This One Time on a Pen Test: The Pizza of Doom

Last updated at Sat, 09 Dec 2023 23:08:25 GMT

As part of a physical social engineering engagement for a bank, the customer was really concerned more with security awareness instead of physical vulnerabilities. They wanted some creative pretexts, or ruses, to see whether we could get in.

One of the ideas we came up with was to show up as a pizza delivery guy to see whether that could get us in. We ran the idea by the customer, and they were cool with it.

We went online and bought a hat, shirt, thermal pizza holder, and, of course, the pizza. We almost even accidentally walked into the pizza place wearing our pizza gear, but we changed at the last minute in the parking lot.

With the customer’s prior written consent, we bought a fake domain that looked like our customer’s and created fake email correspondence between human resources personnel and people we found on LinkedIn. The emails talked about how someone from the pizza company was going to come in to sell pizza by the slice.

When we showed up onsite, we told reception we were there to sell pizza and asked where the common area was. She was confused and wasn’t going to let me in. However, because I saw her first and last name on her badge, I was able to guess her email address and send her the fake email correspondence.

She told me to wait in the reception area after I called my “supervisor,” which was an excuse to get on my phone to send her the email. The receptionist called their facility manager down to the front desk, and they read the email together. The facility manager decided to call all the people on the email thread while I just stood there awkwardly listening to these confused people on the phone who knew nothing about pizza being sold by the slice.

Our pretext was quickly taking a nosedive, so I told the receptionist I needed to use the bathroom. The bathroom was behind locked doors, so she buzzed me in, which gave me access to their facility. I left the pizzas and walked into their building completely unescorted.

Interested in learning more about how Rapid7 pen testers conduct their assessments? Check back every week for a new story in the series.

• This One Time on a Pen Test: Paging Doctor Hackerman
• This One Time on a Pen Test: How I Compromised a Healthcare Portal Before My Hot Cocoa Went Cold
• This One Time on a Pen Test: Missed a Spot
• This One Time on a Pen Test: Nerds in the NERC