Each year, Rapid7 penetration testers complete hundreds of internally and externally based penetration testing service engagements. This post is part of an ongoing series featuring testimonials of what goes on beneath the hoodie. For more insights, check out our 2019 Under the Hoodie report.

Recently, we did physical social engineering and internal network penetration tests for a health insurance company with the customer’s prior written consent.

During some physical reconnaissance, we found a side entrance for employees and took notice that it was a pretty small office. At a smaller office, it’s harder to pretend you work there, so we came into the physical social engineering assessment posing as a vendor instead.

Hoping that the management employee we were going to name-drop in our cover story would be out at lunch, we showed up around noon dressed as a vendor in a company shirt and everything, and holding a medium-sized box.

After waiting at the side entrance for a couple minutes, an employee walked up and asked if we needed to get inside.

We were only inside for about 10 minutes before one of the employees came up to us, asked us about our cover story, tried to reach our contact, and escorted us out after they couldn’t get ahold of him.

However, that was enough time to get a rogue wireless access point connected underneath a desk, which we were able to use to connect to the internal network from the parking lot. We didn’t want to waste much time in case they went looking around where they stopped me, so we started checking the internal network scope and found a Domain Controller vulnerable to MS17-010.

Interested in learning more about how Rapid7 pen testers conduct their assessments? Check back every week for a new story in the series.

[Research] The Art of Penetration Testing: Analyzing 180 Pen Testing Engagements to Understand Security Trends

Read Now