Written by Jeromie Jackson Published on Monday, 28 December 2009 18:17 Last updated on Monday, 28 December 2009 18:20
The locks on the building were of good quality. They were 6 pin Schlage tumbler locks that incorporated 1 or more security pins. Here's what the internals of a lock look like:
Theoretically any lock of this type is pick-able. Raking is the first technique we used, unsuccessfully. We then began trying to single pick the pins. Over 30 minutes went by between the two methods used. While impatiently waiting I looked around, hunting for other avenues into our goal.
While standing there, I noted the screws in the window were on our side of the door! After unscrewing a screw we found the shank appeared to be long enough to go through he door. Removing the other 9 screws, and a weather seal, out came the window, and we were on the 3rd floor. From our reconnaissance earlier in the day we knew there was motion sensors run the length of the hallway. Crawling over to the closest door, in order to evade the sensor, my partner began picking the interior door on the office. After 20 minutes, without progress, we decided for him to make the LONG crawl down the hallway to where we had identified a poorly installed door that exposed the plunger. Popping the plunger with a “Lucky-7,” house number from Home Depot, the door was opened. He came around to the other door closer to me, opened the door, and I crawled my way over to the now opened interior door.
With no interior motion sensors we had free reign in the office. We obtained several documents containing social security #'s and other confidential data. Taking several tables that were available we stacked them and I jumped over the drop ceiling into the datacenter- mission completed! We took some video, gathered evidence, and left a note for our point of contact on a monitor in the datacenter. Everything was put back the way it was originally, the window in the hallway door was re-installed, and we made our exit through to the stairwell onto the main street- a clean getaway!
Our contact arrived at 7:30 the following morning, just as every other day. He went to his desk, found nothing out of the ordinary, and worked through the morning. Around noon he had to enter the datacenter for a task that needed physical access to one of the servers. He looked over to the monitor and found our note: “Dear <Point of Contact>, Please call us to discuss your physical security. Jeromie & Eric.”
I will be following up with several articles about circumventing several physical security devices such as HID Proximity cards, some good info and sources for lock picking, creating lockpicking tools, and definitely more on my infosec penetration testing as well. Be sure to follow-me on Twitter!
Should you need any security assessment, regulatory compliance, web-application testing, social engineering, or red-team engagement, I would certainly appreciate the opportunity to earn your business!
