Penetration Testing mailing list archives
RE: Some help on methodologies and reports
From: "Shenk, Jerry A" <jshenk () decommunications com>
Date: Wed, 27 Dec 2006 23:07:03 -0500
I see you got a response on the first question...on the second question...the difference between "plain hacking" and "pen-testing" is permission and the report. You're doing the right thing trying to come up with a good write-up. Being able to write it up is a necessary skill...and it's a lot of work. The first one is the hardest too.

You probably want an executive summary...a single page, maybe two...not more than two pages. Then something on the methodology...that's basically a very broad discussion of how you did it including some of the thought process. Then you might want a section on vulnerabilities and exploits - vulnerabilities are points of exposure and exploits are places where you got stuff that you shouldn't have been able to get. In the lists of vulnerabilities and exploits, you should probably have a paragraph or two discussing what it really means and some possibilities for remediation. I think you ought to end with a summary.

I include a timeline between the methodology and the vulnerabilities...the point of that is so that the company can go back to their logs and look through them to learn what they should have seen so that it can be a learning experience for them. Then an appendix can have screen shots, lists of ports and other stuff to support the rest of the paper but split out so that it doesn't mess up the readability of the paper.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Nikolaj
Sent: Wednesday, December 27, 2006 6:28 AM
To: pen-test () securityfocus com
Subject: Some help on methodologies and reports

I would like to ask a few questions concerning some aspects of penetration testing. A friend set up a little LAN to mimic an ISP. He has different services - ranging from mysql to nagios etc. I was able to penetrate one of the servers, which led me to another and so forth. Eg. I penetrated his network. Now I want to create a legit report, so that it looks like a real one.
Can you give me links or some hints on what should one such report include? Maybe there are drafts somewhere. I feel that what I did was more plain hacking than just pen testing. What are the differences between them, except the business relationship. Regards.