EH-Net

Ethical Hacking Discussions and Related Certifications => OSCP - Offensive Security Certified Professional => Topic started by: don on January 08, 2009, 09:25:56 PM



Title: Offensive Security Releases Sample Pen Testing Report
Post by: don on January 08, 2009, 09:25:56 PM
One thing we often forget to do is talk about deliverables. After all, the client isn't just paying us to show off our skillz. Offensive Security is helping the community by releasing a sample report. Take a look and share your thoughts on this report, your reporting style, your client experiences, etc.

Offensive Security
Sample Penetration Test Report for
SNEAKS.IN (http://www.offensive-security.com/offsec-sample-report.pdf)


Hope this helps,
Don


Title: Re: Offensive Security Releases Sample Pen Testing Report
Post by: jason on January 09, 2009, 10:06:09 AM
Definitely a very thorough report. Something to aspire to  :P


Title: Re: Offensive Security Releases Sample Pen Testing Report
Post by: Chan on January 09, 2009, 11:16:47 AM
Nice, I'd been wondering what other people put in theirs. Glad to see I was close to the mark with the one I came up with :)

Very helpful, thanks.


Title: Re: Offensive Security Releases Sample Pen Testing Report
Post by: BillV on January 10, 2009, 09:12:10 AM
Cool! Will have to take a closer look at it and check it out. Nice of them to release something like this... now there should be no excuse for "Nessus results" given back to a client :P lol

BillV


Title: Re: Offensive Security Releases Sample Pen Testing Report
Post by: null1 on January 21, 2009, 05:44:37 AM
Absolutely...there should never be an excuse for submitting Nessus results in a deliverable. I have seen many external vulnerability reports and even some of the "top dogs" out there include raw Nessus outputs in their reports. Now, from a tech standpoint it looks extremely sloppy. However, I would like to know what it looks like from a non-tech user standpoint.


Title: Re: Offensive Security Releases Sample Pen Testing Report
Post by: null1 on January 21, 2009, 05:46:12 AM
BTW, I am going to the Off-Sec 101 Pen Test class in March.  Who has gone to this class already and what should I expect to get out of this class?  Thanks.


Title: Re: Offensive Security Releases Sample Pen Testing Report
Post by: NickFnord on January 21, 2009, 05:57:27 AM
There's quite an extensive thread Here (http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,1152.0/)



Title: Re: Offensive Security Releases Sample Pen Testing Report
Post by: timmedin on February 26, 2009, 08:08:56 AM
I do it a bit differently. If there are any glaring (critical) things that need to be fixed I hit on them in the summary prior to the introduction.

In the introduction I include details of the people who worked on the project on the client side. The report needs to live on its own. If they come back and look at the report they can find out who internally were the system admin, project coordinator (etc) contacts.

Their report totally skips the methodology and crams that in with the findings.

I also have a completely separate findings section detailing the following:
Target
Level of risk (Low Med High)
Exploitation Likelihood (Low Med High)
Description
Recommendation(s)

This gives the sys admins a checklist to work off of to fix things. Selecting Low, Medium, or High for the Risk and Likelihood takes some serious thought. The risk may be harder to quantify in a black box test where you don't know what is around that box. Also, you can't just give everything a rating of high. You have to prioritize. The overall risk is based on the Level of Risk and Exploitation Likelihood and uses a matrix similar to this:
http://www.dwi.gov.uk/regs/service/fig4a.gif
I can't find the one the NSA uses, but that is the one I use. The one shown above is similar and hopefully gets my point across.

One final piece of chrome. I highly suggest using the cross-referencing feature of your word processor. You can add pieces that say see BLAH and have it fill in the text and work as a link in your pdf viewer. It is a small touch, but demonstrates your attention to detail. It also helps a bit since I break up my sections differently.


Title: Re: Offensive Security Releases Sample Pen Testing Report
Post by: COm_BOY on February 26, 2009, 01:13:43 PM
I personally don't think that the report is in depth. I am going to secure a Client network tomorrow morning and after that pen test would be performed on it by some other engineers. There are a lot of things involved in Pen testing as I am going through the process of securing the network. But on the other hand this is the most detailed Sample report I have seen so far on the Internet.


Title: Re: Offensive Security Releases Sample Pen Testing Report
Post by: don on February 26, 2009, 01:23:41 PM
Reports like speeches or sales pitches need to be tailored to the audience. This sample report would be great to those in charge of the technology, but anything more than 1 page is too much for most C-level execs.

Keep that in mind,
Don


Title: Re: Offensive Security Releases Sample Pen Testing Report
Post by: MicroJay on February 26, 2009, 01:37:04 PM
Definitely agree with Don's statement. It depends on the audience.


Title: Re: Offensive Security Releases Sample Pen Testing Report
Post by: timmedin on February 26, 2009, 09:05:58 PM
> Reports like speeches or sales pitches need to be tailored to the audience. This sample report would be great to those in charge of the technology, but anything more than 1 page is too much for most C-level execs.
>
> Keep that in mind,
> Don

Didn't even notice there wasn't an Exec Summary in there. Usually a good thing to have so the exec can feel good that the money he "gave" you was put to good use.


Title: Re: Offensive Security Releases Sample Pen Testing Report
Post by: aweSEC on May 26, 2009, 06:31:27 AM
I am wondering if there are any other sample pentesting reports available from other companies or individuals?


Title: Re: Offensive Security Releases Sample Pen Testing Report
Post by: TalioGladius on August 26, 2009, 03:13:53 PM
Great report to go to the Administrators, Engineers, or Technical Managers....but it looks like pure gibberish to anyone else. Page 5 is about all upper management can understand.


Title: Re: Offensive Security Releases Sample Pen Testing Report
Post by: delano on August 29, 2009, 12:24:26 PM
careeracademy's authorized LPT course for ECCouncil claims to have developing such reports as part of the course. I would be interested to hear from someone who has viewed the DVDs?
Is it worth the price tag?


Title: Re: Offensive Security Releases Sample Pen Testing Report
Post by: Jhaddix on August 31, 2009, 03:22:43 AM
There was also this example that floated around last year:

This is a VA/PT report for a fictitious bank called eClipse Bank PLC carried
out by another fictitious company Cynergi Solutions Inc. All names, URLs,
IPs, etc are fictitious. Some of the vulnerabilities discussed have actually
occurred for real but I have replaced all the pesky details.

The report is attached or it can be downloaded at:

http://digitalencode.net/ossar/ossar_v0.5.pdf

and this one from OWASP (way old I know) for Hacme Bank:

http://lists.owasp.org/pipermail/owasp-london/attachments/20060430/01d79928/attachment.pdf

all good references though =)