Penetration Testing Narratives
“Tell Me you’re an Elite Pentester Without Telling Me You’re an Elite Pentester.”
By Joseph Pierini
The narrative is where you tell the story of how good you really are.
A penetration test, also known as a “pentest,” is a simulated cyber-attack on a computer system, network, or web application to evaluate the security of the system. A key component of a pentest engagement is the report that is generated, which documents the findings and recommendations for remediation. While all sections of the report are important, the narrative section of a pentest report should be considered the most valuable for building a consulting business.
One of the main reasons the narrative section is so valuable is that it allows the consultant to communicate the engagement in a clear and concise manner. The narrative section should provide a high-level overview of the scope of the test, the methods used, and the results. This section should include an executive summary that highlights the most critical findings and recommendations for remediation. This is particularly important for clients who may not have a strong technical background and need to understand the implications of the findings in layman’s terms.
Go Ahead and Brag a Little.
Another reason the narrative section is so valuable is that it allows the consultant to demonstrate their expertise and knowledge. A good narrative section should not only document the findings, but also provide context and explain the significance of the findings. The consultant should be able to explain the technical details in a way that is easy to understand, while also demonstrating their deep understanding of the subject matter. This can help to establish the consultant as a trusted advisor and build trust with the client.
The narrative section also allows the consultant to show their value beyond the pentest. By providing clear and actionable recommendations, the consultant can help the client to improve their security posture and reduce the risk of a successful cyber-attack. Additionally, the consultant can provide follow-up services such as remediation support, security assessments, and training. This can help to establish a long-term relationship with the client and generate ongoing revenue for the consulting business.
But, Nothing Great Ever Comes That Easy
Writing the perfect narrative takes some effort. Even with AI and ChatGPT, you won’t be able to have the narrative written for you. You need to begin by establishing a practice of maintaining daily run logs. It’s with these that you will be able to craft a step-by-step narrative outlining and describing the complete attack chain. Unfortunately, capturing the output of all your tools requires a combination of automated log capture and manual note taking. Some logging can be performed using the “screen” command with the -L flag, or the script command with the --log-out flag, but there will still be a need to capture screenshots of GUI tools.
I’ve talked with a few pentesters who liked to capture screenshots of their desktop every 30 seconds. You can use gnome-screenshot, scrot, or ImageMagick with a little bash to create a movie of your pentesting activities. These low-frame-rate movies almost ensure you’ll never miss capturing a critical screenshot of an attack technique.
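The run-log and periodic-screenshot practice described above, as an added example that is not code from the original post: a small bash helper that records terminal sessions with script --log-out, captures the desktop every 30 seconds with whichever tool is installed, stitches the captures into a time-lapse, and writes a SHA-256 manifest so the evidence cited in the report can be verified later. EVIDENCE_DIR, the function names and the 2 fps time-lapse rate are assumptions.

```shell
# Added example (not from the original post). Assumes Linux with scrot or gnome-screenshot
# (or ImageMagick), ffmpeg, util-linux script(1) >= 2.35 and sha256sum; EVIDENCE_DIR is constructed.
EVIDENCE_DIR="${EVIDENCE_DIR:-$HOME/engagement/evidence}"
INTERVAL="${INTERVAL:-30}"   # seconds between desktop captures
# Sortable, collision-free file name: zero-padded epoch seconds + sequence number.
shot_name() { printf 'shot_%010d_%06d.png' "$1" "$2"; }
# Print the name of whichever screenshot tool is installed, or fail.
pick_capture_tool() {
    local t
    for t in scrot gnome-screenshot import; do
        command -v "$t" >/dev/null 2>&1 && { echo "$t"; return 0; }
    done
    return 1
}

# Interactive shell whose terminal output is recorded verbatim for the report.
run_log() { mkdir -p "$EVIDENCE_DIR"; script --log-out "$EVIDENCE_DIR/runlog_$(date +%s).txt"; }

# One full-screen capture into $EVIDENCE_DIR using the chosen tool ($1) and sequence no. ($2).
capture_once() {
    local out="$EVIDENCE_DIR/$(shot_name "$(date +%s)" "$2")"
    case "$1" in
        scrot)            scrot "$out" ;;
        gnome-screenshot) gnome-screenshot -f "$out" ;;
        import)           import -window root "$out" ;;   # ImageMagick
    esac
}

# Low-frame-rate loop: one desktop image every $INTERVAL seconds until interrupted.
capture_loop() {
    local tool n=0
    tool="$(pick_capture_tool)" || { echo "no screenshot tool found" >&2; return 1; }
    mkdir -p "$EVIDENCE_DIR"
    while :; do capture_once "$tool" "$n"; n=$((n + 1)); sleep "$INTERVAL"; done
}

# Stitch the captures into a time-lapse: at 2 fps, one second of video is one minute of work.
make_movie() { ffmpeg -y -framerate 2 -pattern_type glob -i "$EVIDENCE_DIR/shot_*.png" \
                      -c:v libx264 -pix_fmt yuv420p "$EVIDENCE_DIR/session.mp4"; }

# SHA-256 manifest so every screenshot or log cited in the report is verifiable; prints file count.
write_manifest() {
    local dir="$1" n=0 f
    : > "$dir/MANIFEST.sha256"
    for f in "$dir"/*; do
        [ -f "$f" ] && [ "${f##*/}" != MANIFEST.sha256 ] || continue
        sha256sum "$f" >> "$dir/MANIFEST.sha256"; n=$((n + 1))
    done
    echo "$n"
}
```

Run capture_loop in a second terminal for the duration of the day, then make_movie and write_manifest "$EVIDENCE_DIR" at the end of it; sha256sum -c on the manifest later confirms nothing cited in the narrative was altered.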
Now, I preferred to have my evidence from command-line attacks embedded as text instead of screenshots. That way even a junior Windows administrator could follow along and reproduce the steps. By taking the magic and mystery out of the pentest results, clients were also more likely to see our reports as something that could really happen, as opposed to edge cases performed by “hackers with magic boxes” (a client actually said that!).
AttackForge Keeps It Polished and Professional
I recommend using AttackForge for managing the descriptions of commonly performed techniques. For example, many of my tests included attacking wireless configurations utilizing 802.1x authentication. We would put something like this in each narrative:
“The Client has deployed WPA2 Enterprise utilizing PEAP/EAP-TLS with authentication integrated with Active Directory. However, we observed environments where a misconfiguration downgrades the configuration to EAP-TTLS (Tunneled Transport Layer Security). EAP-TLS is designed to provide strong authentication but does not require that each user be issued a certificate. Instead, only the authentication servers are issued certificates. User authentication is performed by password, and the password credentials are transported in a securely encrypted tunnel established based upon the server certificates. In this configuration, it is possible for an attacker to spoof an access point and trick the user into exposing their credentials. When integrated with Active Directory, it is possible for an attacker to obtain the credentials necessary to join the wireless network and gain access to the corporate network.”
AttackForge would have allowed me to write it up once and add it to a narrative template that could be chosen whenever we used this attack as part of our attack chain. Every tester on the team would use the same language, eliminating the need to write a description from scratch. By having pre-written descriptions, I could have reduced QA time as well. AttackForge ReportGen, which is their reporting engine for custom reports, has lots of flexibility for how this information gets used in the reports. By the way, this is a free tool — you can download it from https://attackforge.com/reportgen.html
Build Trust with Your Client So They Call You and Not Your Competition
In conclusion, the narrative section of a pentest report is the most valuable for building a consulting business. It allows the consultant to communicate the findings in a clear and concise manner, demonstrate their expertise and knowledge, provide actionable recommendations for remediation, and show their value beyond the pentest. By focusing on the narrative section, a consultant can establish themselves as a trusted advisor, build trust with the client, and generate ongoing revenue for the consulting business.
If you would like to learn more about AttackForge and see how it can help your organization become your client’s trusted advisor, visit https://buy.attackforge.io/ and be up and running in under 2 minutes.