Forging Your Identity: Credibility Beyond Words - (BSides Nashville 2016) (Hacking Illustrated Series InfoSec Tutorial Videos)

Forging Your Identity: Credibility Beyond Words

Tim Roberts, Brent White
@ZanshinH4x
@brentwdesign

BSides Nashville 2016
http://bsidesnash.org

**Abstract:** Pretending to be an employee is one thing, but owning layers of identities is what has led to owning the data centers, PBX rooms, Security Control Centers and more. If a discerning employee is not buying into your backstory, your credibility can sometimes make or break an assessment. In this presentation, we will discuss document and badge forgery, setting up and forwarding local phone numbers, and fake employee web search results. You will listen to real world scenarios that led to an armed security guard handing over the building keys, facilities opening two-factor authentication restricted areas and more!

**Detailed Outline:**

- Introduction
Pretending to be an employee is one thing, but owning layers of identities is what has led to owning the data centers, PBX rooms, Security Control Centers and more. If a discerning employee is not buying into your backstory, your credibility can sometimes make or break an assessment. In this presentation, we will discuss document and badge forgery, setting up and forwarding local phone numbers, and fake web search results.
- Scope: Identifying and expanding
---- Scenario based assessment?
---- A to B (e.g. parking lot to server room or executive suite)
- Reconnaissance, OSINT, employee culture (dress code, department size etc).
---- Disguises (employee, vendor/contractor)
---- Being Bold
-------- When is it appropriate to take risks?
- War Story: What all you can learn from observing employees.
---- Dress Code
---- Badge layout (take note)
---- Entrance and Exit congestion (tailgating opportunities)
---- Guards and Visitor check-in.
---- Vendors
---- Emergency Exit (Alarm active during the day?)
- The Anvil: What do you need for the assessment?
---- The setup (fake phone numbers and forwarding)
---- Google results
---- Forging Documentation (envelopes, letterheads, etc)
---- Forging Badges
---- Make a key from a photo!
---- RFID Stealing / Cloning
- Liar! Liar!
How to make your story believable without getting too involved. Lying is an art.
---- Redirection (direct the conversation)
---- Short and sweet (friendly conversation is great, but don't give away too much)
---- Vague vs. concise (keep answers believable)
---- Assistance etc. (Sorry, I am looking for...I am new...I was supposed to...)
- The Ace Card
---- A fake Letter of Authorization (Did the employee read it or follow-up?)
-------- When to use it and when not to.
-------- In the clear from further challenge from security guards.
---- Letter template.
- War Story: A good story, a fake badge, a keychain and a charming personality can convince an armed security guard to hand over their keys to the Security Control Room.
- Escalations
---- When the challenger just doesn't buy it.
-------- POC before the Police or FBI are called.
-------- Escalation procedures followed?
-------- Real letter.
- Bug Out / Exit strategy.
---- Revisit the scope, evidence, and log.
-------- Bathroom is a great office.
-------- Is debriefing part of the exit plan?
-------- How much time do you have for the assessment? Are you wrapping it up at this point or do you still have a few days?
---- Clean up
-------- Doors kept unlocked or propped open?
-------- Missing items (e.g. physical keys, badges, devices etc)
---- Exit the building.
-------- Is this a black box assessment?
-------- Should you be concerned about Security, cameras and identification?
-------- Is escalation and incident handling a part of the evaluation?
-------- Avoid being seen or stick to the role 100%, from A to B and B to A.
- Questions / Close-out


Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast