About: What are Red Teams? We're sort of like the special forces units of the security industry—highly skilled teams hired to break into the clients' own networks and premises. We find the security flaws so they can be patched before someone with more malicious plans gets in.
The goal of Red Team operations is to continuously challenge the plans, defensive measures and concepts of the organization. These exercises result in a better understanding of possible adversaries and help to improve counter measures against them and future threats.

Recon - Continued

After explaining what recon is and why it is important, let’s see some examples of some of the craziest I’ve done.

Just as a note, it’s not always fun; actually most of the time it is dull and boring, and sometimes you do get spotted and the whole project is busted.

Off-site Backup Location Security

In this project I was tasked with figuring out whether the external backup site (off-site backup for their sensitive data) my customer was using was secured as advertised. The idea was to try to infiltrate the building and try to get to the server farm room.
I began with the overt approach. I figured I would do a quick map of the actual building and their main lobby in case I needed to go through this and then do a night recon to figure out entry points.
I dressed up as an executive with a full suit and tie and a seemingly very expensive briefcase. The briefcase had, thanks to a friend, a little camera that can be fired up from the handle. I walked right into the building photographing everything, from the guard at the front gate, via the parking lot and the reception floor. I placed the briefcase on top of the guard counter so I could take a picture of the uniform, security cards, and pretty much anything I could capture. I pretended to meet one Mr. Smith (name changed for OPSEC) and I told the guard I would call him on my cell and that I would wait in the lobby if it was OK with him, which it was. In the meantime I paced all over the lobby, going to the bathroom, going near the gates that allowed you to go into the actual building and the elevators. I probed their awareness by walking, pretending to be on the phone, to their cafeteria, a place I wasn’t supposed to go, and no one challenged me. I sat there and within minutes I had a clear picture of the doors leading to the server rooms (there were 5 of them). All this time no one challenged me, so I decided to push it. I mean, if I am already here and no one is paying attention, why not go for it? I walked to the doors; they were locked and you needed a password on the keypad or an ID card to open them. I waited there for 10 minutes; still no one challenged me. A man came out of the server room’s hall and while he continued walking I pretended not to pay attention and talk on the phone. I was using my peripheral vision to keep an eye on the slow-closing door. At the last moment I moved and placed my shoe and prevented the door from closing.

I was in.

Now I needed to be careful. I didn’t have an ID card with me and I didn’t look like an IT guy either, so I took my jacket off, stuffed it in the briefcase and folded my sleeves, sort of like an IT guy from a company doing a check. I knew from my customer that their backup is kept in server room #3, so I went to that room, which of course was locked. Another keypad. You know all those tricks in the movies where they blow powder to see which buttons were pressed? They don’t work that well; besides, you don’t know the order of the PIN. So I was stuck. I took some pictures as proof that I was there and started walking toward the exit. I didn’t want to linger there more than necessary.
I went out, approached the security guard and tried some social engineering on him. I mean, as I said, I was in and I managed to get into the server room’s hall. I might as well go all the way. I approached with my phone to my ear, saying to Mr. Smith “Absolutely Mr. Smith, I will tell the guard to let me in. What’s his name?” I looked at the guard’s tag and answered “The guard is John Doe, yes sir, I am sure he is a very good guard and will help me; if not, I’ll call you back” and gave the guard a smile, pointing at the phone. I then said “Do you want to talk to him? No? OK, see you in a few minutes in room #3”. I turned to the guard, who was looking at me with a look that said damn, do I need to move…. I told him that I needed to wait for Mr. Smith in server room #3, which to my surprise he did not refuse. He walked me right into room #3. Once inside I took my time taking pictures and displaying IP addresses, server names, console screens, etc.

Success!

More coming later.
