
Taking down the power grid

BSides Las Vegas · 39:24 · 65 views · Published 2025-12
About this talk
Red team war story of a penetration test against a power company's EMP-secure server room. The engagement showcases physical security weaknesses, including OSINT reconnaissance, access card cloning via Flipper Zero to extract Mifare Classic encryption keys, default credential exploitation of the access control management system, and social engineering. The team successfully breached the facility and placed a simulated device in the target room within a 48-hour window.
Original YouTube description

Identifier: XTUW3N

Description:
- "Taking down the power grid!"
- Red Team war story of gaining physical access to an EMP-secure server room.
- Explains the step-by-step attack leading to control of power grid servers.

Location & Metadata:
- Location: PasswordsCon, Tuscany
- Date/Time: Tuesday, 14:00–14:45
- Speaker: John-André Bjørkhaug

Transcript [en]

Okay, welcome everyone to our next track at PasswordsCon. I am Dimitri aka Rurapente. I'm running PasswordsCon this year. So it's great to see such a full room. It's really nice. I'm sure you guys are going to enjoy it. Just some quick thank yous to our Diamond sponsors, Adobe and Aikido, and our Gold sponsors, Dropzone AI and Profit. And then a quick comment about cell phones and cameras. Please put them on silent so that they don't go off and we don't hear all the interesting ringtones that you may have. And then when it comes to taking pictures, just a reminder, the speaker said you can't take pictures of him and/or his content. That's right. Yeah. But

don't take pictures of anyone else in the room without their consent or anywhere else in the venue as well, I should say. Cool. So taking down the grid, I think that's why it's so full here. It's a very interesting topic. It's interesting for me too, because I'm from South Africa and we don't have to try very hard. It brings itself down most of the time. But I'm going to pay for that comment, but it's okay. But yeah, it's a very interesting topic. PasswordsCon, as you can see, spans quite a wide area because of the fact that it covers so many different topics. So I'm looking forward to hearing this. I'm sure all of you are

as well. So let's hand over to John-André Bjørkhaug. Thank you very much. There are some passwords in the talk, so I think we're under the PasswordsCon umbrella. My name is John-André Bjørkhaug. Jon-André Bjørkhaug, Norwegian. Hey! I'm Norwegian. I work for a Norwegian company called NetSecurity as a principal penetration tester. I'm originally an electronics engineer with a specialization in telecommunication and wireless systems. It's much more fun to break stuff than building stuff, therefore I do pen testing. I've been doing pen testing for... 17 years. I picked my first lock when I was 10 years old and I got hooked into the physical security area already then. This entire talk is a war story. It's one

red team assignment that we did. The assignment was, as I said, a red team exercise. Everything was allowed except hurting people and damaging property. The goal was to get into the EMP-secure server room for a large power company, which controls a large part of the power grid for a country. When inside the EMP-secure room, we should place a fake dummy bomb, just to simulate that we could place something scary inside that room. Because that room controlled all the OT that controlled the power grid. So if a bomb would go off there, it would take down the grid. When we do a test like this, we first start with recon, of course, doing OSINT and some physical recon. OSINT, we use

Google Maps, LinkedIn, homepages, everything we can find online. For the physical recon, we are driving around the property, walking around the property, using cameras with high zoom lenses, telescopes, binoculars, and so on, to get as much information as possible on the target. There are some movies hidden in the presentation. So if someone recognizes the movie, you can shout out. Which movie is this? Yep, correct. Before we got into the physical part of this test, we did a phishing campaign to get some domain credentials in case we got access to some computer inside the facility. We wanted to find out what kind of access control system is used, which technology. Is it Mifare Classic? Is it

HID? Is it EM cards or whatever? And we also wanted to make some ID cards, visually correct ID cards that we could use to blend in with the environment. Cards like this. Very successful to have a mix of different ID cards when you're on a red team exercise. Like this is a mix of Norwegian companies: you have cleaning companies, you have computer companies, elevator companies, ventilation and so on, and some guard companies. So the first step in this test, in this exercise, was to get an access card with a PIN. From recon, we knew that they had a Stanley access control system that we could see from Google Street View. We found the exact reader and we

found on Google image search that this reader supports a lot of technologies. It supports 125 kilohertz cards, it supports Mifare Classic, Mifare DESFire and so on. And we were hoping that they used one of these weaker technologies like 125 kilohertz or Mifare Classic. But to find out the exact technology that they were using, we had to get very close to the reader using Flipper Zero. And we found out that this is a Mifare Classic, and using the Flipper you are able to extract the data that can be used to calculate the encryption keys. You also get the sector and which key that is used. And using the Flipper app you're able to decode the encryption

keys. So we have then the Mifare Classic sector, the area on the card, the location on the card where the interesting data is stored, and we have the encryption key. Having this, it is possible to skim cards, to clone cards. Now, how do you do that? There's two ways of getting a copy of a card. Either you can get close to people, but we don't want to get close to people. It's, yeah, no. Or you can use a weaponized reader or some skimming equipment. A weaponized reader is a lookalike reader that is built to skim cards instead of just opening the doors. But the weaponized readers that it's possible to buy are really expensive. And we found out this when we were starting on the assignment. So

we didn't have time to order the reader and we didn't want to use so much money on it. So we don't have money, we don't have time. What do we do? We improvise. We take whatever we have, build something and hope that we're building something that is able to skim the cards. So we had a reader, we had a Proxmark, we had a Raspberry Pi in our briefcase, we had a power bank. We needed a case to put everything in it. We wanted to control this from remote. We didn't want to stand next to the reader and connect to the Wi-Fi on the Raspberry Pi enclosed in a case. We wanted to be able to connect

to it remotely, so we used a 4G modem connected to the Raspberry Pi. We needed to have some cables to connect everything. And of course, we needed some tape to tape it up on the wall. To put all this equipment into one case, it's not possible to get a very discreet reader. So we used this. It was the smallest case that we could fit everything in, because we needed quite a big power bank because we wanted to mount this in the middle of the night, so no one was around, and hopefully when people were getting to work they wouldn't see the small box that we placed under the reader. So we put everything into this exact

box. We wrote contact information on the backside: this is a security test, the name of the company, my phone number and so on. We placed it under the reader. Very discreet. How did you paste it there? With magnets or what? Tape, double-sided tape. Yeah, it was nice until we--when we were taking it off the wall, because the tape was a bit too strong. So a little bit of the paint was removed. Why don't folks at No-Dot just say, you know, "Don't remove this, maintenance test"? Yeah, I could have, but then people would read that and say, "What's this?" Maybe contact the janitor or something. But the funny thing is that no one noticed, and there were also some people who tried to push

it, thinking it was an "open the door" button or something. So we got an idea after this that we have to use one of these and build a weaponized button. Put some reader inside this and put it next to the original reader. So now we have the skimming equipment in place, but this company, they use PIN codes all day. So we had to get the PIN code too. And we had to have a place where we could sit and observe the PIN code. So what kind of place is the best? Yeah, it's a white van, of course. Rented a white van, placed it like 200 meters or so away from the door. We were able to see the keyboard, sitting in the car with a sniper scope. The

sniper scope was a bit overkill. I think it was like seven thousand, seven, eight thousand dollars for it. It's something we borrowed from a friend. But it was... We were able to see the code people entered. A little bit blurry picture, because we used our phone towards the telescope and tried to take the picture. I tried to do a recording. But we were able, you're not able to see the digits, but you don't have to see the digits, you only see the location of the finger, that's good enough. And luckily, some people swiped their cards and we were able to read those cards. I think we got like five or six readings before we very stealthily removed the reader again, with some of the paint. So this is

the data on the card. There's a location ID and this card ID. So when having this data, it's possible to make your own cards. So we used the Proxmark and made cards, and we tried to use that card and PIN code, and access granted. But when on the inside we met a door to the server room, we were hoping, hoping, hoping that with the card that we had got we were really lucky and that that card also worked for the server room. But of course it didn't. So, yeah, access denied. So then we had to find another way of getting in. We have access to the building, no access to the server room. We need to escalate the privileges on our card. How

can we do that? Yeah, but then we have to hope for someone with the right permissions to swipe their cards. Huh? Support ticket, yeah. No, we hacked the access control management software instead. Much more fun. I see now that I talk too quickly and the time is running way too slow, so I have to slow down. Yeah, we need to escalate the privileges, level up the card, but we need to get network access to be able to find that software. But the problem now was that the office wasn't empty. It was still full of people. We heard people chatting. The server room was in the basement. And so when we first got into the building, we saw some stairs running down, and luckily we saw the

server room door and we heard people in the office. We heard a lot of people. So where do you, where's the best place to hide when you have to hide for quite a bit of time? The toilet. Just pretend that you have a real bad stomach or something. So we waited for two hours in the toilet. Finally, the office started to sound quiet. And we took the chance and just started to walk around the building trying to find somewhere that we could sit and do a regular penetration test, an internal infrastructure test, to try to find the access control system, the management server, and from there escalate. So we started to connect to the network everywhere. They

were using 802.1X port authentication. None of the ports gave us access to the network. We only got access to the guest network, but nothing more. We didn't see any interesting things. So how do you bypass 802.1X? Printers, that's one option, but also the IT employees' office, they always have one port to test something. But printers are the go-to network ports when you're not finding anything else. So then we started to gather information about the environment, doing port scans and trying to find whatever we could find. And luckily we found a server called SRV Stanley 01 or something like that. It was really clear that this was the access control server. Before we started the test, as I mentioned earlier, when I was talking

faster than I do now, we said that we did a phishing campaign to get some credentials. When we tried to connect to this access control server, we found that it replies on RDP. And we just tried one of these accounts that we got earlier. I think you've got like, I think you send mail to 100 people or so and you get like 30 or 40 credentials, as usual. Luckily, one reason, all domain users had access to RDP to this access control server. No idea why. But when we RDP'd to it, it was in kind of like a kiosk mode-ish. When you logged on with your Windows credentials, you were met with this. It's not so discreet. I'll try to... I removed the name; I already said it was a

Stanley thing. You see the black and the yellow. So how do we find the password for this? That was the next question. Now we have access. How should we log on to this? We need to have more... More info. Yeah, we'll see. So next step, escalate access privileges on our card. And of course, we started with manual, as you said. Default credentials. Tried this: administrator, administrator; manager, manager; installer, installer; engineer, income, and so on. And none worked. So, oh, damn. But then we just... did all lowercase instead. So administrator, lowercase administrator, we're in. So then we had access to the, this is in Norwegian, this was a Norwegian installation. Adgangsrettigheter, access rights. So when having access to this, we use the ID

of the card, which was the ID that we saw earlier in this screenshot. One of the fields in the data here was the ID. Found the card, changed the access rights. So what now? Before I continue, is there any questions? Because I have 45 minutes on this and, um, yeah, I said to Pet that it's not a 45-minute talk, but yeah, you can use the time. But yeah, we'll see. Yeah, oh, many questions

before you see how it goes. You can have some questions. What was your time frame on each of the phases, from recon to going in the server room, etc.? We did the phishing campaign, but for the physical thing we only had two days. So we did the phishing, I think, the week or two weeks before, and then we went on site because it was quite a bit to travel. So we went on site, did the physical recon one day, and we did the attack in the evening and the day after. So it was a quick test. Yeah, looking at the group, the user numbers there, was there any possibility to increment through those

numbers, through a brute force from your-- That could be an option, yes. It's always possible. If we hadn't been able to hack the management software, we would have done that to try to find a user with higher privileges. But then we wouldn't have the pin code. So-- Ah, yeah. Yes. Cheers. Oh, that's-- A lot. Okay, that's good so we can drag out the time a bit. So this building clearly had some physical security, right? They had codes and stuff. Were there no cameras, no front desk person, right? You were really able to get in and nobody noticed you were there for those two days? There were cameras and there were a front desk person, but

we went in the back door. All employees went in the back door and then we did the same. Cameras, there were cameras everywhere, but we heard afterwards that they were turned off for some reason. So they didn't see anything. Why did they pay you for this? Like, this was so easy. Yeah, yeah, yeah. It was a bit easy. Easy and easy. But having to decode the data and build the reader, improvising that, it looks easy, but it was some headache doing that. I am really curious about-- they considered doing a phishing campaign in scope for this? Yeah, everything was allowed. Just don't hurt people and damage anything. Except the paint on the wall. Okay. Cool beans. One more and then we'll see how

it goes. Maybe you can guess how it goes. Sorry if I missed this, but just out of curiosity, where did you get a box the perfect size and shape at that short notice? There was this electrical shop, hardware shops focusing on electrical equipment. So we just went in there and tried to find something that we were able to put everything in. So we just bought a bunch and found the smallest one that we could fit everything in. It's not exactly small. Okay, one more then and we'll have more, take more questions afterwards. There's one. I'm not gonna throw it, you can pass it on. What was in your phishing campaign? So let's see what was that. The

reason I didn't say anything about the phishing campaign is because I think that's not what I do. I think it's boring, so I get another guy to do that. But I think it was something like a Microsoft thing that you have to refresh your access tokens, blah, blah, blah, blah, blah, something. I can keep up now. It seems like there's a lot of questions, so we can use more time afterwards. So now we had the PIN code for this card. We had the card, tried it on the server room. The outer server room opened. So when we entered that, we got into the regular server room and there was this huge door on the next server room. When you open these

kind of doors, you hear like, "pssh!" So like, pressurized and there's... Yeah, it's an EMP security room. So it was really exciting when we took our card up to that reader, entered the PIN code, and were able to open the door. When we did this, when we got into the room, it felt like we were taking a selfie, sending to the contact person. It felt kind of like Mission Impossible. It was more like this. So we sent this selfie to the contact person and he got surprised. After we did the selfie, as you remember, the objective of the test was to place a bomb in the room. So we had this Peli case with some electronics and stuff within it, just

to be a simulated, emulated bomb. Place the bomb, then we needed to pull out, get out. We left the bomb, we removed all the permissions on the access card because we didn't want that: we cloned the card, so the person who had the original card also had access to that EMP-secure room for a while there. This was done late at night, so we hoped that that person didn't try the card, and of course they didn't. We cleaned up the permissions, cleaned up whatever else we left in the internal penetration test that we did to find the access control system, and walked out. That was it, and as I answered earlier on the question how long it took, it was, yeah, the phishing campaign was

done in one day the week before, and we did this in like two days, two very long days. 24 minutes? That's a bit low. Hopefully there's a lot of questions then. I said we've had 20 minutes. So that's it for the talk. It's whoa!

You can start taking questions, I think. So you guys weren't willing to pay for the keypad, but you were willing to pay for the $6,000 to $7,000 spotter scope? We borrowed it. Oh. We had a nerdy hunter friend. That last slide you said, you cleaned up on your way out. Did you have to do anything with the logs? Or were there logs of, like, who accessed the... Oh, no. We didn't do anything about the logs. Oh, okay. We could have, but we didn't do that. What was your client's immediate reaction and what did they learn from this experience? I think they changed the access control system to something other than Mifare Classic. And I also think

they... try to teach their employees to stand in front of the key panel when entering their PIN code. They were quite surprised, maybe, that we got into the room because it... When we started on this test, we did not think that we were able to get into the room. We had no idea how we should do it because it's a secure room. Only like two or three people have access. The physical security of the room is very good. We tried to look at the under, and it's a good, high-security Norwegian lock, an Abloy lock. It's not possible to shim the door in any way; there are covers in front of the latches and everything. So we had no idea how to get

in, but so we were surprised and the customer was quite surprised too. This is someone-- Can I ask-- I brought it over here. Could I ask why you chose to make that external box as a skimmer rather than tapping the reader directly with something like an ESP key? Yeah, we didn't want to remove the reader from the wall because we were thinking maybe there's some tampering going to an alarm company or something like that. So we didn't want to remove the reader from the wall, because you have to remove the reader to get in to place the ESP key. Okay. On the wires. And we're not sure either if they're using, what kind of protocol is on the backside, if it's Wiegand or whatever. Well, it's Mifare

Classic. It's almost always Wiegand, right? No, it depends on the reader. Actually, in Norway, there's quite a bit of readers using some other serial protocols. Okay, thank you.

male #2: Why do you think they gave you such a short time to do the pen test? Was it because they didn't actually want you to succeed in the pen test? Because that seems like a really short time to do a thorough engagement. Yeah, but it's--they gave us more time, but that was the time slot we had available to do the test. I think we had like a month or two to do the test, but we delayed it and delayed it and, "Oh, we have to finish this test." So how did you figure out where the server room was? And additionally, what about the EMP room? Did you just expect it to be in the server room? There's these fire maps in the hallways. Did it say?

Yeah, we saw that there was this server room and there was another server room behind the server room. And we didn't see any other server rooms on the fire maps. How many people were involved in this engagement? Two? Ah, plus three when the phishing guy was another one. Hey. If you hacked the access management system beforehand, could you skip the part of your installing all the physical hacking part? You could probably create your own key... Yeah, but we needed to know what the format of the data on the cards was. But if you have access to the fully fledged access management, you can bypass all the stuff and just create your own key card with administrative privileges. Yeah, if we

had access to the place where they have the reader, the writer, card writer and all that, we would be able to do that because there's no place in the access control management software where you see the data format on the cards. So probably if you didn't have access to it, you needed to brute force all the versions of the cards, basically. Yeah, and that's impossible. Yeah. Cool. So based off of this engagement, how would you rate it between your other engagements for level of difficulty? Excuse me? Based off of this engagement, how would you rate it between your other engagements that you conduct off the level of difficulty? So would you say that this was

easier than your other ones? Do you find that a lot of the engagements that you do are pretty simple and as easy as this, in the wide open? That's a really hard question to answer. It's actually among the harder ones, because it's a really specific scope and there's a very few people having access into that area. It's not possible to tailgate in, which we do on a lot of other tests. So it's among the harder ones before we... It turned out to be not so hard, but when we started on it, we thought it was really hard. So, yeah. Did you have specific recommendations and did you follow up? We haven't followed up. The recommendations were to, as I mentioned earlier,

teach the employees to cover the PIN when they enter the PIN, or maybe have something next to the reader covering it. Also to change the technology of the cards, because the readers support, like, Mifare DESFire, which is much, much better. But they use this old one. So I think that was the specific ones: to use another technology on the cards. So I've got two follow-up questions on what your client did afterwards. One, did they procure an EDR of any kind? And then two, did they interview the employees that were successfully phished to see if they had some afterthought of like, oh, that seems kind of weird. 'Cause you know, if you've got a self-reporting mechanism, then you can flag a security

team or your InfoSec person and, like, trigger to rotate credentials and cut off that access. - The last one I don't know. I haven't asked them about it. Your first question was EDR. I don't remember if they had; I think they had like Defender ATP or something. But we didn't do any, we didn't use any exploits or malware or anything on the, we just, we scanned their environment, we found the server with a name that matched the access control management. Escalating the permissions on their employee account could have triggered a detection and response if they were looking at their admin logs on their Windows server, right? Yeah, on the... but it was only the cards, we didn't do any escalation, escalation on the

servers, yeah. Thanks, great talk. Just a quick one about what the client's response and reaction was, you know, once you sort of walked them through what you found, how did they respond? What was their reaction? They didn't think that we should be able to get into the room, so they were quite surprised that we actually were able to succeed. Yeah, that's, yeah, they were not aware of what kind of technology was used on the access control system, because usually they just buy a solution from the vendor and, yeah, the documentation doesn't say anything about what technology and so on. So yeah, so you had, you had two doors to get into that server, you had

the server room and then the EMP server room. Yeah. I think you mentioned that you're kind of doing this at night, but there are IT folks who work like night shifts and stuff. Like what was going to be your contingency should you open that EMP server room door and there be somebody in there doing work? And since it's such a small group of people that would have access. I don't think we ever thought about that. Improvise. We'll make eye read when we get into there. All right. So you had a pretty easy time to get into that access control panel with the RDP and everything. What was your backup plan if you had no way to get that easy

admin access? There wasn't any plan B, it was just improvise. You were lucky. Yeah, we were lucky that worked. If that hadn't worked, we just needed to try to find something else. When you do tests like this, you never know what you'll meet, so you have to be very adaptive and able to improvise. As that room seems to be very critical, how come there wasn't any 24-hour surveillance through the cameras, etc., from the security company? There should be, but the cameras were turned off for some reason. I don't know why, but they're on now, I hope. I hope. Just a question from me. Yeah, well, so I mean, if there's any of us here that, um, are responsible for securing

something similar to that, what would you say are the three things that should be focused on? Not necessarily specific to how you breached there, but what you were trying to do to get in. What would you say the three focuses are that someone trying to secure an environment like that should be focused on, based on what you were able to do? It should be, you should have the latest and best of the, uh, better technologies on the cards, using like Mifare DESFire or something like that, DESFire EV3. Um, not everyone should be able to get into the access management software. You shouldn't use default passwords. Don't use default passwords, don't use old technologies, mostly that. Cool. But

that's all over. The weak password, the default passwords, old technology. It's not only in this kind of systems, it's everywhere. Hey, two questions. Do you know what prompted them to initially request the pen test? And then also, did they give any insight into what were the factors that led to the specific failings, like the decisions to not update the physical reader and the ports being open and whatnot? I don't know. Sorry. Even more? It was good that I spoke quickly in the beginning, apparently. For the 802.1X bypass, were you working off an employee's computer or was that like a whitelisted port? No, it was just a Linux computer that we brought with us. So we didn't use the employee's computer, no. Just

there was this Ethernet socket in the IT employee office and we connected there and they ran.

I guess, what was the plan if you were to have encountered someone that might have stopped you or asked maybe for an excuse to be there? The pretext, you mean? That too was maybe not planned as well as it should have been. But we had, like, ID cards with the company name, which looked like the company name, and the plan was to, I think we had that in addition to cards from an IT vendor that they use. So the plan was to say that we were from that IT company doing something, something. We've got time for two more questions, yeah. And I've almost done my steps for the day, so it's going well, I guess. Pivoting back

to the 802.1X problem, was there a reason why you elected to use your own computer instead of, you know, just trying credentials on, like, those phished credentials on an employee workstation? Because in our computer we have our tools. Because you need to use, we use like Nmap, we use CrackMapExec and so on. It's not so easy to do from your employee Windows computer. Okay, one more. Have I missed hands anywhere? One more. So with the whole RDP thing, were there recommendations on that? Did they lock that down, or do they need to have that access to be able to do their jobs and stuff? I don't know if they've done it, but we recommend that they don't have domain users in the remote

user group. So I think we recommended that they locked it down to only the people who need to have access and also recommended that they change the password for the access management software. Thank you very much, Andre. No problem.
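The talk's closing recommendation is to restrict RDP on the access control management server to the people who actually administer it, after finding that every domain user could log on to it and that the application sat behind a lowercase default credential. The following is an added example, not code from the talk, the speaker or NetSecurity: a small Python check a defender could run over exported Windows Security logon events to spot the same exposure. It flags successful RemoteInteractive (RDP) logons to the access control host by any account outside an approved operator set, and lists how many distinct accounts have RDP'd in, which is the "all domain users can RDP" symptom the speaker described. The host name SRV-STANLEY01, the approved accounts, the pipe-separated export format and the sample events are all constructed assumptions.

```python
"""Added example: flag RDP logons to an access-control management server by
accounts outside an approved operator set.

The events below are constructed samples, not logs from the engagement; the
host name, account names and approved set are hypothetical."""
from dataclasses import dataclass

# Hypothetical host name of the access-control management server and the
# accounts that are supposed to administer it (assumptions, not from the talk).
ACCESS_CONTROL_HOST = "SRV-STANLEY01"
APPROVED_OPERATORS = {"corp\\acs-admin1", "corp\\acs-admin2"}
SUCCESSFUL_LOGON = 4624   # Windows Security: "An account was successfully logged on"
RDP_LOGON_TYPE = 10       # LogonType 10 = RemoteInteractive (RDP / Terminal Services)


@dataclass(frozen=True)
class LogonEvent:
    event_id: int
    computer: str
    account: str
    logon_type: int
    source_ip: str


def parse_event(line: str) -> LogonEvent:
    """Parse one pipe-separated key=value record (a constructed export format,
    not an EVTX parser)."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return LogonEvent(
        event_id=int(fields["EventID"]),
        computer=fields["Computer"],
        account=fields["Account"],
        logon_type=int(fields["LogonType"]),
        source_ip=fields["SourceIP"],
    )


def rdp_logons_to_host(lines, host=ACCESS_CONTROL_HOST):
    """Yield successful RDP logons to the access-control host, ignoring other
    hosts and non-interactive logon types (e.g. type 3, network)."""
    for line in lines:
        ev = parse_event(line)
        if (ev.event_id == SUCCESSFUL_LOGON
                and ev.computer.lower() == host.lower()
                and ev.logon_type == RDP_LOGON_TYPE):
            yield ev


def unapproved_rdp_logons(lines, approved=APPROVED_OPERATORS):
    """Return RDP logons whose account is not an approved operator. On a server
    where every domain user may RDP in, this is the list to act on."""
    allowed = {a.lower() for a in approved}
    return [ev for ev in rdp_logons_to_host(lines) if ev.account.lower() not in allowed]


def distinct_rdp_accounts(lines):
    """Sorted, lower-cased set of accounts that have RDP'd in. Far more accounts
    than approved operators is the symptom described in the talk."""
    return sorted({ev.account.lower() for ev in rdp_logons_to_host(lines)})


# Constructed sample export, not real telemetry.
SAMPLE_EVENTS = [
    "EventID=4624|Computer=SRV-STANLEY01|Account=CORP\\acs-admin1|LogonType=10|SourceIP=10.10.5.20",
    "EventID=4624|Computer=SRV-STANLEY01|Account=CORP\\jsmith|LogonType=10|SourceIP=10.20.30.40",
    "EventID=4624|Computer=SRV-STANLEY01|Account=CORP\\jsmith|LogonType=3|SourceIP=10.20.30.40",
    "EventID=4624|Computer=FILESRV01|Account=CORP\\jsmith|LogonType=10|SourceIP=10.20.30.40",
    "EventID=4624|Computer=SRV-STANLEY01|Account=CORP\\contractor7|LogonType=10|SourceIP=10.20.30.77",
    "EventID=4624|Computer=srv-stanley01|Account=CORP\\acs-admin2|LogonType=10|SourceIP=10.10.5.21",
]

if __name__ == "__main__":
    for ev in unapproved_rdp_logons(SAMPLE_EVENTS):
        print(f"ALERT: {ev.account} RDP logon to {ev.computer} from {ev.source_ip}")
    print("distinct RDP accounts:", distinct_rdp_accounts(SAMPLE_EVENTS))
```

The allow-list is the control the speaker recommends (only the people who need access in the Remote Desktop Users group); running the check before the change shows how wide the exposure is, and running it afterwards turns any hit into an incident rather than business as usual. Host and account comparison is case-insensitive because Windows logs the computer name in whichever case the client presented it.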