Key Takeaways

- Red teamers gained building access by offering to help maintenance crew shovel snow
- A hidden Raspberry Pi stayed undetected for two weeks, enabling full domain admin compromise
- Password spraying with "winter2023!" yielded 50-60 employee account hits

Two professional red teamers walked into a client's building through an open maintenance door, helped shovel snow, and walked out with a hidden Raspberry Pi plugged into the corporate network. Two weeks later, they had domain admin access. The client never found the device.
The story, shared by Kristopher Johnson and his then-manager Dahvid Schloss at Echelon Risk + Cyber, illustrates how physical security failures cascade into full network compromise. It happened in 2023. The lessons still apply.
How did they get inside?
Johnson and a colleague named Michael arrived at the target office in winter. The maintenance crew had propped open a door. They walked through it into the mail room, where an employee immediately challenged them.
Their cover story: new IT employees without working badges. They mentioned nearly slipping on ice and offered to help shovel. The maintenance team accepted.
Michael shoveled. Johnson asked maintenance to let him inside so he could "set up Michael's laptop." They did. He was now free to roam the building.
Planting the Raspberry Pi
Johnson's goal was simple: plug a Raspberry Pi into the network, then attack remotely. His first attempt failed. The AV closet Ethernet port had network access control enabled. The Pi's LTE radio couldn't reach a signal from inside the closet either.
He moved to a conference room. One network port there had no access control. But the Pi would be visible to anyone walking in.
His solution: trash cans. He arranged them to hide the device. It worked.
Getting out proved harder than getting in. The front door required a badge swipe. Strangers refused to help. But the maintenance entrance? They swiped him out without hesitation. He waited in his car while Michael finished shoveling.
The breach was detected. The Pi was not.
The next day, building security confronted Johnson and Michael. Someone from maintenance had gone to the IT department to thank them for Michael's help. IT had no record of new employees named Michael or Kristopher.
Security reviewed camera footage. They traced Johnson's rental car and tried to pull license plate information. They suspected something was wrong.
But they never found the Raspberry Pi. It stayed plugged in for two weeks.
From Ethernet port to domain admin
With network access, Johnson's team connected to Active Directory, located the domain controllers, and started password spraying accounts. They tried "winter2023!" as a password.
It worked on 50 to 60 accounts.
"So we used those credentials to kind of map out the rest of the network," Johnson told The Register. "Network shares and things like that and then, towards the end of the test, we enumerated the certificate services."
They found eight Active Directory Certificate Services templates vulnerable to ESC1 and ESC4 attacks. The certificate authority itself was vulnerable to ESC8. They exploited these holes to gain full domain administrative access.
A janitor found the Raspberry Pi two weeks after the initial breach. By then, the red team had already won.
Why helpfulness is a security risk
This attack worked because people wanted to help. The maintenance crew saw two guys who almost slipped on ice and offered to pitch in. That reads as friendly, not suspicious.
Schloss noted that if someone looks and acts like they belong, employees default to trust. That instinct is exploitable. Real attackers know this. According to Verizon's 2023 Data Breach Investigations Report, 74% of breaches involve human elements including social engineering.
The physical access control failed at multiple points. The maintenance door was propped open. Strangers were escorted into secure areas. No one verified the "new IT employees" story with actual IT. The conference room network port had no access control. Trash cans provided adequate cover for foreign hardware.
What should the company have done?
Train everyone, not just security staff. The maintenance crew had no reason to suspect a social engineering attempt. They were being helpful. But they should have known to verify badge claims with security or IT before granting access.
Enforce network access control everywhere. The AV closet had it. The conference room did not. That inconsistency created the opening.
Assume physical access equals network access. Once someone is inside with a device, they can plant hardware. Sweep regularly for unauthorized devices. Monitor for new MAC addresses on the network.
Password policies matter. "Winter2023!" is exactly the kind of seasonal, predictable password that spraying attacks target. It met typical complexity requirements. It was still terrible.
Logicity's Take
The company did several things right. Network access control existed on some ports. Security responded quickly once suspicion arose. They reviewed camera footage and investigated the rental car. But partial security is often worse than it looks, because it creates false confidence. The single uncontrolled conference room port undid the rest. For companies evaluating their own posture, red team assessments like this one, typically priced from $20,000 to $100,000+ depending on scope, reveal gaps that internal audits miss. Firms like Echelon Risk + Cyber, Bishop Fox, and Coalfire all offer physical penetration testing alongside network assessments.
Frequently Asked Questions
What is a red team in cybersecurity?
A red team is a group of security professionals hired to simulate real attacks against an organization. They test physical security, social engineering defenses, and network vulnerabilities to find holes before actual attackers do.
How do attackers use social engineering to gain physical access?
Attackers exploit human tendencies like helpfulness and trust. Common tactics include tailgating through doors, pretending to be employees or contractors, and offering to help with tasks like moving boxes or shoveling snow to build rapport.
What is password spraying?
Password spraying tries a single common password against many accounts, one attempt per account. Unlike a brute-force attack on one account, spraying stays below lockout thresholds while still finding accounts with weak passwords like "Winter2023!".
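The spray signature described above (and the seasonal-password point in the recommendations) as a detector in code, added here as an illustration rather than taken from the article or the red team: it runs over constructed authentication log lines in a simplified "timestamp user source result" format, flags a source that touches many distinct accounts with few attempts each inside one window, and lists which accounts that source succeeded on.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines, simplified "timestamp user source result" format (not a real
# product's log format): one source touches eight accounts once each; another is one user retrying.
SAMPLE_LOG = """\
2023-01-18T09:00:01 alice 10.20.30.40 FAIL
2023-01-18T09:00:02 bob 10.20.30.40 FAIL
2023-01-18T09:00:03 carol 10.20.30.40 SUCCESS
2023-01-18T09:00:04 dave 10.20.30.40 FAIL
2023-01-18T09:00:05 erin 10.20.30.40 FAIL
2023-01-18T09:00:06 frank 10.20.30.40 SUCCESS
2023-01-18T09:00:07 grace 10.20.30.40 FAIL
2023-01-18T09:00:08 heidi 10.20.30.40 FAIL
2023-01-18T09:05:00 alice 10.20.30.41 FAIL
2023-01-18T09:06:00 alice 10.20.30.41 SUCCESS
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")

def parse(text):
    """Return (timestamp, user, source, result) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)),) + m.groups()[1:])
    return events

def detect_spray(events, window=timedelta(minutes=10), min_users=8, max_per_user=2):
    """One source, many distinct accounts in one window, few tries each (below lockout)."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[2]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window forward
                start += 1
            per_user = defaultdict(int)
            for _, user, _, _ in evs[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if best is None or len(per_user) > best["accounts"]:   # keep the widest window
                    hits = sorted({u for _, u, _, r in evs[start:end + 1] if r == "SUCCESS"})
                    best = {"source": src, "accounts": len(per_user), "hits": hits}
        if best:
            alerts.append(best)
    return alerts
```

The per-user retry from the second source never trips the rule, which is the point: a spray looks like many users failing once, not one user failing many times.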
What is Active Directory Certificate Services vulnerability ESC1?
ESC1 is a misconfiguration in ADCS where certificate templates allow requesters to specify arbitrary Subject Alternative Names. Attackers can request certificates impersonating other users, including domain admins.
How can companies prevent rogue devices on their network?
Enable 802.1X network access control on all ports, not just some. Monitor for new MAC addresses. Conduct regular physical sweeps for unauthorized hardware. Segment networks so rogue devices have limited reach.
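The "monitor for new MAC addresses" advice above, and in the earlier recommendations, as a baseline check in code, added here as an example rather than taken from the article: it compares a constructed switch MAC-table snapshot against an assumed per-port inventory and flags both never-seen MACs and known MACs that show up on a port they were not approved for. The inventory, port names and snapshot format are all constructed; the Raspberry Pi OUI prefix is quoted from the IEEE registry as I recall it and should be verified there.

```python
import re

# Constructed baseline: switch port -> MAC addresses approved on that port (assumed inventory).
BASELINE = {
    "sw1/Gi1/0/7": {"00:11:22:33:44:55"},   # AV closet jack
    "sw1/Gi1/0/12": {"00:11:22:33:44:66"},  # conference room jack
    "sw1/Gi1/0/13": set(),                  # spare jack, should carry nothing
}
# Tiny OUI excerpt: b8:27:eb is the Raspberry Pi Foundation prefix as registered with the IEEE
# (verify against the current registry); the other entry is constructed for this example.
OUI_VENDOR = {"b8:27:eb": "Raspberry Pi Foundation", "00:11:22": "ExampleCorp (constructed)"}
# Constructed MAC-table snapshot, "port mac" per line (not any real switch's output format).
SNAPSHOT = """\
sw1/Gi1/0/7 00:11:22:33:44:55
sw1/Gi1/0/12 00:11:22:33:44:66
sw1/Gi1/0/12 B8-27-EB-AA-BB-CC
sw1/Gi1/0/13 00:11:22:33:44:77
sw1/Gi1/0/14 00:11:22:33:44:55
"""
LINE_RE = re.compile(r"^(\S+)\s+([0-9a-f]{2}(?:[:-][0-9a-f]{2}){5})$", re.I)

def normalize(mac):
    return mac.lower().replace("-", ":")

def vendor(mac):
    return OUI_VENDOR.get(normalize(mac)[:8], "unknown OUI")

def find_rogues(snapshot, baseline):
    """Flag every (port, MAC) pair not in the baseline: a brand-new MAC, or a known MAC on a
    port it was never approved for (a moved or cloned device)."""
    all_known = set().union(*baseline.values())
    findings = []
    for line in snapshot.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        port, mac = m.group(1), normalize(m.group(2))
        if mac in baseline.get(port, set()):
            continue
        findings.append({"port": port, "mac": mac, "vendor": vendor(mac),
                         "reason": "known MAC on unexpected port" if mac in all_known else "new MAC"})
    return findings
```

MAC addresses are trivially spoofed, so treat this as a tripwire that complements 802.1X on every port and regular physical sweeps, not as a substitute for them.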
Need Help Implementing This?
If this story made you wonder about your own physical and network security posture, consider engaging a red team assessment. Logicity can connect you with vetted security consultants. Reach out at hello@logicity.in.
Source: www.theregister.com
Huma Shazia
Senior AI & Tech Writer
Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.