A few months ago we had a very interesting physical assessment of the offices of a new customer. The security director wanted to know the current state of their physical security and how aware their employees were of threats.
This is a small startup company, but doing very interesting work in the security field themselves.
The director told us: you can do whatever you want and exploit any and all vulnerabilities you find. Just let me know immediately.
The time frame was set to 2 days. So we set to work.
The first day was used for a quick onsite recon. I went into the building where the customer's offices were located, while JD scouted the perimeter.
The main entrance was guarded only by a keycard reader and a locked door. So, I waited on the phone for a few minutes until a person working in the building came in and opened the door. I walked right after him, still on the phone. He never challenged me or asked me not to tailgate.
In the meantime, JD found that the back entrance was guarded only by a very shiny but easy to pick padlock. It had a nice sign saying
"Restricted Area. No Unauthorized Personnel Beyond This Point".
OK... JD found the sign to be an actual invitation in, so... He picked the lock and he was in. He called me on the phone to give me the sitrep. We both had Bluetooth headsets so we could keep our hands free. I told him that I was in too via the front door. We agreed to meet on our customer's floor. He took the stairs, since he wanted to check for cameras or other security features. I took the elevator. I was hoping someone would challenge me to show a badge or ID card. NOP.
A few minutes later we found ourselves on the same floor facing not only our customer's office, but also the offices of the rest of the companies on that floor (3 in total).
Our customer has a card reader on the entrance so we couldn't just walk in. Again, we waited on the phone... The trick never gets old and it always works. The same with the cigarette break: just wait with a cigarette in your hand by the area outside the building where everyone smokes, take a few puffs and when someone walks back in tell him you forgot the ID card. Chances are he or she will let you in.
We waited there for more than 10 min, no one challenged us or asked us what we were doing. Granted, we were dressed in suits and ties, still...
Then, a person came out of our customer's office. While I was on the phone I told him: "please hold the door one sec..."
He did... And we were in.
We walked right into the security director's office. He looked at us and smiled. He said: "Great. Now we can start the project."
He is one of the rare customers that actually gets it and is not ashamed of asking questions, working hard to fix the problems and is willing to test the security all the way.
So... A two day project was done in less than one hour. Why? People are not trained to challenge strangers. People don't really care. People are usually the weak link.
On top of that, a very vulnerable place, the back door, was not secured properly.
Overall it was a fun one hour and we now begin working with the director in order to make their overall security better and tighter. That's what a good Red Team exercise must achieve.