Another physical pentest

A few months ago I had to perform a physical penetration test in which I was tasked with trying to infiltrate the building of my customer, find the CEO or any other high-ranking executive's laptop and make a copy of the hard drive.

I performed my recon for 2 weeks. The building had cameras everywhere so I had to be careful where I was walking, I wasn't sure whether the security personnel was monitoring the cameras or whether they can recognize me as someone that wasn't an employee but I didn't want to set any alarms if I could avoid it.

The big problem was that in order to avoid the cameras I needed to take the elevator. The stairs were a no go, cameras everywhere, but the elevator had a possible bling spot (which I discovered on a recon walk when I went into the building pretending to be a UPS guy). However, in order to take the elevator I needed to call it first. I couldn’t do this because I needed a company access card to enable the calling button. So I waited. A few minutes later someone walked out of one of the elevator. I pretended to be on the phone. As the door was closing I walked right into the elevator.

I reached the last floor, found the CEO’s executive assistant office and after some time waiting for her to leave I managed to connect a portable WiFi access point to a wall Ethernet plug on a room next to hers, surprisingly the Ethernet plug was hot (is was enabled). I was dressed in a suit and tie, so if anyone asked I was waiting for an interview with whoever. I hid the access point and after a hour or so I managed to find the CEO’s laptop on the network, it was called TheNameOfTheCEO-Laptop. Unfortunately for him he had the stupid NULL session enabled (lack of basic security hardening) and not personal firewall enabled and that was my way in. I had his laptop. I copied his home directory, email database and calendar. I also left a small text file called wewerehere.txt on his Desktop directory. That small file stated who I was and what I did and to contact the IT security manager.

I met later the same day without he manager and gave him the portable disk I used to copy all that info. I also gave him a quick solution on how to secure the CEO's computer and other important laptops until I could write a proper report and provide in-depth technical solutions.

I took a lot of pictures to document everything I did, however I cannot publish any of those, like I usually do, because of the NDA I had to sign with my customer.


I can’t stress this enough, do not do this for fun! It is illegal.

It takes years to learn this, moreover it takes longer to be able to do a proper pentest without causing any harm to your target's networks, security devices, etc. This is rule number 1 on pentests.

Big, expensive, digital lock defeated by an old credit card and a spring.

The AA