The Power of Doubt: A Red Team Triumph in Social Engineering

In the world of cybersecurity, the battle often begins and ends with human behavior. During a recent physical penetration test against a major enterprise, two Nomad Security red team operators demonstrated just how critical—and precarious—this human element can be. This is their story of gaining access to one of the most secure areas of the organization, and how three near-captures turned into opportunities for triumph.

The Test Begins: Entry by Confidence

The operation started at the organization's sprawling headquarters, a fortress of badge readers, biometric locks, and eagle-eyed security personnel. Our mission was clear: simulate the tactics of a determined adversary to test the organization's physical and digital security. The end goal? Gaining access to the secure datacenter housing critical servers.

The first challenge was gaining access to the building itself. The team opted for a common but effective tactic: tailgating. By lingering near the main entrance during a busy period, they waited for an employee to hold the door open out of courtesy. A smile, a quick "Thanks!" and they were in.

But their luck almost ran out early. A sharp-eyed receptionist called out to them, "Excuse me, do you have an appointment?" One operator, carrying a clipboard and wearing a generic company-branded shirt, responded, "Oh, we’re just here to inspect the HVAC system—we’ve been called to check on some irregular noise complaints. Is that not on the log?" Their casual tone and confident demeanor defused the situation, and the receptionist, clearly busy, waved them on.

Close Call #1: Too Close for Comfort

Once inside, the operators headed toward the elevator banks. A security guard intercepted them, asking to see badges. This was their first real test.

“Oh shoot,” said one operator, patting his pockets. “I think I left it on my desk. Can we go back to our floor to grab it?”

The guard frowned but seemed reluctant to make a scene. “What floor are you on?”

“Seventh,” the operator replied confidently, using the generic layout knowledge gathered during reconnaissance. The guard begrudgingly swiped them through the elevator bank, muttering something about checking later. Another hurdle cleared—thanks to the natural human inclination to avoid unnecessary conflict.

Close Call #2: The Janitor’s Closet Incident

On the seventh floor, the team’s goal was to locate a workstation left unlocked or with weak credentials to escalate privileges. They discovered an unattended janitor’s closet, perfect for staging their gear and reviewing their next moves. Unfortunately, their activity drew the attention of a passing employee who stopped and asked, “What are you guys doing in there?”

Quick thinking saved the day. One operator waved a rag, saying, “Spill in the hallway. Just grabbing supplies.” Despite the presence of two laptops and unloaded backpacks spilling electronic gear across the table, the employee hesitated but moved on, perhaps uncomfortable pressing further. This moment was another reminder of how often people choose to give strangers the benefit of the doubt rather than risk confrontation.

The Culmination: Biometric Access Achieved

The team’s ultimate goal was the datacenter on the lower level, secured with biometric locks. To gain access, they needed domain admin credentials and the biometric data of an authorized custodian. They had identified a likely target during reconnaissance: a mid-level IT administrator whose workstation was located across the hall from the datacenter.

Using a compromised password obtained through an NTLM relay attack and later cracked offline (a classic yet all-too-common vulnerability), they gained access to the administrator’s workstation. From there, they escalated privileges to domain admin, which allowed them to manipulate the biometric authentication database. Using the fingerprint scanner at the custodian's workstation, left unattended during the lunch break, they copied the custodian’s biometric record and enrolled their own fingerprints alongside it.

Armed with fake biometric credentials, they made their way to the datacenter. The biometric reader scanned one operator’s fingerprint—and granted access. They were in.

Close Call #3: The Final Challenge

As they entered the datacenter, they had several free minutes to walk down the aisles of servers, capturing pictures of themselves as evidence of their presence. Once they had sufficiently proven they had unrestricted access, they turned to exit. At that moment, a security officer patrolling the area spotted them. “What are you doing here?” he demanded. The operators, anticipating this scenario, played innocent. “Sorry, we are here to replace some air filters for the ducts, but I think we took a wrong turn.”

The officer escorted them out but didn’t raise an alarm. By the time anyone thought to verify their story, the team had gathered the evidence they needed and left the premises.

Lessons Learned: The Power of Awareness

This test revealed the significant gaps in the organization’s physical security, most of which stemmed from human behavior. The operators were caught red-handed three times, yet not once did anyone escalate the issue. Instead, each encounter ended with the employees assuming innocence or ignorance.

Key takeaways:

  1. Train Employees to Act on Doubts: Employees must understand the importance of reporting suspicious behavior, even if they’re unsure. Encourage a “see something, say something” culture.
  2. Empower Employees to Escalate: Provide clear protocols for reporting and following up on potential security incidents.
  3. Regular Drills and Reinforcement: Conduct regular social engineering drills to test and reinforce employees’ vigilance and response protocols.
  4. Strengthen Physical Security Measures: Implement stricter access controls and ensure employees are trained to verify credentials without hesitation.

This operation underscores an essential truth: technology alone can’t protect an organization. People are the first line of defense—and the weakest link. Only by fostering a culture of awareness and accountability can businesses truly fortify their security.

At Nomad Security, we don’t just find vulnerabilities—we help organizations build stronger defenses. Because in the end, it’s not just about testing your systems; it’s about empowering your people.