Sometimes you get in and have no time to do anything; you thought you had the time to get to that server room, to that manager's office. You open your laptop on the floor, connect to that wireless you just cracked and install your backdoor. Then you vanish.
Quick and dirty: in, install, out.
Recon sometimes is just walking and observing. If you know what to look for you can notice things that are in the wrong place. Vulnerable spots and ways in.
Another good thing to have is a small laptop or an iPad. Run a stumbler or signal scanner, stash the laptop or iPad in your pack and just walk. If you find one, mark the spot and return. Try to capture packets and see if you can crack that wireless or bluetooth.
Have a little notebook - I prefer Field Notes or Rite in the Rain - and sketch a quick map of the area and take notes of what you see. Jot down atmospherics: people’s behavior, cars, cameras, points of interest, etc.
Do this a few times and if the atmospherics remain the same you know you have the place down and you can start planning.
Remember: On a day-to-day basis, security is mostly about paying attention.
In the past few years security contractors and other personnel have been engaged in VIP protection: from perimeter security and convoy protection to personal security assignments.
I've done this in the past. I received the training. However, since I am also a geek with red team and information warfare skills I also performed what I like to call *VIP digital protection* or VDP.
C-level executives, VPs, command and other high-level employees or personnel are targets not only on the physical side but also on the digital side. Their laptops, cellphones, iPads, etc. contain a wealth of information that can not only be sold for a lot of money, it can also represent a risk to national security.
Sometimes I get shocked at how easy it is to penetrate a building or a network. People are always the weakest link and because of this I can count on the fact that they will screw up on something.
In network or application pentests this usually translates to simple things, like leaving a default installation of a web server with port 80 open and all the good stuff that comes with it, not sanitizing the data as it is received by your application or database or (my favorite) leaving the default passwords unchanged (can you say *admin* *admin*?).
Like I mentioned a few days ago, I am in the process of finishing an iPhone and iPad app whose sole purpose is to help during the physical recon of a target.
The idea started after getting tired of having to rely on different apps on my devices to perform the different tasks.
Don't get me wrong, these are fantastic apps, but I wanted a unified app that can handle everything and compartmentalize it, secure it and provide support to red team members in the field.
Let's see what I use currently for the recon.
If you’re in public, you’re on camera. If you walk into a coffee shop, the owner gets you at the register. Visit a larger store, and chances are they have your face as soon as you cross the threshold. At least one or two of your neighbors catch you on camera when you walk around your neighborhood, and many cities monitor traffic using red light cameras at major intersections. The question is no longer if you’re on camera, but rather how many different angles you were caught on while going about your day.
With so much monitoring taking place, and with surveillance systems gaining more online functionality every year, it’s natural that securing these systems would become… complicated. And that many are secured incorrectly or not at all. Because so many cameras and surveillance systems are completely open, it’s possible for anyone with Internet access to watch literally thousands of cameras online using only Google and a kindergartener’s understanding of the ‘Net. With a little time and patience, almost any given system, from a set of residential cameras to those used by your local police, can be accessed, viewed, and even reset if not properly secured. Of course, if you can do this, it means that anyone can do it. Feel safer yet?
A while ago I had to perform a physical penetration test in which I was tasked with trying to infiltrate the building of my customer, find the CEO or any other high-ranking executive's laptop and make a copy of the hard drive.
I performed my recon for 2 weeks. The building had cameras everywhere so I had to be careful where I was walking. I wasn't sure whether the security personnel were monitoring the cameras or whether they could recognize me as someone that wasn't an employee, but I didn't want to set off any alarms if I could avoid it.
The big problem was that in order to avoid the cameras I needed to take the elevator. The stairs were a no go, cameras everywhere, but the elevator had a possible blind spot (which I discovered on a recon walk when I went into the building pretending to be a UPS guy). However, in order to take the elevator I needed to call it first. I couldn’t do this because I needed a company access card to enable the call button. So I waited.
A few minutes later someone walked out of one of the elevators. I pretended to be on the phone. As the door was closing I walked right into the elevator.
Tiger Team 101 - Car Dealership Take Down - part 2/4
Part 2 of Episode 1 of Tiger Team.
You can see here techniques similar to the ones I use. It was a fun show.