31. Assuming Direct Control
Demos
• HID EVO Discovery
• Pull database (it’s empty)
• Implant card value
• Pull DB again to show new card value
• https://youtu.be/biNaPsvDpr0
32. Assuming Direct Control
Demos
• AMAG EN-1DBC Discovery
• Implant card value via CVE-2017-16241
• https://youtu.be/OQ-7ixDIGXg
Where to look?
OSINT: searching job descriptions…
Read people's emails like a freaking stalker, digging through the org chart to find the people who have the info we want
And then all the places that people store documents (list them)
Depending on the level of compromise, you might get to the point where you are targeting the desktops and backups of those key personnel