
PENETRATION TESTING SERIES – HOW I GOT IN

Updated: Sep 3


Curious how attackers really break in?  

 

We’re sharing real-world stories from our penetration testing partner, Artifice Security. These aren’t classroom exercises or textbook case studies. They’re actual penetration test engagements, carefully sanitized for confidentiality, that reveal how attackers think, move, and exploit weaknesses.

 

In this series by Artifice Security, How I Got In, you’ll see step by step how our testers gained access, uncovered hidden vulnerabilities, and helped organizations strengthen their defenses. From initial reconnaissance to final access, these stories show you exactly how breaches happen—and what you can do to prevent them.  

 

Below are the key points every security team should review. 


Physical access to a bank building: conversations, timing, misdirection and a solid read on human behavior, along with confidence and access to the company policy document, made for a successful engagement.

 

IN SUMMARY, WHAT WORKED:

  1. Social Engineering the Audit Team: The tester blended in with a team, received a visitor badge and gained internal access.

  2. Physical Intrusion: The tester observed a team member entering their code on a keypad and followed a few minutes later. This allowed the tester to plant a wireless access point.

  3. Real-World Tactics: A spoofed helpdesk phone number and email, together with a fake technician identity, gained the tester access.


PREVENTATIVE QUESTIONS TO ASK YOURSELF:

  • Do you require visitors to be pre-registered with matching names on a list before issuing a badge? 

  • Do you have keypads with shield covers and require multi-factor authentication (a key code and a badge swipe)?

  • Do you monitor for rogue wireless devices using regular scans?

  • Are your team members trained to verify all technician visitors, even if a written notification was received?   


Night entry to the Security Operations Center, bypassing a locked door by being creative, printer spoofing and easy access to a locked storage room.


IN SUMMARY, WHAT WORKED:

  1. Building access: The pen tester’s knowledge of front door sensors revealed the weakness that made the door open for him.

  2. Agility: Jumping across the railing into a wall opening by the locked door allowed the tester to bypass the lock.

  3. Printer spoofing: Printing the configuration page of a printer connected to the internet made its IP and MAC address available to the pen tester.

  4. Locked Storage room: The storage room for keys, safe codes and bank records, including checks and account numbers, shouldn’t have a lock that is easy to bypass.

 



PREVENTATIVE QUESTIONS TO ASK YOURSELF:

  • Do you monitor access logs and have motion detectors in key storage areas? 

  • Are your locks high-security cylinders? 

  • Do you use network authentication based on certificates, not just MAC addresses? 

  • Do you have a key cabinet? Is it in a secure room with badge access?  


After you have read these articles, shared them with your team, and created a review and action plan to see if you are vulnerable, it’s time to reach out for a Pen Test!

 

Don’t wait for an attacker to test your security first. Schedule a penetration test with CyberForce|Q and uncover your risks before someone else does.



Every organization is unique, which is why we meet you where you are in your cybersecurity journey, and tailor our solutions to your needs – reach out to solutions@cyberforceq.com.


Learn more about CyberForce|Q.


 
 
 
