9.1.9 Lab - Explore PenTest Reports - ILM

Lab - Explore PenTest Reports

Objectives
Review examples of penetration testing reports and build your own report format based on
examples and pentesting notes.
• Part 1: Review Publicly Available Penetration Testing Reports
• Part 2: Develop Your Own Report Format
• Part 3: Create Your Pentesting Report

Background / Scenario
At the conclusion of a security test, a penetration testing report is produced that presents a
detailed analysis of the organization’s security risks. The report will cover many aspects of the
organization’s security posture, vulnerabilities, high and low priority concerns, and suggested
remediations. In addition, penetration testing reports are an important part of maintaining
regulatory compliance. The reports provide evidence that the organization takes measures to
assess its infrastructure and sensitive data security.
When it comes to creating the penetration testing report, most penetration testing
professionals will start with a company template and then customize the tone and organization
based on the type of testing conducted and the desired deliverable. However, care still needs
to be taken to use the preferred tone and style.
In this lab, you will complete a report from the relevant information gathered during a
penetration testing engagement performed by Protego Security Solutions. The client who will
receive the report is Pixel Paradise Inc., an electronic games developer.

Required Resources
• PC or mobile device with internet access

Instructions

Part 1: Review Publicly Available Penetration Testing Reports


There are many sources on the internet for free penetration testing reports.
a. Navigate to https://github.com/santosomar/public-pentesting-reports. This displays a
sampling of public pentesting reports. Search on the web for “example penetration testing
reports.” You should find additional examples.
b. Select and review at least three different reports. Make notes detailing the sections included
in the reports and the type of information included in each.
Note: Try to find reports that contain comprehensive penetration testing results for a client
company. Reports regarding the security of software, technologies, or systems are not
relevant to our needs in this lab.

What sections do the review reports have in common?

© 2023 - 2024 Cisco and/or its affiliates. All rights reserved.
Cisco Public
Executive Summary – Provides a high-level overview of the findings, impact, and main
recommendations for non-technical stakeholders.

Scope and Objectives – Details the scope of the test, including the systems and areas
covered, and the objectives set for the assessment.

Methodology – Describes the testing approach and tools used, often referencing frameworks
like NIST, PTES, or OWASP.

Findings and Analysis – Lists discovered vulnerabilities, categorized by severity, with technical
details for each.

Recommendations – Provides remediation steps to address each vulnerability and improve
overall security.

Conclusion – Summarizes the outcomes, reiterates key vulnerabilities, and may include
follow-up recommendations for future testing.

What is the purpose of the executive summary? Who do you think that section is intended
for?

The purpose of the executive summary is to provide a concise overview of the
penetration test results, highlighting critical findings and recommended actions without
technical detail. It allows decision-makers, like senior management or executives, to
quickly understand the key risks and necessary actions. This section is intended for
non-technical stakeholders who may not need detailed information but require an
understanding of the overall security posture and the potential business impact of the
findings.


Part 2: Develop Your Own Report Format


There are many ways to write a penetration test report. As you know, most penetration test
reports share the same key sections. In this part of the lab, you will create your own pentesting
report format by creating an outline of the major sections of the report. You can also use
subheadings.

Section 1: Create your report structure.


a. Review your notes from Part 1 and build an outline of the sections you will include in
your report. Your outline should consist of major headings and sub-headings as required.

What major sections will you include in your report?

Title Page, Executive Summary, Table of Contents, Scope and Objectives, Methodology,
Findings and Analysis, Recommendations, Conclusion, Appendices.

b. Create your outline in the table below using your major sections or headings. If you need
more space, recreate the table on another piece of paper. You can also use outline
numbering if you wish.
For each heading or subheading, describe the contents that will be found under that
heading. One approach is shown in the sample answer. You are free to use other
formats if you want.

Heading/Subheading – Contents

Title Page – Contains report title, date, client name (e.g., Pixel Paradise Inc.), and penetration testing provider’s information (e.g., Protego Security Solutions).

Executive Summary – Overview of test objectives, significant findings, and major recommendations. Geared towards senior management and non-technical stakeholders.

Table of Contents – Lists all major sections and sub-sections with page numbers.

Scope and Objectives – Describes what systems, applications, and networks were tested. Outlines testing goals, such as identifying vulnerabilities and assessing security awareness.

Methodology – Explains the testing approach, including tools used (e.g., Nmap, ZAP) and frameworks (e.g., OWASP). Provides a high-level overview of the steps taken.

Findings and Analysis – Detailed vulnerabilities section, with each finding labeled as high, medium, or low risk. Includes descriptions, impact, affected areas, and proof of concept.

Recommendations – Specific steps to mitigate each vulnerability. For example, enhancing password policies, configuring firewalls, or securing IoT devices.

Conclusion – Summarizes the effectiveness of the current security measures and emphasizes any urgent actions.

Appendices – Raw data, screenshots, vulnerability scan outputs, or other supporting materials. Provides technical data for IT/security teams.


Section 2: Assign content to report sections.


Now that you have your report structure, label the rows in the information column with your
headings. The table contains notes from the penetration test conducted by Protego for their
client Pixel Paradise.
Note that the information is not in the order in which it will appear in the report. You will
organize it in the next section. In addition, some information could be combined under the
same heading. For example, two rows of information could both appear under a
Recommendations heading. The first row is done for you.


Report Section – Information

Recommendations
General:
• Hire a cybersecurity manager.
• Strengthen administrative security controls – policies and user agreements; penalize unauthorized devices and pages.
Specific:
• Annual user security awareness training.
• Periodic testing with phishing emails and other social engineering attacks.
• Remove rogue server and hidden web page.
• Investigate who modified firewall rules.
• Discipline personnel involved.
• Establish and enforce Windows policies regarding ad hoc shares.
• Create and enforce a password policy within Windows domains.
• Further audit AD and SMB for other vulnerabilities.
• Implement secure coding training.
• Improve input form validation to mitigate injection.
• Use parameterized queries to segregate backend databases from web input.
• Use randomized GUIDs for user IDs; do not expose user ID info in user profiles.
• Change default credentials and remove banner info from video controller.
• Replace cameras with secure models that enable software updates; implement an update program.

Executive Summary
• Company has growing pains that have led to some severe vulnerabilities; this must change with new success.
• Security posture must be modernized to ensure continued success and business continuity.
• New staff will implement a comprehensive security program.

Scope and Objectives
Goals:
• Assess web platform security.
• Test employee security awareness.
• Assess web applications: community forum and digital store.
• Internal network vulnerability to sensitive file access, damage, and theft.
• Possible vulnerabilities from IoT or other devices.


Report Section – Information

Findings and Analysis
• Seven staff clicked on links in phishing emails.
• Several staff visited a fake website running logging software.
• Undocumented server discovered with address block scanning; weak password enabled admin access.
• Internal network accessed through rogue web server; ownership discovered; firewall configured to allow access from outside.
• Hidden web page found with poor input validation on input form, vulnerable to command, code, and SQL injection. SQL injection revealed user data.
• Community forum used a static GUID for user ID; user IDs found included in user profiles; IDOR to access user accounts.
• Internal network has unprotected or weakly protected ad hoc shares (SMB); lateral movement possible.
• Shodan scan indicated presence of an internet-connected surveillance video controller/recorder. Banner showed model and software version info; default credentials provided access; the camera model’s software is not updatable.

Methodology
Processes:
• Staff tested with phishing emails and duplicate websites; our honeypot ran a logging JavaScript to record visits.
• DNS footprinting of web domains, address block scanning to identify other servers, GVM/OpenVAS, Nikto, and ZAP scans.
• From unauthorized access to the internal network, scanned with Nmap, BloodHound (AD), enum4linux, and Nmap SMB scripts. smbclient used to transfer files.
• Web apps scanned with automated vulnerability scanners; manual testing of inputs for injection vulnerabilities.
• Shodan to identify internet-facing devices; internal network scanned with Nmap to identify other connected devices.


Testing Scope
• Contracted for comprehensive black-box testing.
• Black-box testing.
• Security personnel aware of some tests.
• All internet-facing devices and networks in scope; intrusive testing and exploitation on dev servers; notify staff of intensive scans of external servers.


Section 3: Organize your Pentesting Report


You have now assigned your information to sections of your report. Now it is time to write the
report.
Put the information in the table in the order in which it should appear in your report. Follow
your notes and examples to do so.

Part 3: Create Your Pentesting Report


Using the information in the table, write your report based on your notes. The notes are only
fragments. You should add language so that your report uses the same style as the reports
that you reviewed in Part 1. A sample report that uses the same information is available below
for your review.
Some considerations:
• Always be aware of your audience and their needs. If you are not sure who the audience
will be, consult the penetration testing agreement or the project manager who is
responsible for the penetration test. Remember that not all stakeholders have the same
needs.
• Consider the tone of the report. Should you sound informal and friendly, or should you
sound formal and academic? Some organizations have preferences for this. If you are in
doubt, read archived past reports or ask.
• Your writing should be succinct. It is not necessary to use fancy language or to try to sound
sophisticated. Clarity is more important than style. In addition, be considerate of the
stakeholder’s time when reading the report. Consult examples or ask your manager about
the desirable length of your report.

Reflection Question
Why are good reporting and documentation skills important to a penetration tester?

Note: The Sample Report is provided to show you one way of transforming notes into a final report.
There are many ways that you can do this using your own style and structure. Most penetration
testing companies have their own standards for the style and structure of their reports and will
likely require your work to conform to those standards.


Example completed report:

Protego Security Solutions, Inc.

Penetration Testing Report for Pixel Paradise Inc.
June 27, 2023

Executive Summary
Protego Security Solutions was engaged by Pixel Paradise Inc. to provide comprehensive black-
box penetration testing of their web servers, web applications, internal network, and employee
security awareness. Most testing was black-box, except that in some cases access was provided
to the developer platform for more disruptive tests. In addition, security personnel were aware
that vulnerability scanning of their web servers was to occur so that the scans would not be
blocked.
Purpose and Scope
Pixel Paradise is concerned about cybersecurity preparedness because they anticipate that a
new product, to be released soon, will greatly increase their internet exposure. According to
Pixel Paradise’s stated concerns, we defined the goals of the penetration test as follows:
• Assess security of the Pixel Paradise web platform including all internet-facing services.
• Assess security of the Pixel Paradise customer community and digital storefront applications.
• Assess security of Pixel Paradise sensitive data and product builds on their internal network.
• Determine security awareness of employees at Pixel Paradise through social engineering
tests.
• Determine any vulnerabilities introduced by the use of other connected (IoT) devices in the
Pixel Paradise facility.
All internet-facing devices and internal networks were approved as subject to testing. The web
applications were approved for scanning, but more intrusive testing was to be conducted in an
internal development environment. Security staff required notification of intensive scanning of
external servers so that the scans would not be blocked.
Summary of Results and Recommendations
A high-level summary of the results of the penetration tests appears here. For more detailed
information, refer to the Test Results and Recommendations sections of this report.
• Seven personnel clicked on various phishing links, including one that simulated remote code
execution. The likelihood of a successful malware attack is high.
• A rogue web server (unknown to IT and security personnel) was found running in the internal
network; moreover, the corporate firewall had been configured to permit external access to it.
This server had various vulnerabilities that permitted access to the internal network and
disclosure of a password file. This presents an unacceptable level of risk to the company, and
steps should be taken to remove the server from the network and investigate the personnel
responsible for its presence.
• A hidden web page that included an insecure input field was discovered. The insecure field
permitted various SQL and code injection attacks and disclosure of sensitive information.

• Video surveillance equipment was found to use well-known default login credentials. The
embedded software is not updatable/patchable.
Due to the level of risk discovered in the network and applications, we recommend that Pixel
Paradise create and staff the position of Director of Cybersecurity, or similar, to enhance
security operations and policies.


Testing Process and Procedure


The testing process followed accepted processes and frameworks as defined by penetration
testing and cybersecurity testing organizations. We combine approaches by drawing on the
strengths of NIST SP 800-115, PTES, OSSTMM, and OWASP processes and procedures.
a. Staff Security Awareness
Pixel Paradise upper management expressed concern about the possibility of theft or loss
of assets due to ransomware and other malware downloads. Testing was undertaken to
assess the degree of cybersecurity awareness of employees.
Social engineering tools were utilized to create a multi-pronged campaign that primarily
used phishing emails and imitation websites. In one case, an embedded link in a phishing
email sent users to a honeypot website, maintained by Protego, which executed a
JavaScript application that recorded visits. This application simulated remote execution of
malicious software.
b. Internet-Connected Servers
DNS footprinting tools and techniques were first used to discover details of the Pixel
Paradise web presence. Scanning of adjacent address blocks was also carried out in order
to discover unknown and unregistered servers. Automated vulnerability scans were
conducted using Greenbone Vulnerability Manager/OpenVAS, Zed Attack Proxy (ZAP), and
Nikto. A preset time window for Nikto scanning was agreed with security personnel so that
they would not take measures to block the scan.
c. Internal Network
Access was gained to the internal network, and Active Directory enumeration and attack-path
mapping were performed with Nmap and BloodHound. Additional SMB enumeration was
conducted with enum4linux and the Nmap SMB scripts. Access to shares was demonstrated
with smbclient, which allowed file transfers between the testing VM and hosts on the network.
d. Web Applications
Web applications were scanned with the web application scanners noted above and manually
tested for various other vulnerabilities.
e. Other Connected Devices
Shodan was used to identify any Pixel Paradise devices that were detectable from the internet.
Once access was gained to the internal network, Nmap scans were conducted to identify IoT
devices. These devices were then researched to learn about their security features, and
well-known default credentials were tried against their login interfaces to gain access and to
verify software versions and device details.

Test Results
Test results revealed a number of serious vulnerabilities that present significant risk to Pixel
Paradise. While these vulnerabilities are serious, they are fairly easily mitigated.
a. Staff Security Awareness
A multi-pronged phishing campaign resulted in seven employees clicking potentially
malicious links. Several employees also visited imitation websites that were constructed to
lure employees into submitting user credentials.
b. Internet-Connected Servers
Public address block scanning revealed the presence of an undocumented web server that
was reachable over the internet. The server was easy to penetrate through automated login
attempts using a list of common passwords, which yielded administrative access. Once inside,
investigation indicated that the server was set up for personal use by [name redacted]. The
server housed personal information, family pictures, and other information that led to
identification of the server owner. The server also hosted an insecure remote access service
that eventually provided testers with access to the internal network. This constitutes a serious
breach of policy.


A hidden webpage that was apparently used by developers for connectivity testing was
found on the primary corporate webserver. This page included an input form for IP
addresses that was meant to execute the ping command when the input was posted. The
input box was not protected with any sort of input validation. The field was vulnerable to
command, code, and SQL injection attacks. The backend database contains sensitive user
data that was fully available to SQL commands injected into the form.
c. Web Applications
Web application scans and manual testing indicated vulnerabilities in the community forum
and storefront applications. Testing indicated that input validation on the login form was only
partially implemented, limited to HTML tag removal. More advanced SQL injection attempts
yielded an error message that identified the SQL server type and version. While it was
outside the scope of the test to access real user data through the form, further testing
indicated that SQL injection vulnerabilities are present.
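The hidden ping page above and the storefront login form are both injection findings, and the Web Applications recommendations later in this report (robust input validation, parameterized queries) are the fixes. The following Python is an added example written for this page, not code from Pixel Paradise or Protego: it places the vulnerable pattern beside the hardened one for the command injection case and for the SQL injection case. The function names, the in-memory SQLite table and its rows are assumptions constructed for illustration.

```python
"""Injection on a developer 'ping' page: vulnerable pattern beside the hardened one.

Added example for this page; not Pixel Paradise or Protego code. The function
names and the in-memory users table are assumptions constructed for illustration.
"""
import ipaddress
import sqlite3
import subprocess


# --- Command injection (the hidden ping page) -------------------------------

def vulnerable_ping_command(user_input: str) -> str:
    """Vulnerable: the form value is pasted into a shell command string.

    Executed with subprocess.run(cmd, shell=True), a value such as
    '127.0.0.1; id' makes the shell run a second command of the attacker's choice.
    The string is only built here, never executed.
    """
    return f"ping -c 1 {user_input}"


def build_ping_argv(user_input: str) -> list:
    """Hardened: allow-list the value as an IP address, then pass it as one argv
    element so no shell ever parses it. Anything that is not an address is rejected."""
    try:
        addr = ipaddress.ip_address(user_input.strip())
    except ValueError as exc:
        raise ValueError(f"rejected input, not an IP address: {user_input!r}") from exc
    return ["ping", "-c", "1", str(addr)]


def run_ping(user_input: str) -> subprocess.CompletedProcess:
    """Execute the validated argv without a shell (shell=False is the default)."""
    return subprocess.run(build_ping_argv(user_input), capture_output=True, text=True, timeout=10)


# --- SQL injection (login / user lookup) --------------------------------------

def demo_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows (not real Pixel Paradise data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)")
    db.executemany(
        "INSERT INTO users (email, role) VALUES (?, ?)",
        [("alice@example.com", "admin"), ("bob@example.com", "user")],
    )
    return db


def vulnerable_lookup(db: sqlite3.Connection, email: str) -> list:
    """Vulnerable: string formatting lets the value rewrite the WHERE clause.

    email = "' OR '1'='1" turns the query into
    ... WHERE email = '' OR '1'='1'  and returns every row."""
    return db.execute(
        f"SELECT id, email, role FROM users WHERE email = '{email}'"
    ).fetchall()


def parameterized_lookup(db: sqlite3.Connection, email: str) -> list:
    """Hardened: the driver binds the value as data; it can never become SQL syntax."""
    return db.execute(
        "SELECT id, email, role FROM users WHERE email = ?", (email,)
    ).fetchall()


if __name__ == "__main__":
    payload = "' OR '1'='1"
    db = demo_db()
    print("vulnerable   :", vulnerable_lookup(db, payload))      # all rows leak
    print("parameterized:", parameterized_lookup(db, payload))   # []
    print("shell string :", vulnerable_ping_command("127.0.0.1; id"))
    print("safe argv    :", build_ping_argv("127.0.0.1"))
```

run_ping is the only function that executes anything, and it only ever receives an argv list that has passed ipaddress.ip_address; the shell string from vulnerable_ping_command is shown so the injected second command is visible, but it is deliberately never handed to a shell. Note that the parameterized query does not need any HTML tag stripping to be safe: the database driver never treats the bound value as SQL.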
The community forum was tested for vulnerabilities. It was found that the forum is
vulnerable to insecure direct object reference attacks. After login, users are identified by a
GUID that is included with every web transaction. The GUIDs are exposed in the URLs for
user profile pages meaning that the GUID can be lifted and used in forged URLs that permit
actions to be executed as other users.
d. Internal Network
Access was gained to the network through a remote access vulnerability that was
discovered on the rogue webserver described above. From there enumeration of
network devices was achieved using Active Directory and SMB enumeration tools.
These tools revealed unprotected or weakly protected shares that could be exploited to
enable lateral movement through the network.
e. Other Connected Devices
Shodan scans indicated the presence of an internet-connected security monitoring system.
Banner information divulged the model number and version of this device, which acts as a
server for five video surveillance cameras that are distributed around the facility. Using
this information, the published default credentials for this model were found. A script that
automated login attempts with these default usernames and passwords provided access to
the cameras.
general internal network through this device. The cameras were found to be a model that is
not capable of software updates or patches. While the current revision of the camera
software does not appear to have known vulnerabilities, there is no guarantee that this will
be the case in the future.

Recommendations
The following recommendations should be considered to enhance the Pixel Paradise overall
security posture. Each recommendation is assigned a priority that corresponds to the severity of
the vulnerability and the urgency with which it should be remediated. The priority ratings are as
follows:

Rating – Meaning

1 – Highly urgent. Address issues immediately.

2 – Urgent. Remediation should be undertaken after Priority 1 issues are addressed.

3 – Less urgent. Remediation can be deferred for a period of time while addressing higher
priorities.

a. General Recommendations
1) Staff a dedicated cybersecurity manager position. Considering the current haphazard
security posture and the increased risks associated with the increasing success of the
company’s products, a formal dedicated security position is strongly recommended.
Priority 2.


2) Strengthen administrative security controls by creating and distributing rigorous user
policies and agreements. Establish enforceable consequences for all behaviors that
increase the company’s attack surface, including rogue hardware and unauthorized web
portals. Priority 2.
3) Conduct regular security audits to document the corporate network security posture over
time. Priority 3.
b. Staff Security Awareness
Some staff are vulnerable to social engineering attacks.
1) Conduct annual user security training using established professional curricula. Priority 3
2) Conduct occasional security tests using social engineering tools to evaluate the
state of security awareness among staff. Priority 3
c. Internet Connected Servers
An unauthorized device and web page were found facing the internet.
1) Immediately remove the rogue server from the network. Priority 1
2) Investigate who altered the firewall rules to allow connectivity to the server. If
necessary, determine how access to the firewall configuration was gained. Take
disciplinary action. Priority 1
3) Remove the hidden web page and investigate the potential presence of other sensitive
documents or vulnerable server misconfiguration. Priority 1
d. Internal Network
The internal network is vulnerable to post-exploitation lateral movement.
1) Use Windows management tools (e.g., Group Policy) to establish and enforce policies
regarding the creation of ad hoc shares on all workstations. Priority 2
2) Create and enforce password policies for password length and complexity for all user
accounts. Priority 2
3) Audit SMB and Active Directory for further security issues. Priority 2
e. Web Applications
Various vulnerabilities were identified in Pixel Paradise web applications.
1) Implement training and automated source code scanning for secure coding practices.
Priority 3
2) Use robust, allow-list input validation to prevent injection attacks. Priority 1
3) Segregate the web application from direct access to backend databases by using
parameterized queries (prepared statements) to further mitigate injection attacks. Priority 1
4) Remove user GUIDs from profile page URLs and forum posts, and randomize the identifier
issued after authentication so that it is not reusable. Note that randomizing identifiers only
reduces guessability; the forum must also enforce server-side authorization checks on every
request so that a GUID lifted from another user’s URL cannot be used to act as that user.
Priority 1
f. Other Connected Devices
An insecure network surveillance system was discovered during reconnaissance. Exploitation
revealed various vulnerabilities.
1) Immediately change all user credentials on video surveillance devices. Priority 1
2) Replace existing cameras with devices that have enhanced security features such as
the ability to update software over the network, update management, configurable
ports, and minimal server processes. Priority 3
3) Ensure that the cameras do not provide information banners to internet probes. Priority 2


Summary
Pixel Paradise faces security challenges as it scales up. Previous flexibility in network
management has led to vulnerabilities that could disrupt operations if exploited. To protect
assets and ensure business continuity, Pixel Paradise must adopt a robust cybersecurity
program, led by dedicated personnel.
Reflection
Good reporting and documentation skills are essential for penetration testers as they communicate critical security
insights and recommendations in an accessible manner. Clear documentation ensures that technical findings are
understood by all stakeholders, enabling informed decision-making and effective remediation planning.
