Module 7

During the entire time you are performing a Pentest an open line of communication should be maintained. This helps to make sure you are staying within the scope and meeting the needs of the client. A clearly defined communication path should be in place. This helps you understand and know who you should be communicating with throughout the test.  Make sure you have:

• Primary Contact: A person that is aware of the day-to-day happenings of the test.

• Technical Contact: A person that can help with any tech issues or if you have questions.

• Emergency Contact: A person who is available 24/7 in case of an emergency (like you bring down a critical server by accident).

There are three things that could cause you to communicate with your contacts.

1. Completing a define portion of the test: You reached a defined milestone and will start to work on the next one. This should be discussed and relayed to the company.

2. A critical issue discovered: During your testing you find a critical issue and it should be resolved ASAP. This needs to be relayed to the company.

3. An indicator of compromise found: During your testing you find clues that a system has already been compromised. Testing should halt right away and inform management and activate their cybersecurity incident response team/process.

The final report does not have a template that you can follow. Though, the organization you are working for might have one that you wish to use.  No matter what, you should make sure that your report includes the following items:

• Executive Summary

• Scope Details

• Methodology

• Finds and Remediation

• Conclusion

• Appendix

It is extremely important that this final report be handled with care. It contains a lot of information that could put the organization at risk. The report should only be transmitted using an encrypted protocol and the report itself should be encrypted. If the report is printed make sure it gets destroyed properly! 

Probably the most important section of the report. This section is probably what a majority of the people will read. This section of the report is usually written for the C-suite executives, so recall they are not technical and should be written in a method that they can easily understand and process what needs to be done. Even though this is the first section that should appear in the report it is best practice to write this section last. When you write the rest of the report first it helps you to finalize your findings, determine your findings and recommendations. 

This section just documents the scope that was outlined and agreed upon. Think of this as away of documenting that for historical purposes. Make sure any scope changes are included.

This section is where you can get down to the technical details and clearly outline what you did. Make sure you are included any type of test you included, the tools used and any observations that you found. You can be technical in this section as the audience that will read this will be technical staff and developers. Even though, you can get technical do not include code snipets, reports or other results. This can be included in the appendix and referenced accordingly. Keep in mind you want the report readable and including reports and results of scans will reduce the readability of the document. 

Make sure this section is extremely detailed. Another person should be able to take your methodology and repeat the steps to get to the same results. 

This section is the fun part! This section describes any and all security issues you found. Not only do you state the issues you found, but you need to provide a solution to fix them. This section should contain a detailed write up of the vulnerability, provide a rate using a known reference framework (CVSS for example), prioritize the risk and provide the impact it could have on daily business operations. 

Your findings might include some or all of the following:

• Shared local administrator credentials

• Weak password complexity

• Plaintext passwords

• No multifactor authentication

• SQL Injections

• Unneeded services

This section you just wrap everything up. Summarize your findings and make sure to provided recommendations for future work. Remember, you got paid to do this, so you want to keep that revenue stream open. The conclusion should also contain a comparison of the risk rating identified in the report to what the organization risk tolerance. Recall, not everything that is found can be fixed. The company has a finite amount of resources and this can help them prioritize. 

Any findings, results or reports that were generated during the test can be included in this section. 

The report has been delivered and discussed, but your job is not done yet. You need to make sure to remove any tools, backdoors, accounts or anything else you created during your testing. You do not want to leave behind something that could be an issue for the organization in the future. 

Also, if you worked with a team in performing this test the team should meet and discuss what they learned, what can be improved and discuss anything else while the client is not in the room. This is a safe space for the team to discuss anything that can be helpful during the next test. 

Below find several example PenTest Reports that you can view to gain a better understanding of the details that should be included:

• https://purplesec.us/wp-content/uploads/2019/12/Sample-Penetration-Test-Report-PurpleSec.pdf

• https://underdefense.com/wp-content/uploads/2019/05/Anonymised-Infrastructure-Penetration-Testing-Report.pdf

• https://www.getastra.com/blog/wp-content/uploads/2021/06/Astra-Security-Sample-VAPT-Report.pdf