Penetration Test Report

<<

fx0ne

Newbie

Posts: 7

Joined: Mon Jul 06, 2009 11:57 am

Post Mon Jul 06, 2009 5:31 pm

Penetration Test Report

Hi all,

I have been an ethical hacker for about 6 years but mainly operating out of Africa where PT is still being regarded as some sort of "black magic". Most of our clients are big financial institutions and conglomerates.

I have been a passive member of this forum for some time now and would like to share with you a VA/PT report framework that I came up with from my experience consulting in this field. I do not know how reports are structured in other parts of the world, but I do know that other than the engagement itself, the report serves to justify the derived value around these parts.

I have googled for sample reports but to say I came up short is a masterpiece of understatement. What I found were either too verbose and grandiose or downright narrow in scope, missing out salient but pertinent details in mostly audacious attempts at describing all the technical input and results - detailed layout, logical flow and visual analysis are conspicuous only by their absence.

I have always believed that in order to get inside the mentality, first we have to jettison the PT myth. Furthermore, I am also of the opinion that a VA/PT report should be as simple and clear as it is concise and should cut across all strata of audience, not just the technically minded.

All these put together led me to put up what is the first draft of the Open Source Security Assessment Report (OSSAR v 0.5). This is something that will be updated as often as I can with new information. I will kindly request members to download it and give an objective opinion on the material. I am very much interested in what this community thinks. Comments (+ve or -ve), suggestions and modifications are welcomed.

This is a VA/PT report for a fictitious bank called eClipse Bank PLC carried out by another fictitious company Cynergi Solutions Inc. All names, URLs, IPs, etc. are fictitious. Some of the vulnerabilities discussed have actually occurred for real but I have replaced all the pesky details.

It can be downloaded here: http://uploading.com/files/E5MHOS2U/ossar_v0.5.pdf.html

Thanks
Last edited by fx0ne on Mon Jul 06, 2009 5:33 pm, edited 1 time in total.
<<

venom77

Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Mon Jul 06, 2009 6:29 pm

Re: Penetration Test Report

I'm going to have to take a closer look and read through it, but right away I can say that I'm pretty sure you can't be using the 'LPT' logos/images in an "open source" report....
<<

UNIX

Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Tue Jul 07, 2009 12:44 am

Re: Penetration Test Report

I will take a closer look too when I have some more time. However, I can already say that such a project is much appreciated and welcomed.

Some time ago I searched for some sample reports but did not find many free resources. One I found is from Offensive Security which can be found here.
Another one which is OSSTMM (Open Source Security Testing Methodology Manual) also includes the things a report should contain and is also widely used in Europe. It can be read here.
Third one I would like to mention is the Penetration Testing Framework which can be found here and also includes some interesting things.
Sometimes it may be that the report itself is not included in the above mentioned and others, but it is said what is to be expected - with this information it should be possible to create your own report.

Although I like to pick the "best" things out of each and use it for my own reports, clients often like to stick to one, e.g. the OSSTMM.

I am really looking forward to reading your approach. Thanks for sharing.
<<

fx0ne

Newbie

Posts: 7

Joined: Mon Jul 06, 2009 11:57 am

Post Tue Jul 07, 2009 1:41 am

Re: Penetration Test Report

@BillV

Thanks for the observation. I will remove the LPT images in the upcoming version.

@awesec

Thanks, expecting your feedback.
<<

fx0ne

Newbie

Posts: 7

Joined: Mon Jul 06, 2009 11:57 am

Post Tue Jul 07, 2009 2:14 am

Re: Penetration Test Report

An amended copy of ossar can be downloaded here.

http://www.digitalencode.net/ossar/ossar_v0.5.pdf

Thanks
<<

ethicalhack3r

Full Member

Posts: 139

Joined: Fri Nov 28, 2008 11:29 am

Post Tue Jul 07, 2009 2:50 am

Re: Penetration Test Report

Will have a look. Don't forget that the OWASP Testing Guide has some information on writing reports too.

EDIT---

Good example. I'm not sure about using a real test for the report?! Or is that just for realism?

This document contains confidential and proprietary information.
It is intended for the exclusive use of eClipse Bank.
Unauthorized use or reproduction of this document is prohibited
Last edited by ethicalhack3r on Tue Jul 07, 2009 2:56 am, edited 1 time in total.
<<

UNIX

Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Tue Jul 07, 2009 3:27 am

Re: Penetration Test Report

This is a VA/PT report for a fictitious bank called eClipse Bank PLC carried out by another fictitious company Cynergi Solutions Inc. All names, URLs, IPs, etc. are fictitious. Some of the vulnerabilities discussed have actually occurred for real but I have replaced all the pesky details.


;)
<<

ethicalhack3r

Full Member

Posts: 139

Joined: Fri Nov 28, 2008 11:29 am

Post Tue Jul 07, 2009 3:53 am

Re: Penetration Test Report

awesec wrote:
This is a VA/PT report for a fictitious bank called eClipse Bank PLC carried out by another fictitious company Cynergi Solutions Inc. All names, URLs, IPs, etc. are fictitious. Some of the vulnerabilities discussed have actually occurred for real but I have replaced all the pesky details.


;)


:-\ I should have read a little more. lol
<<

dalepearson

Sr. Member

Posts: 357

Joined: Thu Nov 09, 2006 10:03 am

Post Tue Jul 07, 2009 8:51 am

Re: Penetration Test Report

Thanks for taking the time to share your sample report. Like you say (and rightly so in some cases) there are not many sample reports available freely on the web, but most companies, if you approach them, will give you a sample.

I have had a look through and I did think the content was good, as people come to expect from these reports. Personally I did think that there was the occasional use of images without justification. I know a picture speaks a thousand words, but perhaps some additional commentary to accompany the imaging would help.
Finally, perhaps I missed it, but the results don't give any detail as to if you exploited the vulnerabilities, or if the rating is just adapted from the vuln scanners you have used. I know many organisations don't like what I call a true pen test and don't want things to be exploited, but on some occasions you may come across counter controls that may actually reduce the rating of a found issue.

I am probably being too picky as I see a lot of these reports, but good work and thanks again for sharing, I am sure it will help out some of the readers.
<<

don

Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Tue Jul 07, 2009 11:08 am

Re: Penetration Test Report

Welcome to EH-Net and thanks for the nice contribution to the community at-large.

Don
CISSP, MCSE, CSTA, Security+ SME
<<

fx0ne

Newbie

Posts: 7

Joined: Mon Jul 06, 2009 11:57 am

Post Tue Jul 07, 2009 12:11 pm

Re: Penetration Test Report

@ dalepearson

Thanks for the comments. Your observations are well noted. Some of the vulnerabilities were exploited, especially as regards the web application, and were given risk ratings accordingly, and the false positives were duly tested and risk ratings lowered.

@ don

Thanks.
<<

fx0ne

Newbie

Posts: 7

Joined: Mon Jul 06, 2009 11:57 am

Post Thu Oct 15, 2009 12:16 pm

Re: Penetration Test Report

I have been a bit busy lately but recently made some amendments to OSSAR (v1.0) based on the feedback received from forum members. I'm pretty sure I have omitted some suggestions because of my pressing schedule. Therefore, in addition to posting the PDF copy, an editable version in OpenOffice ODT format is also provided. The documents can be downloaded here:

https://sourceforge.net/projects/ossar/ ... f/download
https://sourceforge.net/projects/ossar/ ... t/download

Cheers
Last edited by fx0ne on Tue Oct 20, 2009 9:48 am, edited 1 time in total.