RE: Some help on methodologies and reports

From: Shenk, Jerry A (jshenk@decommunications.com)
Date: Wed Dec 27 2006 - 23:07:03 EST


I see you got a response on the first question...on the second
question...the difference between "plain hacking" and "pen-testing" is
permission and the report. You're doing the right thing trying to come
up with a good write-up. Being able to write it up is a necessary
skill...and it's a lot of work. The first one is the hardest too.

You probably want an executive summary...a single page, maybe two...not
more than two pages. Then something on the methodology...that's
basically a very broad discussion of how you did it including some of
the thought process. Then you might want a section on vulnerabilities
and exploits - vulnerabilities are points of exposure and exploits are
places where you got stuff that you shouldn't have been able to get. In
the lists of vulnerabilities and exploits, you should probably have a
paragraph or two discussing what it really means and some possibilities
for remediation. I think you ought to end with a summary. I include a
timeline between the methodology and the vulnerabilities...the point of
that is so that the company can go back to their logs and look through
them to learn what they should have seen so that it can be a learning
experience for them. Then an appendix can have screen shots, lists of
ports and other stuff to support the rest of the paper but split out so
that it doesn't mess up the readability of the paper.

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Nikolaj
Sent: Wednesday, December 27, 2006 6:28 AM
To: pen-test@securityfocus.com
Subject: Some help on methodologies and reports

I would like to ask a few questions concerning some aspects of
penetration testing.

A friend set up a little LAN to mimic an ISP. He has different services,
ranging from mysql to nagios etc. I was able to penetrate one of the
servers, which led me to another and so forth. E.g. I penetrated his
network. Now I want to create a legit report, so that it looks like a
real one. Can you give me links or some hints on what one such
report should include? Maybe there are drafts somewhere.

I feel that what I did was more plain hacking than just pen testing.
What are the differences between them, except the business relationship?

Regards.






This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:30 EDT