Don't Get Caught!
That’s one of my most important rules. It applies to both digital and physical pentests. Cover your tracks and become invisible.
Well, in this particular physical penetration test I got caught. It was partly my fault and partly the fact that my customer has well trained security personnel. I succeeded in completing the pentest but just as I thought I was going home safe, I got caught, thrown to the ground and threatened to be shot if I didn’t comply with what the security personnel was saying.
All the while I was trying to reach for a letter I had on my pant’s right pocket where the Security Officer of the company that hired me for the pentest stated who I was, what I was doing and that in case of emergency to contact him. I even told these three big, HUGE guys that I had a letter explaining everything but they were following procedure. It was painful to say the least, but at least they didn’t shoot.
This is what happened.
My customer hired me to see if I could disrupt daily activities in one of his buildings. The idea wasn’t to penetrate their network or get to their servers (like I usually do) but to see whether I can disrupt their workers from doing some of the mission critical things they do in this particular case. The Security Officer briefed me about the fact that the data being handled by his company had to be available all the time. He explained that during the past year they invested a lot of money on physical and digital security and redundancy server farms. I started with a bit of recon via some open source intelligence collection (the internet, some random calls to different employees, etc).
After a few weeks of planning, recon and a trial run (I went into the building to check it out) I decided to do it. I knew from my recon that the entrance has 4 cameras outside and 3 inside. So I decided to go in with the morning rush when everyone is coming in to work. That way I would try to blend in with the people.
A camera inside (blurred some of the picture for security purposes)
Once inside I piggie-backed with several employees into the elevator and got off at the top floor. My idea was to get to one of the server rooms located on the top floor and try to physically disconnect some of the servers.
Here’s my Radio Ruck before going into the elevator
After reaching the last floor and finding the server room I quickly realized that they had in place some serious high-tech lock. There was no way I could open that lock without the proper card and passcode. I moved to the next server room, unchallenged and avoiding the cameras as much as I could. The second server room was the same. I noticed then that most rooms had that lock system.
I reached the stairs and went down one floor. The same. All the rooms had the same lock system. That wasn’t there during my recon. I asked a cleaning guy if there was a way to open the door to my office since I forgot my card. He mentioned that I needed to see the security department for that.
It occurred to me that if I couldn’t get to the server rooms I could try to disrupt them by killing their power. I asked the cleaning guy several questions about random stuff and had a nice conversation with him in order to put him at ease and eventually I asked about the power supplies for the building. I told him I was originally an electrical engineer and that I loved to see big electrical rooms and switches. He said it was located on the basement but that I needed permission from the security department to go there. He was very helpful, he pointed me to the service elevator. I thanked him and down I went.
My pack on the service elevator going down towards the basement. No cameras in this one.
Once I reached the basement it took me 5 minutes to locate the electrical room, it was well marked
I tried the door but it was locked, but to my surprise it used a simple lock. How did they missed this? They spent apparently a fortune installing high-tech locks on most offices and important rooms and they overlook this one?
I pull out my trusty SERE Bogota Lock Pick and had the lock open in no time.
I entered the room and found several electrical boards with ON/OFF switches and buttons. I found one that said “10th floor” (the server rooms are located there) and pulled the switches down. Then for good measure I pulled the 9th and 8th floors too. That would do it. They wanted to see if I could disrupt their work? Here it is.
I got out the room, closed the door and went to take the elevator back to the ground floor so I could get out the building. The elevator came, the doors opened and BOOM! Three very big security guards came out of it. They looked at me, saw that I didn’t have a badge on me (their standard procedures indicates that they have to have one visible at all times), one reached for his weapon while the other two jumped on top of me. Damn, they were fast. Well trained! I am usually ok with dealing with this and I am hard to handle but since I didn’t want to get shot I just went to the ground while the guards smashed my head against the floor. Immediately I felt my arms pull back and the plastic cuffs tight around my wrists. I tried to reach for the letter but they just pull my arms. It was incredibly painful. I started screaming that I was on their side and that they needed to check my pocket. They did not respond. All the while this guy had his 9mm trained at me. At least he had good trigger discipline, his finger was in the trigger guard and not on the trigger itself.
They took me to the security office where after 20 minutes the Security Officer came and told them to release me.
He said: You succeeded in taking the server rooms down and for the most part you paralyzed most of the work but you got caught. How do you want to call this? Success?
I said: No. I failed. I should have been more careful and thought about the fact that someone would come down to check. However, what where you thinking when you installed a simple lock in the electrical room?
Anyway, I pointed all the weak points and they are now making sure this won’t happen again.
I am happy to be alive :)
Disclaimer: Please DO NOT do this at home. Doing this is illegal. I do this under a contract and with full permission of my customer. The pictures shown in the post are the ones authorized by my customer. The rest of the pictures I took had been erased by request of my customer.