
Physical Security Lapses Grant Hackers Network Admin Access

Maintenance door left ajar in a dimly lit office corridor, with an open and unlocked door handle in the foreground.

"First and foremost, what most people believe is crime is not crime. It's a Hollywood myth of what crime looks like," Dahvid Schloss told us. "I call it the ski mask bias."

How Kristopher Johnson and Michael walked into the building

In 2023 two professional red teamers, Kristopher Johnson, then an offensive security consultant at Echelon Risk + Cyber, and a colleague named Michael, were hired to test a company's physical and cyber defenses, supervised remotely by their manager Dahvid Schloss. It was winter and the office's maintenance door had been left open, so the pair walked in through it and found themselves in the mail room. When a woman challenged them, they told the maintenance crew they were new IT employees who had not yet been issued badges, and offered to help shovel ice and snow. Michael worked alongside the maintenance team clearing snow while Johnson asked to be let upstairs to "start setting up Michael's laptop for work." Maintenance personnel facilitated both entry and exit: the front door required a badge, but the maintenance entrance did not, and the crew swiped Johnson out after the test.

The Raspberry Pi, network ports, and network access control

Johnson carried a Raspberry Pi single-board computer meant to be plugged into the corporate network so the red team could reach it remotely. In the AV closet the switch ports were protected by network access control (NAC), which refused the device, and the Pi's LTE radio could not get a connection from the closet either. Johnson moved to the middle of a conference room and found an active Ethernet jack on which NAC was not enforced. He hid the Pi behind trash cans to avoid casual discovery, and it stayed connected and undiscovered for two weeks.

From an exposed port to domain administrator access

The Raspberry Pi gave the testers their foothold. Working through it, Johnson's team reached the company's Active Directory, located the domain controllers, and began password spraying: trying one likely password against many accounts, rather than many passwords against one account, so that no account reaches its lockout threshold. The password "winter2023!" produced "50 or 60 hits" among employees. With those credentials they mapped network shares and then "enumerated the certificate services - ADCS (Active Directory Certificate Services)," Johnson told The Register. Eight certificate templates were vulnerable to ESC1 (a low-privileged user can enroll, supply an arbitrary subject alternative name, and receive a certificate usable for domain authentication, so can request one in a domain admin's name) and ESC4 (low-privileged users hold write rights on the template object itself, so can turn it into an ESC1 template), and the certificate authority itself was exposed to ESC8 (its web enrollment endpoint accepts NTLM authentication without protection against relaying, so an NTLM relay can obtain a certificate for the relayed account). Exploiting those issues gave the red team domain administrative access.
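The following is an added example, not code from the article or from Echelon's engagement: a small audit that applies the ESC1, ESC4 and ESC8 conditions described above to template and CA data. The template attributes it reads (msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature, EKU list, DACL) are the real ones an LDAP query would return; the template names, CA name, and the `published`/`https_only`/`epa_required` fields are constructed for illustration, and the ESC8 check is deliberately simplified.

```python
"""Audit Active Directory Certificate Services templates and CA settings for
the ESC1, ESC4 and ESC8 misconfigurations (SpecterOps "Certified Pre-Owned"
classification). All template and CA data below is constructed for the
example; a real audit would read the same attributes from the
CN=Certificate Templates container and the CA objects over LDAP."""

# Flag bits from MS-CRTD.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # in msPKI-Enrollment-Flag (manager approval)

# Extended key usages that let a certificate authenticate to the domain.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}

# Principals every domain account effectively belongs to (assumed name set).
LOW_PRIV = {"Domain Users", "Authenticated Users", "Everyone", "Domain Computers"}

# ACE rights that allow rewriting a template object (ESC4).
WRITE_RIGHTS = {"GenericAll", "WriteDacl", "WriteOwner", "WriteProperty"}


def allows_authentication(template):
    """No EKU at all means 'any purpose', which includes client authentication."""
    ekus = set(template["ekus"])
    return not ekus or bool(ekus & AUTH_EKUS)


def low_priv_with(template, rights):
    """Low-privileged principals holding any of `rights` on the template."""
    return sorted(p for p, held in template["acl"].items()
                  if p in LOW_PRIV and set(held) & rights)


def is_esc1(template):
    """ESC1: published template, enrollee supplies the subject (so can put a
    privileged UPN in the SAN), no manager approval, no authorized signatures,
    an authentication EKU, and enrollment rights for low-privileged users."""
    return bool(
        template["published"]
        and template["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
        and not template["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS
        and template["ra_signatures"] == 0
        and allows_authentication(template)
        and low_priv_with(template, {"Enroll"})
    )


def esc4_principals(template):
    """ESC4: low-privileged principals can edit the template, so they can turn
    any template into an ESC1 template and then exploit it."""
    return low_priv_with(template, WRITE_RIGHTS)


def is_esc8(ca):
    """ESC8 (simplified): web enrollment that accepts NTLM over plain HTTP, or
    over HTTPS without Extended Protection, lets NTLM be relayed to the CA."""
    return bool(ca["web_enrollment"] and ca["ntlm_allowed"]
                and not (ca["https_only"] and ca["epa_required"]))


def audit(templates, ca):
    """Return {object name: [findings]} for every vulnerable template and the CA."""
    findings = {}
    for t in templates:
        issues = []
        if is_esc1(t):
            issues.append("ESC1")
        if esc4_principals(t):
            issues.append("ESC4")
        if issues:
            findings[t["name"]] = issues
    if is_esc8(ca):
        findings[ca["name"]] = ["ESC8"]
    return findings


def make_template(name, name_flag, ekus, acl, enrollment_flag=0, ra_signatures=0, published=True):
    return {"name": name, "published": published, "name_flag": name_flag,
            "enrollment_flag": enrollment_flag, "ra_signatures": ra_signatures,
            "ekus": ekus, "acl": acl}


# Constructed inventory (hypothetical template and CA names).
TEMPLATES = [
    # Classic ESC1: any user enrolls, chooses the subject, cert is good for logon.
    make_template("VPN-User", CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, ["1.3.6.1.5.5.7.3.2"],
                  {"Domain Users": ["Enroll"], "Domain Admins": ["GenericAll"]}),
    # Same template with requests held for manager approval: not ESC1.
    make_template("VPN-User-Approved", CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, ["1.3.6.1.5.5.7.3.2"],
                  {"Domain Users": ["Enroll"], "Domain Admins": ["GenericAll"]},
                  enrollment_flag=CT_FLAG_PEND_ALL_REQUESTS),
    # Server-auth-only template, but Authenticated Users may rewrite it: ESC4.
    make_template("WebServer", CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, ["1.3.6.1.5.5.7.3.1"],
                  {"Domain Users": ["Enroll"], "Authenticated Users": ["WriteProperty"]}),
    # Subject built from AD (flag clear), so the enrollee cannot pick a SAN.
    make_template("Machine", 0, ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.1"],
                  {"Domain Computers": ["Enroll"]}),
]
CA = {"name": "CORP-CA01", "web_enrollment": True, "ntlm_allowed": True,
      "https_only": False, "epa_required": False}

if __name__ == "__main__":
    for obj, issues in audit(TEMPLATES, CA).items():
        print(f"{obj}: {', '.join(issues)}")
```

Run against the constructed inventory it reports VPN-User as ESC1, WebServer as ESC4 and CORP-CA01 as ESC8. The fixes follow from the conditions: clear the enrollee-supplies-subject flag or require manager approval on VPN-User, strip the write ACE from WebServer, and either disable web enrollment on the CA or require HTTPS with Extended Protection for Authentication.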

What this means for maintenance teams, security leaders, and technologists

  • Maintenance teams: The maintenance crew's willingness to vouch for people without badges and to swipe someone out enabled unescorted access. Schloss noted that people who look and act like they belong are often treated as if they do. The source recommends training every member of the team to be suspicious of outsiders without badges, regardless of helpful behavior.
  • Security leaders and IT teams: A live Ethernet port with no network access control gave the intruders a path in. The report calls for restricting network access on ports in public spaces so an unknown device cannot make an Ethernet connection from a conference room or similar location.
  • Technologists and identity teams: Weak passwords and the absence of multifactor authentication amplified the impact. The testers found dozens of accounts accepting the password "winter2023!" and used those credentials to map the network. The source recommends enforcing a strong password policy and implementing multi-factor authentication on accounts. Note that a spray aimed directly at LDAP, SMB or Kerberos on the domain controllers is not stopped by MFA on web or VPN logons; blocking seasonal and otherwise guessable passwords is what removes those "hits".
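The spray that produced those "50 or 60 hits" would have been visible on the domain controllers long before the ADCS stage. The following is an added example, not code from the article or from Echelon: a detector for the spray pattern (one source failing against many distinct accounts in a short window) run over constructed Security-log events. Only the fields the logic needs (time, source address, target account, event ID 4625 for a failed logon and 4624 for a successful one) are modelled; the source addresses, account names and timestamps are invented.

```python
"""Detect a password spray in Windows Security log events from a domain
controller. Events here are constructed; a real detector would take the same
fields (time, source address, target account, event ID) from the 4625 / 4624
records in a SIEM. A spray looks like one source failing against many
distinct accounts in a short window, unlike brute force (many failures, one
account) or a user mistyping a password."""
from collections import defaultdict
from datetime import datetime, timedelta


def detect_spray(events, window=timedelta(minutes=10), min_accounts=10):
    """Return {source: finding} for every source whose failed logons hit at
    least `min_accounts` distinct accounts inside any `window`-long span,
    together with the accounts that source logged into during that span."""
    by_source = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_source[e["src"]].append(e)

    findings = {}
    for src, evs in by_source.items():
        failures = [e for e in evs if e["id"] == 4625]
        best_users, best_start = set(), None
        # Slide a window over the failures, anchored at each failure in turn.
        for i, start in enumerate(failures):
            users = {e["user"] for e in failures[i:]
                     if e["time"] - start["time"] <= window}
            if len(users) > len(best_users):
                best_users, best_start = users, start["time"]
        if len(best_users) < min_accounts:
            continue
        # A correct guess produces a 4624, not a 4625, so the compromised
        # accounts are the successful logons from the same source in the window.
        compromised = sorted({e["user"] for e in evs
                              if e["id"] == 4624
                              and best_start <= e["time"] <= best_start + window})
        findings[src] = {
            "window_start": best_start,
            "failed_accounts": len(best_users),
            "accounts_compromised": compromised,
        }
    return findings


def build_sample():
    """Constructed events: one source spraying 20 accounts with one guess each
    (two accounts accept it), plus a user mistyping her own password."""
    t0 = datetime(2023, 2, 14, 9, 30, 0)
    events = []
    for i in range(1, 21):
        user = f"user{i:02d}"
        events.append({"time": t0 + timedelta(seconds=i), "src": "10.20.30.40",
                       "user": user, "id": 4624 if user in ("user07", "user15") else 4625})
    for i in range(3):
        events.append({"time": t0 + timedelta(minutes=1, seconds=i),
                       "src": "10.20.30.5", "user": "alice", "id": 4625})
    events.append({"time": t0 + timedelta(minutes=1, seconds=5),
                   "src": "10.20.30.5", "user": "alice", "id": 4624})
    return events


if __name__ == "__main__":
    for src, f in detect_spray(build_sample()).items():
        print(f"{src}: {f['failed_accounts']} accounts failed from {f['window_start']}, "
              f"successful logons: {f['accounts_compromised']}")
```

On the constructed sample the spraying source is reported with 18 failed accounts and two successful logons, while the user who mistyped her password three times is not, because a spray is counted in distinct accounts rather than attempts. In production the same logic should also restrict to network logons (logon type 3) and to the wrong-password substatus (0xC000006A), so that typos against nonexistent accounts and service-account noise do not inflate the count.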

Lessons the red teamers highlighted

Dahvid Schloss and Kristopher Johnson offered direct lessons drawn from the engagement. Schloss warned against "ski mask bias" — the false comfort that crime looks like a dramatic, stereotyped intrusion — and said ordinary, plausibly behaved visitors can be granted access without scrutiny. The account recommends three concrete changes: train all employees, including maintenance, to be more suspicious of unbadged people; apply NAC or otherwise restrict physical Ethernet ports in shared areas; and harden account authentication through stronger passwords and multifactor enforcement. Those steps, taken together, would have closed the particular chain of failures the red team exploited.

The physical intrusion was detected the following day, not because anyone found the Pi but because maintenance personnel went to IT to thank the team for Michael's help with the shoveling, which prompted IT to check whether the two new names existed. Security reviewed camera footage and even tried to trace the rental car's license plate, but the Raspberry Pi stayed hidden and connected for two weeks, until a janitor found it.

The episode is a compact reminder: physical access decisions, network port configuration, credential hygiene and certificate-service exposures can chain together to produce full domain compromise. The red team’s route — a snow shovel, a conference-room Ethernet jack, a hidden Raspberry Pi and an exploitable ADCS — shows how small failures across different groups can rapidly escalate into total administrative control.

Original story at The Register