Proactive Recon

Sometimes you are in the middle of a recon for a physical assessment and you find a way in, right there on the spot. Do you exploit this vulnerability or just note it for later?

I say go for it.

This was the case a few weeks back. We were performing an on-site recon: we would walk the perimeter and try to go inside the target building and learn as much as we could from atmostpherics and their security measures in place.
After about 40 minutes of roaming inside and outside the building, dressed as business people with a suit and a tie and a cellphone that never left our ears, we thought we had the site main security features, entrances, location of the targets and other details sketched, when I noticed that the service elevator on the far end of the 1st floor had the door open and no one was using it.

A sketch we draw after casing one of our customer's sites. The circles are cameras, the two parallel lines are doors and windows and the labs were our targets. You can see elevators, staircases, hallways and other details.

The main elevators needed a badge to be swiped in order to select the floor. It was the same with the stairs, you needed a badge to open the door to the stairwell. We didn't have one at that moment. We supposed the service elevator was the same, but since the door was open we calmly made our way there, keeping an eye on the security guard that was on the reception desk.
When Z and I reached the elevator, we stepped in and hit the 3rd floor, where the main lab with the server we wanted to target was located.

The doors closed.

A several seconds later we were walking on the 3rd floor. After some walking we found the primary data center that we wanted to hit. The door was locked and you needed a badge and a code to enter. Standard.
We took some pictures of the area, and some of the inside of the server room (via the window to the lab) to have them ready for our planning. The idea was that now that we knew where the target was and what security measures were in place, we could find a way in.

We didn't need to. An engineering came out just as I was finishing emailing the guys the pictures on my phone. Z, in a very casual way, put a foot on the opening to prevent the door from closing. The engineer didn't even give as a 2nd look. If we were there, then we were ok since we had to go through security to get to the floor. He assumed we belonged there. Bad... Never assume.
In any case, First the elevator door open and no one noticing that. Second the engineer not challenging us about an area that was clearly off limits to outsiders and third... He left a console to one of the servers unlocked. No screensaver, no logout, no screen lock, no...

Lucky? Hell yes.

The security of that company, thus far, sucked. And sucked hard.

Needless to say, Z was all over the server and with a little running of a bunch of tools we installed a nice backdoor. We copied some files into a secure USB drive and left after taking a bunch of pictures.

A couple of hours later, the guys in the office were cruising inside the network.

After a couple of days and a very detailed map of the customer's network, their physical security measures (we came back to recon them two more times during the day and night), we prepared a very comprehensive report. They were not happy.
However, the security director was a former military guy that knew how to take this and turn it over.

We will see soon if all this was fixed. Stay tuned.

Notes: Proactive recon... Yes, go for it if you see the oportunity. We could have been caught but, lucky was on our side. If you don't try you won't get it.