1
00:00:10,300 --> 00:00:16,780
Let us start the last section of this wonderful course. Till now, you have seen how to carry out a penetration

2
00:00:16,780 --> 00:00:23,740
test, different ways of carrying out a penetration test, exploiting the target, information gathering and

3
00:00:23,740 --> 00:00:25,320
scanning and more.

4
00:00:25,960 --> 00:00:30,820
But after this, you should be able to present the findings and document them properly.

5
00:00:31,180 --> 00:00:34,660
And there comes the need of writing up a penetration testing report.

6
00:00:35,540 --> 00:00:41,570
In this section, we will learn how to write a proper penetration testing report, and I will be explaining

7
00:00:41,570 --> 00:00:45,360
the 10 template of writing up a penetration testing report.

8
00:00:45,680 --> 00:00:48,770
So let us start now.

9
00:00:48,800 --> 00:00:52,210
What are some key factors in order to present a good report?

10
00:00:52,940 --> 00:00:59,550
Now, first, your report should be simple, clear and understandable. In any penetration test,

11
00:00:59,570 --> 00:01:03,140
the report is the most crucial part. Writing

12
00:01:03,140 --> 00:01:06,680
a good report is the key to successful penetration testing.

13
00:01:07,980 --> 00:01:15,690
Presentation of the report is also important: headers, footers, appropriate fonts, well-spaced margins,

14
00:01:16,440 --> 00:01:21,940
images, etc. should be created and selected properly with great care.

15
00:01:22,590 --> 00:01:28,530
Now, for example, if you are using Arial font for the heading, every heading in the document should

16
00:01:28,530 --> 00:01:29,570
be in that style.

17
00:01:30,690 --> 00:01:33,030
The report should be well-organized.

18
00:01:35,460 --> 00:01:38,260
Correct spelling and grammar is very important.

19
00:01:38,790 --> 00:01:45,030
A misspelled word leaves a very negative impact upon the person who is reading your report.
20
00:01:45,300 --> 00:01:50,910
So you should make sure that proofreading your report and performing spell checking before submitting

21
00:01:50,910 --> 00:01:53,580
it to the client is an important task.

22
00:01:54,630 --> 00:02:01,440
Always make sure that you use a consistent voice and style in writing a report; changing the voice

23
00:02:01,440 --> 00:02:03,200
would create confusion in the reader.

24
00:02:03,810 --> 00:02:08,670
So you should choose one voice and style and stick to it throughout your report.

25
00:02:09,960 --> 00:02:13,620
Now, make sure you spend time on eliminating false positives.

26
00:02:14,340 --> 00:02:20,370
Now, if you use an automated scanner, it may generate some false positives when the readings that

27
00:02:20,370 --> 00:02:23,910
are actually not present are known as false positives.

28
00:02:25,160 --> 00:02:31,520
Now, these false positives will always be there no matter what you do, so it is your job to perform

29
00:02:31,520 --> 00:02:37,410
a manual test again on the target and then verify the vulnerabilities which are actually present.

30
00:02:38,090 --> 00:02:41,810
And this would enhance the credibility of your report.

31
00:02:43,400 --> 00:02:52,100
Perform a detailed analysis of the vulnerability to find out its root cause. A screenshot of the raw HTTP

32
00:02:52,100 --> 00:02:59,480
request or the screenshot that demonstrates the evidence of finding would give a clear picture to the

33
00:02:59,480 --> 00:03:00,920
developer of the status.

34
00:03:04,940 --> 00:03:09,440
Now, it is important that you should understand the audience while writing a report.

35
00:03:09,860 --> 00:03:14,810
It's not like the entire report is just in terms of technical.

36
00:03:14,990 --> 00:03:20,900
So understanding the audience that would be reading your penetration testing report is a very crucial

37
00:03:20,900 --> 00:03:22,530
part of the penetration test.
38
00:03:23,630 --> 00:03:28,510
Now, we can divide the audience into the following three categories, which you can see on the screen.

39
00:03:29,120 --> 00:03:31,530
The first one is the executive class report.

40
00:03:32,090 --> 00:03:37,190
The second is a management class report and the last is a developer report.

41
00:03:38,370 --> 00:03:44,350
While writing a report, you must understand which audience will read which part of your report.

42
00:03:44,910 --> 00:03:52,260
For instance, let's consider the company's CEO would not be interested in which exploit you used to

43
00:03:52,260 --> 00:03:55,770
gain access to a particular machine or vulnerability.

44
00:03:56,280 --> 00:04:02,760
And on the flipside, your developers are not at all interested in overall risks and potential losses

45
00:04:02,760 --> 00:04:03,510
to the company.

46
00:04:03,810 --> 00:04:07,040
They are just interested in which exploits you have used.

47
00:04:07,530 --> 00:04:14,760
So while writing a report, it would be very important to write a report keeping in mind these

48
00:04:14,760 --> 00:04:15,870
three types.

49
00:04:16,740 --> 00:04:19,440
The first one is the executive class report.

50
00:04:20,800 --> 00:04:28,270
This category includes the CEO of the company. Since they have a very tedious schedule and most of

51
00:04:28,270 --> 00:04:33,850
the times they have less technical knowledge, they would end up reading a very small portion of the

52
00:04:33,850 --> 00:04:34,340
report.

53
00:04:34,750 --> 00:04:41,290
For example, if your vulnerability may result in 10 billion dollar loss, then they are interested

54
00:04:41,290 --> 00:04:42,440
in reading that part.

55
00:04:42,850 --> 00:04:47,680
They are not interested in reading which vulnerability you have used to exploit the flaw.
56
00:04:49,320 --> 00:04:56,340
So specifically, the executive summary, remediation report, etc. These people end up reading a very

57
00:04:56,340 --> 00:05:03,840
small part of a report and hence they're interested only in the business impact, which

58
00:05:03,840 --> 00:05:08,760
we will discuss later in the course while demonstrating a proper template of a report.

59
00:05:09,790 --> 00:05:18,040
Now, let us move on to management class, which includes the CISO, that is chief information security

60
00:05:18,040 --> 00:05:24,690
officers, and the CISSP, that is chief certified system security professional.

61
00:05:25,120 --> 00:05:30,560
Now, since they are the ones who are responsible for implementing the security policy of the company,

62
00:05:31,030 --> 00:05:36,490
they will probably be more interested in reading about the overall strengths and weaknesses of the report.

63
00:05:37,090 --> 00:05:42,960
For example, if you spotted a vulnerability, they might be interested in reading which vulnerability

64
00:05:42,970 --> 00:05:44,650
was exposed and how it works.

65
00:05:44,650 --> 00:05:45,090
Alerted.

66
00:05:46,270 --> 00:05:49,410
Last comes the technical class or the developer report.

67
00:05:50,420 --> 00:05:56,660
Now, this report includes a security manager and developers who would be interested in reading your

68
00:05:56,660 --> 00:06:03,410
report thoroughly. They would investigate your report as they are responsible for patching the vulnerabilities

69
00:06:03,560 --> 00:06:08,400
found and for making sure that the necessary patches are implemented.

70
00:06:08,840 --> 00:06:16,730
So let us consider an example of you exploiting a crippling vulnerability and injection injection.

71
00:06:17,060 --> 00:06:23,780
Now, when you write a report for the executive class, you just have to write how much loss the company

72
00:06:23,780 --> 00:06:26,990
will face in terms of amount or in terms of users.
73
00:06:27,260 --> 00:06:33,800
And on that figure, the CEO of the company is more interested. Now, when it comes to management class

74
00:06:33,800 --> 00:06:40,490
report, you will include which vulnerability was exploited, how it was exploited and what can be the

75
00:06:40,490 --> 00:06:45,800
business impact, and a bit more technical knowledge like the description of the vulnerability.

76
00:06:46,220 --> 00:06:52,160
And when it comes to developers report, you have to mention everything right from which exploit you

77
00:06:52,160 --> 00:06:58,970
used, which because you used which statements ask queries were used, the screenshots, the proof of

78
00:06:58,970 --> 00:07:05,000
concept, references, etc. Everything should be included in the developer report.

79
00:07:05,180 --> 00:07:11,450
In the next lecture, we are going to get into the essentials of the reporting phase, in which I will teach

80
00:07:11,450 --> 00:07:13,220
you about the structure of a report.

81
00:07:13,850 --> 00:07:16,570
We have discussed what a good report should look like.

82
00:07:16,610 --> 00:07:22,310
I pointed out that knowing your audience is very important, that one of the key factors about a good

83
00:07:22,310 --> 00:07:29,240
report is that it should meet the needs for each audience and be presented in a clear and understandable

84
00:07:29,240 --> 00:07:29,640
manner.

85
00:07:30,350 --> 00:07:36,530
The next major part of writing a report is the analysis where we perform risk assessment and calculate

86
00:07:36,530 --> 00:07:40,480
the overall risk to the organization based upon our findings.

87
00:07:40,820 --> 00:07:47,600
So in the next lecture, we will see how to write a report and its components of penetration testing

88
00:07:47,600 --> 00:07:48,050
report.