Penetration Test Report

[fx0ne]

Thanks for your comments. Will make modifications as suggested in the next installment.

@lupin

I have adjusted a few things as you mentioned and uploaded a new copy of the report. The location and name remains the same. I used open office writer for the report and excel for the graphs and charts. The network diagram was generated from the nmap scan obtained in xml format with radialnet. This is now part of zenmap.

MOD EDIT: Added working links so that others can find them.
http://inverse.com.ng/ossar/ossar_v1.0.pdf
http://inverse.com.ng/ossar/ossar_v1.0.odt

[imported_cybrsnpr]

Very nice layout and I also want to thank you for sharing the document. I also had difficulty finding something like this to use as a template (or at least an idea generator) when I was starting out.

My only suggestion is to provide a 1 page (or less) "executive summary" at the beginning of the document. Many C-Level guys only have time for a synopsis of whatever issue is presented, hence the 1 pager to get your point across quickly and succinctly. Lower level management will be the ones to digest the full report.

Thanks again for sharing...

Regards...

[m-1-k-3]

quite nice but so many colours in one report?!? I think its a little overhead of colours ...

m-1-k-3

[laffing_man]

I like it, but i think theres a lot more eye candy then it really needs. I'm still a rookie so... just my opinion...

[Gitsnik]

I like it, but i think theres a lot more eye candy then it really needs. I'm still a rookie so... just my opinion...

It's too much eye candy for us, but you don't give pen-test reports to IT teams, you give them to companies, which consist of IT teams AND (most importantly) CEO's, CTO's, managers etc.

I prefer the format of the offensive-security ones, but this is nicely formatted.

I have to say though... it kinda looks like someone took an NSE file and formatted it for their report. This is not necessarily a bad thing, but it is missing a decent breakdown of mitigation for each and every section. You should be recommending at least basic stuff to clean up some of the Low priority issues as well.

[Razeor]

I am going to have to agree with the other guys about the colors. I think the information in the report is good, but its probably worthwhile getting a graphic artist to give it a new skin before giving it to corporate clients.

[lupin]

Hi fx0ne

I think its a great idea to created a shared framework for something like this.

Id agree with one of the other posters that theres a bit too much colour in this particular version. Colour is good to make things stand out, but when overused it looses this ability. Personally Id replace all the orange with a colour closer to grey - one that doesn't "jump out" as much - and I think this will be a big improvement.

Id also agree with one of the other posters that perhaps more information on mitigation of the issues could be included, although I'm not quite sure how well this would work - its obviously dependant on type and version or software used, and how well this can be detected/determined by the Pen Tester. There's also space limitations in the document regarding how much information can be included. I do know that when our technical teams here receive most penetration test reports, there's usually an additional process involved to actually document how to resolve each of the issues identified, and it would be good to reduce this additional work. Maybe providing some links to configuration documentation would be a good compromise?

Do you have any plans to also share the base template for this document - the bit without information specific to the pen testing company (cynergi) and the client (eclipse) and the particular test. In other words it might be good to see both a base template and an example report based on that template.

Id also be curious about the tools used to generate the graphs and network maps and what text editor was used to create the document before it was pdf-ed.

[fx0ne]

Thank you all for the useful feedback. I think there is a general consensus about aesthetic appeal and the use of colour. This has been noted and will be amended in the next release.

@Gitsnik

I actually looked at the offensive security sample report as well while i think it will go down very well with a tech audience, C-level execs may not appreciate it (well like i said this is Africa). I will also try and work on the mitigation techniques and strategies as noted. I'd appreciate it if you can give me a heads up.

@lupin

Thanks for your comments. All observations noted. I will be releasing the base template (in editable formats) as you suggested together with the sample report.

I used Open office writer for the word processing and calc and a bit of excel in creating the charts and graphs. The network diagrams were generated from the nmap xml output with radialnet. This has however been included with zenmap.

Please if you have any other suggestions as to what else can be done to improve it, endeavor to let me know.


Thanks

[lupin]

@lupin

I have adjusted a few things as you mentioned and uploaded a new copy of the report. The location and name remains the same. I used open office writer for the report and excel for the graphs and charts. The network diagram was generated from the nmap scan obtained in xml format with radialnet. This is now part of zenmap.

Yes, its certainly easier to read with some of that Orange gone.

I would suggest that the Executive Summary should contain a quick summation of the results of the report, e.g. "We found x number of High Risk, y number of medium risk and z number of low risk issues, the potential impact to your business is whatever, and the estimated effort to fix is blah, and we recommend you concentrate on this, that and the other first"

I also have a number of other minor cosmetic suggestions, but I don't know how relevant or useful they may be to you. If the intent of this project is mainly to demonstrate how a penetration test report should be structured, then minor tweaking to the look of the thing may not be that helpful, especially considering that users of the template would probably customise the report for their own desired "look and feel" anyway. Anyway, if you want me to post them I will do so.

So whats your plan for progressing this project?

Also, heres a link to the sample report (the location was missing from your first post when I posted this )
http://digitalencode.net/ossar/ossar_v0.5.pdf

[Gitsnik]

@Gitsnik

I actually looked at the offensive security sample report as well while i think it will go down very well with a tech audience, C-level execs may not appreciate it (well like i said this is Africa). I will also try and work on the mitigation techniques and strategies as noted. I'd appreciate it if you can give me a heads up.

It's pretty simple really, take that "Issue Ease" section (or Issue Impact), duplicate it, and start writing in mitigating factors. If, for example, a Win 2003 server is vulnerable to ms08_067_netapi (which is a pretty big damned problem), you make a note:

Vuln: mailserver Priority: High
As noted in section x, y part z server is vulnerable to ms08_067_netapi exploit. As shown in section y, x figure 2 this can lead to a full compromise of the (server). Apply patch KB-BLAH to mitigate this vulnerability.

Or something to that effect (I'm burning the candle at all four ends so to speak, and I can't find one of our pentest reports to base it off of). Flesh it out a bit or refine it as you see fit. It is about going that extra mile to help your client. HTH.