Saturday, 2 May 2020

Pentest reporting: Making the boring faster, easier, and more professional

As you know, a pentester does not live on hacking, breaking, and destroying things alone.
After these pleasant activities, the results of your work must be prepared and presented.
This is reporting time. Most technical professionals find it boring, annoying, and repetitive. And they are right! LOL That was my motivation to write this post.

Let's start by taking a look at Serpico.
https://github.com/SerpicoProject/Serpico
The developers named it the SimplE RePort wrIting and COllaboration tool. In my judgment, the tool is powerful and makes these tasks incredibly easier for the professional.
Unfortunately, like any other tool, Serpico has some limitations, such as IF statements inside a table in the report template. For me, it did not work well. But of course, it is not a roadblock. The idea here is not to explain how to use Serpico; that will be your homework, since the documentation is fully available at the link above. Pay attention to how the Serpico META Language works, in depth.

Also, text editors are your ally (or enemy) in performing this task. They also have limitations, principally when it is necessary to manipulate tables. Microsoft Word (in my case) is not able to create dynamic tables, for example a conditionally formatted table.

Serpico generates tables like this for your report without difficulty:

Vulnerability name        Impact  Exploitability
SQL Injection             4       3
Command Injection         4       4
Server Information Leak   1       8

Serpico stores the Impact/Risk and the Exploitability as numbers, from 0 (Informational) to 4 (Critical).

But sometimes the template approved by your customer/company requires that the impact and the exploitability (or whatever) be the word related to the number. For example, impact 4 must be the word Critical, and exploitability 8 must be Very Easy. Also, the cell must be colored according to a predetermined rating: for impact 1 the cell must be blue, and for exploitability 8 it must be green.
For this given table, making these changes is easy, but imagine if you have a table with dozens of vulnerabilities. Coloring these cells and changing the text becomes boring and annoying.

To solve it, a macro is required.

Sub colourExploitability()
    ' Walk every cell of the table the cursor is in. A cell that holds only a
    ' number and is italic gets a label and a background colour for its value.
    Dim ce As Word.Cell
    If Selection.Information(wdWithInTable) Then
        For Each ce In Selection.Tables(1).Range.Cells
            ' Drop the trailing end-of-cell character so the text can be tested as a number.
            If IsNumeric(Left(ce.Range.Text, Len(ce.Range.Text) - 1)) And (ce.Range.Italic) Then
                If Val(ce.Range.Text) = 5 Then
                    ce.Shading.BackgroundPatternColor = RGB(192, 0, 0)
                    ce.Range.Text = "Very Easy(5)"
                ElseIf Val(ce.Range.Text) = 4 Then
                    ce.Shading.BackgroundPatternColor = wdColorRed
                    ce.Range.Text = "Easy(4)"
                ElseIf Val(ce.Range.Text) = 3 Then
                    ce.Shading.BackgroundPatternColor = wdColorOrange
                    ce.Range.Text = "Moderate(3)"
                ElseIf Val(ce.Range.Text) = 2 Then
                    ce.Shading.BackgroundPatternColor = RGB(146, 208, 80)
                    ce.Range.Text = "Difficult(2)"
                ElseIf Val(ce.Range.Text) = 1 Then
                    ce.Shading.BackgroundPatternColor = wdColorGreen
                    ce.Range.Text = "Very Difficult(1)"
                ElseIf Val(ce.Range.Text) > 5 Then
                    ' Values above 5 are outside this macro's scale and get flagged.
                    ce.Shading.BackgroundPatternColor = wdColorBlue
                    ce.Range.Text = "WRONG VALUE"
                End If
            End If
        Next ce
    End If
End Sub

Basically, what this macro does is:

Sweep the table.

Check whether the cell is numeric and italic (my conditions; of course, you can change them):
If IsNumeric(Left(ce.Range.Text, Len(ce.Range.Text) - 1)) And (ce.Range.Italic)

Check whether the number matches one of my other conditions, for example:
If Val(ce.Range.Text) = 5

If it matches, change the cell value and background colour:
ce.Shading.BackgroundPatternColor = RGB(192, 0, 0)
ce.Range.Text = "Very Easy(5)"

Notice that for BackgroundPatternColor it is possible to use RGB colors as above or the predefined colors listed here:
https://docs.microsoft.com/en-us/dotnet/api/microsoft.office.interop.word.wdcolor?view=word-pia


Save the macro and assign a shortcut to execute it. Click in the table, press the shortcut, and watch the magic happen.
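As an added example (not code from the original post), here is a single macro that handles both the Impact and the Exploitability columns of a Serpico-generated table in one pass, choosing the mapping from the column header rather than from italics. The impact labels for 0, 2 and 3, all colours other than blue for impact 1, and the uniform-grid assumption are mine; the exploitability scale is the one used by colourExploitability above.

```vba
' Added example, not from the original post: relabel and colour both rating
' columns of the selected Serpico table in one pass, choosing the mapping from
' the column header. Labels/colours not stated in the post are assumptions.
Private Function CellText(ce As Word.Cell) As String
    ' A cell's Range.Text ends with the end-of-cell marker Chr(13) & Chr(7); drop it.
    Dim s As String
    s = ce.Range.Text
    If Len(s) >= 2 Then s = Left$(s, Len(s) - 2)
    CellText = Trim$(s)
End Function
Private Sub ApplyRating(ce As Word.Cell, lbl As String, colour As Long)
    ce.Shading.BackgroundPatternColor = colour
    ce.Range.Text = lbl
End Sub
Sub colourRatings()
    Dim tbl As Word.Table, r As Long, c As Long, header As String, n As Long
    If Not Selection.Information(wdWithInTable) Then Exit Sub
    Set tbl = Selection.Tables(1)   ' assumes a uniform grid (no merged cells)
    For c = 1 To tbl.Columns.Count
        header = CellText(tbl.Cell(1, c))   ' row 1 holds the column titles
        If header = "Impact" Or header = "Exploitability" Then
            For r = 2 To tbl.Rows.Count
                If IsNumeric(CellText(tbl.Cell(r, c))) Then
                    n = CLng(CellText(tbl.Cell(r, c)))
                    If header = "Impact" Then
                        Select Case n   ' Serpico scale: 0 Informational .. 4 Critical
                            Case 0: ApplyRating tbl.Cell(r, c), "Informational(0)", wdColorGray25
                            Case 1: ApplyRating tbl.Cell(r, c), "Low(1)", wdColorBlue
                            Case 2: ApplyRating tbl.Cell(r, c), "Medium(2)", wdColorYellow
                            Case 3: ApplyRating tbl.Cell(r, c), "High(3)", wdColorOrange
                            Case 4: ApplyRating tbl.Cell(r, c), "Critical(4)", RGB(192, 0, 0)
                            Case Else: ApplyRating tbl.Cell(r, c), "WRONG VALUE", wdColorGray50
                        End Select
                    Else
                        Select Case n   ' same scale as colourExploitability above
                            Case 1: ApplyRating tbl.Cell(r, c), "Very Difficult(1)", wdColorGreen
                            Case 2: ApplyRating tbl.Cell(r, c), "Difficult(2)", RGB(146, 208, 80)
                            Case 3: ApplyRating tbl.Cell(r, c), "Moderate(3)", wdColorOrange
                            Case 4: ApplyRating tbl.Cell(r, c), "Easy(4)", wdColorRed
                            Case 5: ApplyRating tbl.Cell(r, c), "Very Easy(5)", RGB(192, 0, 0)
                            Case Else: ApplyRating tbl.Cell(r, c), "WRONG VALUE", wdColorBlue
                        End Select
                    End If
                End If
            Next r
        End If
    Next c
End Sub
```

Because the mapping is keyed on the header text, the header row itself is never recoloured and a column the macro does not recognise is left untouched.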

Another tip to make your job faster is to create Drop-Down List Content Controls.
By default, it is not possible to add custom fields to Serpico, for example if you need to add an OWASP category to each vulnerability.

After you create this control and position it in the right place (in the template), Serpico will generate it for each vulnerability you have added to the report. You just need to select the proper category after the report has been generated.

If you are looking for more professional documents, my friend Julio created a really great repository of public reports: https://github.com/juliocesarfort/public-pentesting-reports

Also, thanks to my other friend Pedro, who added a chart feature, since Serpico is open source.
https://www.linkedin.com/in/pedro-cavalcante-975a61b3
Conclusion:
After some time using Serpico and applying these tricks, it is possible to reduce reporting time by 60-80%. This means that time can be converted into cooler activities, like destroying some applications.