33

From my previous question, I've seen that a "Permission to Attack" slip is crucial in ANY Penetration Test. However, that question and its answers and comments have only discussed interactions between the Pentesters and the client's party (their staff).

How should we deal with 3rd parties such as:

  1. "Casual" targets

    • Neighbors
    • 3rd party staff (real elevator maintenance, real Cisco staff, etc)
    • Non-staff people (customers of the company, guests, patients in a hospital, etc)
  2. Dangerous people

    • Local law enforcement (the police)
    • A real possible criminal (having both a Red Team and real criminals breaking in at the same time sounds tough)

I've seen (read articles) some say that we should always tell the police the truth rather than try to social engineer them. I've also heard people talk about themselves tricking local police like staffed security. Some also say that we should present and confirm our Permission to Attack with local law enforcement beforehand as we would with the employer.

  • Well my main question is about 3rd parties in general but it *does* have 2 small parts: the casual targets (customers and maintenance) and the dangerous (police) – ChocolateOverflow Nov 13 '19 at 07:41
  • 3
    "should we hack" - you should ***only hack*** those who have given you permission. Period. How you ***deal*** with 3rd parties is a separate matter. – schroeder Nov 13 '19 at 07:46
  • 3
    Doing a pentest at the same time as a criminal is doing the same? Talk to him and recruit him to your company! Or play the lottery... – ThoriumBR Nov 13 '19 at 15:18

1 Answer

38

It depends very much on the situation and your contract.

Usually, reputable companies who conduct physical pentests have extensive guidelines for their pentesters in many situations. Such instructions are to be followed. I'm going to give a rough overview of possible ways such third parties may be interacted with:

Local Police

Local Police is to be treated like police is treated anywhere else. A Permission to Attack means that you are legally allowed to conduct a physical pentest, not that you have the authority to ignore the police. Should a police officer instruct you to identify yourself or similar, you have to follow suit.

In fact, the fact that you are conducting a pentest is completely irrelevant to any police interaction. Interact with police in accordance with local laws.

Neighbors

Neighbors are people that have nothing to do with the pentest you are performing. You can't be granted any authority over them, just like the company that hired you to perform the pentest has no authority over them.

That doesn't mean you can't strike up a friendly conversation with them if you happen to see them doing some garden work across the street and see what kind of information you get out of them. But for the purposes of your assignment, they are not any different from regular people you meet on the street. Again, your involvement in this pentest doesn't change anything.

Third-Party Staff

This should be covered either in a general policy of your employer, or specified in the contract of the assignment. In general, they are likely to be treated like any "regular" employee of the customer.

For example, if you can walk inside the perimeter together with the guy who was hired to fix the printer, all the better.

Non-Staff People

Tread carefully! Attempting to social-engineer customers, guests, patients, etc. can very quickly become a very difficult subject for you. This should actually be discussed with the client beforehand, and be explicitly written down.

For example, interacting with patients in a hospital may make them and their families feel disrespected, and you want to avoid that.

Emergency Personnel

In case of an earthquake, a pentest would be the least of my worries. Should emergency personnel appear on-site, aid them as best as you can. You don't know the situation, and somebody's life may be in danger. A pentest can always be done again tomorrow.

Real Criminals

Contact security or law enforcement immediately. Don't play hero, just do your job.

  • 10
    in fact, I'd say that if the police respond to your attempt to break into a facility during a pen test, your test has failed and the security of the facility remains uncompromised... – jwenting Nov 14 '19 at 07:31
  • 2
    I think I've seen people talk about situations where they meet with police but social engineer their way through to continue with the operation though. – ChocolateOverflow Nov 14 '19 at 08:49
  • I feel like this doesn't really account for all the ways that things could easily go messily. – ikrase Nov 14 '19 at 10:23
  • 1
    "interacting with patients in a hospital may make them and their families feel disrespected" - and under some jurisdictions impersonating medical staff (medical secretary, doctor, nurse etc) to patients may put you in legal hell as it violates medical privacy. And in worst cases can interfere with their therapy leading to loss of money, health and worse. – Mołot Nov 14 '19 at 10:46
  • @Mołot Yes, but I was more referring to asking a patient like "Excuse me, do you know where the medical staff is?" or such. Impersonating medical staff is something that I didn't even consider someone would attempt to do. –  Nov 14 '19 at 12:32
  • @jwenting Maybe. It depends what their goal was. If their goal was to get access to highly sensitive information and are able to publish it, they still lost. –  Nov 14 '19 at 19:39
  • 2
    @MechMK1 but in pentests dressing to blend in with personnel allowed to be there is common, right? And in hospital doing so may make patients believe you're a doctor even if you merely ask for nurses' station in this ward. – Mołot Nov 15 '19 at 14:06