About This Series
How I Got In is a collection of real-world stories from red team and physical social engineering engagements we’ve performed over the years. These aren’t theory. These are actual jobs, with names and details changed for privacy, but the events happened just as you’ll read them.
This series isn’t about flashy hacking tools or fictional movie plots. It’s about how people like me get access to buildings and networks using timing, conversation, misdirection, and a solid read on human behavior.
Every story here started with one goal: get in where we’re not supposed to be. And sometimes, that’s exactly what happened.
If you’ve ever wondered how someone gets in when the doors are locked, the security guards are watching, and the policies look good on paper, this series is for you.
Episode 2: Bypassing Bank Security (Part 1)
How I Got In – Red Team Files, Volume 1
Table of contents
- About This Series
- Episode 2: Bypassing Bank Security (Part 1)
- The Mission Brief
- Phase 1: Social Engineering the Audit Team
- Phase 2: Keypad Code Capture and Wireless Drop
- Phase 3: Wireless-Based Lateral Movement
- Phase 4: Branch Bank Impersonation (Phone + Email Spoofing)
- Wrap-Up
- What Could Have Prevented This Compromise
- FAQ: Questions About This Job
The Mission Brief
This wasn’t a typical “walk into a place carrying a ladder while wearing a hard hat” job. This was physical penetration testing against a well-established financial institution with multiple locations, policies and procedures in place, and staff who had been trained to spot red flags.
Our client was a California-based bank with headquarters, regional offices, and branch locations spread across the state. They had recently completed a phishing campaign with us that yielded some solid results. Now they wanted to know how well their physical security controls held up against a real intruder with enough patience and creativity to find weak points. This was a physical social engineering assessment focused on physical entry, including surreptitious entry, internal network pivoting (assuming we got access), and branch-level impersonation. The client made it clear: no help from the inside, no prearranged access, don’t break anything or hurt anyone, but the rest is fair game. I was really enjoying the scope of this assessment, as this kind of work is usually limited to daytime hours and strictly person-to-person social engineering.
We were given the building names, the scope boundaries, and a green light.
The target environment included two primary operation centers and at least one branch bank of our choosing. Each of these had to be tested during the course of the assessment. This added some difficulty to the mix because branch locations typically have strict policies, more face-to-face scrutiny, and smaller staff footprints. To make it work, we would need to observe, adapt, and gather as much intel as possible from the outside before we even started, and gather even more intel once inside.
Since the branch bank was the most difficult location, we decided to start at one of the two operation centers…

Phase 1: Social Engineering the Audit Team
Before I ever stepped onto the property, I had to make a plan of attack and all of that starts with recon. With recon, any information you gather could potentially be useful so I wanted to gather everything I could. I started with their website, looked at their executive team and their roles. Who was in their IT department, what kind of jobs does everyone do? What would be some key names I could potentially use? Who was their typical customer? Vendors? Cleaning crew? Who was their Internet provider? Does any job listing give hints to what technology stacks they use? What does the layout look like from Google maps? Do employees have photos of themselves online wearing a badge and if so, what does that look like? Every single piece of information could help as I would need a solid reason for being there and a solid story to match.
When I concluded my recon, I had a few plans that I thought could work.
Plan A involved walking in through the main entrance with a well-rehearsed pretext: I was there to do maintenance on their copiers. From my recon, I found out what type/brand of copiers they had, and it isn’t too out of place to have maintenance come by to fix a copier. I had the story lined up, the outfit to match, and a mental flowchart of every question I might be asked. If someone challenged me, I had answers. If they didn’t, I had a reason to be there that sounded just believable enough to work. I even rehearsed how I’d handle being turned away, just in case that happened.
Plan B was my backup. Since I know IT and security, I was just there to do a wireless survey. I would have my laptop open and I would have a fake approval letter for me to be there. This would involve hanging out until someone came through who looked like they might be easy to shadow. Janitorial staff. IT contractors. Vendors. Anyone whose presence wouldn’t raise suspicion and whose access I could piggyback for just long enough to get inside. Once inside, I would just walk with confidence like I was supposed to be there. Plant a device on the network, check for connectivity and leave. If anyone asked, I would say I’m here for the wireless survey. This also had a bonus as the IT director was out on holiday the same week I was there for testing. If anyone asked, I would throw out his name and it would be harder for him to be contacted immediately.
But plans, even good ones, don’t always survive the first few minutes on-site. Sometimes you’ll have an amazing plan and pretext and it will instantly change due to the situation that pops up.
The real win wasn’t in the plan I brought. It was in what I recognized as soon as I got there.
The first rule of physical penetration testing is simple: never force the door if someone else is already walking through it.
I arrived at the operations center at around 2pm. From the outside, the building didn’t look like much. There were no badge readers on the first floor, no visible cameras, and no signs warning off visitors. In fact, most of the first floor was under construction/renovation at that time, so it gave me the cover to walk to the second floor to “use their bathroom” if anyone asked. This building wasn’t just for the bank, as it was a shared tenant building. The real security didn’t begin until the second floor. That’s where the bank’s internal operations started, and that’s where the barriers were.
Due to construction, I had a reason to walk up to the second floor and maybe play being “lost” or say I needed to use the bathroom up here, in case I was ever questioned. I didn’t want to draw too much attention though or have my face remembered, so I poked around on the first floor and attempted to locate the smoke break area.
Around the back corner of the building was the smoking area. Concrete sidewalk, metal ashtray, just out of sight from the main entrance. I loitered there like I belonged, waiting to see who came and went. After a few minutes, I wasn’t alone.
A small group of four people arrived, dressed business casual and carrying laptop bags. They looked almost like me. Business casual, similar kind of laptop bag, same unassuming presence. No logos, just low-key, neutral professionals. I figured maybe they were from the bank and had just taken a late lunch. As they lit cigarettes and started chatting, it became clear they weren’t part of the regular banking staff. I listened from a few feet away until I caught the right phrases.
Terms like “GL entries,” “Q3 ledgers,” and “financial audit.” These weren’t operations folks. They were a third party financial audit team, and they had just arrived for a scheduled audit.
Maybe they could be my way in?
I didn’t directly say that I worked for the bank. I didn’t need to. I dressed like they did, carried a bag like they did, and stood in the same space without looking out of place. All of my previous plans now shifted. I would pretend I was bank staff and walk into the office with them. And if the bank staff didn’t keep a headcount, maybe I could play it so that the bank staff thought I was one of the financial auditors. I decided to open the conversation…
“Hey, are you guys here for the financial audit?” [Yes]
“Nice, is today your first day for it?” [Yes, we just got here]
“Oh ok, I almost forgot you guys were coming in today. What point of contact did you get?” [We are supposed to meet up with Tim]
That was all it took. I asked a few auditor-type questions and then I just let them talk away while I intently listened.
A few more comments and one or two nods later, and I was part of the conversation. I asked how long they were assigned to the engagement, what departments they were starting with, and whether they handled full-cycle audits or just financials. These weren’t fake questions. They were the kind of things someone working adjacent to audit might ask casually. The more I talked, the more they assumed I was from the bank, probably someone on the finance team too.
When they wrapped their smoke break and started toward the door, I walked with them and said, “Would you like me to walk you up to the office?” They smiled and said, “Sure, that would be great!”
We entered the building and made our way to the second floor. That’s where the security began. The bank’s office suite had a single point of entry for vendors and anyone from the public: a locked glass door with a receptionist inside. No badge reader, just a manual access control point.
One of the auditors knocked and entered.
The receptionist said, “You must be the audit team?”
They nodded. She smiled and waved everyone in and I held the door for each person. No names were asked.
I stayed toward the back of the group.
As we entered, the receptionist handed out temporary visitor badges, one by one and said after each one to take any cubicle they liked nearby that was empty. Each person walked past the desk, got their badge, and moved toward the rows of empty cubicles. I waited until the others had received theirs and left the immediate area. Then, out of sight of the team, I stepped up, smiled, and received my badge too.

No questions. No sign-in sheet or head count. Just a quick handoff and a quiet nod.
From her perspective, I was with them. From the audit team’s perspective, I was with the bank. I had created a space in between where I belonged without ever having to say so.
I picked a cubicle, sat down, and opened my laptop bag. No one paid attention. No one asked who I was or what I was working on. The bank staff wouldn’t interfere with the financial audit so, why would they interfere with me? From that moment on, I had free rein.
I plugged into the Ethernet port under the desk and brought up Kali. Seconds later, the interface lit up. DHCP was wide open. I was sitting on the bank’s internal network with a working badge, full floor access, and a live connection. I didn’t want to pivot right now into the internal network or raise any suspicion with any activities on their network, as it could end up with someone tracing that activity to my network jack and my entire engagement would be done. The last thing I would want is for everyone to be on high alert on my first day of the assessment. So far, not a single person had questioned my presence. In fact, I even asked the receptionist if they had coffee.

Now that the receptionist had seen my face and greeted me once, I could come and go freely. I wasn’t a visitor anymore. I was just that guy from audit.
And the real test hadn’t even started yet.
Phase 2: Keypad Code Capture and Wireless Drop
When I walked out of the building after Day 1, I already knew I’d be coming back.
The receptionist had seen my face. I had a badge the day before, walked the floor, and sat among real employees. That familiarity would carry me further if I needed it, but I didn’t plan to use the front desk this time. This was a social engineering test after all and I wanted to test a few different ways to get in.
I returned the next morning. This time, I wasn’t blending in with a group. I was solo. But I walked in with the same confidence. The same business casual outfit. Same laptop bag. No one stopped me in the lobby, and no one asked questions as I passed through to the stairwell.
At the end of the second-floor hallway was a side entrance secured by an electronic T2 cipher lock. I noticed that regular bank staff used this door for entry and exit. This door led directly into the office area and allowed me to bypass the receptionist entirely. I stood nearby, phone in hand, pretending to be mid-call just outside the office. In reality, I was watching for someone who had access.
It didn’t take long.
An employee turned the corner and walked directly toward the door. As she reached the keypad, I casually shifted my position. The pad faced outward, completely exposed. She typed in a five-digit code, 58752, without hesitation, shielding nothing. The beep confirmed the unlock, and she pulled the door open.
I didn’t follow immediately. I waited about twenty seconds, just long enough for her to walk out of sight past the doorway. Then I punched in the same code, and stepped through.
Inside, I moved with quiet purpose, like someone who belonged there. I wasn’t looking around lost, or even as if I was trying to find someone; I carried the posture of someone who had stuff to do. At the far end of the hallway, I found a large, shared printer tucked into an open alcove. This spot was ideal. It was the closest network jack I could see to the exterior wall facing the parking lot, which meant I’d have solid signal reach once I was outside. My plan was to plant a wireless access point bridged to the internal network, but for me to connect back to it from outside, it would have to be close to an exterior wall.
I crouched behind the printer and plugged in my preconfigured wireless access point. The lights blinked once, then settled. I gave it ten seconds to establish its presence, checked the connection on my phone, and confirmed it had received an internal IP address. Then I left it in place, flush against the wall and hidden behind a piece of office furniture.

No one saw me.
I retraced my steps, exited the way I came in, and walked back to the parking lot like I had just stepped out to take a call. Once I reached the car, I opened my laptop and scanned for my SSID.
There it was, beaconing strong.
I connected to the access point. Instant handshake. Internal IP address. Full access to the bank’s internal network, wirelessly, from the comfort of the parking lot.
I didn’t touch a firewall. I didn’t trip a single alarm. All I had done was walk into a space I was never supposed to be in and leave behind a quiet connection that no one knew existed.
Phase 3: Wireless-Based Lateral Movement
Back in the car, parked within line-of-sight of the access point I had planted, I connected and confirmed a stable internal IP address. The wireless device was behaving exactly as expected.
I launched Wireshark and let it run.
My goal wasn’t just to collect packets. I wanted to get a feel for the environment. Was there any outbound filtering? Could I see potential intrusion detection systems? Was anything trying to actively sniff me back or scan my planted wifi device? I watched the traffic patterns, looked for any signs of proxying, and identified internal DNS queries, NetBIOS name lookups, and workstation broadcast traffic.
It felt flat. Wide open.
Over the next few minutes, I picked up several systems broadcasting legacy protocols across the network. One host stood out: a file share server. Carefully enumerating a single port (445) and taking a quick fingerprint confirmed it was missing a critical security update, MS17-010. That vulnerability alone was enough to warrant attention, and for what appeared to be a file server, it could be gold. As a domain-joined file server, there was a strong chance it held cached credentials for many people, or at least password hashes that could be reused across other machines on the network.

That was the window.
I figured if I’m going to exploit this system, I better do it quick. I exploited the system, dumped the contents of memory, and pulled the local SAM hashes. Among the results were a lot of regular user accounts and passwords, and a local administrator account. Although none of the regular domain accounts were domain admin, they did have varying access to different Windows shares. For the local administrator hash, I wanted to see where else it was used. What other systems used the same password. At that point, there was no way to know how far it would go, but it was worth testing. I took the NTLM hash from the local administrator account and began attempting authentication against other machines in the same network segment. One after another, they responded with full local administrator privileges. It became clear that this same local admin account, with the same hash, had been deployed across multiple systems without variation.
The local administrator hash gave me immediate access on 53 systems across the internal environment. The same credentials had been deployed with the same SID and hash, which is a common setup in organizations that don’t use Microsoft’s LAPS. This kind of oversight creates lateral movement without even needing domain-level rights.

With this foothold, I began pivoting between machines and, again, dumping more hashes and passwords from memory.
I kept everything surgical. One command at a time. Verified access, mapped systems, checked privileges, and eventually I found an account with domain admin access.
I didn’t need to go further by cracking all of the NTDS.dit file hashes from the domain controller.
The client’s point of contact had asked us to demonstrate pivoting capability, lateral movement, some escalation if possible, not to perform a full internal penetration test. The objective was to show meaningful impact that could be clearly communicated to executives, without stepping outside the agreed scope.
And that’s exactly what we did.
The access point planted behind the printer had become a doorway. A quiet, wireless doorway into their internal network. No one had noticed. No alerts were triggered. No traffic was blocked. From the outside, everything looked fine.
But on the inside, we already had the keys to the castle.
Phase 4: Branch Bank Impersonation (Phone + Email Spoofing)
From the start of the engagement, I knew I had to hit at least one branch. It was the one part of this assessment I had been dreading. That had been part of the scope since day one, and we expected it to be the toughest target. Smaller team. Fewer distractions. Full direct human contact. We’d only get one shot, and if anything about the story felt off, it was over.
I had a loose idea of how I might approach it. Posing as a technician from their internet provider seemed plausible enough. I even packed a shirt with a small embroidered logo of the Internet provider in my bag before I ever left for this job, just in case the situation called for it. But it wasn’t until I gained internal access and started digging into their file server that the real opportunity presented itself.

One document laid it all out, which was a branch access policy for IT and third-party vendors. If someone needed to work on the network closet, they had to meet three requirements:
- The helpdesk or IT manager had to call the branch and notify them directly.
- That same manager had to send a follow-up email with the technician’s details.
- The email had to include the technician’s name, a photo, and the expectation that they would present their real government-issued ID on arrival.
Honestly, it was quite lucky that I found this policy when I did, as my original plan to walk in with a pretext would have failed immediately.
The policy gave me everything I needed to build the pretext, but it obviously made this part of the job more difficult.
Before launching the actual impersonation, I tested the waters. I looked up the helpdesk team’s public-facing address and sent an email pretending to be a janitorial vendor offering cleaning services. The message was designed to be rejected or redirected. Honestly, I didn’t care as long as they wrote me back, and that’s exactly what happened. The response gave me what I really wanted, a copy of the helpdesk’s real signature, language tone, and email formatting.
Now I had a template.
I also checked the bank’s public DNS records and quickly saw that they hadn’t implemented SPF, DKIM, or DMARC. That meant email spoofing should work. Their systems had no way of validating who was sending messages that claimed to be internal.
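The DNS check described above, written out as an added example (this is not tooling from the original post): a small Python script that reads a domain’s SPF and DMARC TXT records the way a receiving mail gateway would and reports whether a message spoofing that domain would be rejected. The record strings are constructed samples and the domain names in them are placeholders; on a live domain you would feed in the output of `dig TXT bank.example` and `dig TXT _dmarc.bank.example`. It goes a little beyond the post by separating SPF softfail from hardfail and DMARC monitoring (`p=none`) from enforcement.

```python
"""Evaluate whether a domain's published SPF and DMARC records would let a
receiving mail server reject a message that spoofs the domain.

Added example, not tooling from the original post. The record strings are
constructed samples; a real assessment feeds in the TXT records returned by
`dig TXT <domain>` and `dig TXT _dmarc.<domain>`. DKIM is not assessed here
because it needs the sending selector, which DNS alone does not reveal.
"""
import re


def parse_spf(txt_records):
    """Return (present, all_qualifier) for the first v=spf1 record.

    all_qualifier is '-', '~', '?' or '+' for the record's terminal
    'all' mechanism, or None if the record has no 'all' at all.
    """
    for rec in txt_records:
        low = rec.strip().lower()
        if low.startswith("v=spf1"):
            m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", low)
            return True, ((m.group(1) or "+") if m else None)
    return False, None


def parse_dmarc(txt_records):
    """Return (present, policy) for a v=DMARC1 record; policy is the p= tag."""
    for rec in txt_records:
        low = rec.strip().lower()
        if not low.startswith("v=dmarc1"):
            continue
        tags = {}
        for part in low.split(";"):
            if "=" in part:
                key, value = part.split("=", 1)
                tags[key.strip()] = value.strip()
        return True, tags.get("p")
    return False, None


def assess(domain_txt, dmarc_txt):
    """Summarise how a spoofed 'From: someone@<domain>' message would fare.

    Returns a dict with:
      spoof_rejected - True only when DMARC is published with p=quarantine
                       or p=reject, i.e. SPF/DKIM failures are enforced.
      findings       - human-readable gaps, empty when the domain is hardened.
    """
    spf_present, spf_all = parse_spf(domain_txt)
    dmarc_present, policy = parse_dmarc(dmarc_txt)
    findings = []

    if not spf_present:
        findings.append("no SPF record: any host may send as this domain")
    elif spf_all in (None, "+", "?"):
        findings.append("SPF has no failing 'all' mechanism: unauthorised senders pass or are neutral")
    elif spf_all == "~":
        findings.append("SPF softfail (~all): spoofed mail is flagged, not rejected")

    if not dmarc_present:
        findings.append("no DMARC record: SPF/DKIM results are never enforced")
    elif policy == "none":
        findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")

    return {
        "spoof_rejected": bool(dmarc_present and policy in ("quarantine", "reject")),
        "findings": findings,
    }


# Constructed samples. The first pair mirrors what the post describes: a
# domain with no SPF or DMARC at all. The second pair is the hardened shape.
UNPROTECTED_TXT = ["google-site-verification=placeholder-token"]
UNPROTECTED_DMARC = []
HARDENED_TXT = ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all"]
HARDENED_DMARC = ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@bank.example"]

if __name__ == "__main__":
    for label, txt, dmarc in (("unprotected", UNPROTECTED_TXT, UNPROTECTED_DMARC),
                              ("hardened", HARDENED_TXT, HARDENED_DMARC)):
        result = assess(txt, dmarc)
        print(f"{label}: spoof_rejected={result['spoof_rejected']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The point the script makes explicit is that SPF on its own only tells receivers which hosts may send; it is the DMARC policy that instructs them to quarantine or reject a message whose visible From domain fails SPF or DKIM alignment, which is exactly the kind of message used in Phase 4.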
That left just one risk. The reply.
I knew if I sent the spoofed email first, the branch manager would likely hit “reply” and ask a few quick follow-up questions, or even just confirm the message. That reply would go to the real helpdesk or IT manager, who would have no idea what the branch bank manager was talking about. The moment that happened, the entire pretext would fall apart.
So I thought about reversing the order. I planned on calling the bank manager using my phone spoofing server and then sending the email while on the phone. That way, I could answer any questions and hopefully not give her a reason to reply to any email as I was already on the phone with her.
I spoofed the helpdesk manager’s number and called the branch first. I told the branch bank manager that a technician from the bank’s internet provider would be stopping by later that day to swap out an older router model that was no longer supported. I said the visit had been coordinated with corporate and that she’d receive a confirmation email with the technician’s photo and name while we were on the call.
Then, as we spoke, I sent the email. I basically prayed for the email spoof to work and luckily it did.
It landed in her inbox while she was still on the line with me. As mentioned earlier, that timing mattered. She opened it and looked at the details while I stayed on the call to answer questions in real time. If she had doubts, I was there to smooth them out and no reason to reply to it since I was already on the phone with her.
She asked one thing: “Will our internet go down during the swap?”
I told her, “No, the technician would perform a ‘hot-swap’ of the router, so there shouldn’t be any downtime.” Technically, that isn’t a thing or how routers work. But it didn’t matter. It sounded convincing enough, and more importantly, she asked the question out loud instead of replying to the email.
That’s all I needed. All I hoped for afterwards was that she wouldn’t fire off another email asking another question.
A few hours later, I walked through the front door of the branch wearing the shirt I had packed and carrying a small bag with a real router inside, just as a prop in case they asked. I didn’t see anyone leaving the counter and didn’t see a SWAT vehicle outside anywhere. Maybe this would actually work? The branch manager greeted me by name and walked me back toward the network closet.
Per policy, she asked for my ID. I handed her my valid license… from Colorado. Honestly, I wish I could tell you that I had that excuse planned too but I completely forgot about that.
She paused. “Oh, you’re not local?”
I smiled. “I actually just moved here two weeks ago. Haven’t had time to get to the DMV yet.”
She smiled back. “Well, welcome to California. This area’s great.”
She unlocked the closet door and left me alone to do the work.
Inside, I crouched down and opened the bag. For a few seconds, I just sat still to let the adrenaline settle. I even thought to myself, I can’t believe that worked. Even with all the prep, even with the shirt and the voice and the pretext, I could still feel my heart pounding. I took a slow breath, exhaled, and got to “work.”
The real router stayed exactly where it was.

I pulled out my preconfigured Raspberry Pi drop box, plugged in the power, then plugged it into the switch. The LEDs blinked, then held steady. I checked that it truly had an outbound VPN connection using my phone, which was already logged into my VPN server, and just like that, I had a foothold. In fact, I realized the network connection was part of the flat network, which could access their operations center and vice versa. So while I did get access to this network closet, technically, if an attacker just got access to the operations center, which is an easier target, they would have access to this branch bank (and maybe all of their branch banks).
I closed the closet door, and walked out with a thank-you and a wave.
They followed the policy. They checked the boxes. But the policy didn’t require them to verify the number that called or the address that sent the email. And once all the pieces lined up, it never occurred to anyone to look deeper.
That’s why the whole thing worked.
This wraps up Part 1 of this story. Follow us along for Part 2 where things get really interesting.
Wrap-Up
This assessment was designed to simulate what a determined attacker could accomplish using a mix of social engineering, physical intrusion, and real-world tactics. The client didn’t want a checklist audit or policy review. They wanted to know what would happen if someone with time, motive, and basic tools came after their buildings.
We delivered that in full.
The engagement started with a social approach. We walked in with an audit team, blended in, and gained internal network access without ever being challenged. We pivoted through systems, demonstrated lateral movement, and captured real credentials. All of this was done during business hours under casual observation.
Later in the week, we shifted to a full impersonation pretext at a branch bank. We spoofed a manager’s phone number, sent a matching spoofed email, and walked through the front door with a fake story and a real ID. The branch followed its checklist. No one verified the source of the email or phone call. That single lapse gave us complete access to the network closet.
Then came the second operations center. This was supposed to be their more secure facility. It had badge-based entry, PIR egress, 802.1x on the network, and locked rooms for sensitive documents. But every single layer had a workaround.
We bypassed the exterior door using a chilled burst of compressed air. Once inside, we identified that the network was protected with 802.1x. We found a printer, cloned its MAC address, unplugged it, and received an authenticated IP on our Kali VM.
That access led to deeper exploration. We shimmed a locked door to reach a storage area. Inside was a key cabinet protected by a wafer-style lock. We raked it open in seconds and retrieved the combination to a safe with money inside, and a key to a lockbox labeled “Pay Master Key.” That box contained live, preprinted cashier’s checks, the kind trusted by businesses and customers alike.
Near the exit, we found multiple shred bins. Each had a basic three-digit combination lock. We opened one simply by rotating the dials downward. All bins used the same code. Inside were partially shredded documents, including checks, client data, and internal financial forms.
No part of this test relied on force. No insider helped us. Nothing was staged.
We used timing, observation, pretexts, and simple bypass techniques to walk through the same paths that a real adversary might try. The building never went into alarm. No one called the police. The controls looked solid on paper. But paper doesn’t secure real doors.
This wasn’t about proving a point. It was about showing what’s possible when you assume no one will test the gaps.
They asked us to try. We did.
And the doors opened.
What Could Have Prevented This Compromise
Phase 1: Social Engineering the Audit Team
What Happened:
Blended in with an arriving audit team, got a visitor badge without being questioned, gained internal access.
Prevention Measures:
- Require pre-registered visitors with matching names on a list before issuing badges
- Receptionist must verify identity or confirm with someone internally before issuing access
- Require escorted access for all non-employees, even if they “seem familiar”
- Provide visitor badges with photo and expiration time, not just a blank pass
- Implement tailgating awareness training for both reception and staff
Phase 2: Keypad Code Capture and Wireless Drop
What Happened:
Observed keypad entry code, waited, and walked in. Planted a wireless access point behind a printer.
Prevention Measures:
- Install PIN shield covers or angle keypads away from public view
- Train employees to cover keypad entry with their body or hand
- Use keypads that auto-reset after a few seconds or display stars instead of digits
- Monitor for rogue wireless devices using regular scans
- Place tamper detection sensors near printers and network ports in unsecured areas
Phase 3: Wireless-Based Lateral Movement
What Happened:
Connected to planted device from parking lot, ran recon, exploited MS17-010, used reused local admin hash to move laterally.
Prevention Measures:
- Patch critical vulnerabilities like MS17-010 (EternalBlue) across all systems
- Implement LAPS (Local Administrator Password Solution) to randomize local admin passwords
- Monitor wireless traffic near the building for unknown devices
- Segment networks so printers or visitors are on isolated VLANs
- Alert on multiple failed login attempts or new admin sessions from unexpected hosts
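The alerting that the last bullet asks for, applied to the Phase 3 finding above (one local Administrator hash accepted on 53 systems), as an added example that is not tooling from the original post. The Python below runs over constructed Windows Security event 4624 records (the field names model a SIEM or agent JSON export and are assumptions about that format) and raises one alert per source address that opens NTLM network logons as a RID-500 local account on several hosts inside a short window. Once LAPS gives every machine a unique local password, this pattern has no legitimate reason to appear, because one hash no longer works anywhere else.

```python
"""Flag one source reaching the built-in local Administrator account (RID 500)
over NTLM network logons on many hosts inside a short window: the shape that a
single reused local-admin hash leaves in Windows Security event 4624 when it is
replayed across an estate, and the signal LAPS removes by giving every machine
a different password.

Added example, not tooling from the original post. The events are constructed
samples; the field names model a SIEM/agent JSON export of event 4624 and are
assumptions about that export format.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def ev(ts, host, logon_type, auth_pkg, user, domain, sid, ip):
    """Build one constructed 4624-style record."""
    return {"ts": ts, "host": host, "LogonType": logon_type, "AuthPkg": auth_pkg,
            "TargetUser": user, "TargetDomain": domain, "TargetSid": sid,
            "IpAddress": ip}


# Constructed sample: 198.51.100.7 opens NTLM network logons as the local
# Administrator on five different servers within 90 seconds. Noise: a Kerberos
# domain-user logon, a console logon on WS03, and a lone local-admin logon
# from 10.0.0.9 that stays under the threshold.
SAMPLE_EVENTS = [
    ev("2024-05-14T14:02:01", "FS01", 3, "NTLM", "Administrator", "FS01", "S-1-5-21-100-200-301-500", "198.51.100.7"),
    ev("2024-05-14T14:02:09", "FS02", 3, "NTLM", "Administrator", "FS02", "S-1-5-21-100-200-302-500", "198.51.100.7"),
    ev("2024-05-14T14:02:20", "BANK-DC1", 3, "Kerberos", "jsmith", "BANK", "S-1-5-21-500-600-700-1105", "10.0.0.5"),
    ev("2024-05-14T14:02:44", "APP01", 3, "NTLM", "Administrator", "APP01", "S-1-5-21-100-200-303-500", "198.51.100.7"),
    ev("2024-05-14T14:03:02", "WS03", 2, "Negotiate", "Administrator", "WS03", "S-1-5-21-100-200-304-500", "-"),
    ev("2024-05-14T14:03:15", "APP02", 3, "NTLM", "Administrator", "APP02", "S-1-5-21-100-200-305-500", "198.51.100.7"),
    ev("2024-05-14T14:03:30", "WS17", 3, "NTLM", "Administrator", "WS17", "S-1-5-21-100-200-306-500", "198.51.100.7"),
    ev("2024-05-14T14:10:00", "FS03", 3, "NTLM", "Administrator", "FS03", "S-1-5-21-100-200-307-500", "10.0.0.9"),
]


def is_local_builtin_admin(event):
    """RID 500 plus a target domain equal to the host name means the built-in
    local Administrator, not a domain account that happens to share the name."""
    return (event["TargetSid"].endswith("-500")
            and event["TargetDomain"].upper() == event["host"].upper())


def detect_shared_local_admin(events, window=timedelta(minutes=5), min_hosts=3):
    """Return one alert per source IP that used a local RID-500 account over
    NTLM network logons (LogonType 3) on at least `min_hosts` distinct hosts
    within `window`. The alert reports the densest window seen for that source."""
    by_source = defaultdict(list)
    for event in events:
        if event["LogonType"] != 3 or event["AuthPkg"].upper() != "NTLM":
            continue
        if not is_local_builtin_admin(event):
            continue
        by_source[event["IpAddress"]].append(
            (datetime.fromisoformat(event["ts"]), event["host"]))

    alerts = []
    for source, hits in by_source.items():
        hits.sort()
        best = None
        start = 0
        for end in range(len(hits)):  # sliding window over time-ordered hits
            while hits[end][0] - hits[start][0] > window:
                start += 1
            hosts = {host for _, host in hits[start:end + 1]}
            if len(hosts) >= min_hosts and (best is None or len(hosts) > len(best["hosts"])):
                best = {"source": source, "hosts": sorted(hosts),
                        "first": hits[start][0], "last": hits[end][0]}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_shared_local_admin(SAMPLE_EVENTS):
        print(f"{alert['source']} used local Administrator on {len(alert['hosts'])} hosts "
              f"between {alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S}: "
              f"{', '.join(alert['hosts'])}")
```

The rule keys on the account SID rather than the name so that renamed built-in accounts are still caught, and it requires the target domain to equal the host name so that a domain account called Administrator does not trip it. In an environment where remote use of the local Administrator account is not expected at all, `min_hosts` can be set to 1.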
Phase 4: Branch Bank Impersonation (Phone + Email Spoofing)
What Happened:
Spoofed helpdesk phone number and email, sent fake technician identity with photo, gained physical access to network closet.
Prevention Measures:
- Use SPF, DKIM, and DMARC to reject spoofed emails at the gateway
- Require phone-based approvals to come from known, validated numbers
- Create a call-back policy: if someone claims to be from corporate, branch staff must call the helpdesk back directly using a verified number
- Train staff to verify all technician visits, even if an email and call seem to match
- Maintain a verified list of vendors and expected visit schedules at each branch
FAQ: Questions About This Job
At the start of the assessment, we coordinated with the client to confirm scope, timing, and rules of engagement. We also visited the local sheriff’s office in advance and provided them with a letter explaining the test, complete with contact info for the client and our team. That way, if an alarm was triggered or someone called in suspicious activity, law enforcement would know this was an authorized assessment. They’d still respond, but they’d have context before escalating. We also did as much recon work as we could online about the organization, buildings, layout, personnel, etc., before getting onsite.
Yes. The client authorized both social engineering and physical testing. We used multiple pretexts, including impersonating an internal auditor and posing as an IT contractor. The branch bank job involved spoofing a phone number and sending a matching spoofed email with a fake technician identity. The client approved these methods in writing, with the condition that nothing be damaged and no internal help be used.
At one location, we plugged into a live network port and were issued a DHCP lease immediately. At another, where 802.1x was properly implemented, we printed a configuration sheet from a networked printer, cloned its MAC address, unplugged the printer, and received network access by impersonating it. All actions were non-destructive and fully reversible.
Each location had different weaknesses. In one, we tailgated and received a visitor badge by blending in with an arriving audit team. In another, we captured a keypad code by watching someone enter it. At the second operations center, we entered after hours by bypassing a touch-sensitive door using a copper wire, then defeated a PIR egress sensor with canned air. Later, we climbed through an architectural gap next to a locked stairwell door.
Yes, but only during earlier phases. We planted a wireless access point behind a printer at the first operations center, which allowed us to access the internal network from the parking lot. In the later phases, we used only a laptop to connect briefly and gather findings. No persistent hardware was left in place after testing.