Data center hack, real pentest case and security recommendations

21 January 2025 7 minutes Author: Cyber Witcher

The article examines a real-world example of a data center penetration test. The authors begin with OSINT (Open Source Intelligence): gathering employee information via LinkedIn, checking for credential leaks with services such as Leakcheck, analyzing social media for compromising photos, and cutting a duplicate key from a photo found there. The case highlights the importance of a comprehensive approach to security, including protection against social media leaks and monitoring what employees post, since it may contain sensitive details.

  • Disclaimer: The information presented in this article is for educational purposes only, is not a call to action and cannot be used for malicious purposes. The purpose of the material is to demonstrate existing vulnerabilities and shortcomings that need to be addressed by information security specialists in organizations, as well as to show the work of experts in the field of cyber training.

Let’s get started

The exciting journey began with a morning call from a representative of the organization in question, asking for a commercial proposal for the service. Usually in such cases as much information as possible is collected up front, but this time the details were not disclosed and a face-to-face meeting was offered instead.

During the conversation with the customer, it became clear that the organization had already been pentested several times and had aspects that needed improvement both externally and internally. However, in light of certain events, there was now a need to check the level of physical protection.

A general overview of the company and its activities was previously conducted, but it was not possible to obtain detailed information. An agreement was reached to sign an NDA on both sides and start work.

At the initial stage, having only the name of the company, it was decided to look for information from various sources. For this, an in-depth analysis of technologies, employees, management, customers, partners and even the geolocation of the facility was used.

The first tool for data collection was LinkedIn. The actual OSINT results cannot be published without appropriate approval, so screenshots are not provided. The process itself was quite simple: company employees were searched for and the findings were entered into a table; this time, for convenience, Excel was used.

Next, information was collected from leaked databases via Leakcheck and similar aggregation services. Using corporate email addresses and leaked passwords, it was possible to find employees' contact phone numbers tied to various messengers (Viber, WhatsApp, etc.), as well as information about their purchases and other data.

First, information was found about the heads of the IT department, and later about technical specialists working in different segments of the network. Based on this data, a full employee dossier was compiled, which could be used for infiltrating the organization or for making acquaintances. A convenient record-keeping system adapted to the specific needs of the engagement was used to document the findings.

At this stage, recipients for phishing emails were identified that would help penetrate the desired segment of the network. Information about the responsibilities of employees and their functions was obtained through conversations with the HR department. Such data is also useful in cases where there is a need to introduce yourself as a certain person or give the names of employees to explain your presence on the territory. In case of extreme necessity, it was envisaged to create a duplicate identity for temporary use.

Particular attention was paid to social media, where many photos with potentially useful information were found, including images of documents, keys and other important details. Articles were also found whose photos gave an idea of the interior of the enterprise.

A photo of a key found on social media made it possible to make a duplicate of it for verification. Additional instructions can be provided on YouTube upon request to demonstrate the mechanics of making keys.

In addition, articles and videos of the opening or reconstruction of objects were analyzed, which contained building plans and details about their infrastructure. Such materials were used to create a complete picture of the object.

For potential work with Wi-Fi, a map of access points was compiled for use in "Evil Twin" attacks with the Eaphammer tool. This reconnaissance was carried out on foot or from a moving vehicle.

Finally, physical restrictions such as locks and possible loopholes left by employees themselves to avoid passing through the main security were investigated. The presence of standard Apecs padlocks and English profile locks on the internal gates was recorded. The locks were assessed from a distance, so it was difficult to determine the exact manufacturer.

It was necessary to assess how the security post operated, in particular how often the camera feeds were switched and whether they were monitored continuously. It seemed the guards had been warned about a possible test, as they were constantly watching the monitors and actively discussing something. Even the blinds at the post were closed so that it could not be seen from outside. However, when a colleague walked the perimeter there was no reaction, which indicated that the cameras were in automatic mode and were not triggered by motion sensors. The timing of the guards' rounds was recorded, and it was possible to proceed to preparing the necessary equipment.

A standard set of tools was assembled for the night work, focusing only on the most necessary, placing everything in convenient places for quick access. High-quality equipment was used, such as the Multipick, which is one of the best tools for working with different types of locks.

Preparation for the intrusion included recording video on a GoPro camera at 1080p and 60 frames per second. Thanks to previous projects, it was possible to avoid stress, and the actions were carried out calmly and smoothly. The most obvious ways in were the external fire escape, the perimeter fence, or simply unscrewing the corrugated iron sheeting. In this particular case, a high-quality bolt cutter was used to get past the first perimeter.

Internal access was gained thanks to the structural features of the building, such as fire escapes, passages between buildings and open windows on the upper floors. Prepared tools, such as lock picks, made it possible to quickly get past obstacles and reach the backup power control unit. Additional equipment was installed there, including a Raspberry Pi, which allowed the necessary actions to be performed.

For further work, a hidden access point was set up, and the devices were placed in inconspicuous locations such as power strips or electrical panels, which ensured that the access obtained could be used effectively. All actions were performed to a high professional standard.
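A planted Raspberry Pi or hidden access point only pays off for an intruder if it can sit on the network unnoticed, so the defender's counterpart to this step is an inventory check on what the DHCP server hands leases to. The Python below is an added example, not code from the original article: it parses constructed ISC dhcpd-style `DHCPACK` lines, flags any MAC address missing from an (assumed) approved-asset inventory, and adds a hint when the vendor OUI belongs to Raspberry Pi; the log lines, inventory and MAC addresses are all constructed.

```python
import re
from dataclasses import dataclass

# OUI prefixes registered to Raspberry Pi (Trading) Ltd; used only as a hint,
# because anyone planting a device can trivially change its MAC address.
RASPBERRY_PI_OUIS = {"B8:27:EB", "DC:A6:32", "E4:5F:01"}

# Constructed inventory of approved MACs (in practice exported from CMDB/NAC).
APPROVED_MACS = {
    "00:1A:2B:3C:4D:5E": "ups-controller-01",
    "00:1A:2B:3C:4D:5F": "hvac-gateway-02",
}

# Matches ISC dhcpd-style "DHCPACK on <ip> to <mac> (<hostname>) via <iface>";
# the "(hostname)" part is optional. Only this line shape is parsed here.
LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9a-fA-F:]{17})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)


@dataclass(frozen=True)
class Finding:
    ip: str
    mac: str
    host: str
    iface: str
    reason: str


def audit_leases(lines):
    """Return one Finding per DHCPACK whose MAC is not in the approved inventory."""
    findings = []
    for line in lines:
        m = LEASE_RE.search(line)
        if not m:
            continue  # DHCPDISCOVER, noise, etc.: not a handed-out lease
        mac = m.group("mac").upper()
        if mac in APPROVED_MACS:
            continue
        reason = "unknown device (not in inventory)"
        if mac[:8] in RASPBERRY_PI_OUIS:
            reason += "; OUI registered to Raspberry Pi"
        findings.append(Finding(m.group("ip"), mac, m.group("host") or "",
                                m.group("iface"), reason))
    return findings


# Constructed sample log: two approved devices and one unregistered board
# appearing on the backup-power VLAN in the middle of the night.
SAMPLE_LOG = [
    "Jan 21 02:14:07 dhcpd: DHCPACK on 10.40.8.21 to 00:1a:2b:3c:4d:5e (ups-controller-01) via vlan40",
    "Jan 21 02:14:09 dhcpd: DHCPDISCOVER from dc:a6:32:11:22:33 via vlan40",
    "Jan 21 02:14:10 dhcpd: DHCPACK on 10.40.8.77 to dc:a6:32:11:22:33 (raspberrypi) via vlan40",
    "Jan 21 02:15:30 dhcpd: DHCPACK on 10.40.8.22 to 00:1a:2b:3c:4d:5f via vlan40",
]

if __name__ == "__main__":
    for f in audit_leases(SAMPLE_LOG):
        print(f"{f.ip} {f.mac} host={f.host!r} iface={f.iface}: {f.reason}")
```

Feeding the same check with ARP tables or switch MAC-address tables catches devices that use a static address and never request a lease.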

The operation was successfully completed in the same way, everything went quietly and without unnecessary noise. However, the next day the Customer asked to repeat the manipulation during the day. It was obvious that this stage had an increased risk, because it was likely that the actions were already known, and the camera recordings could be viewed. Despite this, the decision was made to complete the task. The Customer insisted that nothing was known about the pentest, but the team deliberately went “to the slaughter”. As they say, “we perform, you pay”.

The daytime operation took place with a large number of people moving around the enterprise grounds. A helicopter with yellow vests was found for camouflage, which made it easy to pass as contractors. Under the new conditions, the previous actions were repeated in abbreviated form. The operation ended with the recording of high-quality video from several cameras, which was handed over to the Customer.

The report required additional time, since video recordings from the cameras and action cameras alone were not enough. However, the work was completed successfully, the task was accomplished, the team's reputation was strengthened, and a financial reward was earned.

It should be noted that details regarding the hacking of internal and external systems or the use of social engineering were not described, since the operation was carried out according to a standard scenario without complex technical chains.
