Kali reporting tools

Kali Linux includes a small selection of reporting tools that can be used for organizing how a team captures information, as well as some encryption utilities. Here is a brief overview of some of the tools that could benefit your Penetration testing practice.

Dradis

Dradis is an open source framework for information sharing. It provides a centralized repository that tracks what has been done and what still needs to be completed. Dradis can collect notes from team members, import the output of scanners such as Nessus and Qualys, and import other information such as vulnerability lists.

To open Dradis, navigate to Reporting Tools | Documentation and select Dradis. Dradis is accessed through a standard web browser, which simplifies collaboration between groups of people. To start a session, select New Project for the Meta-Server and provide a password that will be shared between team members.


To log in, create a name and provide the password. This takes you to the main dashboard. Check out the wizards and demo videos to learn more about using Dradis in your engagements.

KeepNote

KeepNote is a note-taking application. You can store many note types and quickly view everything using a notebook hierarchy with rich text and image formatting. KeepNote is found under Reporting Tools | Documentation; select KeepNote to launch it.

Maltego CaseFile


CaseFile is a visual intelligence application used to determine the relationships and real-world links between hundreds of different types of information. This makes information gathering and relationship analysis easy during investigations.


MagicTree

MagicTree is a penetration tester productivity tool designed for data consolidation, querying, external command execution, and report generation. Information is stored in a tree structure, making it easy to locate results from previous exercises and format them for reporting.

CutyCapt

CutyCapt captures WebKit's rendering of a web page into a variety of bitmap and vector formats, including SVG, PDF, PS, PNG, JPEG, TIFF, BMP, and GIF.

Sample reports

Following are example reports you can use as templates for building deliverables for your customers:

Penetration Testing report for CUSTOMER from SERVICE PROVIDER:

Note

This document contains information from SERVICE PROVIDER that is confidential and privileged. The information is intended for the private use of CUSTOMER. By accepting this document you agree to keep the contents in confidence and not copy, disclose, or distribute this without written request to and written confirmation from SERVICE PROVIDER. If you are not the intended recipient, be aware that any disclosure, copying, or distribution of the contents of this document is prohibited.

Document details:

Company: CUSTOMER

Document: Penetration Testing report

Date:

Classification: Public

Recipient: Company, name, title

Document history:

Date    Version    Author    Comments
        1.0                  Draft
        2.0                  Review

Contents:

1 Executive Summary .............................................. 4

1.1 Summary ...................................................... 4

1.1.1 Approach ................................................... 4

1.2 Scope ........................................................ 5

1.3 Key findings ................................................. 6

1.3.1 Vulnerability A ............................................ 6

1.3.2 Vulnerability B ............................................ 6

1.3.3 Vulnerability C ............................................ 7

1.4 Recommendations .............................................. 8

1.5 Tabular Summary .............................................. 10

2 Technical report ............................................... 12

2.1 Network security ............................................. 12

2.1.1 ITEM 1 ..................................................... 12

2.1.2 ITEM 2 ..................................................... 14

2.2 Web application vulnerabilities .............................. 16

3 Conclusion ..................................................... 21

Appendix ......................................................... 22

1 Executive Summary

1.1 Summary

CUSTOMER has assigned the task of carrying out quarterly penetration testing of <domain> to SERVICE PROVIDER.

This penetration test was performed during <Date>. A detailed report of each task and our findings follows.

The purpose of the test is to determine security vulnerabilities in the configurations and web applications running on the servers specified as part of the scope of work. The tests are carried out assuming the identity of an attacker or a user with malicious intent.

1.1.1 Approach

  • Perform broad scans to identify potential areas of exposure and services that may act as entry points.
  • Perform targeted scans and investigation to validate vulnerabilities found from targets identified during broad scans.
  • Test identified components to gain access.
  • Identify and validate vulnerabilities.
  • Rank vulnerabilities based on threat level, loss potential, and likelihood of exploitation.
  • Perform research and development activities to support analysis. Identify issues of immediate consequence and recommend solutions.
  • Provide recommendations to enhance security.
  • Transfer knowledge.

During the network-level security checks, we probed the ports present on the various servers and identified running services with known security holes, if any. At the web application level, we checked the web servers' configuration and looked for logical errors in the web application itself.

1.2 Scope

The scope of this Penetration Test was limited to the following IP addresses.

<IP address list>

<IP address list>

<IP address list>

1.3 Key findings

This section provides a summary of the critical issues discovered during the Penetration Testing engagement.

1.3.1 Vulnerability A

Explanation of vulnerability found.

Recommendation to remediate vulnerability.

1.3.2 Vulnerability B

Explanation of vulnerability found.

Recommendation to remediate vulnerability.

1.3.3 Vulnerability C

Explanation of vulnerability found.

Recommendation to remediate vulnerability.

1.4 Recommendations

SERVICE PROVIDER recommends CUSTOMER develop a plan of action to address problems discovered during this assessment.

Recommendations in this report are classified as tactical or strategic. Tactical recommendations are short-term fixes that alleviate the immediate security concerns. Strategic recommendations focus on the overall environment, future directions, and the introduction of security best practices. A highlight of the recommendations follows:

1.4.1 Tactical Recommendations

  • Recommendation 1
  • Recommendation 2
  • Recommendation 3
  • Recommendation 4
  • Recommendation 5

1.4.2 Strategic Recommendations

  • Proactive security assessments: As part of security best practices, CUSTOMER should ensure that any major change to their Internet-facing infrastructure is followed by another external security assessment. This is a precaution against the impact of changes made on the recommendations in this document.
  • Intrusion Detection / Prevention (IDS/IPS): Networks exposed to potentially hostile traffic should implement some capability to detect intrusions. Investigate an IDS solution for the network.
  • Automated network access control: Best practice is to automate control of who and what is permitted specific network access.

1.5 Tabular Summary

The following table summarizes the system's vulnerability assessment:

Category                                           Description
-------------------------------------------------  -----------
Systems vulnerability assessment summary
Number of Live Hosts                               100
Number of Vulnerabilities                          35
High / Medium / Info severity vulnerabilities      21 / 6 / 8

2 Technical report

2.1 Network Security

2.1.1 ITEM 1

Description:
  Service Running: SMTP, HTTP, POP3, HTTPS
  Service Version Details:

Analysis:
  Description:
  Severity Level: Medium

2.1.2 ITEM 2

REPEAT (same structure as ITEM 1)

Summary description

References: http://www.weblink.com

2.2 Web application vulnerabilities

Risk Description | Threat Level | Potential Corporate Loss | Likelihood of Exploitation       | Recommendation
---------------- | ------------ | ------------------------ | -------------------------------- | --------------
Vulnerability A  | Severe       | Potential Loss           | Possibility of being compromised | Remediation
Vulnerability B  | Severe       | Potential Loss           | Possibility of being compromised | Remediation
Vulnerability C  | Severe       | Potential Loss           | Possibility of being compromised | Remediation
Vulnerability D  | Moderate     | Potential Loss           | Possibility of being compromised | Remediation
Vulnerability E  | Moderate     | Potential Loss           | Possibility of being compromised | Remediation
Vulnerability F  | Low          | Potential Loss           | Possibility of being compromised | Remediation
Vulnerability G  | Low          | Potential Loss           | Possibility of being compromised | Remediation
Vulnerability H  | Low          | Potential Loss           | Possibility of being compromised | Remediation

Experience has shown that a focused effort to address the problems outlined in this report can result in dramatic security improvements. Most of the identified problems require knowledge of, and commitment to, good practices rather than advanced technical skills.

Appendix

This section provides the screenshots of the known vulnerabilities presented in the observations and findings table.

Penetration Test report

Customer:

Address

Contact information

Service Provider:

Address

Contact information

PENETRATION TEST REPORT – Customer

Table of Contents

Executive Summary

Summary of results

Attack Narrative

Network Vulnerability Assessment

Webserver Vulnerability Assessment

Privilege Escalation

Maintaining Access to Compromised Targets

Domain Privilege Escalation

Database Content Exploitation

Attacker Control of Customer Transactions

Conclusion

Recommendations

Risk Rating

Appendix A: Vulnerability Detail and Mitigation

Vulnerability A

Vulnerability B

Vulnerability C

Vulnerability D

Appendix B: List of Changes made to Archmake Systems

Appendix C: About Offensive Security

Executive Summary

SERVICE PROVIDER has been contracted to conduct a penetration test against CUSTOMER's external web presence. The assessment was conducted in a manner that simulated a malicious actor engaged in a targeted attack against the company, with the following goals:

  • Identifying if a remote attacker could penetrate CUSTOMER's defenses
  • Determining the impact of a security breach on:
    • The integrity of the company's security
    • The confidentiality of the company's information
    • The internal infrastructure and availability of CUSTOMER's information systems

The results of this assessment will be used by CUSTOMER to drive future decisions as to the direction of their information security program. All tests and actions were conducted under controlled conditions.


Summary of results

Network Reconnaissance was conducted against the address space provided by CUSTOMER with the understanding that this range of targets would be considered the scope for this engagement. It was determined that the company maintains a minimal external presence, consisting of an external web site and other services identified by SERVICE PROVIDER during Reconnaissance of CUSTOMER.

While reviewing the security of the primary CUSTOMER website, it was discovered that a vulnerable plugin was installed. This plugin was successfully exploited, leading to administrative access. This access was utilized to obtain interactive access to the underlying operating system, and then escalated to root privileges.

SERVICE PROVIDER was able to use this administrative access to identify internal network resources. A vulnerability in an internal system was leveraged to gain local system access, which was then escalated to domain administrator rights. This placed the entire infrastructure of the network under the control of the attackers.

Attack Narrative

<Network Vulnerability Assessment Details>

<Webserver Vulnerability Assessment Details>

<Privilege Escalation Details>

<Maintaining Access to Compromised Targets Details>

<Domain Privilege Escalation Details>

<Database Content Exploitation Details>

Conclusion

In the course of the external Penetration Test, CUSTOMER suffered a cascading series of breaches that led to conditions that would directly harm the company as well as its customers.

The specific goals of the Penetration Test were stated as follows:

  • Identify if it is possible for a remote attacker to penetrate CUSTOMER's cyber defenses
  • Determine the impact of a security breach on:
    • The integrity of the company's systems.
    • The confidentiality of the company's customer information.
    • The internal infrastructure and availability of customer's information systems.

Based upon the services provided, it was determined that a remote attacker would be able to penetrate CUSTOMER's defenses. The initial attack vector is identified as critical because it can be discovered remotely through automated scanning. The impact of exploiting such vulnerabilities could cripple CUSTOMER's network and brand.

Recommendations

We commend CUSTOMER for being proactive in managing technology risk and network security by procuring our services. Given the impact on the overall organization uncovered by this penetration test, we recommend allocating appropriate resources to ensure that remediation efforts are completed in a timely manner. While a comprehensive list of items that should be implemented is beyond the scope of this engagement, some high-level items are important to mention:

  • Implement a patch management program: Many identified vulnerabilities could be avoided with proper patch management. We recommend following the guidelines outlined in NIST SP 800-40 as a source for developing security policies for proper patch management. This will reduce the risk of running vulnerable systems.
  • Enforce change control across all systems: Common vulnerabilities are caused by human error. Many misconfiguration issues could be avoided through a strong change control process on all active systems.
  • Leverage multifactor and role-based access control: Some critical systems were found relying on password security as the only means of validating authorized individuals. Best practice is to require at least two forms of authentication, along with limiting access to administrative accounts.
  • Restrict access to critical systems: Critical systems should be isolated from other systems using whitelists, ACLs, VLANs, and other means. The design principle of least privilege limits the damage an attacker can inflict using a compromised resource. Consult NIST SP 800-27 Rev A for guidelines on achieving a security baseline for IT systems.

Risk Rating

The overall risk identified by SERVICE PROVIDER for CUSTOMER is broken down into levels from Critical to Low, defined as follows. SERVICE PROVIDER identified three critical vulnerabilities that were used to gain access to CUSTOMER's internal network.

  • Critical: Immediate threat to key business processes
  • High: Indirect threat to key business processes / threat to secondary business processes
  • Medium: Indirect or partial threat to business processes
  • Low: No direct threat exists; the vulnerability may be leveraged in combination with other vulnerabilities

The current risk level of the systems tested, based on the highest risk level among the findings, is Critical. During the testing, a total of three (3) Critical, two (2) Medium, and two (2) Low vulnerabilities were identified.
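As an added example that is not part of the original templates, the following Python helper (hypothetical function names, constructed sample findings) produces the figures behind the Tabular Summary in section 1.5 of the first template and derives the overall risk level using the rule just stated for the Risk Rating: the highest severity among the findings. It rejects any severity outside the defined scale so that a mislabelled finding cannot silently disappear from the counts.

```python
from collections import Counter

# Severity scale from the Risk Rating section, highest first.
SEVERITY_ORDER = ("Critical", "High", "Medium", "Low")

# Constructed sample findings (hypothetical placeholders, not from any real engagement).
SAMPLE_FINDINGS = [
    {"name": "Vulnerability A", "host": "10.0.0.10", "severity": "Critical"},
    {"name": "Vulnerability B", "host": "10.0.0.10", "severity": "Critical"},
    {"name": "Vulnerability C", "host": "10.0.0.20", "severity": "Critical"},
    {"name": "Vulnerability D", "host": "10.0.0.30", "severity": "Medium"},
    {"name": "Vulnerability E", "host": "10.0.0.30", "severity": "Medium"},
    {"name": "Vulnerability F", "host": "10.0.0.40", "severity": "Low"},
    {"name": "Vulnerability G", "host": "10.0.0.40", "severity": "Low"},
]

def validate(findings):
    """Reject severities outside the scale so a typo cannot silently drop a finding from the counts."""
    for f in findings:
        if f["severity"] not in SEVERITY_ORDER:
            raise ValueError(f"{f['name']}: unknown severity {f['severity']!r}")
    return findings

def overall_risk(findings):
    """Overall risk is the highest severity among the findings, as the Risk Rating section defines."""
    if not findings:
        return "None"
    return min((f["severity"] for f in findings), key=SEVERITY_ORDER.index)

def summary(findings, live_hosts):
    """Figures for the Tabular Summary: live hosts, affected hosts, totals and per-severity counts."""
    counts = Counter(f["severity"] for f in validate(findings))
    return {
        "live_hosts": live_hosts,
        "affected_hosts": len({f["host"] for f in findings}),
        "vulnerabilities": len(findings),
        "by_severity": {s: counts.get(s, 0) for s in SEVERITY_ORDER},
        "overall_risk": overall_risk(findings),
    }

def render(findings, live_hosts):
    """Render the summary as the two-column table used in section 1.5 of the template."""
    s = summary(findings, live_hosts)
    rows = [("Number of Live Hosts", s["live_hosts"]), ("Hosts with Findings", s["affected_hosts"]),
            ("Number of Vulnerabilities", s["vulnerabilities"])]
    rows += [(f"{sev} severity vulnerabilities", n) for sev, n in s["by_severity"].items()]
    rows.append(("Overall Risk Level", s["overall_risk"]))
    width = max(len(label) for label, _ in rows)
    return "\n".join(f"{label:<{width}}  {value}" for label, value in rows)
```

The live host count is passed in separately because it comes from the discovery scan, not from the findings list.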

Appendix: Vulnerability Detail with Mitigation

<Vulnerability A information>
