Red Team Entry Pack

Over the years I have acquired many tools and tricks used to gain entry to a target office. At DEFCON 23 I got a lot of questions regarding my custom pack, and the gear inside.

While I cannot share every detail (that would give away too many trade secrets), I have dissected the general pack here for your perusal.

To begin, the pack used is a 5.11 All Hazards Prime backpack. This pack is easily organized, rugged, and reliable. When complete, this pack can be carried on air travel save for the bit set (screwdrivers). Interestingly, TSA does not care about lock picks because airports generally use electronic locks for sensitive systems (though it is debatable if they should be concerned with the lock cylinder override).

The front pouch contains some basic tools and essentials. Along with the traditional pens in a work bag, if sports a few nefarious items

red_team_pack_front_pouch_small

Up in the top of the image we see a UV light and a 5.11 double duty pen. The UV light works well to pull fingerprints if you lay a little oil on exterior door handles earlier in the day. Then, when entering at night, check pin pads for buttons pressed. This forms an easy key-space reduction attack. If you are careful, you can also determine the order. The pen is useful as a punch. While I have the 5.11 variant, multiple manufacturers make these. A normal mechanical punch works as well, but saving space is always nice with multi-function tools.

Moving downwards we see a Shove Tool. This is a more rigid tool meant for shimming open doors. It has various grooves to try and manipulate strikes from above or below. They are cheap and take abuse well. The small silver knob is a homemade Medeco pick for attacking bi-axial locks. This takes some considerable practice to use, but even if you never manage to open a Medeco it works as a general pick tool. This one was made using piano wire and a vice handle. It only works for manually setting rotations after further attacking the lock.

To the right of the Medeco tool is a basic lock pick set. I generally do not bother carrying large 70 piece sets some technicians swear by, but we have sent overnight after determining there was a very odd-ball lock in an office. But that rarely happens.

Moving back up we have a Ninja Throwing Star for tapping LAN. This is a passive device, and is limited to 10/100 Ethernet. It will downgrade 1 Gbps connections, but most people will not notice. I cam currently developing a full duplex active Gigabit wiretap, but this is still in early stages.

Lastly, we have a cellular hotspot. Exfiltrating data from the office in real time, or just having network resources without target monitoring systems being tipped off is invaluable.

As we move into the middle pouch of the pack, we have some gear that is nestled tightly into the pack and some that is more readily extracted.

red_team_pack_middle_pouch_01_small

The device here is a WiFi Pineapple from Hak5. This nifty unit has multiple radios and support for USB modules (both GSM and wifi). It supports packet injection, SSH reverse tunnels, an ethernet port, and many other useful items. Here it is hidden in the pack to perform wireless attacks on target networks while on site. If the wifi is open, easy MitM. If the WiFi uses 802.1x, it can attempt to capture hashes if the clients do not validate certificates (and in the end, there is almost always a client that does). It includes a large battery so it can run without being plugged in. If we find a suitable spot, we will also drop the unit inside a wall or networking closet to provide a point of network persistence. There is plenty of available cabling so it can reach out to external antennas easier and have more flexibility. The internal pack MOLLE system proved useful to keep this in place securely when running and climbing.

red_team_pack_middle_pouch_02_small

This pouch also hosts more gear. The small mesh bags out of frame to the left hold small gear and accessories (always have spare cables and adapters). The big yellow box is a large set of security bits. Ever try to open an electrical box to find a pinned Torx? How about snake eyes? Yeah, this set was under $30 from MicroCenter and has opened every panel we encountered. Also has a ratcheting screwdriver to make things easier. Keep it organized and fitted so it does not make noise as you move around. The pin-pad is my smart card reader. Since I authenticate to my exfil services and laptops using these, I keep a reader with a self-contained secure pin entry for many uses. I am writing up good documentation for using the OpenPGP smart card so keep an eye out for that. The Gnome project broke a lot of it, so my docs will provide fix guidance. Lastly, this pouch has a Datalocker. If the docs cannot be exfiltrated over a secure network connection, I recommend these as an encrypted drive. Unlike IronKeys and software-based FDE, these have self contained password entry and strong authN support. Also has a live virtual disk you can burn an ISO onto (in this case I burned in Kali Linux in read-only for forensics and physical con-booting attacks).

Finally (in what I will show), you can see below the antennas hidden down the sides of the pack via the pack Baton holders. This is before I sewed on some extra flaps to cover the tips and installed black cable.

red_team_pack_antennas_01_small