https://wehackpeople.wordpress.com/feed


Posts

Covert Instruments: Access Logs Series by We Hack People!
Access Logs, Covert Entry, War Stories, Brent White, Covert Instruments, Tim Roberts
Access Logs: Covert Instruments

If you’ve seen any of our talks or posts the last few years, it’s no surprise that we’re big ambassadors for the Covert Instruments tools. We utilize them in some form or fashion on every single physical security assessment and have built a solid relationship with them as well.

With that being said, we are excited to announce the new “Access Logs” series on Covert Instruments’ website!

We are very grateful to Covert Instruments for the chance to share our experiences, stories and pro tips with you through these articles.

brentwhitedesign
http://wehackpeople.wordpress.com/2026/03/26/covert-instruments-access-logs-series-by-we-hack-people/
Artificial Intelligence in Penetration Testing: Force Multiplier, Not a Replacement
Social Engineering, AI, Artificial Intelligence, artificial-intelligence, chatgpt, Penetration Testing, philosophy, technology

Artificial Intelligence is the latest buzzword in cybersecurity marketing. Vendors are quick to advertise “AI-powered” penetration testing as if machines are suddenly capable of replacing seasoned human hackers…pfft!

The reality is much less sensational: Artificial Intelligence doesn’t replace penetration testers; it enhances them.

Just like the fear and hype that surrounded tools like Metasploit or Nessus years ago, AI is being pitched as the next big leap forward – one that will “automate hacking.” These tools didn’t eliminate the need for skilled testers; they just helped us become more efficient. AI will follow the same path. It’s not a substitute for human creativity, intuition, or accountability. Rather, it’s just another tool in the kit.

Where Artificial Intelligence Actually Helps

AI genuinely adds value when used outside of a marketing pitch-deck. It’s not magic, but it’s practical and it is important that you do your own research!

  • Reconnaissance and triage: AI can comb through OSINT, logs, configs, and assessment data faster than any analyst. It highlights potential weak points, ranks risks, and speeds up the initial sweep in the same way many automated scanning tools do. That means less time sifting through noise and low-hanging fruit, and more time focusing on what matters.
  • Pattern recognition and baselining: It gives testers a broader picture of how vulnerabilities repeat across environments. Over time, AI can spot recurring issues across clients or tech stacks: patterns of misconfigured services and settings, and weak authentication.
  • Reporting efficiency: Anyone who’s ever written a 100-page penetration test report knows how long the formatting and documentation take. AI helps with first drafts, summaries, and recommendations, freeing up time for analysis instead of paperwork. However, the tester still does the final review and makes the adjustments for anything AI overlooked or failed to recognize.
  • Research acceleration: Need proof-of-concepts, CVE write-ups, or exploit references? AI can surface them instantly, pulling from trusted sources and repositories. That speed matters when time on target is limited. It’s not the final say-so, but it does lay the groundwork quickly, often leaving the tester with only minor modifications and adjustments to make before delivering the final product.

AI doesn’t replace the craft; it helps handle the grunt work. The best testers are already using it to move faster without sacrificing depth.

Artificial Intelligence and the Race to Find CVEs

Here’s where AI is making some real noise: it’s finding and reproducing CVEs faster than ever.

Frameworks like CVE-Genie can analyze CVE data, reconstruct vulnerable environments, and even build working exploits in minutes. In testing across hundreds of CVEs, AI successfully reproduced around half of them with working proof-of-concepts, at a fraction of the time and cost of a manual researcher. AI models like GPT-4 have also shown they can exploit known vulnerabilities (“one-days”) roughly 80% of the time when provided proper context. That’s powerful!

However, that doesn’t mean AI is suddenly unearthing new zero-days overnight. These results depend on structured data: detailed CVE entries, existing patches, and reproducible codebases that were all previously discovered and documented by humans. AI performs well when there’s enough context to feed it. When there isn’t, however, and it’s asked to reason, hypothesize, or navigate business logic, it struggles. It also struggles with “thinking outside of the box”. Although it helps with the “busy” work, it still relies on humans to give it the initial data to work off of.

Artificial Intelligence is supercharging the analysis phase, but it’s not replacing human discovery. It’s accelerating what we already do, not redefining it.

Think of it like a tireless intern researcher, who can sift through thousands of reports and code diffs, but still needs a senior-level researcher to interpret what is found and decide the quality and validity of the deliverable(s).

Where Artificial Intelligence Still Fails

AI has serious blind spots and understanding them is key to using it responsibly!

  • Business logic and chaining: AI can spot a SQL injection, but it can’t understand why an app’s workflow allows a privilege escalation or how a race condition forms when two micro-services interact. Those are human-level insights.
  • Context and nuance: AI doesn’t understand what “impact” means to a business. It can’t weigh the consequences of exploiting a live production system or explain why a theoretical risk might not be exploitable in practice, unless that data has already been provided to it. It’s not able to perceive this on its own.
  • Noise and false positives: AI produces volume. Without expert validation, you’ll drown in findings; many of which aren’t real, or “false positives”. Skilled testers separate the noise from the needle.
  • Regulatory requirements: PCI DSS, HIPAA, SOC 2, ISO 27001, and other standards require human validation and methodology. An AI scan alone doesn’t meet compliance…period.
  • Scope and depth: AI performs best on predictable web-based targets. It still struggles with IoT, cloud infrastructure, complex networks, or physical environments. It doesn’t bypass locks or social engineer employees. Humans still lead that domain.
  • Bottom line: AI may be fast, but it’s not intuitive. It doesn’t adapt, improvise, or take accountability – all of which define good testers.

What the Research Shows

Several projects have pushed Artificial Intelligence deeper into offensive testing, and the results are telling:

  • RunSybil AI Agents (2024): AI-chained multiple exploits together on a demo site but failed basic logic on a simpler app. It showed persistence, not intelligence.
  • PentestGPT (2023): Improved automation in reconnaissance and scanning but lost context between phases. It could start a test but couldn’t finish it.
  • PenTest++ (2025): Automated recon and reporting, but required human oversight for exploitation, explicitly acknowledging that human judgment remains essential.
  • CVE-Genie (2025): Successfully reproduced about half of tested CVEs with working proof-of-concept (PoC) exploits, but only when sufficient metadata existed. It’s a major step forward, but not a revolution.

These projects prove that AI is useful and evolving, but we’re still far from a world where you hand an AI a target and it autonomously performs a full, responsible security assessment.

The Human Factor Remains Irreplaceable

At its core, penetration testing isn’t about finding CVEs, it’s about thinking like an adversary.

It’s about curiosity. Adaptation. The ability to look at a system and see what’s not there. It’s about knowing when to pivot, when to stop, and when to press. It’s about creatively chaining vulnerabilities that no script or model could predict. A human tester brings strategy, intuition, and accountability.

We understand context: business goals, risk tolerance, compliance needs, and ethical boundaries. AI doesn’t. It can’t. When the test is over, it’s the human tester who writes the report, explains the risk, answers questions, and helps fix the problem. The machine can only describe what it sees, not what it means.

Conclusion

Artificial Intelligence is already changing how penetration testers work and possibly for the better. It helps us find things faster, write reports quicker, and analyze data more efficiently. It’s a force multiplier, not a replacement. The most 31337 of hackers aren’t threatened by AI; they’re training it! They’re bending it to their own custom workflows, using it to automate the noise so they can focus on the signal.

Because in this field, speed matters (often driven by compliance deadlines, but that is a whole other rant), but so does instinct. No algorithm has ever matched the instinct of a human hacker who’s learned to think like their adversary.

byt3boy
http://wehackpeople.wordpress.com/?p=6475
The Risks of AI Voice Cloning: What You Should Know
Covert Entry, Social Engineering, AI, artificial-intelligence, cybersecurity, Hacking, phishing, Security, socialengineering, technology, Vishing, Voice Cloning

While AI voice cloning might not be mainstream yet, it’s crucial for all of us (especially those in leadership) to understand how it can be used.

What Is AI Voice Cloning?

In today’s fast-evolving landscape of AI-assisted attacks, voice cloning isn’t just a sci-fi concept; it’s an emerging, very real, and evolving threat. Having spent years in the trenches of social engineering and covert entry, we’ve watched these tactics evolve in real time. What started with phishing emails and fake login pages has now expanded into deepfake audio, videos, and cloned voices that can convincingly impersonate real people.

While AI voice cloning isn’t fully mainstream yet, it’s becoming increasingly accessible. For leaders, security professionals, and employees alike, understanding this technology and its implications isn’t optional anymore, it’s essential.

How Could It Be Used? The Vishing Scenario

Here’s the scenario that should make every organization take notice:
An employee receives a phone call. The voice on the other end sounds unmistakably like their ISSO (Information System Security Officer): the same cadence, the same tone, the same personality they’ve heard dozens of times before in all-hands meetings or company videos. The “ISSO” urgently requests a password reset, access to ABC, or approval of XYZ. Everything sounds legitimate…but it’s not. The caller is an attacker using a cloned voice in a live vishing (voice phishing) attack.

This type of scenario isn’t theoretical! There have already been confirmed cases where AI-generated voices were used to defraud companies out of hundreds of thousands of dollars. In one case, a finance officer transferred funds after receiving what they believed was a direct call from their company’s chief executive. The voice was cloned. The call was fake. The money was real.

The combination of authority, urgency, and familiarity makes voice cloning an incredibly effective social engineering weapon, one that bypasses traditional awareness filters because it sounds like someone the victim knows and trusts.

Why It Matters / What to Do

For those of us in cybersecurity, especially in red teaming or awareness programs, the lesson is simple but critical: Voice alone is no longer proof of identity.

We’ve long warned users not to trust emails or text messages at face value. Now we need to apply that same caution to voice communication. Whether it’s a voicemail, a Teams call, or a quick “urgent” phone request, trust, but verify. For leaders, this is an awareness issue that must start at the top. If your voice is publicly available, assume it can be cloned. If your staff regularly handles sensitive data, make sure they’re trained to challenge unexpected requests, even if they “sound” like they’re coming from the corner office.

What Can You Do?

Mitigation starts with culture, not just controls!

  • Educate your team: Make sure employees know voice cloning is real and possible. Use examples and role-play exercises to reinforce awareness.
    Gamify this by offering incentives. For example, those who catch and report the exercise are added to a raffle for a gift card. You could even go further by adding their names to the company newsletter/internal updates to call them out for their wins!
  • Encourage verification: Teach staff to independently verify any sensitive or unusual request through a secondary channel. A quick text or email confirmation can prevent major damage.
  • Implement strong MFA and internal processes: Authentication should never rely solely on a phone call or voice recognition. Require multi-factor verification for financial actions, password resets, or data access.
  • Limit the attack surface: Leaders and public-facing staff should be mindful of how much high-quality audio they put online. Not everything needs to be public.
  • Foster a security culture: Employees shouldn’t fear “questioning” leadership or delaying an action if something feels off. Building psychological safety into the security culture is key.

Final Thoughts

AI voice cloning represents the next evolution in social engineering, not because it’s the most advanced attack, but because it’s the most human-sounding one yet. Attackers aren’t hacking systems; they’re hacking trust! The best defense isn’t more technology; it’s awareness, process, and culture. When your team understands that hearing isn’t believing, you’ve already won half the battle.

byt3boy
http://wehackpeople.wordpress.com/?p=6498
WHP Top 10 Covert Entry Vulnerabilities
Covert Entry, cybersecurity, def-con, hackers, Linux, Security, technology, top-10, top-10-vulnerabilities, whp-top-10

After many years and several covert entry assessments under our belts, we’ve certainly noticed repeating issues no matter the type of client, and wanted to share them with you. These are some of the most common weaknesses we encounter. Each one represents an opportunity for an attacker to bypass physical security controls, often without leaving visible damage or triggering alarms.

Loading Bays & Service Elevators
Back-of-house access points like loading docks and service elevators are frequently overlooked. They may be left unlocked, secured only with basic padlocks, or able to bypass the floor restrictions that are enforced on public elevators.

Examples: Open bay doors, no badge restriction on service elevators, padlock vulnerabilities.

Security Awareness Gaps
Attackers exploit human behavior and a lack of situational awareness to gain access. This includes tailgating (following someone into a secure area), direct social engineering, or leveraging OSINT (open-source intelligence) from social media, employee review boards, and tools like Google Street View.

Examples: Tailgating, social engineering pretexts, OSINT reconnaissance, propped-open doors.

Misconfigured Doors & Hardware
Improperly installed or maintained door hardware can be bypassed with simple tools and minimal skill. Attackers may exploit gaps, outdated mechanisms, or physical weaknesses to gain entry without causing damage.

Examples: Latch slipping, Under-the-Door tool, Over-the-Door tool, outdated hardware, crash bar manipulation, J-tool bypasses.

Misconfigured Request-to-Exit (REX) Sensors
REX sensors, designed to unlock doors when people exit, can often be triggered from the outside. Attackers may use temperature changes, air pressure, or motion to activate them without detection.

Examples: Canned air, hand warmers, reflective surfaces.

Unencrypted Access Credentials
When RFID or NFC badges are unencrypted, attackers can clone or emulate them quickly with off-the-shelf tools. This allows them to create a working duplicate and bypass access control entirely.

Examples: Badge cloning, NFC emulation.

Disabled or Missing Tamper Detection
Access control panels and wiring should have physical intrusion detection (PID) or tamper alarms. Without them, attackers can install rogue inline devices to intercept, manipulate, or override signals.

Examples: Electronic access control (EAC) implants, bypass boards.

Lack of Port Hardening
Open network or device ports inside a facility are a goldmine for attackers. Unsecured USB ports or live network drops allow them to deploy rogue peripherals, HID emulators, or malicious USB devices to establish persistence.

Examples: Rubber Ducky HID payloads, DHCP-enabled ports, rogue keyboards.

Default Keys & PIN Codes
Many access control panels, elevator systems, and secured cabinets use default keys or factory PIN codes. Keyed-alike locks make it possible to open multiple systems with a single key.

Examples: Keyed-alike control panels, default PINs on Linear, DoorKing, or similar systems.

Weak or Insecure Physical Locks
Low-quality locks on desks, cabinets, closets, and fenced areas are often vulnerable to bypass tools and basic manipulation techniques.

Examples: Jiggle keys, shimming, lock picking.

Inadequate Incident Response & Monitoring
Even when a breach occurs, a lack of real-time monitoring or an unresponsive security team allows attackers to continue operations without interference.

Examples: No security guard engagement, inactive MSSP alerting, no 24/7 monitoring.

byt3boy
http://wehackpeople.wordpress.com/?p=6461
Covert Entry: Disguises We Use and Ones We Never Touch
Covert Entry

In covert entry and Red Team penetration testing that includes onsite social engineering and physical/electronic access control testing, the guise isn’t about costumes or theatrics – it’s about perception. The goal is simple: make people believe you belong where you are, long enough to get the job done. A good cover role can drop barriers, lower suspicion, establish rapport, and allow you to move through an environment without raising alarms.

However…there’s a difference between blending in and breaking the law. One can get you through the front door. The other can get you in the back of a police car.

The Roles That Work
Over the years, we’ve refined a set of personas that work consistently well for us in the field — believable enough to pass casual scrutiny, common enough to exist in almost any organization, and most importantly, legal.

  • Auditor: A great assumed-authority guise or “I’m supposed to be here” role. People expect auditors to take notes, look at systems, and ask questions. Clipboards are your friend, and people do not want to fail.
  • Employee / Contractor: With the right badge, uniform, or even just confident body language, you can blend right into the background.
  • Vendor: Whether delivering goods or providing a service, this one works well for locations with regular deliveries. Printer repair, vending machines, data destruction, etc.
  • IT: Almost no one challenges the person “fixing the Wi-Fi” or “running new cables to fix the slow connection.”
  • Corporate Staff: A professional look, corporate lanyard, and the right stride can take you places.
  • Maintenance / Technician: A uniform, a tool belt, work gloves, and a sense of purpose can make people move out of your way. Make sure your equipment DOES NOT look new – dirty that shit up!
  • Building Management Contractor: Particularly effective for leased spaces where building management has authority over shared areas.

Each of these roles has two things in common: they’re believable within the environment, and they don’t require actual legal authority to pull off.

The Hard Line: Roles We Never Touch
No matter how tempting they might seem for instant access or unquestioned authority, some disguises are simply off-limits. Hollywood portrays impersonating several of these roles as routine for spies, monster hunters, security contractors, and more.

Here is the meat of it! In the U.S., it’s illegal to impersonate:

  • Law enforcement officers (police, sheriff, federal agents, etc.)
  • Firefighters or EMS personnel
  • Military members
  • Postal workers / mail carriers
  • Certain regulated utility workers (varies by state)

Why? These roles carry special privileges and responsibilities under the law. Pretending to be one not only breaks criminal statutes (like 18 U.S. Code § 912 for impersonating a federal officer), but it erodes public trust in critical services and can put lives at risk. The penalties can include arrest, heavy fines, and permanent damage to your professional credibility.

The Rule We Live By
If a role would give you legal authority you don’t actually have, don’t use it. No test is worth crossing that line and ruining the reputation of not only you, but your business and potentially more. Every persona we adopt is approved in the Rules of Engagement before we set foot on-site, and we document exactly what’s in and out of scope with the client. Another pro-tip? Make sure that the client points of contact are the proper authority, aka “sponsors”, to approve your tests in both the cyber and physical attack vectors, depending on the assessment type. Too often people forget to include building management or key individuals. Keep this limited to only a few people, but those people need authority and weight, and at least a couple of phone numbers so they can be reached during the testing period.

Listen, we know Covert Entry is the new Benjamin Button in the community now and it seems everyone is offering it, but covert entry isn’t about just using some new tools you picked up at a conference or putting on a costume. It’s about skill, planning, psychology, and the subtle art of being invisible in plain sight. When done right, the disguise isn’t what gets you in, it’s the confidence behind it! Good luck out there and be safe!

byt3boy
http://wehackpeople.wordpress.com/?p=6453
Def Con 33 – How NOT to Perform Covert Entry Assessments
Covert Entry, Presentations and Interviews, BrentWhite, CovertEntry, DC33, DefCon33, PhysicalSecurity, PhysSec, TimRoberts

We are excited to present again this year at Def Con’s Physical Security Village! Below is a description of our presentation. We hope to see you there!

Presentation Description:

Even seasoned covert entry specialists can make critical mistakes. This presentation focuses on how NOT to perform covert entry assessments, addressing real-world failures, Hollywood myths, ethical boundaries, and tactical errors that can put clients, reputations, and personal safety at risk. Participants will learn practical approaches to avoid these mistakes while still delivering reliable and professional results. Open forum discussions, tool demos, video examples, and troubleshooting strategies will be featured.

Topics Covered:
* Real-World Failures and Lessons Learned
* Hollywood Myths vs Reality
* What Gets You Caught (and Sued)
* Understanding Client Trust and Scope
* Safe, Legal, Ethical Approaches to Physical Entry
* Troubleshooting When Things Go Wrong
* Demo: Tools and Techniques That Work (and What Doesn’t)
* War Stories and Lessons from the Field
* Group Discussion (as time allows)

This page will be updated shortly after our DEF CON 33 presentation for the Physical Security Village is complete and will feature information mentioned during the talk.

brentwhitedesign
http://wehackpeople.wordpress.com/?p=6306
Disguise Quick Change to Avoid Detection for Covert Entry
Covert Entry, Brent White, Disguises, Hacking, Physical Security, Quick Change, Red Team, Tim Roberts

Disguises and quick changes that are most useful during covert entry and social engineering assessments do not need to be at the Hollywood level you see in movies. The budget and team required to pull that off are large, and it is time-consuming. If it’s not executed professionally, you’ll be spotted as a fake extremely quickly, and that’s nearly impossible to talk your way out of. Most cases do not call for this. If one does, you’ll know, and so will the rest of the agents assisting you.

For covert entry assessments, the disguises can be very simple and easy to execute with great results. It must be planned and practiced. The backstory and appearance must be believable/convincing enough that you are not drawing attention to yourself. The goal here is to be so incredibly boring that no one remembers you. In the event that someone does begin to approach you out of curiosity or concern, your goal then becomes to quickly change the main attributes about yourself that allow your hunters to lose you.

For example, I have very short, blond hair. The first thing I will do is make it dark and longer. If I’m wearing a dark jacket, I will change the color and style. Even adding a hat and glasses helps to quickly mask certain attributes.

Another example is to match the uniform of the environment, when appropriate. In Tim’s example, the glasses and hardhat are natural for the setting, yet they help cover his hair and eyes. The bright vest and flannel shirt are also fitting. When they come off, removing the white helmet reveals dark hair, and the bright vest and colored flannel are swapped for something darker and very simple, perhaps a darker grey t-shirt. The removed items can be stuffed in a darker colored backpack. There are many options.

Now, you can’t just throw these things together and expect people to be as blind to your real identity as they are to Superman in tights versus Clark Kent in glasses. There are many courses dedicated to learning this art, as that’s what it is. You must know how to skillfully modify yourself not only to throw off those around you, but to fit in with the crowd you’ll be in: how you move, how you act, and so much more. This also includes the movements you must make to change, often in view of the public, and the locations at which you begin changing. Again, MUCH must go into this.

The example we’re sharing with you in the following video is to show the simplicity of the change, yet how effective it can be with proper planning and execution. In this particular instance, we were performing surveillance against a target to gain information such as high-traffic times, guard routes, employee badges, and more. We were located at a parking garage some distance away. After some time, two individuals began approaching our position, as no one had done since we posted there. Out of caution, we made our way to the area shown in the video, where I quickly changed my appearance. I was the only one visible from the surveillance post, so at this point it was only necessary for me to change. That still gives us a few guys “on the bench” for more surveillance from other positions during the day. After I changed my appearance, Tim Roberts, Davis Blackwell and I then circled back in the direction that we came from, with the ability to walk right by the two that were initially heading our way, undetected. Perfect! Whether they were actively pursuing us or not, they no longer would find the guy with the long hair wearing a hat and glasses in a dark hoodie. This took some pressure off of us and allowed us to continue with the assessment unscathed.

If you would like to learn more about our Covert Entry assessments against commercial and government facilities, or for training related to disguise methods, covert entry, social engineering and more, send us a message via the “Contact” page.

#CovertEntry #Surveillance #Disguise

brentwhitedesign
http://wehackpeople.wordpress.com/?p=5484
OSINTion Podcast with Joe Gray
Covert Entry, Presentations and Interviews

On March 07, 2023, we enjoyed conversation with friend and OSINT specialist Joe Gray on his “OSINTion” podcast. Discussions were based around intelligence report writing, rules-of-engagement when dealing with personal devices and individuals, certifications, and of course, social engineering techniques and topics.

We appreciated being on the show and hope that you enjoy watching and listening as much as we enjoyed recording it!

brentwhitedesign
http://wehackpeople.wordpress.com/?p=4915
Quick Talk – Hacker Memory Lane
Fun, Presentations and Interviews, 90s, Brent White, Hacker, Hacking, phreaking, Tim Roberts

Join Tim and Brent as they discuss stories of their early exploits with old-school hacking, phone phreaking, ’90s hacker culture, as well as what motivated them to pursue careers in Information Security.

brentwhitedesign
http://wehackpeople.wordpress.com/?p=4118
War Story: “Can I see that?”
Covert Entry, Physical Security, Social Engineering, War Stories, Hacker, Hacking, Red Team, Tim Roberts

Assessment Type: Covert Physical Penetration Test / Wireless Penetration Test

Target Type: Commercial – Corporate Office

Dark Wolf Solutions Blog: https://blog.darkwolfsolutions.com/blog-1

Assessment Background

At Dark Wolf Solutions, we offer a variety of services from our penetration testers – often these services involve threat simulation not only in the role of criminals attempting to access networks remotely, but also the threat of physical compromise via social engineering and attempts to circumvent physical and electronic access controls.

The primary goal of this particular service offering was to access restricted floors, wiring closets, server rooms, offices, production network(s), shredder bins, hard copies of sensitive information, to test the security awareness of both contractors (security guards, cleaning crew, etc.) and employees, and to plant a rogue AP (access point) to allow us to remotely connect to the network.

When traveling for these types of assessments, we always consider the location of a client’s facilities. Often, we’re fortunate enough that these locations are adjacent to a hotel, café, food court, or a shared facility in general. How does this help, other than the convenience of a nap or food in between efforts? To a malicious actor, one can use this to conduct passive reconnaissance to gather useful information, which is anything from the target facility’s dress code, ingress/egress points, security camera placement, style of lanyards and badges used (if any), tailgating awareness of employees, or simply the names of employees. In this particular instance, we realized just how fortuitous we were when we began to gather information on this target.

Onsite Covert Entry Penetration Test

How fortunate were we? Very! The hotel was directly across from the target facility, with a handful of coffee shops and restaurants connected to the building. One café had large untinted glass windows facing directly into the lobby of the target facility. So, during the morning rush, we had coffee, sat and watched with the best front-row seats imaginable. By simply people watching from the coffee shop, we were able to covertly capture photos of employee badges, determine the type of badge readers used to access a restricted elevator, and see how folks interacted with one another.

As this target was the main corporate office, our usual guise of being from corporate IT or an auditor wouldn’t work. We needed credentials. In the lobby were at least four unarmed security guards in each corner of the open floor plan. Entrance into the lobby wasn’t an issue, but going any further was. The facility used electronic turnstiles, which required valid credentials before allowing you to proceed to the elevator. Each elevator also required valid credentials for whichever floor you were attempting to gain access to.

Once we had a solid idea of the dress code and general security awareness of both the employees and the security guards, we decided to go ahead and prepare some tools in our hotel room. We configured some USB keyloggers and our rogue access point (that we would ultimately attempt to plug into their DHCP (Dynamic Host Configuration Protocol) enabled production network via a vacant and active network jack and/or by changing the MAC (Media Access Control) address on the rogue AP to match something like a VoIP (Voice Over IP), just in case there was any sort of MAC filtering).

Using some of the photos we had taken during our passive reconnaissance phase, we were able to visually duplicate two badge credentials each. One was a contractor badge and the other an employee badge. We had noticed a couple of varying badge designs in use and wanted to make sure that if we got to the target floor(s), our badges matched – so, it is nice to have a plethora of options to switch between when able. In addition to the badges, we had a couple of lanyards to choose from in our tool bag and found ones that also matched what many employees were wearing.

Earlier, during our active reconnaissance phase, we had used an RFID (Radio-frequency identification) diagnostics card to passively confirm the badge reader was operating at 125kHz – this helps us to determine what kind of proximity cards are being used throughout the building. We printed our newly forged identities onto some blank low frequency badges, in hopes of eventually writing valid credentials to them if we were fortunate enough to clone a legitimate badge.

We noticed the computer monitors at the main guard desk in the lobby were visible from the exterior side of the building, on the sidewalk. To not draw attention to ourselves, Brent and I took turns taking pictures of each other in front of the building, while making sure to zoom in on the computer monitors. While later reviewing these images, we were able to determine the main cameras that were monitored as well as the areas they covered. There were also other details given such as operating system versions, VoIP phone versions, and much more.

Once inside the lobby of the target facility, we stood around and waited, with the “We are waiting on someone” excuse, in case we were challenged by anyone. Using our phones as a prop, I pretended to be speaking to a point-of-contact, making lunch plans. If you have seen any of the talks from wehackpeople.com, you will know that Brent and I believe the best time to tailgate or get physically close enough to copy badges is when lunch is starting or when everyone is leaving for the day. Employees are often eager to get out of work and this allows us to exploit the distractions of hungry people and/or the end of the day haste. It was close to lunch time, and we took advantage of this by improving on the guise of “We are waiting for our PoC to join us in the lobby for lunch. No worries.” Standing in blind spots in the lobby was easy enough, but again, the goal of this engagement was to gain access to their network, plant a rogue access device, and try to bypass electronic and physical access controls – all of this also included social engineering as the medium toward compromising the target(s) and a solid evaluation of the client’s onsite security.

While pretending to be on the phone, we walked around and noted how often people did or did not pay attention to what we were doing – specifically the security guards. Brent installed a badge cloning device that would allow us to copy any badges that are scanned on one of the badge readers. However, it was purposefully installed in a way that made it very obvious that the device was there and clearly out of place. We watched as several employees routinely went about their day ignoring the “eye sore” of a device. Some noticed the device, gave it a look or two, and proceeded to badge in anyway.

While we watched the amount of legitimate employee badge scans rack up on the poorly-installed cloner, we decided to also target the security guards. One security guard sat behind the desk in the lobby, surfing TikTok. I decided to walk over to him and our conversation went something like this:

“Sorry to bother you, but while waiting for some folks to meet for lunch I noticed the badge turnstiles! Those are great. I’m curious about the cards you guys use, do you happen to have one of the blank badges behind there?”

At this point, Brent arrived and helped bolster the social engineering attempt, “Did you find out if they are those new HID badges?” He asked me, walking up to join the discussion.

“Not yet, I just asked about them.” I replied and then directed my attention back to the security guard. He had been looking around for a blank badge.

“Sorry, there aren’t any back here.” He did not seem suspicious and so far had no reason to question the two people who looked like they belonged there.

“No worries. Actually, could I just see the back of your badge? That will tell me what kind you guys use.” At this point, I had palmed my small badge cloner and reached with my opposite hand toward the guard. The guard sat there for a moment, contemplating my request, pulled out his wallet, removed his access badge and handed it over. I flipped the badge over and pretended to read the back of it, squinting my eyes, supporting the badge with both of my hands and utilizing my device to copy it within seconds. “Right on! It is the HID-ABC-LUL model.” I smiled, turning to Brent for confirmation, then returning the badge back to the security guard. “Thanks man. We may have to look into getting something like that at the XYZ location.”

“The point of contact is here!” Brent interrupted me and nodded toward someone on the other side of the lobby, who looked important and appeared to be leaving for lunch.

“We will be here most of the week, so I am sure we will see you around.” I waved goodbye to the guard as Brent and I left the building and made our way across the street to a cafe.

After some time, we went back to the hotel room, where we were able to copy the security guard’s badge credentials onto our blank employee and contractor badges that we had made earlier. That evening, we decided to verify that the badges worked and whether they could be scanned at multiple readers at the same time. The security guards during the night shift noticed us as we entered, but we just nodded and kept walking toward the turnstiles, scanning our newly cloned badges, successfully accessing the elevators. Next, we had to authenticate with the access controls inside the elevator. This was the true test to see if we had access to the target floors or not. Success! We scanned the badges, entered the floor number, and were on our way up to the target floors!

The cleaning crew was hard at work but kept to themselves most of the time and acknowledged us as employees just working late. We exchanged some brief pleasantries and immediately found an unoccupied cubicle; the perfect place to plug in our rogue AP. The client’s network utilized DHCP, so getting access to the production network was just a matter of plugging in. After we kicked off some network scripts, we then began plugging in keyloggers on key computers, picking wafer locks on shredder bins, and gaining access to C-Level executive offices, wiring closets, and data centers by bypassing electronic access controls via latch slipping, under-the-door tool, and request-to-exit bypasses.

While walking around the target floors, we managed to harvest passwords and additional sensitive information via a poorly executed “Clean desk” policy. We observed Post-Its with local and domain credentials written on them that would later grant us additional remote access to the entire production environment, security systems, and more. We worked well into the night gathering information, attempting to set off alarms by propping open doors for extended periods, and more. After gathering what we needed and not being challenged by anyone, we decided to call it a night, and to prepare for the next day’s entry during regular production hours.

Without going into too many details, the baseline issues were simple:

  • Lack of security awareness from the security guards, employees, and cleaning crew
  • DHCP was enabled on the network with no controls for detecting rogue devices
  • WPS-enabled wireless access points that enabled us to capture handshakes, crack them, and gain access to both the guest and production networks
  • Poor enforcement of “Clean desk” policies
  • Shredder vendor used poor locks on their shredding bins that allowed us to easily gain access to several sensitive hardcopies containing network details, client details, IP addresses, financial information and more
  • No response to access control alerts from doors being forced or propped open
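As an added example (not the authors’ code, and not something the original post contains), here is a small detector a network team could run over DHCP lease records to catch the kind of rogue device described above: a client MAC that is not in the asset inventory, or a MAC whose vendor prefix (OUI) claims to be a desk phone while its DHCP vendor class identifier (option 60) is not what that phone sends, which is how a cloned or spoofed MAC looks on the wire. All OUIs, vendor strings, MACs and lease lines are constructed for illustration, and the lease line format is an assumption.

```python
"""Flag likely rogue DHCP clients from lease records (added example).
Checks: (1) a client MAC missing from the asset inventory, and (2) a MAC
whose vendor prefix (OUI) says "desk phone" while its DHCP vendor class
(option 60) is not what that phone sends, which is how a cloned or spoofed
MAC looks on the wire. All OUIs, strings, MACs and lease lines are constructed.
"""

# Constructed OUI table: first three octets of a MAC -> vendor label.
OUI_VENDOR = {"00:11:22": "ExamplePhone", "00:aa:bb": "ExampleLaptop"}

# Constructed: the option 60 string each vendor's DHCP client announces.
EXPECTED_VENDOR_CLASS = {
    "ExamplePhone": "ExamplePhone-IP-Phone",
    "ExampleLaptop": "ExampleLaptop-OS",
}

# Constructed asset inventory of registered MACs.
KNOWN_MACS = {"00:11:22:33:44:55", "00:aa:bb:01:02:03"}


def parse_lease_line(line: str) -> tuple[str, str, str]:
    """Parse a constructed lease line '<ip> <mac> vendor-class=<text>'."""
    ip, mac, rest = line.split(maxsplit=2)
    return ip, mac.lower(), rest.removeprefix("vendor-class=")


def assess_lease(mac: str, vendor_class: str, known_macs=KNOWN_MACS) -> list[str]:
    """Return findings for one lease; an empty list means nothing odd."""
    findings = []
    if mac not in known_macs:
        findings.append("unknown-mac")
    vendor = OUI_VENDOR.get(mac[:8])
    # A cloned MAC keeps the phone's OUI, but the rogue box still sends its
    # own vendor class, so the two disagree even for an inventoried MAC.
    if vendor and vendor_class != EXPECTED_VENDOR_CLASS[vendor]:
        findings.append("vendor-class-mismatch")
    return findings


def scan_leases(lines: list[str]) -> dict[str, list[str]]:
    """Map each flagged lease IP to its findings; clean leases are omitted."""
    flagged = {}
    for line in lines:
        ip, mac, vendor_class = parse_lease_line(line)
        findings = assess_lease(mac, vendor_class)
        if findings:
            flagged[ip] = findings
    return flagged


# Constructed lease records: two registered devices, one stranger that
# spoofed a phone OUI, and one box that cloned a registered phone's MAC.
SAMPLE_LEASES = [
    "10.0.5.21 00:11:22:33:44:55 vendor-class=ExamplePhone-IP-Phone",
    "10.0.5.22 00:aa:bb:01:02:03 vendor-class=ExampleLaptop-OS",
    "10.0.5.77 00:11:22:9A:BC:DE vendor-class=ap-firmware",
    "10.0.5.78 00:11:22:33:44:55 vendor-class=ap-firmware",
]

if __name__ == "__main__":
    for ip, findings in scan_leases(SAMPLE_LEASES).items():
        print(ip, ", ".join(findings))
```

The last sample lease shows why an inventory check alone is not enough: the cloned MAC is registered, and only the vendor class mismatch gives it away.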

Lessons Learned

So, what can be learned from this war story?

If you know me, having heard any of our conference presentations or interviews, or having read any previous war stories, you know that we enjoy targeting security guards. Why? They usually hold the keys to the kingdom, and once you’ve established a rapport with them, you no longer have to worry about pesky inquiries as to who you are or what you are doing. There have been far too many times where we have been able to simply sway the guard into handing over their keys. But, there is another reason: Many security guards are willing to help an “auditor” or someone from “corporate” doing inventory. How do I know this? I have used similar guises several different times, without compromising my cover.

Teach your guards to NEVER hand their keys, badges, etc. over to a random “employee” or “contractor” who just so happens to mention other employee names or carry themselves as if they are supposed to be there. Guards are one of the first layers of security, but too many companies often depend on them to be the primary eyes and ears, where the whole employee body should also be contributing.

Make sure that your guards are alert and aware – Guard work can get boring, which enhances distractions (phone, Internet, conversation etc.). Make sure that the guards understand their roles and responsibilities.

  • Always double-check and never be afraid to validate the identity of someone.
  • Someone doesn’t have a legitimate badge visible or isn’t escorted? Escalate.
  • Did someone piggyback? Ask them to badge in and verify a successful result.

Employees rarely pay attention to badge details or authentication attempts. Teach your employees about the dangers of tailgating, to keep an eye out for malicious devices or people standing too close to them, and not to get in the habit of holding the door open for people who do not badge in. It is okay for them to ask questions. And if they are not comfortable doing so, they need to know who they can easily and quickly reach to ask those questions of a potential stranger. It should never just be ignored because the employee doesn’t want to or doesn’t know how to deal with it.

Don’t forget about locks on doors and cabinets leading to restricted and sensitive areas. Keep in mind that you get what you pay for. If you’re in need of high-security locks, or aren’t sure if what you have in place is sufficient, contact your local locksmith, or have us come take a look at them and the security posture of your entire facility. It doesn’t matter how great your electronic access controls are if you can bypass them because of a cheap or poorly implemented physical lock.

Provide robust security awareness training – Again, a good security culture, social engineering countermeasures and enforced standards can prevent a potentially dangerous and damaging compromise. When it comes to physical security, it is more than information that could be at stake.

You don’t have to be paranoid, but in the age of hacktivism and terrorism influx, skepticism and awareness are traits every employee should have. Hackers do not care how hard your network is, if they can just walk in and ask for the keys to the building.

byt3boy
http://wehackpeople.wordpress.com/?p=4032