Interested in learning

more about security?
SANS Institute
InfoSec Reading Room
This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.
Writing a Penetration Testing Report
Writing a penetration testing report is an art that needs to be learned to make sure that the report has
delivered the right message to the right people. The report will be sent to the target organizations senior
management and technical team as well. For this reason, we, as penetration testers, need to deliver the report
in a way that serves our objective to secure the information. This paper will explain the penetration testing
report writing methodology, based on the author's experiences, describing the report...
Copyright SANS Institute
Author Retains Full Rights
A
D
!
© 2010 The SANS Institute As part of the Information Security Reading Room Author retains full rights.!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
"#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!

Writing a Penetration Testing Report

GIAC (GPEN) Gold Certification
Authoi: Nansoui A. Alhaibi, mhaibi@gmail.com
Auvisoi: Bi Kees Leune
Accepteu: Apiil 6th 2u1u
Abstiact
Wiiting a penetiation testing iepoit is an ait that neeus to be leaineu to make suie
that the iepoit has ueliveieu the iight message to the iight people. The iepoit will
be sent to the taiget oiganization's senioi management anu technical team as well.
Foi this ieason, we, as penetiation testeis, neeu to uelivei the iepoit in a way that
seives oui objective to secuie the infoimation. This papei will explain the
penetiation testing iepoit wiiting methouology, baseu on the authoi's expeiiences,
uesciibing the iepoit content anu uesign. Appenuix A shows a uetaileu example of a
penetiation testing iepoit baseu on the uesciibeu appioach.


!
© 2010 The SANS Institute As part of the Information Security Reading Room Author retains full rights.!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
"#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!
Wiiting a Penetiation Testing Repoit 2

Nansoui Alhaibi, mhaibi@gmail.com
1. Introduction
A lot of currently available penetration testing resources lack report writing
methodology and approach which leads to a very big gap in the penetration testing cycle.
Report in its definition is a statement of the results of an investigation or of any matter on
which definite information is required (Oxford English Dictionary).
A penetration test is useless without something tangible to give to a client or
executive officer. A report should detail the outcome of the test and, if you are making
recommendations, document the recommendations to secure any high-risk systems
(Whitaker & Newman, 2005). Report Writing is a crucial part for any service providers
especially in IT service/ advisory providers. In pen-testing the final result is a report that
shows the services provided, the methodology adopted, as well as testing results and
recommendations. As one of the project managers at major electronics firm Said "We
don't actually manufacture anything. Most of the time, the tangible products of this
department [engineering] are reports." There is an old saying that in the consulting
business: “If you do not document it, it did not happen.” (Smith, LeBlanc & Lam, 2004)
Many people consider business reports as dry, uninteresting documents, which
take a great deal of time and efforts to prepare. The reality is that they are an essential
part of doing business and one's ability to be proficient in this area is critical to the ability
to pursue commercial success (McCarthy, 1979; Ronstadt, 1984; Thompson, 2003c).
Penetration testing report presents the approach followed and the results of the
vulnerability assessment and penetration test of a target system with a detailed
recommendation of how to mitigate the risks.
Target reader for the penetration testing report will vary, executive summary will
be read by the senior management and the technical details will be read by the IT and/or
information security responsible people. This paper begins with a conventional approach
to develop a penetration testing report starting from collecting information, drafting the
first report and ending with a professional report. As shown in figure 1 the penetration
testing report writing stages are: Report planning, Information collection, writing the first
draft and reviewing and finalization.
!
© 2010 The SANS Institute As part of the Information Security Reading Room Author retains full rights.!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
"#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!
Wiiting a Penetiation Testing Repoit S

Nansoui Alhaibi, mhaibi@gmail.com




Figure 1: Report Development Stages

Then in section 3, the paper provides the needed content each report normally has,
what each of the contents is used for, and how this will help the target readers of the
penetration testing report understand the content. Finally appendix A has a sample
penetration testing report applying the approach described.
The target reader for this paper is the technical penetration testers that need to
enhance their capabilities in report writing.
For the purpose of this paper, 2 servers have been configured and GPEN.KM will
be the organization name.

!
© 2010 The SANS Institute As part of the Information Security Reading Room Author retains full rights.!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
"#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!
Wiiting a Penetiation Testing Repoit 4

Nansoui Alhaibi, mhaibi@gmail.com
2. Report Development Stages
As shown in figure 1, these stages show a practice for the development of
penetration testing report.
2.1. Report Planning
Report objectives
Report objectives help the reader to focus on the main points of the penetration
testing and the report e.g. PCI compliance once the objectives are clear both the reader
and the penetration tester(s) will know what exactly the aim of the project. This section
explains why we conduct the penetration testing and the benefit of it. This may be found
in the Request for Proposal, be part of risk analysis, be part of compliance or to know the
current stat of the target testing environment. Sample report objectives can be found in
section 1.2.Project Objectives in Appendix A Sample Penetration Testing Report.
Time
Penetration tester(s) need(s) to exactly mention the testing time for many reasons.
This may include:
• In mission critical infrastructure the organization may need to make sure
some key IT persons are available during the test in case some thing does
wrong e.g. server crash.
• In rapidly changing IT infrastructure, the changes need to be freeze in the
penetration testing scope during the test to make sure that the testing is
exactly assessing the current IT (the penetration testing scope).
• Even though there is no 100% security, the report will show the risks in
the penetration testing scope during this period of time any risks after this
time may arise because of some changes in the IT infrastructure of
changing in the configuration.

Pen Tester needs to make sure that sufficient time is allotted in the project plan.
Sample time table is shown in 1.4.Timeline in Appendix A Sample Penetration Testing
!
© 2010 The SANS Institute As part of the Information Security Reading Room Author retains full rights.!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
"#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!
Wiiting a Penetiation Testing Repoit S

Nansoui Alhaibi, mhaibi@gmail.com
Report. On the other hand, during the project planning time of the report delivery needs
to be carefully taken into consideration. Divide your report writing into tasks to simplify
things and focus of them. Planning the report will help in delivering an effective report.
Typically, 60% of your time should be spent writing the draft. Pen Tester needs to
consider the client’s acceptance process as well as the fact that it may take longer than
expected.
Consider the target audiences
Penetration testing reports usually have a number of target audiences/audience
groups to reach, so a report will often have a hierarchical structure to support different
levels of details. In designing the report form and style, the following target audience
characteristics should be considered:
• Their need for the report (i.e. operational planning, resource
allocation, approval),
• Position in the organization
• Knowledge of the report topic(i.e. purpose),
• Responsibility or authority to make decision based on the report, and
• Personal demographics (i.e. age, alliances, attitudes).
Report audiences include Information Security Manager, Chief Information
Security Officer, Information Technology Manager and technical teams. More
information about the scope and target audiences can be found also in the scope of work
of the assignment.
Report classification
Since Penetration Testing Report have sensitive information such as, servers IP
addresses and its information, some applications information, vulnerability, threats,
exploits and more, it should be considered to be in every high rank of confidentiality e.g.
TOP SECRET and the report will be dealt with accordingly. The report classification will
be based on the target organization information classification policy.
!
© 2010 The SANS Institute As part of the Information Security Reading Room Author retains full rights.!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
"#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!
Wiiting a Penetiation Testing Repoit 6

Nansoui Alhaibi, mhaibi@gmail.com
Report distribution
The number of copies of the report, the report format (hardcopy, softcopy) and the
delivery procedure should be carefully implemented to control the report distribution and
make sure it only arrives to the right person in the right time based on the need to know
the bases. Type of report delivery, number of copies and report distribution should be
addressed in the scope of work. Hardcopies can be controlled by printing a limited
number of copies attached with its number and the receiver name. Table 1 shows a
sample table that can be utilized to control hardcopies.





Table 1 Penetration Testing Report distribution control

Each copy will formally hand over to the target person. Softcopy needs to be
carefully controlled in a secure server owned by the department that has requested the
penetration testing service. Distributing the softcopy of the report normally will be
controlled by the document owner (report owner) and it will be under his responsibility.
Finally after submitting the report, the penetration tester should delete any available
information that he have and inform the client that all related information has have been
erased (This step should be clearly mentioned and agreed upon in the service agreement
documents. As Andrew Whitaker and Daniel P. Newman (Whitaker & Newman, 2005)
stated that 'your ethical responsibilities do not stop when the test is done, however. After
the test is completed, you should perform due diligence to ensure the confidentiality of
the test results. Some penetration testing firms have known to circulate test results to
other companies as samples of their work. These results contain detailed steps on how to
break into an e-finance website for a particular financial institution and collect sensitive
customer data. You can imagine the shock of the institution when it discovered these
contents being distributed to its competitors! Therefore, as a penetration tester, you are
under an ethical obligation to keep the details of the report confidential. Shred any hard
Copy No Department Name Date


!
© 2010 The SANS Institute As part of the Information Security Reading Room Author retains full rights.!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
"#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!
Wiiting a Penetiation Testing Repoit 7

Nansoui Alhaibi, mhaibi@gmail.com
copies of the report, and delete all soft copies using an erasing utility such as PGP or
Axcrypt'.
2.2. Information Collection
Due to the nature of penetrating testing and utilizing more than one way, tools,
computers, etc., penetration tester needs to make sure that he collected all the information
in all stages, system used and tools. This will ease his report writing and make all
information that he need available either in each stage, moving to the next stage, using
information and analyzing it either in the penetration testing activity or during report
writing. In case of the penetration testing is conducted by a team, a centralized and secure
location need to be located to share the information.
Collecting the information during the penetration testing stages/steps is a very
important step to be able to write the report. This include, scanning results, vulnerability
assessment, snap shots of the findings and exploits (if any), etc. Pen-tester needs to
consider information collection in all steps that he performs during the test. Pen testers
may utilize some tools such as:
! Taking notes
! Capturing screenshots
! Logging for all activities (This will help in a very critical
infrastructure to proof what the pen-tester did and in case
something happened). In Linux environment to capture all traffic
this command will help: # tcpdump –nn –S 0 –w filename.pcap
2.3. Writing the first draft
Start writing a rough draft report using all relevant information gathered in stage 2.2
using the relevant notes. At this stage, it is highly recommended not to be concerned
about proofreading and editing. Typically, 60% of report writing time will be in writing
the draft.
It may be helpful to use a symbol such as "#" or adding highlights to mark the spot
where pen-tester needs to check back later to edit a paragraph. Delete the symbol once
editing is completed.
!
© 2010 The SANS Institute As part of the Information Security Reading Room Author retains full rights.!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
"#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!
Wiiting a Penetiation Testing Repoit 8

Nansoui Alhaibi, mhaibi@gmail.com
2.4. Review and finalization
Draft needs to be reviewed to enhance it, peer review is highly recommended to have
a second opinion. In case the penetration testing has been conducted by a team, all team
members need to review and/or edit it. Peer review depends on the type of penetration
testing conducted, if it is a black box penetration testing, one of the penetration testing
team needs to review the report. If the test is white penetration testing, someone with
knowledge of the target system will review the report collaboratively. This will lead to
much better results. Report review depends also on the organization's procedure and the
way that they handle the service. After updating the report, QA team may also need to
review it and make sure it follows the company standards.
3. Report Format
This section describes the penetration testing report format and why we need each
subsection. Sample Penetration testing report using the report format described here is
shown in Appendix A.
3.1. Page design
In report planning, page design needs to be decided upon to develop the look and feel
of the report. This includes but not limited to the header and footer content, fonts to be
used and colors. This will be controlled based on how the service provider's document
looks and feels.
3.2. Document Control
Document control will be based on the service provider control of document
procedure. Here are some recommended sections and contents.
Cover Page
This will show the report name, report version, date, the
author/service provider name, cover page may also include document
serial number and target organization name.
!
© 2010 The SANS Institute As part of the Information Security Reading Room Author retains full rights.!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
"#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!
Wiiting a Penetiation Testing Repoit 9

Nansoui Alhaibi, mhaibi@gmail.com
Document Properties
In a small table, this will show the document title, version, author,
penetration testers name, name of persons whom reviewed the report,
approved by whom and the document classification.
Version control
This will show the Version Control for the report. Version control
will track the report changes by recording the change description, report
version, date of the change and the change author.
3.3. List of Report Content
Table of Content
This will list all sections of the report in a sequence with the page
numbers. Typically, for reports with less than 5 pages, a content page is
not necessary. If the report includes some appendices, the titles of these
should be listed but not page numbered.
List of Illustrations
If there are tables or charts included in the report, list them in this
section with page numbers.
3.4. Executive Summary
"Write this after you’ve completed writing the report. Think of what you’d say if
you ran into an executive in the elevator and had one minute to summarize your
findings" (Snedaker, 2006). The Executive Summary summarizes the report content
in a small paragraph containing a statement of the tasks accomplished, methodology
used, high level findings and recommendations. Executive summery target executives
where high level findings/issues need to be raised and recommended solutions need to
be presented. This section normally is written after writing the report.
!
© 2010 The SANS Institute As part of the Information Security Reading Room Author retains full rights.!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
"#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!
Wiiting a Penetiation Testing Repoit 1u

Nansoui Alhaibi, mhaibi@gmail.com
Scope of work
Scope of work clearly identifies the scope of the project, IP
addresses that has been tested, type of penetration testing perform and any
other information that affect the time and budget of the project.
Identifying the scope will help
Project Objectives
Provide the objectives that the organization will gain after knowing
the risks related to the penetration of the target IP addresses/ system or
application and what they will get after mitigating these risks by
implementing the recommendations in the penetration testing report.
The penetration testing objective needs to be linked with the
information security objectives, which are expected to be linked with the
organization's objectives.
If the penetration testing is part of compliance project the report
needs to mention this requirement and how the pen-testing will help to
achieve it.
Assumption
In case there are some assumptions that the pen-tester considers
before or during the test, the assumptions need to be clearly shown in the
report. Providing the assumption will help the report audiences to
understand why penetration testing followed a specific direction.
Timeline
This will show the penetration testing start and end dates. This will
provide the report target audiences with information about:
1- Testing duration
2- The tested IP address's risks, from pen-testing point of view, during
this period only.
3- The pen-tester does not hold any responsibilities if some risk aroused
after this period of time due to some changes in the target systems.
!
© 2010 The SANS Institute As part of the Information Security Reading Room Author retains full rights.!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
"#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!
Wiiting a Penetiation Testing Repoit 11

Nansoui Alhaibi, mhaibi@gmail.com
Summary of Findings
In a glance view show the number of discovered risks based on
priorities. "When you construct the report of your findings, be careful to
avoid statements that are inflammatory, unsupported by the evidence,
speculative, or overly frightening." (Smith et al, 2004).
Summary of Recommendation
Based on the analysis of risks and the high level finding, the high
level recommendation for the target organization need to be described.
3.5. Methodology
This section provides the needed information about how the penetration testing was
conducted. What steps have been followed to collect the information, analyze them, the
risk rating methodology used to calculate the risk for each piece of vulnerability and it
may also contain the tools that the pen-tester used for each stage.
3.6. Detail findings
This section provides detailed information for each finding. Present the findings in
the simplest way as possible. For each finding describe the threat level, vulnerability
rating, analysis of the issue and the impact on the information asset (the IP address) if the
threat agent was able to exploit the vulnerability, Risk Rating and Recommendation.
Each one of these elements will be briefed in the next paragraphs. There are a number of
ways in which results can be presented. Here are a few:
• Tables
• Graphs
• Pie or Bar charts
• Diagrams
Vulnerabilities
For each piece of vulnerability, a clear description should be shown about
the source of the vulnerability, its impact and the likelihoods of the vulnerability
to be exploited. Report should explain the source of the vulnerability and the root
!
© 2010 The SANS Institute As part of the Information Security Reading Room Author retains full rights.!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
"#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!
Wiiting a Penetiation Testing Repoit 12

Nansoui Alhaibi, mhaibi@gmail.com
cause of the problem not the symptom of it. This will mitigate the vulnerability
persistence.
Impact
The report should explain the impact of the vulnerability's exploitation by
the threat agent.
Likelihood
Likelihood is "the probability that a potential vulnerability may be
exercised within the construct of the associated threat environment" (Stoneburner,
Goguen1, & Feringa1, 2002). The report should state the likelihood of a
vulnerability being exploited by the threat source (e.g. a hacker). Practical
penetration tester may think of the likelihood as a combination of ease of access,
level of access gained, difficulty of discovering the vulnerability and exploiting it,
and the value of the asset to the target organization.
Risk evaluation
"Process of comparing the estimated risk against given risk criteria to
determine the significance of the risk "(ISO/IEC Guide 73:2002). Table 3 Risk
Analysis in Appendix A was developed based on NIST.
This is a Special Publication 800-30, which shows one method of risk
analysis and calculation.
Recommendation
"Presenting a piece of vulnerability in your findings without documenting
how the vulnerability could be managed is only half of your security assessment
job. The other half is presenting potential solutions, mitigations, or other
suggestions for reducing or eliminating the vulnerability." (Smith et al., 2004).
Based on the risk rating and the target asset, the penetration tester should
provide an acceptable recommendation with alternatives. For example, for weak
authentication protocols being used to validate accounts for accessing a customer
database through the ASP Web application, pen tester may provide more than
option for mitigating the risk such as:
1-Implement Public Key Infrastructure (PKI) by providing certificate to all users
of the database and require certificate-based authentication on the front-end
!
© 2010 The SANS Institute As part of the Information Security Reading Room Author retains full rights.!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
"#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!
Wiiting a Penetiation Testing Repoit 1S

Nansoui Alhaibi, mhaibi@gmail.com
website in addition to the forms-based authentication on the website. This solution
will require the design and implementation of a PKI and Active Directory.
Additionally, all client operating systems must run Microsoft Windows 2000 or
later.
2- Import the accounts database to Active Directory and implement basic
authentication over SSL on the website. This solution will require the design and
implementation of Active Directory.
3-Continue to use the current custom authentication protocol, which is highly
susceptible to spoofing or man-in-the-middle attacks.
Penetration Tester may also utilize Annex A - Control objectives and controls
ISO/IEC 27001:2005 to select some controls that will help in minimizing the risk
discovered.
3.7. References
It is important to give precise details of all the work by other authors, which has been
referred to within the report. Details should include:
• Author’s name and initials
• Date of publication
• Title of the book, paper or journal
• Publisher
• Place of publication
• Page numbers
• Details of the journal volume in which the article has appeared.
References should be listed in alphabetical order of the authors' names.
Make sure that your references are accurate and comprehensive.
3.8. Appendices
An appendix contains additional information related to the report but which is not
essential to the main findings. This can be consulted if the reader wishes to but the report
should not depend on this. Such information may include the scanning result,
vulnerability assessment results, or other information, which may be useful for the reader.
!
© 2010 The SANS Institute As part of the Information Security Reading Room Author retains full rights.!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
"#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!
Wiiting a Penetiation Testing Repoit 14

Nansoui Alhaibi, mhaibi@gmail.com
3.9. Glossary
Define the meaning of technical terms.

Appendix A shows a Sample report of a penetration testing.
4. References
Whitaker, A., & Newman, D. (2005). Penetration testing and network defense. USA:
Cisco Press.

Smith, B., LeBlanc, D., & Lam , K. (2004). Assessing network security. USA:
Microsoft Press.

Snedaker , S.(2006). It Security project management . Canada: Syngress.
ISO (the International Organization for Standardization) and IEC (the International
Electro-technical (2005). Information security management systems — Requirements
BS ISO/IEC 27001:2005. International Organization for Standardization.

Thompson, A. (2uuS). !"#$%&'("#)"*+',$+-%../+./+01&)"$&&+2."2$-'. Peith :
Nuiuoch Business School.

Stonebuinei, u., Feringa,A., & uoguen, A. (2uu2). 3456+5-$2)(7+-107)2(')."+899:;9+
%)&<+=("(*$=$"'+*1)#$+/.%+)"/.%=(')."+'$2,".7.*>+&>&'$=&+%$2.==$"#(')."&+./+
',$+"(')."(7+)"&')'1'$+./+&'("#(%#&+("#+'$2,".7.*>. uaitheisbuig: National
Institute of Stanuaius anu Technology.
Retrieved December 15,2009 from NIST Web site:
http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf

The Higher Education Academy. Writing Reports
Retrieved December 15,2009 from The Higher Education Academy Web site:
!
© 2010 The SANS Institute As part of the Information Security Reading Room Author retains full rights.!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
"#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!
Wiiting a Penetiation Testing Repoit 1S

Nansoui Alhaibi, mhaibi@gmail.com
http://www.heacademy.ac.uk/assets/hlst/documents/heinfe_exchange/Blended_Learni
ng_PDP_Materials/5_reportwriting.pdf

The University of Wisconsin, Writer's Handbook
Retrieved December 15,2009, from University of Wisconsin Web site:
http://writing.wisc.edu/Handbook/

Purdue Online Writing Lab, Handbook on report Formats
Retrieved January 10.2010, from Purdue OWL and Writing Lab Web site:
http://owl.english.purdue.edu/owl/resource/726/01/

0xfoiu, ?@/.%#+$"*7)&,+#)2')."(%>. New Yoik: 0xfoiu 0niveisity Piess.

CQ University Australia, Communications Learning Centre
Retrieved December 15, 2009, from CQ University Australia Website:
http://clc.cqu.edu.au/FCWViewer/view.do?page=842

The SANS Institute. (2009). SANS Security 560 Network Penetration Testing and
Ethical Hacking. The SANS Institute.

Payment Card Industry PCI. (2008). Information supplement: requirement 11.3
penetration testing. PCI Security Standards Council, 11.3. Retrieved January 10.2010,
from Payment Card Industry (PCI) Web site:
https://www.pcisecuritystandards.org/pdfs/infosupp_11_3_penetration_testing.pdf






!
© 2010 The SANS Institute As part of the Information Security Reading Room Author retains full rights.!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
"#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!
Wiiting a Penetiation Testing Repoit 16

Nansoui Alhaibi, mhaibi@gmail.com
Appendix A Sample Penetration Testing Report











Black Box Penetration Testing
For GPEN.KM
V1.0
Month dd
th
, yyyy

By: Mansour A. Alharbi







!
© 2010 The SANS Institute As part of the Information Security Reading Room Author retains full rights.!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
"#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!
Wiiting a Penetiation Testing Repoit 17

Nansoui Alhaibi, mhaibi@gmail.com

Document Properties

Title Black Box Penetration Testing Report
Version V1.0
Author Mansour A. Alharbi
Pen-testers Mansour A. Alharbi
Reviewed By Kees Leune
Approved By Kees Leune
Classification Confidential
Version control
Version Date Author Description
V1.0
Month dd
th
, yyyy
Mansour Alharbi Final Draft













!
© 2010 The SANS Institute As part of the Information Security Reading Room Author retains full rights.!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
"#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!
Wiiting a Penetiation Testing Repoit 18

Nansoui Alhaibi, mhaibi@gmail.com

Table of Content
CONTENTS ........................................................................................................................ 18
1EXECUTIVE SUMMARY................................................................................................... 20
1.1SCOPE OF WORK.......................................................................................................... 20
1.2PROJECT OBJECTIVES................................................................................................. 20
1.3ASSUMPTION................................................................................................................ 20
1.4TIMELINE..................................................................................................................... 20
1.5SUMMARY OF FINDINGS .............................................................................................. 21
1.6SUMMARY OF RECOMMENDATION ............................................................................. 22
2METHODOLOGY ............................................................................................................. 23
2.1PLANNING.................................................................................................................... 23
2.2EXPLOITATION ............................................................................................................ 24
2.3REPORTING.................................................................................................................. 24
3DETAIL FINDINGS ........................................................................................................... 25
3.1DETAILED SYSTEMS INFORMATION............................................................................ 25
3.2WINDOWS SERVER 192.168.1.75 ................................................................................ 27
4.REFERENCES.................................................................................................................. 32
APPENDIX A NESSUS VULNERABILITY SCANNING REPORTS.......................................... 32











!
© 2010 The SANS Institute As part of the Information Security Reading Room Author retains full rights.!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
"#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!
Wiiting a Penetiation Testing Repoit 19

Nansoui Alhaibi, mhaibi@gmail.com


List Of Illustrations
List of Tables
Table 1 Penetration Testing Time Line 12
Table 1 Total Risk Rating 12
Table 3 Risk Analysis 16
Table 4 Rating Calculation 16
Table 5 Targets open ports 17
List of Figures
Figure 1 Total Risks 13
Figure 2 Penetration Testing Methodology 15
Figure 3 192.168.1.75 Number of Risks 17
Figure 4 Telnet Service Banner 18
Figure 12 Exploiting RPC using dcom 18
Figure 13 Getting Shell Access 19
Figure 14 Exploiting dcom – metasploit 19
Figure 16 Uploading nc.exe as backdoor 21
Figure 17 Shell command and running nc 22
Figure 18 Downloading SAM file 22






!
© 2010 The SANS Institute As part of the Information Security Reading Room Author retains full rights.!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
"#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!
Wiiting a Penetiation Testing Repoit 2u

Nansoui Alhaibi, mhaibi@gmail.com

1. Executive Summary
This document details the security assessment (external penetration testing) of
GPEN.KM. The purpose of the assessment was to provide a review of the security
posture of GPEN.KM Internet infrastructure, as well, as to identify potential weaknesses
in its Internet infrastructure.
1.1. Scope of work
This security assessment covers the remote penetration testing of 2 accessible
servers hosted on 192.168.1.75 and 192.168.1.76 addresses. The assessment was carried
out from a black box perspective, with the only supplied information being the tested
servers IP addresses. No other information was assumed at the start of the assessment.
1.2. Project Objectives
This security assessment is carried out to gauge the security posture of GPEN.KM’s
Internet facing hosts. The result of the assessment is then analyzed for vulnerabilities.
Given the limited time that is given to perform the assessment, only immediately
exploitable services have been tested. The vulnerabilities are assigned a risk rating based
on threat, vulnerability and impact.
1.3. Assumption
While writing the report, we assume that both IP addresses are considered to be
public IP addresses, NDA and rules of engagement has been signed and based on the
information gathering phase the company name is GPEN.KM.
1.4. Timeline
The timeline of the test is as below:
Penetration Testing Start Date/Time End Date/Time
Pen Test 1 mm/dd/yyyy mm/dd/yyyy
Table 1 Penetration Testing Time Line
!
© 2010 The SANS Institute As part of the Information Security Reading Room Author retains full rights.!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
"#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!
Wiiting a Penetiation Testing Repoit 21

Nansoui Alhaibi, mhaibi@gmail.com
1.5. Summary of Findings
Value
Number of
Risks
Low 3
Medium 2
High 6
Critical 6
Table 2 Total Risk Rating

Figure 1 Total Risks

GPEN.KM needs to pay more attention to information security. We were able to
access one server in less than one hour. GPEN.KM needs to invest in implementing a
defense-in-depth approach to have multiple layers of security to protect their information
asset. Other areas such as processes and people should be emphasized as well. Systems
and networks hardening and secure configurations, for instance, should be implemented
to strengthen the different layers of security within GPEN.KM .
Below are the high level findings from the external penetration test:
• GPEN.KM lacks a defense in depth (multi-layered) security strategy which if
implemented will help GPEN.KM achieves better security level.
!
© 2010 The SANS Institute As part of the Information Security Reading Room Author retains full rights.!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
"#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!
Wiiting a Penetiation Testing Repoit 22

Nansoui Alhaibi, mhaibi@gmail.com
• We found that both servers are not protected by a firewall and can present a
security risk since the host runs a number of services such as Microsoft terminal
services without being configured for optimal security. GPEN.KM must design
the Firewall policy as follows:
o Apply rules to allow only public services such as mail and web access.
o Apply anti-mapping rules on the border router and primary firewall.
o Allow only authorized IPs to connect to other services or best disable
unneeded services.
• It was obvious that GPEN.KM patch management policy and procedure is either
not existing or not implemented correctly. One of these servers was running
windows 2000 server without any patches. This opened a very high security risk
on the organization.
• Services installed were running with default configuration such as FTP.
Web application hosted in 192.168.1.75 is running multiple security vulnerability
such as SQL injection and XSS. An attacker can gain access to customer
information and manipulate it. GPEN.KM has to implement input validation and
re-design the web application component. Best practice is to have 3-tier design.
At least the application server and DB server should be hosted in deferent servers
and segregated by a firewall.
1.6. Summary of Recommendation
Adopt defense-in-depth approach where GPEN.KM utilizes variety of security
tools/systems and processes to protect its assets and information. Among these:
• Deploy Host Intrusion Prevention Systems –HIPS on servers and desktops,
also enable personal firewall on desktop (such as Microsoft Windows
firewall).
• Perform security hardening on servers in the production environment
especially those in the Internet and/or external DMZs.
• Implement Patch management system(s) to provide centralized control over
fixes, updates and patches to all systems, devices and equipments. This will
minimize overhead on operations team and will elevate security resistance.
!
© 2010 The SANS Institute As part of the Information Security Reading Room Author retains full rights.!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
"#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!
Wiiting a Penetiation Testing Repoit 2S

Nansoui Alhaibi, mhaibi@gmail.com
• GPEN.KM has to implement input validation and re-design the web
application component. Best practice is to have 3-tier design. At least the
application server and DB server should be hosted in deferent servers and
segregated by a firewall.
• Conduct vulnerability assessment at least twice a year and penetration testing
at least once a year or if there is a major change in the information assets.
• Develop and implement a training path for the current IT staff.
2. Methodology

Figure 2 Penetration Testing Methodology
2.1. Planning
During planning we gather information from public sources to learn about target:
- People and culture
- Technical infrastructure
Then, we detect the live system its O.S and determined the running services and its
versions.
!
© 2010 The SANS Institute As part of the Information Security Reading Room Author retains full rights.!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
"#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!
Wiiting a Penetiation Testing Repoit 24

Nansoui Alhaibi, mhaibi@gmail.com
2.2. Exploitation
Utilizing the information gathered in Planning we start to find the vulnerability for each
O.S and service that we discovered after that trying to exploit it.
2.3. Reporting
Based on the results from the first two steps, we start analyzing the results. Our Risk
rating is based on this calculation:

Risk=Threat * Vulnerability * Impact

Threat Low Medium

High Critical
Vulnerability L M H C L M H C L M H C L M H C
Low 1 2 3 4 1 4 6 8 3 6 9 12 4 8 12 16
Medium 2 4 6 8 4 8 12 16 6 12 18 24 8 16 24 32
High 3 6 9 12 6 12 18 24 9 18 27* 36 12 24 36 48
Impact
Critical 4 8 12 16 8 16 24 32 12 24 36 48 16 32 48 64
Table 3 Risk Analysis
L Low 1-16
M Medium 17-32
H High 33-48
C Critical 49-64
Table 4 Rating Calculation
After calculating the risk rating, we start writing the report on each risk and how to
mitigate it.

*Based on our analysis risks that falls under this category will be considered as High.
!
© 2010 The SANS Institute As part of the Information Security Reading Room Author retains full rights.!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
"#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!
Wiiting a Penetiation Testing Repoit 2S

Nansoui Alhaibi, mhaibi@gmail.com
3. Detail findings
3.1. Detailed Systems Information
Open Ports
IP Address System Type OS Information
Port# Protocol
Service
Name
139 Tcp netbios-ssn
21 Tcp ftp
80 Tcp http
135 Tcp Msrpc
389 Tcp Ldap
445 Tcp
open
microsoft-ds
464 tcp
open
kpasswd5?
593 tcp
open
ncacn_http
636 tcp
open
tcpwrapped
1025 Tcp open msrpc
1027 Tcp
open
ncacn_http
1030 Tcp open msrpc
3268 Tcp open ldap
3269 Tcp
open
tcpwrapped
192.168.1.76
Server

Microsoft
Windows Server
2003 Service Pack
1
3389 Tcp
open
microsoft-
rdp

!
© 2010 The SANS Institute As part of the Information Security Reading Room Author retains full rights.!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
"#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!
Wiiting a Penetiation Testing Repoit 26

Nansoui Alhaibi, mhaibi@gmail.com
80 Tcp HTTP
135 Tcp Msrpc
139 Tcp netbios-ssn
443 Tcp HTTPS
445 Tcp microsoft-ds
1027 Tcp Port exosee
1035 Tcp
Port
mxxrlogin
23 Tcp telnet
53 Tcp DNS
1033 Tcp
Port netinfo-
local
192.168.1.75 Server
Microsoft
Windows 2000
Service Pack 0

135 Udp Port epmap
Table 5 Targets open ports















!
© 2010 The SANS Institute As part of the Information Security Reading Room Author retains full rights.!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
"#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!
Wiiting a Penetiation Testing Repoit 27

Nansoui Alhaibi, mhaibi@gmail.com
3.2. Windows Server 192.168.1.75







Unsecure service (Telnet) is running:
Threat Level
Medium
Vulnerability
Medium
Analysis
Telnet provides access to the server for remote administration as an example.
Unfortunately telnet traffic is not encrypted. Suspicious users i.e. attacker with and easy
accessible sniffer can sniff the traffic, which may include sensitive data and/or
administrator credentials.
By Telneting to 192.168.1.75, we were able to see telnet service version number 5.00



Figure 3 192.168.1.75 Number of Risks
!
© 2010 The SANS Institute As part of the Information Security Reading Room Author retains full rights.!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
"#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!
Wiiting a Penetiation Testing Repoit 28

Nansoui Alhaibi, mhaibi@gmail.com
Impact
High
Risk Rating
Low
Recommendation
If deemed necessary for this server to be administered remotely, utilize secure
administration tools such as SSH or Secure remote desktop access.
Microsoft RPC Interface Buffer Overrun:
Threat Level
High
Vulnerability
Critical
Analysis
The remote host is running a version of Windows, which has a flaw in
its RPC interface, which may allow an attacker to execute arbitrary code
and gain SYSTEM privileges. An attacker or a worm could use it to gain the control of
this host.
We exploit this vulnerability utilizing a ready exploit available in the internet.

After exploiting this vulnerability we got a shell and as you can see the IP address is the
server IP address.
Figure 4 Telnet Service Banner
Figure 5 Exploiting RPC using dcom
This is just foi uemonstiation puipose if the pen-
testei woulu like to uploau any tool in the taiget
system, a iule of engagement shoulu incluue such a
statement! The tools must be iemoveu aftei the test.
!
© 2010 The SANS Institute As part of the Information Security Reading Room Author retains full rights.!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
"#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!
Wiiting a Penetiation Testing Repoit 29

Nansoui Alhaibi, mhaibi@gmail.com














We also utilize this vulnerability to upload and download file through meterpreter as
described below:














Figure 6 Getting Shell Access
Figure 7 Exploiting dcom - metasploit
!
© 2010 The SANS Institute As part of the Information Security Reading Room Author retains full rights.!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
"#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!
Wiiting a Penetiation Testing Repoit Su

Nansoui Alhaibi, mhaibi@gmail.com













Figure 8 Uploading nc.exe as backdoor
We uploaded a tool for further testing



!
© 2010 The SANS Institute As part of the Information Security Reading Room Author retains full rights.!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
"#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!
Wiiting a Penetiation Testing Repoit S1

Nansoui Alhaibi, mhaibi@gmail.com
We opened a command shell using meterpreter and ran nc.exe to listen on port
2222/TCP:



















And downloading SAM file for cracking the system passwords offline:
Impact
Critical
Figure 9 Shell command and running nc
Figure 10 Downloading SAM file
!
© 2010 The SANS Institute As part of the Information Security Reading Room Author retains full rights.!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
"#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!
Wiiting a Penetiation Testing Repoit S2

Nansoui Alhaibi, mhaibi@gmail.com
Risk Rating
Critical
Recommendation
Patch the system with latest patches from MS.
http://www.microsoft.com/technet/security/bulletin/MS03-039.mspx
4. References
Appendix A - Nessus Vulnerability Scanning Reports
Attache nessus scanning file.
Last Updated: January 22nd, 2011
Upcoming SANS Training
Click Here for a full list of all Upcoming SANS Events by Location
MGT442 Information Security Risk Management Beta Test North Charleston, SC Feb 09, 2011 - Feb 10, 2011 Live Event
RSA Conference 2011 San Francisco, CA Feb 13, 2011 - Feb 14, 2011 Live Event
SANS India 2011 Bangalore, India Feb 14, 2011 - Feb 19, 2011 Live Event
North American SCADA 2011 Lake Buena Vista, FL Feb 23, 2011 - Mar 03, 2011 Live Event
SANS Phoenix 2011 Phoenix, AZ Feb 25, 2011 - Mar 02, 2011 Live Event
SANS SEC504 Oman 2011 with FIS Muscat, Oman Feb 26, 2011 - Mar 03, 2011 Live Event
SANS Singapore 2011 Singapore, Singapore Mar 07, 2011 - Mar 19, 2011 Live Event
SANS Wellington 2011 Wellington, New Zealand Mar 07, 2011 - Mar 12, 2011 Live Event
SANS Barcelona 2011 Barcelona, Spain Mar 21, 2011 - Mar 26, 2011 Live Event
SANS 2011 Orlando, FL Mar 26, 2011 - Apr 04, 2011 Live Event
SANS 508 RHUL 2011 Egham, United Kingdom Mar 28, 2011 - Mar 30, 2011 Live Event
The 2011 Asia Pacific SCADA and Process Control Summit Sydney, Australia Mar 31, 2011 - Apr 07, 2011 Live Event
SANS Bali 2011 Nusa Dua, Bali,
Indonesia
Apr 11, 2011 - Apr 16, 2011 Live Event
SANS Northern Virginia 2011 Reston , VA Apr 15, 2011 - Apr 23, 2011 Live Event
SEC434 Log Management Beta OnlineCA Jan 27, 2011 - Jan 28, 2011 Live Event
SANS OnDemand Books & MP3s Only Anytime Self Paced

! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! !

Writing a Penetration Testing Report

GIAC (GPEN) Gold Certification !"#$%&'()*+,%"&(!-(!.$*&/01(2$*&/0342*0.-5%2( !670,%&'(8&(9::,(;:"+:(

!55:<#:6'(!<&0.(=#$(>?@?(

!/,#&*5#(

A&0#0+4(*(<:+:#&*#0%+(#:,#0+4(&:<%&#(0,(*+(*&#(#$*#(+::6,(#%(/:(.:*&+:6(#%(2*B:(,"&:( "#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;! #$*#(#$:(&:<%&#($*,(6:.07:&:6(#$:(&04$#(2:,,*4:(#%(#$:(&04$#(<:%<.:-(C$:(&:<%&#(D0..( /:(,:+#(#%(#$:(#*&4:#(%&4*+0E*#0%+F,(,:+0%&(2*+*4:2:+#(*+6(#:5$+05*.(#:*2(*,(D:..-( G%&(#$0,(&:*,%+1(D:1(*,(<:+:#&*#0%+(#:,#:&,1(+::6(#%(6:.07:&(#$:(&:<%&#(0+(*(D*H(#$*#( ,:&7:,(%"&(%/I:5#07:(#%(,:5"&:(#$:(0+J%&2*#0%+-(C$0,(<*<:&(D0..(:K<.*0+(#$:( <:+:#&*#0%+(#:,#0+4(&:<%&#(D&0#0+4(2:#$%6%.%4H1(/*,:6(%+(#$:(*"#$%&L,(:K<:&0:+5:,1( 6:,5&0/0+4(#$:(&:<%&#(5%+#:+#(*+6(6:,04+-(!<<:+60K(!(,$%D,(*(6:#*0.:6(:K*2<.:(%J(*( <:+:#&*#0%+(#:,#0+4(&:<%&#(/*,:6(%+(#$:(6:,5&0/:6(*<<&%*5$-(

© 2010 The SANS Institute

As part of the Information Security Reading Room

Author retains full rights.!

! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! !

(A&0#0+4(*(M:+:#&*#0%+(C:,#0+4(N:<%&# >( (

1. Introduction
A lot of currently available penetration testing resources lack report writing methodology and approach which leads to a very big gap in the penetration testing cycle. Report in its definition is a statement of the results of an investigation or of any matter on which definite information is required (Oxford English Dictionary). A penetration test is useless without something tangible to give to a client or executive officer. A report should detail the outcome of the test and, if you are making recommendations, document the recommendations to secure any high-risk systems (Whitaker & Newman, 2005). Report Writing is a crucial part for any service providers especially in IT service/ advisory providers. In pen-testing the final result is a report that shows the services provided, the methodology adopted, as well as testing results and recommendations. As one of the project managers at major electronics firm Said "We don't actually manufacture anything. Most of the time, the tangible products of this department [engineering] are reports." There is an old saying that in the consulting business: “If you do not document it, it did not happen.” (Smith, LeBlanc & Lam, 2004) "#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;! Many people consider business reports as dry, uninteresting documents, which take a great deal of time and efforts to prepare. The reality is that they are an essential part of doing business and one's ability to be proficient in this area is critical to the ability to pursue commercial success (McCarthy, 1979; Ronstadt, 1984; Thompson, 2003c). Penetration testing report presents the approach followed and the results of the vulnerability assessment and penetration test of a target system with a detailed recommendation of how to mitigate the risks. Target reader for the penetration testing report will vary, executive summary will be read by the senior management and the technical details will be read by the IT and/or information security responsible people. This paper begins with a conventional approach to develop a penetration testing report starting from collecting information, drafting the first report and ending with a professional report. As shown in figure 1 the penetration testing report writing stages are: Report planning, Information collection, writing the first draft and reviewing and finalization.

)*+,%"&(!.$*&/01(2$*&/0342*0.-5%2(
© 2010 The SANS Institute

(

(
Author retains full rights.!

As part of the Information Security Reading Room

567!5895!.#0+4(N:<%&# O( ( Figure 1: Report Development Stages "#$!%&'(#)*)&'+!./0!.$*&/01(2$*&/0342*0.KM will be the organization name.! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! (A&0#0+4(*(M:+:#&*#0%+(C:. The target reader for this paper is the technical penetration testers that need to enhance their capabilities in report writing. and how this will help the target readers of the penetration testing report understand the content.-5%2( © 2010 The SANS Institute ( ( Author retains full rights.!-. 2 servers have been configured and GPEN.! As part of the Information Security Reading Room . Finally appendix A has a sample penetration testing report applying the approach described.03!0045!.467!:.83!-/. what each of the contents is used for. )*+.! Then in section 3. the paper provides the needed content each report normally has. For the purpose of this paper.%"&(!.0!383.-12!1.

Pen Tester needs to make sure that sufficient time is allotted in the project plan. PCI compliance once the objectives are clear both the reader and the penetration tester(s) will know what exactly the aim of the project.g. • Even though there is no 100% security. This may be found in the Request for Proposal.-5%2( © 2010 The SANS Institute ( ( Author retains full rights. Sample time table is shown in 1.567!5895!.g.03!0045!.83!-/.! As part of the Information Security Reading Room .-12!1. the changes need to be freeze in the penetration testing scope during the test to make sure that the testing is exactly assessing the current IT (the penetration testing scope). these stages show a practice for the development of penetration testing report.%"&(!.Timeline in Appendix A Sample Penetration Testing )*+. Sample report objectives can be found in section 1. This may include: • In mission critical infrastructure the organization may need to make sure some key IT persons are available during the test in case some thing does wrong e. • In rapidly changing IT infrastructure. be part of risk analysis.4. Time "#$!%&'(#)*)&'+!.0!383.! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! (A&0#0+4(*(M:+:#&*#0%+(C:./0!. server crash. be part of compliance or to know the current stat of the target testing environment. 2.! Penetration tester(s) need(s) to exactly mention the testing time for many reasons.2. This section explains why we conduct the penetration testing and the benefit of it.$*&/01(2$*&/0342*0.Project Objectives in Appendix A Sample Penetration Testing Report.467!:. Report Development Stages As shown in figure 1.#0+4(N:<%&# P( ( 2. the report will show the risks in the penetration testing scope during this period of time any risks after this time may arise because of some changes in the IT infrastructure of changing in the configuration.1. Report Planning Report objectives Report objectives help the reader to focus on the main points of the penetration testing and the report e.!-.

!-.%"&(!. 60% of your time should be spent writing the draft. so a report will often have a hierarchical structure to support different levels of details.467!:. operational planning. Report audiences include Information Security Manager. Information Technology Manager and technical teams. attitudes).! As part of the Information Security Reading Room .83!-/.e. exploits and more. vulnerability. Planning the report will help in delivering an effective report. Pen Tester needs to consider the client’s acceptance process as well as the fact that it may take longer than expected. • Position in the organization • Knowledge of the report topic(i. approval). "#$!%&'(#)*)&'+!. More information about the scope and target audiences can be found also in the scope of work of the assignment.! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! (A&0#0+4(*(M:+:#&*#0%+(C:.g. Typically. In designing the report form and style.567!5895!.03!0045!.$*&/01(2$*&/0342*0. age. some applications information. threats. The report classification will be based on the target organization information classification policy. Divide your report writing into tasks to simplify things and focus of them. servers IP addresses and its information. during the project planning time of the report delivery needs to be carefully taken into consideration. On the other hand. alliances.-5%2( © 2010 The SANS Institute ( ( Author retains full rights. Report classification Since Penetration Testing Report have sensitive information such as. and • Personal demographics (i. Consider the target audiences Penetration testing reports usually have a number of target audiences/audience groups to reach.! • Responsibility or authority to make decision based on the report.0!383. resource allocation. the following target audience characteristics should be considered: • Their need for the report (i. Chief Information Security Officer.-12!1./0!.e.#0+4(N:<%&# Q( ( Report.e. it should be considered to be in every high rank of confidentiality e. )*+. TOP SECRET and the report will be dealt with accordingly. purpose).

#0+4(N:<%&# =( ( Report distribution The number of copies of the report.03!0045!. softcopy) and the delivery procedure should be carefully implemented to control the report distribution and make sure it only arrives to the right person in the right time based on the need to know the bases.-12!1. the report format (hardcopy. you are under an ethical obligation to keep the details of the report confidential. Finally after submitting the report.! carefully controlled in a secure server owned by the department that has requested the penetration testing service. however. the penetration tester should delete any available information that he have and inform the client that all related information has have been erased (This step should be clearly mentioned and agreed upon in the service agreement documents.$*&/01(2$*&/0342*0. Newman (Whitaker & Newman. You can imagine the shock of the institution when it discovered these contents being distributed to its competitors! Therefore. As Andrew Whitaker and Daniel P. Softcopy needs to be "#$!%&'(#)*)&'+!. Some penetration testing firms have known to circulate test results to other companies as samples of their work. Type of report delivery.! As part of the Information Security Reading Room . Shred any hard )*+.467!:.-5%2( © 2010 The SANS Institute ( ( Author retains full rights. Table 1 shows a sample table that can be utilized to control hardcopies. Copy No Department Name Date Table 1 Penetration Testing Report distribution control Each copy will formally hand over to the target person. Distributing the softcopy of the report normally will be controlled by the document owner (report owner) and it will be under his responsibility./0!.567!5895!.%"&(!. number of copies and report distribution should be addressed in the scope of work.!-. 2005) stated that 'your ethical responsibilities do not stop when the test is done. you should perform due diligence to ensure the confidentiality of the test results. as a penetration tester. Hardcopies can be controlled by printing a limited number of copies attached with its number and the receiver name. These results contain detailed steps on how to break into an e-finance website for a particular financial institution and collect sensitive customer data. After the test is completed.83!-/.0!383.! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! (A&0#0+4(*(M:+:#&*#0%+(C:.

This include. system used and tools.! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! (A&0#0+4(*(M:+:#&*#0%+(C:.. Writing the first draft Start writing a rough draft report using all relevant information gathered in stage 2.pcap 2.-12!1.567!5895!. Delete the symbol once editing is completed. This will ease his report writing and make all information that he need available either in each stage. In Linux environment to capture all traffic this command will help: # tcpdump –nn –S 0 –w filename. In case of the penetration testing is conducted by a team. Pen-tester needs to consider information collection in all steps that he performs during the test. etc. 60% of report writing time will be in writing the draft. Information Collection Due to the nature of penetrating testing and utilizing more than one way.-5%2( © 2010 The SANS Institute ( ( Author retains full rights.! ! Taking notes ! ! Capturing screenshots Logging for all activities (This will help in a very critical infrastructure to proof what the pen-tester did and in case something happened).83!-/.0!383. and delete all soft copies using an erasing utility such as PGP or Axcrypt'.#0+4(N:<%&# R( ( copies of the report. snap shots of the findings and exploits (if any). etc.%"&(!.467!:. Collecting the information during the penetration testing stages/steps is a very important step to be able to write the report. tools.03!0045!. it is highly recommended not to be concerned about proofreading and editing. At this stage. computers.2 using the relevant notes.! As part of the Information Security Reading Room . 2.!-. )*+. vulnerability assessment. using information and analyzing it either in the penetration testing activity or during report writing. Typically. a centralized and secure location need to be located to share the information. Pen testers may utilize some tools such as: "#$!%&'(#)*)&'+!.3. moving to the next stage. It may be helpful to use a symbol such as "#" or adding highlights to mark the spot where pen-tester needs to check back later to edit a paragraph./0!. penetration tester needs to make sure that he collected all the information in all stages.$*&/01(2$*&/0342*0. scanning results.2.

Document Control Document control will be based on the service provider control of document procedure. report version. 3.-5%2( © 2010 The SANS Institute ( ( Author retains full rights.! 3. If the test is white penetration testing.03!0045!. one of the penetration testing team needs to review the report.! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! (A&0#0+4(*(M:+:#&*#0%+(C:.1./0!. Cover Page This will show the report name.467!:. Peer review depends on the type of penetration testing conducted. Report review depends also on the organization's procedure and the way that they handle the service. Report Format This section describes the penetration testing report format and why we need each subsection. cover page may also include document serial number and target organization name. fonts to be used and colors. QA team may also need to review it and make sure it follows the company standards.!-. "#$!%&'(#)*)&'+!. 3. Sample Penetration testing report using the report format described here is shown in Appendix A.83!-/. Here are some recommended sections and contents.-12!1. After updating the report.2.! As part of the Information Security Reading Room . This will be controlled based on how the service provider's document looks and feels. someone with knowledge of the target system will review the report collaboratively. This includes but not limited to the header and footer content.4.%"&(!.0!383. Review and finalization Draft needs to be reviewed to enhance it. Page design In report planning.#0+4(N:<%&# S( ( 2. )*+. This will lead to much better results. if it is a black box penetration testing. In case the penetration testing has been conducted by a team. peer review is highly recommended to have a second opinion.567!5895!. page design needs to be decided upon to develop the look and feel of the report. the author/service provider name. date.$*&/01(2$*&/0342*0. all team members need to review and/or edit it.

2006). Typically. Think of what you’d say if you ran into an executive in the elevator and had one minute to summarize your findings" (Snedaker. This section normally is written after writing the report. Version control will track the report changes by recording the change description.! As part of the Information Security Reading Room . 3.! List of Illustrations If there are tables or charts included in the report.03!0045!.! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! (A&0#0+4(*(M:+:#&*#0%+(C:. methodology used. If the report includes some appendices.%"&(!. "#$!%&'(#)*)&'+!. for reports with less than 5 pages.467!:.-12!1. this will show the document title. The Executive Summary summarizes the report content in a small paragraph containing a statement of the tasks accomplished.4. date of the change and the change author. 3. name of persons whom reviewed the report.0!383./0!.!-. author. approved by whom and the document classification. Version control This will show the Version Control for the report. Executive summery target executives where high level findings/issues need to be raised and recommended solutions need to be presented. the titles of these should be listed but not page numbered. penetration testers name.83!-/. List of Report Content Table of Content This will list all sections of the report in a sequence with the page numbers. version.567!5895!.3. a content page is not necessary.-5%2( © 2010 The SANS Institute ( ( Author retains full rights.#0+4(N:<%&# T( ( Document Properties In a small table. report version. high level findings and recommendations. )*+. list them in this section with page numbers.$*&/01(2$*&/0342*0. Executive Summary "Write this after you’ve completed writing the report.

during this period only. Identifying the scope will help Project Objectives Provide the objectives that the organization will gain after knowing the risks related to the penetration of the target IP addresses/ system or application and what they will get after mitigating these risks by implementing the recommendations in the penetration testing report.Testing duration 2.The pen-tester does not hold any responsibilities if some risk aroused after this period of time due to some changes in the target systems. IP addresses that has been tested.-12!1. which are expected to be linked with the organization's objectives. )*+.! Assumption In case there are some assumptions that the pen-tester considers before or during the test. 3. type of penetration testing perform and any other information that affect the time and budget of the project.!-. the assumptions need to be clearly shown in the report. Providing the assumption will help the report audiences to understand why penetration testing followed a specific direction.The tested IP address's risks. If the penetration testing is part of compliance project the report needs to mention this requirement and how the pen-testing will help to achieve it. This will provide the report target audiences with information about: 1.567!5895!.#0+4(N:<%&# @?( ( Scope of work Scope of work clearly identifies the scope of the project.! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! (A&0#0+4(*(M:+:#&*#0%+(C:.83!-/.%"&(!. The penetration testing objective needs to be linked with the information security objectives.467!:.! As part of the Information Security Reading Room .-5%2( © 2010 The SANS Institute ( ( Author retains full rights. from pen-testing point of view.0!383.$*&/01(2$*&/0342*0. "#$!%&'(#)*)&'+!. Timeline This will show the penetration testing start and end dates./0!.03!0045!.

%"&(!. 3. unsupported by the evidence.-12!1. analysis of the issue and the impact on the information asset (the IP address) if the threat agent was able to exploit the vulnerability. What steps have been followed to collect the information." (Smith et al. speculative. Present the findings in the simplest way as possible. Summary of Recommendation Based on the analysis of risks and the high level finding. 3.! This section provides detailed information for each finding.567!5895!. "When you construct the report of your findings. be careful to avoid statements that are inflammatory.6. Report should explain the source of the vulnerability and the root )*+.03!0045!.! As part of the Information Security Reading Room .!-. vulnerability rating. Risk Rating and Recommendation. its impact and the likelihoods of the vulnerability to be exploited. Each one of these elements will be briefed in the next paragraphs. analyze them.-5%2( © 2010 The SANS Institute ( ( Author retains full rights.0!383. Here are a few: • • • • Tables Graphs Pie or Bar charts Diagrams Vulnerabilities For each piece of vulnerability.$*&/01(2$*&/0342*0. the risk rating methodology used to calculate the risk for each piece of vulnerability and it may also contain the tools that the pen-tester used for each stage.5. Detail findings "#$!%&'(#)*)&'+!. Methodology This section provides the needed information about how the penetration testing was conducted./0!. or overly frightening.467!:. a clear description should be shown about the source of the vulnerability. 2004). the high level recommendation for the target organization need to be described.83!-/.! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! (A&0#0+4(*(M:+:#&*#0%+(C:. For each finding describe the threat level. There are a number of ways in which results can be presented.#0+4(N:<%&# @@( ( Summary of Findings In a glance view show the number of discovered risks based on priorities.

For example. & Feringa1. for weak authentication protocols being used to validate accounts for accessing a customer database through the ASP Web application. Impact The report should explain the impact of the vulnerability's exploitation by the threat agent.g.! Analysis in Appendix A was developed based on NIST. difficulty of discovering the vulnerability and exploiting it.567!5895!.#0+4(N:<%&# @>( ( cause of the problem not the symptom of it.-12!1. Recommendation "Presenting a piece of vulnerability in your findings without documenting how the vulnerability could be managed is only half of your security assessment job. This will mitigate the vulnerability persistence. or other suggestions for reducing or eliminating the vulnerability. This is a Special Publication 800-30.%"&(!.! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! (A&0#0+4(*(M:+:#&*#0%+(C:.03!0045!. which shows one method of risk analysis and calculation. pen tester may provide more than option for mitigating the risk such as: 1-Implement Public Key Infrastructure (PKI) by providing certificate to all users of the database and require certificate-based authentication on the front-end )*+." (Smith et al.$*&/01(2$*&/0342*0./0!. Based on the risk rating and the target asset.0!383. Likelihood Likelihood is "the probability that a potential vulnerability may be exercised within the construct of the associated threat environment" (Stoneburner. a hacker).. The other half is presenting potential solutions. the penetration tester should provide an acceptable recommendation with alternatives. Table 3 Risk "#$!%&'(#)*)&'+!. and the value of the asset to the target organization. Practical penetration tester may think of the likelihood as a combination of ease of access.!-.-5%2( © 2010 The SANS Institute ( ( Author retains full rights.467!:. mitigations. Risk evaluation "Process of comparing the estimated risk against given risk criteria to determine the significance of the risk "(ISO/IEC Guide 73:2002). 2004). The report should state the likelihood of a vulnerability being exploited by the threat source (e.! As part of the Information Security Reading Room . Goguen1.83!-/. level of access gained. 2002).

References It is important to give precise details of all the work by other authors. This solution will require the design and implementation of Active Directory.83!-/. 2.-5%2( © 2010 The SANS Institute ( ( Author retains full rights. vulnerability assessment results.Import the accounts database to Active Directory and implement basic authentication over SSL on the website.!-. Additionally.%"&(!.-12!1. 3. or other information.567!5895!.Control objectives and controls ISO/IEC 27001:2005 to select some controls that will help in minimizing the risk discovered. Penetration Tester may also utilize Annex A .8.#0+4(N:<%&# @O( ( website in addition to the forms-based authentication on the website. which has been referred to within the report. This can be consulted if the reader wishes to but the report should not depend on this.467!:.! As part of the Information Security Reading Room .! • Author’s name and initials • Date of publication • Title of the book.03!0045!. which may be useful for the reader. )*+.! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! (A&0#0+4(*(M:+:#&*#0%+(C:. paper or journal • Publisher • Place of publication • Page numbers • Details of the journal volume in which the article has appeared. which is highly susceptible to spoofing or man-in-the-middle attacks. all client operating systems must run Microsoft Windows 2000 or later./0!. Details should include: "#$!%&'(#)*)&'+!.$*&/01(2$*&/0342*0.7. Make sure that your references are accurate and comprehensive. Appendices An appendix contains additional information related to the report but which is not essential to the main findings. 3-Continue to use the current custom authentication protocol.0!383. 3. References should be listed in alphabetical order of the authors' names. Such information may include the scanning result. This solution will require the design and implementation of a PKI and Active Directory.

International Organization for Standardization.%+1(!-(U>??OV-(!"#$%&'("#)"*+'. D..(2006).(X5$%%. References Whitaker.$+-%.%4H-( Retrieved December 15. D./+01&)"$&&+2. Assessing network security.0!383.! BS ISO/IEC 27001:2005./"&4'([*#0%+*. Snedaker .7. & Newman. LeBlanc.0+:. B.".-5%2( © 2010 The SANS Institute ( ( Author retains full rights.-12!1.9+ %)&<+=("(*$=$"'+*1)#$+/.. Appendix A shows a Sample report of a penetration testing.#0+4(N:<%&# @P( ( 3."&+.gov/publications/nistpubs/800-30/sp800-30. Canada: Syngress."+'$2. (2005).#0#"#:(%J(X#*+6*&6. USA: Cisco Press.==$"#('). Penetration testing and network defense.83!-/.((( \+. Writing Reports Retrieved December 15.$*&/01(2$*&/0342*0.!-.(*+6(C:5$+%.".%+)"/. 4.! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! (A&0#0+4(*(M:+:#&*#0%+(C:./+ '.467!:.567!5895!."+899:..%=(')./0!.*>-(Y*0#$:&. S.03!0045!./+&'("#(%#&+("#+'$2..*>+&>&'$=&+%$2.( X#%+:/"&+:&1(Y-1 Feringa1!-1(Z(Y%4":+1(!-(U>??>V-(3456+5-$2)(7+-107)2(')."(7+)"&')'1'$+.pdf The Higher Education Academy.! As part of the Information Security Reading Room . Information security management systems — Requirements "#$!%&'(#)*)&'+!. USA: Microsoft Press. (2004). Smith. ISO (the International Organization for Standardization) and IEC (the International Electro-technical (2005). ( C$%2<.2009 from The Higher Education Academy Web site: )*+.2009 from NIST Web site: http://csrc.7. It Security project management . A.nist. K.9.%"&(!.$+"(').."2$-'-(M:&#$('( )"&6%5$(W". & Lam ./+. Glossary Define the meaning of technical terms.

.ac.edu/Handbook/ Purdue Online Writing Lab.uk/assets/hlst/documents/heinfe_exchange/Blended_Learni ng_PDP_Materials/5_reportwriting.3 penetration testing.+#)2')./0!.$*&/01(2$*&/0342*0.2009. The SANS Institute.au/FCWViewer/view.wisc."(%>-([:D(^%&B'(]KJ%&6(_+07:&. from CQ University Australia Website: http://clc. Communications Learning Centre Retrieved December 15. (2008). Payment Card Industry PCI. from Purdue OWL and Writing Lab Web site: http://owl. 2009.03!0045!.-12!1.pdf ( ( )*+.567!5895!.%#+$"*7)&. (2009). Retrieved January 10.edu. Writer's Handbook Retrieved December 15.pdf The University of Wisconsin.! As part of the Information Security Reading Room .english.0!383.! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! (A&0#0+4(*(M:+:#&*#0%+(C:.83!-/. Handbook on report Formats Retrieved January 10.-5%2( © 2010 The SANS Institute ( ( Author retains full rights.3.org/pdfs/infosupp_11_3_penetration_testing.2010.! The SANS Institute. SANS Security 560 Network Penetration Testing and Ethical Hacking.#0+4(N:<%&# @Q( ( http://www.467!:.CQ University Australia.edu/owl/resource/726/01/ ]KJ%&61(?@/. 11.pcisecuritystandards.%"&(!.2010.0#H(M&:. from Payment Card Industry (PCI) Web site: https://www.!-.do?page=842 "#$!%&'(#)*)&'+!.heacademy. PCI Security Standards Council.purdue. from University of Wisconsin Web site: http://writing. Information supplement: requirement 11.cqu.

#0+4(N:<%&# @=( ( Appendix A Sample Penetration Testing Report Black Box Penetration Testing For GPEN. Alharbi )*+.! By: Mansour A.-5%2( © 2010 The SANS Institute ( ( Author retains full rights.0!383.KM V1. yyyy "#$!%&'(#)*)&'+!.! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! (A&0#0+4(*(M:+:#&*#0%+(C:.567!5895!.$*&/01(2$*&/0342*0.!-.0 Month ddth.03!0045!.83!-/.! As part of the Information Security Reading Room ./0!.%"&(!.467!:.-12!1.

! As part of the Information Security Reading Room . Alharbi Mansour A./0!.! Final Draft Month ddth.467!:.567!5895!.83!-/.$*&/01(2$*&/0342*0.0!383.03!0045!.-12!1.-5%2( © 2010 The SANS Institute ( ( Author retains full rights. yyyy Mansour Alharbi )*+.#0+4(N:<%&# @R( ( Document Properties Title Version Author Pen-testers Reviewed By Approved By Classification Black Box Penetration Testing Report V1. Alharbi Kees Leune Kees Leune Confidential Version control Version Date Author Description V1.0 Mansour A.%"&(!.0 "#$!%&'(#)*)&'+!.! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! (A&0#0+4(*(M:+:#&*#0%+(C:.!-.

2WINDOWS SERVER 192........ 3..... 18 1EXECUTIVE SUMMARY .... 27 4........................................ 21 1...........................! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! (A&0#0+4(*(M:+:#&*#0%+(C:....... 20 1...................../0!....................................1D"#$!%&'(#)*)&'+!................................. 20 1................................................................................................. 20 1............................................................ 32 APPENDIX A NESSUS VULNERABILITY SCANNING REPORTS ..3ASSUMPTION ........................................................... 23 2. 23 2.............................................................................................................................................................................................................................................#0+4(N:<%&# @S( ( Table of Content CONTENTS ..........6SUMMARY OF RECOMMENDATION ........2EXPLOITATION ................................................. 24 2.................................................................................................3REPORTING .............................................................1PLANNING ......-12!1...................5SUMMARY OF FINDINGS ........-5%2( © 2010 The SANS Institute ( ( Author retains full rights......! 25 ETAILED SYSTEMS INFORMATION ..%"&(!....567!5895!.....................................................REFERENCES .................................83!-/..........................................................................0!383................................................................... 20 1................................4TIMELINE ......................................... 25 3...................................................2PROJECT OBJECTIVES ................................................. 20 1...................467!:.................... 24 3DETAIL FINDINGS ....................168...........................................................................1..................................03!0045!.............. 22 2METHODOLOGY ..................................$*&/01(2$*&/0342*0....................................................................................!-... 32 )*+.......................75 ...........................! As part of the Information Security Reading Room .......1SCOPE OF WORK ...................................................

03!0045!.-12!1.467!:.#0+4(N:<%&# @T( ( List Of Illustrations List of Tables Table 1 Penetration Testing Time Line 12 Table 1 Total Risk Rating 12 Table 3 Risk Analysis 16 Table 4 Rating Calculation 16 Table 5 Targets open ports 17 List of Figures Figure 1 Total Risks 13 Figure 2 Penetration Testing Methodology 15 Figure 3 192.-5%2( © 2010 The SANS Institute ( ( Author retains full rights.! Figure 4 Telnet Service Banner 18 Figure 12 Exploiting RPC using dcom 18 Figure 13 Getting Shell Access 19 Figure 14 Exploiting dcom – metasploit 19 Figure 16 Uploading nc.83!-/.1./0!.exe as backdoor 21 Figure 17 Shell command and running nc 22 Figure 18 Downloading SAM file 22 )*+.168.$*&/01(2$*&/0342*0.%"&(!.0!383.567!5895!.!-.! As part of the Information Security Reading Room .! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! (A&0#0+4(*(M:+:#&*#0%+(C:.75 Number of Risks 17 "#$!%&'(#)*)&'+!.

%"&(!. The assessment was carried out from a black box perspective. vulnerability and impact. with the only supplied information being the tested servers IP addresses. Given the limited time that is given to perform the assessment.-12!1.!-. Executive Summary This document details the security assessment (external penetration testing) of GPEN.03!0045!. we assume that both IP addresses are considered to be public IP addresses. 1. as well. The result of the assessment is then analyzed for vulnerabilities./0!. Assumption While writing the report.KM. Timeline The timeline of the test is as below: Penetration Testing Pen Test 1 Start Date/Time mm/dd/yyyy Table 1 Penetration Testing Time Line )*+. The vulnerabilities are assigned a risk rating based on threat. The purpose of the assessment was to provide a review of the security posture of GPEN.! As part of the Information Security Reading Room .0!383. 1.75 and 192. as to identify potential weaknesses in its Internet infrastructure.4.#0+4(N:<%&# >?( ( 1. only immediately exploitable services have been tested. NDA and rules of engagement has been signed and based on the information gathering phase the company name is GPEN.168.1.$*&/01(2$*&/0342*0.KM.KM’s "#$!%&'(#)*)&'+!.83!-/.467!:.KM Internet infrastructure. 1.76 addresses. Project Objectives This security assessment is carried out to gauge the security posture of GPEN. No other information was assumed at the start of the assessment.! Internet facing hosts. Scope of work This security assessment covers the remote penetration testing of 2 accessible servers hosted on 192.-5%2( © 2010 The SANS Institute End Date/Time mm/dd/yyyy ( ( Author retains full rights.1. 1.2.1.3.! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! (A&0#0+4(*(M:+:#&*#0%+(C:.567!5895!.168.

#0+4(N:<%&# >@( ( 1.-5%2( © 2010 The SANS Institute ( ( Author retains full rights.03!0045!. GPEN.%"&(!. Other areas such as processes and people should be emphasized as well.5. Summary of Findings Value Low Medium High Critical Number of Risks 3 2 6 6 Table 2 Total Risk Rating "#$!%&'(#)*)&'+!.KM lacks a defense in depth (multi-layered) security strategy which if implemented will help GPEN.KM achieves better security level.! Figure 1 Total Risks GPEN.! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! (A&0#0+4(*(M:+:#&*#0%+(C:./0!.-12!1.KM needs to invest in implementing a defense-in-depth approach to have multiple layers of security to protect their information asset. for instance. should be implemented to strengthen the different layers of security within GPEN.83!-/.! As part of the Information Security Reading Room .KM needs to pay more attention to information security. Below are the high level findings from the external penetration test: • GPEN.!-.0!383.567!5895!. We were able to access one server in less than one hour. Systems and networks hardening and secure configurations. )*+.467!:.$*&/01(2$*&/0342*0.KM .

83!-/.75 is running multiple security vulnerability such as SQL injection and XSS. GPEN.03!0045!.#0+4(N:<%&# >>( ( • We found that both servers are not protected by a firewall and can present a security risk since the host runs a number of services such as Microsoft terminal services without being configured for optimal security. Summary of Recommendation Adopt defense-in-depth approach where GPEN. • It was obvious that GPEN.0!383.1. o Allow only authorized IPs to connect to other services or best disable unneeded services. Web application hosted in 192.%"&(!. Among these: • Deploy Host Intrusion Prevention Systems –HIPS on servers and desktops.168.! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! (A&0#0+4(*(M:+:#&*#0%+(C:.KM patch management policy and procedure is either not existing or not implemented correctly.! As part of the Information Security Reading Room .KM has to implement input validation and "#$!%&'(#)*)&'+!. Implement Patch management system(s) to provide centralized control over fixes. Best practice is to have 3-tier design./0!. This will minimize overhead on operations team and will elevate security resistance.! re-design the web application component.467!:.-5%2( © 2010 The SANS Institute ( ( Author retains full rights.567!5895!.-12!1. One of these servers was running windows 2000 server without any patches. GPEN. This opened a very high security risk on the organization. An attacker can gain access to customer information and manipulate it. 1.!-. • Services installed were running with default configuration such as FTP. o Apply anti-mapping rules on the border router and primary firewall. )*+. also enable personal firewall on desktop (such as Microsoft Windows firewall).$*&/01(2$*&/0342*0. • • Perform security hardening on servers in the production environment especially those in the Internet and/or external DMZs.KM utilizes variety of security tools/systems and processes to protect its assets and information. At least the application server and DB server should be hosted in deferent servers and segregated by a firewall. updates and patches to all systems. devices and equipments.KM must design the Firewall policy as follows: o Apply rules to allow only public services such as mail and web access.6.

Best practice is to have 3-tier design. 2.567!5895!.! Figure 2 Penetration Testing Methodology 2.0!383.S and determined the running services and its versions.1.03!0045!.%"&(!. we detect the live system its O.$*&/01(2$*&/0342*0. Planning During planning we gather information from public sources to learn about target: People and culture Technical infrastructure Then. Develop and implement a training path for the current IT staff.! As part of the Information Security Reading Room .KM has to implement input validation and re-design the web application component.!-./0!. )*+.83!-/. Methodology "#$!%&'(#)*)&'+!.! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! (A&0#0+4(*(M:+:#&*#0%+(C:.467!:. • • Conduct vulnerability assessment at least twice a year and penetration testing at least once a year or if there is a major change in the information assets.-5%2( © 2010 The SANS Institute ( ( Author retains full rights. At least the application server and DB server should be hosted in deferent servers and segregated by a firewall.-12!1.#0+4(N:<%&# >O( ( • GPEN.

0!383. we start writing the report on each risk and how to mitigate it./0!. Reporting Based on the results from the first two steps.!-.03!0045!.83!-/.2. *Based on our analysis risks that falls under this category will be considered as High.! Critical 4 8 12 16 8 16 24 32 12 24 36 48 16 32 48 64 Table 3 Risk Analysis L M H C Low Medium High Critical Table 4 Rating Calculation After calculating the risk rating.3. Our Risk rating is based on this calculation: Risk=Threat * Vulnerability * Impact Threat Vulnerability Impact Low Low L M H 1 2 4 3 6 C 4 8 Medium L M 1 4 4 8 H 6 C 8 High L 3 M 6 H 9 C Critical L M 8 H C 12 4 24 8 12 16 Medium 2 12 16 6 12 18 16 24 32 High 3 6 9 12 6 12 18 24 9 18 27* 36 12 24 36 48 "#$!%&'(#)*)&'+!.%"&(!.$*&/01(2$*&/0342*0.#0+4(N:<%&# >P( ( 2. 1-16 17-32 33-48 49-64 )*+.467!:.! As part of the Information Security Reading Room . 2.S and service that we discovered after that trying to exploit it. Exploitation Utilizing the information gathered in Planning we start to find the vulnerability for each O. we start analyzing the results.! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! (A&0#0+4(*(M:+:#&*#0%+(C:.-12!1.-5%2( © 2010 The SANS Institute ( ( Author retains full rights.567!5895!.

/0!.03!0045!. Detailed Systems Information Open Ports IP Address System Type OS Information Port# Protocol 139 21 80 135 389 445 464 Tcp Tcp Tcp Tcp Tcp Tcp tcp Service Name netbios-ssn ftp http Msrpc Ldap open microsoft-ds open kpasswd5? open "#$!%&'(#)*)&'+!.%"&(!.! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! (A&0#0+4(*(M:+:#&*#0%+(C:.567!5895!.0!383.83!-/.76 Server Windows Server 2003 Service Pack 1 636 1025 1027 1030 3268 3269 tcp Tcp Tcp Tcp Tcp Tcp open tcpwrapped open msrpc open ncacn_http open msrpc open ldap open tcpwrapped open 3389 Tcp microsoftrdp )*+.1.#0+4(N:<%&# >Q( ( 3.467!:.! As part of the Information Security Reading Room . Detail findings 3.!-.! 593 tcp Microsoft ncacn_http 192.$*&/01(2$*&/0342*0.-12!1.-5%2( © 2010 The SANS Institute ( ( Author retains full rights.168.1.

#0+4(N:<%&# >=( ( 80 135 139 443 445 Microsoft 192.$*&/01(2$*&/0342*0.-12!1.03!0045!.83!-/.1.! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! (A&0#0+4(*(M:+:#&*#0%+(C:./0!.0!383.-5%2( © 2010 The SANS Institute ( ( Author retains full rights.168.75 Server Windows 2000 Service Pack 0 1035 23 53 1033 135 Table 5 Targets open ports "#$!%&'(#)*)&'+!.%"&(!.467!:.! Tcp Tcp Tcp Tcp Udp 1027 Tcp Tcp Tcp Tcp Tcp Tcp HTTP Msrpc netbios-ssn HTTPS microsoft-ds Port exosee Port mxxrlogin telnet DNS Port netinfolocal Port epmap )*+.! As part of the Information Security Reading Room .!-.567!5895!.

567!5895!.-5%2( © 2010 The SANS Institute ( ( Author retains full rights. attacker with and easy accessible sniffer can sniff the traffic.1.-12!1.467!:.$*&/01(2$*&/0342*0. Windows Server 192.75 Number of Risks Unsecure service (Telnet) is running: Threat Level "#$!%&'(#)*)&'+!.0!383.168.03!0045!.#0+4(N:<%&# >R( ( 3. which may include sensitive data and/or administrator credentials.83!-/.! As part of the Information Security Reading Room . Suspicious users i.! Medium Vulnerability Medium Analysis Telnet provides access to the server for remote administration as an example.%"&(!.168.1.75 Figure 3 192. Unfortunately telnet traffic is not encrypted.2.00 )*+.!-.e./0!.75. we were able to see telnet service version number 5. By Telneting to 192.1.168.! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! (A&0#0+4(*(M:+:#&*#0%+(C:.

#:&(D%".#-( Critical "#$!%&'(#)*)&'+!.(0+(#$:(#*&4:#( .! As part of the Information Security Reading Room .(2".#(J%&(6:2%+.83!-/.6(0+5./0!.#*#:2:+#a(C$:(#%%. We exploit this vulnerability utilizing a ready exploit available in the internet. which has a flaw in its RPC interface.(I".567!5895!.#(/:(&:2%7:6(*J#:&(#$:(#:. Figure 5 Exploiting RPC using dcom After exploiting this vulnerability we got a shell and as you can see the IP address is the server IP address.6(. An attacker or a worm could use it to gain the control of this host."6:(.!-.! Analysis The remote host is running a version of Windows.H.! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! (A&0#0+4(*(M:+:#&*#0%+(C:.#:21(*(&". utilize secure administration tools such as SSH or Secure remote desktop access.(0.#&*#0%+(<"&<%.467!:..0B:(#%("<.#0+4(N:<%&# >S( ( Figure 4 Telnet Service Banner Impact High Risk Rating Low Recommendation If deemed necessary for this server to be administered remotely. which may allow an attacker to execute arbitrary code and gain SYSTEM privileges.:(%J(:+4*4:2:+#(.03!0045!.-12!1.%"&(!.:(0J(#$:(<:+` #:.$*&/01(2$*&/0342*0. )*+.%*6(*+H(#%%.0!383. Microsoft RPC Interface Buffer Overrun: Threat Level High Vulnerability C$0."5$(*( .$%".-5%2( © 2010 The SANS Institute ( ( Author retains full rights.

-12!1.%"&(!.!-.#0+4(N:<%&# >T( ( Figure 6 Getting Shell Access We also utilize this vulnerability to upload and download file through meterpreter as described below: "#$!%&'(#)*)&'+!.metasploit )*+.83!-/.467!:.567!5895!.! Figure 7 Exploiting dcom ./0!.03!0045!.! As part of the Information Security Reading Room .$*&/01(2$*&/0342*0.-5%2( © 2010 The SANS Institute ( ( Author retains full rights.! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! (A&0#0+4(*(M:+:#&*#0%+(C:.0!383.

-5%2( © 2010 The SANS Institute ( ( Author retains full rights./0!.467!:.#0+4(N:<%&# O?( ( "#$!%&'(#)*)&'+!.! As part of the Information Security Reading Room .$*&/01(2$*&/0342*0.exe as backdoor We uploaded a tool for further testing )*+.! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! (A&0#0+4(*(M:+:#&*#0%+(C:.%"&(!.03!0045!.! Figure 8 Uploading nc.-12!1.567!5895!.0!383.83!-/.!-.

/0!.83!-/.$*&/01(2$*&/0342*0.! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! (A&0#0+4(*(M:+:#&*#0%+(C:.#0+4(N:<%&# O@( ( We opened a command shell using meterpreter and ran nc.%"&(!.567!5895!.exe to listen on port 2222/TCP: "#$!%&'(#)*)&'+!.03!0045!.! As part of the Information Security Reading Room .-5%2( © 2010 The SANS Institute ( ( Author retains full rights.467!:.0!383.! Figure 9 Shell command and running nc And downloading SAM file for cracking the system passwords offline: Figure 10 Downloading SAM file Impact Critical )*+.!-.-12!1.

References Appendix A .03!0045!.467!:.! )*+.!-.! As part of the Information Security Reading Room ./0!.com/technet/security/bulletin/MS03-039.83!-/.Nessus Vulnerability Scanning Reports Attache nessus scanning file.-12!1.%"&(!.$*&/01(2$*&/0342*0.mspx 4. http://www.microsoft.0!383.! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! (A&0#0+4(*(M:+:#&*#0%+(C:.567!5895!.-5%2( © 2010 The SANS Institute ( ( Author retains full rights.#0+4(N:<%&# O>( ( Risk Rating Critical Recommendation Patch the system with latest patches from MS. "#$!%&'(#)*)&'+!.

2011 Barcelona. 2011 Feb 26. 2011 Jan 27. 2011 . 2011 .Apr 07. 2011 . 2011 .Mar 03. 2011 Anytime . AZ Muscat. 2011 . New Zealand Mar 07. 2011 Feb 25. Indonesia Reston .Mar 03. United Kingdom Mar 28.Last Updated: January 22nd. Spain Orlando. Bali. 2011 Upcoming SANS Training Click Here for a full list of all Upcoming SANS Events by Location MGT442 Information Security Risk Management Beta Test RSA Conference 2011 SANS India 2011 North American SCADA 2011 SANS Phoenix 2011 SANS SEC504 Oman 2011 with FIS SANS Singapore 2011 SANS Wellington 2011 SANS Barcelona 2011 SANS 2011 SANS 508 RHUL 2011 The 2011 Asia Pacific SCADA and Process Control Summit SANS Bali 2011 SANS Northern Virginia 2011 SEC434 Log Management Beta SANS OnDemand North Charleston. 2011 . 2011 Live Event Live Event Live Event Live Event Live Event Live Event Live Event Live Event Live Event Live Event Live Event Live Event Live Event Live Event Live Event Self Paced Wellington.Apr 16. 2011 .Apr 04. Australia Nusa Dua. 2011 . 2011 .Mar 12. 2011 Feb 14. FL Mar 21. India Lake Buena Vista. 2011 Sydney. 2011 .Jan 28. 2011 . CA Bangalore.Mar 26. 2011 . 2011 Mar 07.Mar 30. VA OnlineCA Books & MP3s Only Mar 31.Mar 19.Feb 10. 2011 . FL Phoenix. 2011 Apr 11.Mar 02. 2011 . 2011 Mar 26. 2011 Feb 23. 2011 .Apr 23.Feb 14.Feb 19. Oman Singapore. 2011 Egham. 2011 Apr 15. 2011 Feb 13. Singapore Feb 09. SC San Francisco.

Sign up to vote on this title
UsefulNot useful