Marina Ciavatta: From Journalism to Physical Pen Testing & Social Engineering
Phillip Wylie Show, January 28, 2025
Duration: 00:38:22 (35.13 MB)


Summary

In this episode of the Phillip Wylie Show, Marina Ciavatta shares her unique journey into the world of physical pen testing and social engineering. From her origins in journalism to her current role as a red teamer, Marina discusses the challenges and experiences she has faced in the field. She shares thrilling stories of her pen tests, including moments of fear and unexpected encounters, while also emphasizing the importance of training and awareness in cybersecurity. Marina provides insights for those looking to enter the field, highlighting the blend of creativity and strategy required for successful penetration testing.


Takeaways

• Marina's journey began with event organizing and content production in cybersecurity.

• Physical pen testing requires a deep understanding of security protocols and ethical considerations.

• Experience in event management can enhance skills in physical pen testing.

• Being caught during a pen test can provide valuable insights into security effectiveness.

• Security guards play a crucial role in preventing unauthorized access.

• Creative approaches, such as using costumes, can aid in infiltration during pen tests.

• Combining social engineering with physical pen testing can yield better results.

• Training and awareness are essential for both red and blue teams in cybersecurity.

• Practicing social engineering ethically can help develop skills without causing harm.

• Marina emphasizes the importance of leaving positive feedback in security reports.


Sound Bites

• "I had to crawl a lot on the floor."

• "Being caught is part of the job."

• "I tend to collect my costumes as I go."


Chapters

00:00 Introduction to Marina's Journey

06:53 Breaking into Cybersecurity: Tips for Newcomers

13:20 Getting Caught: Lessons from the Field

29:55 Combining Social Engineering with Physical Pen Testing

34:37 Training and Ethical Considerations in Social Engineering


Resources


https://www.linkedin.com/in/mciavatta/

https://x.com/MarinaCiavatta

https://linktr.ee/marinaciavatta


Phillip's New Free Penetration Testing Methodology Training on Just Hacking Training

https://www.justhacking.com/uc/uc-penetration-testing-methodology/

[00:00:01] Welcome to the Phillip Wylie Show. Take a look behind the curtain of professional hacking and hear compelling discussions with guests from diverse backgrounds who share a common curiosity and passion for challenges and their job. And now here's your host, offensive security professional, educator, mentor, and author, Phillip Wylie.

[00:00:34] Hello and welcome to another episode of the Phillip Wylie Show. Today I'm excited to have Marina joining me. So I first learned of Marina, it's probably been several years ago if I'm remembering correctly. I believe you were kind of hosting some live hacking events or CTFs. I think you did some stuff with the Red Team Village too. I think that's kind of where I first became aware of you, and then last year at Nolicon, you know, before we started.

[00:01:03] I mentioned that amazing panel that you, it, 80, Pyro and some other folks did on the Red Team stories, and that was a lot of fun. And really, one of the things that I had in mind bringing you on is that the listeners really love those kinds of stories. And so I figure you've got a lot of cool stories to share. Before we get started, why don't you share your hacker origin story, kind of how you got started up until what you're doing now today?

[00:01:31] Yeah, we did. We did get to meet each other, I think, in, like, 2020. I think that was the time when a lot of live streams were going on. And I used to, me and Min and Teddy from Dual Core, we used to be hosts of the UHC, U2M Hacking Championship online.

[00:01:50] That was pretty fun, for those who don't know. That was an online CTF from all around the globe. People from all around the globe could compete. And it was narrated live like, you know, a UFC match, with the screens showing the players and everything. It was pretty fun. My origin is quite a journey, actually. I don't have a technical background, right? So I'm not a technical person at all. I come from journalism, my first graduation, actually.

[00:02:20] And I was working in content production and events production for a cybersecurity company in Brazil. And they had an awareness and red teaming operations side of the company. And one of my colleagues who was working on the awareness platform got contacted by a client that wanted a physical pen test. And he was very technical. Therefore, he did not like human interactions very much.

[00:02:49] So since I was an events organizer, content producer, and I was also dealing with a lot of the community management of the hacking events back in Brazil, he came to me and he was like, hey, do you want to, like, help me with a physical pen test? And I had never heard about it till then. I had heard about social engineering before, but very briefly, because organizing the hacking events around the country, I would obviously have contact with the community and with the speakers.

[00:03:17] So I would understand a little bit about the subjects, but not at a technical or deep level at all. So that was the first time I heard the words physical pen test. And once he explained to me what it was, like, you are going to break into a company and steal stuff and get into places you shouldn't be in, you know, sabotage and spy on the employees, et cetera, I was very shocked. I was like, am I going to prison if we do something like that?

[00:03:47] And so, very wild. And he was like, no, this is a hired, under-contract assignment, everything is fine, you're supposed to do all of that. I'm asking you because I know you're good with people. And so I was like, yeah, sure, if I have an out-of-jail opportunity, like, to do that, count on me.

[00:04:10] And that's how I went and did my first physical pen test. It was a very big client back in Brazil. We had, you know, a lot of briefing meetings and a lot of scoping for, you know, what I should do and what I shouldn't do there. And it was a great first assignment because the client themselves had never done a physical pen test and I had never done a physical pen test.

[00:04:34] So I did things that I wouldn't have done today because they were pretty crazy, but everything went fine and all the missions were accomplished. The client was very happy in the end and I just fell deeply in love with physical pen testing. So that's how I got into social engineering. And today I have my own company to do the crazy stuff.

[00:04:56] Yeah, it's kind of good that you got to start out with someone that hadn't had that done before, because, like, one of my first or second phishing email campaigns that I worked on was for this company that had been doing it with the consulting company I worked for. They'd been doing it for the past six or seven years. So they'd been through phishing campaigns every year, and then they would do security awareness after that.

[00:05:19] So it was, like, near impossible. Unfortunately, it wasn't successful, but, you know, just going in, with what they'd been doing every year, they were really prepared. And so it's good for them, but as far as the consultant, it was kind of hard to be successful. Because at that time I hadn't been pen testing long, and I was really inexperienced on the social engineering side. So this was a really tough first or second phishing campaign to work on.

[00:05:48] Yeah, I had a little bit of experience dealing with people. When you do event organizing, it's a very crazy world. There are problems everywhere. There are unpredictable things happening all the time. The plan goes haywire a bunch. So you always have to come up with solutions. You always have to know who you have to talk to, to solve problems really fast.

[00:06:14] If you have to change the team, if you have to, you know, bring in... well, you have to think very fast on your feet and you have to be a problem solver and you have to run around all the time. And I think events organizing has definitely helped me to come into physical pen testing with a lot of confidence, for sure. On top of that, you know, my first degree is in journalism. So that helps also, right? Yeah, I bet. Yeah. I have to know how to tell a story.

[00:06:43] I have to know, you know, the sources that I need to go after and all of that. So it all ends up helping with the work. There are probably some skills you gain from journalism, getting to people that you want to interview that, you know, may not be so easily accessible. Exactly. Yeah. You end up learning how to, you know, make people open up to you and how to put their story together in an interesting way.

[00:07:08] So we have a lot of listeners who join the podcast who are trying to break into cybersecurity or are new to cybersecurity. So what recommendations would you have for someone that's wanting to get into physical pen testing or social engineering? So you don't need the technical skills, although they are really desirable. They do help, especially if you're coming from the technical side. For example, you can approach the red team if you're technical.

[00:07:35] They always appreciate someone from tech wanting to come and learn more about cybersecurity and offensive security. And the red team is usually the one running the physical pen tests and, you know, all the crazy stuff. If you do not have a technical background, if you're coming from outside the tech area, you don't necessarily have to be technical. You can find your place in cybersecurity nowadays. You know, it can be compliance. It can be documentation.

[00:08:04] It can be sales. It can be awareness. Awareness is a lot of content producing. Awareness also ideally should be close to the security department to build a very effective, you know, program and campaigns that are truly effective and that, you know, mesh well with the security. Not politics. I'm sorry. It's the word for processes. When you have the documentation, the correct documentation that dictates how people should behave securely.

[00:08:33] Policies or procedures? Thank you. Policies is the word that I'm looking for. Sorry, y'all. I'm from Brazil. English is not my main language. It's my second language. So, yeah. You can definitely find, you know, orbiting areas to start your work with security. I would not recommend diving directly into physical pen testing if you've never had any security experience at all.

[00:09:01] You know, any contact with the security team, department, philosophies, way of thinking. I definitely do not recommend it because it can be very stressful. It can be very dangerous. And you do have to have some background of, like, what is ethical, what is necessary, what are the boundaries, to know how to better act inside a client. That way you don't burn yourself.

[00:09:30] You don't burn the client. And, you know, it's a very delicate kind of work. I started it by accident, but I had many, many years organizing hacking and cybersecurity conferences before. So that was not a totally new world for me. Although physical pen testing was, and social engineering was, cybersecurity was not something new, was not something that I'd never heard of before.

[00:09:53] So definitely get into the pace, get into the culture, understand why is cybersecurity important? Why does it need to be, you know, applied correctly in the scenarios that the client needs and the company needs? You definitely have to have that background if you want to do something crazy like physical pen testing. It's not something where you're like, oh, you know what? I'm great with people. I'm just going to break into a company and steal stuff.

[00:10:23] Yeah. Take a few steps back. Talk with the security team first. So, yeah, I bet you've had some scary experiences. Yeah. If you have any cool stories that you'd like to share, some of the things... Let's start off: what was maybe one of the scariest experiences you've had on a physical pen test?

[00:10:41] So a lot of clients tend to purposely scare me, in a sense of, like, oh, just so you know, the target that you're going after, they're backed up by, like, private security teams. And they all have arms, they all have firearms, and they are trained to shoot. So every once in a while, a client gives me something like that during a briefing meeting. And I'm like, isn't that great? The threat of being shot. Never been.

[00:11:11] So that's good. Let me think. I don't usually get very scared doing assignments, to be fair. I'm kind of crazy. But I definitely had some kind of unexpected, harder-than-I-thought-it-would-be assignments. One of them was I was inside a very big warehouse for a construction company. And they had very big equipment and cranes and tractors and all of that big, you know, big heavy machinery.

[00:11:40] And I had broken into the security... not the security board, but the director's board department. So it was a pretty high-risk area. It was in the middle of the night and there was a lot of armed security walking around. And as soon as I stepped into the department, the board, the director's board department, the lights went on.

[00:12:09] And I immediately threw myself on the ground because it was the middle of the night. I was like, oh, Jesus, I do not need the security guards to come barging in with guns. I threw myself on the ground and I waited for a few minutes and then the lights went off. So I was like, okay, I didn't even consider that the lights would, you know, have sensors on them. I didn't consider that in my assessment beforehand. So I had to crawl all my way through the entire department.

[00:12:38] And I had to be very gentle with opening cabinets and getting into the rooms and hiding myself under the tables to open the drawers, to lockpick. So I had to be extremely careful and do a lot of muscle work because I had to crawl a lot on the floor. And the next day I was so sore. I was very sore for weeks after. That was the type of workout that I'd never done before.

[00:13:08] It's just spring. Oh, God, please may the sensor not pick up my movements. But everything worked out. The sensor did not detect me. I stayed low the whole time. And, yeah, I think that was the most nervous that I was, like, you know, nerve-wracking. That experience that I had during a physical pen test definitely was that. Because, like, how am I going to explain to an armed guard if he comes in and I'm, like, crawling on the floor?

[00:13:39] That I'm supposed to be here. Yeah, boy. So have you had any interesting experiences getting caught on a physical pen test? Oh, yes. I did recently. I was very surprised. This is not an exciting story because I was caught, like, very fast in a building. It was a big building. It was a big, big company, a finance company. So pretty high risk.

[00:14:06] High risk... is high level a word? Yeah. High level. They're high risk. Yeah, it's like a high-level target. Yeah. Okay. And because of that, they were also, like, high risk of, you know, violence. Like, violence could escalate quickly. Like, armed guards could come in and it could put me in danger, et cetera.

[00:14:28] So I was going into the building and the building had, like, face reading, biometrics, and guards everywhere and cameras everywhere. But because we were in Brazil and Brazil was going through some storms, Sao Paulo was going through, like, a storm season, the building lost its power.

[00:14:49] And in the split few minutes that I had in the lobby, I convinced the security guard to open the side door for me so I didn't have to go through biometrics to get inside. So I took advantage of the power outage to go in. Now, this is pure luck. This is not something that looks good on a report, right? Because how can you repeat that?

[00:15:12] You're going to have to drive a car into the light post to replicate a power outage, or you're going to have to do, like, you know, big infrastructural damage to the building to provoke a power outage again. So the chances of that happening are not that great. But it happened when I was there. So I took advantage of it and got inside. But as soon as I got up the stairs and I reached the target's door, I was immediately caught tailgating.

[00:15:41] And then I tried again and I was immediately caught tailgating again. They were very good at catching tailgating. And it was the only way you could get inside. There were no other doors. There were no service doors. There was just a front door with biometrics. So the way to get inside was either to clone someone's biometrics, which is quite a lot of work,

[00:16:04] and if that's not a specific request of the client, because the threat is something real for them, like, oh, yeah, we do think there's a higher chance of someone, you know, cloning someone's biometrics or something, you usually go with tailgating. And it just did not work. I tried many times and it just did not work. And at some point there, the employees were getting annoyed by me trying to get in. It escalated very quickly. And the CEO had to show up.

[00:16:33] The CEO was involved. Like, he knew what was happening. He was part of the group of people that hired me, et cetera. But he had to physically go there to, you know, let everyone know that everything was fine. And it was indeed something that I was hired to do. Yeah, it was actually the first time that I got truly frustrated that I couldn't get in. And there was a second.

[00:17:03] There was another. There's another story that I like very much, when I was caught. Being caught is sometimes part of the job, right? A lot of people don't know this. A lot of people are like, oh, physical pen test. That's great. You're like a spy. You never get caught. Ha ha ha. People don't know. Being caught is part of the job a lot of times because you have to test people's reaction. You have to test the security.

[00:17:24] If security is going to actually catch you, and once they do, what they do with you, if they follow procedures, you know, if the alarms are actually working. You have to sound the alarms. And you have to make sure everything is working correctly, even if you do get caught. And after a whole day of an assignment, I was like, OK, this is now the time to test if I get caught, and how. And then I was going around the department doing very crazy, suspicious things, like

[00:17:54] clearly messing with people's desks and documents and computers and sitting at a lot of different desks. I was being extremely suspicious. And then a manager came to me and she was like, what are you doing here? You shouldn't be here. And she took me to, you know, a little room to interrogate me.

[00:18:12] And then I showed the documents to her. We have what we call the get-out-of-jail card, which is, you know, a little piece of contract that says you're supposed to be there, et cetera. You can sometimes have a fake one that has no contact, no true information, as a way of convincing the other person to work with you on the assignment. So you kind of recruit an ally. And I had the fake one with me and I showed her the fake one.

[00:18:42] And for those who don't know, the real one has all the information. It has your, you know, employee information and it has your employer information, it has the contacts, like the phone number for you to call the security team to confirm that I'm a person that's supposed to be there, or tell them to go and pick me up, you know. And the fake one has none of that. The fake one has whatever I decide to put in there. So I just wrote, oh, this is a test and you're not supposed to interrupt the test.

[00:19:11] If you do interrupt the test, you may ruin the results. And in order to support the test, you should then provide whatever the person doing the test needs. It was just very vague. And the manager read that and she was immediately like, oh, OK, sure. What do you need? And I was like, oh, please just don't interfere and don't tell anyone.

[00:19:38] I'm going to keep doing my job and I'm going to keep going through the department and, you know, finding new targets. And once I said finding new targets, she immediately opened the door and pointed out people that she wanted me to attack. And I could feel she was not having a good day with those people. She's like, wow, that one. You should go to that one. That person's desk. Third drawer. Open the third drawer. You will find very good stuff. That's what she was giving me.

[00:20:06] And I had to hold everything in myself to just not laugh, right. Sure. Yeah. Thank you. That's going to be great. That's funny. That was awesome. I love that. So I guess it's kind of interesting to see the different levels, you know, a higher security facility compared to some normal security. The quality of security guards that will be working there. I'm sure there's got to be some differences there, because you see some places where the security guards, you know,

[00:20:36] they're not really interested in their job or they may fall asleep on the job and stuff. Then you've got people that are really serious at really highly secure places. So I'm sure that makes a lot of difference in your efforts, I would bet. I think it depends on the security team's training. A lot of them are not ready for what I'm bringing. Like, a lot of them are not ready for a little girl to get inside and steal a bunch of stuff. And I have very good excuses, right? I have my trainee.

[00:21:06] I'm late for a meeting. I am from tech support. Once I got inside, like, a big medical distribution warehouse, and the client was having trouble because they were having people from inside the warehouse stealing medical products from the warehouse. So they needed to know how that was happening to stop it. So I was getting inside the warehouse to steal medication and show them how I was doing that. And I did it by approaching the security.

[00:21:36] And it was, like, very heavily secured. Like, you know, there were security guards everywhere, cameras everywhere. The doors were like iron bars, rotating iron bars. And then, you know, all the drill, all the security drill. And I got inside by approaching the security guard and asking, hey, did you call IT? I got, like, a call from here. Apparently, there's a problem with the security cameras. I guess one of them is not responding.

[00:22:02] And because of that, a few of the other ones are starting to show some issues. So if you could please accompany me inside, I need to take a look at the security cameras to make sure everything is being recorded correctly. And the security guard opened up for me. And he walked around with me showing where each and every security camera was in the warehouse. So now I had a blueprint in my head of where the cameras were positioned, what they were filming and what they were not.

[00:22:31] And he was going for a second round with me. And I was like, you know what? This may take a little while. If you want to go back to your desk, as soon as I'm finished here, I will come back there and let you know, including if I'm going to need your help to maybe reconnect one of the cameras or something. And he was like, oh, yeah, no problem. And then he went back to his station and I was there all by myself. So I already knew where the cameras were positioned. Then I put a bunch of medicine inside my coat. I took the medicine out with me.

[00:23:01] Once I was coming out of the warehouse, I said thanks for his help while I was leaving. And then I came back to leave the medicine back, because that's it. That's a thing for y'all to know. Once you're doing a physical pen test, sometimes you have to steal something more than once to prove that that is actually a vulnerability. That it was not just luck. That's an actual issue that you can exploit over and over, or more than once.

[00:23:29] So I often have to come back to the place where I stole something, or where I got access, to show that I could do it again. So I had to come back. And once I was back, you know, I used the same excuse. Hey, just so you know, I'm coming back here. We did find a camera that's having some problems, but I can already fix it. I brought some equipment and it's not going to take too long. I can go by myself. You don't have to go all the way over there. You already showed me where it is. So don't worry about it.

[00:23:59] And then he let me in again. And there you go. And then I put all the medicine that I stole back. And yeah, and that was it. So sometimes you have all the security in the world. But if you don't train them correctly, if you don't tell them, like, if it's someone unknown, you have to confirm. You have to ask who the responsible people are. You have to contact them. You have to be sure. You can't let people walk around by themselves, et cetera. If you don't train them, they don't have any way of knowing.

[00:24:29] So have you ever come up with any kind of cool costumes or uniforms to wear into places to be able to get in? Absolutely. I usually show up very neutral and I tend to collect my costumes as I go. I steal a lot of things. If I find a jacket with the company's logo, that jacket is now mine. If I find a lanyard with the company's logo, that lanyard is mine now.

[00:24:55] If I find hard hats and, you know, maintenance vests, it's now my uniform. So I steal everything that I can. There is a video of me from one of the clients where... it was a huge campus with 10 buildings and each building did something wildly different than the other one. So at the end of the assignment, I just sent it. It's a video of me just taking stuff out of my bag for five minutes.

[00:25:23] All of the different uniforms, the maintenance uniform, the security uniform, the cleaning crew uniform. Usually I don't tend to use the cleaning crew uniform for ethical reasons. I don't want anyone to be fired, especially because the cleaning crew is often neglected in training. And, well, yeah, I do steal it.

[00:25:46] I had, like, a few pictures of me wearing the uniforms or having found, you know, the cleaning cart with the big bins and the brooms, et cetera, and all the cleaning products and all of that. I think one of the coolest ones was a hazmat suit. I had to get inside a lab, a chemical lab. I can't remember.

[00:26:14] Was it medical or was it, like, automotive formula? It was a chemical lab. And once I got inside the first part of the lab, because there were two environments. The first one was, like, this sealed place where they would keep all the equipment and uniforms such as the hazmat suits. And then you could get inside the lab. So once I was there, I was like, oh, my God, cool.

[00:26:43] I get to use a hazmat suit today. And I put it on inside and did all my crazy stuff. So, yeah, that's fun. So what about making badges and stuff? So have you got a collection of badges that you've created over the years to get into the different locations? Yeah, for sure. I love LinkedIn. Everyone posts their badges on LinkedIn. So it's pretty easy for me to just find some employee that posted their badge there.

[00:27:11] And once they post the badge, I usually go to, you know, Canva or whatever image editor on the Internet. I'm not a designer, but it's pretty easy usually to replicate badges. I do that by myself. I just put the badge side by side with the new badge that I want to create with, you know, my picture and then the job that I want on the badge. Once the design is ready, then I send it to printing.

[00:27:38] It's usually, like, a sticker. In regards to cloning, I usually do one of two things. If I'm feeling dedicated and the client specifically asked me to actually clone a badge, I usually go up to the company and I wait for someone to come out or to get in. Or once I'm in by tailgating or whatever.

[00:28:03] Or if I'm in the building's vicinity, I try to go to restaurants that the employees might go to for lunch. Bars that they may go to for happy hour. Or my personal favorite, that works 95% of the time, is the smokers' area. The smokers', you know, little patio, or usually there's somewhere outside where the smokers are. And that's my favorite because smokers relate to other smokers.

[00:28:33] Unfortunately, I do have to have a cigarette with me. That's the bad part. But, you know, I can ask for a lighter. I can, you know, vent about the day. And usually smokers are on the same kind of vibe. If I turn and say, like, oh, do you have a lighter? That's a great excuse for me to approach the other person and get into their personal space. Because you usually get very close to them. Like, oh, hey, do you by any chance have a lighter? I'm so sorry.

[00:29:02] And in this approach, I've already taken enough seconds close to their badge to clone it. I would have the Proxmark in my hand, holding it with a cigarette box as well. Or you can have, like, a glasses case, like where you put your glasses, with the Proxmark inside. That gives me enough time close to their badge to clone it. That is definitely my top favorite. If I don't have the time or the resources, or the client doesn't specifically ask me to clone the badge,

[00:29:32] I just literally slap that sticker that I printed on a hard card that I can get on Amazon. Or I can also use just, you know, hotel key cards. I just put a sticker on top of it and put it around my neck. And that usually works. I don't even have to clone the badge or anything.

[00:29:55] Once I'm approaching the turnstiles that need the badge, that have the badge reader, I put the badge there and nothing happens. And I pretend I'm very confused. I'm like, what the heck? Why is this not working? I was here yesterday, blah, blah, blah. And that's a great way to approach the security guard and try to, you know, convince him to open up for me. Or try to convince the receptionists to give me a new badge or something like that. So that's also a pretty cool kind of attack.

[00:30:24] So how long typically are these physical pen tests you do? Are they usually, like, a day, a few days? How long do they usually run? It really depends. It really, really depends. There is not a unique formula for them, because some clients have a huge campus with 10 buildings. And some clients have five different buildings in five different states.

[00:30:51] Some clients have just the one floor during lunchtime. So it truly depends on the client's size. I can do it all. I can do it in three hours or I can do it in a week, or whatever the client needs. So what's the fastest amount of time you've been able to complete a pen test? Definitely three hours. I've done one in three hours, which is, like, a lunchtime scenario. You know, it's like, oh, we only have this one or two floors in this building.

[00:31:20] And I usually go there during lunchtime, when the flow of people is pretty big, but inside is kind of empty. It's a great time of the day for me to go to the assignments. People are distracted. A lot of different departments are empty. A lot of people left stuff behind that they shouldn't, like computers and documents on top of the tables on their desks. And yeah, so three hours was my fastest. Oh, very cool.

[00:31:49] So we're getting down towards the end of the episode. Is there anything you'd like to share that we haven't discussed? Hmm. I'm not only a physical pen tester, of course, I'm a social engineer. I do a lot of other stuff like phishing and vishing and smishing and all the "ishings" that you can think of in social engineering. And a lot of the time you can combine those attacks, right?

[00:32:13] So if the company hires me, for example, to do spear vishing on a few targets a few weeks before, and I collect enough information that I can use on my physical pen test, I sure will. If it's a combined contract, I can surely use the same information that I collected to help me during the physical pen test. I just had that happen at the end of the year with a client.

[00:32:37] And I was calling their help desk and pretending I was an employee and I couldn't get access to my accounts. And therefore, they reset the employee's account and they sent me the new password. They changed the email to the one that I wanted. And along with the password reset, they also sent me the QR code needed to get inside of the company.

[00:33:01] And all, you know, the information needed for me to download the app and register the QR code in my name, etc. So I used that in a physical pen test a couple of weeks after. So yeah, you can have fun and do some fun combos there with social engineering. I don't just do the bad stuff. I also do the nice things.

[00:33:23] I use a lot of the attacks, results and information that I have to put together awareness campaigns for the clients and teach them how to not fall for my tricks again and for similar tricks also. So I also work with awareness. I'm a red teamer, but I'm also... Is awareness a blue team kind of thing? I don't know, but I'm also educating people.

[00:33:47] Yeah, that's something that does happen with red teams and pen test teams, because, like, in one of my first pen test jobs I had, my first two jobs actually, anytime there was any kind of social engineering or physical pen test, there was always some kind of security awareness that came along with it. Yeah, that's the idea, right? A lot of people run the red team ops and the physical, not just the physical pen test, but any pen tests, to find the vulnerabilities.

[00:34:15] And they forget to use that to better build their teams and to better train the teams. And I definitely try to always put something positive on the reports. We from offensive security can often get mad and, you know, just focus on results and put a lot of the bad stuff, the vulnerabilities and problems and issues that we found. But you have to think about who's reading the report as well, right?

[00:34:42] Like no one likes to just be told, oh, you only have problems. You only have issues. It's kind of, you know, it makes you lose hope that you can fix all of that. I always try to leave little gold stars around the report, like, oh, you know what? This worked. Like, I tried to get inside there and I couldn't. So, you know, point for security. That's awesome. Yeah. So be nice. So is there any good training you can think of for the physical pen testing or social engineering?

[00:35:11] Yeah, that's a tough question, because for technical people, there are labs. There are CTFs. There's a bunch of stuff they can do on VMs and, you know, machines that are made for their training. Now, for social engineering and especially for physical pen tests, there are no labs.

[00:35:33] And if you try to have real life experience with those, you may very well break a lot of laws and get yourself in trouble, because, you know, it's not super easy to practice breaking and entering and stealing. So I don't have a practical tip to give to people to train for physical pen tests. I can tell you, you know, get close to the red team. Let them know you have an interest in it.

[00:36:00] Definitely go after content from people who are out there doing physical pen tests. Just listen to their stories very closely, very attentively. Get in touch. Ask a lot of questions, you know, do your homework the best that you can before you try to do something crazy like that. And if you don't work with that, if you don't have a contract, do not go around doing physical pen tests. OK, it's illegal. It's going to land you in jail if you don't have a contract.

[00:36:27] And I'm talking about a legal contract, not, you know, just something that you work out together. For social engineering, the scope is a bit better. Right. You can do that to friends and family. You can let friends and family know, like, hey, I'm training this new skill for my work, and at some point during the year, I'm going to try to extract data from you. I just want to give you a heads up, just so you don't hurt the relationship with the other person.

[00:36:57] It's always nice. You know, you have a heads up, and consent is extremely important for social engineering in an ethical way. And then around the year, you can try all kinds of tricks with your friends and family. Like, try to call them and pretend you're their bank and try to get information out from them. Call, you know, some aunt or uncle and convince them to send you money to an unknown account or a friend's account or something like that.

[00:37:25] So there are ways of training social engineering where you don't necessarily have to land in jail and don't have to be mean to other people or actually scam anyone to practice. So, yeah, be safe out there. Yeah, it's been great chatting with you, getting to know more about you and hearing some of your stories. So thanks for joining me today. Yeah, thank you. Thank you for having me. This was super fun. Yeah. Thanks.

[00:37:56] Thanks, everyone. And we'll see you in the next episode. Thank you for listening to the Phillip Wylie Show. Make sure you subscribe so you don't miss any future episodes. In the meantime, to learn more about Phillip, go to thehackermaker.com and connect with him on LinkedIn and Twitter at Phillip Wylie. Until next time.