Last updated at Wed, 03 Jan 2024 20:13:46 GMT

Recently, we did physical social engineering and internal network penetration tests for a health insurance company with the customer’s prior written consent.

During some physical reconnaissance, we found a side entrance for employees and took notice that it was a pretty small office. At a smaller office, it’s harder to pretend you work there, so we came into the physical social engineering assessment posing as a vendor instead.

Hoping that the management employee we were going to name-drop in our cover story would be out at lunch, we showed up around noon dressed as a vendor in a company shirt and everything, and holding a medium-sized box.

After waiting at the side entrance for a couple minutes, an employee walked up and asked if we needed to get inside.

We were only inside for about 10 minutes before one of the employees came up to us, asked us about our cover story, tried to reach our contact, and escorted us out after they couldn’t get ahold of him.

However, that was enough time to get a rogue wireless access point connected underneath a desk, which we were able to use to connect to the internal network from the parking lot. We didn’t want to waste much time in case they went looking around where they had stopped us, so we started checking the internal network scope and found a Domain Controller vulnerable to MS17-010.

Interested in learning more about how Rapid7 pen testers conduct their assessments? Check back every week for a new story in the series.