Unfortunately ~nobody does. The effectiveness of red teams was one of the most surprising aspects of working in security. The most common way to break into someplace was to pose as a construction worker: http://i.imgur.com/ZjnGmZ5.png
If you're dressed as one of them, you can go wherever you want and people rarely ask questions. Another approach is to pose as an interviewee. That's how you get into the building, but beyond that you never actually talk to anyone so nobody is suspicious. People generally don't care when someone is walking around the halls dressed up in a suit.
One of my coworkers was involved in dozens of red teams and he got caught a grand total of one time. Every other time he was able to acquire an IP address, take a picture of himself sitting in the exec's chair, swipe a file out of the server room, or whatever the customer wanted.
>If you meet a member of that select club, "The Twelve True Fishermen," entering the Vernon Hotel for the annual club dinner, you will observe, as he takes off his overcoat, that his evening coat is green and not black. If (supposing that you have the star-defying audacity to address such a being) you ask him why, he will probably answer that he does it to avoid being mistaken for a waiter. You will then retire crushed. But you will leave behind you a mystery as yet unsolved and a tale worth telling. ...
So, every time, he took a pic in the exec's chair, stole a file from the server room, and also did whatever he wanted? What is the 'N' factor here, because it sounds like your friend is a bold high schooler who achieved N=1,2,3(tops). Pretty boring security stuff.
To clarify, the companies he penetrated were the ones that hired him in the first place. Red teaming is when a company hires you to perform physical pentesting. You're legally allowed to break into their company within a set of defined rules. Usually the rules are straightforward: no breaking stuff (though sometimes there are exceptions), achieve the objective, carry a "get out of jail" envelope with two emergency contacts from inside the target company who will verify they paid you to break in if anything goes wrong. Other than that, you're free to be as creative as you want in achieving whatever the customer asked for. Think Ocean's Eleven.
These gigs are highly paid and secretive. The coworker I mentioned went on dozens of assignments like this. Admittedly he was legendary, but only because he was so experienced. If you were motivated and malicious, you could do many of the same things to attack a target network. People rarely do that, but it's the ultimate proof that none of us are secure against motivated adversaries.
I mean GP that you're replying to literally said N~=dozens, meaning probably 25+
Side note, that sounds like something one of my old bosses would do on his red team excursions (he also told me to get my teeth pulled without anesthetics at all, so... yea).
