I caught up with an old colleague today, and after hearing what he was working on it really made me miss physical pentesting.
Nothing was funnier than spending hours going over all the available options, layout of the building, etc., then just printing a fake name tag and tailgating in through the swipe doors.
So long as you looked busy, people just assumed you were a contractor. I could just sit in the staffroom, go in an empty office and start checking patch points, anything I wanted. Hell, there was one time where another team just went straight up to the IT manager and asked for the keys to the server room (which he gave them without looking up from his monitor).
The final part of the process was to take a selfie in the server room, something fun that could be included in the resulting report and proposal. I've only just gotten over my camera shyness, so there's probably more selfies of me "trespassing" in some Telco closet than there are of me doing anything normal.
Sadly, even if I wanted to do it again, the approach would need to be a lot different. Post-patch stroggo would stand out a lot more than the pre-patch one did.
