Learn the art of report writing in penetration testing
In penetration testing, report writing is a comprehensive task that covers the methodology, the procedures, a proper explanation of the report’s content and design, a detailed example of a testing report, and the tester’s personal experience. Once the report is prepared, it is shared with the senior management and the technical team of the target organization. If the need arises in the future, the report is used as a reference.
Why is a penetration test report so important?
Never forget, penetration testing is a scientific process, and like all scientific processes it should be repeatable by an independent party. If a client disagrees with the findings of a test, they have every right to ask for a second opinion from another tester. If your report doesn’t detail how you arrived at a conclusion, the second tester will have no idea how to repeat the steps you took to get there. This could lead to them offering a different conclusion, making you look a bit silly and, worse still, leaving a potential vulnerability exposed to the world.
Your efforts will go to waste if you don’t record your results. To become a successful white hat hacker, you should know how to write good reports. In this part of the book, you’ll discover important tips, tricks, and techniques for writing penetration test reports.
Report Planning
Report planning starts with the objectives, which help readers understand the main points of the penetration test. This part describes why the testing was conducted, what the benefits of pen testing are, and so on. Report planning also covers the time taken for the testing.
Main Elements of a Report
Goals – Describe the purpose of your test. You may include the advantages of penetration testing in this part of the report.
Time – You should include the timestamp of the activities you will perform. This will give an accurate description of the network’s status. If a problem occurs later on, the hacker can use the timestamps of his activities to determine the cause of the issue.
Audience – The report should have a specific audience. For example, you may address your report to the company’s technical team, IT manager, or CEO.
Classification – You should classify the document since it contains sensitive data. However, the mode of classification depends on your client.
Distribution – Your report contains confidential information. If a black hat hacker gets access to that document, the network you were meant to protect will go down. Thus, your report should indicate the total number of copies you made as well as the people to whom you sent them. Each report must have an ID number and the name of its recipient.
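The Time and Distribution elements above, sketched as an added example that is not part of the original text: a record that logs test activities with UTC timestamps, issues one numbered copy per named recipient, and answers which activities were running against a host when a problem was reported. The class, its method names, the report ID, the recipients and the 192.0.2.x hosts are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

def to_utc(ts):
    # Naive timestamps are ambiguous across time zones, so reject them.
    if ts.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    return ts.astimezone(timezone.utc)

@dataclass
class ReportRecord:
    report_id: str
    classification: str
    audience: str
    activities: list = field(default_factory=list)  # (start, end, target, action)
    copies: dict = field(default_factory=dict)      # copy ID -> recipient

    def log(self, start, minutes, target, action):
        start = to_utc(start)
        self.activities.append((start, start + timedelta(minutes=minutes), target, action))

    def issue_copy(self, recipient):
        # One numbered copy per named recipient, so every copy is traceable.
        if recipient in self.copies.values():
            raise ValueError(f"{recipient} already holds a copy")
        copy_id = f"{self.report_id}-C{len(self.copies) + 1:02d}"
        self.copies[copy_id] = recipient
        return copy_id

    def active_during(self, when, target, slack_minutes=5):
        # Test actions against `target` running at `when`, give or take the slack.
        when, slack = to_utc(when), timedelta(minutes=slack_minutes)
        return [action for start, end, tgt, action in self.activities
                if tgt == target and start - slack <= when <= end + slack]

    def distribution_section(self):
        head = f"{self.classification} | audience: {self.audience} | copies: {len(self.copies)}"
        return "\n".join([head] + [f"  {cid}: {who}" for cid, who in self.copies.items()])

def build_sample():
    # Constructed data: report ID, dates, recipients and 192.0.2.x hosts are made up.
    rec = ReportRecord("PT-EXAMPLE-001", "Confidential", "IT manager")
    day = datetime(2024, 3, 4, tzinfo=timezone.utc)
    rec.log(day.replace(hour=9), 30, "192.0.2.10", "port scan")
    rec.log(day.replace(hour=10), 45, "192.0.2.20", "web application scan")
    rec.log(day.replace(hour=13), 20, "192.0.2.10", "configuration review")
    rec.issue_copy("IT manager")
    rec.issue_copy("CEO")
    return rec
```

Calling `build_sample().distribution_section()` returns the text for the distribution page, and `active_during()` accepts the incident time in the client's own time zone.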
Information Collection
Because the processes are complicated and lengthy, the pen tester is required to record every step to make sure that he has collected all the information from all stages of testing. Along with the methods, he also needs to mention the systems and tools, the scanning results, the vulnerability assessments, the details of his findings, etc.
Penetration tests involve long and complex processes. As a result, you need to describe every piece of information that you’ll collect during the attack. Describing your hacking techniques isn’t enough. You should also explain your assessments, the results of your scans, as well as the output of your hacking tools.
Writing the First Draft
Once the tester is ready with all the tools and information, he needs to start the first draft. He should write this first draft in detail, mentioning everything, i.e. all activities, processes, and experiences.
Creating Your First Draft
Write the initial draft of your report after collecting all the information you need. Make sure that this draft is full of details. Focus on the processes, experiences, and activities related to your test.
Proofreading
Typographical and/or grammatical errors can ruin your report. Thus, you need to review your work and make sure that it is error-free. Once you’re satisfied with your output, ask your colleagues to check it. This approach will help you produce excellent reports.
Review and Finalization
Once the report is drafted, it has to be reviewed first by the drafter himself and then by his seniors or colleagues who may have assisted him. While reviewing, the reviewer is expected to check every detail of the report and find any flaw that needs to be corrected.
Content of Penetration Testing Report
Following is the typical content of a penetration testing report −
Executive Summary
Methodology
Detailed Findings
References