Each year, Rapid7 penetration testers complete hundreds of internally and externally based penetration testing service engagements. This post is part of an ongoing series featuring testimonials of what goes on beneath the hoodie. For more insights, check out our 2019 Under the Hoodie report.
On a physical social engineering engagement for a bank, the customer was more concerned with staff security awareness than with physical vulnerabilities. They wanted creative pretexts, or ruses, to test whether we could talk our way in.
One of the ideas we came up with was to show up as a pizza delivery guy to see whether that could get us in. We ran the idea by the customer, and they were cool with it.
We went online and bought a hat, a shirt, a thermal pizza bag and, of course, the pizza. We nearly walked into the pizza place still wearing the gear, but changed at the last minute in the parking lot.
With the customer’s prior written consent, we registered a lookalike domain resembling the customer’s own and drafted fake email correspondence between human resources personnel and employees we had identified on LinkedIn. The emails described how someone from the pizza company would be coming in to sell pizza by the slice.
When we showed up onsite, we told reception we were there to sell pizza and asked where the common area was. She was confused and wasn’t going to let me in. However, because her badge displayed her first and last name, I was able to guess her email address and send her the fake email ..
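The guess above works because most organizations use one predictable email naming convention, which an attacker can learn from a handful of addresses found on LinkedIn, in mailing-list archives or in document metadata, and then apply to any name read off a badge. The script below is an added illustration of that step and is not part of the original post or Rapid7’s tooling; the domain, the people and the harvested addresses are constructed sample data, and the list of conventions is a common-but-not-exhaustive set. It goes slightly beyond the story by handling the case where the known samples fit more than one convention, which is why a real engagement collects several.

```python
import re
from typing import Callable, Dict, List, Tuple

# Common corporate local-part conventions, each mapping (first, last) -> local part.
# This list is an assumption for the example; real organizations use others too.
CONVENTIONS: Dict[str, Callable[[str, str], str]] = {
    "first.last": lambda f, l: f"{f}.{l}",
    "firstlast":  lambda f, l: f"{f}{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "f.last":     lambda f, l: f"{f[0]}.{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "lastf":      lambda f, l: f"{l}{f[0]}",
    "first":      lambda f, l: f,
}


def _normalize(name: str) -> str:
    """Lower-case a name and drop anything that is not a-z (apostrophes, hyphens, spaces)."""
    return re.sub(r"[^a-z]", "", name.lower())


def infer_conventions(known: List[Tuple[str, str, str]]) -> List[str]:
    """Return every convention label consistent with all (first, last, email) samples.

    More than one label means the samples are ambiguous and more should be harvested;
    an empty list means none of the known conventions fits.
    """
    if not known:
        return []
    matches = []
    for label, fmt in CONVENTIONS.items():
        if all(
            email.split("@", 1)[0].lower() == fmt(_normalize(first), _normalize(last))
            for first, last, email in known
        ):
            matches.append(label)
    return matches


def candidate_emails(first: str, last: str, domain: str,
                     conventions: List[str] = None) -> List[str]:
    """Build candidate addresses for a name read off a badge.

    If the convention has already been inferred, only those candidates are returned;
    otherwise every convention is tried, most common first.
    """
    f, l = _normalize(first), _normalize(last)
    labels = conventions or list(CONVENTIONS)
    return [f"{CONVENTIONS[label](f, l)}@{domain}" for label in labels]


if __name__ == "__main__":
    # Constructed sample data: addresses an attacker might have harvested from public sources.
    harvested = [
        ("Jane", "Doe", "jane.doe@example-bank.com"),
        ("Bob", "O'Neil", "bob.oneil@example-bank.com"),
    ]
    found = infer_conventions(harvested)
    print("convention(s) consistent with samples:", found)
    # Name read from the receptionist's badge (constructed).
    print("targets:", candidate_emails("Mary", "Smith", "example-bank.com", found))
```

Two points for the defensive side follow directly from this: a badge that shows only a first name (or a photo and an ID number) denies the attacker the last piece of the pattern, and monitoring for newly registered lookalike domains catches the sender side of the same ruse.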