Welcome to Cybrary. I'm Raymond Evans, and I will be your subject matter expert for Cybrary's web app penetration testing course. In this video, we will be discussing report creation. What will be covered? We're gonna discuss what to include, the details and the artifacts, and what to consider, such as the audience, time, classification
and any supporting documentation. Report creation is very important.
It's important because
if you don't have a good report built when you're going into a company to perform a job, or leaving a company after performing a job and giving them the results, you can look amateurish in their eyes, especially that initial report coming on.
with the initial report coming on,
you are going to want to put in your planning. So what steps did you take to plan this out? What assets did you look at? What reports did you look at? Who did you contact? Things like that. You want to show them that you had a good plan going into this
and you want to show what your methodology was throughout this planning. You wanna have your assumptions. So things like
this is the assumed IP range that we're going into, this is the assumed kind of environment, Linux or Windows environment, that we're going into.
they have web servers that are running web applications, we're assuming that there's some kind of database server,
things like that. You want to put all these assumptions in there that you have about the environment. So that way, when you come in, you show them your planning and then you discuss your assumptions, anything can be
clarified right then and there that may be wrong or may be right. You're also gonna put a clear-cut objective in there.
You just don't want to say, Hey, I'm here to pen test. You want to say
assets X, Y and Z for these kind of vulnerabilities.
So the OWASP Top 10, or you
are worried about cross-site scripting, so our objective is just finding cross-site scripting. You don't want to leave your objective open and it
leaving it open, and it leaves a certain layer of uncertainty with the customer.
They don't know if you're going to
their network or break some assets on the network.
if you're actually just going to do certain types of tests.
So have a clear-cut objective in your report. When you are coming on to the site and you're giving an introduction report to whoever you're working for, you wanna discuss your methodology. So
did you use the hacker methodology? If not, if you have your own kind of methodology, explain that. Tell them what exact steps you have taken so far.
What steps come next? And then what's the future of this
If you have a clear cut methodology
laid out, then again, you're gonna look knowledgeable, and it's going to put the customer at ease. And with that methodology, you wanna build a timeline. So things like
Okay, we are going to have our
introduction here. Our introduction report.
eight o'clock to whatever time we're gonna plug into the network from this time to this time, we're going to
then run scans X y Z test. This business, you know, have a built out timeline. So that way,
when you are performing actions on the network,
some idea of when certain things will be happening, and
this could also be given to their IT department. That way, their IT department isn't freaking out like, oh my God,
I see a cross-site scripting attempt, or I see a SQL injection attempt, we're being attacked, when they could look at that timeline and say, whoa,
We're doing a lunchtime SQL injection, right?
This is probably them. And then they can double check with you real quick before throwing up all the red flags and freaking out. So these are some of the things you would want in your initial report going into the job. You would also wanna have these in an executive report of some sort at the end of the assessment as well.
So at the end of the assessment, you could say, hey, this is what we briefed you, this is what we were going to do, and then move on to what you actually did and what you actually found. So when you do find something and when you are building a report of what you found, you wanna include all of the affected assets. So what exactly
which machines exactly had this?
What were we able to find on this? You want to put things like what the OS is, the operating system, the service version of the item that got
affected. If a vulnerability is found, you will want to put in the CVE IDs. This allows the customer to quickly look up what the vulnerability is, and when they, and if they, hopefully they do, have their IT department take care of it, that IT department, looking at this report, can
look at the CVE ID
and quickly fix it with the suggested recommendations that are provided by the CVE database. Along with that, you want an actual impact.
You want to tell them that? Hey,
if this happens and this is executed, then data
of this working me taken, you know,
money from here here and here could be taken.
Um, you could have a down time for X amount of time. You want a clear impact. You want to tell them
this vulnerability is bad and this is exactly why it's bad. Paint a picture for them.
Don't just say, hey, you're vulnerable to this because
in a lot of individuals' minds who don't speak technical a lot, they're just going to see that and say, oh, all right, I'll just get my IT department to fix this sometime when we've got the budget.
No, you want to let them know that
these vulnerabilities here are bad, and this is why they're bad. And then you're gonna have an attack probability. So what that means is you want to include things like
this portion of the application. Well, that portion,
somebody puts a SQL injection in here, then this can happen. What's the probability of that? Well, the page that it's on
is a page every single user uses, and there's hundreds of thousands upon hundreds of thousands of users
every hour. So the attack probability is very, very high.
page that you had to spider, and that page was hidden within a link within a link within a link within a link
stumble across that page if they were looking for some kind of specialized information,
then the attack probability is gonna be lower. You also wanna have the estimated loss as well,
so you could tell them Hey, if this system is hit,
key terrain on your network. And if this item is hit
visibility to the outside network. And if you lose that mail, it's gonna take X amount of time for you to bring it back up, which means X amount of users
and x amount of money could be lost. You wanna have
number in there, an actual monetary number. Say, this is how much money you can lose if this vulnerability is exploited. And then with that, you wanna put recommendations in.
Don't just tell them that Hey, you have this vulnerability. Tell them Hey, you have this vulnerability.
This is how likely it is to be attacked. This is how much you're gonna lose. But that's how you fix that. You never wanna walk away from a customer and have the customer scratching their head. Well
says I've got a cross-site scripting, or says I've got a SQL injection. I don't know what to do here. Tell them about form validation and things like that. Let them know that this vulnerability exists, and this is how you fix it,
and also have a reference for how to fix it. Many of the CVE databases,
if you find a vulnerability and it has a CVE ID to it, will tell you what it is, the recommended actions. Were those Web fathers fathers that we covered in earlier videos. They also have recommendations in there, so you can also pull recommendations from that. Have a very comprehensive report
for individuals as you leave their organization.