Each year, Rapid7 penetration testers complete hundreds of internally and externally based penetration testing service engagements. This is the fifth and final post in our five-part series featuring testimonials of what goes on beneath the hoodie. For more insights, check out our report, “Under the Hoodie 2018: Lessons from a Season of Penetration Testing.”
While performing a physical social engineering penetration test, I began with Open Source Intelligence (OSINT) gathering for a client partner. While starting the penetration testing service engagement, information was obtained about the client regarding the location of the physical assessment as well as information about the organization.
At the start of the first day onsite for the assessment, I drove to the parking lot and began observing employees as they entered work. I noted what people wore, what their badges looked like, where the majority of employees wore their badge, where they walked from when heading to the building, and where they entered the building.
A local Starbucks across the street from the office seemed like a great place to lay low and get a closer look at the badges so I could make my own to impersonate an employee.
After creating a badge and wearing similar-looking clothes as the employees I observed, I worked to identify a staff member I could tailgate into the building around 4:30 p.m. Within a few minutes, the perfect opportunity arose. As I walked behind a staff member who was heading toward the entrance, a number of other people walked out as well. This allowed me to blend in with all of the people coming and going. I then worked to open doors for employees so they would reciprocate the favor. It worked—once I walked into the elevator, an employee scanned their badge so I could head upstairs.
Pushing the limits
I was able to gain access to the building and lay low for some time while employees finished up for the day. Once a number of people ventured out, I began working on my objectives for the assessment. After a few hours, I had accomplished a number of objectives for the organization. It was time to see if any employees would challenge me. Late in the evening, I approached the help desk and asked for a phone charger, posing as a new employee on the security team who was stuck working late.
Now, it’s important to note that at this point, an internal network penetration test was taking place at the same time as the physical social engineering assessment. However, the rules of engagement stated that the teams were not allowed to associate onsite. I struck up a conversation with the help desk to gather more information and give them an opportunity to challenge me as someone who shouldn’t be in the office.
Thinking I was a new employee on the network security team, someone at the help desk said to me, “Steve, did you know an internal network penetration test is taking place right now?”
“Whoa, I did not know that,” I responded. “That’s awesome. I wish I was a pen tester—they have such a cool job.”
“For all I know, you are a pen tester!” the help desk employee joked.
“Nah, man, not me. It would be awesome if I was, though,” I replied with a chuckle. “Oh, by the way, can you let me into the server room? I really need to get in there to take care of some things.”
The help desk employee asked why I needed access and said even they didn’t have access. About a half an hour passed as I continued to chat with the help desk employee to get them to challenge me and tried to get additional access to sensitive areas in the building. I finally revealed that I was a penetration tester to the employee, then left the building for the night and continued the assessment the next day.
Fast-forward to seven months later. I was onsite for the client partner again, but this time it was for an internal network penetration test. While staying after hours on the second day, I stepped away from the computer and grabbed a quick cup of coffee. I walked to the elevator and badged up with the vendor badge to go to the third floor. However, the elevator wouldn’t change floors, as vendor badges didn’t work in the elevator after hours. I was essentially stuck in the elevator and couldn’t go anywhere but the lobby.
I proceeded to the main lobby, and since this was not a physical security assessment, I approached the security guard and told him what was taking place.
“Hi there,” I said. “I am here as a vendor and was working on the second floor, but when I stepped into the elevator, I realized I couldn't go anywhere but down to the lobby. Can you badge me up so I can grab my things and head out for the night?”
The guard replied, “Oh, sorry, I can’t let you up because we had an incident where someone made a fake badge and was able to gain access to our building about seven months ago. Without a specific OK from your point of contact, we can’t let you up.”
Once we tracked down the point of contact, he was very happy to hear that they were following the policies implemented after the previous physical social engineering assessment. So was I! It was great to see a client take the lessons from the previous engagement to heart and work to properly train their employees and break those old habits.
Interested in learning more about how Rapid7 pen testers conduct their pen testing engagements? Check out the previous posts in this series below:
- “This One Time, on a Pen Test, Part 1: Curiosity Didn’t Kill the Cat—Honesty Did”
- “This One Time, on a Pen Test, Part 2: How Just One Flaw Helped Us Beat the Unbeatable Network”
- “This One Time on a Pen Test, Part 3: How Jumping a Fence and Donning a Disguise Helped Me Steal an Energy Company"
- “This One Time on a Pen Test, Part 4: From Zero to Web Application Admin through Open-Source Intelligence Gathering”