Pen-Testing Reporting

Dengar13

Sr. Member

Posts: 380

Joined: Tue Sep 20, 2005 8:43 am

Location: The Steel City

Post Thu May 11, 2006 1:53 pm

Pen-Testing Reporting

What type of reports or templates do you all use for pen-testing? We just completed ours for a law firm and I am unsure how I am going to report the results. Any and all suggestions are welcome. Thanks!
A+, Net+, MCP, CEH
MCSE: Security/Messaging
MCSA: Security/Messaging
Former U.S. Marine and damn proud of it!
oyle

Sr. Member

Posts: 264

Joined: Mon Jan 02, 2006 11:19 am

Location: Cleveland Ohio

Post Sun May 14, 2006 11:29 am

Re: Pen-Testing Reporting

As part of my CCE studies, they give you a sample of a "Chain of Custody" form. Maybe you could change it and use it for pen-testing. It's in Word, don't think it has any kind of copyright or anything. If you want I could send it to you for you to look at it.
MCP, MCP+I, MCSA, MCSE(NT4/W2K), CCNA, CCA, NWCCC, VH-PIRTS, CEH
--------------------
"hackers are like jedi, crackers are like the sith: do not fall prey to the dark side".

From 1337 h4x0r h4ndb00k: "the ten laws of geek", law x
- Tapeworm
Dengar13

Sr. Member

Posts: 380

Joined: Tue Sep 20, 2005 8:43 am

Location: The Steel City

Post Sun May 14, 2006 12:57 pm

Re: Pen-Testing Reporting

Could you? That would be great. Thanks man!
A+, Net+, MCP, CEH
MCSE: Security/Messaging
MCSA: Security/Messaging
Former U.S. Marine and damn proud of it!
tmartin

Recruiters

Posts: 46

Joined: Tue Sep 20, 2005 9:36 pm

Post Wed May 17, 2006 9:23 pm

Re: Pen-Testing Reporting

Here's the info that I find useful:

Risk: H/M/L
Severity: H/M/L
Probability: H/M/L
Remediation effort: H/M/L
Issue: (describe the problem: vulnerability, host/IP, how it can be exploited)
Affected: (identify the affected devices: PIX firewall, PrintServer1, etc.)
Business impact: (like loss of operational services, theft of bandwidth, etc.)
Remediation: (how to fix it)

Of course you want an overall summary and a description of the methods used and the IPs/DIDs/etc. that were tested.
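A small report-building helper for the finding template tmartin lists above, as an added example that is not from the original thread: it validates the H/M/L ratings, orders findings highest risk first (quick wins first within a level) and produces the per-level counts for the overall summary page. Field names follow the post; the sample findings, hostnames and impact text are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Rating scale from the template; the numeric rank is only used for sorting.
LEVELS = {"H": 3, "M": 2, "L": 1}


@dataclass(frozen=True)
class Finding:
    risk: str
    severity: str
    probability: str
    remediation_effort: str
    issue: str          # the problem: vulnerability, host/IP, how it can be exploited
    affected: tuple     # affected devices, e.g. ("PIX firewall", "PrintServer1")
    business_impact: str
    remediation: str    # how to fix it

    def __post_init__(self):
        # Reject anything outside the H/M/L scale so a typo cannot skew the summary.
        for name in ("risk", "severity", "probability", "remediation_effort"):
            if getattr(self, name) not in LEVELS:
                raise ValueError(f"{name} must be H, M or L, got {getattr(self, name)!r}")


def sort_for_report(findings):
    """Highest risk first; within a level, lowest remediation effort first (quick wins)."""
    return sorted(findings, key=lambda f: (-LEVELS[f.risk], LEVELS[f.remediation_effort], f.issue))


def risk_summary(findings):
    """Finding counts per risk level, for the overall summary page."""
    counts = Counter(f.risk for f in findings)
    return {level: counts.get(level, 0) for level in ("H", "M", "L")}


def render_finding(f):
    """One finding in the template's field order, as plain text for the report body."""
    return "\n".join([
        f"Risk: {f.risk}", f"Severity: {f.severity}", f"Probability: {f.probability}",
        f"Remediation effort: {f.remediation_effort}", f"Issue: {f.issue}",
        f"Affected: {', '.join(f.affected)}", f"Business impact: {f.business_impact}",
        f"Remediation: {f.remediation}",
    ])


# Constructed sample findings (hostnames, issues and impacts are invented for illustration).
SAMPLE = [
    Finding("H", "H", "M", "M", "Unpatched file server reachable from guest network", ("FileServer1",),
            "Exposure of client case files", "Apply vendor patches; segment the guest network"),
    Finding("M", "M", "H", "L", "Default SNMP community string on print server", ("PrintServer1",),
            "Network layout disclosed", "Change the community string; restrict SNMP to the management VLAN"),
    Finding("H", "H", "H", "L", "Remote desktop permits weak passwords", ("FileServer1", "Workstation12"),
            "Unauthorised access to case files", "Enforce a strong password policy; allow RDP only over VPN"),
]
```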
Dengar13

Sr. Member

Posts: 380

Joined: Tue Sep 20, 2005 8:43 am

Location: The Steel City

Post Thu May 18, 2006 3:40 am

Re: Pen-Testing Reporting

Thanks! This is a good standardized list of things for these types of scans/assessments.

;D
A+, Net+, MCP, CEH
MCSE: Security/Messaging
MCSA: Security/Messaging
Former U.S. Marine and damn proud of it!
Kev

Post Sat Jun 24, 2006 4:24 pm

Re: Pen-Testing Reporting

The SANS site has some basic templates in their reading room if my memory is correct. Also, I like to include a printout from Nessus and then do some pretty graphs with Excel. Seems like people like to see a lot of pages with graphs and printouts even if they have no idea of what it means. The key is to include a final page summary that is easier to follow. Put it all in a nice binder and they will feel they got their money's worth.
Dengar13

Sr. Member

Posts: 380

Joined: Tue Sep 20, 2005 8:43 am

Location: The Steel City

Post Sat Jun 24, 2006 8:20 pm

Re: Pen-Testing Reporting

The graphs and printouts are the "executive" reporting, right? LOL! It must make them feel special to see all of those pretty charts. That is a good point about putting it in a binder, more concise that way.
A+, Net+, MCP, CEH
MCSE: Security/Messaging
MCSA: Security/Messaging
Former U.S. Marine and damn proud of it!