We needed to access the server room of a security company. The target was one specific server that was not accessible via the internet or their internal network. It was well protected by an air-gap and really tight access controls.
We decided to go at it by hand: break our way into the building, find the server room and mannually disable the server as a way of saying "we were here".
Entering the building was complicated but after several days of recon we managed to come up with a plan that worked.
Once we were inside the building we began looking for the server room. We didn't have much time, people could challenge what we were doing at any moment and while we had a cover story, it would not hold for long, especially since we didn't have time to fake the ID cards or the visitor badges.
At the end, it was a cleaning person that pointed us to the server room. Once we arrived there, we noticed two things: there was a camera on top of the entrance (and we knew that all cameras were being monitored) and the serve room had a commond lock on the door, no ID card reader or keypad.
Yes... These people invested in top of the line security but they had a simple lock on the server room.
After looking a the camera housing we realized the camera moved 180 degrees and could monitor any point from the left to the right and in front, but not directly under it. Huh....
J and I waited until the camera was facing left (we came from the right) and I sprinted to the door, and stood under the camera. J waited. Then it was his turn. He did the same. We were no both under the camera and by the server room's door.
From there it was easy to pick he lock of the door. It was too easy, but no one seems to be on our tails, so we worked the lock.
It took J under a minute to pick the lock. We opened the door and we walk right into the server room. The noise was deafening and of course it was cold. There were many racks of servers, each one with a label containing the IP address and the server name.
After 5 minutes we found the server.
We took a bunch of pictures and disconnected the netork cable from the back of the server. Then we walked back to the door.
As we opened the door, 5 security guards jumped on top of us. In between the screams and punches I managed to scream that I had an ID on my jacket pocket. The ID was a letter fromt he security director of the company stating who we were and the assessent we were conducting. They took the letter but they remained on top of us while this was being verified.
About 30 minutes later, the directory of security walked into the server room. We were still sitting on the floor with the security guards keeping an eye on us. He was smiling.
Well, sometimes you win and sometimes they beat you at your own game. We forget Rule 66:
"If you think it was too easy, it was a trap. Look for jumping guards coming from the sides."
We learned our lesson.