
Module 12: Report Writing and Post Testing Actions - Exercise 1: Generating Penetration Test Reports and Documenting all of them to KeepNote

Written By AKADEMY on Wednesday, July 3, 2019 | 11:47 AM

Module 12: Report Writing and Post Testing Actions

Objective

The objective of this lab is to learn how to prepare the documentation for your penetration testing report.

Scenario

At the end of a penetration test, the tester needs to provide the results of the pentest by preparing a report and submitting it to the client. This report is the only tangible thing that clients get out of the entire process, so making it simple for everyone to understand and yet exhaustive is an art that every penetration tester needs to master. The report is also the basis for clients to get a second opinion if they disagree with the tester’s findings. This can only be done if the process can be duplicated by someone else. Thus, the report needs to be as detailed as possible. Avoid assumptions about the target audience’s technical knowledge and interests while drafting the report, as they are the root cause of unnecessary confusion between clients and testers. A penetration testing report is written for three types of audience: top management, who are only concerned with the overall security posture of the organization; IT managers, who are responsible for individual areas of the IT infrastructure; and IT staff, who will ultimately implement the recommendations of the report. As a penetration tester, you need to be able to write a report that satisfies all three audiences and leaves no confusion in anybody’s mind about your findings.

Exercise 1: Generating Penetration Test Reports and Documenting all of them to KeepNote

Scenario

KeepNote is a note taking application that allows you to store your notes such as penetration test reports in a simple notebook hierarchy with rich-text formatting, images, and more.
The objective of this lab is to help students learn how to:
  • Import Penetration Test Reports from Penetration Test Folder to KeepNote
  • Export a Final Penetration Test Report containing all the internal pentest reports
Lab Duration: 40 Minutes
  1. Click Kali Linux (External Network).
    If the Kali Linux lock screen appears, click on the screen and press Enter. If it does not appear, skip to the next task.
    Screenshot
  2. Type root in the Username field and click Next.
    Screenshot
  3. Type toor in the password field and click Sign In.
    Screenshot
  4. Go to Applications --> 12 - Reporting Tools --> KeepNote. This launches the KeepNote application.
    If any pop-up appears, click OK.
    Screenshot
  5. KeepNote main window appears as shown in the screenshot.
    Screenshot
  6. Select File from the menu bar and click New Notebook….
    Screenshot
  7. The New Notebook window appears. Name the notebook Luxurytreats Penetration Testing Report, choose a location where you want to save the file (in this lab, the root folder) and click the New button.
    Screenshot
  8. Click on the Luxurytreats Penetration Testing Report option in the left-pane.
    A new notebook named Luxurytreats Penetration Testing Report has been created as shown in the screenshot.
    Screenshot
  9. Right-click the Luxurytreats Penetration Testing Report node in the left pane and select New Child Page.
    Screenshot
  10. A new child page will be created. You need to name the page as Document Details and press Enter.
    Screenshot
  11. Select Document Details node from the left pane and in the lower section of KeepNote window, enter the details of the penetration testing report as given below.
    Document Title: Luxurytreats Penetration Testing Report
    Company: X-SECURITY
    Recipient: Luxurytreats
    Date: January 1, 2018
    Classification: Confidential
    Document Type: Report
    Version: 1.0
    Author: John
    Pen testers: Micheal, Marshall, Sean, and Adam
    Reviewed By: Allen and Bacon
    Approved By: Clark
    Screenshot
  12. Right-click the Luxurytreats Penetration Testing Report node in the left pane and select New Child Page.
    Screenshot
  13. A new child page will be created. You need to name the page as Executive Summary and press Enter.
    Screenshot
  14. Select the Executive Summary node from the left pane and, in the lower section of the KeepNote window, enter the Executive Summary as shown in the screenshot.
    Screenshot
  15. Right-click the Executive Summary child page in the left pane and select New Child Page.
    Screenshot
  16. A new child page will be created. You need to name the page as Target Systems and press Enter.
    In this page, you will be attaching the file that contains the result of nmap subnet scan.
    The file containing the subnet scan is located in root folder.
    Screenshot
  17. Expand the Executive Summary node.
    Right-click on Target Systems node in the left pane and select Attach File… option.
    Screenshot
  18. The Attach File… window appears. Navigate to the root folder, select the scan.txt file and click the Attach button.
    Screenshot
  19. You will observe that the scan.txt file is attached under the Target Systems page. Click on scan.txt to view the scan result.
    The results appearing in your lab may vary from the ones displayed in the screenshot.
    Screenshot
  20. Right-click the Luxurytreats Penetration Testing Report node in the left pane and select New Child Page.
    Screenshot
  21. A new child page will be created. You need to name the page as Comprehensive Technical Report and press Enter.
    In this report, you will list all the vulnerabilities found during penetration testing and attach the screenshots/reports of their exploitation.
    In this lab, we will prepare a report for vulnerability assessment.
    Screenshot
  22. Right-click the Comprehensive Technical Report child page in the left pane and select New Child Page.
    Screenshot
  23. A new child page will be created. You need to name the page as Vulnerability Assessment and press Enter.
    Screenshot
  24. Expand Comprehensive Technical Report node in the left pane.
    Select the Vulnerability Assessment node under Comprehensive Technical Report and, in the lower section of the KeepNote window, write a report on the vulnerability found in a target (in the earlier labs, for instance, the File Upload vulnerability) as shown in the screenshot.
    If you have a screenshot, you can also attach it as proof of concept.
    Screenshot
  25. Right-click the Luxurytreats Penetration Testing Report node in the left pane and select New Child Page.
    In general, vulnerability analysis reports are too lengthy and they disturb the continuity of the penetration test report. Hence, you will be attaching this vulnerability analysis file at the end of the pentest report.
    Assume that you have come to the end of the report. Therefore, you will be attaching the vulnerability analysis file here (under a child page named Appendix).
    Screenshot
  26. A new child page will be created. You need to name the page as Appendix and press Enter.
    Screenshot
  27. Right-click on Appendix node in the left pane and select Attach File… option.
    Screenshot
  28. The Attach File… window appears. Navigate to the root folder, select the Vulnerability Analysis.html file and click the Attach button.
    Screenshot
  29. You will observe that the Vulnerability Analysis.html file is attached under the Appendix page as shown in the screenshot.
    Screenshot
  30. Go to the File menu and select Export Notebook --> HTML….
    Screenshot
  31. The Export Notebook window appears. Specify the name as Luxurytreats Pen Test Report, choose the location as Desktop and click Export.
    We use a different name here because a folder named Luxurytreats Penetration Testing Report was already saved by default when the notebook was created in KeepNote.
    You can minimize the KeepNote window.
    Screenshot
  32. Now, the report is saved under the name Luxurytreats Pen Test Report in root folder. Navigate to the Desktop, open the Luxurytreats Pen Test Report folder, and double-click the index.html file.
    Screenshot
  33. The file opens in the web browser displaying the index of the report in the left pane. You may select each section in the left pane to view a detailed report associated with it in the right pane.
    Screenshot
  34. Click the Document Details link in the left pane. The details of the document are displayed in the right pane of the browser window as shown in the screenshot.
    Screenshot
  35. Click the Executive Summary section in the left pane. This displays detailed information regarding the section as shown in the screenshot.
    Screenshot
  36. Expand the Executive Summary node, expand the Target Systems node and then click the scan.txt link. This displays all the machines found during the scan as shown in the screenshot.
    Screenshot
  37. This way, you can create a penetration test report and use it to assess the security posture of an organization.
    Close all the opened windows.
    Screenshot
In this lab, you have learned how to:
  • Import Penetration Test Reports from Penetration Test Folder to KeepNote
  • Export a Final Penetration Test Report containing all the internal pentest reports
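Steps 16 to 19 attach the raw scan.txt to the Target Systems page. The following added example (not part of the original lab) shows one way to turn nmap's normal text output into a host summary table that can be pasted into that page; the sample scan text, addresses and hostname are constructed, and the function names are hypothetical.

```python
import re
from html import escape

# Constructed sample of nmap "normal" text output; addresses and names are made up.
SAMPLE_SCAN = """\
Nmap scan report for 10.10.10.1
Host is up (0.00040s latency).
All 1000 scanned ports on 10.10.10.1 are closed

Nmap scan report for fileserver.example.test (10.10.10.12)
Host is up (0.00052s latency).
Not shown: 997 closed ports
PORT    STATE    SERVICE
22/tcp  open     ssh
80/tcp  open     http
445/tcp filtered microsoft-ds

Nmap done: 256 IP addresses (2 hosts up) scanned in 4.21 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (?:(\S+) \()?([0-9a-fA-F.:]+)\)?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_scan(text):
    """Return one dict per host: address, hostname, and its open ports only."""
    hosts = []
    for line in text.splitlines():
        line = line.strip()
        m = HOST_RE.match(line)
        if m:
            hosts.append({"addr": m.group(2), "name": m.group(1) or "", "open": []})
            continue
        m = PORT_RE.match(line)
        if m and hosts and m.group(3) == "open":
            hosts[-1]["open"].append(f"{m.group(1)}/{m.group(2)} {m.group(4)}")
    return hosts

def to_html_table(hosts):
    """Render the host list as an HTML table; scan data is untrusted, so escape it."""
    rows = ["<tr><th>Address</th><th>Hostname</th><th>Open ports</th></tr>"]
    for h in hosts:
        ports = ", ".join(h["open"]) or "none observed"
        cells = (h["addr"], h["name"] or "-", ports)
        rows.append("<tr>" + "".join(f"<td>{escape(c)}</td>" for c in cells) + "</tr>")
    return "<table>\n" + "\n".join(rows) + "\n</table>"

if __name__ == "__main__":
    print(to_html_table(parse_scan(SAMPLE_SCAN)))
```

Hostnames in scan output come from the scanned network's DNS, so the table escapes every cell before it goes into an HTML report. Keep the raw scan.txt attached as well so a reviewer can reproduce the summary.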