"Sorry to bother you, but we're waiting on some folks for lunch and having a little talk about the turnstiles you guys have. Those are cool. Are they high or low-frequency readers? If you don't know, the back of the badge there should say... lemme see and I will show you."
Assessment Background
As part of our work as security consultants, we run a wide range of threat simulation services. Not just the typical "remote hacker trying to breach a network" scenarios, but also physical assessments that test how easily someone could gain access through social engineering or by bypassing physical and electronic controls. We also look at the overall security awareness culture across the board: employees, contractors, guards, cleaning crews, anyone who happens to be on site.
Physical assessments are dynamic by nature. Even with proper OSINT and reconnaissance before entry, we don't fully know what we're walking into until we're in it. Things like the type of access control systems, the building's layout, and employee behavior can shift our approach on the fly.
We always scope out the surrounding area to decide our approach and gear loadout. If the target building is next to a café, hotel, or food court (or better yet, part of a shared-use facility), that can be a huge advantage. It's not just for convenience between pushes. From an attacker's perspective, high foot traffic gives great cover for passive recon. It lets us watch and gather details like employee badge formats, how people dress, how they move through the building, tailgating tendencies, what kind of lanyards they use, where the cameras are, all without drawing attention to ourselves.
In this particular case, we got lucky. The facility was in a shared building, and we were able to gather almost everything we needed without even stepping outside.
Reconnaissance From the Café
How fortunate were we? Very. As far as scenarios for reconnaissance and covert physical assessments go, this one was the jackpot. The hotel was directly across from the target facility, with a handful of coffee shops and restaurants connected to the building. One café had large untinted glass windows facing directly into the lobby of the target. There was also a connected parking garage that employees used to come and go.
During the morning rush, we sat with the best front-row seats imaginable, sipping coffee in the middle of their workforce. By simply watching from the café, we captured covert photos of employee badges, identified the type of badge readers used at the restricted elevator, and observed how folks interacted with one another. The human interaction part is very important. It tells us quickly whether people are on auto-pilot, moving about the building with no regard for others, or whether there's a real level of situational awareness that might cause a problem when we try to tailgate or use other entry techniques.
This target was the main corporate office, so our usual guise of being from "Corporate IT" or an "Auditor" wouldn't work. We knew from our recon that we needed valid badges to follow the flow of traffic without disruption. The lobby had at least four unarmed security guards, one in each corner of the open floor plan, so any break from the normal flow of things would be noticed. Walking into the lobby wasn't an issue. Going any further was. The facility used electronic access control turnstiles as a barrier before the elevator vestibule. If you tried to jump over them, a motion-activated alarm would sound. Once past the turnstiles, the elevators required valid credentials for each floor.
That meant a bigger problem. We could clone a random employee's badge by walking past, but that would only get us through the turnstiles. We also had to know which floor that badge had access to. The only way to find out was to tailgate onto the elevator and hope someone pushed a useful floor, then try to clone that badge for ourselves to maintain access. If we missed the clone, we would be stuck riding up to a random floor and following someone off where we didn't belong. That approach was risky, especially this early in the assessment, but we kept it in mind as a backup.
Building the Toolkit
Once we had a solid idea of our approach, the dress code, and the general awareness level of both employees and guards, we went back to the hotel room to prep tools. We configured USB keyloggers and a rogue access point we planned to implant once we were inside.
The USB keyloggers do exactly what they sound like. They passively log keystrokes that will hopefully give us network credentials when a user logs in to a workstation. The rogue access point was meant to mimic one of the company's valid Wi-Fi networks, with the hope that people would connect to it instead of the legitimate one. It would be plugged into their DHCP-enabled production network through a vacant and active network jack. We could also change the MAC address on the rogue AP to match something like a VoIP phone, just in case any sort of MAC filtering was in place.
Using the photos from our passive recon phase, we visually duplicated two badge credentials each, one contractor and one employee design. We had noticed a couple of varying badge designs in use and wanted to make sure that whichever floor we ended up on, our badges matched what people were wearing. It is nice to have options to switch between when needed. Along with the badges, we packed a couple of lanyards that matched what most employees were using.
Earlier, during our active recon phase, we had used an RFID diagnostics card to passively confirm the facility's badge reader was operating at 125 kHz. That told us low-frequency proximity cards were in use throughout the building, so we knew which configurations to load into our cloning tools. We printed our forged identities onto blank low-frequency badges, hoping to eventually write valid credentials to them once we cloned a legitimate one.
Also during active recon, we noticed the computer monitors at the main guard desk in the lobby were visible from outside the building, right from the sidewalk. To avoid drawing attention, we took turns taking pictures of each other in front of the building, the same way tourists snap photos of something memorable. It looked socially acceptable. While taking those "memorable" pictures, we made sure to zoom in on the guard's monitors and contact lists through the windows. Later, reviewing those images, we identified each security camera's placement, the areas that were and weren't covered, and a bunch of other useful details like operating system versions and VoIP phone models.
Working the Lobby
Inside the lobby of the target facility, we stood around and waited, ready to use the "we're waiting on someone" excuse if anyone challenged us. Phones became props. I held a fake conversation about lunch plans with one of the client's points of contact for the assessment. If you have seen any of the talks from wehackpeople.com, you know we believe the best time to tailgate or get close enough to copy badges is when lunch is starting or when everyone is leaving for the day. Employees are eager to be done with work, and that distraction is something we can exploit. It was close to lunch, so we leaned into the guise: "We're waiting for our point of contact to join us in the lobby. No worries."
Standing in blind spots in the lobby was easy enough, but the goal of this engagement was bigger. We needed to gain access to their network, plant a rogue access device, and bypass electronic and physical access controls. Social engineering was the medium, and the whole thing was also a real evaluation of the client's onsite security controls and security awareness.
While "on the phone," we walked around and noted how often people did or didn't pay attention to what we were doing, especially the security guards. Brent "installed" a badge cloning device with deliberately sloppy gaffer tape, the kind of obvious that should have made it stand out to anyone glancing in that direction. The placement was meant to copy any badges scanned at one of the readers. We watched as several employees walked by, ignoring the eyesore entirely. A few noticed it, gave it a look or two, and badged in anyway. No one reported it.
While the cloner racked up scans, we decided to push our luck and target the security guards directly. One guard sat behind the desk in the lobby, surfing TikTok. Tim walked over and the conversation went something like this:
"Sorry to bother you, but while waiting for some folks to meet for lunch I noticed the badge turnstiles. Those are great. I'm curious about the cards you guys use. Do you happen to have one of the blank badges behind there?"
That's when Brent walked up to bolster the social engineering attempt.
"Did you find out if they're those new HID badges?" he asked, joining the discussion.
"Not yet, I just asked about them," I said, turning my attention back to the guard, who was looking around for a blank badge.
"Sorry, there aren't any back here," the guard said. He didn't seem suspicious. So far, he had no reason to question us. We looked like we belonged and we spoke with confidence.
"No worries. Actually, could I just see the back of your badge? That'll tell me what kind you guys use."
At this point I had palmed a small badge cloner and reached out with my opposite hand. The guard sat there for a moment, thinking about it, then pulled out his wallet, removed his access badge, and handed it over. I flipped it over and pretended to read the back, squinting, supporting it with both hands, and copied it within seconds.
"Right on. It's the HID-Acme-LUL model," I said, turning to Brent for confirmation and handing the badge back to the guard. "Thanks man. We may have to look into getting something like that at the Acme-XYZ location, but we weren't sure about the encryption on them."
"The point of contact is here!" Brent interrupted, nodding toward someone on the other side of the lobby who looked important and appeared to be heading out for lunch.
"We'll be here most of the week, so I'm sure we'll see you around," we said, waving goodbye to the guard as we walked out and made our way across the street to a café.
Verifying Access
Back at the hotel room, we copied the security guard's cloned HID credentials onto the blank employee and contractor badges we had built earlier. That evening, we went back to verify the badges worked and that they could be scanned at multiple readers in sequence.
The night-shift guards noticed us as we entered, but we just nodded and kept walking toward the turnstiles, scanned our newly cloned badges, and made it through to the elevators. Next was the real test: authenticating at the access controls inside the elevator and seeing if we had access to the target floors. It would have been awkward if the badges didn't work and we either got stuck in the elevator or had to turn around and walk past the guards again.
Success. We scanned in, entered a floor number, and rode up to the target floors.
Inside After Hours
The cleaning crew was hard at work but kept to themselves, acknowledging us as employees working late. We exchanged a few brief pleasantries and immediately found an unoccupied cubicle, the perfect place to plug in our rogue wireless AP. The client's network ran DHCP, so getting onto the production network was just a matter of plugging into an open LAN port. After kicking off some network scanning scripts, we started planting keyloggers on targeted systems including the receptionist's computer, an HR workstation, and a network admin's laptop. We were hoping to grab Active Directory credentials and anything else they would type the next morning.
We also raked open some poorly made wafer locks on shredder bins with jigglers, and gained access to C-level executive offices, wiring closets, and server rooms by bypassing poorly installed doors and latches. We used latch slipping, the under-the-door tool against ADA-compliant lever handles, and request-to-exit bypasses with canned air.
A Note on REX Sensor Bypasses
Tricking REX and PIR sensors into believing someone is leaving is a technique we have used many times for entering suites, as you may have noticed from our other talks and write-ups. To do this, we turn a can of compressed air upside down and place the straw beneath the door (or between double doors) and spray. The dense, icy spray will trick some sensors into believing someone is leaving by triggering both motion and temperature variation. Cold or hot air affects the baseline temperature reading on the sensor, and once those two variables are met, the sensor is triggered. If the sensor is configured to release the door, you simply pull it open and walk in. You can also get the same effect by running a hand warmer on a long wire (such as the stock wire for under-the-door tools) through a gap between double doors or beneath an improperly sealed door.
Harvesting the Floor
While walking the target floors, we harvested passwords and data thanks to a poorly executed "Clean Desk" policy. Post-Its with local and domain credentials sat in plain view, and those credentials would later grant us additional remote access to the production environment, security systems, and more. We worked well into the night gathering information, executing payloads, and planting devices. After collecting what we needed and not being challenged by anyone, we called it a night and prepared for the next day's entry during business hours.
Returning in Daylight
When we returned the next day, we were able to come and go as we pleased. We were surprised to find that the keylogger on the receptionist's desk was missing. It had been discovered by one of the client's employees and reported to security. Kudos to that employee.
That report had triggered a search in the area for suspicious activity, but our other devices, including the rogue wireless AP velcroed under a conference room table, were still in place. We didn't want to push our luck during business hours knowing they were on a slight alert, so we backed off and returned later that evening. After another successful night of prowling, looting, retrieving our devices, and completing all objectives without being challenged, we wrapped the assessment.
We debriefed the client at the same café where we had sipped Americanos during initial recon. It was a fun debrief. The client was receptive and even excited to get to work on remediation efforts and expanding their security awareness training, not only internally but for contractors as well, including the security guards.
Baseline Security Issues
This assessment uncovered a range of critical vulnerabilities, combining both physical and cyber risks. The specific issues we documented break down into the following categories.
Lobby and Perimeter Awareness
- Unmonitored Lobby Areas: Security guards failed to effectively monitor lobby activities, allowing us to linger, conduct reconnaissance, and plant a visible badge cloning device on the turnstile without raising suspicion.
- Lack of Physical Barriers: The proximity of the target facility to public areas like cafés and hotels gave us ample opportunities for passive reconnaissance without drawing attention. Windows had no privacy tint or blinds, and the visibility of security camera monitors from outside the building let us gather critical details about surveillance coverage and other operational specifics.
Badge and Access Controls
- Inadequate Badge Verification: A security guard willingly handed over his access badge without proper verification, enabling us to clone valid credentials and access restricted areas.
- Weak Electronic Access Control: The reliance on electronic turnstiles and elevator access controls was undermined by the ability to clone low-frequency, unencrypted HID badges.
- Tailgating Risks: Employees displayed a lack of situational awareness, especially during peak times like lunch, making it easier for us to tailgate into restricted areas.
Awareness and Reporting Culture
- Poor Situational Awareness: Employees and the cleaning crew routinely ignored suspicious devices, including a visibly misplaced badge cloning device and multiple keyloggers. Only one keylogger was reported, and even that wasn't followed by a thorough incident response.
- Lack of Security Awareness Training: Both employees and security personnel were easily manipulated through casual conversation and trust-based pretexting, indicating insufficient training in recognizing and responding to social engineering tactics.
Document and Workstation Hygiene
- Unenforced "Clean Desk" Policy: Numerous instances of sensitive information, including passwords, were found written on Post-Its and left in visible locations, exposing the organization to potential data breaches.
- Use of Weak Locks: The disposal vendor used weak locks on shredder bins, allowing easy access to sensitive hardcopy documents such as network details, client PII, and financial information.
- Physical Port Security: Systems containing or accessing sensitive data and networks had open USB and SD ports, facilitating unauthorized data extraction or malware introduction.
Network and Wireless Controls
- Foreign Device Detection: Security lapses allowed undetected installation of keyloggers on key computers, compromising user credentials and other sensitive information.
- Unauthorized Network Access: The network had DHCP enabled with no controls for detecting or blocking rogue devices. A rogue access point was successfully planted, giving us a foothold into the organization's production network.
- WPS-Enabled Wireless Access Points: Wireless access points with WPS enabled allowed us to capture handshakes and crack the password due to weak password requirements, granting access to both guest and production networks. This was done via the planted rogue AP.
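As an added illustration of the missing control above (this is not the assessment team's tooling, nor anything the client had in place), the kind of check that would have flagged the rogue AP: each DHCP lease is compared against an asset inventory, and a known MAC is additionally checked against the DHCP vendor class (option 60) and switch port it showed up with, so a phone MAC spoofed by an AP on a different jack is still caught. The lease-line format, inventory, MAC addresses, vendor class strings and sample leases are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed inventory: MAC -> (expected DHCP vendor class, expected switch port).
INVENTORY = {
    "00:11:22:aa:bb:01": ("AcmePhone-VoIP", "Gi1/0/12"),
    "00:11:22:aa:bb:02": ("AcmePhone-VoIP", "Gi1/0/13"),
    "00:11:22:cc:dd:03": ("MSFT 5.0", "Gi1/0/20"),
}

# Constructed, pre-normalised lease export (real dhcpd/switch output varies):
# mac=<mac> ip=<ip> port=<switch port> vci=<option 60>; host=<option 12>
LEASE_RE = re.compile(
    r"mac=(?P<mac>[0-9a-fA-F:]{17})\s+ip=(?P<ip>\S+)\s+"
    r"port=(?P<port>\S+)\s+vci=(?P<vci>[^;]*);\s*host=(?P<host>\S*)"
)

@dataclass
class Finding:
    mac: str
    ip: str
    reason: str

def parse_lease(line):
    """Return the lease fields as a dict, or None if the line is not a lease."""
    m = LEASE_RE.search(line)
    return {k: v.strip() for k, v in m.groupdict().items()} if m else None

def check_lease(lease, inventory=INVENTORY):
    """Return a Finding if the lease is unknown or contradicts the inventory."""
    mac = lease["mac"].lower()
    if mac not in inventory:
        return Finding(mac, lease["ip"], "unknown MAC: not in asset inventory")
    want_vci, want_port = inventory[mac]
    # A spoofed MAC still has to send its own DHCP fingerprint; an AP or laptop
    # pretending to be a phone will not present the phone's vendor class.
    if lease["vci"] != want_vci:
        return Finding(mac, lease["ip"],
                       f"vendor class '{lease['vci']}' != expected '{want_vci}'")
    if lease["port"] != want_port:
        return Finding(mac, lease["ip"],
                       f"seen on {lease['port']}, inventory says {want_port}")
    return None

def audit(lines, inventory=INVENTORY):
    # Run every parseable lease line through check_lease and collect findings.
    leases = (parse_lease(l) for l in lines)
    return [f for f in (check_lease(x, inventory) for x in leases if x) if f]

# Constructed sample: a genuine phone, an HR workstation, a device spoofing
# phone 02's MAC from a different jack with no vendor class, and an unknown MAC.
SAMPLE_LEASES = [
    "mac=00:11:22:aa:bb:01 ip=10.0.5.21 port=Gi1/0/12 vci=AcmePhone-VoIP; host=phone-12",
    "mac=00:11:22:cc:dd:03 ip=10.0.5.40 port=Gi1/0/20 vci=MSFT 5.0; host=WS-HR-07",
    "mac=00:11:22:aa:bb:02 ip=10.0.5.22 port=Gi1/0/31 vci=; host=",
    "mac=de:ad:be:ef:00:01 ip=10.0.5.77 port=Gi1/0/44 vci=; host=wrt-ap",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LEASES):
        print(f"{f.ip} {f.mac}: {f.reason}")
```

Feeding the same data from a real lease file or switch MAC table needs only a different parser; the inventory comparison and the vendor-class check stay the same.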
Conclusion
Two consultants in cloned badges spent a couple of days inside a corporate office, and almost every layer of defense was undone by a friendly conversation, a sloppy piece of gaffer tape, and a guard willing to hand over his badge to settle a curiosity. The turnstiles, the elevator credentials, the badge readers, none of it mattered once someone with a smile asked nicely. The "Clean Desk" policy wrote our way deeper in. The shredder bins handed back what should have been shredded. The only reason any device got reported was because a single sharp employee saw a keylogger out of place. One person paying attention out of an entire building.
That's the lesson worth holding onto. The strongest controls in the world won't help if the people standing in front of them won't ask the second question. The badges aren't doing the work. The readers aren't doing the work. The people are. And when the people stop verifying, an attacker doesn't need to be sophisticated. They just need to be polite, confident, and curious about what kind of badge you're using.
We've got more stories coming where the question was the way in. Catch you at the next one.