Podcast
Join Viktor, a proud nerd and seasoned entrepreneur, whose academic journey at Santa Clara University in Silicon Valley sparked a career marked by innovation and foresight. From his college days, Viktor embarked on an entrepreneurial path, beginning with YippieMove, a groundbreaking email migration service, and continuing with a series of bootstrapped ventures.
Links
Follow Me
Follow Me
Join Viktor, a proud nerd and seasoned entrepreneur, whose academic journey at Santa Clara University in Silicon Valley sparked a career marked by innovation and foresight. From his college days, Viktor embarked on an entrepreneurial path, beginning with YippieMove, a groundbreaking email migration service, and continuing with a series of bootstrapped ventures.
Physical Pen Testing Secrets: Covert Building Infiltration Explained
Play On
14 MAR • 2025
1 hour 6 mins
Share:
In this captivating conversation with Warren Houghton, we explore the secretive world of physical penetration testing. Warren, an experienced security professional, shares his expertise in testing and bypassing physical security measures that protect sensitive facilities and assets.
We begin by discussing the fundamentals of physical penetration testing and how it differs from digital security assessments. Warren explains his methodical approach to evaluating building security, from initial reconnaissance to execution, and how he documents vulnerabilities for clients to address.
A significant portion of our discussion focuses on the technical tools and techniques used in physical penetration testing:
- Badge cloning technologies and vulnerabilities in common access control systems
- Lock picking tools and techniques, including the use of specialized tools for different scenarios
- Under-the-door tools and methods for bypassing door sensors
- The effectiveness of tailgating as an entry method
- The vulnerabilities of magnetic locks and how they can be compromised
Warren shares fascinating war stories from his career, including breaking into:
- A bank in Amsterdam where he successfully accessed the stock trading floor
- An arena with inadequate security measures
- Corporate buildings with sophisticated access control systems
Perhaps most intriguing is Warren’s deep dive into social engineering tactics. He explains how building rapport with targets like receptionists and security guards is often more effective than technical approaches. Warren demonstrates how creating a sense of trust and familiarity can lead people to willingly provide access to secure areas, highlighting the psychological aspects of security breaches.
The conversation takes an important turn toward security recommendations, with Warren emphasizing that security awareness among staff is the single most critical defense against physical breaches. He explains why:
- Staff should understand they are part of the security posture
- Simple practices like removing badges when leaving the office significantly improve security
- Investigating security alarms is essential rather than dismissing them
- Certain access control technologies (particularly HID proximity cards) should be avoided
We also discuss the importance of proper encryption keys for access cards, with Warren explaining that many organizations use default credentials that can be easily exploited. He provides practical advice for improving physical security, including the use of custom encryption keys and tamper-resistant readers.
The episode concludes with Warren’s perspective on the balance between technical security measures and human awareness, suggesting that even the most sophisticated systems can be compromised if staff aren’t properly trained and vigilant.
For anyone responsible for facility security or interested in understanding physical security vulnerabilities, this episode provides rare insights into the methods used by professional penetration testers and practical steps to enhance protection against unauthorized access.
Transcript
Show/Hide Transcript
Welcome back to another episode of Nerding up with Viktor.
Today I'm joined again by Warren.
Welcome back, Warren.
Hey, Viktor.
How you doing, mate?
Good.
So last time I had you on, we quickly realized that this was going to be a two part episode.
There were way too much stuff to cover that.
We quickly, even before hitting the record button, we realized that.
Right.
There was a bit of discussion before.
They were like, oh boy, there's some more to chat about.
Yeah.
The last episode was not even your focus or area of expertise.
This was more like a side thing you do on the side.
But today we're going to talk about what you actually like to do for a living.
And your focus, my true passion.
Your true passion indeed.
And that is to do fiscal pen testing, Covid entry.
Right.
Or how would you define that?
I don't know how I define it.
It has lots of names, isn't it black teaming, covert physical entry, social engineering, smash and grab.
I don't really know, like to find how I'm the guy that breaks in your buildings and then I'll try and get access to your network and yeah, that's me.
And so it's usually a multi stage attack.
Right.
It's not just like, oh, you got, you broke a lock and now you're done.
Because that's usually, that's just, that's not the engagement.
Right.
That's just a means to an end.
Yeah, that's.
It's like, it's.
I like to be.
It's never about just getting in the building.
And that's something that I want to try and chat, maybe chat about this.
Yes.
Just getting in the building.
It's about the impact of having someone in your building.
Yeah.
And if I break into a building, there's no one in it, there's no network, then what have I gained?
Like, you know.
Right.
So let's talk with that.
Like, how does your regular engagement look?
Like what's like, what are people hiring you to do?
That's maybe start there.
I don't know why they hired me.
I'm not gonna lie.
I wouldn't hire me.
So they tend to be a little bit more of a drive to trying to scare their board members to say, yeah, this is doable.
To get budget is usually say like, oh, some crazy guy from PTP has just broken in and we need to get budget to actually change stuff.
Right.
And your engagement, a general engagement goes over like a few different phases.
You've got your osint so just advanced Googling, basically just Google.
Yeah.
So open source intelligence gathering.
And basically you go, okay, I am targeting company A.
I need to learn everything about company.
I want to know where headquarters are, what it looks like.
And you'll build up a picture about what that building looks like.
And then you go on site and you go, right, first things first, I need to confirm what I know.
And is it actually true?
Like, is there suddenly, you know, there's scaffolding on the building this week or something, you know, people, it changes.
So you need to confirm that.
And then you just work on a.
Work on a way in.
So you just sort of start watching people, trying to gauge what they look like, what people wear, where their badges are, how they act, where the client is.
Like, you know, in London, for example, you get like skyscraper.
Generally a company doesn't own the entire building.
So you look at where they are in the building and yeah, just trying to.
I aim to emulate a member of staff because like these buildings are meant to let people in.
They're meant to let the right people in.
So you just want to be one of those right people.
Right.
So what's your go to?
Like, who do you like to impersonate?
I like to impersonate me.
So I don't.
Generally, I don't use a fake name or anything like that.
You can, I can always imagine a bad exam, a bad thing where like if you were walking away from someone and somebody used to come out, oh, Tony.
And you don't turn around because Tony's not your name.
It just.
That's really hard to explain away.
It's.
It's easier to lie when it's founded on truth.
Cover stories to cut off like.
Or Personas to bear in mind.
Yeah.
So I go as Warren and I come from.
It is usually my thing because I look like someone that works in it.
Like, look at me.
I look like you're stereotypical IT guy.
Right.
So that's what I go for.
And it gives me like, it's a nice cover story to give me access to or give me a reason to look at your computer generally give me a reason to be in the data center, that sort of thing.
But I, I tend to not.
I don't like talking to people if I can get away with it on site.
And there's.
Yeah, I don't like.
Social engineering should always be a backup.
But it should never be your sort of first.
First thing you do.
Right, Right.
All right.
So you're hired by this company to basically say how good in my fiscal security.
And that is essentially a means to an end to plug in some kind of device on their network to basically bypass all their perimeter security.
Right?
That's usually the game, right?
Yeah, absolutely.
Yeah.
It's like you've invested X thousands on firewalls and EDR and all IPS and everything like that.
But if I can walk in and literally plug in, or like some people are not even interested in you accessing their network, like, how much of impact to a bank would there be of you walking into a data center and sticking an ax through all their stock trading servers?
That's arguably a bigger impact.
So sometimes it's just getting access is what they're interested in because they're like, look, you just being in that room is a risk.
Yeah, yeah.
Okay.
So that obviously varies a lot depending on what kind of building you're going into.
Right.
So if you're in central London and trying to get into a shared office building versus going into a data center with like man traps and whatnot, that's a very different engagement.
Right.
And if.
I mean, I'm sure people who are listening have been to sophisticated data centers.
Like I've been to DCS where there are like two man traps to even get into the building.
Right.
And like, yeah, you're not gonna talk your way in there probably.
I mean, even if you're meant to be in there, you probably can't like explain away why you need to be in there.
Like I like to think of it and a few of my like, colleagues and stuff like that.
There are three types of building in this world.
There's buildings like normal offices.
They're built to let people in.
It just happens to be the right people.
Right, yeah.
Built to let people in.
A data center is built to keep people out.
People don't need to be data center.
Only computer needs to be in a data center.
You just built to keep people out.
And then you got prisons.
It's built to keep people from leaving, you know, and it's.
There are probably more.
And maybe paraphrasing, I'm sure some of like, oh, didn't mention this, but like, you know what I mean?
It's.
So a data center is a completely different ball game than an office building in London.
Yeah, that's.
You tend to need sort of cyber assistance on that because there's like almost like a staged attack.
To get into a data center, first you need to be able to actually be allowed, almost be allowed into the data center.
Because no one's going to just let you in.
Yeah, you can't talk your way in there.
You can't talk your way in.
Like it's.
Well, at least it's bloody difficult.
Like, I know people are happy, but it's not something you should plan for, in my opinion.
There are stuff like card cloning and stuff like that, which is, I mean, I've got a lot of.
I like car cloning.
We can go into that.
We're going to talk about that at length later.
But yes, EU interviewed Iceman a few months ago.
Iceman's weird.
Love Iceman.
So, yeah, and so car cloning is obviously going to be a thing that you would have to maybe employ for a data center.
Because you can just let yourself into a data center.
You still have a bit of an issue about because there's generally like a key box usually in a data center.
Like keys for different network cabinets and whatever.
We've all seen them.
It's a different ball game.
Center is an entirely different beast.
Yeah.
All right, let's talk about more like an office building then.
So like you done your recon, you know, like what you're dealing with, you know, you go into the right building to start with.
Right?
That's, that's an important.
Make sure, you make sure you break into the right place first.
First and foremost.
So, so you roll, you rock up, you kind of, you dress the part, you look like somebody from it.
You go to the, I mean the receptionist, the first gatekeeper most likely, right?
Usually, yeah.
So I tend to try and avoid the reception because the receptionist is usually the most dangerous person in that building.
Seconded to maybe the PA of some high board member.
You get the receptionist, they've got a level of power without being in charge.
Right.
They are the first, like you say, the first gatekeeper and they have that power.
They allow people into the building and they're generally very dangerous.
On a social engineering engagement or like a physical compromise, if there's a back door, I will always choose the back door rather than go find the reception.
Sometimes you can't do that because like London for example, generally it's multi occupancy and you got one big reception on the ground floor or something.
At that point you just, you've got to go through past the reception and hope to God that they don't look at you.
But then that all goes back to.
Do you tailgate then?
Is that your first plan of attack?
I don't, I don't like tailgate for Me is a non persistent attack.
My objective is always to get persistence into that building so I can go into that building as and when I want.
And my objective personally is, well, how does everyone else get into that building?
Like I look at that, how did everyone else get in that building?
And generally it's a card, right?
You get, you know, that's where I've spent too many years looking at access control systems, at how they work.
I know like how they work, the full system.
I know like generally I'm not gonna say I'm some sort of genius, but like I understand how an access control system works.
I understand a lot of different cartechs and that's what I, I specialize in identifying what card tech they are using in a covert manner and trying to work out what card set they use based on the readers, based on what they look like, you know, where they are.
If it's hflf, whatever, but that's.
Then I would target that to get me access.
If that doesn't work, say they're using some crazy expensive, you know, hid SEOs with custom keys and all this jazz, then I'm gonna have to tailgate because it's not going to be cloneable in any realistic manner.
Let's go back to the scenario where things are clonable.
Right.
So imagine you have some kind of gate which is what you'll see in most office spaces.
Right.
Or most semi sophisticated office spaces.
Right.
There's some kind of gate with RFID badges.
Right.
So you know what the part should look like your it you want to get into the building.
Probably the target you're going after tend to be something related to it as well.
Right.
You're not going into like finance buildings that you go in like.
Right.
So probably going to be looking like the part.
Right?
Yeah.
So generally every company has an IT department.
Yeah.
Especially in 2025.
I've broken into a lot of banks, a lot of tech firms, a lot, you know, a few government buildings, stuff like that.
And they've all got an IT department.
Like there's no reason you, like I wouldn't break in wearing a hoodie.
I've never broken wearing a hoodie.
Especially like squid game on it.
But like it's so you need to measure what they look like.
Like for example, I broke into a building last week.
Okay.
I was in engagement last week and I broke into a building.
They were wearing casual but like smarter than a hoodie.
So they wore like polio shirts and jeans.
I wore polo shirt and jeans.
It's because you need to be.
There's the gray man mentality.
I mean, if it hasn't read that there's a gray man, there's a whole blog post online if you search gray man, it's brilliant.
Okay.
You almost want to blend into the background.
You want to be visible but invisible.
Right.
And you don't want to stand out.
Right.
And that's why you have to just judge what everyone else is wearing and do that.
Right, Right.
Okay.
So you now look the part.
You know what entry system they're using.
Is your first port of entry then kind of badge cloning or is that you try to get close somebody close enough to somebody in the cafeteria, clone their badge and then just rock in?
Yeah, that's it.
So we tend not to do like a one day smash and grab jobs like you've seen like 10 years ago, whatever.
Like that.
Because you don't have the time to emulate any form of realistic attack.
So these things are generally like a couple of days recon or a couple of days breach and stuff like that.
So you've got a little bit more time to come up with a solution.
So, yes, I will attempt to clone your badge.
Say you're using, I don't know, iclass.
Hit iclass with a default key.
Cartek's widely known and it's been known to be compromised for a good 10 years or something.
Ridiculous.
Someone put the encryption key on Twitter like a decade ago.
If they're using that, for example, I'm going to attempt to clone your card at like a nearby shop.
Right.
There's no reason for me to go in your building and put myself at risk rather than just wait for you to come out of the building and then just clone you out.
You've done enough recon that you know who works there now and maybe like, I guess is access control.
Do you scope enough to know like, oh shit, only this level of employees have access to this building or you just pass tried to get past the.
So the initial thing is you're trying to get past the threshold.
Right, Right.
So you don't know.
I don't know.
You coming out.
If you've got access to the data center, for example, I might be really lucky.
Yeah, right away like the cto, that'd be great.
But you might not.
You have to assume you don't.
All you can see from the outside is I can see you've walked in, you've scanned your badge on that reader.
That's the only.
That's All I can tell was 100%.
And I know I.
I need to scan that reader to get access.
So I turn your badge and I get access past that first pedestal.
So, like, for example, the same job last week we got in, we had persistence in due to car cloning, but we didn't have access to the data center.
So it's like, okay, well, first things first.
Find who has access to the data center.
And we sort of waited outside the data center and luckily saw someone go in.
Like, that's not.
People don't generally go in data centers.
We got lucky in that instance.
Yeah.
And we're like, well, that guy definitely has access.
Right.
So we targeted him and went over to.
You just basically follow him around until you can get close enough and just.
Yeah, we actually waited for him to go back to his desk and then just went over and asked him for the guest WI fi passwords.
It wasn't like asking for a guest WI FI password while my colleague, because it was like I was attacking from the left, talking to him.
My colleague was attacking for the right cloning his badge, which he left on the desk, which was not ideal.
But those sort of things is trying to.
Trying to figure out the next step.
It's all about elevating.
Like, you're not going to.
You're not going to hack a website and instantly get da.
Generally, you know, it's.
It's the next step.
So talk me through a little bit more about the cloning mechanism.
Right.
Because that's what.
What's in your bag.
Right.
For engagement like this.
Because obviously going into this, you have no idea what you're faced with.
Right.
So I presume your bag has quite a few tools in it for various kind of attack scenarios, right?
Yeah.
So my bag is very specialized towards car cloning because that's what I do.
That's my area expertise.
If you were to go over to a black team in America, it may look very different because they tend to do more bypass techniques and like under the door tools and stuff like that.
Right.
That.
I've been doing this a long time and that generally doesn't work in the uk.
Like there's.
So my bag won't look the same as that.
And it's specialized where you are.
My bag.
I mean, you've got the Proxmark, obviously you spoke to Iceman.
My glass came off, which is why it's yellow because I've stuck it down and like, I tend to use that.
Maybe a Raspberry PI that I can use to control it or I can use my phone.
I tend to have big readers for different access cards.
Technologies for range, I assume.
Yeah, range.
So like.
Well, this one, for example, I use this one.
This one is a Paxon P200 which currently working on at the moment.
And that gets a range of about yay ish.
Okay.
Which is brilliant.
And you can put in the bag and clone a card through.
Through someone's pocket.
It's quite simple.
So you basically have that big antenna hooked up to Proxmark and then you just need to get about a foot away from the badge and game over.
Yeah.
So that particular one won't be hooked up to a Proxmark.
That hooked up to.
It's an ESP32 with some custom coding friend of mine, which is obscenely good.
So big to him because he knows who he is.
And so we use.
I use that and then.
But it really depends on what the card tech is.
But you can use a mixture of different tools to gauge an idea or at least a good understanding of what the car take is.
You're never going to get it 100 because you have.
Don't have access to the card.
Like unless you have the card, you.
You can't 100% tell exactly what it's doing, but you can gain a good idea.
Right.
So it's all about taking the right kit to do the right job or to have every eventuality.
So like, access cards are generally two frequencies, for example.
So you've got LF and HF 125khz and 13.56 meg.
Now there's a little tool which I haven't got it to hand, otherwise I'll show you it.
And all you do is put on a reader and it induces current into this little tool.
Right.
It doesn't need logs.
It's not actually a car.
But all it does is blink a little LED when it's a certain frequency.
Right.
So you can narrow the search, essentially.
Yeah, precisely.
So you can put that on their reader and instantly with like, we're not talking, there's a delay or anything.
You just got to be on the reader, which is in the public area, generally.
Because I'm on the outside of your buildings.
Yeah.
And you can tell what frequency of cards you're using because if your only accepts hf, you're not going to be using an LF car because it physically won't work.
So at that point you can start dialing down what access cars they're doing.
Yeah.
Using and then target that one.
Right, okay.
So in most scenarios, as long as you can get close enough, you are a game over essentially in terms of access.
In most scenarios, yeah.
There are systems out there which are crazy good.
Like, I'm not going to say that every system can be cloned because they absolutely can't if you've invested into the right things.
But they're rare, I'm not gonna lie.
Like, good stuff.
It's the Facebook, it's the Microsoft, it's the Google of the world that have enough sophistication to deploy these.
That's it.
Like, it has been honestly a long time since I've seen a car that I couldn't clone in the field.
But yeah, you generally have to get, we'll say about a foot, you know, depending on what card tech it is.
But a foot is your roundabout, you know, distance.
And a vast majority of them are like instant time frame.
Like, we're not taught.
Like, as quickly as you can read your card on an actual reader, I can clone your card with my kit and.
Yeah, go ahead.
Oh, sorry.
And then like, if you wear your card to like Tesco or.
Yeah, whatever, or shop and I see it, then I can clone it without the risk of going anywhere near your building.
Yeah.
And now you have the payload.
Right.
So now you, I mean, usually these are like credit card size badges in most scenarios.
Right.
But you probably then need to disguise your card in case you get caught.
Right.
So, yeah, how do you do that?
Do you take a, do you try to snap photo of that, how the catch looks like?
So you can go to a print shop to print out like a sleeve for it or like, how do you actually go about that?
Or is that a lot of concerns?
There's a mixture.
If you've been really silly, then somebody's put like a really good picture on the Internet because people do.
And that's where it'll be up in like osint, we see it all the time.
Yeah, people.
I mean, you generally see people with badges online, but they're sometimes low quality and you can't always make a forgery based on them.
But like some people are like, hey, first day at company X, here's my badge.
And that's just very silly, isn't it?
Like, you can understand why that would be silly.
So you make a forgery.
Like, I like making forgeries.
They're quite fun to make because it's a fine art and I've got a badge printer right there.
Or we take a badge Printer with us on site and we print the badge in the hotel room, we can confirm it.
Like, we can get photography online.
Sorry, on site.
If you didn't put one online because you were smart.
So, like, if you go to a nearby shop and you haven't put your badge away, like, I cannot stress enough to, like, the end users.
Put your badge away.
If you don't put your badge away and we get like, photo of it.
I've got quite good at photography over the years and if it's on show, I'm probably going to get a picture of it and then we can make a forgery and like you say you just make a forgery.
You.
I either.
You can either print it to like a.
An RFID card if you want.
If you've got a few, like, I've got quite a few but I don't like wasting them, so.
But you can print it to just a normal plastic card and then just put it in front of a car, like an rfid.
Essentially.
And.
Yeah, that's it.
So you don't even need.
You just need a normal plastic card.
Just put it in front of your RFID card and away you go.
Really.
So, like, once you.
Once you've got stuff like a lanyard.
A lanyard is.
Is amazing, you know, especially if they've got custom lanyards and stuff like that.
We see it quite a lot with like the company name down it and stuff like that, which is good and bad.
They're really good in your office because it's really good at highlighting who isn't.
Isn't staff.
As soon as you wear it outside your office, it's bad.
Take it off.
Yeah, because it make.
It highlights you as a target and it's also.
If I get a picture of it, I can make it and then suddenly I'm trusted.
Right.
Right.
Your bag is your, like, single biggest token of trust and it's what I'm going to target.
Any information about it I can get, I will.
Right.
And you go, how quickly can you get a badge or a lanyard printed like that?
An hour.
I do it myself.
Oh, really?
Like the badge.
The badge I can print myself.
Literally, I've got a badge printer, so I don't need to go to, like there's.
You got to be quite sensitive, obviously.
This is client data, so you can't just go to, like, another company and say, print this badge for me.
Right.
If it's a client name on it, they might just get in contact with them and that'll be really.
Of course, of course.
Plus it's client data, so you can't go giving that to everyone.
Yeah, lanyards, they can be really good.
So I've made my own lanyards before where they had like the logo all the way down and you can get like DTF transfers and like basically iron them on and it looks really good.
Or you can get them custom printed companies online, they take about a week or so.
So that's where like if you see.
At that point, because you haven't done recon fully, I guess.
Yeah.
So the color is interest.
So it really depends on what you see on the osint.
Right.
So like the one we've done a while ago, actually their lanyards were literally the same color as their brand.
I'm going to say what is obviously it's client just in case but like it was the same color as their brand.
It's quite clearly going to be the same color as their brand.
You could see it in very bright color in any of the pictures.
So we just went to their website and got the color code of their brand and then just had that printed.
Right.
When were on site we noticed it was identical.
Like we found some in a drawer and it was like, this is literally the same.
I think we even went to the same supplier.
Yeah.
But it also like, I mean it also probably doesn't have to pass too much scrutiny.
Right.
And you probably want to make it look a bit worn out and snake a little bit ragged.
Right?
Yeah.
So that really depends on where, what sort of site you're going to.
I tend to if you go, if you're going into a bank and you need to dress in a shirt or something like that.
Not that you try.
And like I'm not going to pass as an investment banker.
I'm not that sort of guy.
But you need to blend in like we said about earlier.
So I might wear a shirt now that's not a very dirty environment.
That's not a very like rough environment.
So I might only wear it down a little bit just so it doesn't look like it's freshly printed.
Yeah.
Or the lanyard.
If I'm going to like a utilities company and I'm there wearing, you know, high vis and boots and stuff like that, because that's what they wear, then I'm going to make it look a little bit rougher because clearly that would be a little bit rougher in that environment than.
Yeah, of course.
But it's all play to your environment.
Like, it's all like, you need to emulate your target.
Rather than just trying to get in the building.
It's trying to be like, there's always the goal for me and my old colleagues and stuff is like, there's no reason for them to catch you.
Like, the only thing they can pick out in the ideal world is the fact you just don't work there and they don't know you.
Nothing else, Nothing else should be wrong.
Yeah.
You know, but you could just have been somebody started yesterday that they are just not in the systems.
Yeah, Covid really helped with that.
It, like, it was really bad for a lot of things.
Obviously we didn't break into a lot of buildings over Covid because not allowed out of the house.
But like, during, just post, Covid was a nice little sweet stop for physical Covid entry.
Because you're like, well, I started over Covid, of course you don't know me.
Like, like I, I've been working from home for the past two years.
Like this is.
And there is still an element of that in the world where you say, like, I work remotely and I just come into the office for a meeting and that's why you don't know me.
Right.
It's good.
Interesting.
All right, so let's go back to your bag a bit for a second.
Like what?
Like, if you want to rebuild your bag, like, how much is custom, how much is open source?
Like, what if you would start afresh, like, how much would it take to rebuild your bag?
Is that like super expensive hardware or is it like relatively cheap things?
I've got like a random bag over here that I used last week.
Let's have a look what's in it.
So I've got like love a.
Love a bag show.
Well, yeah, don't go wrong.
There's not a lot in it.
Like, I think there's a few bits.
Like, my office is not tidy.
Like, I'm not tidy.
Tidy mind or a tight.
So these are certain things.
Now, this sound may sound really stupid, but clients like it.
So obviously I, I, I'm not, I don't do this illegally.
I do this with the respect of a client.
Sets the engagement rules.
Right, of course.
So this, right now, what does this look like?
Viktor just, I mean, I, I presume that's some kind of receiver of sorts that, I mean, it's a three to create the case, but I presume it's some kind of receiver.
It's actually literally just a 3D printed box with a wire stuck in it.
Like, it literally does nothing.
But to a client, when you leave that on a desk, it's a bug, right?
Now, that's why I put in my bag, because it's so stupidly obvious that this is a bug, but it's not a bug.
So there's actually no risk to the client.
And they're a lot happier about me using this than an actual listening device.
Or plug in a Raspberry PI to a network.
Yeah, you can plug in a Raspberry PI.
So.
But some people, like, broke into an arena and they wanted us to bug the dressing rooms, right?
Because they were like, oh, what happens if you can hear or listen to conversations of talent that come through this arena?
So obviously Raspberry PI doesn't really help too much with that.
But I put this in a bookcase in, and suddenly it's been bugged, but not been bugged, you know?
Right, right.
It sounds really stupid because it's literally just a 3D printed bug.
I remember a colleague was like, warren, I need you to make some bugs that are not bugs.
I'm like, okay, I can make bugs that are not bugs.
Just like, I'm just gonna print this and stick a bit of red wire in it and it looks ridiculous and obvious.
So that's what I did.
Nobody actually would want to try to do any listening devices would make them look like that.
Yeah, exactly.
No one's going to make them look like that.
Like, it's so ridiculously obvious that it was a 70s Bond movie, right?
It's like, I should probably put a little blinky red light on it just to really.
So the idea was like, if a client sees this, say a client goes underneath the desk or whatever we've planted in a data center, and they see this, they should report it because it's so obvious.
Now you can stick.
Like, there are certain things you can do, like a Raspberry PI.
You plug it in and say, like, it do not remove with a big label.
And they're probably not going to report that.
But this.
The objective of this particular bit of kit was it should be reported.
Yeah, yeah.
And that was the objective.
Then I've got big old bunch of keys.
So interesting key rings or like blank.
Keys or just some.
Just some jiggles.
Jigglers.
Okay.
So when you go to sort of a pedestal or a confidential waste bin or something like that, you can get them open surprisingly quick with just a jiggler.
Now you can probably just find the key somewhere in the office.
But you know, a jiggler goes a long way.
Yeah.
Got a selection of default keys.
So these are just a selection I've had many years now and I keep on adding to them.
I've default keys for like cabinets.
So you get into a data center and find a cabinet locked because they're doing it correctly.
If you've already got that far, then the game's up anyway.
But then I've probably got the key or it's like a lift key and you can stop people calling it if you really want it.
Or doors where they've got a.
A kill switch on the outside for the access control system.
Now I don't quite get the logic of why they've got.
They had that but I had the key for it and I just went and it was open.
Now I'm like, what?
Why?
Yeah, so that when that clearly went in the report, I got stuff like long range antennas for Busmark because these are really handy.
So Proxmark tool, this thing went to earlier, signed by your boy that you interviewed the other month.
Great guy, big shout out to him, he's awesome.
And so these are like long range antennas for it.
So it changes the read range from like, you know that to like that.
Right.
And that doesn't sound like a lot.
But if it's in the bag, that makes a huge difference.
Yeah.
If it's in a bag or you put it in a parcel and you walk around the parcel or folder, you've got a bit more maneuverability on that.
And you though you can do an awful lot of things with a Proxmark and a bit of scripting in lure and you can do an awful lot of things.
So you know, if I need to, I will.
Then you got stuff like I don't really use this a lot.
I bought it because it looked fancy.
But you got like the Comedian Ultra, which is a cool bit kit and you can load that up with like card dumps and it can emulate loads of cards for.
You tend to not use that too much because there's not really a.
Not really a reason for me to use it.
Then I've got like a rubber ducky.
Nice.
We're gonna say like.
Yeah, rubber ducky.
So they are really useful.
The Hak 5 tools are generally pretty good.
I don't have an awful lot of them because I don't need them.
But this one's great.
This one.
What payload do you have on it?
This one pulls a lot of information about your av, your host name.
It was a custom payload by a friend.
Colleague of mine.
And basically it pulls a lot of information.
If your AV is on your firewall, if it's on what your domain name is, what your IP address is, all loads of information and then spits it up to a box we control.
Okay.
And that's it.
That's all it does.
And it's like a bit of enumeration to then give to the Red team or something.
But it's not the most covert of payload because it does stuff like nice and whatever, because that's what it does.
And.
Right.
Generally an EDR would catch this.
Right.
What else we got in here?
Antennas, Lots of antennas.
WI FI adapter, which is.
Yeah, but yeah, there's a few things.
But a lot of.
A lot of what I do is based around the Proxmark or stuff.
Like it's in a bag somewhere.
Big reader.
Right.
Usually big readers.
These are big readers.
And trying to determine what your access cards is.
Obviously you've got stuff like Flipper.
You got this.
Mine's got a little nard board on it, which is a.
A present for becoming a father for a very good friend of mine.
Which is the best present.
So, yeah, if you tend to dial your kit into what your objectives are.
And my objectives are generally clone your card because that's how I get it.
So a lot of my personal kit is built around that.
I know a lot of people have a lot more bypass tools than I do.
I don't have many.
I have an under the door tool.
And honestly I've never used it.
I've never needed to.
So talk to me about Emil.
Let's talk a bit about alternative approach, like under door code tool.
Like how.
Talk about how they work.
Is that.
That one extension that you can actually access the doorknob and turn them or how does that.
Yeah, basically.
Yeah.
So it's a.
I would get it out, but it's.
It would look weird on camera.
So I'm not gonna.
But it's meant to be like long bit of thin metal.
Right.
Handle.
And one end it's got like a.
Like a long string effectively.
Right.
And you.
The idea is you poke them underneath the door and you turn it round so that it hooks around a handle on the other side.
Right.
And it's never.
You can't use it for like a little turn knob thing, but if you've got like a hook handle, say like a hotel would be a good.
Good example.
Then hooks around the handle and then you pull the String and the metal sort of like bends and hooks the handle down and opens the handle from the ins.
Nice.
Okay.
All right.
Yeah.
Another interesting thing I've seen quite a few times about in commercial environment, you have a lot of doors that are controlled by magnetic locks.
Right.
That's a pretty common thing with sensors and all that, which opens up a whole different type of attack vector versus a regular lock.
Right.
One of the interesting thing I think is the spray can approach to sensors as well.
Maybe talk about that because I think that's a cover.
That's exactly.
Again, you see this a lot of times in America.
Can they have like different laws on like fire exit and stuff like that?
Yeah, a couple of times in the uk.
But it is rare.
It is rare in you.
But effectively when you walk up to a door internally and it's got like a little sensor and it opens for you.
Right.
We all seen these sort of doors, but on the way in you would maybe have to scan to open the door.
Right.
That would be the scenario about what you would want to do.
If you get a can of air, like a little spray air duster, and turn it upside down and spray it.
It sprays out like white, Right.
It spreads out like a white mist sort of thing.
Yeah, like exactly like that.
Sprays out like a white mist.
Now if you stick that little nozzle through the gap in the door upside down and spray it.
That white mist that's sprayed into the inside of the door will activate the sensor and we'll go, oh, there's movement on the inside.
I best open this door.
And effectively.
Yeah, it's the most.
I love the attack because it's so.
It's so ridiculous to see.
Yeah.
Especially if you do it in front of a client.
They're like when you open that door with a can of air, right.
Like it.
It's like a quid if that.
Right, yeah.
So like if that's your only door for your client, like if that's your only access that you need to get bypassed, then you've got in with like say a quid or like a couple of dollars.
If you're in America or whatever it is and you have persistent access because you do that every time.
Now, the fix for that is obviously out of hours, lock the door, like put a bloody thing on it.
But people die, do they?
Because people are generally lazy.
Yes.
Yes.
Cool.
Let's talk more about other tools.
I mean, let's talk about the lock picking.
I mean, it doesn't sound like that's a very common thing that you do in your engagement but I mean obviously for your type of attacks it is surely a fairly common ping.
Do you don't have a lock picker at all in your kit?
I do, yeah.
I've got a lot picks.
I would love to tell you where they currently are.
I do have lock picks that I do use so I, I'm not going to pretend to be the best lock pick.
I'm not like if you look at lock picking lawyer it looks really easy.
It's not that easy.
Single pins like a complex lock.
It's like oh, you know, click on 3.
He is obscenely talented and I want to express that now, initial access wise, I'm not going to pick your lock because that's not my thing.
Right.
I'm not that good.
I don't need to be that good at it because.
Because it's not very suspicious.
Yeah, it looks really weird.
How can you explain that away?
Right.
If you're, if you caught trying to pick a lock on like the external door, try and explain that away to a security guard.
You're not going to.
Your engagement is busted at that point.
Yeah, but that said, I do pick locks and if I get into the building generally there's stuff like your confidential waste bin and your pedestals and certain cupboards and stuff like that where you maybe keep your cards or your lanyards or your uniform or something like that.
You may have locked that and generally they're not a good lock because they like wafer locks or something like and they, you can just rake them like within a few seconds and they'll be open.
So I don't necessarily need to be a good lock pick because you're not putting good locks on your doors.
Yeah.
So that's that's me.
But yeah, I do have lock picks and I do carry them on a daily.
Not when I'm not working because there's no need to carry them to the nearest Tesco, you know, when I'm going shopping.
But, but yeah, I do have lock picks and they do get used.
Let's talk a bit about the state of lock picking.
Right.
Because we've seen.
I'm not a good lock picker by any means.
But I do find it fascinating.
I do play a little bit with it.
But you've seen a lot of development lately in lockpicking with not bump keys kind of at the start of that, I guess, which has been around for a long time.
But you have like lock guns now are very readily available on like AliExpress and whatnot.
Like, how good are these lockpicking guns?
And like maybe speak a bit about that from your colleagues that I'm sure you have exposure to from them.
Yeah, like I've heard that they're all right.
Like obviously they're very loud, like physically like generally quite loud.
So I wouldn't use them on covert job because you can hear them go at the other end of the office.
And that's again, that's really hard to explain.
Yeah, but like, yeah, I've heard they have their place.
They have their place.
Obviously.
You see like the leashy tools out there at the moment are really good and they make lock picking a lot easier for certain.
Certain keys.
If you got like your Yale lock, which a lot of people use on their front door, that's the one with.
You have like angle that you.
You basically.
Yeah, yeah, yeah.
I've seen this almost like a flat.
Plate effectively with like what looks like, but it's not a key.
And then you've got like a little arm almost and it goes like at angle and it tells you where, like how far to put it in for each one of the pins.
So a lot obviously as has pins and you need to pick these pins in order to align them and open the door.
And what Alicia does is it tells you where the pins are and then you can, you know, tension a little bit and it will pop open the door.
It makes those locks an awful lot easier.
Now I'm not going to say they can pick every single lock because you've got security pins and other things going on make it much better.
But yeah, they're really good tools.
But they're like 70 quid a piece for like each different type of lock.
Yeah.
And I just haven't invested in that many because I haven't.
But it's essentially like doing single pin picking.
Yeah.
With.
In easy mode.
Precisely.
It's like single pin picking but like it tells you where the pins are.
Right.
Tells you if you pick them.
And it's like, well, yeah, this is brilliant and it makes life an awful lot easier.
I should probably pick some up but you know, haven't got around to it.
I've had in my basket that.
I mean, I know you can buy the good ones.
Like, I know.
Well, looking a lawyer has with his company with what they called blank on the name.
Yeah, yeah.
They have some high quality ones but I, I've had them on basket I'll express a few times, like let's just get my finger on them or hands on them to see how they are.
But I never actually got around to try them out.
But the COVID Cover Instruments shop.
Yeah, it's a frequented quite a few, but.
Oh, shiny.
I should probably.
Yeah, it's hard not to be tempted by that.
Cool.
So you mentioned elevators before and I think that's a really interesting attack vector as well.
Because I mean, getting into the physical building.
Cool.
But it's about elevating access within the building and accessing levels that you're not supposed to be accessing as well.
Right.
Data centers being one of them in corporate buildings.
They're probably off in the basement that are restricted.
Right.
Let's talk about elevator hacking.
All seen those things.
Like, oh, if I press all these buttons simultaneously, you can do this.
You all read these articles online, like how you bypass elevators, right?
Like I would say 9 of that bullshit.
But like I'm curious about your thing, your reasoning on that.
Yeah, honestly not my area of expertise, so I don't have a lot of information on it, but I can hypothesize.
Right.
Yeah, sounds a lot of bullshit to me.
But like it's.
What are you going to gain like what are you going to gain from that other than going to a floor?
May not be able to, but then you just buy a key, like I bought the key for the elevators and just go.
And it'll lock it.
Fire brigade.
And that'll generally let you go to whatever floor you want to.
You don't need to hack them like the keys available on ebay, you know, and just do that.
It's a lot easier, you know, take the easiest way out.
You don't need to.
Don't need to be all fancy.
Just.
Just buy the key.
It's like three quid.
Fair.
Oh, fair enough.
Well, yeah, that's.
That sounds like an easier path.
Yeah.
Cool.
So I think this episode warrants a bit of conversation about the magic of the Hive is vest.
Right.
And I think that's something that we spoke about before we hit the record button last time.
It's just how often do you utilize that?
Because obviously you try to blend in, but sometimes posing as a BT engineer or whatever, something like that can get you into a lot of place as well without people batting it out.
Yeah, it can.
So that's tends to be quite an old school attack nowadays.
So you tend to not have to go, oh, I'm here to inspect your fire extinguishers.
Or I'm the BT engineer, whatever.
Because generally you have like a work permit.
Like, that's how these people work.
They have a work permit.
They are allowed to be there.
And it's very widely known that BT engineer is going to be there.
A fire extinguisher inspector will be escorted generally.
Or like, because you can't get access to everywhere, so you're going to be escorted.
So what can you do?
Like you're in.
Like we said earlier, it's not about getting in.
Getting in generally isn't the hard bit.
I'm not gonna lie.
Getting into a building is.
I find the easiest bit.
It's getting into the right places in the building that makes it hard.
And if you get in, that's where you can like elevate your access and go, okay, well, who do I need to target now?
Do I need to social engineer anyone?
To go?
I need to get in there because I, you know, I'm doing a bloody audit or something.
I'm doing your.
But you're already in the building at that point.
Right, Right.
Okay.
Trust, you know, you have to, you have to come from a place of trust with anything.
Like if I'm going to question like the receptionist, for example, like, for some reason I need to question the receptionist, I tend to avoid them.
But say on this instance, I need to question them.
I'm never going to come from the outside and then go and question her because she.
I'm not trusting them.
Yeah, yeah, you're, you're coming from public area and trying to, you know, ask me potentially sensitive information.
I'm going to make sure I come through the barrier from the inside.
Make sure maybe I make a little bit of noise, maybe I bang my bag or something like that.
So she glances over and sees me coming through this barrier and sees me coming from a place of trust and then go to hell.
You know, it's all about.
There's a whole science to it, clearly.
But, like, it's.
Yes, social engineering is, is a dark half, really.
But yeah, I mean, I, I find social engineering one of the most fascinating parts of this whole thing.
Right.
And I mean, DEFCON has this social engineering village where they do like, competition, like on the air, literally.
Right.
So maybe speak a bit like how, yeah, how are you doing social engineering?
What's your, how do you usually go about that?
What's your strategy generally for social engineering?
Or if there is one?
So I tend to, I, I wouldn't say I have A strategy.
Like, I, I tend to just be friendly.
I know it sounds weird.
Smile get you a long way.
Smile will get you an awful long way.
Especially, especially in England.
We're very trustworthy and we don't like confrontation.
Yes, we can play that.
Brits in general are very vulnerable to social engineering or certain kinds of social engineering.
If nobody's ever going to do anything unless they want to do it, that needs to be.
You need to.
Any.
Anything you want to do, anything you want to, anyone you want to compromise, anyone you want to target.
They're never going to help you unless they want to help you.
Rule number one, social engineering.
You have to make them want to help you before they will help you.
Okay, so it's the thing I said about earlier with the guest WI fi that didn't really fit that bill.
Like, there was no reason for him to want to help me other than him feeling like he is helping me.
But, like, generally you need to give them a reason to help you.
And then you target that.
If you're friendly and you smile and you ask them about their day, engage in conversation.
Yeah, so I did a job last year, right.
I broke into.
Broke into a building.
Bear in mind, at this point, I had full access, right.
I had cloned a card, got access to where I needed to be, and just wanted to push and get more access because I'm never quite happy.
Yeah.
So I'd walk past the receptionist a couple of times.
I made sure, like, she'd see me, had engaging conversation.
I'm not gonna say her name, but she was lovely, really nice lady and engaged in like, oh, okay, her back was bad and all this sort of stuff.
And you build up a rapport with your target before you target them is.
Is what I, I tend to find works a lot better.
So by this point, were already, I'm also going to say firm friends, but like, she already quite liked me, right?
She didn't know what I was really there to do, but she already quite liked me.
So when I went back later on, this was all to build up a rapport.
When I went back later on and said, hi, you've got access to the access control system over there.
Can I jump on that PC?
I'm just doing an audit at the moment.
Can I jump on that PC?
And she's like, oh, yeah, absolutely no problem.
Because she already quite likes me.
And so you have to make her want to do it.
And it was all about that.
It was all about making her want to help me because she liked me.
Okay.
And then she's like, oh, do you need me to log in?
I'm like, whoa.
Well, yes, I do.
Yes, please.
Thank you very much.
So she logged into the access control system and then she just left me with it.
She's like, oh, back in a minute, Warren.
I'm just gonna go to the toilet.
I'm like, oh, no problem at all.
This is brilliant.
So I just had unfettered access, the access control system and the reception for like five, ten minutes.
I'm like, you realize how much damage I.
I could do?
And did.
Because it led on to me compromising the entire access control system and dumping the entire database of everyone.
So that.
That was.
That was fun.
But, yeah.
So it's all about.
With social engineering, it's all about not.
Only can you elevate your own access, but you.
Yeah, I had everyone's access at that point.
Yeah.
I mean, I could get everywhere.
Like, I could get people I could get.
Place my point of contact couldn't get to, which was quite funny.
And he's like, oh, I don't.
I haven't got access to that.
That room.
I was like, well, I have.
So it's.
It's the social engineering.
It's all about building a rapport with your.
With your cl.
With your target.
Right.
It's all about making them want to help you.
Right.
And want.
Nobody wants to be vulnerable.
Nobody wants to be targeted.
Nobody wants to do any of that.
But, like, if you make them your friend, they will.
They will just divulge everything, which makes Brits really vulnerable.
That's what I tend to.
Sounds really harsh.
That's why I tend to exploit in people because I tend to be generally quite friendly to people and people generally want to help me, which is brilliant because I want them to help me because I'm trying to hack them.
And it's so.
It's.
Right, it's fun.
Interesting.
Good stuff.
All right, so I think let's wrap up with some war stories, because I'm sure you have plenty.
So let's maybe turn the tide, turn over to war stories of, like, what you've learned, what you've seen.
And.
Yeah, I'm super curious about that.
Yeah.
So, right.
I'm trying to think.
There's.
I've broken into about four, 50 odd buildings or something.
Ridiculous.
So there's a.
There's a few.
There's one.
There's a couple that stand out.
Right.
There was this job, me and one of my best Mates did.
And we happened, like, and this is very rare, but the hotel happened to be literally across the road from the target.
And that doesn't happen every day.
Like, so we're like, well, we need to get in that hotel because we can see the target from our hotel room.
This is brilliant.
So we did.
We got in that hotel.
Not the best hotel, right, but it was brilliant for that.
And we had, like, a camera and everything like that propped up at the window.
Like, we have to do this because this never happens.
So we did all that, right?
And were struggling to get in at this point.
We're like, okay, we're, you know, we're trying to.
Trying to find a way in.
And kept on getting, like.
It was like a massive complex, right?
And as soon as you went into the complex at wrong point in the day, generally someone will question you, like, okay, well, we have to try and figure it out.
We had a forge.
Everything like that.
Getting a forge wasn't a problem.
We knew the access control system by this point.
At this point in history, it wasn't easily cloneable in the field.
It is now.
But hindsight, you know, it's fine.
So at some point during the engagement, we saw this random person.
Random person just come out of this little door from the.
From the canteen.
And were like, oh, my God, they use that door.
At that point, we'd only seen some people use the front door, right?
And we're like, oh, my God, they use that door.
I mean, like, that's.
That's our way in because that's not the front door.
So, like, I'm running over there now and left him left in there in the hotel room, and he videoed it and then sort of chilled outside this door.
And somebody else came out, and I got instantly.
I was like, happy days, Breach.
Let's go.
Now.
The fun was tailgating in or like, you actually.
Get in.
So as soon as somebody opened the door, I tailgated in after them.
And I was like, right, I'm in.
Make sure you had push by an exit, because you don't want to get locked in a building that really sucks and stuff like that.
The next day, we had to do it again, but we had to get persistence.
So we divulge this massive plan.
And were like, so maglock.
It was on a maglock, and if you put, like, one single piece of duct tape on a mag lock and then let it shut, it feels like it's shut, but with a little bit of force, it'll pop open quite Easily.
But to a normal person, it feels like a shot, right?
Like even just that thickness of a duct tape is enough to reduce the mag force by enough.
And it's brilliant.
So we tailgate in again.
I tailgate this one person.
My colleague tailgated me.
Behind me.
I had the tape on the inside of my coat.
Bear in mind, it was lunchtime, so the canteen was full and I quickly pulled a tape out.
Oh, yeah, there was so many people in this canteen.
But we had to do it, we had to get persistence.
We're like.
It was a measured risk at this point.
And I quickly slapped this duct tape on the maglock.
Now, because it had been open for too long, the alarm started to.
The door started to alarm and it was like, beep, beep, beep.
Silence, Silence across the canteen.
And we're like, oh, God, what do we do?
And me and my colleague were just like, meh.
And just laughed it off.
And then suddenly everyone was like looking at, going, and this carried on.
Sometimes the most simplest things are just like, stupid door, you know, idiot.
Like, what the hell?
But that was it.
We got some.
That door.
We came back later that night, we could open that door, that was fine.
And then we completely ran out of their office and did what we needed to do.
So we got access to obviously their domain.
We got access to.
Oh, wow.
One of the objectives was getting to their data center.
Right now it was a false ceiling.
And we didn't have badge at this point.
Like, if I did this job now, it'd be a very different job and I would just clone the badges because I know how to clean the badges.
But we didn't at that point.
But it was a false ceiling and I'm like, I wonder if the wall goes all the way up.
So before I knew it, my colleague had found a ladder.
It was like 8 o'clock at night at this point.
He'd found a ladder.
And we had a ladder outside the data center, just lifting up, ceiling.
And we're going to know the ceiling.
The wall doesn't go all the way up.
It was sort of like Happy days.
And there was like a push button exit which were trying to reach and stuff like that.
That was really good fun.
That was a really fun job.
We got absolutely everywhere and the climb was suitably terrified.
It was good fun, really good fun.
What else have we done?
I imagine.
Yeah.
So I broke into a bank in Amsterdam a few years back and we had.
I had one, I had One day.
So basically I, I had one day free in my schedule and the guy that was leading the job like, look, I'd rather have you for one day.
Then it was quite nice of him, it was like, than anyone else for a week.
Because I trust you, I know what you can do.
He's worked me for years, so I was like, okay, I mean I do what I can.
Like I don't think we're going to get in a day like, that's not going to happen.
It was a big bank, like a big well known bank, right?
But I did, I managed to tailgate the whole way in because we couldn't clone the badges at this point.
Again, it was quite a secure system and I believe it still is quite a secure system even by today's standards.
So I tailored all the way into their office, found that the objectives was to get into the stock trading floor and it was like a, you know, the tubes, right?
It was tubes to get in.
I was like, can't tailgate through that.
Like that's not, that's not doable.
Looked around a little bit, but the objective was basically get in, prove you can get in and then get out.
That's all, that was all I needed to do.
I didn't need to do anything.
I didn't need to go in getting any network access.
It was prove I can get in, prove I can get out, end off.
I was like, okay, well I'll stick to objectives then.
So I chilled out in the bathroom for a bit because adrenaline's on high obviously.
I was like, right, let's give it a go, let's get out.
It was a tailgate on the way out because it wasn't a push button exit.
So I was like, okay, well I've got to try and get out somehow, right?
So I went out for this door, beeped my badge because I had a badge that beeps.
It just didn't open the door.
And sometimes that's all you need, right?
It's that level of trust.
And I was like.
Then called back to the receptionist, I was like, oh, can you buzz this door open for me?
And she's like, who are you?
I'm like, well I'm Warren from the London branch.
It's like, who are you?
Before you know it, this is the only time it's really happened.
The only time I've ever really come close to getting caught.
We know she was next to me, security guard was next to me, head of facilities was next to me and they're all going, who the bloody hell are you?
I'm like, I'm worried.
I'm here for the London branch.
I'm here for a meeting.
And she's like, who are you here for the meeting with?
I was like, I'm gonna be honest, it was a Dutch name and I can't really pronounce it very well.
Just play dumb.
Sometimes you gotta play dumb.
And I can't really pronounce it very well, and I've got no signal up here on my phone.
If you can let me downstairs, I'll find out who it is.
I'll get them to contact you and we'll get this straight up.
And that was the.
I was like, I just need to get out now.
I don't need to tell them who I am.
Really.
Yeah.
I just need to get out.
And then for them to be on my side.
Yeah.
And she's like, okay, yeah, that's.
That sounds all right.
And I was like, well, who should I get them to contact?
What's your name again?
Social engineering.
Put it back onto her.
Make her feel like the target.
Make her feel like she's under scrutiny.
So they're on the defensive.
And she's like, Said her name.
I was like, and then you play stupid and you're like, as you probably gathered, I'm pretty bad with names and I'm not going to remember that.
Can I take a picture of your badge?
And she's like, yeah, okay.
So she held her badge open like this in her palm, and I just took a picture of it.
And I'm like, well, that was silly.
I don't know why you did that to me, but thank you, because now I have a very clear picture of your badge.
I can make a very good forgery off of that.
And then she's like, sorry for all of this.
It's like, sorry, we're just doing our job.
Which is the best thing to hear as a social engineer, because you're like.
You're like, it's okay.
I know you're just doing your job.
It's okay.
And the security guard was like, I'm going to have to escort you out.
Unfortunately.
I'm like, that's great.
In my head, I'm like, this is great because I can't get out.
You're going to let me out.
This is brilliant.
And he escorted me down with him in the left.
Turns out he used to live in London.
All that jazz were chatting about.
I know, I know a bit of London.
I've never lived In London, but I know London.
And chatting about London.
And he's like, cheers, mate.
I was like, I'm just gonna go grab a coffee and I'll get him to call you.
Be no problem.
He's like, yeah, no problem.
Beeps me out.
Never went back.
Why would I go back in there now?
I'm like, I'm gone.
I'm gone.
So just like.
I'm like.
I was like, yeah, I got in, dude.
But, like, this is what I see.
And tell the intel.
Give them the debrief about what happened.
I'm like, look, there's.
There's tubes.
They're using this car tech.
It says, scan out.
The receptionist is really on it.
Fair play.
And this is what you can do.
And he's like, dude, what the hell?
And then, yeah, there was work after that.
And he was like, I'm going to talk to the client, because this is probably not.
Yeah.
And it changed a little bit, but I was like, oh, that was close.
Almost got caught that time.
That was the only time I've ever really almost got caught.
I've never been caught.
Otherwise.
I just sort of.
What else have I done?
I've done a few.
Broke into an arena the other month.
That was fun.
That was a really big arena.
Broke into one of them with a colleague at ptp and, yeah, we got access everywhere.
Like, some of the doors were, like, hinging off and we could, like, push the door and press the push button, exit through the gap it made in the door and all that.
I'm like, this is.
This is bad.
That was really good fun.
We got on the roof of this arena and everything.
It was.
Yeah, that was really good fun.
There's probably too many war stories to really list them all.
It feel like I'm just gloating about cool stuff, but, yeah, it's a really fun job.
It sounds like it.
I guess the last thing I want to wrap up with is if you were to give advice for somebody building a company or building an office, rather, what's the one thing they should get right?
Like, in terms of, like, making your life hard?
First and foremost, staff.
Security awareness.
That is the biggest thing.
Make staff realize that they are part of your security posture.
Make staff realize that just taking their badge off when they leave the office is such a huge win for the security of that company.
Like, it sounds stupid, but, like, simple things like that really impact somebody trying to get in your building from, like, a persistent way.
Like, tailgating is always potentially going to be a problem.
Like you can always get alarms around it.
You can like highlight tailgating, but it's security awareness fully that's going to stop him if somebody tailgates and the alarm goes off.
Investigate that bloody alarm.
Like don't just happen.
Don't just laugh about it.
That door that went off in my story like that's good.
That's a security feature on the door.
It's been open too long, could be tailgated and no one cared.
Like.
Yeah.
Everyone just laughed it off.
Right.
Security awareness, mate.
Like first and foremost, if you like, people should be aware that they have a place in security of a company.
Yeah.
And for access control systems, what should people avoid?
What.
Let me ask you this.
What is completely game over in terms of security?
Don't use HID procs.
Don't do it.
Like it's.
Don't.
I know it's cheap.
Don't do it.
It's really bad.
Largely Paxton net 2.
You see it everywhere.
There's some fundamental issues with that system that mean it can always be cloned and there's not a lot you can do to stop it.
I wouldn't, I wouldn't recommend that.
There are some really good systems out there.
Like it's not all doom and gloom.
And I've put a couple of blog posts out if you want to check PTV's website.
One of their.
Put a couple of blogs that.
So you.
Oh man.
This is the whole, this is a whole subject but like a card, you've got your effect password on it and password to the door.
Like to feel like the password that will open the door is your auth data.
Right.
And how that's secured on the card is what makes it a secure card.
Not the card itself, not the technology is how you've chosen to secure it on the card so you can have like hit SEOs.
And my fair des Fire are like two of the big players in security field about their really good cards and they can be configured in an incredibly secure way unless you encrypt the data on the card with a known key.
Right.
So like it's like having password as password.
It's like, well, okay, you've got a password but I know, like it sounds.
Like a default credential scenario.
It's exactly that.
It's exactly that.
That default credential is hard coded.
So like every, like HID for example, for hid SEOs that.
That default credential is hard coded like all their readers.
So even if you don't know the key and there's like there's some people that do know the key and there's some really cool talks at DEFCON there were last year about how they extracted the key.
It's not going public as far as I'm aware.
It's never going to go public.
But you don't need the key.
You just buy a reader that has the key.
It's easy, right?
So just make sure the way you make it is change that key.
That's it.
Like you can change the formatting types and stuff like that of your data and make it be like corp 1000 for example, is one that they like to sell as a security feature.
It's not, it's not a security feature, it's.
It's a management feature about how you manage your keys or how you manage your auth data.
The only thing that makes your card secure is your encryption key.
Set a custom one that's custom to you and you'll be fine.
Right, interesting.
And I guess one thing to bear in mind is these readers.
If you can remove the readers from the wall, you can usually tap into the traffic between the reader and the back end and it's kind of game over as well, right?
Oh yeah, absolutely.
That's next level of security.
That's it.
Like yes, you can take a read off the wall.
Say it's like Wiegand or something like that, which is a very well used protocol.
The back end of a reader to the controller, which is usually on the inside of the door somewhere and you can tap those wires like you say and just get the clear text auth data that's been decrypted and everything like that.
Because your reader knows the encryption key I just spoke about to do to communicate with the card, but generally nothing else like post that does.
It doesn't need to.
It's only the reader that needs to talk to the card.
Right.
So if you can tap those wires behind it, you can get it like decrypted and fully clear.
Now there's stuff that protects that.
Obviously you've got different protocols like ISDP and stuff like that is better.
Or you have like tamper switches on your readers.
So if you pull a reader off the wall, it alarms like mad.
And somebody going back to the security awareness, somebody should bloody investigate that because somebody's just ripped a reader off the wall.
Go and investigate that.
There are ways of managing the risk, but it's not, it's generally not good if you can get to the wires on the back end of a reader.
Yeah, yeah, exactly.
So it's always like with all things security, it's finding the weakest link in the entire equation, right?
Precisely.
Precisely.
I like I think I said, I think I quote said it on the last episode we did.
Hackers are lazy.
Like I'm not gonna write some crazy O day to hack you if you've just set the password wrong.
Like it's easier, isn't it?
Yeah, sometimes you just don't.
I think that's a great note to end on.
Again, thank you so much for coming on the show, love.
Lovely to hear your war stories.
It's a fascinating space.
We might do a third episode at some point in the.
Exactly, exactly.
So again, thank you so much for coming on the show, Warren.
Real much appreciated.
Have a good one.
Talk to you soon.
See ya.
Cheers.
Found an error or typo? File PR against this file or the transcript.