I think most experienced organizations have their own boilerplate report formats that they use. From a technical perspective, here is what I do:

1.) Take screenshots of everything -- you can always delete the meaningless ones later.
2.) Run a keystroke logger -- great for jogging your memory when you put in long sessions and forget things.
3.) Keep vi, pico, notepad, whatever running in a window to make constant notes -- these aren't for the client but more for you to jot down things that might be important later or needed in the report.

The format of the report needs to reflect what the client wanted to get out of the pen-test. There is zero value in providing a 1000-pager full of stuff you know the client won't read. In general, here is what you should have:

Abstract - (explaining the work and why the client wants the work, their pains, etc.)
Executive Summary - (basically an overview of what was found, focusing on what it means to the business. The person reading the exec summary won't care about the technical details but only the business impact and the high-risk items.)
Risk Analysis - Detailed (more technical details on your findings along with remediation advice.)
Various appendices - (all your relevant screenshots and keystroke logs, nmap output, etc.)

Sometimes, companies will put in a "Next Steps" section which is usually just an attempt to sell more work but sometimes helpful.

On Sat, 23 Aug 2003, Gerald Cody Bunch wrote:

> Date: Sat, 23 Aug 2003 15:57:23 -0400
> From: Gerald Cody Bunch <gbunchat_private>
> To: pen-testat_private
> Subject: Pen-Test startup help
>
> This may or may not be 100% on topic, but I believe that it would fit in
> well. From what I have read, pen-tests are supposedly well documented
> from the start (or should be) and some form of report generated at the
> end. My question is, what templates/procedures do the members of this
> list use? Are there any standards for documentation, and/or publicly
> available templates/procedures?
>
> Thanks,
>
> Gerald Cody Bunch
> gbunchat_private
>
> ---------------------------------------------------------------------------
> Attend Black Hat Briefings & Training Federal, September 29-30 (Training),
> October 1-2 (Briefings) in Tysons Corner, VA; the world's premier
> technical IT security event. Modeled after the famous Black Hat event in
> Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
> Symantec is the Diamond sponsor. Early-bird registration ends September 6
> Visit: www.blackhat.com
> ----------------------------------------------------------------------------

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
The people you are after are the people you depend on. We develop your
apps, we back up your data, we route your packets, we defend you while
you sleep. DO NOT FUCK WITH US. nmrc.org
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
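The report layout the reply recommends (abstract, executive summary limited to business impact of the high-risk items, detailed risk analysis with remediation, evidence appendices) can be assembled mechanically from a list of findings. The following Python is an added example, not code from the poster or the list; the findings, file names and client description in it are constructed sample data, and the severity scale (High/Medium/Low) is an assumption.

```python
"""Assemble a pen-test report skeleton in the order the post describes:
abstract, executive summary (business impact of high-risk items only),
detailed risk analysis with remediation, then evidence appendices.
Added example; the findings and evidence below are constructed sample data."""
from dataclasses import dataclass, field

# Assumed three-level scale; lower rank sorts first.
SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2}


@dataclass
class Finding:
    title: str
    severity: str            # "High", "Medium" or "Low"
    business_impact: str     # non-technical, for the exec summary
    technical_detail: str    # for the detailed risk analysis
    remediation: str
    evidence: list = field(default_factory=list)   # file names for the appendices


# Constructed sample findings (hypothetical, not from any real engagement).
SAMPLE_FINDINGS = [
    Finding("Outdated web server", "Medium",
            "Public site could be defaced, harming reputation.",
            "Banner shows an unsupported server version.",
            "Upgrade to a supported release and enable patch management.",
            ["screenshot-03.png"]),
    Finding("Default credentials on admin console", "High",
            "Anyone on the internet could take over customer records.",
            "Console accepted the vendor's documented default login.",
            "Change the password; restrict the console to the management VLAN.",
            ["screenshot-01.png", "session-log-2003-08-23.txt"]),
    Finding("Verbose error pages", "Low",
            "Minor information disclosure; no direct business impact.",
            "Stack traces are returned on malformed input.",
            "Disable debug output in production.",
            []),
]


def sort_by_risk(findings):
    """Highest risk first; stable sort keeps the author's order within a level."""
    return sorted(findings, key=lambda f: SEVERITY_RANK[f.severity])


def executive_summary(findings):
    """Only high-risk items, phrased as business impact, as the post advises."""
    return [(f.title, f.business_impact)
            for f in sort_by_risk(findings) if f.severity == "High"]


def risk_analysis(findings):
    """Technical detail plus remediation for every finding, ordered by risk."""
    return [{"title": f.title, "severity": f.severity,
             "detail": f.technical_detail, "remediation": f.remediation}
            for f in sort_by_risk(findings)]


def appendices(findings, extra_evidence=()):
    """De-duplicated, sorted list of evidence files referenced by the findings
    plus any raw artefacts (nmap output, keystroke logs) supplied separately."""
    files = {e for f in findings for e in f.evidence} | set(extra_evidence)
    return sorted(files)


def render_report(abstract, findings, extra_evidence=()):
    """Plain-text report in the section order from the post."""
    lines = ["ABSTRACT", abstract, "", "EXECUTIVE SUMMARY"]
    for title, impact in executive_summary(findings):
        lines.append(f"- {title}: {impact}")
    lines += ["", "RISK ANALYSIS - DETAILED"]
    for item in risk_analysis(findings):
        lines += [f"[{item['severity']}] {item['title']}",
                  f"  Detail: {item['detail']}",
                  f"  Remediation: {item['remediation']}"]
    lines += ["", "APPENDICES"]
    lines += [f"- {name}" for name in appendices(findings, extra_evidence)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report("Hypothetical client asked for an external review.",
                        SAMPLE_FINDINGS, ["nmap-external.txt"]))
```

The point of keeping the sections as separate functions is that the executive summary never sees technical detail: it is built only from the `business_impact` field of High findings, so the reader the post describes gets business impact and high-risk items and nothing else, while the same findings list feeds the detailed section and the appendix index.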
This archive was generated by hypermail 2b30 : Sun Aug 24 2003 - 13:45:45 PDT