Writing the Report
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
Already have an account? Sign In »
writing the report.
I want to objectives are to understand how to best prepare to write the penetration test report, identify why taking good notes is imperative to writing a good report and explain why attention to detail is vital when submitting the report.
So you will be exhausted. At least I was taking over SCP and the stress and not being able to sleep well.
So you're gonna be very tired after the lab environment. So take a nap. Please take a nap. You've earned it and it will help you think better when it comes time to writing the report.
Um, I think in both cases where I wrote the report, I took like three or four hour nap and that was enough to start writing the report.
If you're one of the lucky people and finish early, definitely, I use that time to walk through the environment and my steps to reproduce to write the report, which really, really helps write the report as opposed to going back to your notes.
So you should know how you're gonna write your report. You should have already done this in the P. W. K. Labs in preparation for submitting the lab report.
So also, if this is not your first attempted OS CPU can reuse your notes, I, I reused my notes. Um, and I actually told the person watching like, hey, this is my notes from another attempt and not cheating here. I'm looking at my notes from before and they understood that
Also don't reinvent the wheel. You may have a really great format. You maybe be a professional pen tester and have your own format that you want to use. Use that if you're comfortable with it, use. But I would definitely look at the off *** report and make sure yours is modeled after. There's, there's also this markdown format available. I've not used it. I've heard some people say that they really liked it.
So that's something you're interested in. Just know that that's out there and available
in my opinion, I think if they provide a sample report, um that's what I'm gonna use and that's what I have used.
So hopefully you took really good notes because the worst feeling is when you get done with the SCP and you go to sit down and write the report and like what did I just, Right, so that's why this, the note taking section was really important and why I like to take notes for things like hack the box of the P. W. K. Labs
is that helps prepare me for oh, SCP day because I know that I need to take better notes. So when I look back in my notes, when I'm in the pen 200 P WK environment and I'm like, what was I writing that helps me hone in on, you know what I should use? Should I use one note is one note effective is right putting everything into a word doc
effective. No, it's not. I can tell you that for at least for me it wasn't.
So that's why I think it's really important to take notes. I even like hack the box. Uh take notes on those boxes as well. So hopefully you have done enough reps that by the time you write your report for, Oh, SCP, uh this will be old hat for you. You already know what to do.
All right. Don't forget to scan all the boxes. One of the parts at least in the, in the offset lab sample lab report
is enumeration and writing all the open ports. That's something I forgot to do. In my first attempt to know SCP is scan all the ports and that's why I told you when you do your end maps can do all the ports tack. Pitak to scan all the ports. You can also try UdP as well. Um So don't, don't forget you UdP as well.
So when you find a vulnerability, we looked at C. V. Details, I really like that website but if you do find a public vulnerability, research it and figure out the severity of it.
Um And also don't forget to look at the fixes for the vulnerability which is typically on the vendor website. And that's again why like cbe details because they provide that type of information for you. But do not forget to recommend how to fix the vulnerability. If you're a customer, you want to know that information.
So like I said, if if I could go back and re rewrite my severity is, I would um Typically I will go off of public information on how severe vulnerability is,
but it also helps to know the environment it's in as well. So if you want to use a calculator, it's on first dot org website. Cbss calculator. If you really want to show like a numerical score or how you arrived at that conclusion, you can definitely use CVS s for that
screenshots. I take a lot of screenshots. Like I said, you don't have to put every single screen shot in the report. You do have to put your local dot txt, your proof dot txt as well as the I. P. Addresses in them from when I'm recording this. That's what you have to do again. Check the F. A. Q. And and the exam guide to make sure that that's still current.
Um I have snag it, it's $50 I love it. Um You can do arrows, you can highlight things, you can blur things. So for me snag it is really great. I also use just native word, adding, editing software um and Microsoft word and that worked fine as well. But
I do other things especially like in the bug bounty world or professionally
uh pen testing then I really really think snag it is the way to go.
Okay so after you write your report, take some time away from the computer. Don't don't just let your eyes glaze over
and want to get in as quickly as possible. I made that mistake and I wanted to turn in another report and I did and I learned that you can't do that. So you have one shot here. So that's why it's really important. You know you spend all this time hacking the planet and
you know getting all the proof and local files so don't mess it up on the report, make sure that you pay attention to detail and you include the correct screenshots for the proof and the local file as well as the I. P. Address.
And also make sure you zip it correctly. They give you an example how to zip your report. This is the exam report. You can do the lab report in the same format but ensure that it is exactly as they want it to be.
And that's why I say measure twice cut once, make sure that you read the exam guide. This is the current link right now. But I read that thing before lab day, I read that thing during lab day and I read that thing right before I submitted the report to make sure that I'm doing things correctly because you don't want to have spent all that time and money
just to mess up and not submit your report correctly.
So like I told you before I submitted my report, I'm like I wanted to change some things. I submitted a second one and they said nope one, that's it. And that's in the F. A. Q. That's in the exam guide. So if I would have read that carefully, I would have noticed that
waiting is very hard. So once you submit your report and you wait, it is excruciating. I remember I wake up in the middle of the night, check my phone, see if I got an email. And at three AM sure enough three days afterwards I got the email saying I passed on my third attempt. So they say 10 business days, they did that quicker for me.
But uh that was a really great moment when I got the results saying I passed of course when I didn't pass the other two tight. Well
I didn't do the report the first time but the second time.
Yeah, it does really suck when you find out that you didn't pass.
So if you do fail you can ask them, you can ask for advice. They gave me advice. It was pretty general on what to do
but you know why not? Why not? See if they may give you some kind of guidance on what you should work on.
I also found it very helpful to read blogs of people who also took three or four times, you know even two times.
Um and and talked about their failure and how they learned. I think that was very helpful in pumping me up to take the SCP again.
So in summary, we should now understand how to best prepare to write the penetration test report, identify why taking good notes is imperative to writing a good report and explain why attention to detail is vital when submitting the report.
Understanding the Hacker Mindset
Tips on Harnessing the Hacker Mindset
Offensive Penetration Testing Practice Exam