Should I present forged documents in a Penetration Test/Red team engagement?

It depends on the scope of the engagement.

If the customer wants you to focus on one specific task (e.g. bypassing locks, social engineering, etc.), then that's all you're authorized to do and all you are legally allowed to do.

If the customer wants you to use "anything that's legal", in order to best simulate a real attacker, then you can indeed present a forged permission to attack, possibly even with instructions added that you should be left alone during the engagement.

Why would you do that? In order to check if security personnel actually verify if a Permission to Attack is valid or not. Otherwise an attacker could present a forged Permission to Attack and use this to gain entry to the company.

What about law enforcement?

Never show law enforcement a forged document or lie to them about who you are or what you are doing. You are testing the company, not law enforcement.

Or to put it in simple terms: When you talk to the police, you're no longer a pentester.


Unless your engagement is with the police, they are out of scope and you are not allowed to test them. If someone called the police, you already lost, actually. You should stop them right before they do that (friends of mine who do this kind of stuff work in England, where the emergency number is 999 and their principle is that they give up when someone dials the 2nd "9").

Specifically, you do not have permission to attack the police. Your slip doesn't cover lying to the police or presenting forged documents to the police.

When acting within the scope of your permission to attack, forged documents are typically fine; however, I would definitely include a mention of such tactics in one of the documents signed, either the permission itself, or the offer or something else appropriate. Just in case anyone is not a fan, you want to have something written that says "but we agreed that such methods are ok to be used".

There have been a number of recent cases where pentesters got into trouble for exceeding the scope of their engagement. Don't do that. Always stay well within what was agreed, and if you ask yourself if a specific method is fine, that is a very good sign that it should be explicitly stated somewhere as a method you might employ. I mean, if it isn't clear to you, it probably isn't clear to the customer, either.