War Story: Piggyback BBQ

Assessment Type: Red Team (Onsite)
Target Type: Corporate Healthcare Institute

Assessment Background

With a loose-fitting patterned tie, white button-up shirt, some gray slacks, and a fake badge draped around my neck (that I had made up and printed at the hotel earlier that morning during breakfast), I was dropped off at the target facility by a fellow consultant. The parking lot was congested and huge, so it was pretty easy to just jump out and appear as though I had just came back from my car. The delicious aroma of BBQ filled the air, so I followed my nose and eventually my ears, to the sound of music at the back of the facility. The beat of “today’s hits” played via a live DJ and swarms of business casual employees, with badges dangling back and forth, lined up at a buffet of a plethora of country food. I could see a handful of tents set up and several employees mingling in and out of the target facility points of entry. It was the quarterly “employee appreciation” BBQ, and a perfect time to piggyback with a smoked pig ‘sammich’ in hand.

I texted Brent and Drew (who were part of the covert entry team), who eventually joined me by simply walking around the large building, blending in with the crowds and into the area where the corporate event was happening. We were all wearing fake, homemade; well, hotel-made badges. Theirs imitated that of a contractor badge, and mine mimicked an employee badge (Mr. Elliot Alderson, a generic Mr. Robot reference). Our guise was “inventory control for IT” and it was game on–after the free food of course.

On-site Red Team Assessment

With a newly acquired sandwich in one hand, a drink in the other, and a smartphone wedged between two fingers, I approached the back door where an employee gladly held it open for me. I nodded, smiled, and used my foot to keep it open for myself and my partners. We continued straight into the facility, not acknowledging any acquaintanceship, and casually made our way to the stairwell. We finished eating our “props” (it was a very good sandwich) and gained our bearings, noting the lack of camera coverage and counting the floors above and below us. We knew where we wanted to go next, but needed to figure out where it was. So, I pulled up the floor plan (gathered earlier, during the reconnaissance phase) and we made our way to the Data Center and PBX (Private Branch eXchange) room. Brent’s goal was to walk around with a contractor’s “badge” to see if any employees questioned the lack of escort, while attempting to compromise their wireless network(s). The primary assessment goal? Gain access to the server room(s)/PBX control room, and obtain as much sensitive data as possible.

As we surveyed the halls, we noticed that nearly all of the badge-restricted areas had doors with the same style of lever handles. At this point, Drew decided to stand watch as I attempted to bypass the door. Brent split off and set up in a conference room, capturing handshakes from the production access point. Drew and I began talking about random “inventory control and OSHA regulations…blah…blah…blah” as a couple of employees passed by with their goodies from the buffet. I peeked through the thin window, between a haphazard paper and taping job covering what appeared to be a sensitive area. Fortunately for us, I had an under-the-door (UtD) tool concealed in my laptop bag, that allows you to open a lever door from the other side. Utilizing the UtD tool, I was able to bypass this PBX server room door, and several other sensitive areas. Score!

Once inside the server room, we had access to devices, butt sets (telephone test sets) and the PBX systems. After about 30 minutes of harvesting as much data as we could, we heard someone badge in. Two employees came in, one went straight to his laptop (completely ignoring the two of us), and the other asked who we were.

“This is Alec (Drew’s alias), from XYZ. We are doing some inventory on the PBX systems.” I interjected as I casually nodded to Drew and flipped through a clipboard that I had taken from outside.

Drew added, “Yup, we also need to check the connectivity over here” nodding to the rack. “In fact, do you have a butt set back here? I believe that is on the inventory list. I left mine in the truck.”

“We have one over there that you can use.” The other employee interjected, nodding to a cabinet as he continued to drink his soda and tap away at his laptop, not even making eye contact with us.

At this point, we were able to gather enough equipment and devices to justify getting out before the employees got too suspicious.
Note: They never attempted to validate that we were who we said we were.

After leaving the area, Drew decided to go back to the BBQ and mingle with the employees to eavesdrop and further allow them opportunity to question his validity as an non escorted contractor. To be honest, he also wanted more brisket. Incident Response was something that we had agreed to test as well, so we wanted to afford them as many scenarios for escalation as time allowed.

I found a door that led to the primary data center, and passed the cubicle area for what I could only assume was the networking department. This beautiful door had two-factor electronic access controls, requiring a 4-digit PIN and proximity badge in order to gain access. I noticed that the drop-floor below me was eager to be opened, because a handy suction grip was conveniently sitting on a table beside the door. I lifted one of the tiles and could have easily crawled under the floor, but I decided against this since I was sporting a white button up and it would have heightened the risk of being exposed during production hours. Even the best of con artists would have a hard time explaining that one! I took mental note of the risk and replaced the tile. I decided to try to pick the lock instead. Using a Bogota-style rake pick, I was able to physically bypass the electronic controls, pick the tumbler lock, and open the door. Voila! I was in the data center and had access to a gold mine of systems with sensitive data, remote employee VPN devices, laptops, conveniently labeled servers, the core switch and more.

Since the goal of this assessment was to primarily gain access and proof-of-concept, I simply plugged into the DHCP-enabled core switch, ran a basic network scan, and noted the source IP address for reporting and validation purposes. I texted Brent to get a status of the wireless security assessment and he had successfully gained access to the production network by cracking the handshakes; he was able to do this fairly quickly because the WPA-2 key was basic and we had discovered later that they changed it every month to the name of the month and year.

While poking around on my way out of the data center, I decided to hang out in front of the executive copy and printing area. I was attempting to locate the hard drive as an employee approached from behind.

“Oh, are you waiting on a print job?” I asked an employee as I removed the toner, blew on it, and stuck it back into the printer.

“Yeah, sorry. Did I mess something up?”

“No, but you could do me a favor. I just put in some new toner and need to check how the quality is.” At this point, the printer spat out the print job.

“Oh, yeah. Go ahead. Take a look.” The employee motioned to the stack of paper containing an SSN, name, address, DOB, etc. and a copy of a photo ID.

“Hmm. Would you care to try printing again?” I smiled, crumbled up the paper, and tossed it in the insecure shredder bin.

“Sure. No problem.” The employee replied and walked away.

At this point, I was able to harvest information from the print job, and lo and behold, the new print job came through – a fresh copy for me to give the employee right after I took the crumbled paper out and took some quick photo evidence (as requested by the point of contact). At this point Drew texted me and had said that he was waiting near a photographer that the company had hired for employee selfies. Brent and I left out different points of entry and met back up with Drew.

Before leaving the BBQ, we decided to clone some badges via a homemade RFID badge cloner that I had built inside of a clipboard. While walking around the employee cafeteria, we managed to get close enough to copy two badges. After leaving the cafeteria, we stood in line with some employees, who were able to snag more badges from via the clipboard while waiting for a “employee appreciation” photo. We joked with some of the employees who Drew had befriended at the BBQ, convincing them to take the photo together, while we were still pretending to be contractors and employees. Behind us was a large banner that said something like, “Synergy” and a bunch of cheesy smiles on our faces.

Lessons Learned / How do companies prevent this?

So, what do we learn from this war story?

  • Lever handle doors are a bad idea, especially when it comes to accessing secure zones.
    • This type of security awareness can easily be applied to personal lives as well. This same type of handle is also a concern of mine with hotels. The next time you are staying at a five star hotel, consider the $50 tool that a criminal can buy to get into your room while you’re out. Or, maybe someone needed a free room for the night?
      • If you’re paranoid about hotel lever handles, just shove a rolled up towel in your handle before you leave the room.
  • Again, employees are too trusting, especially when you have a legit looking badge, dress code and body language.
  • It doesn’t matter how many fancy electronic access controls you have if the core lock can be picked and the door is opened the good ‘ole fashioned way.
  • Don’t leave a gap under doors (this also makes it easy to trip exit motion sensors).
  • Physical key bypassing additional access controls: If necessary, consider a stronger lock core and a key management log.
  • Security awareness! Instill a culture of awareness, not paranoia. Every employee, vendor, contractor, etc. has a part in security. If you feel suspicious, don’t be afraid to inquire and to double-check. Due diligence is not rude. It is good practice.
  • Require badges to be visible at all times. If a certain badge requires an escort, make sure there is an escort.
  • Keep destruction/shredder bins secure.
  • Dispose of sensitive data responsibly!
  • Ensure that you are utilizing industry standards for wireless security (ie better passwords that aren’t easily cracked after obtaining handshakes)
  • Don’t let company functions (or BBQs in this case) deplete security practices.

Overall, it is important to keep in mind that no matter how secure your networks or perimeters may be, a poor choice in locks, handles, security and employee culture can leave an exploitable vulnerability.


Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.