Each year, Rapid7 penetration testers complete hundreds of internally and externally based penetration testing service engagements. This post is part of an ongoing series featuring testimonials of what goes on beneath the hoodie. For more insights, check out our 2019 Under the Hoodie report.
I was sent on location with another team member to perform a red team assessment. The client had told us on our pre-engagement call that no one had ever successfully gained physical access to their building. Challenge accepted.
When we arrived onsite, we found that the client owned three multi-level buildings in a campus of similar office buildings. Other companies shared the campus with our client. The buildings were arranged in such a way as to create a central courtyard, where an open-air cafe had been set up for workers to enjoy the outdoors.
Our recon identified that all doors into all three of our client’s buildings were protected by badge readers and that security guards roamed the campus looking for suspicious people and activity. We also saw that each entry had a surveillance camera overhead. We knew this wasn’t going to be as easy as other similar engagements had been, so we formulated a plan.
We had with us a HID badge cloner that had been built by our team for such an occasion. It was designed to be able to capture the RF signals from the ID badges from as far away as a few feet. We determined to make use of the cafe to sniff some ID badges. We each got a pastry or cup of coffee and sat down in nearby armchairs to wait.
When we saw an employee arrive from one of our client’s buildings, I got up with the badge cloner safely concealed in a messenger bag slung over my shoulder. I approached the employee when she was paying for her coffee and rudely reached across her to grab a napkin out of the dispenser, allowing my messenger bag to get really close to her ID badge. I apologized for reaching and returned to my seat.
After we finished our coffee and pastries, we returned to our car and checked the memory card in the cloner to see whether it had gotten her badge information. It had! We quickly made several copies of her ID badge. We agreed I would attempt to enter the building first, so I got my backpack with all my tools and my laptop, cinched up my tie, and headed for the side door. I pulled the fake ID from my pocket, praying it would work, and got ready to use it as I approached.
Just as I was about to step up to a badge reader to unlock the door, two employees walked out and held the door open for me, allowing me to enter without even needing the badge. I had to stifle a laugh as I entered the building and proceeded to install a drop box, occupy an unused cubicle for 30 minutes, and try to get network access. I eventually left the building undetected, having successfully completed our client’s challenge.
The moral of this story is, even when you have all the technical safeguards in place, your own employees’ actions can undermine it all and provide the one avenue the bad guys need to get past your perimeter.
Interested in learning more about how Rapid7 pen testers conduct their assessments? Check back every week for a new story in the series.
- This One Time on a Pen Test: Paging Doctor Hackerman
- This One Time on a Pen Test: How I Compromised a Healthcare Portal Before My Hot Cocoa Went Cold
- This One Time on a Pen Test: Missed a Spot
- This One Time on a Pen Test: Nerds in the NERC
- This One Time on a Pen Test: The Pizza of Doom
- This One Time on a Pen Test: What’s in the Box?
- This One Time on a Pen Test: Our Accidental Win