Re: Pen-Test startup help

From: hellNbak (hellnbakat_private)
Date: Sun Aug 24 2003 - 12:42:53 PDT

  • Next message: Sasa Jusic: "Firewall assessment"

    I think most experienced organizations have their own boiler plate report
    formats that they use.  From a technical perspective here is what I do.
    
    1.)  Take screenshots of everything -- you can always delete the
    meaningless ones later
    
    2.)   Run a keystroke logger - great for jogging your memory when you put
    in long sessions and forget things
    
    3.)   Keep vi, pico, notepad, whatever running in a window to make
    constant notes -- these aren't for the client but more for you to jot down
    things that might be important later or needed in the report.
    
    The format of the report needs to reflect what the client wanted to get
    out of the Pen-Test.  There is zero value in providing a 1000 pager full
    of stuff you know the client won't read.  In general here is what you
    should have;
    
    Abstract (explaining the work and why the client wants the work, their
    pains etc..)
    
    Executive Summary (basically an overview of what was found focusing on
    what it means to the business.  The person reading the exec summary won't
    care about the technical details but only the business impact and the high
    risk items.
    
    Risk Analysis - Detailed (more technical details on your findings along
    with remediation advise.
    
    Various appendices - (all your relavent screenshots and keystroke logs,
    nmap out put ect...
    
    Sometimes, companies will put in a "Next Steps" section which is usually
    just an attempt to sell more work but sometimes helpful.
    
    On Sat, 23 Aug 2003, Gerald Cody Bunch wrote:
    
    > Date: Sat, 23 Aug 2003 15:57:23 -0400
    > From: Gerald Cody Bunch <gbunchat_private>
    > To: pen-testat_private
    > Subject: Pen-Test startup help
    >
    > This may or may not be 100% on topic, but I believe that it would fit in
    > good.  From what I have read pen-tests are supposedly well documented
    > from the start (or should be) and some form of report generated at the
    > end.  My question is, what templates/procedures do the members of this
    > list use?  Are there any standards for documentation, and/or publicly
    > available templates/procedures?
    >
    >  Thanks,
    >
    >  Gerald Cody Bunch
    >  gbunchat_private
    >
    >
    > ---------------------------------------------------------------------------
    > Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, VA; the world<92>s premier
    > technical IT security event.  Modeled after the famous Black Hat event in
    > Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
    > Symantec is the Diamond sponsor.  Early-bird registration ends September 6 Visit: www.blackhat.com
    > ----------------------------------------------------------------------------
    >
    
    -- 
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    
    The people you are after
    are the people you depend on.
    We develop your apps,
    we back up your data,
    we route your packets,
    we defend you while you sleep.
    DO NOT FUCK WITH US.
    
    nmrc.org
    
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    
    
    ---------------------------------------------------------------------------
    Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, VA; the world<92>s premier 
    technical IT security event.  Modeled after the famous Black Hat event in 
    Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.  
    Symantec is the Diamond sponsor.  Early-bird registration ends September 6 Visit: www.blackhat.com
    ----------------------------------------------------------------------------
    



    This archive was generated by hypermail 2b30 : Sun Aug 24 2003 - 13:45:45 PDT