.

pen test documentation

<<

DataDwarf

User avatar

Newbie
Newbie

Posts: 31

Joined: Wed Jul 25, 2012 4:43 pm

Post Tue Aug 07, 2012 7:01 pm

Re: pen test documentation

Rescinded
Here is a short blog post from HackaServer that talks about writing a pentest report.

http://blog.hackaserver.com/howto-complete-a-penetration-test-report-guideline/

They also have an example report of a pentest against Metasploitable.

http://blog.hackaserver.com/howto-complete-a-penetration-test-report/
Last edited by DataDwarf on Wed Aug 08, 2012 5:16 pm, edited 1 time in total.
<<

jjwinter

User avatar

Jr. Member
Jr. Member

Posts: 80

Joined: Mon Mar 05, 2012 10:33 pm

Post Tue Aug 07, 2012 8:17 pm

Re: pen test documentation

Looks like my B.A. in English will have a use someday after all...
<<

LT72884

User avatar

Jr. Member
Jr. Member

Posts: 99

Joined: Thu Oct 15, 2009 3:11 pm

Location: Utah

Post Tue Aug 07, 2012 10:04 pm

Re: pen test documentation

Jamie, how you gonna do the report engine?

im interested in how that is going to work.
<<

Jamie.R

User avatar

Sr. Member
Sr. Member

Posts: 435

Joined: Mon Aug 06, 2012 9:57 am

Location: UK

Post Wed Aug 08, 2012 3:37 am

Re: pen test documentation

LT72884 its somthing I am working on not sure best way to do it yet was thinking having it as web app so mysql backend with php or somthing GUI. I am trying think best way to do it as I want it to be really flexible and grow as a project that everyone can get involed in.
| OSWP | eCPPT Silver and Gold | eWPT |

I'm an InterN0T'er
<<

tturner

User avatar

Sr. Member
Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Wed Aug 08, 2012 11:17 am

Re: pen test documentation

Jamie.r This is something I've been working on for awhile. One of the directions I'm starting to shift more in favor of is using a wiki as the collection point and then populating report with data from the wiki. If you include the ability for team collaboration and a place to upload tool output and then have a way to reference within your reporting engine that has substantial value.

I'd be happy to talk to you about some of the work I've done here if you think it might be helpful. Unfortunately my mechanisms currently are pretty ugly, generate an infopath form, copy and paste into word, customize content and then convert to protected pdf. I know some consultant firms use custom spreadsheets for this and believe it or not get some pretty amazing results out of Excel. I'm moving in a similar direction as you but I think I'm going to implement as a Rails app.

What I'd really love to see here is some good collaboration tools and proper version control for the report. Also need to consider the sensitivity of the data and storage/encryption needs and how you plan to purge or dispose of the data once no longer needed.

Also, if you have not looked at http://dradisframework.org/demo.html already I highly suggest you check it out. It may already meet most of your needs.
Last edited by tturner on Wed Aug 08, 2012 11:21 am, edited 1 time in total.
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org
<<

Jamie.R

User avatar

Sr. Member
Sr. Member

Posts: 435

Joined: Mon Aug 06, 2012 9:57 am

Location: UK

Post Wed Aug 08, 2012 2:20 pm

Re: pen test documentation

Cool I have seen dradis before I am still trying do some ground work I know how I want it laid out it just picking the right tools for the job. As far as encryption goes and deleting data this would be down to the person using it.

I think my plan is to have it so you download it and install it locally that way you are kinder using the tools in your own secure environment. As I say its all still idea in my head really need to get some time sit down draw up some plans of how its all gonna work just trying get some idea from the security community on if it be useful as don't want spend time and no one uses it.
| OSWP | eCPPT Silver and Gold | eWPT |

I'm an InterN0T'er
<<

tturner

User avatar

Sr. Member
Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Wed Aug 08, 2012 4:32 pm

Re: pen test documentation

DataDwarf wrote:Here is a short blog post from HackaServer that talks about writing a pentest report.

http://blog.hackaserver.com/howto-complete-a-penetration-test-report-guideline/

They also have an example report of a pentest against Metasploitable.

http://blog.hackaserver.com/howto-complete-a-penetration-test-report/


Just checked out this sample report and it's an excellent example.... of what NOT to do. I don't have time to take the deep dive as I'm getting ready to hit the road, but an executive summary with technical terms is a poor executive summary. Nmap output and other tool output in the report is just bad. That stuff belongs in an appendix, far too much copy and paste here for my liking. I'll try to take the time to followup on this with more explicit examples and recommendations in the next day or two, but this is NOT a good report.
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org
<<

Jamie.R

User avatar

Sr. Member
Sr. Member

Posts: 435

Joined: Mon Aug 06, 2012 9:57 am

Location: UK

Post Wed Aug 08, 2012 4:48 pm

Re: pen test documentation

oh wow that report is shocking
| OSWP | eCPPT Silver and Gold | eWPT |

I'm an InterN0T'er
<<

DataDwarf

User avatar

Newbie
Newbie

Posts: 31

Joined: Wed Jul 25, 2012 4:43 pm

Post Wed Aug 08, 2012 5:10 pm

Re: pen test documentation

tturner wrote:Just checked out this sample report and it's an excellent example.... of what NOT to do. I don't have time to take the deep dive as I'm getting ready to hit the road, but an executive summary with technical terms is a poor executive summary. Nmap output and other tool output in the report is just bad. That stuff belongs in an appendix, far too much copy and paste here for my liking. I'll try to take the time to followup on this with more explicit examples and recommendations in the next day or two, but this is NOT a good report.


I didn't mean to lead anyone astray. This one from Offensive Security may be a better example:

http://www.offensive-security.com/penetration-testing-sample-report.pdf

also this paper from SANS on writing a report:

http://www.sans.org/reading_room/whitepapers/bestprac/writing-penetration-testing-report_33343
Last edited by DataDwarf on Wed Aug 08, 2012 5:12 pm, edited 1 time in total.
<<

LT72884

User avatar

Jr. Member
Jr. Member

Posts: 99

Joined: Thu Oct 15, 2009 3:11 pm

Location: Utah

Post Wed Aug 08, 2012 6:59 pm

Re: pen test documentation

@jamie. i would ue the template or engine for more than just pen testing by the way. As a mechanical engineer, i will be writing reports probably weekly if not daily.

I think a reporting engine will be awesome for more than just pen test engineers

as for calaborating, google docs is good at that. there is also a program like google docs but can be ran privatly on a LAN for a business(thought that doesnt help you but still pretty cool)

@ datadwarf. dude, you didnt lead us astray, just gave some awesome info of what not to do. This forums totally reminds me of a thomas edison style forum. try and try again until you suceed. I have found it is very importatnt to take notes like mr edison as well. if you get a chnace to see some of his writings, you will be impressed. he wrote everything down and i mean everything.
<<

cyber.spirit

User avatar

Sr. Member
Sr. Member

Posts: 370

Joined: Sun Feb 26, 2012 8:07 am

Location: in your heart!

Post Thu Aug 09, 2012 1:16 am

Re: pen test documentation

thanx great resources but u can write ur pentest report in issaf standards
CEH - HackingDojo Shodan - CCNA - MCITP - Offensive Security WIFU - LPIC - MTCNA - SECURITY+
<<

Jamie.R

User avatar

Sr. Member
Sr. Member

Posts: 435

Joined: Mon Aug 06, 2012 9:57 am

Location: UK

Post Thu Aug 09, 2012 3:45 am

Re: pen test documentation

I think doing a report and getting it right is the hardest part of the job as this what the client pays for...
| OSWP | eCPPT Silver and Gold | eWPT |

I'm an InterN0T'er
<<

tturner

User avatar

Sr. Member
Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Thu Aug 09, 2012 1:05 pm

Re: pen test documentation

Pimping my own blog at http://sentinel24.com/blog/ where I just made a post on this topic. Plan on doing some more here as I am developing a separate wiki on pentest business issues (including scoping, reporting, insurance, customer relationships, quality management, etc)

And jamie.R - yes it's the hardest and the most important. I've always heard that the report should take more time than the test itself. It's not just gathering data and writing a report, what the customer is really paying you for is analysis and interpretation of that data. As I've heard @mmurray say, they are paying you for your wisdom. (sorry if I butchered your quote Mike!  ;))
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org
<<

Jamie.R

User avatar

Sr. Member
Sr. Member

Posts: 435

Joined: Mon Aug 06, 2012 9:57 am

Location: UK

Post Thu Aug 09, 2012 3:10 pm

Re: pen test documentation

Cool post and like you website
| OSWP | eCPPT Silver and Gold | eWPT |

I'm an InterN0T'er
<<

cyber.spirit

User avatar

Sr. Member
Sr. Member

Posts: 370

Joined: Sun Feb 26, 2012 8:07 am

Location: in your heart!

Post Thu Aug 09, 2012 7:18 pm

Re: pen test documentation

DataDwarf wrote:
tturner wrote:Just checked out this sample report and it's an excellent example.... of what NOT to do. I don't have time to take the deep dive as I'm getting ready to hit the road, but an executive summary with technical terms is a poor executive summary. Nmap output and other tool output in the report is just bad. That stuff belongs in an appendix, far too much copy and paste here for my liking. I'll try to take the time to followup on this with more explicit examples and recommendations in the next day or two, but this is NOT a good report.


I didn't mean to lead anyone astray. This one from Offensive Security may be a better example:

http://www.offensive-security.com/penetration-testing-sample-report.pdf

also this paper from SANS on writing a report:

http://www.sans.org/reading_room/whitepapers/bestprac/writing-penetration-testing-report_33343

In Offensive Security they didnt write any info about servers like ip or port scanning result but i always did that in my reports is it wrong?
CEH - HackingDojo Shodan - CCNA - MCITP - Offensive Security WIFU - LPIC - MTCNA - SECURITY+
PreviousNext

Return to Network Pen Testing

Who is online

Users browsing this forum: No registered users and 2 guests

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software