Gaining physical access to Server and Telecom rooms (v2.1)
~Wizbone '99
--------------------------------------------------------------------------------

+-=[ Introduction ]=-+

Ever wonder what the network backbone of a hospital looked like? Have you ever wanted to poke around in a company's telephone closet? Had the urge to take a whack at the main terminal next to some corp's big server? Well, believe it or not, it's probably the easiest thing you could do, provided you're prepared with the right knowledge and equipment.

+-=[ The run down ]=-+

Unfortunately, in this day and age, there is still no way to effectively make groups of people work together efficiently, e.g. engineering and marketing departments. This includes security guards with contractors. There is no way to coordinate an effort between these two groups of people to form an effective, standard procedure to allow the contractors to do their work as well as keep the location under a sure-fire blanket of security. Mainly, this is because contractors are stubborn grunts, and security guards are stupid grunts.

The main people who access communications closets (since server rooms and telecom closets are so similar when it comes to access and can often be one and the same, I won't mention 'server rooms' very much here) are Telco guys. In other words, communications technicians -- in a sense, a type of those contractor thingies I was talking about. These guys have to access these telco rooms when they're installing fibre optics, telephone lines, switches, etc. That's a lot of power. Neat, eh?

When working in a large skyscraper-like building, or what-not, a technician will contact security for passes, keys, swipecards, or even just to let them know that there's work to be done in the building. Oftentimes, security does not ask for ID, a work order, or anything of that nature. That is, provided the technician appears to be a legitimate outfit.
In a situation such as this, security seems to be more help than anything =]

/\/\/\/\/Wizbone's tip at a glance - Telco guys are often, but not always, hired by a separate construction outfit which is doing renovations in the building. If you can, find out if this is the case. If it is, you'll wanna avoid employees from XYZ Construction like the clap, and if you run across security, you work for XYZ.

+-=[ What you need ]=-+

You need to know of a telephone or networking company, probably other than the major telephone provider for your location, unless you've got the uniform, persona, etc. The nice thing about living in a large urban area (you do, don't you?) is that there are more communications companies out there than you can shake a category 5 enhanced 4-pair unshielded twisted pair cable at. So, either assume the identity of an employee at one of these, or invent your own. Datacom or something of that nature is rather generic. See if you can't go down to one of those $15 embroidery shops to have a shirt made if you want, or make yourself a clip-on ID. But remember, try and make it look like you're wearing a company issue uniform. Wallet chains, baggy pants, shorts, etc. will not pass.

/\/\/\/\/Wizbone's tip at a glance - Don't carry your tools in a backpack. To some, this is a no-brainer. To others (even some witless telco guys) it's beyond comprehension that anything less than a tool case is NOT professional. Get a cheap aluminum toolbox, or if you have one of those sexy, expensive, indestructible black Jelco boxes, that's even better. Just try not to look like a phreak... No pun intended.

+-=[ Know the site ]=-+

See what the security is like at the building. If it's not a public office building and you can't even get in to survey it, I recommend you avoid it unless you REALLY want to get in for some reason. The easiest way to wander around, without attracting too much attention and looking too suspicious, is to pretend you're a bicycle courier.
These guys dress like a cross between a hardcore mountainbiker, and a gay kid who shops at k-mart. Helmet, sunglasses, hoodie, sneakers, spandex pants, with cutoffs over top. Just dress like this, carry a box, and pretend you're making a delivery.

+-=[ Things to look for ]=-+

Look for things like freight elevators (which can often allow you access to floors which would otherwise be blocked off by card-access or other measures). These are basically elevators that are grungy, and not easily found by the public. Lots of immigrant janitors will be using these too, but don't ph33r, they won't be bothering you, just smile. You may need a key to use these elevators from some (or all) floors.

Find out if there are cameras, and if there are indeed some, keep track of where they are. Know where stairwells are, and how many. What security is like - are there scads of patrols walking around? Does the building have an on-site maintenance crew? If they do, do they wander around a lot? Do you think they'd harass you at all?

Find the telecom closets. Are they all stacked one-on-top of the other on each floor? This makes things gravy since they're way easy to find on each floor.

/\/\/\/\/Wizbone's tip at a glance - Keep an eye out for doors marked "Unauthorized access prohibited", as well as doors marked "Alarm sounds when door opened". Once you're inside under the ruse that you're there to do work, these doors will be usable at your leisure. However, do watch that they aren't REALLY alarmed. Though sometimes it's hard to tell, depending on which side of the door the sensors are on.

Here's a suggestion from a dude at phro@hotmail.com who's found a simple way to tell whether there are alarms or not...

     ___________________________________________________    ____
    /o/                                                /o/  \o\
    | |                                                | |   \ \
    |o| Since most technicians are carrying tools such |o|    |o|
    | | as lineman's handsets and LAN analyzers, a     | |___/_/
    |o| multimeter can be carried in without much      |o|
    | | trouble. Then all you do is take a length of   | |
    |o| speaker wire and coil it up into a loop about  |o|
    | | four times and approx. 30 - 40 cm across.      | |
    |o| Then attach the wire to the meter and set it   |o|
    | | to read AC volts and wave the loop around the  | |
    |o| edges of the door. Then all you have to do is  |o|
    | | watch for spikes on the meter, as any magnetic | |
    |o| sensors will induce a slight current in the    |o|
    | | ring when the meter is set to its most         | |
    |o| sensitive setting. You have to be careful      |o|
    | | though that you don't mistake the ambient 60Hz | |
  __|o| AC for a sensor.                               |o|___
 / _|_|________________________________________________|_|_ /
/__________________________________________________________/

Well, phro's totally right on the money there with that idea. A multimeter is a very commonly used tool in the telco trade, so there'd be no problem carrying it around. In fact, another thought would be to use an inductive amplifier (or often just called a 'probe'). This would do the job well too, and all telco guys carry these for tracing cables. However, since they are pricey, you might wanna just use phro's suggestion if you don't already own one.

+-=[ Know what you want ]=-+

Know your goals when you get there. Do you want access to a switch? Any switch, or a specific one? Do you wanna take down a network? Whatever it is, make sure you know where it is, and what you're doing. Is it a Lucent switch? NorStar? Know the difference if you have to.

The following are things you can expect to find in your average telco closet in a large office building:

Almost for sure:
-voice and data panels
-lots of 4pr cat5, maybe cat3 cable
-25+ pair cables
-A switch or two

Almost as for sure:
-fibre optic cables (pronounced "fih-bree op-teek cah-blays" -- Really... that's how it's said)
-Data rack with hubs, routers, etc.
-Manuals
-Servers
-Tools
-Surplus computer hardware/software (mice, keyboards, OS cdroms, etc)

Rarely:
-Candy
-Emmanuel Goldstein =]

+-=[ What you do ]=-+

Basically, it can be as simple as walking into a building, and just doing whatever you want, or as complicated as having to go through multiple security checks. Here's a run-through of your average situation:

*Step one: Enter building. This is a tough one. Find the appropriate entrance into the main floor of the building. Once you find it, follow the instructions on the door as to whether you PUSH or PULL. You may luck out and find automatic doors.

*Step two: v1) Go straight to work. That's right, make a bee-line to your telco closet and start the fun. OR, v2) go to security, pretend you're legit, sign in, get keys, cards, etc... THEN GOTO v1.

*Step three: Uh... I guess that's it. Look legit, get out fast.

/\/\/\/\/Wizbone's tip at a glance - One more thing to watch out for is nosy employees. I've encountered situations where I'll be working away, and some chick will walk in on me, "who are you? And what are you doing in our telephone closet?" Well, in this situation, the building had all of its comm closets stacked upon one another so fibre, etc. could be run straight up through them to all the floors. I just told her I was feeding fibre down the building. That was good enough for her. Sometimes they'll even think you're supposed to be doing work for them personally, and ask you to reprogram their handsets or fix their computers. It's pretty funny, but kinda annoying. You can just tell them you're not authorized to do anything outside your scope of work. Unless you want to take advantage of the situation and get passcodes and such.

It might even be a good idea to print out a fake work order, just in case. I've never had a problem with this, but you might want to be prepared. All you need is a company name, a scope of work, and the rest is up to your imagination. Don't make it look like a receipt.

+-=[ Wrapping up ]=-+

Leave your area clean. It might be a good idea to check out of the building too. Yes, as tantalizing as it may be to keep those keys, and that pass, just remember, it's always at that desk waiting for you. While if you keep it, a picture/description of you may be waiting there instead.

Remember, just because it sounds easy in text, doesn't mean it will be. To be successful, it will take lots of luck, lots of confidence, a little social engineering experience, but most of all it will take preparation.

This file is the best I can do, but probably the best you could ask for as far as guides for this sort of thing go. I'll continue to add to this file as I see fit, or as I receive suggestions I deem helpful.

--------------------------------------------------------------------------------
Endz.
10/28/1999
revised 12/26/1999
2nd revision 01/06/2000