Man
Professional
- Messages
- 3,061
- Reaction score
- 586
- Points
- 113
This article is about physical penetration into one of the banks in Lebanon. A legal project with an unexpected ending, which was carried out by one of the most famous specialists in physical penetration testing Jason E. Street! The whole story is a set of facts mixed with his personal comments from speeches, interviews and behind-the-scenes conversations. Therefore, the details are on the expert's personal conscience, but I suggest you believe him! The story turned out to be too loud 
If you are interested in how the physical security of a bank was tested using social engineering, welcome under the cut!
Usually the main goal is either to gain access to computers in the customer's office, or to organize a remote connection to the organization's network. For the latter, a camouflaged mini-PC is most often used, for example, Raspberry Pi with a modem and SIM card. The restrictions on such projects, at least in the Russian Federation, are simple:
Our main character acted in exactly the same conditions. However, his goal was slightly different - not to check the possibility of gaining access, but to teach employees! Therefore, he expected to be caught by the end of the project.
Then no one stopped the hacker.
In Beirut, the signs are usually in Arabic and French, which the hacker did not know. Therefore, he was assigned a local escort for the project, who spoke three languages fluently and showed him the way. In addition, it was this escort who was supposed to prevent the hacker from being arrested! The escort is living proof of the legality of the project. But that day, Jason was in a hurry, because before the project he drank a whole 1.5 liter bottle of Diet Pepsi! The escort showed him the direction and said, "The bank is over there at the end of the street, I'll be there a couple of minutes after you." Along the way, Jason diligently looked for a toilet, but he could not read many of the signs, and he did not see the familiar WC sign anywhere. In the end, with his last bit of willpower, he ran into the bank office at the end of the street and followed the signs to the second floor to the toilet. After relief, the hacker inspected the branch from above and planned his demonstration attack.
Documents are not allowed, but fake letters? Badges? Yes! They are not de jure documents. So Jason got out his fake Microsoft badge. His goals were threefold:
For the first task, he used Rubber Duck, a well-known tool of legal hackers that looks like a flash drive but executes code. The computer identifies this "flash drive" as a keyboard, which starts pressing hot keys and typing commands. This is how the code is executed. Yes, right in front of the manager.
All Jason's Rubber Duck code did was display a message that "Hey, this shouldn't have happened!" Jason showed it to the manager and moved on to the next one, although one hacked PC is enough to register success.
Already on the third hacked computer, they started asking about him, asking who he was and where he was from. Jason repeated his legend that he was from Microsoft, pointed to his badge. And explained that he was here conducting an audit due to a merger of companies, and this was not public information yet. He showed a fake letter on his iPad to inspire more trust. Why on a tablet? For some reason, it looks more trustworthy on the screen than printed out. The letter was composed very competently, on behalf of the bank's CFO, who was also the daughter of the bank owner! What could be more respectable? But they did not believe him and asked to talk to the manager. Where was the mistake?
In the manager's office, Jason moved on to goal #3 - escape. His task is to use this fake letter on the tablet to convince the manager to let him go. He expected two successful outcomes:
1. The manager believes the letter, and he loses.
2. The manager does not believe it, asks for additional documents. Then Jason offers to bring them from the car and does not return to the bank.
In theory, there may be one unfortunate outcome: Jason is not believed and is not allowed to go "for documents". Then the escort stands up for him and explains everything, and the manager receives praise. By the way, where is the escort?
These two banks use the same corporate colors. Jason is used to not looking at the signs, because they are usually not in English. Well, remember, he was in a VERY hurry, and in this building there are two banks located next to each other. Jason simply went through the wrong door, and he broke into a bank for which he had no permission! What could he say to the manager after that? "This is unfortunate." The hacker was so stunned that he could not think of anything better.
In the manager's room, he was seated in a chair and six people around him were talking very actively and angrily in Arabic. As an excuse, Jason decided to show what he had done, that nothing bad had happened. He connected his Rubber Duck to the manager's computer, and the usual notepad window with the inscription appeared on the screen. But this did not make the right impression, in fact, he had just hacked another PC, increased his sentence, and the faces of those around him became even gloomier. The last argument, which, it would seem, they did not hear, was "Google me, I am known for such things!"
By this time, the escort had long been in the bank opposite, he first thought that Jason had already entered the manager's office and was explaining everything to him. But time passed, his ward did not appear and he decided to ask if he had come in here. After a negative answer, he began to look for Jason and found him. The escort's arguments had already been heard, but they did not play a big role. All they could offer them was to go to the bank's head office, where they would sort it out, which was generally better than calling the police.
Jason was saved by the fact that the code on his Rubber Duck was not truly malicious, and there was no crime. Also, fortunately, he did not have time to fulfill point #2 and did not take the computer out of the department!
All his violations were:
Jason explained the situation to the head of security again, explaining in detail what he did and why it happened, what the staff did wrong, and answering a lot of questions, trying to be as nice as possible.
After four hours spent in the security chief's office, the bank executives agreed to split the costs and settle the situation. For security reasons, immediately after Jason left, all the computers of the managers and the manager of the accidentally hacked branch were cleared. After all, banks are a highly competitive environment. But the main thing is that they did not have to inspect the security of Lebanon's prisons.
Source
If you are interested in how the physical security of a bank was tested using social engineering, welcome under the cut!
❯ What kind of projects are these?
Projects on physical penetration into the customer's territory are some of the most fun projects! The author of these lines has done several similar projects, so he knows what he is talking about. Jason E. Street is a very well-known industry expert who has carried out dozens of times more similar projects.Usually the main goal is either to gain access to computers in the customer's office, or to organize a remote connection to the organization's network. For the latter, a camouflaged mini-PC is most often used, for example, Raspberry Pi with a modem and SIM card. The restrictions on such projects, at least in the Russian Federation, are simple:
- Do not show any documents. After all, forgery is punishable by the Criminal Code of the Russian Federation, and showing real ones is contrary to the essence of the event.
- Do not resist security. Usually, you always have a work contract or a letter of authorization (LOA) with you. The letter/contract states that the person is doing legal work and there is no need to beat him/hand him over to the police, but you need to contact the management of the customer company.
Our main character acted in exactly the same conditions. However, his goal was slightly different - not to check the possibility of gaining access, but to teach employees! Therefore, he expected to be caught by the end of the project.
❯ First project
Lebanon. This country, which is now constantly in the news, but at the time of the project was much calmer and quieter. Jason had already done one project there at a bank and then he:- He pretended to be an employee of the head office and calmly walked around three branches.
- In one branch I received my personal login and password from the manager, and also took out all the documents I wanted.
- In two, he executed “malicious” code on the machines of managers and one manager.
- From the third one he even took the computer away!
Then no one stopped the hacker.
❯ Very fast start
The current project was carried out a couple of years later in 2021 in another bank in Beirut, the first branch of which was successfully hacked in the morning. But the offended manager, who felt like a fool, decided to take the fight into his own hands. He personally called all the major branches of the bank and warned about the expected visit of the "hacker". Of course, it was not sporting, but Jason decided that he would go to a small branch where he was most likely not expected. And he really was not expected there!In Beirut, the signs are usually in Arabic and French, which the hacker did not know. Therefore, he was assigned a local escort for the project, who spoke three languages fluently and showed him the way. In addition, it was this escort who was supposed to prevent the hacker from being arrested! The escort is living proof of the legality of the project. But that day, Jason was in a hurry, because before the project he drank a whole 1.5 liter bottle of Diet Pepsi! The escort showed him the direction and said, "The bank is over there at the end of the street, I'll be there a couple of minutes after you." Along the way, Jason diligently looked for a toilet, but he could not read many of the signs, and he did not see the familiar WC sign anywhere. In the end, with his last bit of willpower, he ran into the bank office at the end of the street and followed the signs to the second floor to the toilet. After relief, the hacker inspected the branch from above and planned his demonstration attack.
Documents are not allowed, but fake letters? Badges? Yes! They are not de jure documents. So Jason got out his fake Microsoft badge. His goals were threefold:
- Execute any code on employees' machines and show it to them.
- Take the computer out of the department.
- If he is detained, check whether they will believe his fake "authorization letter" and let him go.
For the first task, he used Rubber Duck, a well-known tool of legal hackers that looks like a flash drive but executes code. The computer identifies this "flash drive" as a keyboard, which starts pressing hot keys and typing commands. This is how the code is executed. Yes, right in front of the manager.
All Jason's Rubber Duck code did was display a message that "Hey, this shouldn't have happened!" Jason showed it to the manager and moved on to the next one, although one hacked PC is enough to register success.
Already on the third hacked computer, they started asking about him, asking who he was and where he was from. Jason repeated his legend that he was from Microsoft, pointed to his badge. And explained that he was here conducting an audit due to a merger of companies, and this was not public information yet. He showed a fake letter on his iPad to inspire more trust. Why on a tablet? For some reason, it looks more trustworthy on the screen than printed out. The letter was composed very competently, on behalf of the bank's CFO, who was also the daughter of the bank owner! What could be more respectable? But they did not believe him and asked to talk to the manager. Where was the mistake?
In the manager's office, Jason moved on to goal #3 - escape. His task is to use this fake letter on the tablet to convince the manager to let him go. He expected two successful outcomes:
1. The manager believes the letter, and he loses.
2. The manager does not believe it, asks for additional documents. Then Jason offers to bring them from the car and does not return to the bank.
In theory, there may be one unfortunate outcome: Jason is not believed and is not allowed to go "for documents". Then the escort stands up for him and explains everything, and the manager receives praise. By the way, where is the escort?
❯ Wrong door
Jason couldn't even imagine the fourth outcome. The manager looks at his documents carefully and says in a sad but very stern voice: "Everything is clear, but this letter is for the bank next door. So what were you doing with our computers?!"These two banks use the same corporate colors. Jason is used to not looking at the signs, because they are usually not in English. Well, remember, he was in a VERY hurry, and in this building there are two banks located next to each other. Jason simply went through the wrong door, and he broke into a bank for which he had no permission! What could he say to the manager after that? "This is unfortunate." The hacker was so stunned that he could not think of anything better.
In the manager's room, he was seated in a chair and six people around him were talking very actively and angrily in Arabic. As an excuse, Jason decided to show what he had done, that nothing bad had happened. He connected his Rubber Duck to the manager's computer, and the usual notepad window with the inscription appeared on the screen. But this did not make the right impression, in fact, he had just hacked another PC, increased his sentence, and the faces of those around him became even gloomier. The last argument, which, it would seem, they did not hear, was "Google me, I am known for such things!"
By this time, the escort had long been in the bank opposite, he first thought that Jason had already entered the manager's office and was explaining everything to him. But time passed, his ward did not appear and he decided to ask if he had come in here. After a negative answer, he began to look for Jason and found him. The escort's arguments had already been heard, but they did not play a big role. All they could offer them was to go to the bank's head office, where they would sort it out, which was generally better than calling the police.
Jason was saved by the fact that the code on his Rubber Duck was not truly malicious, and there was no crime. Also, fortunately, he did not have time to fulfill point #2 and did not take the computer out of the department!
All his violations were:
- Trespassing into restricted areas.
- Lying to bank employees.
Jason explained the situation to the head of security again, explaining in detail what he did and why it happened, what the staff did wrong, and answering a lot of questions, trying to be as nice as possible.
After four hours spent in the security chief's office, the bank executives agreed to split the costs and settle the situation. For security reasons, immediately after Jason left, all the computers of the managers and the manager of the accidentally hacked branch were cleared. After all, banks are a highly competitive environment. But the main thing is that they did not have to inspect the security of Lebanon's prisons.
Source
