4 - Report

Introduction

At the conclusion of the test, a report is developed that describes the identified vulnerabilities, presents a risk rating, and gives guidance on how to mitigate the discovered weaknesses so that the organization can improve its security posture. The report should be structured to communicate clearly what was tested, how it was tested, and the results of the testing.
This section defines a base structure for a penetration test report; you are encouraged to adapt the format to your own needs.

Structure

A penetration test report has two main parts, the executive summary and the technical report, preceded by a confidentiality statement and a disclaimer and followed by an appendix.
  • Confidentiality statement: A brief explanation of the document's importance and the consequences of its disclosure.
  • Disclaimer: Statement explaining that the assessment reflects the state of the systems at the time of testing, and that you are not responsible for vulnerabilities that appear later or that were not found during the assessment.
  • Executive summary
    • Synopsis: A paragraph or small set of paragraphs written for a non-technical reader, explaining in general terms the major weaknesses found during the test.
    • Observed security strengths: Highlight security measures the client should maintain.
    • Risk Rating: Overall risk rating for the assessed environment, derived from the criticality of the individual findings.
  • Technical report
    • Scope: The assets the client wanted tested for each contracted service, plus any extra information provided by the client, such as credentials.
      • Hosts
      • Ports
      • Provided credentials
    • < SERVICE >: The structure of this part depends on the service contracted by the client.
    • < Footprinting >: Present all the information gathered about the company, grouped by category.
      • Company domains and subdomains
      • Public contact information
      • Public files metadata
      • Employees (Names, roles, emails, leaked credentials...)
    • < Pentesting | vulnerability assessment >: This type of test can be reported in two ways: narrating every step from the enumeration phase to the post-exploitation stage, or focusing directly on the vulnerabilities found and their exploitation without emphasising the enumeration and situational-awareness phases.
      • Hostname - IP
        • Ports (TCP):
        • Ports (UDP):
        • Operating system:
      • Description: What the vulnerability is and what was exploited.
      • CVSS Base Score: Computed with the CVSS calculator; include the vector string so the score can be reproduced.
      • Criticality: To help the client decide which vulnerabilities should be fixed first (Low, Medium, High); it must be derived consistently with the severity scale explained in the appendix.
      • Proof of Concept (PoC): Detailed steps to exploit the vulnerability.
      • Mitigations: Recommendations about how to solve the vulnerability.
    • House cleaning: List of any artifacts left on the client's systems during the test (accounts, files, tools) and confirmation that they were removed.
  • Appendix
    • Changes during the test: Evidence (e-mails, meeting notes) supporting any change to the scope or objectives of the testing.
    • Severity scale: Explain how the criticality of each vulnerability is derived, for example from CVSS score ranges.

Report Example

The source code and the script to generate the PDF can be found in this GitHub Repository.
Pentesting report example: Pentesting-report.pdf (2 MB)
