Highest Rated Comments


tomvandewiele13684 karma

hunter2

tomvandewiele6384 karma

There are a lot of examples that come to mind. If I had to pick a few: breaking into an ATM in the middle of a mall while hundreds of people pass you doing their shopping (and not caring because you are wearing the ultimate cyber weapon: a fluorescent vest). Walking through the basements of a dark data center of a financial institution after business hours and almost getting locked in. Replaying an employee's fingerprints on fingerprint access control readers using toilet paper. I'm sure there is more stuff that I am forgetting but those are the first things that come to mind.

tomvandewiele6286 karma

Companies and organisations usually rely on their own security services and departments first before escalating to the police, which is part of the process we are testing. Although we usually have a "get out of jail"-letter in the back of our pockets stating why we are there if things do escalate; we never had to deal with the law or the police and we intend to keep it that way =)

tomvandewiele4638 karma

Here is a selection that we usually bring on the job and after carefully planning our attack plan using at least two to three attack waves spread out over a couple of weeks or months:

  • USB Armory, to have a self-contained system with everything you need
  • Multi-band WiFi dongles with Atheros chipset suited for frame injection
  • Proxmark EV2 or custom RFID/NFC copiers for access-card stealing or cloning
  • Magspoof for access-card stealing or cloning
  • Weaponized PocketCHIP / Raspberry Pi / Beaglebone with LCD display for WiFi hacking using a rogue access point. But also for running tools on the go such as network manipulation, credential extraction and man-in-the-middle tools
  • Rubberducky or teensy for fast typing of payloads when required
  • USB keyloggers and USB extension cords either stand-alone or WiFi enabled
  • Ducttape and straps to install rogue network implants for later persistent network access
  • Extension cords and network cables
  • Bluetooth headset earpiece to stay in contact with my colleagues keeping watch
  • Lockpick kits, bump keys, jiggler keys and other lockpicking tools
  • Pliers, wrench, screw drivers for breaking down a lock or door
  • Camera to photograph evidence and findings
  • USB thumb drives tied to a lanyard and old keys to be "left" in bike sheds and parking lots containing interesting and enticing content for the lucky finder
  • Fake paper access card and badge holder
  • Banana, bunch of papers or other things to hold in your hand. People who have something in their hand walking around the building are usually not regarded as suspicious
  • Disguise and clothes if you have to switch roles. You might have come into the building as the smoke detector check-up guy and might have to transition to a suit and tie to be able to get into the executive offices in another wing of the building

tomvandewiele3918 karma

If you are using an optical finger printer reader i.e. a piece of glass serving as the touch surface, then a latent print might be left on the reader. If the reader is wrongly calibrated and/or misconfigured then a piece of damp toilet paper on top of it can replay the latent fingerprint.