How to write a pentest report

A few months ago I passed the eWPT exam. That is when I realized that writing a pentest report could be hard for people who have just broken into the industry.

This article will try to give some simple steps on how to write a pentest report and the important elements that should be in it. It aims to give professionals new to the field some advice on how to write a report for exams or for customers. It can also be used by bug hunters (the vulnerability report part).

This article is short on purpose: I want it to be clear but not too tedious to read, as the process of writing a report can seem scary to newcomers.

Why do we need a report?

A report is the document that presents all your findings and explains them to every role in the company that hired you for the engagement. It will contain the scope previously defined with your customer, high-level explanations of the findings and their impact, as well as precise technical descriptions of every finding. A report is made of several parts.

The Executive Summary

This is the part written for the executives of the company who will read the report. It needs to be a high-level explanation with no technical details.

It is relevant to add graphs of the findings such as: vulnerabilities by impact, attacks by type and vulnerabilities by cause.

The definitions in MITRE CWE can help you define the categories to use in those graphs.

It can include a global posture on how the findings, and the combination of them in an attack chain, could impact your customer’s business.
It can also be useful to include a remediation priority based on your expertise and the prior discussions you had with your customer.

The Vulnerability Report

This is the part where you present each vulnerability you found. I recommend that you order those by severity.

Each vulnerability should have a score that you can calculate using CVSS. Here is a calculator. This score takes into account precise metrics to produce a value as close as possible to the impact the vulnerability could have. However, depending on your customer’s context the real impact might differ; it is your expertise and the prior conversation you had with your customer about their business that will help you define the impact for them. You don’t need to tamper with the CVSS metrics to reflect this: that is the goal of the remediation priority I mentioned in the previous part.

Here is a way to present it:

  • Severity
  • CVSS score
  • Affected item
  • Description: you have to explain the vulnerability and explain it in the context of your target. For example: « In the context of the support page, some checks were made on the client side, but those checks could be bypassed. »
    Feel free to add resources about the vulnerability
  • Remediation: Here you have to explain how to mitigate the vulnerability. It is always good to add resources from recognized industry standards like OWASP for web pentesting reports.
  • Evidence: Here you need to add proof of the vulnerability. The goal is that the team that will implement the mitigation is able to reproduce the attack. That is why it is important that during the attacking phase you write plenty of notes and take plenty of screenshots and proofs.

Note: I personally prefer when each vulnerability is presented with its remediation, but you can also write a remediation report part right after this.

Useful Resources

Here is a great template by Andrew Morrison (docx and odt):

  • Pentext is a collection of XML templates, XML schemas and XSLT code which, combined, provide an easy way to generate IT security documents including test reports.
  • Pentest standards about reporting
  • Radically Open Security publishes in their portfolio some reports of projects they did. Those are good examples.
  • MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.
  • CWE is a community-developed list of software and hardware weakness types. It serves as a common language, a measuring stick for security tools, and as a baseline for weakness identification, mitigation, and prevention efforts.
  • OWASP list of vulnerabilities (for web pentesting)
  • Exploit-DB is a great resource for exploitation
  • National Vulnerability Database by the US CERT

World Tour Podcast Series 1 episode 1: Melanie Rieback, Radically Open Security

Melanie Rieback is co-founder and CEO of Radically Open Security, the world’s first not-for-profit computer security consultancy company (see my article about my internship with them here).

If you want to know more about:

  • The first not-for-profit computer security consultancy company
  • The vision of cybersecurity of a social entrepreneur

Listen to this podcast! (You can download the file as mp3)

Listen on this page

Listen on Apple Podcasts: https://podcasts.apple.com/fr/podcast/world-tour-podcast-series-1-episode-1-melanie-rieback/id1476926546?i=1000447379627

My internship at Radically Open Security

One of my goals in this ethical hacker challenge was to volunteer for a GREAT organization. This is what I did with Radically Open Security, who welcomed me as an intern for six months.

Where did I get this opportunity?

When I started to work in IT I quickly had concerns about the lack of safety on the Internet. Therefore, my curiosity and thirst for learning led me to wonder about the construction of a safer cyberspace. This quest has shaped the type of company I wanted to be involved with. This is when I discovered the existence of ROS (Amsterdam, Netherlands) and Melanie Rieback in a press article. This initiative was self-evident to me and in line with the values I want to promote. Transparency is the central point of this company and its business model is a promise of a better social future.

What is Radically Open Security?

« Radically Open Security is the world’s first not-for-profit computer security consultancy company. We are prototyping an innovative new business model – using a Dutch « Fiscaal Fondswervende Instelling » (Fiscal Fundraising Institution) to provide a commercial front-end that sends 90% of our profits tax-free to a backend foundation (Stichting NLnet) that has supported open-source, Internet research, and digital rights organizations for almost 20 years. The other 10% of our profits will go to an employee profit-sharing scheme, in which the secretary accumulates profit-sharing rights as quickly as the CEO. Additionally, due to our low management/overhead costs, we can afford to pay competitive wages to our computer security consultants. »
At ROS everybody works remotely.
(source: https://radicallyopensecurity.com/business-model.htm)

Wait! Not for profit?

Yes, not for profit! Let Melanie Rieback, co-founder and CEO, explain this to you:

What service do they offer?

  • Penetration testing, ethical hacks and social engineering
  • Malware reversing and analysis
  • Network monitoring and threat detection
  • Forensics
  • CSIRT and incident response
  • Code audits
  • DDoS Testing
  • Cryptographic analysis
  • Custom R&D Projects
  • Workshops, trainings and mentoring
  • Misc: Embedded, Android and RFID Security

(source: https://radicallyopensecurity.com/services.htm)

What did I do?

Participation in the creation of a Capture-The-Flag (CTF) game

ROS helped to build a CTF for the CyberHeroes week of the non-profit organization Cyberworkplace (see my article about the CyberHeroes week here).
The theme of the week was Heroes in cyber; I built a list with many heroes from the cybersecurity world, plus cryptography and cybersecurity resources.

Observation of pentests

I was added to some pentesting channels on RocketChat, a chatroom that was used for work communication. This way, I was able to peek over the shoulders of pentesters and see how they work and how they communicate with the client, as the pentests are completely visible to the clients from the beginning to the end (this is one of the core principles of ROS).

Review of pentest reports

I was able to read and review some pentest reports. This really helped me to see how proper pentest reports are built, what pentesters look for while pentesting and which tools they use.

Improvement of the onboarding manual for new staff members

When I onboarded I was provided with an onboarding manual. As I encountered some small problems setting up my work environment, I added some entries to the onboarding manual in order to help future onboarders who have the same configuration I had.

Creation of a wiki page with relevant onboarding information for new staff members

ROS wanted to improve the onboarding process and provide the onboarders with resources and useful information.
This is why I created a wiki page with many resources for every type of position (project management, software development, pentesting, …). I also added a section with general information about ROS.
After setting up this wiki I invited everyone to contribute and share their knowledge with relevant links: their favorite tools that help them in their tasks, great articles they’ve read, anything they would find relevant.

Submission of a process for improving internal training

We wanted to improve the internal training; that is why I created a document proposing some ideas on the subject.

Helping a coworker with the use of GitLab (Radically Open Security’s file storage system)

One of the other interns was new to GitLab. As I had previously encountered Git and worked with it, I was able to help.

Organizing folders in GitLab

ROS puts their projects and documentation on an internal GitLab system. I updated the organization of the folders.

Use of Pentext and XML

« The OWASP PenText XML documentation project can help your software security company produce offers, reports, invoices and generic documents by offering a well-structured and easy to maintain documenting system you can modify to your liking. »
This tool was created by ROS; they open-sourced it and made it available on GitHub.
In order to use Pentext you need to know XML.
I really enjoyed using Pentext. XML is really useful and you get to generate great-looking documents. This saves a lot of work, mainly for pentesting reports, but it can also be used to save time on other types of reports.

What did I gain from this experience?

As I plan to build a company, ROS was an inspiring and innovative model for tomorrow’s companies.
More specifically, I learned how a holacratic system works in a company. This system, in which everyone has a place and a voice, has been a beautiful discovery.
On a more technical level I have used many tools such as Pentext.
Finally, I have appreciated working remotely because it requires a personal work organization that invites you to be autonomous and rigorous.

(source: CyberHeroes week Flickr) During the CyberHeroes week I had the opportunity to meet Daan, Steven, Melanie and Anh from ROS.

To go further

CyberHeroes week by Cyberworkplace

During my internship at Radically Open Security, I had the opportunity to help with the building of a CTF made for the CyberHeroes week of Cyberworkplace. I found Cyberworkplace’s initiative so great that I asked if I could volunteer for the CyberHeroes week. Not only did they accept me as a volunteer, but also as a participant.

What is Cyberworkplace?

Cyberworkplace is a Dutch initiative based in Rotterdam. It « is a non-profit initiative that helps reduce the current shortage of cyber security experts in the labor market and provides much-needed 21st-century skills to vulnerable young people (dropouts/ gamers/students, who lack practical experience in their study programs).
The training/lessons given at Cyberworkplace are inspired by modern teaching methods such as peer-to-peer techniques and project-based learning. » (source: https://cyberworkplace.tech/wat-is/)

What is CyberHeroes?

« CyberHeroes is a one-week training program that brings together twenty talented youngsters from The Netherlands and New Mexico, USA. Together they will be trained in ethical hacking skills to address current security threats. Over the course of one week, they will take on hacker battles, work on CSI-type cyber challenges with local police, study the history of cryptography, learn to fight cyber crime alongside international hackers, and much more. » (source: Cyberheroes booklet)

(source: Cyberheroes flickr)

Day 1: Cryptography and lockpicking

(source: cyberheroes booklet)

Philip Zimmermann gave a great talk about cryptography and data protection.
He presented the evolution of the Internet and its impact on privacy.

(source: cyberheroes booklet)

(source: Oscar Koeroo’s slides)

Oscar Koeroo started his workshop with a talk about his work at KPN and how they handle security.
In 2012, KPN got hacked; that year they decided to set up a Security Operations Center to better handle such incidents.
KPN’s CISO strategy and policy is made available to everyone here.
After this introduction, he started explaining cryptography concepts.
He then detailed RSA encryption.
Finally, we practiced RSA encryption, encrypting our own messages with our own numbers.
He mentioned a very good tool to help us with the assignments:
WolframAlpha.

(source: Cyberheroes flickr)

We ended the day with lockpicking; now I really want to buy my own lockpicking set! 😀 It reminded me of the video game Skyrim, except it is much easier with a joystick ^^

Day 2: CTF with Radically Open Security

(source: screenshot of the CTF platform made by Daan Spitz from Radically Open Security)

In the morning, Daan Spitz was introduced and then we started the CTF. Daan works for Radically Open Security, who sponsored the event and provided a CTF that he made.
In the afternoon, Melanie Rieback, CEO of Radically Open Security, was introduced; she presented ROS and gave a great demo talk about cracking passwords.
We cracked the password « TreeHouse1234 » in less than 33 seconds!
The demo and slides can be found on ROS’s GitHub.

(source: Cyberheroes flickr)

Day 3: On a boat with the Dutch Police

(source: Cyberheroes flickr)

On day 3, we spent the whole day at the Seaport Police of Rotterdam.
We had the opportunity to meet Dirk-Jan Grootenboer, Peter Duin and other great police officers. They presented the Seaport Police and their work.
The Cyber Resilience unit has several goals:

  • Awareness of cyber threats and risks by citizens, corporations and other organisations
  • Know how to act: reactive, preventive, pro-active
  • Work together to share knowledge and new opportunities offered by technology
  • Resulting in continuous growth of cyber resiliency
  • From cyber security to cyber resilience
  • From reactive to pro active thinking and acting
  • Catching the advantages of cyber with an open eye for the risks

(source: Police officers talk)

Then, we had a CSI-like challenge and a Police Patrol Boat Adventure. We were able to work on our social engineering skills and see the huge port of Rotterdam (the largest in Europe).

In the afternoon, Floor Jansen and Marinus Boekelo joined us to present the Hack_Right initiative and explain the amazing takeover of Hansa Market, a dark web marketplace.
Hack_Right is an initiative to help young hackers who committed a small crime to get back on the right path and use their skills for ethical hacking.
It consists of 4 modules:

  1. Restorative justice: if you commit a crime you break your connection with the victim; to repair this you have to do something for the community. In this module, cyber criminals are confronted with the damage and possibly even with the victims.
  2. Training: ethical and legal boundaries
  3. Coaching: personal connection between coach and offender. This involves providing longer guidance to the offender, linking them to someone from the community.
  4. Alternative: indicates the opportunities on the labour market and teaches young people where to develop their talents

(source: Floor Jansen’s talk and Mediawijzer’s article)

Day 4: Cybersprint at The Hague Security Delta and US Ambassador residence

In the morning, we worked on « Make it Smart ». Maarten van Duivenbode introduced us to smart objects and how to use them. We were able to program lights and their colors.

In the afternoon, we visited Cybersprint at The Hague Security Delta. Cynthia Schouten gave an introductory talk and a tour of the campus. We visited Hogeschool Leiden’s IoT lab, where we were introduced to a mixed reality tool that aims to train students in forensics with simulated crime scenes.

(source: Cyberheroes flickr)

Then, we visited Splendo, who introduced us to their smart bike lock project for X-bike.

After the tour, Peter van Eijk, who works at the municipality of The Hague, presented the Hack Den Haag CTF, a CTF to help the city of The Hague be more secure.
Finally, Soufian El Yadmani gave an amazing talk about his journey into cybersecurity. He explained that he was hired as a cybersecurity analyst at Cybersprint after winning a CTF. He and his team travel to many CTF competitions.
His secret to being a good ethical hacker? Practice, practice, practice!

After our visit to The Hague Security Delta campus we went to the US Ambassador’s residence for a reception for the CyberHeroes program. There, Peter Hoekstra, the US Ambassador, Anouk Vos from Cyberworkplace and Charles Ashley III from Cultivating Coders gave talks. The Ambassador is now a proud hacker in a beautiful Cyberworkplace hoodie and the owner of a CyberHeroes medal!

(source: Cyberheroes flickr)

Day 5 and 6: Trip to Leeuwarden, no escape possible

(source: Cyberheroes flickr)

On the last two days of CyberHeroes, we were invited to Leeuwarden for a CTF at the amazing Hacklab.
Leeuwarden is a beautiful historical city in the north of the Netherlands that was European Capital of Culture in 2018.
The CTF gave us the opportunity to learn a lot.
After all this hacking, we had to go to jail… just joking, we spent the night in a former prison: Alibi Hostel.

But before going to sleep, we took part in a great escape game made by Henk Van Ee, founder of Cybersafety4U, in which we had to unlock a hacker’s phone.

(source: Cyberheroes flickr)

To conclude this awesome week, we all got a certificate and a CyberHeroes medal.
Needless to say I was very proud to participate in and help with this great adventure.
I would like to take the time to thank Radically Open Security (Melanie and Anh), without whom I would not have heard about Cyberworkplace.
Thanks also to Anouk, Nasya and Maria from Cyberworkplace, who welcomed me for this week.
They all did amazing work and I would definitely recommend that everyone who has the opportunity take part in a week like this.
Volunteer or help Cyberworkplace any way you can; they do such amazing work for students and cybersecurity lovers.

(source: CyberHeroes Flickr) Volunteers for the CyberHeroes week: Adelle, Anh, Maria, Anouk, me, Nasya

To go further: