"Sorry to bug you, but we're doing a key inventory, and John from facility services gave us this key for the Security Control Room. It doesn't appear to be working. He said you should have one, and to ask if we could use it. We promise to bring it right back, or you can escort us if you'd like..."
Assessment Background
When we're running red team, covert entry, or onsite social engineering assessments, we've had a pretty high success rate with tailgating and piggybacking our way into buildings and restricted areas. Security checkpoints are always part of the game. Sometimes it's a front desk manned with security, sometimes it's turnstiles or mantraps. Either way, we've learned how to use little moments of distraction to our advantage. A guard caught up in a conversation, binging a show or a podcast on their phone, or someone dealing with a delivery is often all the opening we need. We've also learned the value of creating a distraction when one isn't handed to us.
Picture this. We walk up behind a group of employees heading toward a badge-controlled door. We've got "the look" down to an art. A decent fake badge, and body language that says "we belong." As they badge in, we mimic the same motion and swipe our fake HID cards. It usually doesn't matter if the reader flashes red, green, or beeps at all. Whether the failed read sound is loud enough for people to hear, or we play the "beep" from our own device, nobody pays attention to anything but your hands or your eyes in most commercial locations with heavy foot traffic. Everyone is in a rush or zoned out in the ole daily grind, and more often than not, someone holds the door without a second thought. Or we catch it right before it closes and slide through like it's just another Tuesday.
Confidence and timing go a long way. Seriously. Walking in like you know where you're going and pretending to badge in is usually enough, especially in larger facilities with high turnover, heavy foot traffic, and employees who don't know every face. It gets even easier during high-traffic times like lunch or end of day, when the herd mentality kicks in and nobody is really watching the details.
On this particular assessment though, we had a familiar challenge: getting past an armed security guard posted at the front entrance.
On Site
The engine ticked softly in the rental car as Brent and I ran over the plan one last time. This commercial gig wasn't much different from several like it, and we had definitely noticed a theme. A bland brick-and-mortar behemoth in some office park with the same concrete and rubber plants feeling. Employees who were half checked out filed in, their eyes glazed over from the same day-to-day routine. It was the kind of place that practically screamed "easy target." I glanced over at Brent, who was already halfway through an Americano, and we both said, "Easy."
Cocky? No. We're not that type. We were confident in our abilities and had seen this sort of thing many times before, and succeeded. Even the seemingly mundane assessments are strangely exhilarating, and we often learn a thing or two ourselves. After all, we were there to infiltrate their "fortresses of data" to expose weaknesses in their systems that most people didn't even know existed.
Breaking the Perimeter
Our first challenge, accessing the perimeter, ended up being no challenge at all. The parking lot guard station was empty and the gate was left wide open, like they had just given up. The next challenge was getting into the building. As we examined the exterior, we noticed the emergency exit lacked a badge reader, but it was a no-go for floor access. We didn't want to trigger an "Emergency Exit" alarm or create a "Door Forced Open" state with the security system.
The rear entrance was secured with a badge reader that controlled the electric strike on the door. Fortunately for us, a poorly placed strike plate and an improperly installed latch allowed us to "slip" the electric latch and pull the door open, bypassing the reader altogether. A well-placed shove knife or traveler's hook rendered the electronic access control pointless.
We were in.
Walking Past Security
Once inside, we realized real quick there wasn't much room to maneuver without eventually running into security. The layout funneled everyone through a central lobby where the guards were stationed. Even if we had slipped past them early on, we would have crossed paths eventually. They made regular rounds, and the maintenance crew doubled as "security" too. These guys were everywhere.
So we didn't bother sneaking. We went straight for it.
I adjusted my clipboard, custom-built and loaded with our dual-frequency RFID cloner, and we made sure those fake badges of ours were easy to see. People trust what they think they recognize, and visible badges go a long way. The guard didn't even look up at first. He was mid-bite on a donut. No joke.
"Morning," I said with a friendly tone. "Got a sec for some compliance questions? Just need to go over the visitor badge process real quick."
He barely mumbled a response, too busy chewing.
Perfect.
I kicked into the "auditor" routine, rambling off NIST (National Institute of Standards) compliance terms and badge security buzzwords just fast enough to overload him. That tactic works like a charm. You create a little anxiety, mix in some authority, then ease it with reassurance, and suddenly you've got someone who just wants you to handle it so they don't have to think too hard.
"Mind if I look through a few of those?" I asked, nodding toward the binder of Visitor and Contractor badges on his desk.
"Knock yourself out," he said, eyes still glued to his breakfast.
That was my cue.
I angled the clipboard, flipped on the power switch, and let our RFID cloner go to work while I browsed through the badges, pretending to inspect them. The clipboard looked like nothing more than a clipboard, but with a quiet hum underneath, it was copying everything.
Meanwhile, Brent leaned casually against the wall, eyes locked on the ceiling. Or at least, that's what it looked like. In reality, he was doing what he does best: casing the place and committing the layout to memory. Camera placement, motion sensors, employee behavior, mapping out the next move.
Twenty minutes later, we had more badge data than we needed and enough intel from the guard to start building out our next steps.
Next stop: the server room.
The Server Room
As usual, it wasn't hard to find. These office layouts are typically the same. You can also often find a map of the building in the stairwell, posted to show where the fire exits are. Once we made our way to the server room, we were surprised by how little was in place to secure it. A basic mechanical lock. No electronic access controls with access logs. No alarm sensors. Just a simple pin and tumbler.
Brent pulled out his picks and got to work. Click. That sound never gets old. The door was open after just a handful of seconds.
We stepped into the heartbeat of the company. It was only us among the rows of servers humming in the dark. But the real jackpot was off to the side: a box labeled Remote Employee VPN Devices and Handbooks.
That innocently labeled cardboard box was a golden ticket, Charlie. We had our hands on the VPN setup guide and a device. Along with credentials gifted in the same box, we were able to quickly identify a few misconfigurations that we can't get into detail on. We now had a solid external method of access into their internal network.
Although that was a great win, we still needed to see if anything else stood out to us among the servers. Per usual, the racks were either left unlocked or locked with the key still in the keyway. Because of this, we had easy physical access to every server. It was no problem to connect our network taps that allowed us to "dial in" externally. We could have implanted more keyloggers, installed malicious software, removed hard drives, or employed any other type of physical attack, including destruction. However, we chose to forgo those options. We had already gathered enough information and enough evidence to show proof-of-concept of physical-based attacks to the client. There was no point in creating extra clean-up work for us or the client.
After an hour in the server room, unattended and unchallenged, it was time to go. We had done everything we needed to in there. Obtained credentials, planted network taps, and took photos for evidence.
The Security Control Room
Eventually, we stumbled into the Security Control Room. The door was locked, but it had a huge window with no covering on it. We could easily see into the room. It was empty and the lights were off. And yeah, it looked like something straight out of a heist flick. A wall of monitors, printed protocols, and a wafer-lock aluminum key box labeled "Company keys" just sitting there, begging to be picked open.
While standing in the hall, Brent stood sentry while I pulled out my lock picks, determined to get inside the control room and inside that key box.
"You know we're just supposed to take pictures, right?" he said, clearly enjoying the irony.
I laughed. "Yeah, yeah. But imagine if the server room key was in here?"
Click. We were in. The timing was perfect. Seconds before the door opened, one of their maintenance and security guards rounded the corner at the opposite end of the hall. We were sure he had spotted us, so we jumped into the room as fast as we could, quietly shutting and locking the door behind us. Certain the guard was on his way to question us, we hid under the desk.
"What are we going to say if he walks in here and finds us?" Brent whispered.
"I don't know. 'Surprise!'?" I shrugged. We tried our hardest not to laugh out loud. The flickering of the CRT security monitors made for an ominous situation, but no one came in after us. Had they caught us in there, this is where some mad improvisational skills come in handy. Have a story prepped for why you are there, and make it convincing.
Once we knew they weren't coming in, it was time to get back to work. I grabbed my picks again and focused on the key box I had been waiting to get to.
Click! A quick, easy open. Inside, the weak off-the-shelf office aluminum box held more than the key labeled Offsite Data Center. Several company vehicle keys, and more.
Brent grinned. "What if we were to leave a note that says..."
"Thanks for the memories?" I said, snapping a photo of the data center key so we could recreate it later. No need to take the key itself. We just needed the bitting. This determines the depth the keys are cut, or filed. There are several apps out there that will let you guess the bitting from a photo, as we and others have covered in industry talks and workshops.
We put everything back the way we found it and left. No traces. Clean work.
Wrapping Up
We made our way back to the higher floors for one last sweep of the offices and cubicles, documenting a few more issues, and then called it. At this point, we had gone through every single office, cubicle, filing cabinet, server room, and media closet. We had even hung out and had a snack and drink in the break room. There was nothing more we could do.
Just as we were wrapping up, we heard a couple of guards talking, making their way toward the office we were in. Same as in the Security Control Room, we both hid behind the large desk and waited until we heard them get on the elevator.
We made sure we hadn't forgotten any of our tools and made our way outside via the stairwell, after moving among employees for hours, undetected.
This job wasn't about spy gadgets or Hollywood hacking moments. We cloned badges, but we didn't even need them. It was more of a "here is another way you are vulnerable." What got us in was one of the oldest tools in the proverbial book, understanding how people work. Their routines. Their assumptions. Their blind spots. That, and several physical security weaknesses that should have acted like a safety net when the human firewall fails.
That's where real access lives.
As we walked out to the car, the sun was going down and the building behind us faded into the background like nothing had ever happened. And as far as they knew, nothing had.
I tossed Brent the keys. "Burgers?"
Brent laughed. "Burgers."
Baseline Security Issues
It doesn't take a high-tech gadget or an elite-level exploit to walk through the front door. Most of the time, it's the little stuff. Doors left unlocked, guards looking the other way, and employees who hold the door open for a stranger because it feels polite. We've seen time and again how routine dulls vigilance, and how a fake badge paired with the right body language can get you deeper into a building than any malware ever could.
This assessment is one of several examples of how physical security breaks down. Not because the tools aren't there, but because the people and policies behind them aren't dialed in. From unguarded gates to badge readers that no one is paying attention to, the cracks weren't just visible. They were wide open.
But here's the thing: all of this is fixable. Physical security isn't just about locks and cameras. It's about awareness, accountability, and creating a culture where people understand that they are the front line. You can have all the tech in the world, but if no one is looking, it won't stop a thing.
The specific issues we documented on this engagement break down into five areas, working from the outside in.
Perimeter and Physical Access
- Unguarded Parking Gate: The parking lot checkpoint was completely unmanned, with the gate left open. Direct perimeter access with zero resistance.
- Improperly Configured Door Hardware: A rear entry door with a poorly placed strike plate and a disengaged security plunger allowed for a basic shove knife attack to bypass the lock. No alarms were triggered, and no tamper detection was in place.
- No PIDS on Emergency Exits: Emergency exits lacked sensors during off-hours and any alert systems robust enough to deter or detect misuse, further weakening physical access control integrity.
- Tailgating: Employees were observed allowing unauthorized individuals to piggyback into restricted areas without challenge. Fake badges and confident behavior were enough to slip in undetected, especially during high-traffic times like lunch or end of day. The facility lacked any physical access controls such as turnstiles or mantraps to help mitigate tailgating.
Badge and Credential Controls
- Ignored Badge Reader Alerts: Visual and audio cues of failed badge scans were ignored by employees and security personnel alike. Red lights and silent failures went unnoticed during busy moments. Security staff relied on the presence of a badge rather than verifying its legitimacy. Forged badges on blank HID cards passed visual inspection without any credential validation.
- Unsecured Badge Inventory: RFID badges were stored in plain sight at the security desk with no inventory control or logging. These were cloned in place using a disguised RFID skimmer without any interference.
Personnel and Social Engineering
- Untrained or Unengaged Security Personnel: The security guard at the front desk was distracted, uninterested in his duties, and failed to follow basic protocol, allowing direct access to RFID badge binders and answering questions without vetting the red team's identity.
- Social Engineering Susceptibility: A fake auditor persona and a confident flood of compliance jargon overwhelmed the guard, who defaulted to compliance rather than escalating or verifying. This psychological overload created trust and access.
Interior Spaces and Critical Infrastructure
- Inadequate Server Room Security: The server room was locked with a basic mechanical lock that was easily picked. There were no access logs, alarms, or video review triggered by entry. The room also contained highly sensitive material, including VPN devices and manuals, left unsecured.
- Poor Key Control Practices: The Security Control Room key box was accessible and secured with a basic lock that was picked with ease. Keys were clearly labeled, including access to offsite data centers, allowing for duplication from a photo.
- Predictable Facility Layouts and Server Room Placement: The building's design followed a predictable layout that allowed the team to easily locate and access the server room without prior intel, underscoring the risks of standardized, cookie-cutter facilities. Clearly labeled signage on doors removed any uncertainty.
- Physical Access to Critical Infrastructure: Network taps and keyloggers were deployed directly on server hardware without resistance. There were no physical security deterrents, cable management protections, or tamper-evident seals. Server rack keys were left in keyways, or the racks remained unlocked entirely.
Monitoring and Detection
- Lack of Network Monitoring or Detection: The red team was able to successfully implant and install foreign devices such as USB drives and LAN taps. There were no signs of real-time network monitoring, access alerts, or response protocols.
- Lack of Physical Monitoring or Detection: There were no signs of real-time monitoring of access control alerts, and no apparent response protocols in place. The red team was able to move freely throughout the facility, access sensitive systems, clone RFID badges, and interact with employees without triggering any security intervention.
Conclusion
This assessment wasn't defeated by a zero-day or some exotic tool. It came apart through basic human behavior and the quiet assumption that someone else was handling it. An open gate. A distracted guard. A key box sitting behind a lock that could be picked in seconds. Every layer of defense was there on paper, but when the people behind those layers weren't paying attention, the whole thing folded.
That is the real story of physical security. The hardware only matters if the humans around it actually care. Confident behavior, a fake badge, and a little compliance jargon walked us past armed security, into the server room, and eventually into the key box that held the keys to everywhere else. No alarms. No challenges. No one asking questions.
The fix isn't more technology. It's attention. Train guards to question the friendly auditor with a clipboard. Lock the racks and keep keys out of keyways. Treat the front desk like a checkpoint, not a greeter's station. Every one of the issues we documented here can be closed with discipline, not dollars.
We've got more stories from the field on the way. Different buildings, different people, different weak spots. Catch you at the next one.
Share:
Access Log 004: Drones & Weaponized Cats vs The Gate
Access Log 006: BBQ and Open Doors