Here is a great example of the world's worst penetration test report
The executive summary was a mish-mash of copy-paste from several other penetration test reports. You can easily tell this by several “obvious” key things:
– They mention another customer’s name by accident.
– The voice of the writing switches back and forth between first and third person.
– The summary mentions findings that aren’t in the findings listing.
– The paragraphs of the executive summary are in different fonts.
Have you ever been to a foreign country and eaten at a restaurant where the menu is pages and pages of items written in a language that you can't read or understand? Then you've seen the findings section of this report. This section contained goodies like:
"While no issues were found on this portion of the network, issues may or may not exist until they are found."
Yes folks, they have discovered Schrödinger's Vulnerability.
"There could be ramifications of the test on this database server that have serious ramifications."
Serious ramifications are serious, man.
"Enumeration of network was not done due to no remaining hours but all target hosts were targeted."
To quote @krangarajan: “That sounds like consultant speak for ‘I did F**k all'”
"It is recommended that customer remediate all findings based on prioritization in this report."
All of the findings in this report are marked HIGH. Apparently running FTP on port 21 rates a HIGH, with a recommendation of "run FTP on different port like 2121".
"Scope of test was to conduct using white box methodology. Testers conducted DMZ test using black box."
That makes sense. The customer wants you to do an authenticated test. Screw that. METASPLOIT it.
"All password hashes for application APPLICATION were discovered and reversed revealing weak hash cryptography."
This would almost be a good finding, except that the field tester's notes in the appendix clearly state that application APPLICATION didn't use any hashing and was storing passwords in clear text. This guy was so good he hashed them, cracked them, and then unhashed them?
"Application APPLICATION2 susceptible to XSS attack in login control page. Code responsible located as "..." and was fixed to reduce production exposure of customer."
Hey, who needs a software development lifecycle? He finds, he fixes – I wonder if he checked it into TFS too?
"Use of NMAP enumeration tool crashed SERVER5 cluster. After repeated times of customer putting SERVER5 cluster back online tool crashed again so further enumeration done with Nessus."
I then kicked my trashcan across the room.
"MySQL configured to allow connections from 127.0.0.1. Recommend configuration change to not allow remote connections."
I used to put stuff like this in pen tests to see if my boss was paying attention.
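The MySQL finding above treats a loopback-only listener as a remote-connection exposure, which is the opposite of what 127.0.0.1 means. As an added example (not code from the post or from the report it describes), here is a small Python checker that reads bind-address from a my.cnf fragment and classifies who can reach the listener, so a reviewer can separate a real exposure (0.0.0.0, ::, or unset) from a local-only one (127.0.0.1, ::1, localhost). The config fragments and function names are constructed for illustration; the assumption that an unset bind-address listens on all interfaces follows MySQL's documented default of `*`.

```python
import ipaddress

# Constructed sample my.cnf fragments, not taken from the report in the post.
LOCAL_ONLY_CNF = """
[mysqld]
# loopback only: nothing off-host can connect
bind-address = 127.0.0.1
"""

ALL_INTERFACES_CNF = """
[mysqld]
bind_address = 0.0.0.0
"""


def parse_bind_address(cnf_text):
    """Return the bind-address value from the [mysqld] section, or None if unset.

    Accepts both the dashed (bind-address) and underscored (bind_address)
    spellings and ignores comments and other sections.
    """
    section = None
    for raw in cnf_text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].strip().lower()
            continue
        if section == 'mysqld' and '=' in line:
            key, value = (part.strip() for part in line.split('=', 1))
            if key.lower().replace('_', '-') == 'bind-address':
                return value.strip('"\'')
    return None


def classify_exposure(bind_address):
    """Classify reachability of the listener.

    Returns 'local-only', 'single-interface', 'all-interfaces' or 'unknown'.
    A comma-separated list (supported by newer MySQL) is rated by its most
    exposed entry, since one wide-open address is enough.
    """
    # Assumption: unset means MySQL's documented default of '*', i.e. everything.
    if bind_address is None or bind_address.strip() in ('', '*'):
        return 'all-interfaces'

    rank = {'local-only': 0, 'single-interface': 1, 'unknown': 2, 'all-interfaces': 3}
    worst = 'local-only'
    for entry in bind_address.split(','):
        entry = entry.strip()
        if entry == '*':
            verdict = 'all-interfaces'
        elif entry.lower() == 'localhost':
            verdict = 'local-only'
        else:
            try:
                addr = ipaddress.ip_address(entry)
            except ValueError:
                verdict = 'unknown'  # a hostname; needs resolution and manual review
            else:
                if addr.is_loopback:
                    verdict = 'local-only'
                elif addr.is_unspecified:
                    verdict = 'all-interfaces'
                else:
                    verdict = 'single-interface'
        if rank[verdict] > rank[worst]:
            worst = verdict
    return worst


def exposure_report(cnf_text):
    """Combine parsing and classification for one config fragment."""
    value = parse_bind_address(cnf_text)
    return {'bind_address': value, 'exposure': classify_exposure(value)}


if __name__ == '__main__':
    for name, cnf in (('local-only sample', LOCAL_ONLY_CNF),
                      ('all-interfaces sample', ALL_INTERFACES_CNF)):
        print(name, exposure_report(cnf))
```

A finding that says "allows remote connections" should only be written when this kind of check comes back as all-interfaces or single-interface on a routable address; a local-only result is the secure configuration, not the problem.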
"Fixing the configuration will no longer allow evil connections by evil connection for configuration of server."
Evil connections are connecting to evil connections to configure my server. Are they evil connections with fricking laser beams attached to their head?
"Microsoft IIS susceptible to CVE-XXXXXXXX. Recommend applying accordingly patch."
Another almost good finding – but according to the appendix, this host is a RHEL 5.x box. Those sysadmins – finding ways to run IIS on Linux!! Brilliant!
The three pages at the bottom of the report contained a line-by-line listing of all the findings mentioned in the second part of the report, with prices marked to fix each finding. Yes folks, it’s a menu-o-remediation. This is either brilliant or so ridiculous that it makes my eyes cross. It contained wonderful little gems like this:
"Patch IIS vulnerability CVE-XXXXXX $500 (1 server) Configure PHP.INI with secure settings $390 (1 server)"
I hope this post is a call to arms to potential penetration test customers and information security professionals alike:
– Do substantial research on any firm that you hire or recommend.
– Always get a sample of work that is properly obfuscated that clearly highlights methodology and practices.
– Insist on penetration test team leadership. If you’re the customer and the penetration test team’s champion at your organization, demand accountability and an ethical approach to providing you with a sound and useful product.