Time
4 hours 20 minutes
Difficulty
Intermediate
CEU/CPE
5

Video Description

• What to include
  o Details
  o Artifacts
• What to consider
  o Audience
  o Time
  o Classification
• Supporting documentation

Video Transcription

00:04
Welcome to Cybrary. I'm Raymond Evans, and I will be your subject matter expert for Cybrary's web app penetration testing course. In this video, we will be discussing report creation. What will be covered? We're gonna discuss what to include, the details and the artifacts; what to consider, such as the audience, time, classification
00:22
and any supporting documentation. Report creation is very important.
00:27
It's important because
00:30
if you don't have a good report built when you're going into a company to perform a job, or leaving a company after performing a job and giving them the results, you can look amateurish in their eyes, especially that initial report coming on.
00:50
So
00:50
with the initial report coming on,
00:53
you are going to want to put in your planning. So what steps did you take to plan this out? What assets did you look at? What reports did you look at? Who did you contact? Things like that. You want to show them that you had a good plan going into this
01:10
and you want to show what your methodology was throughout this planning. You wanna have your assumptions. So things like
01:18
this is the assumed IP range that we're going into, this is the assumed kind of environment, Linux or Windows environment, that we're going into.
01:26
We're assuming that
01:30
they have web servers that are running web applications, we're assuming that there's some kind of database server,
01:38
things like that. You want to put all these assumptions in there that you have about the environment. So that way, when you come in, you show them your planning and then you discuss your assumptions, anything can be
01:51
clarified right then and there that may be wrong or may be right. You're also gonna put a clear-cut objective in there.
01:57
You just don't want to say, Hey, I'm here to pen test. You want to say
02:00
I'm here to look at
02:02
assets X, Y and Z for these kind of vulnerabilities.
02:07
So the OWASP Top 10, or you
02:13
are worried about cross-site scripting, so our objective is just finding cross-site scripting. You don't want to leave your objective open and it
02:21
leaving it open, and it leaves a certain layer of uncertainty with the customer.
02:27
They don't know if you're going to
02:30
accidentally break
02:31
their network or break some assets on the network.
02:35
Or, you know,
02:37
if you're actually just going to do certain types of tests.
02:40
So have a clear-cut objective in your report. When you are coming on to the site and you're giving an introduction report to whoever you're working for, you wanna discuss your methodology. So
02:55
did you use the hacker methodology? If not, if you have your own kind of methodology, explain that. Tell them what exact steps you have taken so far.
03:05
What steps come next? And then what's the future of this
03:09
assessment?
03:10
If you have a clear cut methodology
03:14
laid out, then again, you're gonna look knowledgeable, and it's going to put the customer at ease. And with that methodology, you wanna build a timeline. So things like
03:24
Okay, we are going to have our
03:28
introduction here. Our introduction report.
03:31
Ah,
03:32
eight o'clock to whatever time we're gonna plug into the network from this time to this time, we're going to
03:39
then run scans X, Y, Z, test this business. You know, have a built-out timeline. So that way,
03:47
when you are performing actions on the network,
03:51
your customer has
03:53
some idea of when certain things will be happening, and
03:58
this could also be given to their IT department. That way, their IT department isn't freaking out like, Oh, my God.
04:04
I see a cross-site scripting attempt or I see a SQL injection attempt. We're being attacked, when they could look at that timeline and say, whoa,
04:13
it's noon.
04:14
We're doing a lunchtime SQL injection, right?
04:18
This is probably them. And then they can double check with you real quick before throwing up all the red flags and freaking out. So these are some of the things you would want in your initial report going into the job. You would also wanna have these in an executive report of some sort at the end of the assessment as well.
04:38
So at the end of the assessment, you could say, Hey, this is what we briefed you. This is what we were going to do, and then move on to what you actually did and what you actually found. So when you do find something and when you are building a report of what you found, you wanna include all of the affected assets. So what exactly,
04:58
which machines exactly had this?
05:00
What were we able to find on this? You want to put things like what the OS is, the operating system, the service version of the item that got
05:10
affected. If a vulnerability is found, you will want to put in the CVE IDs. This allows the customer to quickly look up what the vulnerability is, and when they, and if they, hopefully they do, have their IT department take care of it, that IT department, looking at this report, can
05:29
look at the CVE ID
05:30
and quickly fix it with the suggested recommendations that are provided by the CVE database. Along with that, you want an actual impact.
05:42
You want to tell them that? Hey,
05:45
if this happens and this is executed, then data
05:50
of this sort may be taken, you know,
05:54
money from here, here and here could be taken.
05:56
Um, you could have a downtime for X amount of time. You want a clear impact. You want to tell them
06:02
this vulnerability is bad and this is exactly why it's bad. Paint a picture for them.
06:09
Don't just say, hey, you're vulnerable to this, because
06:13
in a lot of individuals' minds who don't speak technical a lot, they're just going to see that and say, Oh, all right. I'll just get my IT department to fix it sometime when we've got the budget.
06:24
No, you want to let them know that this,
06:27
these vulnerabilities here are bad, and this is why they're bad. And then you're gonna have an attack probability. So what that means is you want to include things like
06:36
users are using
06:39
this portion of the application. Well, that portion,
06:44
if
06:46
somebody puts a SQL injection in here, then this can happen. What's the probability of that? Well, the page that it's on
06:55
is a page every single user uses, and there's hundreds of thousands upon hundreds of thousands of users
07:02
every hour. So the attack probability is very, very high.
07:06
Now, if it's some
07:09
page that you had to spider, and that page was hidden within a link within a link within a link within a link
07:16
and
07:17
a user would only
07:20
stumble across that page if they were looking for some kind of specialized information,
07:26
then the attack probability is gonna be lower. You also wanna have the estimated loss as well,
07:30
so you could tell them Hey, if this system is hit,
07:36
this is a
07:38
piece of
07:39
key terrain on your network. And if this item is hit
07:43
and you were to lose
07:46
visibility to the outside network, and if you lose that mail, it's gonna take X amount of time for you to bring it back up. Which means X amount of users
07:55
and X amount of money could be lost. You wanna have
08:00
a
08:01
number in there, an actual monetary number. Say this is how much money you can lose if this vulnerability is exploited. And then with that, you want to put recommendations in.
08:15
Don't just tell them that Hey, you have this vulnerability. Tell them Hey, you have this vulnerability.
08:20
It's really bad.
08:22
This is why it's bad.
08:24
This is how likely it is to be attacked. This is how much you're gonna lose. But that's how you fix that. You never wanna walk away from a customer and have the customer scratching their head. Well
08:35
says I got a cross-site scripting here, says I got a SQL injection. I don't know what to do here. Tell them about form validation and things like that. Let them know that this vulnerability exists, and this is how you fix it,
08:52
and also have a reference for how to fix it. Many of the CVE databases,
08:56
if you find a vulnerability and it has a CVE ID to it, will tell you the recommended actions. With those web fuzzers that we covered in earlier videos, they also have recommendations in there, so you can also pull recommendations from that. Have a very comprehensive report
09:15
for individuals as you leave their organization.


Instructed By

CyDefe
Instructor