lptv4 module 43 penetration testing report and documentation writing
DESCRIPTION
ECSAv4 Module 00 Student IntroductionTRANSCRIPT
ECSA/LPT
EC CouncilModule XXXXIII
EC-Council Penetration Testing Report and Documentation WritingDocumentation Writing
Penetration Testing Report
The report’s goal is to show the organization that your teamThe report s goal is to show the organization that your teamhonestly wants to improve the company’s security posture– bear this in mind when writing the report.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Documentation Writing
Documentation report should contain the final result andd i if h bl if d d i hrecommendations to rectify the problem if occurred during the
penetration testing process.
• Summary of the test execution.• Scope of the project
The document report includes:
• Scope of the project.• Result analysis.• Recommendations.• Appendixes.pp
After documentation, submit the document to the client and get thesignature from them and keep a copy of the report
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
signature from them and keep a copy of the report.
Summary of Execution
The summary should provide a short, high-level overview of the test.y p g
It should contain the client’s name, testing firm, date of test, and so on.
Information about the targeted systems and applications.Information about the targeted systems and applications.
End-user test results.
Examine all exploits performedExamine all exploits performed.
The summary should include details of discovered vulnerabilities.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Scope of the Project
Scope of the project should include the IP address rangesthat are tested and mentioned in the contract.
S f th j t h ld i l d
• Examining whether social engineering has employed or not.• Examining whether public or private networks are tested or
Scope of the project should include:
• Examining whether public or private networks are tested ornot.
• Examining whether Trojans and backdoor softwareapplications are permitted or not.applications are permitted or not.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Result Analysis
The results analyzed should include:
• Domain name and IP address of the host.• TCP and UDP ports.
y
TCP and UDP ports.• Description of the service.• Details of the test performed.• Vulnerability analysis.Vulnerability analysis.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Recommendations
If you simply run a handful of tools and provide a report,y p y p p ,then the company will never want to see you again.
R d ti t th i it i i t t f thRecommendations to their security is very important for thereport to be accepted by the customer.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Appendices
Appendices should include:
• Contact information.• Screen shots
Appendices should include:
• Screen shots.• Log output.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Test Reports on Network
Network penetration testing should i l d th f ll i t
• Executive report• Active report
include the following reports:
• Active report• Host report• Vulnerability report• Payment Card Industry (PCI) reporty y ( ) p
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Executive Report
Generate reports for various hosts, users, and vulnerabilities thatp , ,were identified, targeted, and exploited during the test process.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Activity Report
Generates a detailed report for various executed exploits.Generates a detailed report for various executed exploits.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited Source: http://www.coresecurity.com
Host Report
Generate a detailed report on various hosts that were tested.Generate a detailed report on various hosts that were tested.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited Source: http://www.coresecurity.com
Vulnerability Report
Generate report on various vulnerabilities that were pexploited effectively during the penetration testing process.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited Source: http://www.coresecurity.com
Payment Card Industry (PCI) ReportReport
Display the results of vulnerabilities that are performed bythe Payment Card Industry (PCI) data security standard.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited Source: http://www.coresecurity.com
Client-Side Test Reports
Client-side penetration testing shouldi l d h f ll i
• Client-side penetration reportU t
include the following reports:
• User report
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Client-Side Penetration Test ReportReport
Provide report for client side test that includes the email template sent,exploit launched, test result, and details about the compromisedexploit launched, test result, and details about the compromisedsystems.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited Source: “http://www.coresecurity.com
User Report
Provide information about which links were clicked, when the linksli k d d h h li k d h li kwere clicked, and who have clicked the link.
Display summarized report on all the users who were identified andtargeted during the testing processtargeted during the testing process.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Source: “http://www.coresecurity.com
Test Reports on Web ApplicationsApplications
Web application penetration testingh ld i l d h f ll i
• Web application vulnerability report:• Provides detailed report on every vulnerability that were found
should include the following reports:
• Provides detailed report on every vulnerability that were foundduring the testing process.
• Web application execution report:• Provides summarized report of every vulnerable web page foundp y p g
during the penetration testing process.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Web Application Testing Report
Source: “http://www.coresecurity.com
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Writing the Final Report
Writing the final report does not have to be the responsibility of oneg p p yperson.
I lti l t b ill t ib t t th t lIn many cases, multiple team members will contribute to the actualwriting of the final report.
Assign the writing responsibility according to the abilities of individualteam members.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Creating the Final Report
Final report delivery date
The cover letter
The executive summary:
• Organization synopsis• Purpose for the evaluation • System description • System description • Summary of evaluation • Major findings and
recommendations
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
recommendations• Conclusion
Report Format
Your final report must always be in PDF format, unlessp y ,otherwise requested by your customer.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Delivery
Deliver the report personally and avoid sending the p p y greport by emails or CD-ROM.
A printed report is the best format.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Report Retention
The pen-test information is very sensitiveThe pen test information is very sensitive.
You should only store it for a certain period of time (30–45d i i l)days is typical).
You should be able to answer questions during this period.You should be able to answer questions during this period.
After the 30–45 days, you should destroy the informationfrom your storagefrom your storage.
This clause is usually mentioned in the contract with thecustomer before the engagement begins
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
customer before the engagement begins.
Summary
Pentest reports on discovered vulnerabilities, available options,d i d irecommendations, and suggestions.
Recommendations make the most important part of the reportf th t i l t f i i th t k itfor the user to implement for improving the network security.
A pen tester should hand over the sensitive information within 45days or should destroy from the storagedays or should destroy from the storage.
Create a final report, documenting the test findings.
Deliver the report to the concerned officer.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited