A Complete Guide to Penetration Testing Reports
By Sourojit Das, Community Contributor - June 14, 2023
What is Penetration Testing?
A penetration test, also known as a pen test, is a simulated cyber attack against a computer system to identify exploitable flaws. In web application security it is typically used to complement, not replace, controls such as a web application firewall (WAF): the test finds the flaws that the WAF does not block.
These flaws may exist for a variety of reasons, including misconfiguration, insecure code, poorly designed architecture, or disclosure of sensitive information. The output is an actionable report that describes each vulnerability, or chain of vulnerabilities, used to gain access to a target, the steps taken to exploit it, how to fix it, and any further recommendations. Each discovered vulnerability is assigned a risk rating that can be used to prioritise remediation.
Why is Penetration Testing Important?
Penetration testing reveals vulnerabilities that other methods, such as vulnerability scanning, would not find, and the manual analysis filters out false positives. It also demonstrates what access can be gained and what data can be obtained by exploiting the discovered vulnerabilities as a real attacker would, which shows the actual risk of each vulnerability rather than its theoretical severity.
Penetration testing also exercises the organisation's defences. It can be used to evaluate the effectiveness of web application firewalls (WAF), intrusion detection systems (IDS), and intrusion prevention systems (IPS). While a test is in progress, these systems should generate alerts and trigger the organisation's internal procedures, resulting in a response from the security operations team; a test that goes unnoticed is itself a finding.
From the perspective of the management team, committing to an ongoing cyber security budget may be viewed as yet another expense with limited return on investment (ROI) visibility.
This is especially true for organizations that are not engaged in the riskier areas of application development or ecommerce, such as mid-sized manufacturing, transport, or construction companies, and believe they are not a desirable target for cybercriminals.
Cyber security vulnerabilities that make national or even international headlines are frequently the result of a targeted, malicious hacking attack. Less widely reported are the ubiquitous, low-profile breaches (often inadvertent and opportunistic in nature) that increasingly affect small and medium-sized businesses.
This trend appears to be the result of the increased automation of cyber attacks (which target anyone and everyone) and of new vulnerabilities introduced by the adoption of new technology and working practices, such as remote working and Bring Your Own Device (BYOD) policies covering laptops, tablets, and smartphones.
In a rapidly evolving technological landscape, organizations of all sizes must not only keep up with the rate of innovation, but also the resultant information security risks.
Cyber security and information security management are rapidly becoming the responsibility of management teams, not just the IT department.
These organizations recognize that cyber security and information security are, ultimately, the same as any other risk they encounter in their business and must be managed accordingly, regardless of whether the risk is legal, operational, financial, etc. They recognize that not only can they not afford to bury their heads in the sand, but that excellent security practices and compliance are a competitive advantage.
For businesses (mostly SMEs) that have not yet adopted a more proactive approach to cyber security, complacency can be catastrophic. With the rise of automated cyberattacks, you can no longer assume that cybercriminals will not target your company.
In Australia, the Notifiable Data Breaches scheme introduced by the amended Privacy Act has required organisations to notify the Office of the Australian Information Commissioner and affected individuals of eligible data breaches since February 2018; when the scheme commenced, non-compliance could attract civil penalties of up to $1.8 million for organisations and up to $360,000 for individuals.
What is the Penetration Testing Report format?
A penetration test report provides a comprehensive summary of the system's vulnerabilities. In addition, it includes recommendations for patching, hardening, and, where necessary, restricting the functionality of systems. The objective is to identify problem areas and set out how to fix them.
Consider the following elements prior to writing a pentest report:
- Specify the objectives of penetration testing
- Understand the plausible effects of a breach
- Describe the assessment procedure and any pertinent techniques
The following sections should be included in the penetration testing report:
- Executive summary – The pentesting report should begin with a summary of your findings geared towards company executives. This should be written in non-technical language so that non-security professionals can comprehend the significance of the discovered vulnerabilities and what the organisation must do to fix them.
- Details of discovered vulnerabilities – Describe the vulnerabilities discovered, how they were discovered, and how an adversary can exploit them. Testers need to keep it concise and, if possible, use language that security professionals, developers, and non-technical roles can comprehend.
- Impact on the business – Now that it is evident which vulnerabilities exist, testers must analyse their effect on the business. Use the Common Vulnerability Scoring System (CVSS) base score to rank severity consistently, and state which critical systems each vulnerability affects. Also provide a technical walkthrough of the impact if the vulnerability were exploited in this specific organisation, since a CVSS score alone does not capture business context.
For instance, when performing penetration testing on a financial application, describe what each vulnerability would enable attackers to do. What particular files would they be able to view, and what operations would be permitted? They might be able to conduct financial transactions. It is essential for decision-makers to comprehend this in order to effectively manage remediation efforts.
- Exploitation difficulty – In this section, testers give additional detail on how they discovered and exploited each flaw, and assign a separate exploitability rating such as Easy, Medium, or Hard, reflecting what it actually took to exploit the flaw during the engagement. Together with the severity rating, the organisation can use this to prioritise fixes.
- Remediation recommendations – The most essential aspect of a pentesting report is its remediation recommendations, which explain to the organisation how to fix the vulnerabilities you discovered. The primary reason a company invests in penetration testing is to determine how to address its most serious vulnerabilities. Testers must provide detailed remediation instructions for all affected systems.
To improve the efficacy of the recommendations, testers should conduct research to determine the most effective solution for each situation. For instance, one system’s vulnerability can be readily patched, whereas another system may not support patching and must be isolated from the network.
- Strategic recommendations – Beyond fixing the specific vulnerabilities, advise the organisation on how to improve its security practices.
For instance, if the organisation did not detect the penetration test, suggest that they implement a more effective monitoring strategy. If testers observe that the organisation grants user accounts excessive privileges, suggest a more effective access control strategy.
How to write a Penetration Testing Report efficiently: Example
This section shows how to present a penetration testing report effectively:
1. The Executive Summary
The executive summary must contain an overview of the engagement and the high-level test outcomes. It can also give an overall risk rating based on a defined risk matrix, and the headline recommendations.
Client X contracted Company Y to perform penetration testing of the security controls in its IT systems to determine how effective those controls are, and to estimate how susceptible its systems are to data exploitation or breach.
- High-Level Test Outcomes
The purpose of the internal penetration test is to simulate the network-level actions of a malicious actor who has obtained access to the internal network zone.
Overall, CLIENT's critical infrastructure presents a high-risk attack surface, with critical vulnerabilities that give complete administrative (SYSTEM-level) access to multiple systems.
Both the ePO server and the Remote Desktop Server were vulnerable to EternalBlue (MS17-010): a remote shell was opened on both by exploiting the SMBv1 server vulnerability over TCP port 445 with a publicly available exploit module.
- Overall Risk Rating
It can be represented using a risk matrix, as shown below:
Security Risk Matrix
Provide a point-wise, prioritised list of recommendations, for example:
- Patch essential systems (Microsoft Security Bulletin MS17-010, rated Critical).
- Conduct vulnerability scans at least monthly (scan-patch-scan).
- Change passwords (10+ complex characters) on all systems containing ePHI (electronic protected health information).
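The "scan-patch-scan" recommendation above only works if the scan output is turned into a concrete list of affected hosts, for the report and for the re-test after patching. The following is an added example, not code from the article: it reads the XML that Nmap writes when run as `nmap -p445 --script smb-vuln-ms17-010 -oX scan.xml <targets>` and lists the hosts the NSE script reports as vulnerable. The embedded XML is a constructed, trimmed scan result using the element names Nmap emits for host scripts; the addresses and host names are assumptions.

```python
"""List hosts an Nmap MS17-010 scan reports as vulnerable, for the report's
affected-systems table and for the re-scan after patching.

Added example, not code from the article. It expects the XML written by
`nmap -p445 --script smb-vuln-ms17-010 -oX scan.xml <targets>`; SAMPLE_XML
below is a constructed, trimmed result with assumed addresses and names.
"""
import xml.etree.ElementTree as ET

SCRIPT_ID = "smb-vuln-ms17-010"
# The NSE script reports its verdict in a table keyed by this CVE id.
CVE_TABLE = "CVE-2017-0143"

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p445 --script smb-vuln-ms17-010 -oX scan.xml 10.10.0.0/29" version="7.94">
  <host><status state="up"/>
    <address addr="10.10.0.5" addrtype="ipv4"/>
    <hostnames><hostname name="epo.client.local" type="PTR"/></hostnames>
    <ports><port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port></ports>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="VULNERABLE: ms17-010">
        <table key="CVE-2017-0143">
          <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
          <elem key="state">VULNERABLE</elem>
          <table key="ids"><elem>CVE:CVE-2017-0143</elem></table>
        </table>
      </script>
    </hostscript>
  </host>
  <host><status state="up"/>
    <address addr="10.10.0.6" addrtype="ipv4"/>
    <hostnames><hostname name="rds.client.local" type="PTR"/></hostnames>
    <ports><port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port></ports>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="VULNERABLE: ms17-010">
        <table key="CVE-2017-0143"><elem key="state">VULNERABLE</elem></table>
      </script>
    </hostscript>
  </host>
  <host><status state="up"/>
    <address addr="10.10.0.7" addrtype="ipv4"/>
    <hostnames><hostname name="files.client.local" type="PTR"/></hostnames>
    <ports><port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port></ports>
  </host>
  <host><status state="up"/>
    <address addr="10.10.0.8" addrtype="ipv4"/>
    <hostnames/>
    <ports><port protocol="tcp" portid="445"><state state="filtered"/></port></ports>
  </host>
</nmaprun>
"""


def classify_host(host):
    """Return (ip, hostname, verdict) for one <host> element."""
    addr = host.find("address[@addrtype='ipv4']")
    ip = addr.get("addr") if addr is not None else "?"
    hostname = host.find("hostnames/hostname")
    name = hostname.get("name") if hostname is not None else ""
    port_state = host.find("ports/port[@portid='445']/state")
    if port_state is None or port_state.get("state") != "open":
        # The script never ran against this host; say so rather than "clean".
        return ip, name, "not tested (445/tcp not open)"
    state = host.find(
        f"hostscript/script[@id='{SCRIPT_ID}']/table[@key='{CVE_TABLE}']/elem[@key='state']"
    )
    if state is None:
        # The vulns NSE library prints only VULNERABLE states by default
        # (NOT VULNERABLE needs --script-args vulns.showall), so absence means
        # "nothing reported", not proof that the host is patched.
        return ip, name, "no vulnerable state reported"
    return ip, name, (state.text or "").strip()


def ms17_010_results(xml_text):
    """Classify every host in an Nmap XML document."""
    root = ET.fromstring(xml_text)
    return [classify_host(h) for h in root.findall("host")]


def vulnerable_hosts(xml_text):
    """IPs to list under 'affected systems' for the MS17-010 finding."""
    return [ip for ip, _, verdict in ms17_010_results(xml_text) if verdict == "VULNERABLE"]


if __name__ == "__main__":
    for ip, name, verdict in ms17_010_results(SAMPLE_XML):
        print(f"{ip:<12} {name:<20} {verdict}")
```

Keeping the three outcomes separate (vulnerable, nothing reported, not tested) matters for the re-scan: a host whose port 445 was filtered by a firewall change has not been verified as patched, and the report should not claim it has.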
2. Test Scope and Method
This section details the scope of the penetration tests carried out as well as the exact methods followed.
- Extent of Testing
The Client commissioned the Testing Company to perform the following penetration testing services:
- Technical network-level penetration testing against nodes in the internal networks.
- Technical network-level penetration testing of internet-facing hosts.
- Social Engineering and phone-based phishing against CLIENT staff.
- Social Engineering and email phishing directed at CLIENT employee accounts.
- Test Scope Summary
Within the parameters of the penetration test were the following information environment zones:
- Internal Network: for example, the general internal networks of the Client
- External Network: The publicly accessible networks of the Client
Internal Phase Summary and Actions Taken
The TEST COMPANY security analyst conducted reconnaissance and enumeration. Port and vulnerability scanners, together with other reconnaissance, uncovered significant security flaws.
The most worrying vulnerabilities allow complete takeover of critical servers, most notably the McAfee security management (ePO) server: if compromised, it could render endpoint security for the entire internal network inoperable or ineffective.
After compromising the server, the analyst browsed its file system in search of sensitive data and identified a large number of directories containing private patient information, along with much other data that falls under HIPAA and PCI DSS requirements.
External Phase Summary and Actions Taken
The external phase of the penetration test focused on publicly accessible assets. Reconnaissance was performed to identify potential entry points and any signs of prior malicious modification of the systems.
Using Burp Suite and the network scanner Nmap, attacks were launched over the Internet from the TEST COMPANY network against CLIENT's externally accessible assets.
The Conclusions section should summarise the most likely compromise scenarios and their implications.
For example, represented below is a likely scenario and its implication to the client:
- Scenario: An attacker would most likely gain an initial foothold on CLIENT's network through social engineering and then, because EternalBlue is readily exploitable with public tooling, compromise internal systems from there; this is the most likely path to a compromise of the entire environment. An ideal first target would be the McAfee ePO server: once an attacker has administrative (SYSTEM-level) access to it, they can disable the security controls it manages, allowing far more evasive movement through the internal network and exposing further targets without the hindrance of security systems.
- Implication: Based on the testing, the overall risk level is EXTREME. On critical security and file servers, complete system compromise is trivial. These servers hold a large volume of important and confidential files; their compromise would expose CLIENT to heavy fines and significant business impact.
Best Practices to write Penetration Testing Report
The following recommended practices can assist teams in producing a successful pentesting report:
- Know the architecture – before starting the test, understand how the system works, how it collects and manages data in the background, how it interacts with other services, and how it handles user requests.
- Note the positive as well as the negative – do not solely focus your reports on the organisation’s security flaws. If there are well-secured areas or an attempted attack that was blocked by security tools, make a notation of this so the organisation can determine which parts of its defences are effective.
- Write the report as testing occurs – it is preferable to write the report while conducting the penetration test rather than waiting until the end. Draft the report while testing, capturing screenshots and recording events as they occur. At the end of the engagement the team will have a comprehensive record of what it did and saw, which can then be organised into the final report.
- Document your methods – each penetration tester has a unique methodology, and it is best to share the methods with the report’s consumers.
For example: how did the team conduct reconnaissance? Why did testers attempt this particular attack and not others? Did testers follow a particular framework, such as NIST or SANS? This information should be included in the report, as it adds to the credibility and significance of the findings.
- Clearly define the scope – defining the scope of the penetration test is essential to satisfy the client and to avoid ethical and legal issues. If testers do something outside the agreed scope of the penetration test, they may incur legal liability.
Over the next ten years, penetration testing is likely to evolve from straightforward attack paths to multi-attack chain scenarios that flow into adversarial emulation, requiring penetration testers to adapt to the threat landscape (Red Team engagements).
As a result of better secure coding practices, active defences, and oversight, external exploitation will decline. Over the past five to seven years we have seen a significant increase in the use of fraud and social engineering to gain the initial access required to cause damage.
Beyond penetration testing, QA processes rely heavily on a real device cloud. It is impossible to identify all the flaws a user may encounter without testing on actual devices. Bugs that are not discovered cannot be monitored, traced, or resolved, and without accurate defect data, software quality assurance metrics cannot be used to establish baselines or measure success. This applies to both manual and automated testing.
The majority of large organizations use BrowserStack’s cloud-based Selenium grid of more than 3000 actual browsers and devices to execute all necessary tests under real-world conditions. On the BrowserStack cloud, manual testing is also straightforward to perform. Register for free, choose the appropriate device-browser combinations, and begin testing.