Let's Get Physical
This week has been… eventful. And when I say eventful, I can say this has been the funniest pentest I have ever been on in my life. Let me tell you about it!
The setup
A company contracted us for a series of pentests, the whole enchilada. Internal, external, phishing, and… physical. They have several buildings, with employees and security and cameras and shit, which means that the buildings were secured. There are a few hundred employees, apparently, but the fact is that we had one week on-site for three of the tests: Social engineering, physical, and the internal penetration test. I will not discuss the internal side of it, but I want to focus on all the new and shiny stuff I got to try out!
The goal
The goal is simple: Be a nuisance. Imitate an attacker, test defenses, and see if guards respond when they see us on their CCTV systems. When we asked about details to find the end targets, we were told to “get it ourselves.” This is fair, although for a test that is 5 days on-site, I guess we could have discussed it a little more. At the very least, we got the lay of the land and a few tips on what is in each building.
At the start of the first day, we got our visitor badges and checked in. Some issues there with the process, but that is a tiny problem compared to what went on later. We got escorted by our point of contact into a meeting room. In my bag, I had the following tools:
- Lockpicks
- Screwdrivers
- Can of compressed air (big thanks to Deviant Ollam)
- Traveller hooks (made from knitting needles)
- Some other knickknacks (plastic card, tool duplicates, jigglers)
- A toolbox (to fit in with the working man)
I wanted to be prepared for anything, as this was my first physical test. What I did not expect is to have to look for opportunities to use the tools and prove it was doable, because apparently, I am a fucking ninja. Alternatively, no one gives a shit, but which of the options is funnier to imagine?
The last thing I took with me on this gig was something special. The blessing of the one and only Tinker Secor.
Fuck yeah!!! Get it!!!
– Tinker Secor
This alone gave me the courage to pull off all the crazy shenanigans you’ll read below. Along the way, I received many a hint from Tinker, and the result was destructive. Tinker is not human. Tinker is a state of mind.
The plan
My colleague and I had a plan for anything. Day 1, we walked around the campus, looked for cameras, checked out every corner, noted interesting entrances, exits, card readers, and everything. Then we picked up our badges, a card that would “only let us enter the meeting room,” and were left alone with our thoughts. The plan was to find any interesting documents, get into the director’s office and plant “listening devices” (read: business cards) in meeting rooms. Gucci, we’re on. Time to do recon.
We had our authorization letters ready, of course, and hid our visitor badges to make it more sporty. An attacker would not get one, unless they wanted to go through reception. I thought we would get found out, or at least challenged, but over the course of the first day, no one paid us any attention. Not one person went and asked us if we were lost. We blended in almost too well. It was time to up the ante.
The other building
I felt that the first building may have “accepted us” being there, so it was time to infiltrate another building. We tailgated into a smaller, new building. The door was equipped with a tablet to call and request door opens from employees, but what good is it if I can just waltz in? We fully wanted to get caught, but not even waving at every camera I saw was enough to get a guard in our vicinity. We went on, checking out printing nooks, shredder output, testing door locks, etc. No picks yet; only if there was an open door would we get in, take pics, get out. Quick and easy.
During this part, I actually barged into an office that had a woman working there. She did not even seem that surprised, she just asked who I was looking for. I asked for a name I saw a few floors ago, and she sent me on my way. No badge check, no “are you accompanied” or anything. Just a “oh, yeah, he’s around” and a goodbye. Not good for them, hard to fix, but not that much. That showed me what I suspected: People just don’t care. And if they do, they don’t want to be the evil evil suspicious type. Paranoia is bad, checking someone out is not socially acceptable.
To end the run in this building, we decided to go all in. Balls deep, as one would say. Next to the reception, there was a shredding bin, the kind you put paper into, it’s locked with a normal lock, and every month, a company comes, picks up the paper and burns it at a central location. The bins are meant to prevent dumpster-diving… but thanks to a generally shitty lock, the fact of the matter is that you can just turn the safest drop-off point into a single point of failure. Oh, and did I mention the bins have wheels?
The heist
The heist itself went smoother than I expected: After walking around under cameras for around 20 minutes, we just stood at the reception next to the bin. After being near it for a few minutes, we just grabbed it and walked it out. Doors opened, no one screamed, and in a few seconds, we were home free. If we were thieves, we could have had that bin open in a few minutes and then left it where we found it. This is a proof-of-concept, though, so after I took a picture in front of the building, we just drove it back in. Luckily, it was lunchtime, so some employees just badged us in. Next thing we knew, the bin was back and no one was any the wiser.
I wanted to try and see if we could bypass the door entirely, and that’s where the canned air comes in. If you turn a can of compressed air upside down, it starts “boiling off cold gases.” These are not harmful in open spaces, and their temperature is well below freezing point even when gaseous. This can trigger a sensor that checks for temperature increases: First it sees a drop to -50 °C, thinks “Baby, it’s cold outside.” Then, the temperature starts rising again, and the sensor thinks “Oh, temperature going up?! Must be a human!” and opens the door. If this works, I will update my Mastodon. If it doesn’t, well, I can still walk in after someone, so it’s a finding nonetheless.
Little did I know this was just the tip of the iceberg.
The Thursday
On Thursday, we decided it was time to go even further. We had prowled the grounds for days by now, and we never met the security guards. Did not see them, no indication that anyone was behind the cameras. Were they fake? They told us there were no fake cameras, but no one stopped us? Seriously?
We got to the office, got our coffee, and got to work being a nuisance. A little menace. Some war crimes, nothing major. At around 10, we went for the shredding bin in the main building. It was in a high-traffic area, but hey, no one had stopped us yet! I’m not picking a lock in the hall, so we grabbed it and wheeled it to our “headquarters,” in full view of all cameras on the way. This was the day after we took a bin outside; we expected them to be on the lookout! Someone must have snitched, right?
Apparently not. The beauty of this shredding bin is that it’s locked. You can think of it as a one-way bin: You put stuff in and the company can get in it to burn it. No one else gets in there. Well, the lock on the lid is shitty enough to be picked by yours truly. It took a grand total of 20 seconds, with the first pick being the wrong way. I had the feeling that you can’t go wrong there, but hey, it wasn’t hard. What we found was incredible. There were documents that should have been shredded by a Level-4 shredder. Payroll, employee information, everything you could ever want for blackmail, phishing, etc.
When we got bored with going through the trash (cleaner than dumpster diving), we started thinking about how to push it. The last two points we went for were the archive and the reception desk. The reception was behind glass, a tall desk, and it seemed inaccessible. Or it would have been, if the door around the corner had been locked. There were locks, but the best lock in the world is worth fuck-all if you don’t use it! We nicked some visitor badges and a few knickknacks, but no money or anything valuable. We are not there to steal, we are there to prove that it could be done. And I believe we did that quite well.
The last goal was to pop the high-value target: The boss. The big cheese. The director. Our plan was simple: The office was at the end of the corridor, behind a glass door, and it was a hefty, tight keyway (we saw it the day before). My buddy went to provide cover and give us a reason to be there: He knelt by a door, opened the glass door and pretended to be fixing something.
“You go for the door, I’ll cough if someone comes. You have time, no worries.”
This was by far the tensest moment. If anyone was in, we were in a lot of trouble. The director would not take kindly to being invaded, and he was not made aware of the test. We would be caught red-handed and thoroughly fucked. This is where the second stroke of luck showed up: When I came up to the door and started putting my bent wire in between the door and the frame, I felt the door move. When I looked up, I noticed it was not flush with the frame. It could not be, right? Not this easy, I thought. I pulled…
And the door opened. I hissed at my buddy and his jaw dropped. To me, I found an open door and opened it. To him (from what he told me), I picked a lock in 5 seconds flat. It was unlike anything I had done in my life. Exhilarating, the adrenaline rush was incredible. We peeked inside the empty office and entered. The office was huge, around 12 meters across. We walked around a desk and left a business card in his drawer. In addition to photos and videos, we took one business card of his and kept it. When my buddy opened a cupboard, we found the jackpot: A safe. A good ol’ combination safe. I had manipulated a safe lock before, but we did not have time. It was time to leave. We documented the fact it was there, and left.
When going out, we met a photographer waiting at the front entrance, outside. We did not let him in. He seemed extremely disappointed and left.
Getting caught
This part has been so much fun for me, trying to blend in (I don’t blend in well and didn’t take any office clothing with me), but somehow, being confident just works. For the last day, we decided on one goal: Get caught. To do that, we had to combine three factors: Be on camera, misdress (do not wear the correct things for a job) and do something so dumb that no one in the world could say it’s a valid action. After a long deliberation, I remembered a famous actor who talked about boy scouts. What is the worst thing you can do to boy scouts?
Steal their flag. In full view of cameras and in front of the building. To up the stakes, we also parked sideways in a spot that was strictly no parking. We got out, came up to the flag pole, and lowered the city flag. The moment we unclasped it and made our way back to the car, a man came running towards us. He seemed angry and ready to unleash a whole can of ass whoopin’ on us. When I saw him coming, I just asked “Are you the security guard?” and then shook his hand. He must have been taken aback by that, but read the letter, called our contact and all was well. I kind of tensed up when he listened to the phone, eyed me suspiciously and then went
“Should I shoot them now or later?”
Turns out he did not know about us, but he did not take our intrusion as a threat, quite the opposite: We had a very productive conversation about the state of their security and his complaints; he knew he could confide in us, and I thank him for it. We found the symptoms, but he explained the decisions behind them. If you ever find yourselves on a physical, talking to the security staff when all is done is your best bet to learn what the background issue is.
After we explained what we were there to do, I went over to the other building, and my goal was simple: Get into the server room. I waltzed in like I owned the place, tailgating as usual (it was the ol’ faithful at this point) and went straight for the door. Upping the stakes once again, I got my picks in hand, stood by the door and tried to pick the lock. People walked past, no one paid me any mind, even though I was obviously unaccompanied, not wearing a badge (visitor’s or otherwise) and I was making quite a bit of noise.
After 10 minutes of unsuccessful picking (I am shit at this), I thought I could get someone to open the door for me. The cleaning lady had keys, so she was the prime target. I walked up to her, pretending to be a contractor, and explained that my “colleagues” from IT did not give me a key, but they knew I was supposed to be there and that all was well. The lady told me that her key was unlikely to work, but being helpful, she tried it. It worked. The lock moved! I was in! She turned the key about 90 degrees, then stopped, and I saw her thinking… Shit.
“I have to check with the security team, the door could be alarmed and I could lose my job this way!”
God fucking damnit! I was so close! Just a half-turn more and I would have been in! I tried several tricks to convince her to open the door. I bargained: “Hey, I’m here, obviously I belong here,” I tried making fun of the situation: “I am hourly, so I don’t mind, if you want to waste your and my time, go right ahead.” Nothing worked. The cleaning lady went out, called the guy who caught me 20 minutes earlier, and when she came back, she just said “He said he has to verify you and not to let you in. Sorry.”
It was hard not to hug her right away. She stopped me, professionally, courteously, not panicking. She smiled, felt bad about not being able to help me, but her dedication to her work was stronger. She was the only one who denied me anything during our 4-day test! I hung my head and started to walk away, but then I thought: “The test is over, she deserves the pat on the back.” I explained to her what she had just done: saved the company from compromise, and that she did it perfectly. She started smiling, I asked for her name, and that was that.
People, never mistreat cleaning ladies. They are the ones holding your company afloat. When all else fails, they have the biggest responsibility (keys to everything), so it’s best not to piss them off!
In closing
The report is in writing, but my mind is racing with all the excitement. I wonder if the same tricks work for other industries, but here, there is so much room for improvement. It’s shit now, but with a good report and some buy-in from management, this can all be remedied.
It was an amazing week. If you need someone to break into your company, let me know. I am looking forward to the next one.
Addendum: The reactions
NOTE: I just remembered this part of the test after publishing it.
On the last day, we were scheduled to give a final report, and wanted to walk our point of contact around. What we did was not magic, but we did place business cards in places where we broke in: The boss’ office, the archive, and several other places. They were not our business cards, but those of our colleague, so it would be an awkward conversation to have.
Moshi moshi, colleague desu~!
Hi, I have your business card here, how did it get into the archive room?!
… What?
A cleanup was needed, and what better time to do it than with the guy who hired us! We went to the archive first. I picked up one of the business cards and told the client the other card was in the office under a flower pot. We walked in on three ladies working, explained and told them it was a security test. Their reaction stunned me:
Why weren’t we informed?
Before I could say anything, the client said “Only 5 people in the entire corporation knew about this. That’s the magic, the boss didn’t even know!” That made me kind of happy. It was a real secret mission with the goal being to lie, cheat, steal, kill. The hitman life I always dreamed about, and legal? Sign me up for more!
The next point was the boss’ office. To my chagrin, the exchange with his secretary was more than worth it:
Contact: “Hi, is the CEO in?”
Secretary: “No, he’s gone for the weekend. How can I help?”
Me: “I just need to get into his office for a second, could you accompany us there?”
Secretary: “Oh, anyone could just say that! People can’t just wander in there, you know!”
This made me giggle and I just moved towards the CEO’s door. The elderly lady followed, and when I opened her boss’ drawer, there it was. The crisp logo of our company. Her eyes widened for a second, but then she turned toward our contact:
Oh you, did the CEO know about this? That’s all you IT guys, always pulling pranks. What did this prove?
It proved that this building needs better security.
It was glorious.
The last point was to hand in our visitor badges, which was more of the same. I walked up, the receptionist greeted me, and I pulled a stack of visitor badges out of my pocket.
Here, I want to return these, I borrowed them yesterday.
HOW THE HELL DID YOU GET THEM?!
This is the magic reveal that made it all worth it. It made me feel like I actually knew something. Sure, I could have left, but aftercare is important. I needed closure and I needed to make sure the whole pentest was explained on my terms. Even though my contact seemed like an upstanding guy, I cannot tell if he would put the affected people at ease or let them wallow in the fact that their security was breached. I can make sure there were no hard feelings and that they did not feel at fault for being victims of a specific attack.
Overall, I can’t wait for another one of these. This is too much fun, and it seems like it is an often overlooked part of a pentest. Their IT security was top notch, I didn’t make a dent, but the physical security was where all of it could fall apart.
I want to thank Tinker and Deviant again for sharing this post, I never expected this to get this much recognition! The next one will be even more detailed, better, and hopefully I get caught before I get to all my targets! It’s cool to be a burglar and do cool stuff, but getting caught puts me more at ease as a civilian, since that proves something is actually secure.