What to do if caught in a physical pentest?

Always have your slip with you!

This is the golden rule of Red Teaming! If you don't have your Permission to Attack with you, it's like driving without a driver's license. That said, if you are caught during an engagement, I recommend the following:

  1. Present a forged Permission to Attack. This way, you can see if criminals could possibly trick a security guard into letting them do their thing with a fake Permission to Attack.

  2. Present the real Permission to Attack. If the guard has not bought your fake slip, it's time to hand over the real one. If the guard believes you, pick up and leave the perimeter. A real attacker would have been stopped at this point. If the guard does not believe you, ask them kindly to talk to their supervisor. If they insist on not believing you and call the police, so be it. You're not a criminal, so don't worry about it.

  3. Follow the police's orders. They'll take you with them to the station, where you can explain to the police that you are part of a Red Team Engagement and that you have permission to break into the company. They will double-check that by calling whoever is listed as the person who signed your Permission to Attack. In the happy case, that person picks up the phone, explains that you really are hired to do that, and you'll be free to go.

    In the not-so-happy case, they won't pick up because it's 4 in the morning and their phone has no battery. Should this happen, you will probably spend the night in the police station. Worse things have happened. Call your employer in the morning, and they will reach the contact at the customer's company for you.

What about the other options?

Saying "I'm a security researcher. You've caught me, so I'll just leave."

That will not be very helpful. In the eyes of a security guard, you're a criminal caught in the middle of a crime. You will not have the option of "just leaving".

Run away like a criminal.

A very bad idea. Probably the worst thing you could do. If the guard calls the police (they likely will), the costs could rise quite a lot, and it would not make the customer happy to learn they now have to pay the police for an unnecessary manhunt as well. However, you should absolutely include in your report whether getting away from the perimeter after being caught would have been a trivial effort or not.

Contact the employer to get a "Just continue pass".

That would miss the point of a Red Team Engagement. Once you have a "Just continue" pass, you are no longer simulating how a real attacker would act. You would just be going through the company's things with their permission.

There's a flip side: what to do if you discover a physical pentester. When I was working at a bank, I happened to notice the iconic Metasploit CLI welcome banner flash up for a second on a desktop in the middle of a cube farm.

Physical pentesters are a part of life at a bank, and the rules of engagement are very clear beforehand. There are rules and procedures for both parties if someone notices a pentester. This keeps everyone safe.

Because imagine the situation: if Metasploit is running, all it would take is the attacker running a pre-made script, and it could be "game over" for the bank. If you see the banner, it is likely already too late. That means that person's fingers need to be off that keyboard and the network cord pulled/wifi turned off as soon as possible. Like, immediately. That means rough physical interaction, not waiting for security to arrive. And that's a safety problem.

It turns out that in this case the pentester messed up by exposing himself like that, and the engagement would have been prematurely ended; but by following protocols, the engagement continued under the defined scope and everyone was safe. The test was not about being able to get in, but about simulating a malicious insider.