Rappelling off a roof
I have one client that has been testing his security for the last 2 years in ways that would make the Pentagon jealous. They had tested their networks, both internal and external, by performing black-box and white-box penetration tests, risk analysis and an all-or-nothing phishing attack attempt (to random employees). They also tested their physical security, calling for drills, performing penetration tests and trying to prevent information disclosure (they randomly visit employees and if they find any papers in their trash bins they get a reprimand; they are supposed to shred everything, regardless of how stupid or small it is).
I performed some of those tests while other experts or companies performed the others.
In the last one I did a few weeks ago, the security director of the company explained that they were sure they had tight security now and that he wanted to know whether there was anything they missed. He then set the two targets. If I were to achieve any of the targets he would consider the pentest a success:
- Target 1: get to the 5th floor, locate the VP of Marketing’s office and place a keylogger in his keyboard (a keylogger is a piece of hardware that records the keys pressed by a user)
- Target 2: locate the main server room and photograph all the servers
I set to work.
After a week of recon I found out that the 4th and 5th floors are only accessible with a very specific card via the elevator. I didn’t have that card. Even if I got to the elevator I could not go to the 5th floor. Several more days of recon at night showed that there were 3 windows being left open at night: 2 on the 7th floor (last floor) and one on the 5th. For a week I observed that. So this was my way into the 5th floor (problem #1).
To make the story short, I arrived late during a weekday for a meeting I arranged with the IT department (basic social engineering). I had with me my GORUCK GR1 with a laptop and several programs that I wanted to show them. They were very happy with the programs and they wanted to buy them… Anyway, on the way out they left me alone in the elevator (problem #2). I pressed the last floor and after a few minutes I found the door to the roof, which was unlocked (problem #3). I waited on the roof until the parking lot was empty.
I had 70 meters of rope, a harness and a belay device (to brake the speed of the rappel) inside my GR1. The idea was to thread the rope through the hydration tube hole, get enough slack to be able to rappel, attach the rope to a solid object, place the GR1 on my back, rappel with the rope uncoiling from the inside of the ruck and out of the hydration hole, get to the 5th floor and once inside retrieve the rope. This way the rope would not be dangling free with chances of someone discovering it. It would be neatly packed inside my ruck.
It wasn’t pretty but it worked.
I had a dry run on a friend’s building, trying to test the technique.
Here’s my GR1 during the actual run.
It was scary but fun. I attached the rope to an air conditioning box and as I was going down I had to be careful not to break other windows. In the meantime the rain started to fall but with the heat it was a welcome thing.
In my GR1 I had the rope, harness and other climbing gear, including a Black Diamond ATC Guide and a Petzl Tibloc in case I needed to ascend the rope. The laptop was stored inside the laptop compartment; several USB external drives and the basic entry tools were packed in the pockets inside. The GR1 protected the laptop really well: by the time I was inside the 5th floor it was pouring outside and the laptop and gear remained dry.
I achieved Target 1 but couldn’t achieve Target 2. I couldn’t find where the main server room was located. I placed the keylogger and emailed the security director. He left the keylogger there for several days to prove the point.
I found several security problems and they are now corrected.
Overall it was a fun project.
Please do not try this at home.
I have more than 15 years' experience as an alpine and rock climber, and I am trained in high-altitude rescue and rope safety.