Penetration testing reporting and methodology
Rashad Aliyev
PhD. Lourdes Peñalver
Cordoba, Spain
25.09.2015
Keywords: PenTest, Penetration Testing, Network testing, bug bounty, InfoSec, Cyber Security
What is Penetration testing
* CEH Materials
Why Penetration testing?
Security Audit
A security audit just checks whether the organization is following a set of standard security policies and procedures.

Vulnerability Assessment
A vulnerability assessment focuses on discovering the vulnerabilities in the information system but provides no indication if the vulnerabilities can be exploited or the amount of damage that may result from the successful exploitation of the vulnerability.

Penetration Testing
Penetration testing is a methodological approach to security assessment that encompasses the security audit and vulnerability assessment and demonstrates if the vulnerabilities in system can be successfully exploited by attackers.
Audit vs Penetration testing?
Audit
- Check set of standards
- Create report by standards
Penetration testing
- Find vulnerabilities (Foot printing, Exploiting)
- Generate report
Types
• Internal, External(1)
• Blackbox, Whitebox(2), Greybox(3)
• Announced, Unannounced(1)
• Passive, Active scans
• Automated, Manual(1)
1. CEH course modules
2. A Penetration Testing Model. Federal Office for Information Security (BSI), Bonn. P14
3. Using w3af to achieve automated penetration testing by live DVD/live USB. P1-2
Methodologies
• Planning, Discovery, Exploiting, Reporting*
• Preparation, Anonymity, Foot Printing, Analysis, Exploiting, Reporting,
Advisory**
• Preparation, Reconnaissance, Analysis of Information / Risks, Active
Intrusion Attempts, Final Analysis / Clean-Up***
• Planning, Discovery, Attack, Reporting****
* A. Bechtsoudis, N. S. Aiming at Higher Network Security Through Extensive Penetration Tests IEEE Latin America Transactions, 2012,
10, 1752 - 1756
** Parvin Ami, A. H. Seven Phrase Penetration Testing Model International Journal of Computer Applications, 2012, 59, 16-20
***Study A Penetration Testing Model Federal Office for Information Security (BSI), 2003
**** Scarfone, K. A.; Souppaya, M. P.; Cody, A. & Orebaugh, A. D. SP 800-115. Technical Guide to Information Security Testing and
Assessment National Institute of Standards and Technology, National Institute of Standards & Technology, 2008
Used Methodology
Penetration testing is the process of attempting to gain access to resources without knowledge of usernames, passwords and other normal means
of access.*
---
* SANS Institute, Penetration Testing: Assessing Your Overall Security Before Attackers Do
The Problem
× Format: There is no standard format for penetration testing.
× Compare: There is no system for comparing two different reports.
× Systematize: There is no method to help us write reports and generate one.
Report format - Styles
• American Psychological Association (APA) Style [1]
• Page design, Document Control, List of Report Content, Executive Summary, Methodology, Detail findings, References, Appendices, Glossary [2]
• A Cover Sheet, The Executive Summary, Summary of Vulnerabilities, Test Team Details, List of the Tools Used, A copy of the original scope of work, The main body of the report, Final delivery [3]
[1] Thomas Wilhelm. Professional Penetration Testing. Syngress, 2009.
[2] Mansour A Alharbi. Writing a penetration testing report. SANS Institute, April 2010.
[3] Mike Sheward. The art of writing penetration test reports. January 2012.
Report format – Our Idea
– For top management
• Title page
• Executive Summary
– For technical workers
• Title page
• Executive Summary
• Test Team Details
• Summary of Vulnerabilities
• References
• Glossary
Idea
01 Planning
- Penetration tests
02 Foot printing
- Upload scan result
- Send bug
- View results
03 Exploiting
- Send attack result
04 Reporting
- Generate Report
- Compare Reports
Site for Penetration testing
www.penteston.com
- Planning
- Foot printing
- Exploiting
- Reporting
01. Planning
01 Test name
02 Scope of Work
03 Contract or NDA
04 Conduct (Whitebox, Greybox, Blackbox)
05 Type (Internal, External, Application-layer, Network-layer)
06 Team detail
02. Foot Printing
Scan report
- Multiple alerts
- From one of scanners
- Upload file
Alert
- Manual send alert
- Detailed information about alert
03. Exploiting
01 Alert Level - Low, Medium or High level of alert
02 Detailed information about alert
04. Reporting & Compare
Detailed report for developers
Short key information for managers
Report for managers
Archive
Staff
For comparing reports
Compare
Style
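The comparison step named on this slide can be sketched as follows. This is an added example, not code from the presentation or from penteston.com: the Alert fields, the function names and the two sample reports are assumptions constructed for illustration, and only the Low/Medium/High alert levels come from the slides.

```python
from dataclasses import dataclass

LEVELS = {"Low": 1, "Medium": 2, "High": 3}  # alert levels named in the slides

@dataclass(frozen=True)
class Alert:
    target: str   # assumed field: host or URL the alert applies to
    title: str    # assumed field: short name of the issue
    level: str    # "Low", "Medium" or "High"

    def key(self):  # normalised so the same issue matches across scanners
        return (self.target.strip().lower().rstrip("/"),
                " ".join(self.title.lower().split()))

def index_alerts(report):
    """Map finding key -> highest-level Alert, collapsing duplicate alerts."""
    out = {}
    for a in report:
        if a.level not in LEVELS:
            raise ValueError(f"unknown alert level: {a.level!r}")
        k = a.key()
        if k not in out or LEVELS[a.level] > LEVELS[out[k].level]:
            out[k] = a
    return out

def compare(old, new):
    """Classify each finding by how it differs between two reports."""
    o, n = index_alerts(old), index_alerts(new)
    diff = {"only_in_old": [], "only_in_new": [],
            "unchanged": [], "raised": [], "lowered": []}
    for k in sorted(o.keys() | n.keys()):
        if k not in n:
            diff["only_in_old"].append(o[k].title)
        elif k not in o:
            diff["only_in_new"].append(n[k].title)
        else:
            delta = LEVELS[n[k].level] - LEVELS[o[k].level]
            bucket = "unchanged" if delta == 0 else "raised" if delta > 0 else "lowered"
            diff[bucket].append(n[k].title)
    return diff

# Constructed sample data: two reports for the same scope (not real findings).
REPORT_A = [Alert("https://app.example/", "SQL Injection", "High"),
            Alert("https://app.example", "sql  injection", "Medium"),
            Alert("10.0.0.5", "Weak TLS configuration", "Medium"),
            Alert("10.0.0.5", "Directory listing", "Low")]
REPORT_B = [Alert("10.0.0.5", "Weak TLS configuration", "High"),
            Alert("10.0.0.5", "Directory listing", "Low"),
            Alert("https://app.example", "Missing security headers", "Low")]

if __name__ == "__main__": print(compare(REPORT_A, REPORT_B))
```

A finding listed under only_in_old counts as fixed only when both tests covered the same scope; otherwise it may simply not have been retested.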
Future Work
- Open beta testing (In process)
- Start analyzing for new features (In process)
- Get new features (In process)
- Finish small works on project (In process)
Rashad Aliyev
Universitat Politècnica de València
rashad@aliev.info
@alievinfo
Thank you
www.penteston.com
