

eventually like with the borescope we

18:42

could kind of see

18:43

and shove the wiggle the tool we got it

18:45

open and i asked the client i was like

18:48

man that one door gave us freaking hell

18:50

where did you get these things that you

18:52

installed in the server room

18:53

and they're like ah they were like on

18:55

the building when we got here i don't

18:56

know what that this

18:57

used to be like a storeroom or something

18:59

these are like ingrainger catalogs these

19:01

are so

19:02

carts don't crash into door handles when

19:04

you they're just shrouds for like

19:05

protecting the door handle

19:07

not for like security they're just so

19:08

you don't bang into it with stuff

19:11

brilliant no money solution if you've

19:13

ever been in a hotel

19:14

and you've seen the door handle mounted

19:16

like down who's seen this before

19:19

hotels know about this man hotels have

19:21

had break-ins with under door tools

19:23

they mount these handles down for a

19:24

reason this is one of my favorite

19:26

pictures render man sent me this

19:28

and i've started to see hotels and other

19:31

doors with these like little clips

19:33

i was like i stayed in a hotel once for

19:35

like a week in san francisco on this job

19:37

and

19:37

you know talking to the staff late at

19:39

night hanging out [ __ ] and i'm like

19:40

hey so i got i got to ask you

19:43

the freaking clip thing that looks very

19:45

out of place on the doors

19:47

is that like un under door tools and the

19:49

guy was like oh yeah

19:50

we have people breaking into rooms and

19:52

stuff we i was like i

19:54

gotta know where you get these my

19:55

clients could rip because i could that

19:57

would be a [ __ ] nightmare trying to

19:58

get an underdoor over door attack

20:00

he's like well you know the closet in

20:03

your bedroom with the the sliding doors

20:05

yeah these are just those little feet

20:07

that like you put in the carpet on slide

20:09

like

20:09

literally at home depot four dollars if

20:12

you don't care that it looks a little

20:13

weird

20:14

put these on your server room door man

20:16

it will completely frustrate the hell

20:17

out of me

20:19

so i love this kind of thinking i love

20:22

weird and hilarious ways of getting in

20:24

and i've got just i just i'm guessing

20:26

this crowd i added some funny [ __ ] right

20:28

like

20:30

stealing keys you think we're above

20:32

steel just outright stealing stuff

20:34

this was the security cart on a facility

20:36

once

20:37

we just found it and i was on a job with

20:39

a guy i was actually subbed in on a job

20:41

had every

20:41

f and key like everything all over the

20:44

building

20:45

and of course like yes we still i'm not

20:47

gonna i guess we're allowed to say jay

20:49

wouldn't mind i'm not gonna say who it

20:50

was but like eventually we just stole

20:51

the cart and just drove it around

20:53

because if you get to that point i mean

20:55

you don't want jobs where you're like

20:56

you've gotten everything

20:57

and there's still time and you call the

20:59

client and you're like so we're

21:01

in every they haven't stopped us do you

21:02

want to start doing stupid [ __ ]

21:04

and the client's like yeah just push it

21:06

so yeah we literally took this little

21:07

golf carty thing and drove it around the

21:09

parking lot until it ran out of juice

21:11

and we're like puttering back at like no

21:13

miles per hour just to try to get it

21:15

back to where we left it

21:16

so it looked really and we're not in

21:18

uniform no one stopped us

21:20

but i love that like all the keys were

21:22

there

21:24

lock boxes oh my god talk about stealing

21:26

keys stealing keys from a lock box

21:29

these show up on a ton of buildings

21:31

possibly your buildings

21:32

if you have con if you have

21:33

infrastructure like cell towers and

21:36

stuff on high buildings

21:37

and other contractors are coming in to

21:39

service that gear

21:40

i bet you there's lock boxes somewhere

21:42

that you might not even know about

21:44

tunnelers one two three four five six

21:46

seven

21:47

different people have to get into this

21:48

building i can't even think of that many

21:51

cable and wireless providers

21:52

i don't know what's going on here

21:56

these kind of boxes oh my god telephony

21:58

boxes right

22:00

this i just throw in because mostly you

22:02

know

22:03

chris knows this guy in this slide you

22:04

guys dennis like dennis is a good cat

22:07

right dennis is standing next to

22:08

a lanier access control box i am

22:11

standing next to another brand called

22:12

door king

22:13

let's talk about these two big players

22:15

in the industry just because this is

22:17

stuff that's not usually in my slide

22:18

deck

22:19

i just had to throw you some fun [ __ ]

22:20

right most of the stuff that cracks me

22:22

up when it comes to stealing the key

22:25

like i don't even think it counts as

22:26

stealing in the instance of like linear

22:28

you got this nice lit up keypad you got

22:30

the little w grill

22:32

linear boxes all have the same key it

22:34

used to be called the a126 key it's not

22:37

really it's the 222343 key but

22:39

if you google like linear key or linear

22:42

two two two three four three or linear

22:43

a126

22:45

you'll get this key it's the same key on

22:47

all the freaking panels

22:49

it's not a restricted key or an

22:51

expensive key

22:52

but it lets you do crap like this so

22:55

here we have a locked door

22:57

now my wife is going to enter through a

22:58

different technique

23:00

beep whoops this is actually the

23:02

apartment where we stuck marcus hutchins

23:04

while he was waiting for trial so we

23:05

only got one key fob we cloned it to her

23:07

hand so she could come and go and have

23:09

an extra key

23:10

but now i don't have a you know the key

23:12

fob the door is locked

23:14

so what can i do well linear boxes are

23:16

all key to like

23:18

a126 key there's a little momentary

23:20

switch and just boom flip the relay

23:22

so that works same key on all these

23:26

boxes man

23:27

absolutely so yeah door king the one i'm

23:31

standing next to here

23:32

i personally think door king has even

23:34

more market penetration

23:36

do they have the same key yes they do

23:38

the 16 120 key it's been the door king

23:40

key i think since 1992

23:42

and it's never like i go to trade shows

23:45

i go to like the trade shows with all

23:46

this gear and the door king booth is

23:48

huge

23:48

and i take i just walk around like use

23:50

my key just open stuff and just walk

23:52

away

23:52

every few hours just walk by the boot

23:54

this was like a giant parking gate

23:56

arm like a huge crash barrier thing and

23:59

it's again

23:59

16 120 key they're all the same key

24:03

door king systems let's let's dive into

24:05

this for a moment here we got a lot

24:06

going on here

24:07

all right you can always always always

24:10

tell a door king system

24:12

boom boom boom a-z call those three huge

24:14

buttons

24:15

you'll spot them a mile away now there's

24:17

not just that

24:18

we have a we clearly have hid procs

24:20

going on here we'll talk about

24:21

electronic credentials

24:23

but let's get right into it all right

24:24

let's use our 16 120 key

24:26

look at all these electronicals well

24:28

there's a lot of stuff going on in there

24:30

we got a big bank of connections here

24:33

what's going on in this terminal block

24:34

well punch in doorking manual.pete file

24:37

type pdf

24:38

in google you get a big manual with this

24:41

on one of the pages

24:42

what's the most giant writing you see on

24:44

this page relay one relay two those are

24:47

the door relays right there

24:48

they're just dry contacts on the

24:50

freaking panel

24:52

so if you have like door relay one

24:54

either normally open or normally closed

24:56

you can just bridge that circuit and

24:58

like boom

24:59

fire the relay open the door fire relay

25:02

2 open that door

25:03

so in this case do you see how this is

25:06

wired by the way you can see one common

25:08

and you can see what normally open so

25:11

that tells you this is probably a

25:12

solenoid powered door lock so

25:14

normally there's no power put power just

25:16

literally by bridging that with a piece

25:18

of wire

25:18

the door suddenly is open there's

25:21

another

25:22

useful feature however if you don't want

25:23

to like carry around wire and i'll show

25:25

you what i carry around

25:26

way up top let's look at this psw

25:29

function what is psw

25:30

it's postal switch a closure between

25:33

these terminals and the common

25:34

will cause whatever relays are set up

25:36

however they're set up

25:37

to fire how does this normally work in

25:40

fact is the postal switch wired up

25:42

yes it is it's right there a little

25:44

white and a little blue a little white

25:46

and blue that come down you've got these

25:47

two beam connectors and they come

25:49

somewhere else let's look all the way

25:50

down in the front

25:52

amazingly low tech this is the postal

25:55

switch right here

25:56

it's literally just a momentary and on

25:59

the front of the panel you'll see they

26:00

they have these knockouts that you can

26:02

just bang out a piece of metal and

26:03

install your own lock

26:05

and the tail piece of that lock just

26:07

comes around and hits the momentary

26:08

switch many

26:10

many door kings are installed this way

26:13

so we got a locked door now of course

26:16

you know we could clone the hid prox we

26:18

could install a sniffer or whatever we

26:19

want

26:20

we don't really care what lock they're

26:22

using for the postal switch

26:24

because it could be a good lock it could

26:25

be a bad lock i don't give a damn

26:26

because i have the 16 120 key oh no

26:28

oh laptop don't do things that laptops

26:31

sometimes do

26:32

you're killing me who's phoning my

26:34

laptop

26:36

so ultimately here hopefully we can get

26:38

it to play because it's really hilarious

26:40

this is outside of like

26:41

romer's apartment i think we're in town

26:43

for band practice and

26:45

you know we called him up he wasn't

26:46

answering like try shaggy he wasn't

26:48

answering

26:48

and i was like do you want me to just

26:50

let us in so you know we walked inside

26:51

so

26:52

you know we have this postal switch

26:54

let's see if my 16 120 key works if

26:56

our video plays nice here we go

26:59

momentary switch

27:01

fires doors unlocked how many buildings

27:05

have these on them

27:06

and people don't realize many times it's

27:08

not like your office right it might just

27:10

be the front

27:11

vestibule but if i can get in if i can

27:13

leverage this access in

27:15

and find a way then i get the next step

27:17

i get the next step i ride the elevator

27:18

etc if you're keeping keys like on you

27:21

oh my god

27:22

there's a whole talk i did with howard

27:24

payne the ch-751 is like the everything

27:27

key

27:28

it's the most common key in this country

27:31

for

27:31

all kind of dumb dumb stuff every little

27:34

wafer lock

27:35

everything like steel toilet paper i

27:36

don't know what you're doing if you're

27:38

you know you

27:38

live in a trailer you need toilet paper

27:40

i'll steal it from this hotel whatever

27:41

like the ch-751 my favorite story was we

27:44

were on a job

27:45

we got into an office like a room in

27:48

this office building and there were all

27:49

these filing cabinets on the wall

27:51

and we're like i don't want to pick

27:53

every one of these open

27:54

to see which one has the valuable [ __ ]

27:56

but let's try a ch751

27:58

totally worked and it turns out every

28:01

one of them had valuable

28:02

[ __ ] it was like their hr archives going

28:04

back

28:05

years the great part and i just added

28:07

this story because kjoe gave his talk

28:09

and he talked about finding the exploit

28:11

from the last job you were on like still

28:13

on the server

28:14

we found this we showed the client we're

28:16

like boy these are really terrible

28:18

filing cabinets and you're leaving this

28:20

around in a room that we just waltzed in

28:22

so the client was like oh my god we'll

28:23

get on that we were hired seven months

28:25

later to a different office

28:27

and we got into like another room and

28:29

we're like whoa look at all these

28:30

falling cabinets

28:31

and we open them we're like are these

28:32

the same [ __ ]

28:34

well these are the same filing cabinets

28:35

they had moved them from one office

28:38

to another office but didn't actually

28:40

change them so we had the same finding

28:42

just in a different state

28:44

ch 751 all day long for maximum low

28:47

larity in the key to like

28:49

space stick 1284x

28:52

into your google engine right look some

28:55

look at some image searches you're

28:56

seeing a lot of the same

28:57

vehicle here the 1284x is the ford motor

29:00

company's fleet key

29:02

the number of crown vics and excursions

29:05

and explorers in this country

29:06

that are keyed alike to 1284x tons of

29:10

police departments in this country

29:12

will all and not even knowing it that

29:14

all of their cruisers

29:15

are the same key and what's the most

29:16

common use of a

29:18

crown vic after it's got enough use

29:20

hours and they have to kick it out of

29:21

the force

29:22

taxis they auction them off and maybe

29:24

become taxis there are cities in this

29:26

country

29:26

where the entire taxi fleet is key to

29:29

like and it's key to like to the entire

29:30

police fleet

29:32

1284x is not a restricted key it's not a

29:34

special like

29:35

this is the paper still attached to it

29:37

from home depot you get a 1284x take it

29:39

to home depot cut as many as you like

29:42

yes it will open the doors yes it will

29:44

open the glove box

29:45

yes it will open the trunk nothing

29:47

interesting in a cop's trunk right

29:49

and it's not a chipped key it's not a

29:51

key lock it's nothing like that yes

29:52

it'll start the freaking car

29:54

so if you have cop friends and we have

29:57

plenty

29:58

show them the 1284x if you get your

30:00

hands on one it might pop their eyes out

30:03

if you're curious my like everyday

30:04

keyring that sometimes people will see

30:06

me with

30:07

they say what do you actually have in

30:08

your pocket all the time well i have an

30:09

elevator key the most common elevator

30:11

key on me at all times i have the two

30:13

most common filing cabinet keys the c47

30:15

c41

30:16

c415a ch751 i definitely carry that

30:20

1284x because it's funny

30:22

right i have a couple jigglers because

30:24

why not little

30:25

tiny jigglers that we make if i can't

30:27

get through a simple shitty lock

30:29

this is my wire bridge when i'm

30:31

attacking door king in other boxes it's

30:33

just a paper clip

30:34

that i burned the insulation off the

30:35

tips and looped it around

30:38

door king key if you didn't get it

30:39

earlier is the 16 120

30:41

linear the 222343 which is sometimes

30:44

called a126

30:46

and a cuff key that is that that's my

30:49

smash right there that's like deviant's

30:50

devious key ring

30:52

giving you pearls here i don't think

30:53

i've ever shown the slide before outside

30:55

of our training so woohoo

30:56

there you go because i love you john

30:58

strand and everyone else who invited me

30:59

here

31:02

if you are not an electronic person in

31:04

fact you know

31:05

we were talking about this earlier about

31:06

where i hire people from our team

31:09

we either have people that came from the

31:11

electronic digital world

31:12

and we sort of train them up on physical

31:14

or we've pulled people who are door

31:16

kickers they're just cops and other

31:17

people

31:18

that were like hey want to make a better

31:19

salary and not be evil come come work

31:21

for us and like

31:21

we have to train those people on

31:23

electronic learn some

31:25

things about electronic access controls

31:27

learn a little bit about badge systems

31:30

it's not that hard to get you spun up we

31:32

can get you spun up in a day or two

31:34

on basic cloning and sniffing and a lot

31:37

of credential stuff

31:38

the the fact that we take long-range

31:40

readers and weaponize them bobbik our

31:42

electronics dude

31:43

changes the guts packages up a

31:45

self-contained power supply

31:47

power on this reader let it sit in a bag

31:50

you know the the idea of like very mr

31:52

robotish kind of stuff right if you've

31:53

seen that

31:54

credential grabbing scene this is real

31:56

this is about 18 inches away

31:58

credential grab out of someone's pocket

32:00

because with a nice antenna and a good

32:02

power supply

32:03

inside that backpack that reader is

32:05

going to grab that card and it's going

32:06

to work

32:07

we can talk about that later if you want

32:08

we can talk about how if you get the

32:10

reader off the wall

32:11

you can install a sniffer on the

32:13

backside of the reader

32:14

and you can sniff replay get credentials

32:17

that way there's a whole world out there

32:19

and it's not

32:20

hard if you've never done any kind of

32:22

digital electronic work like this if you

32:24

are just a door buster

32:26

this is within your grasp and i

32:27

encourage you to get kind of

32:28

cross-trained like that

32:31

a little story time for you now new

32:33

stuff i promised as i tweeted earlier

32:34

it's not i've given

32:35

versions of this talk in the past this

32:37

is all this is all new

32:39

because war stories are great and we've

32:40

heard about them from other speakers

32:42

so let me give you a few good ones most

32:44

of which if you had to distill this down

32:46

the lesson is just be confident and look

32:49

like you belong

32:50

if you've never seen this footage here

32:51

this is a robbery of a walmart

32:54

where a guy came in and said oh i'm here

32:55

from loomis i'm here for the the pickup

32:57

you know i'm the armed guard he's not

32:59

he's not the armed car guy he's wearing

33:01

a runner's vest

33:02

with like you know weights and the

33:03

tactical pants and his hats down i think

33:05

they found out later he had an airsoft

33:06

pistol

33:07

and he took 75 he's i'm here from loomis

33:11

no he got into chevy lumina

33:12

and drove away this dude another guy

33:16

keep your hat down and don't bother

33:17

anybody look i'm just here from you know

33:19

your beverage services i'm stocking your

33:21

shelves

33:22

no you're not this guy hit seven stores

33:24

in one weekend in alabama

33:26

he's just stealing beer he just went in

33:28

with a cart

33:29

loaded the thing up and just freaking

33:31

left

33:33

look like you know what you're doing and

33:35

people will tend to believe that [ __ ]

33:37

so the elevator repair story all right

33:41

we got into a building it was an

33:43

interconnect we we gassed off you know a

33:45

wreck sensor because again

33:46

you could see it on the ceiling

33:47

honeywell pir boom

33:50

gas the rec sensor get through okay

33:52

we're in the building

33:54

now we've got to go if you like where

33:56

come in we're the first time you get in

33:57

you get that like adrenaline rush

33:59

and i'm with somebody on this other job

34:00

another company we're partnered with

34:02

and this guy's like man what do we where

34:04

do we go what do we do i was like calm

34:06

down i got an idea let's come walk

34:07

find the nearest elevator we just got in

34:09

an elevator

34:11

okay why because i mocked myself up i'm

34:14

here from i've got my little otis badge

34:16

i've got my clipboard i'm an elevator

34:17

repair technician why not

34:19

you want another like great tip from me

34:21

to you this is your cover story for

34:23

being any elevator repair guy ever

34:25

have a stupid clipboard and learn these

34:27

three steps

34:29

you press that e phone somebody picks up

34:32

it's many times it's a computer if it's

34:34

a human

34:35

hello this is a test of the emergency

34:38

phone in this elevator

34:40

step two can you hear me clearly right

34:43

now

34:44

step three where am i calling from

34:47

and that last one flummoxes the hell out

34:49

of people a lot of the time because they

34:50

should be able to know where you are in

34:52

event of emergency

34:53

you will sound like a legit elevator

34:55

tech if you do that you're not really

34:56

breaking any laws you're not causing any

34:58

harm to the elevator

34:59

you can just sit there and just try

35:01

elevator you know like try elevator

35:02

phones and

35:03

just to get this dude to calm down i was

35:05

like hey just relax let's try some

35:06

e-phones man

35:07

so we're just being the elevator tax and

35:09

it turns out

35:10

the third question really flummoxed

35:12

somebody because it wasn't like a

35:13

service that went out to otis line

35:15

it was the the front desk and we wound

35:17

up consistently hitting the front desk

35:19

and like

35:20

oh is this another one of those elevator

35:21

tests yeah i i don't know where you are

35:24

though it just says extension 39

35:26

and i'm like so you can't tell me where

35:28

i'm calling from

35:29

like i mean you're in an elevator i'm

35:31

like

35:32

okay sir i'm gonna have to write down

35:34

that you uh don't know where i'm calling

35:35

from and it got them all panicked right

35:38

turns out the security guard was so

35:40

flummoxed by not knowing where the

35:42

elevator emergency was i'm like don't

35:43

worry so there's just

35:44

a test you're not at fault here we just

35:46

we just have to put this in the notes

35:47

that came into play later so while we're

35:50

in the elevator

35:51

the guy says to me he's like okay so all

35:53

we got to do is get the pwn plug and

35:54

deploy it

35:55

and oh [ __ ] oh man i didn't grab it i'm

35:58

like oh you didn't grab the phone plug

36:00

well you know the hotel's like 10

36:02

minutes away just drive back and get it

36:04

i'll stay in the building and i'll let

36:06

you back in he's like

36:07

uh okay that sounds good you're gonna

36:09

look okay i'm like dude i got my metal

36:11

clipboard like come on

36:12

who's going to mess up metal clipboard

36:14

is great because you can hide a bunch of

36:15

tulle and gear in it and like

36:17

all your stuff's in there but the better

36:19

thing about the elevator story is if you

36:22

actually watch the elevator hacking talk

36:23

we have a lot of keys that do things

36:25

well my partner was back at the hotel

36:27

which was not going well

36:28

he was like hey man i got some delays

36:30

here i'm like all right i'll just hang

36:31

out in an elevator so i just disabled an

36:33

elevator with my keys

36:34

i'm just in the elevator just hanging

36:36

out nothing i'm like reading twitter and

36:38

stuff

36:39

occasionally asking like hey how's that

36:41

going at the hotel it turns out what

36:42

happened is his usb keyboard wasn't

36:44

playing nice

36:45

with the phone plug he was hooked up to

36:47

the hotel tv

36:48

and he couldn't get the so he had to use

36:50

on-screen keyboard to like

36:51

set up all the scripts and it was taking

36:54

forever

36:55

and i'm like dude that's fine i got

36:56

twitter i'm fine i'm just sitting in an

36:58

elevator

36:59

until i almost had a heart attack

37:01

because i thought i heard someone

37:02

banging

37:04

on the elevator door because it's like

37:06

you're camping in the woods like

37:07

everything sounds loud in the woods when

37:08

you're asleep

37:09

in the i thought someone was pounding on

37:11

the elevator i was like oh my god

37:12

there's is there like a camera i didn't

37:14

see

37:14

is there a security trying to kick their

37:16

way in i'm like no calm down

37:18

it's it's 5 5 15. the cleaners are here

37:21

they're probably like

37:22

windexing the fingerprints off of the

37:24

hoistway doors like

37:25

all right calm down eventually the guy

37:28

comes back

37:28

and he's like all right let me in like

37:30

okay i go to let it it turns out it

37:31

wasn't the cleaners

37:33

turns out security had come by the

37:34

elevator not because they thought i was

37:36

in there

37:37

i had been in there so long that they

37:39

had stuck

37:40

a sign on the elevator that said

37:43

elevator out of order

37:45

do not use this elevator use other side

37:46

of building which was great because when

37:48

we came back in my buddy and i now we're

37:50

the only people in the damn building

37:51

security came down a hall of sauce saw

37:54

my otis badge

37:55

and went wow you got here fast

37:59

and i was like oh yeah i got that uh you

38:01

got that otis elite care service so like

38:02

they dispatched us out here

38:04

i'm you know doing things with keys that

38:06

because clearly the elevator's working

38:07

now that i turned it back on

38:08

but he was so thrilled he's like were

38:10

you guys doing that elevator test

38:12

earlier i was like

38:13

no that was the other team but i heard

38:14

you had some problems but

38:16

you know what the elevator dispatcher is

38:18

in this room can you let me in this room

38:20

and sir sure enough the guard just like

38:21

led us everywhere we wanted to go

38:23

because you know who wouldn't want their

38:24

elevators to run right right i'm the i'm

38:26

the helpful elevator guy

38:28

i'm getting the light on time i'll give

38:29

you i'll give you one more story i got a

38:31

couple more stories here

38:32

but how much time do you actually have

38:34

five or ten minutes five

38:36

we can do another story and a half and

38:37

five so the armed guard story is it's a

38:40

good story

38:42

most guards a crap shoot a lot of guards

38:45

are under trained a lot of guards are

38:47

third party

38:48

this was a guard desk that literally had

38:49

no one at it and one time i just sat

38:51

there i actually took the binder of keys

38:53

and key cards and just kind of like spun

38:55

around in the chair

38:56

just waiting for a guard to come up to

38:58

see i wanted to like know what the hell

38:59

they would say

39:00

and it took so long that i just got up

39:02

and left like the guard literally never

39:03

showed

39:05

arm guards are a different story they're

39:07

a little more mastered

39:08

they're a little better with interaction

39:10

and they're going to be more cautious

39:11

now this was an instance where we needed

39:13

electronic credentials

39:14

we really wanted to get in using a badge

39:17

and all the employees like we couldn't

39:18

get close to the employees at all they

39:20

were using a separate entrance so like

39:21

the vestibule was the only place we

39:22

could get in

39:24

and during the day the only people in

39:25

the vestibule were the armed guards this

39:26

was a private development space

39:28

well we know how to do credential

39:31

cloning right we have our gear we have

39:32

our long range reader

39:34

that you saw earlier right shove that in

39:36

a backpack once you power it on

39:38

shove that oh we already saw this video

39:39

shove that in a backpack

39:41

get somebody to go in just try to get

39:42

close enough you saw 18 inches or so

39:46

so when we said who's going to go in

39:47

right well what does every guard

39:49

especially armed guards kind of wish

39:51

they want to be or maybe they're trying

39:53

to be

39:54

they're trying to be cops right sending

39:56

a cop like rob's on our team rob used to

39:58

be a cop we're like just get in there

39:59

and cop it up man just talk about cop

40:01

stuff

40:02

so he goes in bobik is in the back seat

40:05

of a rental car

40:06

in the parking lot like remote onto the

40:08

reader he's like trying to check the

40:09

status of it and goes out of range

40:11

because robert goes in all the way to

40:13

the vestibule so bobbix like man i

40:15

really hope

40:15

i really hope that reader is getting

40:17

some credentials and robert's trying

40:19

everything robert's like getting close

40:20

but they're armed guards

40:21

so they keep blading off every time he

40:24

gets near them

40:25

at one point he put it like his bag on a

40:27

counter and he was like asking the guard

40:29

he's like hey is this a good restaurant

40:30

i started on yelp trying to get the

40:31

guard to like lean over the counter

40:33

wouldn't do it

40:34

so he keeps trying he keeps trying he

40:36

keeps trying getting nothing

40:37

finally at the end of the interview he's

40:39

telling cop stories right so he's

40:40

friendly with him

40:41

he's like all right well i gotta if he

40:43

stays any longer he's like this is just

40:44

weird

40:45

it's like all right fellas i gotta i

40:46

gotta go all right take it easy man it's

40:48

nice meeting you

40:48

and the last guard he just [ __ ]

40:51

surprise hugs

40:52

him and like very very kennedy he's like

40:54

make it a little weird make a little

40:55

weird all right brother all right

40:58

and gets out of there in the car

41:01

bobik is in the back seat like what did

41:03

you do i was

41:04

dying back here it's like well here

41:05

check check the logs man

41:07

bobby check dumps the creds he's like

41:09

you were in there

41:10

47 minutes and you got one read

41:15

and that was it but then who are we

41:17

we're the armed guard at that point

41:19

so getting you never know exactly what's

41:22

going to work out for you

41:23

in terms of getting in i had one other

41:26

story about you know find me in the bar

41:27

i'll tell you about uh

41:29

about some other stuff what i really

41:30

wanted to get to i'm going to quiz you

41:32

at the end here we got a little we got a

41:33

little q

41:34

a and i promise i'm wrapping it up right

41:36

so this is i hope you're paying

41:37

attention right

41:38

what kind of unit is this here door king

41:41

why'd you know that

41:43

three [ __ ] huge buttons who remembers

41:44

the door king key

41:47

16 120 key buy it buy it online

41:50

what kind of unit is this it's one of

41:52

the ones we talked about has a little

41:53

recess

41:53

lit keypad linear linear absolutely

41:56

what's the linear key

41:58

a126 or technically 222343

42:02

blurry dark picture but who is it door

42:05

king exactly three buttons

42:07

you can do this [ __ ] on google street

42:09

view

42:11

we got a building here let's zoom on in

42:13

you can't see it clearly but you see a

42:15

recessed lit keypad what do you got

42:17

you got a linear a126 key absolutely

42:20

let's look at this john over here all

42:21

right

42:22

can't see it from here but let's zoom in

42:23

and google what do you see three giant

42:25

freaking buttons door king

42:28

absolutely door king we got a lot going

42:31

on here let's let's talk about this all

42:32

right first of all we clearly got a door

42:34

king system

42:35

we're using what key is the door king

42:37

key

42:38

16 120 go buy one they're also using hit

42:42

old school [ __ ] prehistoric hid procs

42:44

so prox card two

42:45

you know they're using cloneable

42:46

credentials you know you could sniff the

42:48

back end of this

42:49

because you could pop that circuit board

42:50

open easily they've got a ton of key

42:52

boxes this was for deliveries

42:54

i don't know if that was a ch-751 but

42:56

i'm sure i tried it in there

42:58

little freaking you know kitty access

43:00

point in here what is what is this one

43:02

turns out it's also a key box it's just

43:03

a different key box so we have multiple

43:06

key boxes

43:07

we have a lock that we know the key for

43:08

we have a clone a clonable cred

43:10

there's one more thing that you can also

43:12

see in this picture

43:14

can anyone tell what i what i would look

43:15

for through the windows maybe

43:17

you could tell what elevator fixtures

43:18

they have so i know what elevator keys

43:20

i'm gonna need

43:21

so i can prep my story and i can bomb in

43:23

there

43:24

all equipped and ready to rock so keep

43:27

these kind of attacks in mind

43:28

keep physical side in mind try it out if

43:31

you think it's all about lock picking

43:33

you're not exactly right

43:34

most of the time we're just doing dumb

43:36

stuff to bypass our way in

43:38

but i love sharing this and i love

43:40

trying to give a little hope you got a

43:41

couple of pearls in this one

43:43

to make your jobs easier and your life

43:44

better and my job harder

43:46

because that's in the end that's a win

43:47

for me like i like being the guy in the

43:49

server room

43:50

but i also like telling people what they

43:51

did right and a lot of it's not hard to

43:53

do

43:54

so thank you very much for listening and

43:55

i hope you enjoyed this

44:16

you

Weitere ähnliche Videos ansehen

Introduction to Physical Security

Penetration Tests - CompTIA Security+ SY0-701 - 5.5

Access Controls Part 1: Computer Security Lectures 2014/15 S2

WiFi Pentesting Using Aircrack-ng | [Hindi] | Cyber Academy

CIA Triad

Physical Security - CompTIA SY0-701 Security+ - 1.2

Rate This

★

★

★

★

★

5.0 / 5 (0 votes)

Ähnliche Tags

Physical SecurityLock PickingPenetration TestingSecurity HackingDoor Entry SystemsCovert EntryKey ManipulationElevator HackingCredential CloningSecurity Awareness

Benötigen Sie eine Zusammenfassung auf Englisch?