Episteme

Mike's random thoughts and ramblings

Penetration Test Report Horror Stories

A friend posted a link to this great story on "The World's Worst Penetration Test Report" this morning. Reading someone else's horror story reminded me of the particularly horrible experience that drove me to write a full-day class on Pen Test Reporting and Analysis that I gave at CanSecWest and BSides Las Vegas two years ago.

We had outsourced some work with an extremely high-profile client to a relatively well-known penetration tester who had great references. He worked on it for a couple of weeks, and told us that he hadn't come up with much. But he sent us "the report" anyway.

It was clear from the report that he had outsourced the work as well... probably to someone who didn't speak much English.

The report started with an "Executive Summary" that was a cut and paste of the description of the organization from Wikipedia. It even ended with:

-- from Wikipedia

http://en.wikipedia.org/wiki/{client.name.here}

The report then followed up with 3 pages of description of what was done that included a whois lookup and an "external attack" section. This is (verbatim) that section:

After performing the reconnaissance in the previous steps, {Name of Penetration Tester} proceeded to identify targets to launch a series of exploit attempts against the network. These attempts included exploitation of services and flaws in any applications exposed to the Internet.

We began the identification of potential targets by port scanning the IP range. Discovering potential targets with open ports and services assists us in discovering what’s exploitable on the target network. Our port scan returned very little exploitable information. All ports were either closed or filtered.

I distinctly remember reading that last paragraph three times.

But this is the true kicker - I actually grabbed a screenshot of the Findings Matrix because I couldn't do it justice any other way:

[Screenshot: Worst Penetration Test Report Finding Section Ever]

Suffice it to say, we re-did the entire penetration test ourselves, and the client never knew any differently.

After that, I couldn't help but write a class on how to structure and report on testing in a rational and reasonable way.

About the author

Michael Murray