A defense contractor that specializes in radar systems wanted to test their physical security. They needed to determine whether unauthorized personnel could potentially get access to their offices and their sensitive air-gapped network. The challenge was to identify weak points in their physical security that could potentially be exploited by a malicious actor.

We started by performing initial reconnaissance of the target company's physical assets. One of the offices was in a general building shared with other companies. We contacted the building manager and scheduled a tour of the offices as prospective clients.

During the tour we mentioned that we might want to make renovations to our floor if we decide to rent an office in the building. We requested to see examples of offices they previously renovated for their clients. With some social engineering, we managed to get the building manager to ask the target company's security officer for a guided tour of their offices to see the renovations.

In the middle of the tour, one of the operators asked to use the restroom and thereby split the team: the security officer led one of the operators to the exit while the building manager escorted the other to the restroom. Upon exiting the restroom, the operator noticed that the building manager was not looking and exited the restroom without him noticing.

After a quick search around the offices, the unescorted operator connected a drop box (device connected to the internal network that provides remote access) to one of the workstations and returned to the building manager, using the excuse of getting lost upon leaving the restroom.

The building manager was unaware of the operator's true intentions and escorted him to the exit to finish the guided tour. Unbeknownst to the manager, the operator had successfully completed their mission and made off with the desired access to the target's network. This served as effective training for the company and allowed them to be more resilient against physical intrusions.