Tailgating & Impersonation
Gaining unauthorized physical access through social engineering, following authorized personnel through secured doors, and impersonating trusted roles to bypass security controls.
Authorization Required
Tailgating Techniques
Tailgating (or piggybacking) involves following an authorized person through a secured entrance without using your own credentials. It exploits human politeness and the social awkwardness of challenging someone's access rights.
📦 The Delivery Person
- Carry a large box or stack of packages
- "Hands are full, can you get the door?"
- Wear delivery company uniform or vest
- Time arrival during lunch rush or shift change
- Branded vehicle adds credibility
🔧 The Technician
- Carry laptop bag and cable tester
- Wear vendor-branded polo or uniform
- Reference a "ticket" or work order
- Act frustrated about running late
- Name-drop IT staff if known from OSINT
☕ The New Employee
- "It's my first week, still waiting for my badge"
- Carry company-branded items (pen, notebook)
- Ask for directions to common areas
- Reference hiring manager by name
- Look slightly nervous and confused
🚬 The Smoke Break
- Wait near designated smoking areas
- Strike up casual conversation
- Walk back inside with the group
- Propped doors are common here
- Morning coffee runs work similarly
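Every tailgating scenario above has one thing in common from the defender's side: the person who followed someone in never produced a badge read. That shows up later in the access-control export as a badge that exits without a recorded entry, or enters twice without an exit in between, which is exactly what anti-passback enforcement is designed to catch. The Python below is an added example, not code from the original page; it assumes a simplified CSV-style export (constructed inline, with made-up badge and door ids) of the form `timestamp,badge,door,IN|OUT`, so only `parse_events()` would need changing for a real vendor export.

```python
"""Tailgating indicators in badge-reader logs (added example, not from the page).

Assumes a simplified access-control export, constructed below, with one
event per line:  <ISO timestamp>,<badge id>,<door id>,<IN|OUT>
Real vendor exports differ in layout; only parse_events() needs changing.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample export: one day, one building, two badged doors.
SAMPLE_LOG = """\
# ts,badge,door,direction
2024-03-04T07:45:10,B1001,LOBBY-N,IN
2024-03-04T07:46:02,B1002,LOBBY-N,IN
# B1003 never badged in this morning but badges out at lunch
2024-03-04T12:05:33,B1003,LOBBY-N,OUT
2024-03-04T12:40:15,B1003,LOBBY-N,IN
# B1001 badges in again without ever badging out
2024-03-04T13:10:00,B1001,LOBBY-N,IN
2024-03-04T17:30:41,B1001,LOBBY-N,OUT
2024-03-04T17:31:05,B1002,LOBBY-N,OUT
2024-03-04T18:02:00,B1003,DOCK-E,OUT
"""


@dataclass(frozen=True)
class BadgeEvent:
    ts: datetime
    badge: str
    door: str
    direction: str  # "IN" or "OUT"


def parse_events(lines):
    """Parse log lines into BadgeEvent objects sorted by timestamp."""
    events = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, badge, door, direction = (f.strip() for f in line.split(","))
        if direction not in ("IN", "OUT"):
            raise ValueError(f"unexpected direction in line: {line!r}")
        events.append(BadgeEvent(datetime.fromisoformat(ts), badge, door, direction))
    events.sort(key=lambda e: e.ts)
    return events


def find_passback_anomalies(events):
    """Return (exit_without_entry, entry_without_exit).

    Each badge is tracked as simply inside/outside. An OUT with no prior IN
    means the holder most likely entered behind someone else; an IN while
    already inside means the holder left through a propped or held door.
    Both are the log-side trace of tailgating that real-time anti-passback
    enforcement would have blocked or alarmed on.
    """
    inside = defaultdict(bool)
    exit_without_entry, entry_without_exit = [], []
    for e in events:
        if e.direction == "IN":
            if inside[e.badge]:
                entry_without_exit.append(e)
            inside[e.badge] = True
        else:
            if not inside[e.badge]:
                exit_without_entry.append(e)
            inside[e.badge] = False
    return exit_without_entry, entry_without_exit


def anomalies_by_door(events):
    """Count anomalous reads per door (the door where the odd read occurred).

    Doors with high counts are candidates for a turnstile, mantrap or staffed
    post rather than a lone swipe reader.
    """
    ewe, ewx = find_passback_anomalies(events)
    return dict(Counter(e.door for e in ewe + ewx))


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG.splitlines())
    ewe, ewx = find_passback_anomalies(evs)
    for e in ewe:
        print(f"{e.ts} {e.badge} exited {e.door} with no recorded entry")
    for e in ewx:
        print(f"{e.ts} {e.badge} entered {e.door} with no recorded exit")
    print("anomalies per door:", anomalies_by_door(evs))
```

The inside/outside state is deliberately naive: it carries across days, so a production version should reset at a site-defined day boundary and treat legitimate exceptions (emergency exits, receptionist overrides) as their own event types rather than anomalies. Counting anomalies per door, rather than per badge, is what turns the log into a remediation argument for the doors listed in the timing and smoke-break scenarios.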
Common Impersonation Personas
| Persona | Props/Uniform | Access Gained | Risk Level |
|---|---|---|---|
| IT Support | Polo shirt, laptop bag, cable tester | Server rooms, desks, network closets | Low |
| Fire Inspector | Clipboard, camera, reflective vest | All areas including restricted | Medium |
| Pest Control | Uniform, spray tank, clipboard | All areas, basements, ceilings | Low |
| HVAC Technician | Tools, ladder, company uniform | Mechanical rooms, roof access | Low |
| Health & Safety | Hard hat, clipboard, reflective vest | All areas for "inspection" | Medium |
| Corporate Auditor | Business attire, laptop, folder | Offices, conference rooms, files | Medium |
| Cleaning Crew | Uniform, cart, cleaning supplies | After-hours access, all areas | Low |
Legal Boundaries
Preparation Checklist
Before the Engagement:
Scripted Responses
Prepare responses for common challenges. Confidence and consistency are key.
"Can I see your badge?"
"Oh, HR is still processing it. Here's the email from [manager name] about my start date. Can you call them to verify?"
"Who are you here to see?"
"I have a work order for the network issues in Building C. [Name from OSINT] requested it. Is it okay if I sign in and head up?"
"I need to call security."
"No problem at all - here's my work order. Mind if I wait here? I'm on a tight schedule but happy to cooperate."
"You can't be in here."
"Sorry, I must have taken a wrong turn. Could you point me toward [legitimate area]? Still learning the building."
Body Language & Behavior
✅ Do
- Walk with purpose and confidence
- Make brief eye contact and smile
- Carry props naturally (not defensively)
- Dress appropriately for the role
- Know employee names from OSINT
- Have a destination in mind
- Look slightly busy/distracted
❌ Don't
- Avoid eye contact or look nervous
- Loiter or appear lost
- Over-explain or talk too much
- Get confrontational if challenged
- Break character under pressure
- Carry unnecessary electronics visibly
- Rush or appear in a hurry
Optimal Timing
| Time Window | Scenario | Why It Works |
|---|---|---|
| 7:30 - 9:00 AM | Morning rush | High volume, guards distracted, doors held open |
| 11:30 AM - 1:30 PM | Lunch rush | Delivery traffic, food orders, people leaving/returning |
| 4:30 - 6:00 PM | End of day | Guards less alert, mass exodus, propped doors |
| Shift changes | Guard handoff | Confusion during transitions, gaps in coverage |
| After 7:00 PM | Cleaning crew | Minimal staff, can blend with janitorial |
When to Abort
Abort Immediately If:
- Law enforcement is called or arrives
- You are physically detained or threatened
- Building lockdown is initiated
- You witness an actual crime or emergency
- Your cover is definitively blown
- Client contact signals abort
Have a clean exit strategy. If challenged, gracefully disengage: "I think there's been a misunderstanding. Let me call my supervisor to sort this out." Then calmly leave the premises and contact your client POC immediately.
Evidence Collection
# Entry Points Tested
- Location / door ID
- Time of entry
- Method used (tailgating, badge clone, etc.)
- Personnel interaction (challenged Y/N)
- Evidence (photo/video if authorized)
# Areas Accessed
- Building / floor / room
- Sensitive areas reached
- Duration of access
- Assets observed (servers, files, etc.)
# Social Engineering Outcomes
- Personas used
- Information obtained
- Credentials or badges gathered
- Employee names / contact info
# Security Observations
- Guard patrol patterns
- Camera blind spots
- Propped doors / bypassed controls
- Badge reader types and locations
# Recommendations (for report)
- Specific control failures
- Training gaps identified
- Policy violations observed
- Remediation priorities
⚠️ Professional Conduct
Physical penetration testing relies on trust. Never steal personal items, access personal files unrelated to the test, or put anyone at physical risk. Document everything, respect boundaries, and maintain the highest ethical standards.
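The Evidence Collection checklist above is easier to turn into a defensible report when each entry-point test is captured as a structured record rather than free-form notes. The Python below is an added example, not code from the original page: it models one entry attempt per the "Entry Points Tested" fields (door, time, method, challenged Y/N, evidence only if authorized), refuses photo/video references when the authorization does not permit them, and derives the report's challenge rate and remediation ranking from the records. Client name, authorization reference, door ids and times are all constructed placeholders.

```python
"""Engagement evidence log for a physical assessment (added example, not from the page).

Mirrors the Evidence Collection checklist: per entry point it records the
door, time, method, whether staff challenged the tester, and an evidence
reference that is accepted only when the rules of engagement permit
photo/video. The summary functions feed the report's control failures,
training gaps and remediation priorities. All sample values are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class EntryAttempt:
    door_id: str
    time: datetime
    method: str                          # "tailgating", "badge clone", "impersonation", ...
    succeeded: bool
    challenged: bool                     # did any employee or guard question the tester?
    evidence_ref: Optional[str] = None   # photo/video id, only if authorized


@dataclass
class EngagementLog:
    client: str
    authorization_ref: str               # identifier of the signed authorization letter
    evidence_authorized: bool
    attempts: list = field(default_factory=list)

    def record(self, attempt: EntryAttempt) -> None:
        """Reject photo/video references the rules of engagement do not allow."""
        if attempt.evidence_ref and not self.evidence_authorized:
            raise ValueError("evidence capture not permitted by authorization")
        self.attempts.append(attempt)

    def challenge_rate(self) -> float:
        """Fraction of attempts where someone challenged the tester.

        A low rate is a training/awareness finding rather than a door finding.
        """
        if not self.attempts:
            return 0.0
        return sum(a.challenged for a in self.attempts) / len(self.attempts)

    def control_failures(self) -> dict:
        """Per door: attempts, unchallenged successes and the methods that worked."""
        per_door = {}
        for a in self.attempts:
            d = per_door.setdefault(a.door_id, {"attempts": 0, "unchallenged": 0, "methods": set()})
            d["attempts"] += 1
            if a.succeeded and not a.challenged:
                d["unchallenged"] += 1
                d["methods"].add(a.method)
        return {door: d for door, d in per_door.items() if d["unchallenged"]}

    def remediation_priorities(self) -> list:
        """Doors ranked by how often they were passed without challenge.

        Ties are broken alphabetically so the report is stable across runs.
        """
        fails = self.control_failures()
        ranked = sorted(fails.items(), key=lambda kv: (-kv[1]["unchallenged"], kv[0]))
        return [(door, d["unchallenged"], sorted(d["methods"])) for door, d in ranked]


def build_sample_log() -> EngagementLog:
    """Constructed sample engagement; every value is invented."""
    log = EngagementLog(client="Example Corp", authorization_ref="AUTH-EXAMPLE-001",
                        evidence_authorized=True)
    t = datetime(2024, 3, 4, 8, 5)
    log.record(EntryAttempt("LOBBY-N", t, "tailgating", True, False, "IMG-0001"))
    log.record(EntryAttempt("LOBBY-N", t.replace(hour=12, minute=10), "impersonation", True, False))
    log.record(EntryAttempt("DOCK-E", t.replace(hour=11, minute=50), "tailgating", True, False))
    log.record(EntryAttempt("SERVER-RM", t.replace(hour=13, minute=0), "tailgating", False, True))
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print(f"challenge rate: {sample.challenge_rate():.0%}")
    for door, count, methods in sample.remediation_priorities():
        print(f"{door}: passed unchallenged {count}x via {', '.join(methods)}")
```

Keeping the authorization reference on the log object, and checking `evidence_authorized` at record time rather than at report time, means an out-of-scope photo cannot quietly end up in the deliverable; the same pattern extends to the "Areas Accessed" and "Social Engineering Outcomes" sections of the checklist.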