
Recon and site casing

Ten meters away from the main entrance, there was a big metal box with wires going into it. The door to the container had a simple lock and we figured, well, that was the way into it.
At this point we had done the day and night time recon, and we were familiar with the patterns of life and atmospherics of the place. The container, at this time of the night, was not monitored, and there were no lights near it. We could remain fairly undetected while we picked the lock.

It took JS about a minute to get the lock open. Once the door began to move, we entered the container with ease. Inside there was an arrangement of control boxes, monitors and computers that provided the status of the main UPS (uninterruptible power supply) and controlled its operation. We were now inside one of the 2 big UPSs for this complex, and after doing our recon, we found this to be one of the biggest vulnerable points. We could now work quietly and hidden, and gain access to the customer's network via their remote access to the UPS.

This was possible due to the recon we performed for 10 days. As we've mentioned many times, a good recon will likely mean the success of the project. Spend time learning your customer, understanding their environment, their industry, the key players in this industry and how they affect your customer. Understand the technology they use. And most importantly, understand their people: their mindset and motivations.
Comb the internet for information, spend time observing and collect. Connect the dots.

After a couple of hours inside the UPS container, and given that we knew the software that was running on the servers there, we were able to gain SYSTEM access and prepare a few pieces of malware that would be spread throughout the network and allow us to gain further access. We exited, closed the door and slowly walked out to the perimeter fence, passing under a security camera that was pointing in the wrong direction, and out to the parking lot. A fast walk for about 200 meters and we were in the next building, a factory that was pretty empty at this time of the night.
We sat in our car, and as the sun was beginning to come up, we observed as the early risers were arriving to work. We had Z and GY in the office waiting for any connection back during the day. So, our work was done. Now coffee.

The project was successful. The IT people ran the usual tests on their UPS and when they connected to the server inside the container, a little dropper installed a piece of malware on the IT engineer's computer. From that point onward, we managed to secure multiple access points to their network.
As a final note, and after securing the "OK" from the security director at this company, we shut down one of the UPSs and displayed on all server console screens a message saying: The Red Team was here - all your data are belong to us.

So, spend time doing recon. Spend time knowing the place. In some cases, recon goes hand in hand with site casing. It can help you find observation points (OP), exit routes, and create 2 or more escape plans. Spend time observing. Collect. Learn.

Getting in

So, here's the thing. Sometimes plans are necessary. The complexity of the project really can only be tackled by sitting down and creating a good plan. It's the only way to deal with all the moving parts.

Some others... Well, red team it. You go in, like you belong. You find the one thing that gives you access. You exploit that and you gain the needed foothold.

All you need is the right tools.

Right mindset + right tools + practice = Getting in.


Phases of a red team assessment: Recon


Recon, reconnaissance. This phase is the most important phase. If you do it right, it will most likely end in the success of the project. A good team can ID the targets quickly, modify the plan accordingly, adapt the tools and finish the project successfully.


Action Combo

The idea for this assessment came from one of the IT managers at this organization. She wasn't sure people were taking her training seriously, and she wanted to see whether our team could get inside the server room and walk out with a drive from one of their servers. Bonus points would be given if we could also take over at least one of the employees' laptops.

After a week of both physical and digital recon, we had solid information that allowed us to create a plan. It was going to be a combination of attacks on all fronts: physical, digital and social.
We learned 3 key things from the recon: the back alley on their main building had no camera, the service door there was guarded by a single padlock, and their fire command system (as per the information online) would make the doors "fail open" when it was being reset.

The following week, in the middle of most employees coming in, I walked very casually around the building, on the phone "on an important call that needed a little quiet", and reached the service entrance at the back. There, and without anyone looking, I picked the lock on the padlock and went into the building. A few minutes later, another guy from the team came by the door and locked the padlock again. Nothing to see... Move along... Any roaming guard will see all as usual.
Once inside, I put my fake badge on my belt and, dressed in a suit and tie, began walking. After checking the ground floor and going 2 floors up, I found a room filled with racks of servers, routers, and other network devices. Of course it needed badge access. OK, time for the social attack. I called another guy from the team that was waiting at a cafe a few blocks away.

In the meantime, no one challenged me. I was dressed in a suit and tie, I had a laptop with me and a pad of paper where I had made some quick diagrams (that said nothing, but looked very official). A few guys said hello with a smile, and one even helped me get a coffee in the small kitchen on the floor.

When R arrived at the front desk, he was dressed in a very convincing fire department uniform. He talked to the security guard and told him that the fire command box was sending alerts to them every 30 min or so, that clearly all was good at the location, but that he needed to see the fire command system. The guard walked with him to the security office, and opened the fire command box. After a few minutes, R dialed a number on his cellphone (I answered), and he said: I think it's all good, we might need to reset the box. Let me know if you see the reset on your end.
He asked the guard to insert his key into the box and turn it, and R hit the reset control. It took a few seconds for the box to go down and reboot. He talked to me on the phone: box was reset, can you see it? At that point, all the doors on the floor popped open. I walked into the server room and said: I'm inside. Let it boot all the way.
R thanked the guard with a smile and, while walking away, commented on the football game for a few minutes. The guard was wearing a football hat and by doing this, he was making the guard feel at ease. An extra step to make sure he wasn't going to get suspicious.

Now I needed to find a drive to remove, and I needed to find a way to "own" one of the laptops. The disk was easy, some of the racks had hot-swappable drives. I searched for one that was labelled "backup" and took it.

The next thing was to find a way to get a laptop. This was done, again, by exploiting the helpful nature of humans. I walked to one of the desks in front of a closed-door office. These desks are usually occupied by assistants to execs or directors. I found there a mid-40s lady, very well dressed and with a "great hairdo". I commented, just passing by, how beautiful she looked and that it must have taken her a while to get her hair so good. She smiled a big smile and told me ALL about it. We were having a good chat here. Just as I was leaving, I asked her: I'm having trouble accessing my powerpoints on my computer. I don't know whether it's my computer or the thumb drive. Any chance I can check on yours one second?
She smiled and allowed me to kneel by her side, accessing her laptop. I plugged in the USB drive, and opened it on her computer. I saw my powerpoint, opened it, but it was greeted by a "corrupted file" error. So, I told her thank you and that it was clear my drive was bad. Meanwhile, behind the scenes I now had a backdoor to her laptop. A simple reverse shell that was trying to connect to a specific IP, disguised as an HTTP request. I walked away, smiling and waving goodbye.

Back in the office, the guys were receiving a shell.

Boom. We got them.

So, this one went smooth. Proper planning prevents piss poor performance. The recon, the fact that the company leaked so much of their digital footprint online (from vendors to what software they were using), and a good solid plan that attacked the 3 fronts at the same time, allowed us to really go in and succeed.
It's not this easy most of the times. You have things not working, you have people getting suspicious, you have security controls, and a million other things. However, sometimes... Well, it just works.
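The backdoor in this story phoned home by repeatedly trying to reach one fixed IP with traffic dressed up as HTTP requests. From the blue team side, that regularity is the tell: a human browsing a site produces bursty, irregular gaps between requests, while an implant on a sleep loop produces near-constant ones. The script below is an added example and not code from the original post; it parses a constructed proxy log format (timestamp, client IP, destination, method, path, status) over constructed sample lines in which one client beacons every minute to 203.0.113.10 (a documentation-range address) and another client browses normally, and it flags client/destination pairs whose inter-request timing has a low coefficient of variation. The thresholds `min_hits` and `max_jitter` are assumptions to be tuned per environment.

```python
"""Detect periodic HTTP beaconing in web-proxy logs (added example, not from the blog)."""
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed proxy log format: "<ISO timestamp> <client ip> <dest host> <method> <path> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Constructed sample: 10.0.5.23 beacons roughly every 60 s to 203.0.113.10 (TEST-NET-3
# documentation range); 10.0.5.40 browses internal and external sites at human pace.
SAMPLE_LOG = """\
2024-03-04T09:00:01 10.0.5.23 203.0.113.10 GET /update/check 200
2024-03-04T09:00:03 10.0.5.40 intranet.example.com GET /home 200
2024-03-04T09:01:01 10.0.5.23 203.0.113.10 GET /update/check 200
2024-03-04T09:01:17 10.0.5.40 intranet.example.com GET /news 200
2024-03-04T09:02:02 10.0.5.23 203.0.113.10 GET /update/check 200
2024-03-04T09:02:45 10.0.5.40 www.example.com GET /search 200
2024-03-04T09:03:01 10.0.5.23 203.0.113.10 GET /update/check 200
2024-03-04T09:03:40 10.0.5.40 intranet.example.com GET /home 200
2024-03-04T09:04:01 10.0.5.23 203.0.113.10 GET /update/check 200
2024-03-04T09:05:01 10.0.5.23 203.0.113.10 GET /update/check 200
2024-03-04T09:09:12 10.0.5.40 www.example.com GET /search 200
2024-03-04T09:31:00 10.0.5.40 intranet.example.com GET /home 200
"""


@dataclass
class Beacon:
    src: str
    dst: str
    count: int
    mean_interval: float  # seconds between requests
    jitter: float         # coefficient of variation: stdev(gaps) / mean(gaps)


def parse_log(text):
    """Parse log lines matching LOG_RE into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def find_beacons(records, min_hits=5, max_jitter=0.2):
    """Flag (client, destination) pairs contacted at near-constant intervals.

    min_hits avoids judging timing on too few samples; max_jitter is the largest
    coefficient of variation still considered machine-regular (assumed thresholds).
    """
    by_pair = defaultdict(list)
    for rec in records:
        by_pair[(rec["src"], rec["dst"])].append(rec["ts"])

    beacons = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:  # all requests at the same instant: not a sleep loop, skip
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            beacons.append(Beacon(src, dst, len(stamps), mean, jitter))
    # most regular pairs first
    return sorted(beacons, key=lambda b: b.jitter)


if __name__ == "__main__":
    for b in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{b.src} -> {b.dst}: {b.count} requests every ~{b.mean_interval:.0f}s "
              f"(jitter {b.jitter:.3f})")
```

On the sample, only the 10.0.5.23 to 203.0.113.10 pair is reported (six requests, about 60 seconds apart, jitter near 0.01); the normal browsing pair never reaches `min_hits` and its gaps vary far too much. Implants that add random sleep jitter push the coefficient of variation up, so in practice this check is combined with destination rarity (how many hosts in the estate talk to that address at all) and with longer observation windows rather than used alone.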


I'm writing this as we finish the after action review (AAR). We began the environmental recon for a new project. Five of us spent the last 7 hours around the customer's area and buildings trying to learn as much as possible. This will be repeated several times in order to learn any patterns. The same was already done during office hours.

Fortunately, we have a visiting friend, a retired recce guy from the UK, and he brought some invaluable analysis of our plans and provided us with some great ideas. This is why it's always good to have an outsider help you red team the plans. Especially someone with experience in the field.
Originally we were going to move from one point to the next and observe; however, our friend suggested that we leave 1 team member in a fixed position, overlooking the entire target, and then split the other 4 into two 2-man teams that can move more fluidly around the area, reporting back to the person overlooking all. This way, he can paint a good overall picture of the environment. It was a great idea and it worked great.

During the AAR, our friend really made us walk through all the recon, making sure the things we saw different were noted for further observation the next time we went out.

So, as always, it is great to learn new things. This was a simple suggestion, but one that made complete sense and made our recon more fluid and better.

Question from a reader

JD, another security professional, asked me the following question in an email and I thought it would be good to post it here. I answered him personally already, but here it is. Maybe some of you can help him as well, and me. I'm always interested in learning.


I do a lot with the educational market (K-12 up to higher Ed) and I am constantly asked how you prevent active shooters from happening. My response is that you really can’t unless you predict when it is going to happen, which again you really can’t do.

So I started wondering one day, is there a way to change the mindset of how we approach active shooters and can we really get ahead of the shooter. Meaning this:

Is there a way to “Red Team” a school to help them better deploy deterrent or preventive resources? Trying to make it more difficult for the shooter and in turn buy more time for people to get out of harm’s way.

I’m not sure if I am explaining this in the best way as it is such a complex issue, but I am trying to figure out if there is a way to use the “Red Team” mindset to help schools be better prepared for these types of events. I focus so much on preventative measures and try to utilize some Predictive Analytics but I think I am missing something and was wondering how to incorporate some Red Team ideas in the school environment. You have such great content and I am sure your real world experience might lend some great insight.

I am sorry if it seems like I am all over the place here, my thoughts are getting in the way of my other thoughts.

I have always tried to think like an adversary but this one has me stumped! Any thoughts would be great to help get me thinking a different way.




J, I’m not an expert on active shooting scenarios or even in securing schools, but I can tell you how I would approach this. This is just a brain dump. Each school and campus is different so you have to adapt to this.

I would approach this in 2 stages, the preventive stage and the reactive stage.

The first stage, the preventive one, should focus on stopping or slowing down the shooter before he can get near innocent people. I would start with a physical reconnaissance of the location, paying attention to possible ingress and egress routes. Ask yourself: “if I were a bad guy, how would I enter the school?” What would give the bad guy the best advantage? Also ask yourself: “What’s the best route to escape?” I don’t know much about the psychology of these killers, but I’ve seen enough bad guys get that moment of doubt that would make them stop and try to escape. The idea with the route identification is that, once identified, you could potentially close them, make them harder to access or guard them. By making the good ingress and egress points inaccessible to the attacker, you are either funneling him to a single point that you can control, or causing him to rethink his plans and maybe cancel the whole thing. Move to the next target.
Begin to mark on a map, diagram or whatever, the weak points in the school. Points that can be leveraged by an attacker to enter or even engage innocent people. Doors, windows, gates on the fences, parking lots, adjacent buildings, etc. Then note if these points are already being monitored by either the school, their security or the police. If not, then maybe you can suggest active monitoring, locking them (doors that should be open ONLY in fire cases, for example) or making them otherwise inaccessible to the bad guy. Try to funnel traffic (both cars and people) into a single choke point, or at least into the minimum number, so you could potentially identify the shooter even before he reaches the premises. Ideally you would have an armed and trained security guard at the school, but this is something that I haven’t seen in the US.
The big problem here is adjacent buildings, where a shooter with a rifle can take down innocent people while concealed. That’s a whole other world. We could go into counter sniper operations, but that’s beyond this.
The idea here is to make it hard for the attacker to enter and easy for the good guys to identify a possible attacker.
Then I would move inside. Assuming the above failed, the next preventive layer is the inside of the building. Have some deception placed: bogus signs, things that would tempt the bad guy into going one direction, where you can, again, try to detect him and bring him down. Realistically, there isn’t much to be done once the attacker has gained access, except training for the school staff and having armed security guards.
Ideally, you would have at least one staff member (teacher, admin, etc.) trained in active shooter scenarios. From firearms training (stress shooting, CT shooting, etc.) and hand-to-hand combat, to emergency procedures (first aid, escape organization, communications, etc.). Last, identify secure locations for people inside the building, preferably with access to exits or windows where they could escape. Drill the staff and students on how to reach those places and what to do. Have students also take charge; teach them how to use comms, or who to call.
I think a good first step is identifying those weak points, and creating choke points for the attacker. Route him into a controlled area, away from the target.

The second stage is reactive. The shooter is already inside. This is a nightmare situation, as we’ve seen many times. Chaos reigns, akin to combat, only the people here are not trained.
Like in the previous stage, I think it would be good to have the staff trained in what to do. Have them trained with firearms, and possibly have a few firearms in the school, accessible only by those people (to prevent untrained people from hurting themselves or other innocents, or the bad guy from gaining access to them). Have them practice a procedure where, when an active shooter has been identified, they take command: they move the kids to a safe location (identified previously), they reach the firearms and try to take the shooter down, and they call law enforcement.
Drill them, practice reaching the safe locations and the weapons. Stress them.
Like I said, once the attacker is inside, there isn’t much to be done other than take him down, and bring the kids and staff to safety.

I hope this gives you an idea… Again, I am not an expert. I’m just trying to apply the Red Team Mindset and think like an attacker. Then identify how I would protect me against that threat.

Combining Fronts

Some projects are difficult due to their complexity, some projects are easy, mostly because of lack of security at the target. Some other projects are boring, for many reasons. And, of course, some projects are fun. The latter usually include combining two or three of the three Red Teaming fronts: digital, physical and social.

In one case, a friend asked us to help review the security in his company; we managed to walk right by the door, get to the server room and come out with a bunch of hard disks.

After several days of digital recon, we found that the security protocols in the building dictated that in case of a fire or power failure, all doors needed to be unlocked for safety reasons. Which is a good plan if you were to have it red teamed first... Well, this is where the physical recon came into play.
With all the security measures around the main entrance, inside the building and around the server rooms, we found that the main building disconnect was... well, very accessible by the general public.

So, we walked right to the switch, pulled it down and after some alarms sounded, the back door of the building opened. We waited a few moments and walked right in. Inside there was the usual mix of people really not knowing what to do, with alarms sounding, some dark corners and some illumination by emergency lights. In other words, a bit of chaos. We took the stairs, found the server room, the door unlocked, running on UPS electricity, walked in and extracted 3 of the hard drives from the servers. Then we walked right out. Only then was the fire department arriving, with some police.

We worked with our friend to solve this issue and now he has a really good plan (and a plan B as well) to deal with these kinds of issues.

When in doubt, Red Team it.