Red Teamers Infiltrate Network by Posing as Snow Shovelers
A red team exercise demonstrated how a lack of physical security and weak password policies allowed attackers to gain network administrative access after posing as new IT employees.

Red teamers successfully infiltrated a client's network by exploiting basic physical security lapses and a weak password policy, demonstrating a significant vulnerability in the organization's defenses. The operation, conducted by offensive security consultants from Echelon Risk + Cyber, involved posing as new IT employees to gain physical access to the client's office during winter.
During the exercise, the red teamers approached the client's office while maintenance staff were working with the door open. They presented themselves as new IT hires who had nearly slipped on ice, offering to help shovel snow. This offer was readily accepted by the maintenance crew, allowing one of the red teamers, Kristopher Johnson, to enter the building under the guise of setting up a colleague's laptop.
Once inside, Johnson sought a suitable location to deploy a Raspberry Pi, a small single-board computer the team intended to use as a remote access foothold into the network. After failing to connect the device in an AV closet because that port enforced network access control, he placed it in a conference room, connecting it to an unsecured network port. To avoid suspicion, he concealed the device behind trash cans.
The red teamers' presence was initially detected not by security systems, but through a well-intentioned interaction: a maintenance worker attempted to thank the "new IT employee" Michael for his help shoveling snow. This prompted the IT department to investigate, as they had no record of such new hires. Security personnel reviewed camera footage and attempted to identify Johnson's vehicle, but the Raspberry Pi remained undetected.
For two weeks, the Raspberry Pi remained connected to the network, providing the red team with a persistent access point. During this period, they connected to the company's Active Directory, located the domain controllers, and initiated a password spray attack. They discovered that the password 'winter2023!' was in use on 50 to 60 accounts, giving them their first authenticated access to the domain.
With these compromised credentials, the red teamers proceeded to map the network, identify network shares, and enumerate certificate services. They found multiple misconfigurations in Active Directory Certificate Services (ADCS), including the ESC1, ESC4, and ESC8 escalation paths, which they exploited to achieve domain administrative privileges.
The operation concluded when a janitor discovered the Raspberry Pi two weeks after its deployment. The exercise highlighted critical security failures, including inadequate physical security protocols, insufficient employee vetting, a lack of network segmentation, and a severely weak password policy, compounded by the absence of multi-factor authentication.
The consultants emphasized that basic security awareness training for all staff is paramount, as many individuals lack the "ski mask bias" and tend to trust those who appear to belong. They also stressed the importance of network port security and robust password policies to prevent such breaches.
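The password spray described above and the password-policy point the consultants raise are the two things a defender would want to test for. The following Python is an added example, not code from the article or from Echelon Risk + Cyber: it flags a source that fails authentication against many distinct accounts inside a sliding window (a single user retrying never trips it), lists the accounts that then succeeded from that source, and rejects the season+year shape that 'winter2023!' follows. The log format, host addresses and account names are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One constructed auth event per line, e.g. "2023-12-04T09:00:01 src=10.20.30.40 user=user00 result=FAIL"
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")
# Season+year guesses such as the article's 'winter2023!' (hypothetical banned-pattern check)
SEASONAL_RE = re.compile(r"^(spring|summer|autumn|fall|winter)\d{4}[!@#$%^&*.]*$", re.IGNORECASE)

def is_seasonal_password(candidate):
    return SEASONAL_RE.match(candidate) is not None

def constructed_events():
    """Constructed sample, not real logs: one host tries one guess against 20 accounts (3 accept
    it); a second host is just one user mistyping her own password twice."""
    base = datetime(2023, 12, 4, 9, 0, 0)
    lines = []
    for i in range(20):
        result = "SUCCESS" if i in (2, 7, 11) else "FAIL"
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} src=10.20.30.40 user=user{i:02d} result={result}")
    for sec in (5, 9):
        lines.append(f"{(base + timedelta(seconds=sec)).isoformat()} src=10.20.31.7 user=carol result=FAIL")
    return lines

def parse(lines):
    """(timestamp, src, user, result) tuples, oldest first; lines that do not match are skipped."""
    matches = (LINE_RE.match(ln.strip()) for ln in lines)
    return sorted((datetime.fromisoformat(m["ts"]), m["src"], m["user"], m["result"]) for m in matches if m)

def detect_password_spray(lines, window=timedelta(minutes=10), min_accounts=10):
    """Flag a source failing against >= min_accounts DISTINCT accounts inside a sliding window
    (one user retrying never trips it) and list the accounts that then succeeded from it."""
    by_src = defaultdict(list)
    for ev in parse(lines):
        by_src[ev[1]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        recent, peak = deque(), 0  # failures still inside the window; most distinct accounts in one window
        for ts, _, user, result in evs:
            if result != "FAIL":
                continue
            recent.append((ts, user))
            while ts - recent[0][0] > window:
                recent.popleft()
            peak = max(peak, len({u for _, u in recent}))
        if peak >= min_accounts:
            findings[src] = {"failed_accounts": peak,
                             "succeeded": sorted({u for _, _, u, r in evs if r == "SUCCESS"})}
    return findings
```

The accounts listed under "succeeded" are the ones the sprayed guess worked on, which is where a forced reset and MFA enforcement should start.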