How I Got In: Bypassing Bank Security (Part 2)

About This Series

How I Got In is a collection of real-world stories from red team and physical penetration testing engagements we’ve performed over the years. These aren’t theory. These are actual jobs, with names and details changed for privacy, but the events happened just as you’ll read them.

This series isn’t about flashy hacking tools or fictional movie plots. It’s about how people like me get access to buildings and networks using timing, conversation, misdirection, and a solid read on human behavior.

Every story here started with one goal: get in where we’re not supposed to be. And sometimes, that’s exactly what happened.

If you’ve ever wondered how someone gets in when the doors are locked, the security guards are watching, and the policies look good on paper, this series is for you.

Episode 3: Bypassing Bank Security (Part 2)

How I Got In – Red Team Files, Volume 1

Phase 5: Night Entry at the Second Operations Center

This was the part of the assessment where we tested how a real attacker might approach physical access when no one was watching. The client wanted to know if their physical controls would hold up against someone motivated, prepared, and patient enough to try after hours. Their instructions were clear: try to get in, don’t break anything, and be creative.

They were especially curious about this building, which was their second operations center as this building had recently been reviewed by another physical security firm. It had new access controls, different architecture, and tighter policies than the first site. If it proved secure under real-world pressure, they planned to use the same physical control models at their other locations.

The engagement rules allowed for after-hours testing and surreptitious entry, as long as we also included traditional social engineering, which we had already done earlier in the week. That gave me the green light to treat this like a real break-in attempt. No pretext. No one to sweet-talk at the door. Just me, the building, and whatever tools I could carry.

Before any of that, though, I did what I always do at the start of a physical engagement like this, I made a trip to the local sheriff’s office.

I handed a deputy a copy of our “Get-out-of-jail-free” letter, which included information about the assessment, the name and contact number of our internal point of contact at the bank, along with my own phone number. If an alarm did go off, or if someone reported a suspicious person prowling around the building, the responding officers would have everything they needed to call and confirm before things escalated. They’d still show up, but ideally (fingers crossed) not with weapons drawn or an “overly-excited-to-do-his-job” dog running at me full speed.

The deputy looked over the paperwork, nodded, and said something along the lines of, “Man, that’s a cool job.” I smiled and thanked him. It’s not about being liked, it’s about staying alive.

That cleared the way for tonight’s entry.

I had spent a few nights checking out this site, waiting for the right conditions and I had all of gear ready to go for this moment.

What I needed was a night when the janitorial crew was working, which would mean the alarm was disabled. After a few uneventful stakeouts, I finally saw what I was waiting for: a janitorial van pulled into the lot and parked near the side of the building. A few minutes later, two people rolled out vacuum cleaners and supplies and disappeared through the rear staff entrance.

That was the signal. It was time to move.

I walked toward the main entrance. Nothing on me looked out of place. No gloves. No hoodie. Just a normal, confident walk wearing the same business casual clothes I wore earlier. I approached the front glass door and immediately spotted the access control layout.

To the right of the door was a standard badge reader. I didn’t have a badge. Mounted just above the frame on the inside was a passive infrared egress sensor, aimed downward. This was actually the sensor I was expecting. These sensors don’t detect movement, they detect sudden changes (delta), in temperature (hot or cold) compared to the ambient air. All I needed to do was trigger that change.

I pulled a can of compressed air from my bag, flipped it upside down, and sprayed a short burst of cold co2 towards the sensor. The chilled gas dropped the ambient temperature just enough to trick it into thinking someone was approaching from inside.

Click.

The maglock disengaged, and the door opened.

Now I was inside.

The building was quiet, but I didn’t stop to admire it. I moved quickly down the hallway, keeping an even pace. No badge-controlled doors were touched. No lights flicked on. Somewhere else in the building, the janitors were cleaning. I had no intention of bumping into them.

At the end of the hallway, I turned the corner and headed up the stairs. My goal was the second floor. That’s where the network was. That’s where the servers were. And that’s where the next set of barriers waited.

At the top of the stairs, I hit one.

The door was locked with a badge reader. But just to the right, there was a large opening built into the wall. It was about three feet tall and ten feet wide. Too big to be accidental, too exposed to be smart. I had seen it during my recon earlier in the week through the glass window on the side of the building.

I tossed my bag through first, then stepped up onto the stair railing and hauled myself over. It wasn’t exactly graceful, but it was fast. If someone had been walking by on the other side, I needed to be clear of the wall before they saw me.

I dropped down, crouched low, and listened.

Nothing.

I was in.

I grabbed my bag and made my way to the nearest cubicle. There was an open network jack under the desk. I plugged in my laptop and waited.

No IP address. The link light blinked, but the network wasn’t giving me anything. I tried a second network jack at another cubicle with this one being connected to an actual computer. Still no IP address.

That told me everything I needed to know.

This building was running 802.1x.

Unlike the first operations center, where I was issued an IP address immediately, this network required device authentication before access was granted. The port wasn’t dead, it was protected.

That was good security. But it also meant I had to find a device the network already trusted.

Around the corner, a printer waited.

Phase 6: Printer MAC Spoofing and Physical Lock Bypasses

I walked down the hallway to the printer, keeping my steps slow and quiet. It was a regular office printer in one of the unlocked offices. From the looks of it, it hadn’t been used in a while as the rest of the office was empty. Perfect.

First, I ran a quick test print from the front panel. Most printers like this will show the current network settings either on the touchscreen or on the printed test page. I navigated through the menus, selected “Print Configuration,” and watched as it spit out a sheet of paper. Exactly what I needed.

The page showed everything: the printer’s IP address, subnet, and its MAC address.

I reached around the back and carefully unplugged the Ethernet cable from the wall jack. That would prevent any network conflicts once I went live. The printer would stay powered on, but it would be off the network. That gave me the window I needed.

Back at the cubicle, I sat down at my laptop and brought up VMware. I already had Kali Linux running inside a virtual machine. From the VM’s settings, I changed the MAC address of the virtual NIC to match the one I had just pulled from the printer. I double-checked that it was exact with no typos. Then I set the network adapter to bridged mode, so the VM would talk directly through the laptop’s physical interface.

Once that was set, I started the Kali VM and ran dhclient.

This time, the network responded.

The switch saw the printer’s MAC address, believed it was legitimate, and issued an IP address on the correct VLAN. I was in. Fully connected, authenticated, and inside the trusted internal network, all without ever touching a firewall or endpoint.

I had become the printer.

The connection was stable. No ARP conflicts, no errors. Unplugging the original device had done its job. Now I had time to look around.

At the far end of the hallway was a storage room. The door looked ordinary, but it was locked with a standard mortise lock. It didn’t have a card reader, no alarm contact on the frame, and no additional protections. But there was a slight gap between the door and the frame. Just enough to fit a shim tool through.

I carry a thin stainless-steel latch slip for exactly this kind of job. It’s not a lockpick. It’s a bypass tool that engages the latch directly, sliding between the bolt and the strike plate. I fed it through the gap, angled slightly downward, and gave it a firm twist toward the latch.

Click.

The door popped open.

Inside was a cramped but loaded storage room. Stacks of documents, carts full of file folders, filing cabinets, and bank paperwork dating back years. I moved slowly, snapping photos and making sure not to disturb anything.

What stood out wasn’t just the amount of sensitive material, but how casually it was protected. Toward the back, on top of a stack of boxes, was a beige metal lockbox labeled in marker: “Pay Master Key?” Right next to it sat a binder titled “Cashiers Check Log.”

The box was locked, but I wasn’t planning to force it open. What I needed was the key, and it was likely close by.

Mounted on the wall was a tall, beige key cabinet, packed with rows of labeled keys. The lock securing the cabinet was wafer-style, one of the easiest to bypass with a rake. I pulled out my rake tool and tension wrench, applied light pressure, and gave it a few quick swipes.

The cabinet door loosened under my hand. Inside, dozens of tagged keys hung neatly. I scanned the rows until I found one labeled to match the lockbox. I also noticed at the bottom of the lockbox was a small folded piece of paper that said, “Combination For Safe.” I looked around and sure enough, at the back of the room was a safe. It was the safe that the cashiers used and yes, the combination did work for the safe. After that, I turned my attention back to the key for the cashiers box.

I slid it off the hook, inserted it into the box, and turned.

It opened without resistance.

Inside was a stack of official bank cashier’s checks. Real checks. Not samples or voided stock. They were preprinted, complete with account and routing numbers, watermarks, microprint, and signature lines. These were the same checks that customers and businesses treat as trustworthy and secure, because they come from a bank.

I took clear photos of the contents, the check log binder, the box, and its markings. Then I returned everything to its original place. The key went back in the cabinet, the cabinet was locked again, the safe was locked, and I closed the storage room door behind me without leaving a trace.

Just before I left the area, I noticed multiple shred bins near the hallway wall. They all had a small combination lock attached to the top with three rotating dials, the kind that often fail because of user laziness. I tested the numbers by spinning all three numbers at the same time down, and pulling the latch down. My hope was that whoever closed it, didn’t spin the dials much after locking it. As my luck would have it, at the first interval down, the combination lock clicked open.

Inside the shred bin were dozens of documents and checks. Some were already shredded, but many were whole or only partially torn. I saw printed checks, invoices, client statements, and internal forms. Nothing had been destroyed beyond recovery. I took a picture for my report and closed it up.

I also confirmed that every shred bin on that floor used the same combination. Once one was open, they were all open.

Just before leaving, I took a few extra minutes to make sure everything was exactly the way I found it. I took screenshots of the access on my laptop, took photos with my phone of my access, plugged the printer cable back in, and headed towards the exit.

No one crossed my path. The janitorial crew was either still busy on another floor or already gone.

I descended the stairwell, passed through the main door, and stepped outside. The egress system disengaged from the inside without issue. No alarms. No alerts. No questions.

Within five minutes, I was in the car and driving off-site.

Everything had been accessed without forcing a door, triggering a sensor, or saying a word. I walked in, tested every layer of physical and network control, and walked out without leaving a trace.

Wrap-Up

This assessment was designed to simulate what a determined attacker could accomplish using a mix of physical penetration testing, physical intrusion, and real-world tactics. The client didn’t want a checklist audit or policy review. They wanted to know what would happen if someone with time, motive, and basic tools came after their buildings.

We delivered that in full.

The engagement started with a social approach. We walked in with an audit team, blended in, and gained internal network access without ever being challenged. We pivoted through systems, demonstrated lateral movement, and captured real credentials. All of this was done during business hours under casual observation.

Later in the week, we shifted to a full impersonation pretext at a branch bank. We spoofed a manager’s phone number, sent a matching spoofed email, and walked through the front door with a fake story and a real ID. The branch followed its checklist. No one verified the source of the email or phone call. That single lapse gave us complete access to the network closet.

Then came the second operations center. This was supposed to be their more secure facility. It had badge-based entry, PIR egress, 802.1x on the network, and locked rooms for sensitive documents. But every single layer had a workaround.

We bypassed the exterior door using a chilled burst of compressed air. Once inside, we identified that the network was protected with 802.1x. We found a printer, cloned its MAC address, unplugged it, and received an authenticated IP on our Kali VM.

That access led to deeper exploration. We shimmed a locked door to reach a storage area. Inside was a key cabinet protected by a wafer-style lock. We raked it open in seconds and retrieved the combination to a safe with money inside, and a key to a lockbox labeled “Pay Master Key.” That box contained live, preprinted cashier’s checks, the kind trusted by businesses and customers alike.

Near the exit, we found multiple shred bins. Each had a basic three-digit combination lock. We opened one simply by rotating the dials downward. All bins used the same code. Inside were partially shredded documents, including checks, client data, and internal financial forms.

No part of this test relied on force. No insider helped us. Nothing was staged.

We used timing, observation, pretexts, and simple bypass techniques to walk through the same paths that a real adversary might try. The building never went into alarm. No one called the police. The controls looked solid on paper. But paper doesn’t secure real doors.

This wasn’t about proving a point. It was about showing what’s possible when you assume no one will test the gaps.

They asked us to try. We did.

And the doors opened.

What Could Have Prevented This Compromise

Phase 5 & 6: Second Operations Center Night Entry

What Happened:

After-hours entry using copper wire and canned air, climbed through architectural gap, bypassed 802.1x using printer MAC, shimmed storage room, opened key cabinet, accessed check stock, opened shred bins.

Prevention Measures:

• Use anti-shim door hardware and latch guards
• Replace wafer locks with high-security cylinders
• Relocate key cabinets to secured rooms with badge access
• Use network authentication based on certificates, not just MAC addresses
• Secure sensitive stock (like checks) in safes or locking cabinets with restricted access
• Randomize shred bin combinations and avoid shared codes
• Monitor access logs or place motion detectors in key storage areas

Across the Entire Engagement

Gaps in Oversight and Detection:

No one asked questions. No one verified identities. No one followed up when unusual behavior occurred.

Prevention Measures:

• Conduct routine red team or mystery guest walkthroughs to test physical and procedural response
• Train all employees, including cleaning crews, to challenge unknown individuals
• Review vendor and visitor procedures quarterly with all branch and ops center staff
• Install motion-triggered cameras in sensitive zones (like print areas, storage closets, and hallways leading to the network room)
• Deploy behavioral anomaly detection on both the network and access control systems

FAQ: Questions About This Job