"Sorry about that!" an employee blurted, nearly colliding with me as he hurried down the stairs.
"No worries," I said, barely paying him attention. My focus was on the stairwell door to the 5th floor, still slowly swinging shut. I sprinted up the last few steps and wedged my size 10.5 shoe between the door and the frame before it could latch. Turns out I didn't even need a badge to open the stairwell doors. Better safe than sorry, I thought.
Assessment Background
A few years back, a client walked into our pre-engagement briefing loud and cocky, convinced their physical and network security was untouchable. It was the kind of overconfidence that makes you pause and file a mental note. They slid the Letter of Authorization across the table with a smirk and said, "Good luck," as if they'd built a brick wall around themselves. We've seen that posture before. It doesn't intimidate us, it sharpens us.
They gave us a broad scope and a very tight testing window, just enough for some remote reconnaissance followed by a handful of compressed days onsite. That constraint forced focus, and it suited us fine. We've learned how to work fast and thrive under pressure. With little time on the clock, we started by ripping through every piece of public information we could find: employee profiles, contractor listings, blog posts, archived job ads, procurement notices, even obscure forum mentions. OSINT isn't glamorous, it's tedious. It's methodical work that reveals patterns: badge artwork, network username conventions, vendor relationships, and details about the workplace culture that people assume don't matter.
With those patterns in hand, we moved to remote social engineering: targeted phishing, vishing campaigns, and the other variants we've refined over years of practice. The goal was realism. We built believable narratives and credible pretexts so that when we engaged people online or on the phone, it felt natural. It paid off. In short order we pulled domain credentials, badge format samples, internal policy snippets, and a handful of employee names and roles that would make our later conversations sound effortless.
By the time we showed up onsite, we weren't guessing. We had mental maps of the building's layout and the spots most likely to become chokepoints during shift changes, when foot traffic was higher. We also had a clear list of the assumptions they were making about their own safety. Those blind spots are rarely dramatic. They're the small, everyday shortcuts and trusted routines that compound into exploitation paths. Reconnaissance was done. The real work was about to begin, and we were ready.
On-Site Red Team Assessment
The day of the assessment arrived, and the familiar mix of adrenaline and focus kicked in. We met the client's main point of contact at a little café off-site. He was a straight shooter, a former military type who wasted no time. We went over the Statement of Work (SoW) and verified the scope one more time. Then he slid the last piece we'd been waiting for back across the table: the signed Letter of Authorization (LoA). Green light. He leaned back, gave a half-smirk, and said, "Alright, go prove us wrong." Between the personality, the buttoned-up shirt, and the slicked-back hair, it came across as cinematic and a little cheesy. So whatever you're imagining, that's it.
This was a "Black Box" style assessment, meaning we were given just enough information to identify the target and whatever restrictions were placed on our rules of engagement. All we had was an address and a handful of objectives: get inside, reach the network, and pull sensitive data. What they didn't realize was that we'd already been busy. Our OSINT and reconnaissance had painted a detailed picture long before that signature hit the page.
Casing the Building
The target was right across the street from our hotel: a sleek, ten-plus-story slab of glass and steel. Corporate fortress vibes, but nothing we hadn't handled before. Back in the room, we kicked off the usual ritual: laptops out, coffee in hand, game-planning around the tiny table. Brent had his VMs spinning up while I stood at the window studying the building. He held up an old 20 dBi cantenna with a grin. "Think this thing still works? If you get an access point planted inside near any of those windows, we should be able to hit it from the edge of the hotel parking lot."
We ran the math, counted floors, and checked angles, figuring we'd get coverage up to about the fifth floor. Solid intel for what we were about to attempt.
That night we ran recon, filling in the gaps from our earlier OSINT: building layout, camera angles, employee patterns, smoke break areas, and which exterior doors were most likely to be used and when. Driving past the front, I noticed the cleaning crew had propped a door open. We've seen that countless times at commercial and government facilities. A jackpot mistake for attackers, almost too good to be true. I parked at the hotel and went to scout it on foot while Brent ran overwatch from the room.
Brent: "I have eyes on the main entrance. It's still wide open. Three people just crossed the lobby and got into the elevator. The lobby is wide open right now."
Tim: "Yeah, I just heard the elevator bell. They went up a few floors. No one's around."
Brent: "It's wide open. You want to take it?"
Tim: "I do. It'd be easy, but I've still got a few things to check and I didn't bring my tools out with me."
Brent: "Makes sense. It's starting to rain anyway."
The rain started, so we called the external recon phase and shifted to prep work: staging the rogue AP, snapping profile photos for the forged badges, and then playing some old-school NES games. Tomorrow was game time, and we were feeling confident.
Game Day
The next morning was gray and heavy with clouds, but we crossed our fingers that the rain would hold. Getting caught without an umbrella, or walking around in a poncho, isn't just uncomfortable. It's a dead giveaway that you've been on foot for a while. That swishy poncho sound draws attention, and the wet can wreck your gear fast. Once you're soaked through, you have to change, dry off, and pray for another clean window before the next downpour hits.
From the hotel window, we watched employees arrive, most bypassing the front entrance and slipping through side or back doors. It confirmed what we had documented the day before. We headed down to the street and split up, surveying from the parking lot in separate vehicles to document the details: badge reader placement and types, dress code, lanyard placement and colors, and door usage. We also paid attention to how people treated each other. Do they move like zombies, paying no mind to who else is around? Or are they more alert, more likely to question something out of the ordinary? This part can be boring, but it's critical.
Walking In
After a few hours of recon, we settled on the rear entrance near the designated smoke break area: high traffic, low awareness. It's often a prime entry point for us. Around 5 PM we made our move. I suited up: forged badge, collared shirt and tie, sunglasses, and a laptop bag with the AP hidden inside. While Brent lingered outside snapping pictures of badges, the two of us started a phone call with each other. I was chatting and laughing, moving like I belonged. We do the "phone call" bit to project a certain energy: everything's cool, I belong here, I'm having a good day. It disarms the people around us. It also says "I'm busy, don't bother me," which nudges people not to interfere, question, or interrupt. They'll even hold the door open for us more often.
Brent stayed outside and kept "talking shop" with the smokers, quietly cloning a few badges while I got ready to make entry. The plan was for him to head back to the hotel room once I was inside, resume overwatch, and be ready to confirm the rogue access point as soon as I planted it.
Right as I reached for the door with my fake badge, an employee walked out. "Thanks," I said with a casual nod, catching the door and walking right in, still talking on the phone. No need to fake a badge-in when you can just walk in. And just like that, I was inside.
Brent later told me he laughed and shook his head at how quick and easy that was, like it usually is. He had to cut a conversation short, since he wasn't expecting to head to the overwatch position so fast.
The Stairwell
Our recon had given us a rough map of the place. I headed left, passed a closed café, and ducked into the bathroom to breathe and let the adrenaline stop punching my ribs. I sent Brent a quick text to green-light entry. He replied that foot traffic on our target floor was starting to thin out.
When the flow slackened, I moved. I glanced at the emergency floor plan pinned by the stairwell, just enough orientation to make the stairs less of a guess, then slipped in and started up. Halfway up, I nearly ran into someone hammering down the steps. A fast, polite "sorry" from both of us, and we kept going.
Then luck landed in my lap. The 5th-floor door was swinging closed behind someone who had just walked through. I shoved my foot in, wiggled past, and eased it shut behind me. No badge, no tail, and no Metal Gear Solid alerts. Just impeccable timing, a calm demeanor, and the kind of quiet luck you cultivate by watching doors and people instead of your phone. Beyond the door was a vestibule of sorts, a badge-secured access control point with thick glass walls leading into the rat-maze of cubicles. Dim lights and silence. A few stragglers were still at their desks, listening to music or clearing their throats. I clocked a nearby bathroom, our "ole WHP office and hideout." Then I heard a voice.
"Yeah, so the SQL team had the same issue last week..." An employee on the phone walked out. I caught the glass door before it shut and slipped in right behind him. He didn't even glance back. This was obviously a real problem here.
The Floor
A conference room sat directly across. I ducked inside, dimmed my phone, positioned myself near a window facing the hotel, and whispered with all the cinematic charm I could muster, "I'm in."
Brent: "Nice. Let me know if there's an Ethernet jack for the AP. I'm almost back to the hotel and I'll fire up the laptop."
I kept low and waited until the last two employees clocked out. Then it was on. I swept the floor, dug through shred bins and trash, and snapped photos of sensitive documents. I even found laptops abandoned on desks, untethered, their authentication easily bypassed with bootable media that handed me local administrator access. Then I found the perfect cubicle, its occupant clearly on vacation. Even better, they had their own Linksys home router plugged in. Yeah, that's weird. It's pretty safe to say that wasn't an approved device.
Before I even set ours up, I noticed a rogue access point already wired into their network. After deploying our own and tucking it beneath a pile of unused laptop bags, I slipped out like I'd never been there. Later, we flagged the first rogue device to our point of contact, just in case it wasn't theirs. It could have been a leftover from a former employee, or worse.
On the Network
I met Brent in the hotel parking lot, and from the rental car we connected to our rogue AP. Voilà. It was in range, exactly as we'd guessed. We now had access to the production network, and we started exploiting anything we could.
The rest of the night was surgical. With Blackball's Super Heavy Dreamscape playing in the background, we scanned internal ranges, found live systems, and started pulling data. Using credentials written on paper that we'd snagged during recon, we moved deeper: databases, employee PII, internal projects, and even brute-forcing their IP-based camera systems.
By morning, we had everything we needed. And no one ever knew we were there.
Baseline Security Issues
This was yet another reminder that infiltration doesn't always come down to tools. It comes down to patience, planning, and knowing how to read people and environments. We didn't have much time, but we made every minute count. From the moment we saw that smug "Good luck" across the table, we knew exactly what kind of engagement this would be. They thought they were locked down. What they didn't realize was how much access they'd already given away through routine, human behavior, and small oversights that compound when no one's paying attention.
This assessment was a mix of quiet recon, well-timed social engineering, and just enough tech to tip the scales in our favor. We mapped the blind spots, watched the rhythms of the building, and struck when the moment was right. A door held open here, a name dropped there, a rogue access point buried under a desk: small moves that built up to total control.
By the time we connected from the parking lot, scanning internal networks over coffee while the building slept behind us, we had already won. The client didn't just underestimate us. They underestimated how far a little preparation, a forged badge, and a confident walk can really get you.
They never saw us. But they'll definitely remember us.
The specific gaps we documented broke down like this:
- Overconfidence in Security Posture: The client's dismissive attitude and "Good luck" mindset set the tone. That kind of overconfidence usually means they've stopped looking for their own blind spots, and this engagement proved it.
- Front Door Propped Open by the Cleaning Crew: A main entrance left open by custodial staff handed us a blatant physical access opportunity, with no oversight or access logging for after-hours entry.
- No Access Validation During Entry: The forged badge and casual "pretend badge-in" routine went unchecked. Employees weren't trained, or simply didn't bother, to verify whether someone had actually scanned in or had legitimate access.
- Tailgating and Piggybacking: Employees held doors for strangers without hesitation. This behavior was common and predictable, especially at shift changes and near the smoke break zones.
- Badge Readers Installed but Poorly Enforced: Badge readers were present, but enforcement was weak. The design relied too heavily on employee behavior rather than layered enforcement or alerting when doors were forced or held open too long.
- Cameras Present but Not Monitored: Cameras were installed but clearly not actively watched. We were able to note their placement, avoid the angles, and move through the facility without an alert.
- Predictable, Exploitable Employee Behavior: We used observed routines (arrival times, break areas, and floor patterns) to blend in and move freely. That predictability, unchallenged, left critical doors and floors exposed.
- Untethered, Unsecured Laptops: Laptops were left out and unattended in cubicles, providing physical access to company assets and sensitive data with minimal effort.
- Unsecured Documents and Trash: Sensitive information such as SSNs, PII, and financial data sat in unlocked bins and trash cans, with no shredding or secure disposal in place.
- Rogue Access Point Deployed Without Resistance: We planted a rogue AP on the internal network unchallenged. The lack of port security or Network Access Control (NAC) let us pull an IP address and start scanning immediately.
- No Network Segmentation or Isolation: Once on the internal network, there were no meaningful barriers between the rogue device and sensitive systems. Database access and internal resources were freely reachable.
- No Challenge or Reporting of Suspicious Behavior: Despite a forged badge, unfamiliar faces, and someone sitting in their space after hours, no one challenged us. That reflects a serious gap in internal awareness training.
- No Visibility Into Unauthorized Access: No alarms. No security personnel intervened. Nothing indicated that intrusion detection or anomaly monitoring caught anything unusual, even as systems were accessed and data was pulled.
- Outdated or Misconfigured Physical Security: Interior doors didn't require re-authentication from the stairwell, and stairwell access was unrestricted. That allowed floor-to-floor movement without detection or logging.
- No Control Over After-Hours Movement: We were able to hide out, plant devices, and operate after hours without triggering alerts or being approached. Physical presence alone was treated as authorization.
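Several of the gaps above (doors held or propped open, doors opened with no badge read, after-hours entry with no alert) are the kind of thing door-controller events can surface. The sketch below is an added example, not part of the original assessment or the client's tooling; the log format, door names, event names, and thresholds are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

GRANT_WINDOW = timedelta(seconds=10)  # badge/REX must precede an open by at most this
MAX_HELD = timedelta(seconds=15)      # a door open longer than this counts as held
BUSINESS_HOURS = range(7, 19)         # 07:00-18:59 local time (assumed policy)

# Constructed sample events in a hypothetical "timestamp door event" format.
# REX = request-to-exit sensor, i.e. someone leaving from the secure side.
SAMPLE_LOG = """\
2024-03-04T16:58:02 REAR-ENTRY REX
2024-03-04T16:58:03 REAR-ENTRY OPEN
2024-03-04T16:58:31 REAR-ENTRY CLOSE
2024-03-04T17:06:40 5F-STAIR OPEN
2024-03-04T17:06:44 5F-STAIR CLOSE
2024-03-04T17:07:15 5F-GLASS BADGE_OK
2024-03-04T17:07:16 5F-GLASS OPEN
2024-03-04T17:07:20 5F-GLASS CLOSE
2024-03-04T21:30:00 MAIN-LOBBY BADGE_OK
2024-03-04T21:30:02 MAIN-LOBBY OPEN
2024-03-04T22:10:02 MAIN-LOBBY CLOSE
"""

def analyze(log_text):
    """Return a list of (timestamp, door, alert) tuples in log order."""
    alerts = []
    last_grant = {}  # door -> time of the last BADGE_OK or REX
    opened_at = {}   # door -> time of an OPEN still waiting for its CLOSE
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, door, event = line.split()
        ts = datetime.fromisoformat(stamp)
        if event in ("BADGE_OK", "REX"):
            last_grant[door] = ts
        elif event == "OPEN":
            opened_at[door] = ts
            grant = last_grant.pop(door, None)  # one grant covers one open
            if grant is None or ts - grant > GRANT_WINDOW:
                alerts.append((stamp, door, "OPEN_WITHOUT_GRANT"))
            if ts.hour not in BUSINESS_HOURS:
                alerts.append((stamp, door, "AFTER_HOURS_OPEN"))
        elif event == "CLOSE" and door in opened_at:
            if ts - opened_at.pop(door) > MAX_HELD:
                alerts.append((stamp, door, "HELD_OPEN"))
    # Doors with no CLOSE by the end of the log are reported as propped.
    alerts += [(t.isoformat(), d, "STILL_OPEN") for d, t in opened_at.items()]
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(*alert)
```

These rules catch a door that stays open after a legitimate exit or badge read, but a second person passing quickly through an authorized open leaves no trace in this event stream; that case needs occupancy sensing or people who challenge.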
Conclusion
This assessment reinforced something we say over and over again: most successful intrusions don't happen because of sophisticated hacking. They happen because of small gaps that everyone assumes someone else is paying attention to.
The technology was there. The badge readers were there. The cameras were there. The policies existed. The problem was that security had become routine, and routine creates blind spots.
A door gets held open. An unfamiliar face isn't questioned. A laptop gets left unattended. A network port gets trusted. By themselves, those don't seem like major issues. Together, they gave us everything we needed. In the end, we didn't defeat their security systems. We defeated their assumptions.
And that is exactly why physical security assessments matter as much as the rest.
We've got more stories from the field coming. Different buildings, different people, the same kinds of small gaps. Catch you at the next one.


