You have two types of prospective customers in the world of Red Teams: those that believe they need help and are willing to invest in proper security and testing, and those that believe their security is the best but, since it's required by their oversight, they will hire a security consultant to try to find security vulnerabilities.
The former are easy to work with and easy to convince when it comes to the need to perform different tests, including physical penetration tests, social engineering and other less traditional tests. The latter... Well, those take some convincing to do.
I can present hard data on why their security is lacking but they are too confident that their security is so good that they won't listen. In these cases I have to show them first hand. I usually would ask for permission to try to penetrate their building/network but sometimes...
This particular customer I had to convince authorized me to, and I quote: "try to bypass my security guards, I dare you...".
So I started with the recon and found several possible ways to bypass their elite security guards. The most obvious was the underground parking garage. It had a ramp that allowed the cars to go from the street level to one of the two underground levels reserved for employees or visitor parking. The entrance was guarded by a bored guard that during the recon showed me that he loves to read. The funny thing is that if he really is paying attention to the book he gets tunnel vision and his focus gets narrow as well.
I tested this theory by just walking by his booth several times looking like I was on the phone. He never even looked at me. Then I tried again another day by walking up to the ramp, taking two steps down and going back to the street. Nothing. He was reading.
The day of the test I was dressed in a suit and tie and put on my very important executive face and demeanor. I was ready to go. I began walking towards the ramp, keeping an eye on the guard (not directly looking at him but using my peripheral vision. If you look straight at something, chances are that that something will look back at you. Trust me on this). Just as I was ready to go for the ramp a car came out, so I had to wait for the guard to go back to his book and lose focus on the outside world.
Then, I went for it.
I walked past the guard, trying to remain close to the outside wall and pretending to be on my phone. A minute later I was on the first sub-level. I kept on walking until I found the door to the elevators. You needed a card to open this door so I just waited there, again pretending to be on the phone, just in case someone saw me, and trying to keep away from the camera pointed at the door. About seven minutes later the door opened and three people came out. I let the door go back to being almost closed and then sneaked in.
I took the elevator all the way to the last floor, the CEO's and other C-level execs' offices. I went to the kitchen and set my laptop on the table there. I found 2 open wireless networks and a few minutes later I was part of their network. I did a simple scan and prepared coffee. Then I called the security director. On the phone I said: "How about you come to the kitchen on the last floor, the one by the CEO's office, and I show you how good your security is."
Literally a minute later he was there, mouth open. He saw me there, drinking coffee with my laptop open.
I showed him a map of his network and a little MP3 file I recorded earlier with the CEO on the phone talking to the investors (or something like that). He was in shock.
New project for me!