On this particular project my team and I were tasked getting access to the VP of marketing's laptop. Part of the team began tailing the VP so we have an idea of what his daily routines were. The other part of the team began checking the company's network in order to try to penetrate it and find our way to the VP's laptop from there. As a last resort we would try a physical penetration of the building so we could get to the laptop.
After over a week we didn't have anything concrete on the digital pentest side, they were fairly secure. We could eventually find a vulnerability that may be exploited but we were under a very tight timeframe for the project. We were considering the physical pentest when J. called me from the field and told me that he discovered the VP has an unsecured Bluetooth connection on his laptop.
Whenever we tail a target we scan his computer whenever we can, in this case he was connected to a wireless network at the local coffee place. He sat there for half an hour, giving us enough time to scan his computer for open ports, apps, etc. We also tested his bluetooth since a lot can be done with this. J. discovered, using a custom scanner we wrote, that you could connect to the computer via bluetooth.
The VP's computer had installed a mobile phone sync software that included a very small and simple FTP service that can be used via bluetooth. Tough luck, it has the default password.
We connected to it the next morning at the coffee place. We downloaded several interesting files and left there a small calling card: a text file saying "we were here".