📓4 - Report

Introduction

At the conclusion of the test, a report is developed to describe the identified vulnerabilities, present a risk rating, and give guidance on how to mitigate the discovered weaknesses, supporting the client's efforts to improve its security posture. Furthermore, the report should be structured to clearly communicate what was tested, how it was tested, and the results of the testing.

This section is intended to define the base structure for a penetration test report, although it is highly encouraged to use your own format based on your needs.

Structure

A penetration test report comprises mainly two parts: the executive summary and the technical information.

  • Confidentiality statement: A brief explanation of the document's importance and the consequences of its disclosure.

  • Disclaimer: Statement explaining that you are not responsible for new vulnerabilities that might appear in the future and were not found during the assessment.

  • Executive summary

    • Synopsis: A paragraph or small set of paragraphs, written for a non-technical reader, explaining in general terms the major weaknesses you found during the test.

    • Observed security strengths: Highlight security measures the client should maintain.

    • Risk Rating:

  • Technical report

    • Scope: Should contain the assets the client wanted tested for each contracted service, along with any extra information provided by the client, such as credentials.

      • Hosts

      • Ports

      • Provided credentials

    • < SERVICE >: Depending on the service contracted by the client, it will have a different structure.

    • < Footprinting >: Show all the information obtained about the company, organised by category.

      • Company domains and subdomains

      • Public contact information

      • Public files metadata

      • Employees (Names, roles, emails, leaked credentials...)

    • < Pentesting | vulnerability assessment >: This type of test can be reported in two ways: narrating every step from the enumeration phase to the post-exploitation stage, or focusing directly on the vulnerabilities found and their exploitation, without emphasising the enumeration and situational awareness phases.

      • Hostname - IP

        • Ports (TCP):

        • Ports (UDP):

        • Operating system:

      • Description: Description of what has been exploited.

      • CVSS Base Score: CVSS Calculator

      • Criticality: A rating (Low, Medium, High) that helps decide which vulnerabilities should be fixed first.

      • Proof of Concept (PoC): Detailed steps to exploit the vulnerability.

      • Mitigations: Recommendations about how to solve the vulnerability.

    • House cleaning

  • WiFi report: All the steps involved in a WiFi penetration test exercise.

  • Appendix

    • Changes during the test: List the evidence supporting any change in the testing objectives.

    • Meaning of the severity scale: Explain what the criticality of each vulnerability is based on.

Report Example

The source code and the script to generate the PDF can be found in this GitHub Repository.

Reporting Tools

As an alternative, you can use tools such as PwnDoc or GhostWriter, where you can manage your clients and project information, register their infrastructure (servers, domains, etc.), manage vulnerability templates, and use report templates, all in a multi-user-friendly environment.
