This One Time on a Pen Test, Halloween Edition: An Ode to Our Favorite Pen Tester Disguises

Pen testers rely on a variety of methods to compromise their clients during penetration testing service engagements, but none are quite as fun as when they must don a disguise to blend in with their surroundings. So, in honor of Halloween, we thought we would celebrate by sharing a few of our Rapid7 pen testers’ costumed crusades. Did they trick employees into doing their bidding, or were they treated to proper security protocols? Read on to find out!


‘The Boy in Blue,’ by Trevor O’Donnal


I’ll never forget the time we were penetrating a police department. We had finished our pillaging and left the building, but once we reached our rendezvous point, we realized our good friend Ross was missing. We tried to reach him on our two-way radios, to no avail.


As we started to panic, in walks Ross in full police uniform, including a police radio! He had to raid the clean laundry in the basement dressing room to get out of the building. We bowed before him because we weren’t worthy.


And yes, this was all in scope. The police chief had said, “Anything goes, short of killing or kidnapping someone.” He had a great laugh about it in the end.


‘Here Are Your Flowers,’ by Robert Stewart


I once did a physical social engineering engagement where I didn’t see a clear path into the customer’s office space. The receptionist was behind a locked door and used a remote speaker to talk to guests and let them in. All of the other doors into the office could only be accessed by a badge, and my attempt at cloning badge ..
