Always the weakest link
Sometimes I'm shocked at how easy it is to penetrate a building or a network. People are always the weakest link, and because of this I can count on the fact that they will screw up on something.
In network or application pentests this usually translates to simple things, like leaving a default installation of a web server with port 80 open and all the good stuff that comes with it, not sanitizing the data as it is received by your application or database, or (my favorite) leaving the default passwords unchanged (can you say admin/admin?).
On the physical side, well, there is plenty to choose from. The ones that make me really grin are the underpaid security guards who couldn't give a damn about their post (I see a LOT of those) and the securing of high-value areas with a simple lock on the door. In the case where you have a security guard who is not attentive, it is just a matter of either talking your way past him or picking the right place or time to covertly infiltrate. He (or she) won't notice. In the second case, the locks, people think that they can install a huge door made out of ultra-hardened titanium alloy, with metal bars inside and a simple lock, and that will protect the sensitive area. Well, if you try to attack the door it will, but if you attack the lock instead (the weak link) it won't.
In this project I had, the customer tasked me with trying to exfiltrate data from the company. After several weeks of probing from the outside for any way into their networks (I found some vulnerabilities that were very promising, but I didn't have the time to sit down and figure out the exploits) I decided that I needed a hands-on try inside the building. The customer didn't know I would try this, so I didn't have any letter stating who I was this time. Good luck....
After a couple of days of recon I figured out a way in, and once I was inside the building I discovered the comms room.
That comms room essentially housed all the routers, switches, hubs, security appliances and other networking essentials. Why on earth would you secure it with only a simple lock? No one knows, especially since the rest of the server rooms had proximity card access or a keypad for a PIN to enter.
I worked my way through the lock and, once inside, I grabbed a wireless router, attached it to a hub in one of the consoles and hid it behind a stack of routers.
Here's my Echo inside the comm room.
I worked my way out of the building, unchallenged, and walked across the street to a place I knew the signal would be good. I had an extension antenna on my laptop so I could reach the wireless signal better from a distance.
I connected to it and, to my surprise, their DHCP server didn't require a password or any other account information to get an IP address. I was in their network. Five days later I had enough information about the state of the computers of their CEO, the VP of marketing and other high-value executives to call it a day.
I presented my case, giving them solutions not only for their information security problems but for the physical side as well.
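One defensive check for the failure described above, added here as an example and not part of the original post: DHCP itself cannot authenticate a client (802.1X or switch port security is the real mitigation), so at minimum the lease table should be audited against an asset inventory so that a device nobody registered shows up quickly. The lease lines below are constructed sample data in the dnsmasq leases-file layout, and the approved-MAC set is an assumed inventory export.

```python
# Added example: flag DHCP leases granted to devices missing from the
# asset inventory. Sample data is constructed; the inventory is assumed.
import re
from collections import namedtuple

Lease = namedtuple("Lease", "expiry mac ip hostname")

# Constructed sample leases in dnsmasq format:
# "<expiry-epoch> <mac> <ip> <hostname> <client-id>"
SAMPLE_LEASES = """\
1700003600 00:11:22:33:44:01 10.0.5.21 ceo-laptop 01:00:11:22:33:44:01
1700003600 00:11:22:33:44:02 10.0.5.22 mkt-vp-desktop 01:00:11:22:33:44:02
1700003600 aa:bb:cc:dd:ee:ff 10.0.5.88 WRT-ROUTER *
"""

# Assumed inventory of approved MAC addresses (e.g. exported from a CMDB).
APPROVED_MACS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}

LEASE_RE = re.compile(
    r"^(\d+)\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\S+)\s+(\S+)", re.IGNORECASE
)


def parse_leases(text):
    """Parse dnsmasq-style lease lines; malformed lines are skipped."""
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if m:
            expiry, mac, ip, hostname = m.groups()
            leases.append(Lease(int(expiry), mac.lower(), ip, hostname))
    return leases


def unknown_leases(text, approved):
    """Return leases whose MAC is not in the approved inventory."""
    approved = {m.lower() for m in approved}
    return [lease for lease in parse_leases(text) if lease.mac not in approved]


if __name__ == "__main__":
    for lease in unknown_leases(SAMPLE_LEASES, APPROVED_MACS):
        print(f"UNREGISTERED DEVICE: {lease.ip} {lease.mac} ({lease.hostname})")
```

Run periodically against the live leases file and alert on any output; a MAC that keeps reappearing with a hostname like a consumer router is exactly the rogue access point scenario above.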
Man... always the weakest link.