[START OF RECORDING]
JACK: [MUSIC] When I was young, I used to like sneaking around places that I shouldn’t have been in. I liked getting in the back-of-house areas in performing theatres or casinos. This one time I went to explore a mall where I lived and I found a huge back hallway, a corridor that connected all the back of the stores together. It was such a big back hallway that a truck could drive through it. It was fun to explore and it was a major shortcut across the mall so I ducked down this corridor from time to time. Every time I went down this back hallway, I saw signs hanging up everywhere that said JDLR. I used to stop and read these and try to figure out what it meant. JDLR? Just Don’t Litter Raisins? Junior Dining Living Room? What does JDLR mean? One day my friend got a job at the mall so I asked her. Hey, what’s JDLR? She tells me it means Just Doesn’t Look Right.
Just Doesn’t Look Right? What does that mean, I asked? She said it’s a reminder to look out for anything out of the ordinary in the mall and report it to security. JDLR was a security awareness campaign that the mall cops put up to report suspicious people like me sneaking through back hallways. But really, I wondered how effective this campaign was. Suppose you were told to report something that was just JDLR. Would you notice when someone came into your office or store who didn’t belong? Would you then care enough or be brave enough to do something about it? How quickly could you even find the number to security? This is a story about a guy who got caught sneaking into a building because he just didn’t look right. JDLR.
JACK (INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]
JACK: Let’s start out with what do you want to be called, or what’s your name? What do you do?
KYLE: My name is Kyle. Right now, I’m on the Red Team at McKesson.
JACK: Ah yes, another Red Team story. The Red Team is the offensive team in a simulated attack. In this case, Kyle’s day job or sometimes night job, is to physically break into buildings to test their security like a sophisticated criminal might do. Oh, and I should give a warning here. Kyle drops a few swear words while telling us this story so if you don’t like swear words, you might want to skip this one. This mission was to get access into a utilities company and I won’t even say what kind of utility company this was.
KYLE: They were a very large conglomerate made up of a lot of companies.
JACK: When you’re dealing with the utilities, whether it’s electricity, gas, or water, it’s extremely important that these networks are secure because something going wrong here can result in a massive disaster. These services are such an integral part of our lives. In fact, I’ve even heard stories that the national guard sometimes will do penetration tests on utility companies to help keep them safe from attacks. Now, there were only two people in the company who knew about this physical penetration test and it was the head of IT security and the head of physical security which is the boss of the security guards.
KYLE: The point was to gain access to headquarters by way of anything we could do at any of the previous sites and then [00:05:00] leading up to going to headquarters.
JACK: [MUSIC] Okay, let’s underline the objective here; basically, it’s to get access into the headquarters of this utility company. Then once there, get network-level access and then see how far you can get into the network once doing that. For instance, if Kyle could break into headquarters and get onto the network there and get to network admin, that would be pretty ideal for him. But in this objective, he’s allowed to also test the security of other locations which might help him gain access to headquarters. That’s interesting. Immediately I’m thinking about what I might do to get into headquarters. Maybe I would need an employee badge to get in, some passwords, or somehow, I hacked the network to let me in. Maybe a smaller, less secure location would allow me to get some of this stuff. Kyle starts profiling some of their other locations online to try to find an easy target.
KYLE: I get on my browser and I just go to Facebook; I go to LinkedIn; I go to Twitter. I look at the company pages; I find employees. I go to their individual pages and between all of that you start to amass obviously a lot of very useful information about the surrounding areas, the general temperament of the people who work there, you get a feel for how the company likes to present itself, how many events they have, where you can blend in at. You get the obvious things that everyone goes for; badge, images, camera angles, things like that that you can see from Google Street View. When we were looking around in the social media, we started to notice that the companies that they owned in the Midwest had a lot more outdoors-type events like cookouts, BBQs, fun runs, march for the cures, whatever. All that stuff. Whereas some of the bigger cities, their acquisitions there didn’t have so many outdoors events, right.
JACK: Kyle decides to target locations in the Midwest part of the United States.
KYLE: First I decided that well, okay, yeah, we’re going to do Midwest but there’s a couple of sites out there. Which one do we want to hit? There was one site specifically that was on four blocks within an industrial area. We’re talking a huge amount of space to cover. Obviously, there’s a lot of supplies laying around in one big lot, a lot of vehicles parked in another. You’ve got your corporate building on this lot and then you’ve got your little warehouse buildings over here. Well more often than not, your target area is gonna seem like it should be the corporate building but it rarely ever is important that you go there. That small little garage where all the shop workers are who don’t really care so much about making sure that that door wasn’t left jammed open, or that that truck was locked; that’s where you want to start because that’s where you get your easy privilege escalation. Before we flew out there and marked that building, told everyone that’s where we’re gonna meet up.
JACK: As Kyle starts making his way out to the Midwest, he now starts focusing on trying to figure out who works in that building. By using LinkedIn and Facebook, he starts to get a list of people; drivers, managers, technicians, and by having this list of names and roles, it can help him out if he needs to drop a name or try to lie his way into the building. He also looks on Google Maps to try to get as much information as he can about this building. What’s next door? What kind of fencing do they have around it? Where are the doors to get in and out? We take Google Maps for granted now but twenty-five years ago we really didn’t have access to satellite photos of every place on earth. We definitely didn’t have street view photos. To get access to stuff like this, you had to be like a government spy but now everyone has this capability to freely access satellite imagery of pretty much anywhere on the planet. It’s kind of crazy. Okay, so Kyle and his co-workers fly out to this place. They rent a car, they get a hotel room, and they wait for nightfall, [MUSIC] thinking there’ll be a lot less people at night. Maybe nobody. They should be able to sneak in somehow unchallenged.
KYLE: Typically, you want to dress for the part, so we were dressed in darker clothes. I had a black beanie on. I’m a very pasty boy so I stand out pretty hard when there’s a little bit of light. I had a black button-down shirt. It wasn’t super crazy; tattoos hidden. Beanie can just be swept off with short hair that I had just freshly cut for the gig. I’m on the level as far as playing the part goes.
JACK: They get in their rental car and park next door to the facility.
KYLE: It was a weird house-turned-business in this weird industrial area and it had a car port. We just slid in under there. It was a rental car. It wasn’t anything super flashy. It was like a Kia something.
JACK: They knew the building had a chain link fence around it and started walking around the outside of the fence looking for a way through. That’s when they spotted a part of the fence that they might be able to get under, so they tried.
KYLE: Rolled up underneath the chain link fence and we just kind of hung out in between some trucks for a minute and got our bearings on the situation.
JACK: From here they can look around [00:10:00] to understand the facility better. There were a lot of trucks at this building, company trucks, like trucks for workers to use to visit customers to fix or install lines. A whole fleet of trucks were parked there for the night. Kyle and his co-workers kept looking around for any people, cameras, guards, lights, alarms, but it was quiet.
KYLE: We didn’t see any guards. There’s not really a whole lot of camera coverage. We saw one camera on the back of the warehouse building we were gonna go for. It was fairly well-lit so that was kind of problematic.
JACK: They mapped a path to the building, finding a way to hide in the shadows and get close to the door of the building. They had to take a long way around to avoid any cameras or lights but eventually they reached the door of the building. It’s like a typical warehouse building; there are loading bays and truck docks and that kind of thing. But also, there’s a regular door for people to walk in and out of. It’s late at night and they’ve been watching the area and nobody is around.
KYLE: We take a little bit of time, come around, we get to the warehouse building and suddenly we go to pull on the door and voila, it’s just open, man. There’s no trick to it. It had an HID reader. There was supposed to be a locking mechanism but apparently it wasn’t functioning. We never really found out what happened there but that was a huge stroke of luck right off the bat.
JACK: Okay, so as we hear Kyle’s story, I’m going to point out a few things that I think this company should do to fix these problems. In this case it was way too easy to get on the lot, and there should have been better cameras, and maybe a guard watching over the fleet of trucks, and of course they should absolutely be locking the door to this place at night. Really, the door was completely unlocked into a warehouse of a utility company? But this is why the company hired Kyle; to check these kind of things. This is why Kyle picked this building, thinking it might be easier for him to get into versus maybe the corporate offices.
KYLE: We walk through the door. [MUSIC] We’re just in a shop. It doesn’t seem like much but we do see there’s some shop computers so we know we’ve got network access there. Then there’s smaller buildings or structures that they build within these massive warehouses. They’re like a little office building within a warehouse on a lot.
JACK: Kyle thinks that might be a manager’s office or something. It might have extra documents or extra network access so he heads over to that door.
KYLE: There was a box of nails or screws jammed into the doorway into that office area. Again, thank you very much. Open the door right up, and in we go.
JACK: Okay, next tip; if you have an office that has any kind of sensitive documents in it, lock it up at night. Kyle and his co-workers are now taking cover in this office. It’s a good place to hide out and look around. They can hear if someone’s opening the door to the warehouse or if someone’s coming and they can keep watch from here. Kyle takes his backpack off and pulls out a dropbox. A dropbox is just a computer but it’s like a small, portable, self-contained computer and you can plug it into the network and leave it behind if you have to.
KYLE: It was a cell phone with a full battery and mobile hotspot enabled, attached to a Raspberry Pi attached to a wireless card connected to that mobile hotspot, connected to a battery pack all duct-taped together, plugged into the network. We bypassed the firewall. There’s no traversing out. You plug in, it’s out. Hacky as shit, dumbest thing I’ve ever done by far, technically speaking, but it did the job really, really well.
JACK: Kyle plugged it into the network in this little office and texted the co-worker who’s on the other side of the country who’s been waiting for this moment. The other person is a penetration tester and he checks the connection. The way this particular dropbox works is like this; this is a Raspberry Pi and it’s like a tiny little Linux computer. It’s about the size of a pack of cards. It has two network connections; one is the cell phone that it’s connected to and the other is the network in this office. When it’s plugged in, it turns on the cell signal and tries to connect back to that pen tester on the other side of the country. This basically gives him access to this computer as if he’s sitting right there in the office with these two. But now that Kyle has plugged this thing into the network, he tells the pen tester it’s in, and the pen tester now quickly gets busy trying to figure out his way in and around this network.
He’s checking to see what kind of traffic he sees, what kind of VLAN he’s on, what servers they’re talking to, and he goes from there. He gets busy trying to find anything he can in this network. Man, this is such an effective technique. I just want to underline this a little bit. You walk in the building, you stick this computer in their network, basically, that allows your other Red Teamer to connect into it which just basically gives them access into the network. Then from there, they’re aggressively – I mean, they’re probably a very skilled person who knows how to heat-seek straight [00:15:00] to the goods of this place. They’re aggressively trying to get things as you’re also in the building at the same time. Within minutes they’re probably already very successful.
KYLE: Yeah, more often than not, honestly, I’ll be going through filing cabinets, throwing a few million dollars of competitive intel in my backpack, and I’ll get a text message; yo, got DA. I just put it down five minutes ago, right? That’s absolutely correct.
JACK: Got the A?
KYLE: DA. Domain admin.
JACK: Oh. Domain admin. Within a few minutes of walking into this building, the team has full administrator abilities in this network. They can now see any files on any drives in this location and they can read e-mails for anyone who works in that building. They pretty much have access to anything in this network. Amazing. I should point out that even though I don’t know how he got DA, domain admin, there are probably a few security holes in this network that need to be patched. But besides that, this company might want to enable .1x or NAC or some kind of way that would prevent a computer to just plug into the network and be right on the network. What .1x or NAC will do is require the computer to authenticate before getting access to the network. That would prevent someone like Kyle to just walk in and plug their own computer in it.
See, the goal with security isn’t to make everything perfectly secure but it should exhaust the attacker’s resources. Imagine if every port was locked down in this warehouse. Kyle would have to go around trying every port he saw to see if that one was open and would allow him on the network. This might have taken him a long time for it to happen and maybe during that time a guard would come by or another employee would come by and they would catch these hackers in the act. Sometimes you just need to slow down the hackers as best you can. But in this case, nothing was slowing them down at all. [MUSIC] I’m wondering how hard your heart is thumping at this point. Are you seriously looking over your shoulder a lot? Are you super nervous?
KYLE: Not me, man. I don’t think my friend was either which is why he did a lot of physicals with me. I honestly have never really been a nervous person. It takes a lot to get me going. I just see it as I’m there to do a job and it’s gonna get done so I already know that. What’s to worry?
JACK: Kyle keeps snooping around the office and grabs all kinds of documents and files and shoves all this into his backpack.
KYLE: Yeah, yeah. We got some competitive intel which was something they were concerned about and it’s not just for competitive purposes. It can also be for more malicious or national security related.
JACK: How do you know where to look? You’re actually like opening filing cabinets, looking for anything that would be of value, right?
KYLE: Yeah. If there’s not filing cabinets, more often than not, I think you would be surprised to find that there’s a lot of really good information just rolled up sitting in boxes right in front of you when you walk through the right door. It’s really, a lot of times, just a bunch of plans when you go into these sort of companies that you’re really after. At least me, ‘cause I look at it like I can take a lot of this data and sell it to your competitors. I could take this data and I could sell it to enemies of the state. I could take this data and I could use it to leverage it for attacks against all of these other buildings or all of these other locations. Whether it’s gas, electricity, anything like that, if there’s diagrams and data to be had, I want it. I want it bad. [MUSIC] We did also take some reflective gear with company branding. We took some company cell phones that we saw in bags that were obviously stored, not in use actively. We grabbed a couple of things like that, some lanyards. This is the sort of stuff you do when you do these multi-facility things, is you snowball the gear, is what I like to call it. You snowball the loot and by the time you get to the most important target, there’s no way you can fail. You have everything you could possibly need for any situation.
JACK: They even went back and grabbed their dropbox because at this point, they had so much access and lots of documents that they might as well take it with them to the next location and go with a running start next time. This looks like a job well-done. They got everything they came for and it’s time to bug out.
KYLE: It was successful. We decided to bug out. We took the hardware with us.
JACK: Kyle takes a look at the objectives that the client wanted him to do. Get physical access into the building; check. Get network access; check. Get domain administrator access; check. Get competitive intel; check. Find any spare keys to doors or trucks that you can take; check. But there was one more thing on the list.
KYLE: They wanted us to steal as many trucks as we could off the lot. We took like, a lot of F-350s filled with tools and had trailers on them with back hoes, and Bobcats, and all kinds of shit, dude. We were instructed to park them down the street in a big parking lot and then just leave the keys somewhere inside of the building so that once they found the keys, they could go get the trucks. But they wanted to see what the [00:20:00] employees would do if they came in the next day and all their vehicles were gone. Unfortunately, I’m not capable of driving a semi or we would have made out with a lot more.
JACK: How many did you move?
KYLE: I think twelve or thirteen, man. We took a lot of trucks and they were all full of shit. All of them.
JACK: [MUSIC] Do I even have to explain the mistakes made here? First, lock up the keys to the fleet of your trucks and don’t leave whatever key you locked it up with just lying around for someone to find. Second, there are no guards or anyone watching the cameras at this place. At least someone should be monitoring the gates when they’re opening and closing and look at the camera to see what’s going on, right? Kyle and his co-worker had a successful night and they acquired a lot of stuff but they weren’t really feeling ready to go to headquarters yet. They wanted to hit up a few more locations to what Kyle says, snowball the gear. They wanted more stuff and more access before taking on a big building. The next day they called the head of security to give them a report on how it went that day. Security was shocked but wanted to see if they could take it a step further, like really teach that location a lesson.
KYLE: They had us go back the next day in broad daylight, get into a truck ‘cause we had uniforms right, so no one’s gonna stop us. We had the key because we had stolen it from the building. They wanted us to go in broad daylight, put the key in the ignition, start the truck, and try and drive off the lot. That worked. Then I called them. I was like, what do you want me to do now? I’m just sitting in front of your building in one of your trucks, fully dressed up and no one’s really doing anything even though we just stole all your shit last night. What do you want me to do now? Well, fuck it. Just drive it to the headquarters. I drove it all the way to that particular company’s headquarters which was about an hour away and then I parked it in the parking lot and I was instructed to leave the keys inside. They were gonna tell the security guard there to go check it out. I don’t know what the plan was there but I did my part. Then I got picked up and that was that. The next objective is to do a similar thing at a different location but this would be the headquarters of one of their larger acquisitions.
JACK: This building is in a totally different city and state. They do a lot of passive reconnaissance like looking on social media to see if anyone posted pictures of what the badges look like so that they could maybe make a duplicate. They also look at what Google Maps has to offer.
KYLE: This location was kind of more in a downtown-type area. This wasn’t the same as the previous. This was in a more business region than the other. I would say that equally dead at night, though. This was no exception in terms of the Midwest lifestyle. It was downtown but once 9:00 hit, there was nobody on the streets. We checked it out during the day; we wanted to see what the foot traffic was like and it actually was surprisingly high for such a small area, being that it was downtown. We decided that we would try to walk around inside, see if security questioned us. No one said anything. We made it to the elevators, saw that there were badges and just kept walking along. We left the building, went out, saw there was a massive parking garage that was attached to the building and kind of wrapped around. We figured that could mean there are external doors into the parking garage from if not our client’s offices, someone else’s offices which will be good enough. We wait until night because that’s just I guess what we liked to do.
JACK: [MUSIC] This building isn’t a warehouse. It’s a seven-story office building and this utility company only occupies one floor of the building.
KYLE: This office building essentially took up an entire city block including the parking garage.
JACK: Okay, so this isn’t the headquarters of the company. It’s the headquarters of a company they acquired. It was a big place.
KYLE: We wait until nighttime. We parked just down the street. There seemed to be a couple of homeless guys. They kind of wandered up and down the street regularly in this spot so we wore ratty clothes, messed up our hair a little bit, I threw a dress shirt in my backpack, for example, and threw on a t-shirt that I ripped a hole in. We just walked down the street in these clothes and the security guards would walk around inside the building and look at the street periodically and see these people walking about. As soon as we noticed, he turns around, he walks away. We dart into the parking garage and meanwhile there’s a homeless guy screaming at us as we’re doing it. I’m pretty sure that he started to come after us but the security guard came outside and started yelling at him and he stopped. We didn’t go back to double check but we’re pretty sure that’s what happened and we were trying not to crack up. We started walking up the ramp into the parking garage. We saw the stairwell doors and [00:25:00] we thought well, might only get us to the roof but it might also let us into an office.
JACK: Sometimes big buildings like this in downtown with parking garages have a stairwell that leads you right into the building. Kyle and his co-worker go into the stairwell and take a look. Once they get in the stairwell, they see another door that’s attached to the office building, like an emergency exit to come out of the office.
KYLE: We start walking up and down the stairs. We’re like well, there’s not exactly a fucking company directory on the wall inside the stairwell, is there? We really don’t know which floor is which and we don’t know which floor we’re on. Let’s just start guessing.
JACK: They find that in the stairwell are two doors on each level; one leads to the parking garage and the other leads into the office building. They try pulling on the office building door, but it’s locked. They go up a flight and pull on that door but it’s locked. They go up another flight; locked. They go up another flight and try the door. This one opens. It’s just totally unlocked and leads them right into the office building.
KYLE: We’ve got an open door. Cool. We walk out, we see a hallway.
JACK: The hallway is like a common area. It’s not any particular office. It’s like the same hallway you’d be in if you just took an elevator up to that floor. As they walked down the hallway, they see doors to different offices. There were a lot of different companies in this building.
KYLE: We see a couple of doors. We see some HID badge readers on these doors. We don’t know who they belong to ‘cause they’re not marked. We decide not to fuck with them just yet and we decided to walk over to the elevator. We get into the elevator. We see the badge reader. We think shit, we can only go down to the lobby.
JACK: So far, so good. They’re in the building, bypassing the security guards who were there to make sure nobody got into the building late at night like this, but the badge reader on the elevator means that in order to get to certain floors they need to scan the RFID badge to get to those floors. But still, they have no idea what floor their client is on. They didn’t do enough passive reconnaissance and there’s no directory anywhere; not in this elevator, nothing. They’re both standing in the elevator trying to figure out what to do.
KYLE: [MUSIC] We had one option. Press one, go to Lobby, walk out, look like idiots. That’s our option one. Not gonna do that. The other option is to sit there and wait for someone to call an elevator to a floor. Could be a security guard so we gotta be ready to look normal like this was a coincidence. But it could also be someone just manning the phones at night or some shit. That’s the safer option and while we’re doing that, might as well throw option three in there and brute force the fucking buttons.
JACK: One by one they start pushing floors in the elevator. They pushed the button for the top floor. The elevator didn’t move. Rats, they need the badge to get there. They pushed the button to the next floor. The elevator didn’t move, either. The number didn’t even light up. They tried another floor; nothing. Then they tried the next floor and boom, all of a sudden, the elevator started moving.
KYLE: We didn’t know though. We didn’t know why. We just knew that it was moving. Was it ‘cause we pressed a button? Did someone call it? Are we going down to the lobby ‘cause we tried too many times? There was a moment of confusion and we just looked at each other like uh? But then the doors open and we see the company logo and we see the desk and we see the doors. We’re like ba-bing!
JACK: When the doors opened, they saw the company logo for the place they were trying to break into. The one floor that didn’t require a badge to access was the exact floor they needed to get on. What another stroke of luck. As you come out of the elevator there’s a reception desk and then two closed doors after that which leads into the office.
KYLE: We checked the doors. Oh darn, they’re locked. We look over at the receptionist desk; a couple of drawers, there’s a lock box on top of the desk. How much you wanna bet that the key for that lock box is underneath your keyboard or in one of those drawers? That was a correct guess. [MUSIC] We found the key to the lock box inside of the first drawer that we checked and inside of the lock box were guest badges, guest badges that were not deactivated when they were not in use.
JACK: After rooting around the reception’s desk, they found badges that let them in the door. This kind of reminds me of many video games I’ve played, but there’s another tip; don’t leave the keys under your keyboard or in drawers in areas like this because now the team is in.
KYLE: Rinse, lather, repeat, essentially, from the previous site. Once we were inside, the objective was to find as much information openly accessible as possible, see if you could get on the network.
JACK: A good place to always lay low for a while is the bathroom. The two head into the bathroom, change their clothes, and sort out their plan.
KYLE: I was in the bathroom with my colleague. We were trying to figure out where we were gonna put the dropbox and we said well, we didn’t get into the server room at the last site. Let’s see if we can get into the server room at this site. It’s gotta be on this floor. This is their only floor so we know it’s here. There’s at least an IDF, something. [00:30:00] We’re walking out of the bathroom and as soon as we walk out of the bathroom door, there’s the security guard and he jumps and we jump and we all go aah! I go holy shit, you scared me, man. He goes you scared me. Are you guys okay? Are you guys working late? We’re like yeah, man. Jesus, you gotta let people know when you’re coming, you gotta put a bell on you or something. We all laugh, we part ways.
JACK: Security ran into them but because they dressed like they belonged and were already in the office, the guard didn’t question them. This is a bit odd. The guard failed here. He should have stopped them and asked them more questions but instead, he just walked off.
KYLE: Then we continue walking around the building as I said earlier, collecting stuff, taking pictures, flipping keyboards, and then we walked by a door. We hear humming. You know the humming.
JACK: [WHIRRING] Something on the other side of the door was making a loud whirring sound. There were no windows in this room so the team couldn’t tell exactly what was in there. But when you work in IT long enough, this whirring sound is something that you will instantly recognize as the fans of a server rack. The team had scoured the whole floor at this point and didn’t find the server rack anywhere, either. They knew for sure that this had to be the room with all the computers but the door to it is guaranteed to be locked. With no windows, how do you get in? They look up and see there’s a drop ceiling. This is the typical office-type ceilings that have panels that can be pushed up and there’s a space above the panels.
KYLE: There’s a broom in the janitor’s closet just down the hall. We grab that. We poke it up into the ceiling and we see that there is no wall extending over. Easy enough. I just held out my hands and said boost up, bro. Up he went, no question. Then he slid the other tile out of the way, dropped down on the other side, and all I hear is I’m good! He plugs it in, and finds a way back over, slides the tile back into place, and that was that.
JACK: Okay, where’s the security failure here? This is a server room of the headquarters of a utility company that got acquired by this larger utility company. The server room of a place like this should be treated as a very secure room. It should have a security camera monitoring the outside of the door, the inside of the door, inside the server room, too, and definitely a very securely locked door that probably should be logged when it’s opened or closed. Maybe even some pressure-sensitive plates to know if something heavy has come in or out of the room. When constructing the server room like this, you should extend the walls up into the drop ceiling to stop people from just going through the ceiling to get in. I’ve heard this done many times before and a few two-by-fours and some plywood would certainly slow these people down. Especially if you have guards wandering around the floors, if they heard sawing and hammering going in the ceiling, they’d probably come check it out.
KYLE: Yeah, there was a moment of giggling there, too. Like, there’s no way that there’s just not a wall, right. But that’s the thing with these multi-tenant facilities, is a lot of times you don’t have the leeway clearance pull, whatever it is you need to get shit done in that building because you’re too new there or the other tenants don’t like your company, whatever political reasons there could be. But a lot of times you are barred from being able to make those kinds of very important changes to the structure of the building.
JACK: They didn’t want to come out through the server room door because that might trigger some kind of log or event. They left the drop box in there, came out through the ceiling, putting everything back. They get their pen tester to then get into the device and start attacking the network from that dropbox which is in the server rack.
KYLE: We also went around and tried to see what other sorts of findings we could generate from this site for the client, things like are the shred bins unlocked? ‘Cause that’s a fairly common mistake. The data that needs to be gotten rid of is supposed to be locked up and a lot of times it’s either so full you can just grab the shit out with a picker or you can use your hands, or it’s just unlocked.
JACK: They got everything they needed from this location and they’re ready to leave. They knew that if they just went down the elevator through the front doors past security, that might raise some suspicion. They came up with a plan.
KYLE: We decided we didn’t really have much of a choice. We had to get all dressed up in stuff that we found around the office; hard hats, reflective gear, we got a bunch of those big cardboard roll-up storage things so that we could put a bunch of stolen goods in there, we had files, we had a couple of Toughbooks that we wanted to take with us to a SCADA site, we had some truck keys, we had about everything you could need to be an employee of this company. We decided to just walk out the front door in front of the guards.
JACK: [MUSIC] When they walked past the guards, the guard spoke up.
KYLE: He was like oh, you’ve got a hard hat on. You’re gonna be working hard, ha-ha. [00:35:00] Yeah. They were totally chill with it. They didn’t even suspect a thing which I thought again, was very, very odd considering that it was three in the morning and he had just seen us in normal street clothes outside of the bathroom upstairs. It was very weird, a very weird occurrence.
JACK: They walk out of the building, down the road, load their stuff up in the car, and leave. I don’t care who you are; that’s gotta give anyone an adrenaline rush.
KYLE: Oh yeah, of course, man. As soon as the car doors close, that’s generally when it’s okay to kind of cut loose. We were not on camera anymore, there’s no way a client could hear us, there’s no one. We can be a little excited. We can get a little cocky amongst ourselves. We can have a good time and then get back to the hotel and party. If you’ve left the drop box there, honestly, that’s kind of the other half of the fun on physicals, where I leave the drop box and then we go back to the hotel and then you’re just hacking all night, having fun with whoever’s there with you or even your buddies who are out traveling on other engagements over the wire because you’re just passing the shell around.
JACK: At this point they have a lot of stuff from this company to try to get them access into headquarters. But they don’t feel like they have enough yet. They want to hit one more site to see what they can take from there. They go to another city in another state to another office for this utility company. This is a smaller office than the last, much, much smaller. This office is in a medium-sized building, one story, with other companies that are also in this office building.
KYLE: This is definitely one we have to hit at night. There’s no way we can do it during the day ‘cause the office is so small that unless we have an airtight cover story, they’re gonna know that we’re not supposed to be there and they’re gonna want to know who we are. Really small offices are just like that.
JACK: The team arrives at the building at night. [MUSIC] They see a few cars in the parking lot and people coming and going from the front lobby. They discovered that other companies in this building have overnight workers, like a call center. They go up to the front door and it’s open. They get into the building. There are no guards since it’s a small building and the front door’s always open to let this overnight staff get in.
KYLE: We didn’t really do a whole lot of recon in this case because the building was pretty straightforward; one level, just a long hallway with some doors.
JACK: Kyle and his buddy go down the long hallway looking for the utility company inside. They finally find the door. It’s a glass door and they can see inside. It’s dark. Nobody’s in there. They pull on the door but it’s locked.
KYLE: It was a glass door and it was one of those with the hook handles and the lock was inside of that. It wasn’t a deadbolt but it seemed industrial-grade.
JACK: The team looks around. The hallway’s empty. There’s no security in the building and nobody seems to be around. They pull out some lock picks and begin trying to pick the lock. Kyle’s okay at this but his friend is much, much better. His friend kneels down and slowly tries to open the door. Now, I say slowly because picking a lock is usually not a quick process. There are two basic tools; a rake and a tension bar. The rake goes into the lock and pushes the pin up, ideally to the same position to where the key would push them up to, and then the tension bar is used to twist that lock open. On a tough lock you can literally try it hundreds if not thousands of times and get nowhere, and not even know if you’re anywhere close. When you try it, it either opens or doesn’t. Another big problem with picking locks is you don’t know if you need to twist the lock clockwise or counter clockwise to open it. Half your attempts have absolutely no chance of working since you’re twisting it in the wrong direction. Kyle waits nervously as his friend keeps trying to pick the lock.
KYLE: I’m just peering down the hallway in both directions, trying not to look really weird as this guy’s obviously picking a lock right next to me. If anyone came around the corner this is not gonna be explainable other than he’s my locksmith. That’s all I had on me, that’s all I had prepared.
JACK: Insert rake, push pins up, twist the lock; nothing. Push pins up, try to twist; nothing. Push, twist; nothing. Push, twist; nothing. Over and over he tries. To add to the stress, this is a very small office so they thought there might not be anything inside for them to even take.
KYLE: It was stressful that we were sitting in this dark hallway working on a door handle for what we thought was basically no reason other than to appease the customer. If we got caught then we could have our cover blown for headquarters because the security incident could get reported to everyone there. They would then tell their parent companies or alert everyone in their offices, whatever their procedures are, and then our photos get e-mailed to headquarters. That stuff happens when you get caught doing dumb shit. [00:40:00] Yeah, it was a little nerve-wracking, especially like I said, we thought it was for probably nothing.
JACK: After a while your hands start cramping up from this, your knees are getting sore from kneeling, and the pressure builds because you’re just hanging outside of an office for a long time looking really suspicious. Push, twist; nothing. Push, twist; nothing. But then push, twist; unlock. It worked! [MUSIC] They got the door open. Quickly they get inside.
KYLE: We get in though, and we see there’s like eight desks in here. It’s all open. There’s a kitchenette, there’s a bathroom, and that’s it. There’s nothing. Why are we here? I guess let’s look around and see what sort of data we can get access to. Let’s see if the network’s any different. Let’s see.
JACK: Because it’s a small office, they can comb through things a little bit more carefully. They look in people’s desk drawers for anything worthwhile. They look in filing cabinets, they even start looking through any backpacks that were left there overnight.
KYLE: Well, as just by happenstance, it seemed that there was someone traveling to that office from headquarters that day or that week or that month. We don’t know. Maybe he had been relocated and just never sent back his original badge, but we found it in his backpack that he left at work.
JACK: This badge looked like it would specifically work for the main headquarters, the main objective they needed to access. Finding this badge absolutely was worth the trip coming down here.
KYLE: We clone it with a Proxmark right on the spot and then we leave. We didn’t take anything. We didn’t even really take pictures of anything other than the badge and him picking the lock.
JACK: You’ve already heard Kyle say he’s got a dropbox in his backpack and a set of pick locks and now you see he has a badge cloner. This is a device that can scan an RFID badge and take the data from it so you can make your own badge. At this point I’m curious. Let’s take a look in Kyle’s bag to see what other things he brings with him on a mission like this.
KYLE: The general essentials are your standard tools; screwdrivers, you’re always going to need a good screwdriver, you’re always gonna need a dropbox. Network taps aren’t a bad thing to have if you can get one. They’re not always so great. They usually force you down from gigabits so you can’t really use it in a data center environment or anything like that very well, but they’re not bad. Rutabagas are okay but I wouldn’t say they’re essential. If you have a good dropbox then you’re going out over 4G, you don’t need that WiFi access to the internal network. But multiple methods of persistence are always good to have in your bag. I actually always keep one with me even though I rarely use it.
Another essential is a spare phone, a spare working phone with service. It’s really important. You may need to call yourself from it and flip it over and slide it under a door so you can see what type of locking mechanism is on the other side. You may need to use it for a hot spot for a laptop that you’re gonna use to shell out so you can leave before someone shows up for work but you don’t have time to get persistence any other way. There’s always a good reason to have an extra phone. There’s the obvious accessories to the Proxmark which are spare antennas, spare badges, and I would say if you can afford it, a Boscloner is great. Those are a little pricey pre-built and I think they’re kind of a bitch to build but they’re awesome. You can just sit at the nearest lunch spot that you scoped out on social media and know all of the employees go to and just catch all the badges all day. Those are a lot of fun, too.
JACK: They took pictures of this badge too, so they can make as close of a replica as they can. They leave the building and get back to their car and feel good about breaking into this office because it was worth it. Now they have their sights set on the last location, the national headquarters for this conglomerate of a utility company. [MUSIC] Everything they’ve done up until this was to prepare for them to get into this building. They’ve got keys to trucks, hard hats, vests with the company logo on it, complete with persistent network access, and they know a lot about this company, and they have cloned badges.
KYLE: Now we get to the interesting part.
JACK: We’re gonna take a quick break here but stay with us so you can hear the interesting part. [MUSIC] Kyle and the two other co-workers head to this location of where the headquarters is but they decide to leave the penetration tester back at the hotel to be ready to come rescue them if need be or use the internet to help them out in some way. It’s in a big city and it’s a big building. Kyle and his friend go to the building.
KYLE: We decided alright, we’ve got this badge. It might work, it might not. We can’t be seen trying that shit out at the front door in the middle of the night, right? [00:45:00] You can’t just walk up and be like well, here we go, and then if it doesn’t work, then what? We’re immediately burned, of course. We do some careful recon against this building. This is in a much bigger city. This is definitely gonna be a lot of traffic at night. This is not what we’ve been dealing with previously. This building is gigantic. It definitely takes up a whole city block and there is no parking garage. We decided to scope it out a little bit, see where all of the entrances were, see if there was roof access, see if there was any wall or anything going up to the roof that wasn’t all glass that we could potentially scale if we had to. The building itself looks like it is going to be fairly difficult to get into anyway except for the front door unless this badge works because there was a service entrance at the back. It was an obvious service entrance because there were some utility trucks and there were some big turbines sticking out the top of a little building that was right next to it so it was like the machine room area. We thought well, this seems like a safer place to try it out.
JACK: They parked their car down the road and walked down the street to the back of this building to the service entrance in the middle of the day. They get up to the door and they see it has a badge reader.
KYLE: We swiped and the door opened. [MUSIC] In we went. We were in a very, very odd kind of boiler room setting. This definitely wasn’t where we wanted to be but it was a start. This means that the badge we found at the previous site was valid, does work, and now we’re in the building. That’s good news. We take a look around. We don’t see any cameras. We don’t hear anything else other than the humming of machinery and whatever is going on around us. We see an exit sign above a door down a dark hallway and we make our way. We open the door, no alarms. We’re good. We peer out and we see through a door that is kind of like a frosted glass. There’s the long lobby to the front entrance. That means security guard is probably just outside that door somewhere. We looked to the right and there’s a long dark hallway. We don’t know where that goes. We look dead ahead though just to the right of that frosty glass door, and there’s a little office room with a copier. It looks very cozy and we won’t be bothered.
JACK: [MUSIC] They sneak across the hallway into the copy room. Nobody saw them. They start looking around for anything of value here. They find the copier has a network port.
KYLE: We get the dropbox plugged in in between the copier and the wall. We’re hanging out, looking around to see if we can find anything useful in that room; letterheads, stuff like that can equally be useful if you have nothing at all when you’re walking around in a building. It’s good to have a handwritten letter on company letterhead saying check out this in room whatever than have nothing at all. Keep that in mind. If you’re just stuck in a paper room, that’s still perfect. You just need to be a little more creative with what you have around you.
JACK: You would write your own letter to say this is what I need you to do and then you would show that to a security guard if you got caught, is that what you’re saying?
KYLE: Yeah, yeah. It’s better than having nothing, right? If I just give him a story, it’s just a story but if I have a piece of paper on company letterhead with – Mike at the bottom, I’m sure he knows Mike. Everyone knows Mike. I mean in that situation, if you’ve got nothing else and that’s where you’re stuck, the point I guess I’m trying to make is you can make use of that seemingly unimportant detail, like access to company letterhead or envelopes.
JACK: Kyle texts the guy back at the hotel to let him know the dropbox is plugged in. The pen tester gets into the dropbox and sure enough, he can get into the whole corporate network from that little port behind the printer. The pen tester finds other access to folders and data which didn’t even need a password to view. They’re feeling good that they accomplished all their objectives.
KYLE: We had successfully gone from site to site gathering everything that we gathered, including data, uniforms, clothing, hardware, and a badge. We successfully breached and compromised the network of the headquarters building without being detected. We never got caught, challenged. We never talked to anybody. We went right back out that back door again.
JACK: Okay, so here’s some tips for this. Back doors should have just as much security as front doors because bad guys use the back door as if it is the front door. In this building there were security guards watching the front door constantly and there’s extra security there. But this back door was secured only by an RFID badge reader and nobody was around. Oh, and also again, make sure all [00:50:00] network ports require authentication so dropboxes can’t be thrown into the network so easily.
KYLE: Once we left that building, all objectives had been accomplished. We had tried the least hard on the last building because we had everything we needed to make it go as smoothly as possible.
JACK: But here’s the thing; Kyle and his team were given a few days to test this building. Since they were so successful, they had free time. Why not spend the rest of their time testing the building further and see what else they can do in there?
KYLE: The second time we went back, we decided we needed to challenge security. [MUSIC] We have a budget; might as well use the rest of it. Let’s kill the rest of this time by just seeing what security does and then we’ll go in the next day and we’ll see what the people do.
JACK: They wait for night then head over to the building. All three of them are driving separate cars.
KYLE: We decided that we were gonna go in through the front door.
JACK: Because at the front door they knew there would be security guards there and they wanted to see if they could get by those security guards in the middle of the night. They drive around the neighborhood looking for a place to park, but they can’t find anything. The only parking spot Kyle could find is one that said No Parking because it said the street cleaners would be there in the morning and they didn’t want anybody parking there.
KYLE: Two of us parked our car. It says a No Parking Zone. I don’t care. What’s gonna happen? They’re gonna tow the car and that’s the worst that could happen. I’ll probably just get a parking ticket, though. Me and one guy park our car. We get out, we start walking towards the building. Our partner was behind us and could have easily just parked his car where we did but instead thought it was clever to call us and tell us that we parked in a no parking zone, to which I said who the fuck cares? We’re literally here to break into this building. Will you please park in the no parking zone? He’s like no, hangs up, drives around the block. We’re just standing there out front in this very well-lit front of this building and the security guard walks up the door and is now staring at us. He comes around again and he’s staring at us out of the car as he’s driving around. We’re staring at him and then he drives around again. Now the guard is looking at us sideways. We’re like okay, well, we’re definitely fucked now. Let’s just leave. That’s the best thing we can do, is just leave.
JACK: Kyle really didn’t think parking there would be a problem because they were gonna be in and out so quick and they weren’t gonna street clean until the morning. But this phone call right in front of the office door just screwed up the whole vibe of this mission.
KYLE: We decide we’ll come back in a half hour or something ‘cause that was just ridiculous. We can’t even tell anyone about this. We give our friend a little bit of shit for not just parking in a no parking spot. We find some parking spots to soothe his delicate sensibilities. We park in those spots instead and then we walk our happy asses down the street and we walk up to the door.
JACK: [MUSIC] As soon as they get in the front lobby, they see a door that gets them into the rest of the office with a little badge reader next to it you have to scan to open the door. That door is right next to the security guard’s desk. Sitting at that desk is the same security guard who saw them earlier and he’s watching them.
KYLE: He’s ready for us. How can you not be after seeing that just a half hour ago? He’s not that short-term memory guy, I guess. We’re unfortunate there but I badge in. [BEEP] They walk in behind me. He immediately says hey, I see that your badge works but you guys didn’t badge in. You know you’re supposed to badge in even if you’re going in behind someone, right? He’s like yeah, we know that, of course, man. But we’re here dealing with some incident response stuff. We’re with information security. We’re in a hurry; can we just go upstairs? He’s like well, I want to see your badge, talking to me. I had taken their badge design, put my photo on it, and printed it on this cloned badge. This has my face, my name on it. He’s asking for it now. He’s writing down the data. He tells the other guys to go badge in.
JACK: Now, the other two guys had badges too but they were just blank RFID badges just for hanging around the neck to look official, but they didn’t actually work. But they decided to try it anyway.
KYLE: They badge in and they beep [BEEP].
JACK: Here’s the thing about RFID badge readers; they beep whether they work or not and since Kyle’s badge worked, it was able to open the door and he held it open for them. But see, the beep doesn’t matter. After you scan it successfully, there’s a little click [CLICK] that’s important. That click is the sound of the door being unlocked. But in this situation, as soon as Kyle heard the beep [BEEP], he spoke up.
KYLE: We’re just like yep, see? They work. He says okay, well where are you guys gonna be? We said we’re gonna be on the fifth floor. Just pulled a floor out of our asses and just said the fifth floor.
JACK: Kyle and his two co-workers quickly made their way into the building and the security guard didn’t follow them.
KYLE: We walk up the stairs. The departments are labeled on certain doors and we see one [00:55:00] that says Information Technology. We’re like oh, let’s cruise in there. Let’s grab some laptops, plant another dropbox, and then get out of here fast.
JACK: Meanwhile the security guard goes back to examine the logs. He looks to see who just badged into this door. It shows a picture of the employee. That picture doesn’t look at all like what Kyle looks like. Next, the security guard looked at the logs for the other two guys and it showed Failed Authentication. At this point the hairs on the back of the security guard’s neck were standing straight up.
KYLE: [MUSIC] We get the dropbox planted. We started loading up our bags and mid-stuffing laptops into a backpack, police officers come around the corner. I look up and I see them and I’m like well fuck me, man. Really? I look back at my partner and I was like this is your fault. You didn’t park the fucking car. The security guard says can you stop right there? I need to talk to you. Come over here please, where we can see you. I start walking into a more lit area slowly. Cops are all really nervous and everything. I’m like guys, you got me. It’s all good. Here’s this letter. I’m gonna hand it to you. It’s in my back pocket. I pull it out and I hand it to the cop. The cops hand it to the security guard. The security guard goes fuck. Then he turns around and walks away and makes a phone call.
JACK: What Kyle had is what’s known as a get out of jail free card. It’s a letter from the security guard’s boss saying that Kyle was there to test the security of the company and if there were any questions, just call the boss. The guard calls his own boss and asks him if it’s a real letter. His boss confirms it is.
KYLE: He comes back and he says yeah, yeah. This is fine, officers. Man, I knew I had something going on, I knew it. I didn’t know what but I knew it. He was talking to his cop buddies; I guess he was really old friends with them and he called them up personally and said guys, I got some weird people here and they’ve got a badge that works and just don’t seem like they’re supposed to be here. I don’t know what to do. They just came ‘cause they knew him. That was a really lucky thing on his part ‘cause otherwise I’m sure the cops would have been well, okay, we’ll send a squad car but they send the whole damn battalion after us, man. There was like, five or six cops there. It was pretty crazy.
JACK: Kyle and his co-workers were let go and they went back to the hotel. But they had one more day to kill while in town so they decided to go back once more in the middle of the day where there would be totally different security guards. Their plan was to go in through the lobby, badge into that door, all three of them walk in, and then just wander around to see if any employees would spot if somebody was in the office who just doesn’t look right. [MUSIC] Three guys just wandering around.
KYLE: We went in and we were just walking around like normal. Not a lot of people really even gave us a second look. I was hanging out next to the coffee machine meeting pretty girls. We were all just doing our own thing walking around the building doing whatever we wanted. I walked downstairs; I see one of my buddies and I start walking over to him. We were gonna try and get out of here soon or meet up with our client or whatever the plan was. I noticed that he’s in someone’s office and he’s taking pictures. I see someone see him do that. I’m like wait a second, I’m gonna sit down on this step here, just watch this go down. The guy who saw him taking pictures starts getting all of his buddies, right, and then there’s this mob forming around my friend. He doesn’t notice it ‘cause he’s just taking pictures of people’s shit. I’m like okay, I should probably come tell him that he’s surrounded. So, I walk over. I’m like hey, guys, don’t worry. He’s supposed to be here. This is okay. They were like well, who are you? They all kind of turned to me. Whoa, whoa, guys.
JACK: All of a sudden, the situation seemed to unravel. Not only was there a group of people wondering who this guy is taking pictures, but now they’re wondering who Kyle was. They were right to question them; they didn’t know these guys. But even though Kyle has a get out of jail free card, you only want to use that as a last-ditch effort because it completely burns your cover. It’s okay to be stopped but that doesn’t mean you’re caught. Now the next step is to try to leave the building and get out of there.
KYLE: Yeah, so as they’re sitting there, I’m trying to get us out of it. I can see this big guy over here positioning himself in front of this door over here, and I can see this guy and this girl walking over to this other door over here. They’re boxing us in right now. That’s exactly what they’re doing. It’s almost like they’ve coordinated this shit. It was pretty wild. I had never seen anything like it. Yeah, as they’re sitting there, quote unquote “distracting” us, they’re doing that. They’re blocking us in and they’re also going to get the authorities. Then the security guard comes up, the head of security comes up, [01:00:00] our point of contact. Obviously then, everything is explained and the whole office is in an uproar and everyone is just amazed and having a good time. As far as bad ending goes, it was the best bad ending I’ve ever had.
JACK: Kyle and his team write up a report and deliver their findings to the head of security.
KYLE: We had a great time with the executives. They really enjoyed the story. They loved it, obviously. The people who set out to get things done based off of the information we provided by doing these engagements got what they were after so it was a win, win, win. Everyone had a good time and everyone got what they needed out of it, including myself. It was a lot of fun.
JACK: Sometimes in the corporate world, to get budget approvals to improve security you need to demonstrate just how vulnerable you are. Kyle and his team were able to demonstrate many vulnerabilities which got people to approve budgets for things to improve security for the company. This company quickly fixed a lot of the vulnerabilities that were found in this report. That’s what a few weeks hanging out with Kyle is like. What a fascinating job. I bet I’d be good at this myself. I used to be a master of sneaking into places; abandoned buildings, amusement parks, movie theatres, exclusive events, you name it. If only my guidance counsellor told me about this kind of work when I was a teenager.
JACK (OUTRO): [OUTRO MUSIC] You’ve been listening to Darknet Diaries. A very big thanks to Kyle for sharing his story with us. You can follow Kyle on Twitter. His name there is @icommitfelonies. This episode was created by me, the spaghetti coder, Jack Rhysider. Theme music was created by a digital minstrel, Breakmaster Cylinder. See you in two weeks.
[OUTRO MUSIC ENDS]
[END OF RECORDING]
Transcription performed by Leah Hervoly www.leahtranscribes.com