LPTv4 Module 43 Penetration Testing Report and Documentation Writing

ECSA/LPT
EC Council
EC-Council
Module XXXXIII
Penetration Testing
Report and
Documentation Writing
Penetration Testing Report

The report
reportss goal is to show the organization that your team
honestly wants to improve the companys security posture
bear this in mind when writing the report.
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Documentation Writing
Documentation report should contain the final result and
recommendations
d i
to rectify
if the
h problem
bl
if occurred
d during
d i
the
h
penetration testing process.
The document report includes:
Summary of the test execution.

Scope of the project.
project
Result analysis.
Recommendations.
Appendixes.
pp
After documentation, submit the document to the client and get the
signature from them and keep a copy of the report.
report
EC-Council
Summary of Execution
The summaryy should p
provide a short, high-level
g
overview of the test.
It should contain the clients name, testing firm, date of test, and so on.
Information about the targeted systems and applications.
End-user test results.
Examine all exploits performed.
performed
The summary should include details of discovered vulnerabilities.
EC-Council
Scope of the Project

Scope of the project should include the IP address ranges
that are tested and mentioned in the contract.
S
Scope
off the
th project
j t should
h ld include:
i l d
Examining whether social engineering has employed or not.
Examining whether public or private networks are tested or
not.
Examining whether Trojans and backdoor software
applications are permitted or not.
EC-Council
Result Analysis
The results analyzed
y
should include:
EC-Council
Domain name and IP address of the host.

TCP and UDP ports.
Description of the service.
Details of the test performed.
Vulnerability analysis.
Recommendations
If yyou simply
p y run a handful of tools and p
provide a report,
p ,
then the company will never want to see you again.
Recommendations
R
d ti
t their
to
th i security
it is
i very important
i
t t for
f the
th
report to be accepted by the customer.
EC-Council
Appendices
Appendices should include:
Contact information.
Screen shots.
shots
Log output.
EC-Council
Test Reports on Network

Network penetration testing should
i l d the
include
th ffollowing
ll i reports:
t
EC-Council
Executive report
Active report
Host report
Vulnerability report
y
Card Industryy ((PCI)) report
p
Payment
Executive Report
Generate reports
p
for various hosts,, users,, and vulnerabilities that
were identified, targeted, and exploited during the test process.
EC-Council
Activity Report
Generates a detailed report for various executed exploits.
EC-Council
Source: http://www.coresecurity.com
Host Report
Generate a detailed report on various hosts that were tested.
EC-Council
Vulnerability Report
Generate report
p
on various vulnerabilities that were
exploited effectively during the penetration testing process.
EC-Council
Payment Card Industry (PCI)

Report
Display the results of vulnerabilities that are performed by
the Payment Card Industry (PCI) data security standard.
EC-Council
Client-Side Test Reports

Client-side penetration testing should
i l d the
include
h following
f ll i reports:
Client-side penetration report
User
U
reportt
EC-Council
Client-Side Penetration Test

Report
Provide report for client side test that includes the email template sent,
exploit launched, test result, and details about the compromised
systems.
EC-Council
User Report
Provide information about which links were clicked, when the links
were clicked,
li k d and
d who
h have
h
clicked
li k d the
h link.
li k
Display summarized report on all the users who were identified and
targeted during the testing process.
process
EC-Council
Test Reports on Web

Applications
Web application penetration testing
should
h ld include
i l d the
h following
f ll i reports:
Web application vulnerability report:
Provides detailed report on every vulnerability that were found
during the testing process.
Web application execution report:

Provides summarized report
p
of everyy vulnerable web p
page
g found
during the penetration testing process.
EC-Council
Web Application Testing Report
EC-Council
Writing the Final Report

Writing
g the final report
p
does not have to be the responsibility
p
y of one
person.
IIn many cases, multiple
lti l team
t
members
b
will
ill contribute
t ib t to
t the
th actual
t l
writing of the final report.
Assign the writing responsibility according to the abilities of individual
team members.
EC-Council
Creating the Final Report

Final report delivery date
The cover letter
The executive summary:
Organization synopsis
Purpose for the evaluation
System description
Summary of evaluation
Major findings and
recommendations
Conclusion
EC-Council
Report Format
Your final report
p
must always
y be in PDF format,, unless
otherwise requested by your customer.
EC-Council
Delivery
Deliver the report
p
p
personallyy and avoid sending
g the
report by emails or CD-ROM.
A printed report is the best format.
EC-Council
Report Retention
The pen
pen-test
test information is very sensitive.
sensitive
You should only store it for a certain period of time (3045
d
days
i typical).
is
i l)
You should be able to answer questions during this period.
After the 3045 days, you should destroy the information
from your storage.
storage
This clause is usually mentioned in the contract with the
customer before the engagement begins.
begins
EC-Council
Summary
Pentest reports on discovered vulnerabilities, available options,
recommendations,
d i
and
d suggestions.
i
Recommendations make the most important part of the report
f the
for
th user to
t implement
i l
t for
f improving
i
i the
th network
t
k security.
it
A pen tester should hand over the sensitive information within 45
days or should destroy from the storage.
storage
Create a final report, documenting the test findings.
Deliver the report to the concerned officer.
EC-Council
EC-Council
EC-Council

LPTv4 Module 43 Penetration Testing Report and Documentation Writing

Загружено:

Сведения о документе

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

LPTv4 Module 43 Penetration Testing Report and Documentation Writing

Загружено:

Авторское право:

Доступные форматы

ECSA/LPT

Penetration Testing Report

Summary of the test execution.

Scope of the Project

Domain name and IP address of the host.

Test Reports on Network

Payment Card Industry (PCI)

Client-Side Test Reports

Client-Side Penetration Test

Test Reports on Web

Web application execution report:

Web Application Testing Report

Writing the Final Report

Creating the Final Report

Вам также может понравиться