lptv4 module 43 penetration testing report and documentation writing

ECSA/LPT

EC CouncilModule XXXXIII

EC-Council Penetration Testing Report and Documentation WritingDocumentation Writing

Penetration Testing Report

The report’s goal is to show the organization that your teamThe report s goal is to show the organization that your teamhonestly wants to improve the company’s security posture– bear this in mind when writing the report.

EC-CouncilCopyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

Documentation Writing

Documentation report should contain the final result andd i if h bl if d d i hrecommendations to rectify the problem if occurred during the

penetration testing process.

• Summary of the test execution.• Scope of the project

The document report includes:

• Scope of the project.• Result analysis.• Recommendations.• Appendixes.pp

After documentation, submit the document to the client and get thesignature from them and keep a copy of the report



signature from them and keep a copy of the report.

Summary of Execution

The summary should provide a short, high-level overview of the test.y p g

It should contain the client’s name, testing firm, date of test, and so on.

Information about the targeted systems and applications.Information about the targeted systems and applications.

End-user test results.

Examine all exploits performedExamine all exploits performed.

The summary should include details of discovered vulnerabilities.



Scope of the Project

Scope of the project should include the IP address rangesthat are tested and mentioned in the contract.

S f th j t h ld i l d

• Examining whether social engineering has employed or not.• Examining whether public or private networks are tested or

Scope of the project should include:

• Examining whether public or private networks are tested ornot.

• Examining whether Trojans and backdoor softwareapplications are permitted or not.applications are permitted or not.



Result Analysis

The results analyzed should include:

• Domain name and IP address of the host.• TCP and UDP ports.

y

TCP and UDP ports.• Description of the service.• Details of the test performed.• Vulnerability analysis.Vulnerability analysis.



Recommendations

If you simply run a handful of tools and provide a report,y p y p p ,then the company will never want to see you again.

R d ti t th i it i i t t f thRecommendations to their security is very important for thereport to be accepted by the customer.



Appendices

Appendices should include:

• Contact information.• Screen shots

Appendices should include:

• Screen shots.• Log output.



Test Reports on Network

Network penetration testing should i l d th f ll i t

• Executive report• Active report

include the following reports:

• Active report• Host report• Vulnerability report• Payment Card Industry (PCI) reporty y ( ) p



Executive Report

Generate reports for various hosts, users, and vulnerabilities thatp , ,were identified, targeted, and exploited during the test process.



Activity Report

Generates a detailed report for various executed exploits.Generates a detailed report for various executed exploits.


All Rights Reserved. Reproduction is Strictly Prohibited Source: http://www.coresecurity.com

Host Report

Generate a detailed report on various hosts that were tested.Generate a detailed report on various hosts that were tested.



Vulnerability Report

Generate report on various vulnerabilities that were pexploited effectively during the penetration testing process.



Payment Card Industry (PCI) ReportReport

Display the results of vulnerabilities that are performed bythe Payment Card Industry (PCI) data security standard.



Client-Side Test Reports

Client-side penetration testing shouldi l d h f ll i

• Client-side penetration reportU t

include the following reports:

• User report



Client-Side Penetration Test ReportReport

Provide report for client side test that includes the email template sent,exploit launched, test result, and details about the compromisedexploit launched, test result, and details about the compromisedsystems.


All Rights Reserved. Reproduction is Strictly Prohibited Source: “http://www.coresecurity.com

User Report

Provide information about which links were clicked, when the linksli k d d h h li k d h li kwere clicked, and who have clicked the link.

Display summarized report on all the users who were identified andtargeted during the testing processtargeted during the testing process.



Source: “http://www.coresecurity.com

Test Reports on Web ApplicationsApplications

Web application penetration testingh ld i l d h f ll i

• Web application vulnerability report:• Provides detailed report on every vulnerability that were found

should include the following reports:

• Provides detailed report on every vulnerability that were foundduring the testing process.

• Web application execution report:• Provides summarized report of every vulnerable web page foundp y p g

during the penetration testing process.



Web Application Testing Report

Source: “http://www.coresecurity.com



Writing the Final Report

Writing the final report does not have to be the responsibility of oneg p p yperson.

I lti l t b ill t ib t t th t lIn many cases, multiple team members will contribute to the actualwriting of the final report.

Assign the writing responsibility according to the abilities of individualteam members.



Creating the Final Report

Final report delivery date

The cover letter

The executive summary:

• Organization synopsis• Purpose for the evaluation • System description • System description • Summary of evaluation • Major findings and

recommendations



recommendations• Conclusion

Report Format

Your final report must always be in PDF format, unlessp y ,otherwise requested by your customer.



Delivery

Deliver the report personally and avoid sending the p p y greport by emails or CD-ROM.

A printed report is the best format.



Report Retention

The pen-test information is very sensitiveThe pen test information is very sensitive.

You should only store it for a certain period of time (30–45d i i l)days is typical).

You should be able to answer questions during this period.You should be able to answer questions during this period.

After the 30–45 days, you should destroy the informationfrom your storagefrom your storage.

This clause is usually mentioned in the contract with thecustomer before the engagement begins



customer before the engagement begins.

Summary

Pentest reports on discovered vulnerabilities, available options,d i d irecommendations, and suggestions.

Recommendations make the most important part of the reportf th t i l t f i i th t k itfor the user to implement for improving the network security.

A pen tester should hand over the sensitive information within 45days or should destroy from the storagedays or should destroy from the storage.

Create a final report, documenting the test findings.

Deliver the report to the concerned officer.



lptv4 module 43 penetration testing report and documentation writing

Documents