As you know, a pentester does not live by hacking, breaking, and destroying things alone.
After these pleasant activities, the results of your job must be prepared and presented.
This is reporting time. Most technical professionals find it boring, annoying, and repetitive. And they are right! LOL That was my motivation to write this post.
Let’s start by taking a look at Serpico. https://github.com/SerpicoProject/Serpico
The developers named it the SimplE RePort wrIting and COllaboration tool. In my judgment, the tool is powerful and makes the job incredibly easier for the professional.
Unfortunately, like any other tool, Serpico has some limitations, such as IF statements inside a table in the report template. For me, it did not work well. But of course, it is not a roadblock. The idea here is not to explain how to use Serpico; that will be your homework, since the documentation is fully available at the link above. Pay attention to how the Serpico META Language works in depth.
Also, text editors are your ally (or enemy) in this task. They also have limitations, principally when it is necessary to manipulate tables. Microsoft Word (in my case) is not able to create dynamic tables, for example, conditionally formatted tables.
Serpico generates tables like this for your report without difficulty:

| Vulnerability name | Impact | Exploitability |
|---|---|---|
| SQL Injection | 4 | 3 |
| Command Injection | 4 | 4 |
| Server Information Leak | 1 | 8 |

Serpico stores the Impact/Risk and exploitability as numbers, from 0 Informational to 4 Critical.
But sometimes the template approved by your customer/company requires the impact and the exploitability (whatever) to be shown as the word related to the number. For example, the impact 4 must be the word Critical, and the exploitability 8 must be Very Easy. Also, the cell must be colored according to a predetermined scale: for impact 1, the cell must be blue, and for exploitability 8, it must be green.
For this table, making these changes is easy, but imagine a table with dozens of vulnerabilities. Coloring these cells and changing the text becomes boring and annoying.
To solve it, a macro is required.

    Sub colourExploitability()
        Dim ce As Word.Cell
        ' Only run when the cursor is inside a table
        If Selection.Information(wdWithInTable) Then
            ' Walk every cell of the table that holds the selection
            For Each ce In Selection.Tables(1).Range.Cells
                ' Cell text ends with an end-of-cell marker; drop its last
                ' character, then require a numeric, italic cell
                If IsNumeric(Left(ce.Range.Text, Len(ce.Range.Text) - 1)) And (ce.Range.Italic) Then
                    If Val(ce.Range.Text) = 5 Then
                        ce.Shading.BackgroundPatternColor = RGB(192, 0, 0)
                        ce.Range.Text = "Very Easy(5)"
                    End If
                    If Val(ce.Range.Text) = 4 Then
                        ce.Shading.BackgroundPatternColor = wdColorRed
                        ce.Range.Text = "Easy(4)"
                    End If
                    If Val(ce.Range.Text) = 3 Then
                        ce.Shading.BackgroundPatternColor = wdColorOrange
                        ce.Range.Text = "Moderate(3)"
                    End If
                    If Val(ce.Range.Text) = 2 Then
                        ce.Shading.BackgroundPatternColor = RGB(146, 208, 80)
                        ce.Range.Text = "Difficult(2)"
                    End If
                    If Val(ce.Range.Text) = 1 Then
                        ce.Shading.BackgroundPatternColor = wdColorGreen
                        ce.Range.Text = "Very Difficult(1)"
                    End If
                    ' Anything above the scale is flagged for manual review
                    If Val(ce.Range.Text) > 5 Then
                        ce.Shading.BackgroundPatternColor = wdColorBlue
                        ce.Range.Text = "WRONG VALUE"
                    End If
                End If
            Next
        End If
    End Sub

Basically, what this macro does is:

Sweep the table.

Check if the cell is numeric and italic (my conditions; of course, you can change them):

    If IsNumeric(Left(ce.Range.Text, Len(ce.Range.Text) - 1)) And (ce.Range.Italic)

Check if the number matches my other condition:

    If Val(ce.Range.Text) = 5

If matched, it changes the cell value and background color:

    ce.Shading.BackgroundPatternColor = RGB(192, 0, 0)
    ce.Range.Text = "Very Easy(5)"

Notice that for BackgroundPatternColor it’s possible to use RGB colors as above or the predefined colors listed here: https://docs.microsoft.com/en-us/dotnet/api/microsoft.office.interop.word.wdcolor?view=word-pia
Save the macro and create a shortcut to execute it. Click on the table, press the shortcut, and watch the magic happen.
Another tip to make your job faster is to Create Drop-Down List Content Controls.
By default, it's not possible to add custom fields to Serpico, for example, if you need to add an OWASP category to each vulnerability.
After you create this control and position it in the right place (in the template), Serpico will generate it for each vulnerability you have added to the report. You just need to select the proper category after the report has been generated.
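The drop-down tip above can itself be scripted. The following is an added example, not code from the original post or from the Serpico project: the first macro builds the control in the template, the second checks a generated report for findings whose category was never selected. The tag and title values and the choice of the OWASP Top 10 (2021) list are assumptions, and the check assumes the tag survives when Serpico repeats the control for each finding.

```vba
Option Explicit

' Assumed tag used to find the controls again in the generated report.
Private Const CC_TAG As String = "owasp_category"

' Run once in the template, with the cursor where the category should appear.
Sub InsertOwaspDropDown()
    Dim cc As ContentControl
    Dim entry As Variant

    Set cc = ActiveDocument.ContentControls.Add( _
                 wdContentControlDropdownList, Selection.Range)
    cc.Title = "OWASP Category"          ' assumed title
    cc.Tag = CC_TAG
    cc.SetPlaceholderText Text:="Select OWASP category"

    ' OWASP Top 10 (2021); replace with the taxonomy your template requires.
    For Each entry In Array( _
            "A01:2021 Broken Access Control", _
            "A02:2021 Cryptographic Failures", _
            "A03:2021 Injection", _
            "A04:2021 Insecure Design", _
            "A05:2021 Security Misconfiguration", _
            "A06:2021 Vulnerable and Outdated Components", _
            "A07:2021 Identification and Authentication Failures", _
            "A08:2021 Software and Data Integrity Failures", _
            "A09:2021 Security Logging and Monitoring Failures", _
            "A10:2021 Server-Side Request Forgery (SSRF)")
        cc.DropdownListEntries.Add Text:=CStr(entry), Value:=CStr(entry)
    Next entry
End Sub

' Run on the generated report before delivery: selects the first control
' still showing its placeholder and reports how many remain unset.
Sub CheckOwaspCategories()
    Dim cc As ContentControl
    Dim unset As Long

    For Each cc In ActiveDocument.SelectContentControlsByTag(CC_TAG)
        If cc.ShowingPlaceholderText Then
            If unset = 0 Then cc.Range.Select
            unset = unset + 1
        End If
    Next cc
    MsgBox unset & " finding(s) without an OWASP category.", vbInformation
End Sub
```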
If you are looking for more professional documents, my friend Julio created a really great repository of public reports.
https://github.com/juliocesarfort/public-pentesting-reports
Also, thanks to my other friend Pedro, who added a chart feature, since Serpico is open source.
https://www.linkedin.com/in/pedro-cavalcante-975a61b3
Conclusion:
After some time using Serpico and applying these tricks, it's possible to reduce the time spent reporting by 60-80%. It means this time can be converted to cooler activities like destroying some applications.