Pen testers rely on a variety of methods to compromise their clients during penetration testing service engagements, but none are quite as fun as when they must don a disguise to blend in with their surroundings. So, in honor of Halloween, we thought we would celebrate by sharing a few of our Rapid7 pen testers’ costumed crusades. Did they trick employees into doing their bidding, or were they treated to proper security protocols? Read on to find out!

‘The Boy in Blue,” by Trevor O’Donnal

I’ll never forget the time we were providing pentesting services to a police department with the customer’s prior written consent. We had finished our pillaging and left the building, but once we reached our rendezvous point, we realized our good friend Ross was missing. We tried to reach him on our two-way radios, to no avail.

As we started to panic, in walks Ross in full police uniform, including a police radio! He had to raid the clean laundry in the basement dressing room to get out of the building. We bowed before him because we weren’t worthy.

And yes, this was all in scope. The police chief had said, “Anything goes, short of killing or kidnapping someone.” He had a great laugh about it in the end.

‘Here Are Your Flowers,’ by Robert Stewart

I once did a physical social engineering engagement where I didn’t see a clear path into the customer’s office space. The receptionist was behind a locked door and used a remote speaker to talk to guests and let them in. All of the other doors into the office could only be accessed by a badge, and my attempt at cloning badges was unsuccessful. But I wasn’t giving up.

I did a ton of recon on the employees and after locating one employee on LinkedIn first, I tracked down her Facebook page using her name, location, and profile picture. Her Facebook page was public, which meant all of her personal details were available. I learned about her family, her habits, her hobbies, and her husband.

I devised a plan to show up as a flower delivery guy to surprise her with a dozen roses from her husband and a song to serenade her with in the office. I worked up my costume to appear like a delivery guy would, and got the receptionist to let me in. The employee was called from the back to the front desk, which was a bummer because I wanted to be at her desk, but I rolled with it. I gave her the flowers, sang, “You Are My Sunshine,” and finished with, “Love, Tony!”

Her response was a confused, “Tony? Who is Tony?!”

“Uh … I don’t know, that’s what the order said!” I replied, and promptly booked it out of there. As it turns out, the employee I located on Facebook was not actually the right person, despite the fact that they had the same name, lived in the same city, and looked very similar. Totally crazy.

Though I failed at getting into where I wanted to go, this is still one of my favorite engagements because of the way it ended.

‘Pizza Delivery!’ by Aaron Herndon

On a previous red team operation, we had recently completed our objectives remotely. Access to the network had been obtained, servers were compromised, and loot was exfiltrated. In the twelfth hour, our customer point of contact had an idea. He wanted us to infiltrate the physical security operations center (SOC) with either a plant or some type of attack. This operations center had its own entrance separate from the rest of the main facility entrances, making it possible to knock on the door and gain entry directly to the lobby attached to the SOC room.

Assuming the SOC facility would require badge and PIN access (which turned out to be correct) and that tailgating would not be feasible due to the center being a single room with a small number of employees who all knew each other, we decided to take a new approach: enter as the pizza man.

Using a uniform from a large pizza chain, we dressed the part. Then we ordered the SOC some lunch. The odd request was that we asked for an empty pizza box from the pizza chain, which they did provide. Inside this box was our laptop, equipped with a CrazyRadio PA device running the MouseJack firmware. On loop, the device would scan for vulnerable USB mice and keyboards to remotely inject keystrokes (a surprisingly common vulnerability due to the wide adoption of Logitech peripherals in the workplace). We configured our MouseJack payload to quickly open the run prompt, download a payload from the internet, and execute it, giving us remote access to the machine.

On the day of our attack, we approached with four pizza boxes and a bag with some two-liter bottles of soda. The top three boxes actually contained pizza, while the fourth housed our payload delivering machine. With our hands full, we banged our elbow against the door of the SOC room to get their attention. An intercom buzzed, and we were asked to identify ourselves. After saying we had a pizza delivery, the door quickly opened to reveal an excited employee.

We indicated that we weren’t sure who had ordered the pizza, but were told to come to this room for delivery. The SOC employee directed us into the room, allowing us to set the pizzas down. We spent a couple of minutes making small talk, letting our mousejacking attack go to work. Then, we mentioned that the bottom pizza was actually to be delivered to another individual at the company, and reclaimed our payload box, making a smooth exit.

Returning to our car, hearts racing from excitement, we quickly contacted one of the red team operators to see if the attack was successful. Sure enough, we had received a connection to our payload server and the attack launched. Unfortunately, the connection died four minutes into being used. Had they discovered our pizza Trojan horse? Did the employee shut their machine off to go indulge themselves in the food provided? We still do not know.

‘The Construction Worker,” by Leon Johnson

I was once part of a Red Team of three tasked with testing an energy company with three locations in three different cities. My assigned location was surrounded by an 8-foot barbed-wire fence to guard most of its service and Cat heavy equipment vehicles.

I started by driving by the site on the first day of testing, watching people arrive for work and leave to get an idea of what sort of activity this location had. I went to dinner, and when I came back around 9 p.m., I realized there was a business next door that allowed for cover after hours. I decided to jump the fence and walk around the property in the shadows as much as I could. My goal was to avoid getting picked up by any cameras and getting caught.

As I began checking the commercial vehicles for unlocked doors, I found that one had a laptop on the armrest inside. I got excited, as I was thinking of all the possibilities for what I could do with a laptop if I got my hands on it. The vehicle’s locked doors stumped me for a while until I realized the quarter window was unlocked. I was able to push it open, unlock the truck, jump in, and grab the laptop.

I sat there for about five minutes waiting to see if anyone had spotted me. When nothing happened, I tried to get into the laptop but struggled because I didn’t have any tools on me. I made a call to my customer point of contact and asked for written permission to take the laptop, which was granted. I then slid it under the fence, jumped over to my rental car, and headed to my hotel.
I worked on the laptop all night, getting past the login first with Kon-Boot and adding a local administrator user. Later, I mounted the hard drive with Kali, as the drive wasn’t encrypted. I pulled up the local admin hashes off the PC and set up some malware so that when the box was booted up, it would call back to me and give me access when it was on.

The next morning, I broke back in and returned the laptop before employees’ shifts started so no one would suspect anything. I got a local administrator shell, but it died before I could do anything with it. So, I had to go back the next day and do it again. Once more, I briefly got a shell I was unable to do anything with.

I decided to go to an office of theirs and attempt to see whether I could clone some RFID badges so I could use them to gain access to the customer's facility without having to jump the fence every night. It turns out, the location I cloned badges from was a shared office, and I was unable to tell who or where the cloned badges I obtained came from. In the end, none of them worked at the location I had been given permission to test.

At this point, it was the second-to-last day of the assessment, and I didn’t have everything I wanted. So, I decided to do it again but just keep the laptop and use it to get into the corporate network. This time, I got into a truck and put on a uniform someone left inside. I used this uniform to walk around the property and gain access to more trucks. I figured if I were seen on camera, I would look like a legitimate employee just doing some maintenance or say that if I were somehow found and questioned.

I also knew the laptop would now be reported stolen in the morning, which meant I didn’t have much time to work with, since they could have had a way to shut off access to it. I started taking a forensic clone of the system and decided to take a shower while it was cloning. When I came out, I saw the mouse cursor was moving and closing things! It became a fight for the mouse and keyboard at this time, and I ended up just disconnecting the network connection. I eventually got on the corporate network and gained local admin access on some other systems, which led to domain admin access. With that, I was able to do whatever I wanted on their network and systems.

That was fun.

Interested in learning more about how Rapid7 pen testers conduct their assessments? Check out our 2019 Under the Hoodie report.