Access Log 001: The Rooftop


"This wasn't just a break-in, it was a walk-in. The facility's perimeter didn't start at the badge reader. It started on the sidewalk outside, at the roofline, and in the areas no one was watching anymore."

Now, gather 'round children, for it is story time.

Assessment Background

There are a lot of resources out there when it comes to OSINT, and sometimes you find a lot more than just street views, access control brands, delivery drop locations, or maintenance vulnerabilities. Sometimes you find the blueprints for the whole building. In this case, a full-on virtual walkthrough and floor plan were posted directly to the property management website. I mean the works: click-and-pan views, labeled doors, floor numbers, access points, even approximate ceiling heights.

Why is that helpful? Because when you know where every fire escape, hallway, and stairwell lands, you can locate a few catalysts for compromise, and that's exactly what we did.

Our team had been tasked with testing the overall security awareness of the site, physical and electronic access controls, internal and wireless networks, and basically anything we could get our hands on. We had already spent a couple of days doing some badge skimming while hanging out like locals near the strip of food markets and cafes across from the target facility. Employees and contractors rolled in each morning to grab coffee or hit the nearby deli for lunch, almost all of them wearing low-frequency HID badges around their necks or clipped to their belts. It's an old trick and a familiar scene. You see it in everything from Mr. Robot to real-world pen test footage, a pseudo-BOS-cloner tucked in a laptop bag, quietly gobbling up badge data while you make small talk or fake a phone call. It is an oldie, but still effective.

While posted up during one of these sessions, we also noticed they were using a DoorKing access control panel with a keypad mounted next to one of the main entry doors. Curious, we took a closer look and did some digging. Sure enough, they were still using the default administrator PIN. That little nugget would pay off later, allowing us to log directly into the panel, deactivate access control to a set of externally facing doors, and walk right in like we owned the place. No alarms. No cameras. No lockpicking or fancy gadgets.

We should mention something else. This wasn't just any building. It was a federal facility transitioning into a SCIF (Sensitive Compartmented Information Facility). That alone raised the stakes. It meant stricter controls were incoming, but they weren't in place yet. A perfect window of opportunity for a red team operation, and the acquisition was public information.

On-site Red Team Assessment

After wrapping our initial recon, we turned our attention to the building's layout and rooftop access. Thanks to the floorplans, we identified a likely path, an exterior fire escape ladder that connected the target building to a hotel next door, separated only by a narrow gap. If we could get a room on the adjacent floor of that hotel, we'd simply be able to step out onto the rooftop.

Austin, a member of our team, volunteered to work his magic with the hotel staff. While Brent and I loitered casually nearby, Austin went inside to chat with the desk clerk.

"Excuse me, but would it be possible to change my room?" Austin said, setting his bag beside him.

"Is there something wrong with your current one?" the attendant asked, a little concerned.

"No, it is just we were hoping to get the same room we have gotten the last couple of times we have stayed here. It is kind of a special thing."

The attendant was more than happy to switch the room to one that was exactly overlooking a small drop onto the target facility roof.

Once inside the hotel room, we began running our wireless tools, because the room also conveniently gave our 15 dBi antenna more than enough range to begin attacking the target access points. This is also important to note: make sure that you have a list of APs when performing wireless tests. Do not just roll into an assessment with your ALFA antennas and start blasting Wifite.

We waited until nightfall and, as we let our tools run, Brent and I got to work on the window and were able to open it without damaging the hotel or doing anything outside of its intended purpose as a window.

Climbing onto the roof to a poorly secured stairwell from an adjacent building.

It is important to note that when performing any sort of night operations, do not wear a bunch of shady shit. This means leave the ski masks and black hoodies at home. In this situation, we were all able to safely "parkour" our way on top of the roof wearing dark-colored slacks, polo shirts, light jackets, etc., like anyone who might be working after hours could have on. We also had fake badges that we had forged, printed, and cloned with the skimmed credentials from earlier around our necks.

As we made our way to the stairwell door, I started to remove my Covert Companion and Brent stopped me and laughed.

"Dude. Look."

The door had a thumb turner on the exterior side.

It was later revealed to us that the client had intended to prevent people from getting onto the roof at all, had removed the rusty fire escape, and basically pretended the roof did not exist. Unfortunately, they had not considered the adjacent hotel's access to their rooftop.

Brent began scanning for sensors on the door to avoid triggering any alarms. There were none. We would later discover they had been deactivated by the last tenant and never reactivated. This door had pretty much been forgotten. We also weren't concerned about any active alarms inside the building at this time. We had learned the schedule of the cleaning crew and knew they disabled the alarms while working.

I removed a USB snake camera from my bag, just to get a good look on the other side of the door before we decided to open it. Using an old mobile device we keep in our bag, the snake cam easily fit under the door. Nothing but the glowing exit sign and door handle. A good old concrete stairwell.

We opened the door and made our way to the target floors, where a number of cubicles, conference rooms, and the C-Suite resided. We were able to pick the locks to several filing cabinets and executive desks, and found a large number of employee IDs and proximity badges that were either scheduled for deletion, or were for new hires and updated badges for current employees. The awesome thing was that the PIN number for the new badges was written on small Post-It notes and stuck to each badge. We looked through the stack and found badges where the employee photo could resemble each of us, and took them to use throughout the rest of the assessment.

We then continued our hunt for more sensitive stuff by latch slipping the door into the Records offices. In addition to this, we found the server room. Nice. We plugged in our laptops and began some high-level enumeration, discovering an outdated ESXi server and grabbing a few account password hashes. There was also a box with some hard drives that were scheduled for data destruction.

After we walked the floors for a couple of hours, gathering artifacts for our findings and planting rogue devices and keyloggers, we found that we were also able to access the suite using the old canned air attack against the REX PIR sensors for the entrance doors just outside of the elevators. This is a technique that we started using years ago, and it still works. There were cameras, but they fed to the receptionist desks, which we gained access to along with their security system and cameras, and we took a selfie from the control room.

After we wrapped up, we made sure that our rogue wireless access point was accessible via the hotel room, and we spent the night watching Old Gregg and hacking away on their production network. It is important to note that any rogue wireless devices that you plug into a target network could potentially open holes to other attackers, so make sure that your devices are hardened as well, and remind the client of how this was accomplished. Another successful night of turning overlooked access into complete compromise.

Baseline Security Issues

This operation is a case study in how overlooked architecture, neglected access points, and poor asset handling can dismantle even the best-intended security plans. The weaknesses here were not hidden. They were simply ignored, from rooftop access and deactivated alarms to cloned badges, default credentials, and aging infrastructure that still had a foothold inside the environment.

Unsecured Rooftop Access

The stairwell door leading to the rooftop was equipped with a thumb-turn deadbolt on the exterior, which could be easily bypassed by anyone on the roof. Worse, the door had no functioning alarms or sensors, a leftover from a prior tenant that had been deactivated and forgotten.

Lack of Physical Alarm Monitoring

No motion or contact sensors were present or operational at critical entry points, including the stairwell and executive suite doors, allowing us to move freely without triggering alerts.

Insecure Badge Protocols

Employees routinely wore low-frequency HID badges in public, allowing for quick, passive badge cloning during coffee and lunch breaks nearby. These badges offered single-factor access to sensitive internal areas.

Default Credentials on Access Control Systems

The DoorKing panel used for badge readers retained its default administrator code, allowing us to log in and deactivate badge access entirely, effectively disabling their physical security barrier without alerting anyone.

Failure to Enforce Clean Desk or Asset Disposal Policies

Executive offices and cubicles contained unlocked cabinets and unencrypted hard drives marked for destruction, as well as sensitive documents stored in open or poorly secured desks.

Vulnerable Wiring Closet and Outdated Infrastructure

The wiring closet was accessible via basic lockpicking and contained an old, unmonitored ESXi server and loose drives, highlighting how poorly managed infrastructure creates unguarded digital entry points.

Unauthorized Remote Access Opportunities

From the hotel next door, we were able to scan wireless networks and deploy attacks via directional antennas, revealing a lack of wireless network hardening or geographic containment.

Misconfigured Access Controls

We were able to exit or gain access to secure suites by using canned air to trip REX PIR sensors, exposing a commonly misconfigured and overlooked vulnerability. This disengaged the lock by tricking the sensor into tripping via motion and temperature variation. We first presented this in 2015, and it is still an issue across several industries.
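One way a defender could surface this kind of REX abuse from door controller events, shown as an added example that is not part of the original write-up: a request-to-exit unlock is only expected when someone has badged into the suite, so a REX unlock against an empty suite is worth an alert. The log format, event names, door name, and sample events are all constructed assumptions, and tailgating will skew the occupancy count in practice.

```python
from datetime import datetime

# Constructed sample events: "<ISO timestamp> <door> <event>" (assumed format).
SAMPLE_EVENTS = """\
2024-03-04T08:58:10 SUITE-4A BADGE_IN
2024-03-04T08:58:12 SUITE-4A DOOR_OPEN
2024-03-04T12:01:44 SUITE-4A REX_UNLOCK
2024-03-04T12:01:46 SUITE-4A DOOR_OPEN
2024-03-04T23:40:02 SUITE-4A REX_UNLOCK
2024-03-04T23:40:05 SUITE-4A DOOR_OPEN
2024-03-05T09:02:31 SUITE-4A BADGE_IN
2024-03-05T09:10:00 SUITE-4A REX_UNLOCK
"""


def find_suspect_rex(log_text, window_s=10):
    """Return (timestamp, door) for REX unlocks on a suite believed empty."""
    occupancy = {}  # door -> people believed to be inside
    pending = {}    # door -> time of a plausible REX unlock awaiting a door open
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_raw, door, event = line.split()
        ts = datetime.fromisoformat(ts_raw)
        inside = occupancy.get(door, 0)
        if event == "BADGE_IN":
            occupancy[door] = inside + 1
        elif event == "REX_UNLOCK":
            if inside == 0:
                # Nobody badged in, yet the exit sensor fired from the secure side.
                alerts.append((ts_raw, door))
            else:
                pending[door] = ts
        elif event == "DOOR_OPEN":
            rex_time = pending.pop(door, None)
            # A door open shortly after a plausible REX counts as one person leaving.
            if rex_time is not None and (ts - rex_time).total_seconds() <= window_s:
                occupancy[door] = inside - 1
    return alerts


if __name__ == "__main__":
    for ts, door in find_suspect_rex(SAMPLE_EVENTS):
        print(f"ALERT: REX unlock on {door} at {ts} with no one badged in")
```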

Conclusion

What made this assessment work was not one big failure, it was how many separate problems were allowed to exist without anyone thinking about how they could be chained together. The rooftop was not supposed to matter. The hotel was not supposed to matter. The forgotten stairwell, the default code, the cloned badges, the bad alarm coverage, the exposed records office, and the outdated server were all treated like separate issues, if they were considered at all. But that is the point. Real compromise rarely happens because of one dramatic mistake. It happens because enough small ones line up in the right order, and once they do, getting in starts to look less like a break-in and more like business as usual. And that is what these access logs are really about. Not the flashy moment someone gets inside, but all the little things that made it possible long before anyone noticed. This one started on a rooftop. The next one will start where no one thinks to look.

About the Authors

Tim Roberts

Tim (BYT3BOY) is an industry leader in covert entry and a Sr. Principal Security Consultant with Dark Wolf, bringing over twenty years of experience in physical compromise operations, advanced social engineering, and full-spectrum red team assessments across DoD, commercial, and government sectors. He has been featured on Microsoft's Roadtrip Nation, profiled in IDG Enterprise's CSO Online, and appeared on ProfilingEvil alongside Brent White. Through wehackpeople.com, Tim has trained and spoken at DEF CON, Black Hat, DerbyCon, and numerous security conferences worldwide.

Brent White

Brent is a Sr. Principal Security Consultant and Covert Entry Specialist with Dark Wolf, specializing in advanced social engineering, adversary simulation, and red team operations against highly-secured facilities. He serves as a trusted advisor to the Tennessee Department of Safety and Homeland Security, has contributed to drone hacking methodology for the Defense Innovation Unit, and leads Aerospace Village's drone hacking operations at DEF CON. A frequent speaker at DEF CON, Black Hat, and BSides, he has been featured on Hak5, BBC News, Security Weekly, and Microsoft's Roadtrip Nation.