The Worlds Worst Penetration Test Report

Here is a great example of the worlds worst penetration test report

The executive summary was a mish-mash of copy-paste from several other penetration test reports. You can easily tell this by several “obvious” key things:

– They mention another customer’s name by accident.
– The voice of the writing switches back and forth between first and third person.
– The summary mentions findings that aren’t in the findings listing.
– The paragraphs of the executive summary are in different fonts.

Have you ever been to a foreign country and ate at a restaurant where the menu is pages and pages of items written in a language that you can’t read or understand? Then you’ve seen the findings section of this report. This section contained goodies like:

"While no issues were found on this portion of the network, issues may or may not exist until they 
are found."

Yes folks, they have discovered Shrödinger’s Vulnerability.

"There could be ramifications of the test on this database server that have serious ramifications."

Serious ramificaitons are serious, man.

"Enumeration of network was not done due to no remaining hours but all target hosts were targeted."

To quote @krangarajan: “That sounds like consultant speak for ‘I did F**k all'”

"It is recommended that customer remediate all findings based on prioritization in this report."

“All of the findings in this report are marked HIGH. Apparently running FTP on port 21 rates a HIGH with a recommendation of “run FTP on different port like 2121″.”

"Scope of test was to conduct using white box methodology. Testers conducted DMZ test using 
black box."

That makes sense. The customer wants you to do an authenticated test. Screw that. METASPLOIT it.

"All password hashes for application APPLICATION were discovered and reversed revealing 
weak hash cryptography."

This would almost be a good finding, except the field tester’s notes in the appendix that clearly state that application APPLICATION didn’t use any hashing and was storing passwords in clear text. This guy was so good he hashed them, cracked them, and then unhashed them?

"Application APPLICATION2 susceptible to XSS attack in login control page. Code responsible 
located as "..." and was fixed to reduce production exposure of customer."

Hey, who needs a software development lifecycle? He finds, he fixes – I wonder if he checked it into TFS too?”

"Use of NMAP enumeration tool crashed SERVER5 cluster. After repeated times of customer putting 
SERVER5 cluster back online tool crashed again so further enumeration done with Nessus."

I then kicked my trashcan across the room.

"MySQL configured to allow connections from Recommend configuration change to not allow 
remote connections."

I used to put stuff like this in pen tests to see if my boss was paying attention.

"Fixing the configuration will no longer allow evil connections by evil connection for configuration
of server."

Evil connections are connecting to evil connections to configure my server. Are they evil connections with fricking laser beams attached to their head?

"Microsoft IIS susceptible to CVE-XXXXXXXX.  Recommend applying accordingly patch."

Another almost good finding – but according to the appendix, this host is a RHEL 5.x box. Those sysadmins – finding ways to run IIS on linux!! Brilliant!

The three pages at the bottom of the report contained a line-by-line listing of all the findings mentioned in the second part of the report, with prices marked to fix each finding. Yes folks, it’s a menu-o-remediation. This is either brilliant or so ridiculous that it makes my eyes cross. It contained wonderful little gems like this:

"Patch IIS vulnerability CVE-XXXXXX $500 (1 server)
Configure PHP.INI with secure settings $390 (1 server)"

I hope this post is a call to arms to both potential penetration test customers and information security professionals alike:

– Do substantial research on any firm that you hire or recommend.
– Always get a sample of work that is properly obfuscated that clearly highlights methodology and practices.
– Insist on penetration test team leadership. If you’re the customer and the penetration test team’s champion at your organization, demand accountability and an ethical approach to providing you with a sound and useful product.

via it.toolbox

4 thoughts on “The Worlds Worst Penetration Test Report

  • December 31, 2014 at 7:52 am

    Come on guys he got da reports mix up wit another clients, it was about 4am lol but you should at least proof read your report or any document you write like say once.

  • December 11, 2014 at 1:51 am

    How to write a good pentest report?

    • December 12, 2014 at 11:12 am

      well based on the one above, reporting findings from the correct client would be a good start haha

  • December 10, 2014 at 4:13 am

    “Fixing the configuration will no longer allow evil connections by evil connection for configuration
    of server.”

    SIX SIX!


Leave a Reply