
Offensive Security Releases Sample Pen Testing Report

don

Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Thu Jan 08, 2009 10:25 pm

One thing we often forget to do is talk about deliverables. After all, the client isn't just paying us to show off our skillz. Offensive Security is helping the community by releasing a sample report. Take a look and share your thoughts on this report, your reporting style, your client experiences, etc.



Hope this helps,
Don
CISSP, MCSE, CSTA, Security+ SME

jason

Hero Member

Posts: 1013

Joined: Sat Jun 21, 2008 6:23 pm

Location: USA

Post Fri Jan 09, 2009 11:06 am

Definitely a very thorough report. Something to aspire to  :P

Chan

Newbie

Posts: 32

Joined: Thu Jun 05, 2008 4:38 am

Post Fri Jan 09, 2009 12:16 pm

Nice, I'd been wondering what other people put in theirs. Glad to see I was close to the mark with the one I came up with :)

Very helpful, thanks.
CCNA, 100m Swimming cert.

venom77

Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Sat Jan 10, 2009 10:12 am

Cool! Will have to take a closer look at it and check it out. Nice of them to release something like this... now there should be no excuse for "Nessus results" given back to a client :P lol

BillV

null1

Newbie

Posts: 2

Joined: Wed Jan 21, 2009 6:40 am

Post Wed Jan 21, 2009 6:44 am

Absolutely... there should never be an excuse for submitting Nessus results in a deliverable. I have seen many external vulnerability reports and even some of the "top dogs" out there include raw Nessus outputs in their reports. Now, from a tech standpoint it looks extremely sloppy. However, I would like to know what it looks like from a non-tech user standpoint.

null1

Newbie

Posts: 2

Joined: Wed Jan 21, 2009 6:40 am

Post Wed Jan 21, 2009 6:46 am

BTW, I am going to the Off-Sec 101 Pen Test class in March.  Who has gone to this class already and what should I expect to get out of this class?  Thanks.

NickFnord

Full Member

Posts: 117

Joined: Fri Sep 05, 2008 5:25 am

Post Wed Jan 21, 2009 6:57 am

There's quite an extensive thread Here

timmedin

Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Thu Feb 26, 2009 9:08 am

I do it a bit differently. If there are any glaring (critical) things that need to be fixed I hit on them in the summary prior to the introduction.

In the introduction I include details of the people who worked on the project on the client side. The report needs to live on its own. If they come back and look at the report they can find out who internally were the system admin, project coordinator (etc) contacts.

Their report totally skips the methodology and crams that in with the findings.

I also have a completely separate findings section detailing the following:
Target
Level of risk (Low Med High)
Exploitation Likelihood (Low Med High)
Description
Recommendation(s)

This gives the sys admins a checklist to work off of to fix things. Selecting Low, Medium, or High for the Risk and Likelihood takes some serious thought. The risk may be harder to quantify in a black box test where you don't know what is around that box. Also, you can't just give everything a rating of high. You have to prioritize. The overall risk is based on the Level of Risk and Exploitation Likelihood and uses a matrix similar to this:
http://www.dwi.gov.uk/regs/service/fig4a.gif
I can't find the one the NSA uses, but that is the one I use. The one shown above is similar and hopefully gets my point across.

One final piece of chrome. I highly suggest using the cross-referencing feature of your word processor. You can add pieces that say see BLAH and have it fill in the text and work as a link in your PDF viewer. It is a small touch, but demonstrates your attention to detail. It also helps a bit since I break up my sections differently.
twitter.com/timmedin | http://blog.securitywhole.com

COm_BOY

Full Member

Posts: 129

Joined: Tue Feb 03, 2009 10:40 am

Post Thu Feb 26, 2009 2:13 pm

I personally don't think that the report is in depth. I am going to secure a client network tomorrow morning and after that a pen test would be performed on it by some other engineers. There are a lot of things involved in pen testing as I am going through the process of securing the network. But on the other hand this is the most detailed sample report I have seen so far on the Internet.
It has become appallingly obvious that our technology has exceeded our humanity.

don

Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Thu Feb 26, 2009 2:23 pm

Reports like speeches or sales pitches need to be tailored to the audience. This sample report would be great to those in charge of the technology, but anything more than 1 page is too much for most C-level execs.

Keep that in mind,
Don
CISSP, MCSE, CSTA, Security+ SME

MicroJay

Full Member

Posts: 101

Joined: Wed Feb 04, 2009 4:19 pm

Post Thu Feb 26, 2009 2:37 pm

Definitely agree with Don's statement. It depends on the audience.
GSEC - GCIH - GSNA - GPEN

timmedin

Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Thu Feb 26, 2009 10:05 pm

don wrote: Reports like speeches or sales pitches need to be tailored to the audience. This sample report would be great to those in charge of the technology, but anything more than 1 page is too much for most C-level execs.

Keep that in mind,
Don


Didn't even notice there wasn't an Exec Summary in there. Usually a good thing to have so the exec can feel good that the money he "gave" you was put to good use.
twitter.com/timmedin | http://blog.securitywhole.com

UNIX

Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Tue May 26, 2009 6:31 am

I am wondering if there are any other sample pentesting reports available from other companies or individuals?

TalioGladius

Newbie

Posts: 5

Joined: Mon Oct 08, 2007 9:11 am

Post Wed Aug 26, 2009 3:13 pm

Great report to go to the Administrators, Engineers, or Technical Managers... but it looks like pure gibberish to anyone else. Page 5 is about all upper management can understand.

delano

Newbie

Posts: 2

Joined: Mon Jun 15, 2009 4:35 pm

Post Sat Aug 29, 2009 12:24 pm

careeracademy's authorized LPT course for ECCouncil claims to have developing such reports as part of the course. I would be interested to hear from someone who has viewed the DVDs?
Is it worth the price tag?