Let's Get Physical

This thrilling account details a physical penetration tester's "eventful" week of easily breaching a client's corporate buildings. Using a mix of social engineering, tailgating, and surprisingly simple lock bypasses, the team exposed severe security vulnerabilities. The narrative captivates by highlighting the often-overlooked human element in security and the shocking ease with which physical perimeters can be compromised.

Score: 5 · Comments: 0 · Highest rank: #4 · 4h on front page · First seen: Mar 5, 7:00 PM · Last seen: Mar 5, 10:00 PM

The Lowdown

This post recounts a physical penetration test where a tester and their colleague were contracted to assess a company's physical security. Despite the client's multi-building campus with security and cameras, the pentesters found alarmingly little resistance to their infiltration efforts.

  • The objective was to act as a nuisance and test defenses, with the client encouraging the team to discover targets themselves.
  • Equipped with an array of tools including lockpicks and canned air, the author initially found their biggest challenge was finding opportunities to use their skills, as most access was gained through social engineering or sheer lack of vigilance.
  • They successfully tailgated into multiple buildings, bypassed door systems, and even wheeled a locked shredding bin full of sensitive documents out of a building in plain sight.
  • Key discoveries included an unlocked director's office, where they planted a 'listening device' (business card) and found a safe, and access to an archive room with payroll and employee information.
  • On the final day, deliberately attempting to get caught by stealing a flag outside the building, they finally engaged with a security guard who was unaware of the test.
  • The only successful denial of access came from a cleaning lady, who, despite being offered a direct route, refused to open a server room door without proper verification, highlighting her diligence.
  • The 'reveal' to the client's staff, showing them how easily their offices and secure areas had been compromised, underscored the severity of the physical security flaws.

In conclusion, the author emphasizes that while a company's IT security might be robust, physical security often remains the weakest link, vulnerable to social engineering and basic bypass techniques. The experience highlighted the critical importance of human awareness and proper protocols, praising the cleaning lady as the unsung hero who upheld security standards.