Pentest Reporting

Transcript

Let’s dive in and look at leveraging the PlexTrac platform in gaining efficiencies when performing penetration test reporting Activities I’ve created a client called Cool Test Project. Within this client, we can create a report. We can choose a report template, which is a collection of the narrative sections as well as the export template and any custom fields that we want to define. We can assign this to multiple operators, give the engagement a start and stop date, and assign it to a reviewer for the peer review quality assurance process. We also have a custom field here called Client short Name.

Now that we’ve established the baseline narrative section for our report, we can look here and see that the narrative sections were filled in based on the report template that we chose. I can leverage Narratives database, which is part of the content library, and select sections of the report that I want to add in that I’ve saved for use in future reports. As an example, these sections could be small snippets of text, or could be large paragraphs and blocks of sections.

I can now drag this in. The UI, where I want this section of the report to appear, can also leverage what we placed in the report earlier in the custom field to replace the values here that are short codes with the text values we put in earlier, we can leverage adding findings in a number of different fashions. Our Writeups database are repositories for finding templates. These writeups are created by you, and they’re for use in many different use cases. The long and the short of it is, if you want to be able to save custom findings for use later, you can do that. Going to my dashboard, I can rapidly navigate to the report that I was working on. Let’s add a finding from a write ups template.

Maybe we’ll pull in a SQL injection finding.

We also have the opportunity to edit the contents of the finding. We’ve created an instance of the finding from our Findings template. Perhaps we want to say this is critical and we want to associate this finding to Assets. I’ll do the bulk paste operation here another method to get those findings into the platform. You could also leverage some of the automated tooling that you’ve used. In this case, we can also do tagging. I’m going to tag these findings as internal as well as the Assets.

I’m going to then bring in some findings from Burp as well. So this is an example of a penetration test that both has an internal and external perspective. Those findings I just brought in from Nessus are internal. Perhaps we want to tag the finding that we manually added as external.

And now when I’m bringing in the findings from Burp, I’m going to tag them as external as well. This allows us to be able to separate them out when we want to work with them in a report.

Another method to leverage the writeups database is called Parser Actions in the Platform. What I’ve done behind the scenes before I uploaded the Nessus file, I navigate to Parser Actions and select the Nessus Parser. I’ve gone in and created a link between these findings and my custom writeups database finding called Insecure Use of Encryption. What this allows you to do is take findings and map them to your own findings. I’ve also taken this one finding and mapped it to my Bad encryption. These writeups override the Tooling’s default output and allows you to put your own custom writeups. This is also an instance of flattening these findings into one finding.

We’ll go back into the report and I’ll show you what that looks like. If we look for the finding Insecure Use of Encryption, we see it here. The output is if we look here, we see the custom description of our finding, recommendations and references, and the severity that we noted it to be. If we look at the evidence, we can see that those multiple findings from Nessus have been compressed into one finding here.

We also have the opportunity to interact with the findings here. I can assign a new status to this finding and say I’m going to work on this finding.

I’ll sign it to myself and put a note into the status.

Now this report is ready for review. I can change the report status to Ready for review. If I’m assigned as the reviewer, I’ll get an email that mentions that this report is ready for review. I can log into the findings, take a look. As I said earlier, you can change all of the different pieces of this findings puzzle. Maybe you need to add new assets, adjust the severity. If we notice in the collaborative user interface here, user account names show who’s working in what section, I have the opportunity to come in and make comments.

I could also track changes, a clean peer review process. I could also come in, for example, if I’ve gone and shown these several findings here and have gone through review, perhaps I want to change all of their status. And I want to say that these are now edits have been made.

Perhaps my workflow is to then go into the report and change to in review. Now the report owner gets an email, says it’s in review. That user can come in, sort by substatuses, look for the edits made and address the comments.

Another interesting activity that we can perform here is one of my favorites that’s copy and paste come in and add my evidence, add that screenshot in, maybe even add commands or script output. We are ready to go. So now we’ve got our readout view. This is a frame up of what the report will look like. We have our narrative section and then the findings associated.

Now it’s time for the report. Once the report has been exported, you have the opportunity to view it. PlexTrac uses the Ginger language and our customer success team can help build out a report that’s going to look exactly like the way you want it to in this case. This report is designed so that findings that are tagged as internal and findings that are tagged as external will show up in their own disparate sections. An example of looking at the sections that have been pulled down. Based on the report template we chose, we’ve got some tables showcasing the findings and then we have our findings for internal penetration testing in detail. This is simply an example of the type of output that you can produce, but really the sky is the limit as far as how you want the data to be displayed.

This is an example of the external penetration test results. I hope you recognize that PlexTrac can really aid you in your efficient in writing your penetration testing reports.