Penetration testing can be fun. You get to PWN all the things. You get to solve puzzles. But when it is all done, it’s time to write the report for the client.
If you’ve never written a penetration test report, this post is for you. What I did is exploited SOME of the vulnerabilities in Metasploitable 2 and created a sample penetration test report.
The sample report: http://gameofpwnz.com/uploads/documents/Metasploitable_Report.docx
Here are some things to make sure you include:
- Executive Summary (Keep in mind who your audience is)
- Scope (This should have been determined during pre-engagement)
- Methods (What is your penetration methodology or formula?)
- Risk Rating (A risk rating is important in determining which risks need to be mitigated and which could possibly be accepted)
- Impact (What happens if an attacker exploits the vulnerability?)
- Remediation (Exploitation is fun, but we need to help the blue team know what the corrective actions would be to mitigate the issue)
Screenshots and steps to reproduce are great for showing the client how you were able to exploit the vulnerability. It also allows the client to check their fixes when they try to reproduce.
This report template is not the actual report template I use in penetration testing, but it’s something I’m willing to share. Feel free to use it. Also, feel free to leave comments about what else you think should be added or any other recommendations.