Red Team Alliance - Attacking and Defending Physical Access Control Systems (On Site)

May 17th and 18th

Course Abstract

In this training developed by world-renowned instructors Babak Javadi and Christian "Iceman" Herrmann, students will be immersed in the mysteries of PACS tokens, RFID credentials, readers, alarm contacts, tamper switches, door controllers, and backhaul protocols that underpin Physical Access Control Systems (PACS) across the globe. The course provides a holistic and detailed view of modern access control and outlines common design limitations that can be exploited. Penetration testers will gain a practical understanding of what PACS looks like in the field, and how t - intercept, clone, downgrade, replay, and bypass one's way through the system. Defenders, designers, and directors will come with away with best practices and techniques that will resist attacks. Participation will include hands-on practical experience with tools, exploits, and refined methods for compromising modern Physical Access Control Systems.

Outline

  • Fundamentals of Modern PACS Designs
  • Sensor Manipulation and Bypass Methods
  • Historical and Modern Security Tokens Including,
    • Magnetic Stripe
    • 125KHz RFID Technologies including Prox, Indal, ioProx, EM, and others
    • 13.56MHz and NFC RFID Technologies including iCLASS, Legic Prime, MIFARE, DESFire, ISO1443A, ISO1443B, ISO15693, and others.
  • Understanding and Use of "Magic" RFID Credentials in Cloning Operations
  • Biometric Authentication
  • Practical Instruction, Understanding, and Use of the Proxmark3 RFID Research and Attack Tool
  • Reader Weaponization and Extended-Range RFID Cloning
  • Tech Downgrade Attacks: Techniques for Identifying Vulnerable System Configurations of SEOS and DESFire EV1/EV2
  • Principal Methods of Operation of Door Controllers, Control Panels, and their Associated Weaknesses
  • Deploying Denial of Service Attacks
  • Wiegand Protocol Sniffing, Interception, and Replay

Students will be well-prepared for real-world red team scenarios and learn how to exploit access control technology with the latest attack hardware. There are also modules detailing the backend of these systems, allowing Man in the Middle and Denial of Service attacks.

Every student is eligible to an optional hardware package available only from Red Team Alliance! The student hardware kit is not sold separately and are limited to pre-registered students.

The exclusive hardware package includes…

  • The RFID Door Simulator: Colloquially known as the "Building in a Box", this unique piece of equipment is a self-contained unit intended to simulate authentication operations performed by a paired RFID credential reader and an upstream door controller. It features a unique multi-technology RFID credential reader, an integrated door controller, an OLED display, and a power supply. Enrolled students will practice interacting with a wide array of credential technologies and get hands-on experience with the tools, techniques, and procedures necessary for executing multiple kinds of attacks against PACS environments in the field.
  • Proxmark3 RDV 4.01 Retail Package
  • Professional PACS Credential Demo Pack: A comprehensive collection of specially configured PACS credentials representing the top technologies used worldwide.
  • Penetration Tester's Blank Credential Pack: A comprehensive and practical selection of special-purpose credentials that can be reprogrammed to emulate a wide variety of credentials, including 125KHz, 134KHz, and 13.56MHz technologies.
  • ESPKey Wiegand Interception Tool: A stamp-sized man-in-the middle attack tool that can be deployed against most systems to intercept, replay, and manipulate credential data in-transit.

Who Should Attend

TBD

What You Need

  • Windows 10 x64 w/ Administrative Rights
  • Webcam and Microphone
  • Appropriate Firewall / Security Access

Students will be required to be ready to participate with a computer natively running Windows 10 with local administrative rights. Virtual Machines and other operating systems have performed inconsistently. Students may bring a Linux or MacOS system as well, but those doing so should ensure that they have ready access to a native Windows 10 machine. Students must ensure local security polices or firewalls do not block any necessary access.

Bio

Babak Javadi Senior instructor, Red Team Alliance

Babak is a noted member of the physical security community, well-recognized among both professional circles (due to the work The CORE Group) as well as in the hacker world (as the President of TOOOL, The Open Organisation Of Lockpickers.) His first foray into the world of physical security was in the third grade, where he was sent to detention for showing another student how to disassemble the doorknob on the classroom supply closet. Babak is an integral part of the numerous lockpicking workshops, training sessions, and games that are seen at annual events like DEFCON, ShmooCon, DeepSec, NotACon, QuahogCon, HOPE, and Maker Faires across the country. He likes spicy food and lead-free small arms ammunition.

Return to training sessions