Penetration Testing Report Tutorial

(Disclaimer: My report structure might differ from that of other people and organizations.)

After the Red Teamer has completed the technical part of the engagement, they need to prepare a Penetration Testing Report to raise their findings with the client.

Firstly, the report needs a guideline on how to use it, so that the client is able to understand the report.

A sample of such a guideline can be written as below:

These are the <number> sections that you will be able to see in the report:
Section 1: .............
Section 2: .........
Section 3: ...........

Next, we need to define the Risk Rating, which assesses the risk that a finding poses to the system and to the activities of the business.

HIGH
Total host compromise. Any vulnerability that provides an attacker with access into the network or host, gains superuser access or bypasses a security system. The vulnerability opens the possibility of immediate unauthorized access into a machine with privileges to modify and create information within the system; it breaches the confidentiality, integrity and availability of the network or system. Further impact of this level of vulnerability may:
  • affect the operations of the business unit
  • cause service disruption or denial of service
  • allow a potential attacker to obtain control over devices and infrastructure

MEDIUM
Network and system settings and configuration can be changed, which could lead to network or host compromise. A vulnerability which provides unauthorized access to information residing on a network or system without privileges to modify/alter the information; it breaches the confidentiality and availability of the network or system. Further impact of this level of vulnerability may:
  • affect the performance of supporting systems of the business unit; however, it does not cause a denial of service or service disruption
  • cause partial disclosure of information

LOW
Reconnaissance. Any vulnerability which does not typically yield valuable information or control over a system but instead gives the attacker knowledge that may help them find and exploit other vulnerabilities. A vulnerability that provides a malicious user access to information residing on a system, for reconnaissance which can be used to launch attacks against the system; it breaches the confidentiality and availability of the network or system. These vulnerabilities usually do not have any direct impact on the affected device.

After that, we can also include an Executive Summary that briefs the client on the activities the Red Teamer carried out during the testing.

The activities that need to be briefed in the report can be, for example:

  • Web Application Penetration Testing
  • Network Vulnerability Penetration Testing
  • Internal Penetration Testing & External Penetration Testing
  • Server Hardening Assessment
  • Network Review (if it is part of the scope)

Aside from the above, the Red Team also needs to include the Scope that they were assigned by the client.

Sample of a Vulnerability found during the Testing activity

Below is a sample of the Vulnerability template that we can raise with the client:

High Risk

Medium Risk

At the top of the table, we need to name the Vulnerability that we found during our testing. In the next column, we need to state which device is affected by this Vulnerability. We also need to provide evidence, such as a screenshot of the POC (Proof of Concept).

We also need to write a description of the Vulnerability so that the client understands it much better. Additionally, we need to insert the Risk Rating into the table together with the CVSS score.

Lastly, we need to give recommendations or solutions to fix the Vulnerability.