pen test documentation

[DataDwarf]

Rescinded
Here is a short blog post from HackaServer that talks about writing a pentest report.

http://blog.hackaserver.com/howto-complete-a-penetration-test-report-guideline/

They also have an example report of a pentest against Metasploitable.

http://blog.hackaserver.com/howto-complete-a-penetration-test-report/

[jjwinter]

Looks like my B.A. in English will have a use someday after all...

[LT72884]

Jamie, how you gonna do the report engine?

im interested in how that is going to work.

[Jamie.R]

LT72884 its somthing I am working on not sure best way to do it yet was thinking having it as web app so mysql backend with php or somthing GUI. I am trying think best way to do it as I want it to be really flexible and grow as a project that everyone can get involed in.

[tturner]

Jamie.r This is something I've been working on for awhile. One of the directions I'm starting to shift more in favor of is using a wiki as the collection point and then populating report with data from the wiki. If you include the ability for team collaboration and a place to upload tool output and then have a way to reference within your reporting engine that has substantial value.

I'd be happy to talk to you about some of the work I've done here if you think it might be helpful. Unfortunately my mechanisms currently are pretty ugly, generate an infopath form, copy and paste into word, customize content and then convert to protected pdf. I know some consultant firms use custom spreadsheets for this and believe it or not get some pretty amazing results out of Excel. I'm moving in a similar direction as you but I think I'm going to implement as a Rails app.

What I'd really love to see here is some good collaboration tools and proper version control for the report. Also need to consider the sensitivity of the data and storage/encryption needs and how you plan to purge or dispose of the data once no longer needed.

Also, if you have not looked at http://dradisframework.org/demo.html already I highly suggest you check it out. It may already meet most of your needs.

[Jamie.R]

Cool I have seen dradis before I am still trying do some ground work I know how I want it laid out it just picking the right tools for the job. As far as encryption goes and deleting data this would be down to the person using it.

I think my plan is to have it so you download it and install it locally that way you are kinder using the tools in your own secure environment. As I say its all still idea in my head really need to get some time sit down draw up some plans of how its all gonna work just trying get some idea from the security community on if it be useful as don't want spend time and no one uses it.

[tturner]

Here is a short blog post from HackaServer that talks about writing a pentest report.

http://blog.hackaserver.com/howto-complete-a-penetration-test-report-guideline/

They also have an example report of a pentest against Metasploitable.

http://blog.hackaserver.com/howto-complete-a-penetration-test-report/

Just checked out this sample report and it's an excellent example.... of what NOT to do. I don't have time to take the deep dive as I'm getting ready to hit the road, but an executive summary with technical terms is a poor executive summary. Nmap output and other tool output in the report is just bad. That stuff belongs in an appendix, far too much copy and paste here for my liking. I'll try to take the time to followup on this with more explicit examples and recommendations in the next day or two, but this is NOT a good report.

[Jamie.R]

oh wow that report is shocking

[DataDwarf]

Just checked out this sample report and it's an excellent example.... of what NOT to do. I don't have time to take the deep dive as I'm getting ready to hit the road, but an executive summary with technical terms is a poor executive summary. Nmap output and other tool output in the report is just bad. That stuff belongs in an appendix, far too much copy and paste here for my liking. I'll try to take the time to followup on this with more explicit examples and recommendations in the next day or two, but this is NOT a good report.

I didn't mean to lead anyone astray. This one from Offensive Security may be a better example:

http://www.offensive-security.com/penetration-testing-sample-report.pdf

also this paper from SANS on writing a report:

http://www.sans.org/reading_room/whitepapers/bestprac/writing-penetration-testing-report_33343

[LT72884]

@jamie. i would ue the template or engine for more than just pen testing by the way. As a mechanical engineer, i will be writing reports probably weekly if not daily.

I think a reporting engine will be awesome for more than just pen test engineers

as for calaborating, google docs is good at that. there is also a program like google docs but can be ran privatly on a LAN for a business(thought that doesnt help you but still pretty cool)

@ datadwarf. dude, you didnt lead us astray, just gave some awesome info of what not to do. This forums totally reminds me of a thomas edison style forum. try and try again until you suceed. I have found it is very importatnt to take notes like mr edison as well. if you get a chnace to see some of his writings, you will be impressed. he wrote everything down and i mean everything.

[Cyber.spirit]

thanx great resources but u can write ur pentest report in issaf standards

[Jamie.R]

I think doing a report and getting it right is the hardest part of the job as this what the client pays for...

[tturner]

Pimping my own blog at http://sentinel24.com/blog/ where I just made a post on this topic. Plan on doing some more here as I am developing a separate wiki on pentest business issues (including scoping, reporting, insurance, customer relationships, quality management, etc)

And jamie.R - yes it's the hardest and the most important. I've always heard that the report should take more time than the test itself. It's not just gathering data and writing a report, what the customer is really paying you for is analysis and interpretation of that data. As I've heard @mmurray say, they are paying you for your wisdom. (sorry if I butchered your quote Mike!  )

[Jamie.R]

Cool post and like you website

[Cyber.spirit]

Just checked out this sample report and it's an excellent example.... of what NOT to do. I don't have time to take the deep dive as I'm getting ready to hit the road, but an executive summary with technical terms is a poor executive summary. Nmap output and other tool output in the report is just bad. That stuff belongs in an appendix, far too much copy and paste here for my liking. I'll try to take the time to followup on this with more explicit examples and recommendations in the next day or two, but this is NOT a good report.

I didn't mean to lead anyone astray. This one from Offensive Security may be a better example:

http://www.offensive-security.com/penetration-testing-sample-report.pdf

also this paper from SANS on writing a report:

http://www.sans.org/reading_room/whitepapers/bestprac/writing-penetration-testing-report_33343

In Offensive Security they didnt write any info about servers like ip or port scanning result but i always did that in my reports is it wrong?