Information Security
penetration-test legal documents
Updated Tue, 09 Aug 2022 22:14:35 GMT

Should I present forged documents in a Penetration Test/Red team engagement?


A previous question of mine led to this discussion, which mentioned the subject of document forgery.

I've seen many people (in videos) forge IDs and employee badges for such engagements, so that seems fine as a test. However, if asked to present a more critical/serious document like a "Permission to Attack" slip (when caught), or asked by a police officer to present some ID, should we test them by first showing them a forged "Permission to Attack" slip or ID and only showing the real documents if caught?




Solution

It depends on the scope of the engagement.

If the customer wants you to focus on one specific task (e.g. bypassing locks, social engineering, etc.), then that's all you're authorized to do and all you are legally allowed to do.

If the customer wants you to use "anything that's legal", in order to best simulate a real attacker, then you can indeed present a forged Permission to Attack, possibly even with instructions added that you should be left alone during the engagement.

Why would you do that? In order to check whether security personnel actually verify that a Permission to Attack is valid. Otherwise an attacker could present a forged Permission to Attack and use it to gain entry to the company.

What about law enforcement?

Never show law enforcement a forged document or lie to them about who you are or what you are doing. You are testing the company, not the law enforcement.

Or to put it in simple terms: When you talk to the police, you're no longer a pentester.





Comments (5)

  • +8 – My guess is, this should be written into the contract explicitly, in order to authorize certain people as "straw man" pentesters for that phase of the test. — Nov 18, 2019 at 15:09  
  • +0 – In basic agreement. However, a minor exception is when your client is the government, in which case it might be appropriate to test the police response. But unless it is painfully obvious that you are to test the police (e.g., the police department hired you to pen-test the police department), this answer is true. — Nov 18, 2019 at 16:14  
  • +0 – Rather, when you talk to the police you are no longer currently pentesting. — Nov 18, 2019 at 17:47  
  • +9 – I think you can still be a pentester while talking to police, but they are not being tested, so you can talk to them as you would your client (i.e. someone who is 'in' on your situation). — Nov 19, 2019 at 03:24  
  • +0 – To your last statement, unless you're testing law enforcement/intelligence/security/government, in which case, probably clear this beforehand, maybe in writing in your authentic documents. — Nov 20, 2019 at 18:00