It takes a certain kind of person to do a physical pentest well. They have to have balls. They have to be willing to take risks normal people wouldn't take. And most importantly, that risk taking should be accompanied by a level of curiosity. Thoughts like "I wonder what's behind this door" or "I wonder where these stairs go" are a huge part of discovering potential vulnerabilities.
We all like to think that a "properly done" pentest includes a Hollywood-esque layout of the building with every exit and entry point, real-time updates of the guard patrols, and all that fancy movie crap. The reality is that this is extremely rare. The recon you do beforehand can only give you a partial picture of what's happening:
1. Do they have guards?
2. Do they have guards all night long?
3. Do the guards patrol? Outside? At regular intervals?
4. Are there guard changes? What time?
5. IS THERE A CLEANING CREW? Do they exit the building often to throw out trash?
6. etc., etc.
On one of the physical tests I was on, we were lucky enough to have multiple people (usually they are all solo). After doing internal recon and figuring out the security system, how it works, where it was placed, and all that stuff, we decided to check out the place more up close and personal.
We determined that the security system in place was supposed to work based off of sound. If it detected the sound of someone walking around or breaking a window or something like that, the audio was supposed to be pumped back to the monitoring station to determine if it was an intruder or something had accidentally hit the window. The whole system was created to reduce false positives and avoid having the police called out when it was actually nothing.
Well, we wanted to test how sensitive the system was just before we hightailed it out. So when we were done checking out the rest of the building, we were all in the SUV and drove up to the last door to see if the alarm would trip if we rattled the door. My friend got out of the car and firmly pushed on the door. I, with my binoculars, was watching the LEDs on the alarm system for a change from green to blinking red, meaning it went off. Well, after the push the lights didn't go off. We told him to really go at it and shake the door hard. He pushed really hard, and then pulled really hard, doing the motion over and over again, and holy shit. THE DOOR OPENED. That door, the door we saved for last, was the one door in the whole place that was completely unlocked. The hilariousness and elation faded quickly as I saw the LED go from green to blinking red. From reading the alarm system documentation, we had about 30 seconds to GTFO before the cops were called.
After a bout of screaming because my friend thought we told him to go inside when in fact we told him to get inside the car (lmfao, that was funny beyond belief), we got in the car and got out of the area. We found a dark parking lot to park in that allowed us to see the target from across the street. We waited, scrunched down in our seats. It's amazing how many cars are out driving around at 3am. After about 6 minutes I heard on the police radio that there was a burglar alarm set off at the location. Less than a minute later a cop showed up checking out the place. Then another cop showed up.
The moral of the story: never assume a door is locked. CHECK EVERYTHING.