
BB King - Hack for Show, Report for Dough

BSides Columbus · 52:03 · 445 views · Published 2020-08
About this talk
The fun part of pentesting is the hacking. But the part that makes it a viable career is the report. You can develop the most amazing exploit for the most surprising vulnerability, but if you can't document it clearly for the people who need to fix it, then you're just having fun. Which is fine! But if you want to get hired again, your reports need to be as clear and useful as your hacks are awesome. You will learn some fundamental things to keep in mind as you write your reports. You'll see a bad report made good, with clear explanations of what makes the difference. You'll come away with some tricks and techniques to help you focus on the test while still producing a quality report. This presentation was featured at BSides Columbus on August 21st, 2020.
Transcript [en]

hello and welcome to hack for show report for dough um first let me congratulate you for coming to a talk with such a boring subject no one likes to talk about reporting we always want to talk about the new cool hacks the new cool detection methods and things like that but reporting i think is uh is a topic we need to talk about more so pat yourself on the back from me for coming to this talk my name is brian king um i am at bb hacking and discord places i hang out i'm a pen tester with black hills infosec i've been there for like four or five years somewhere around there now um but what's different is about me is i

i'm actually an artist uh my my education my my undergrad education is a bachelor of fine arts and i think that what i learned in being an artist and having that training is a little different way of seeing things i got my job my first computer job was doing tech support and then i moved into qa testing and then pen testing so maybe a little bit different path than some of you have taken anyhow i thought i would share some stuff from what i've learned along those ways to uh to help you out with your reporting so if you are a pen tester then your report is your product a lot of pen testers and a lot of people i think they

think the pen test is their product and it's part of the product but it's it's not the thing that people pay you for um to be doing a pen test is not something anybody ever wants to hire you to do they want because if you don't give them the report then then there's no benefit right the they you get hired as a pen tester to do a pen test yes but also to tell whoever hired you about what you found and normally we do that with a report and the the report is is not a side effect some people think you know well i'll do the reporting later i'll take my notes as i go

and then i'll do the report at the end and i'll produce you know some artifacts of my testing which will be you know this output from the scanners and those types of things and also the report is an artifact of my testing it is not it is not a side effect it is the primary thing that you're doing when you're testing for pay it's a little different if you're just having a good time if you're doing ctfs or things like that it's obviously different there but if you're doing this as a profession the report is the thing that you're producing they're not paying you to play and have a good time nobody there is nobody on earth who gets

paid to play all these people on this slide here you think of them as players they play sports they play music uh they play they they play roles they're actors they're comedians but even they're not getting paid to play they're getting paid for what they what they bring in they're paying for the result either they're winning games or they're entertaining while they lose games or if they're they're producing music that people want to purchase or they're making people laugh it's it's the side effect of that that's that's what they're getting paid for um i said side effect when with actual performers it's kind of a side effect i think but the ones who are good at it recognize

that the side effect they're having a good time the side effect of that is the actual value that they're producing there's nobody who gets paid literally to play except kids right kids they don't really get paid but that's how they make their living right they get free room and board and their parents encourage them to go out and play yes when you are a child and you're learning something you should play and and it's good that kids get that time right anyway but i'm not talking about kids on the beach i'm talking about you as a pen tester the whatever hacking you do during the test is is interesting and cool for that time but most of those things are going to

get fixed at some point if you're exploiting some vulnerable software that that thing is going to get fixed and that exploit isn't going to work forever if you find something that's misconfigured and that allows you access to something you shouldn't have access to they're going to fix that and you won't be able to do that forever but the report that you write that's that's what lives on beyond the test that's what people are going to go back to to look at to see what happened during this test whether it's the immediate aftermath and they're looking for things to to make corrections things to fix or down the road and they want to see you know did we have a thorough pen test

did we see this vulnerability before the uh pentest reports live forever um one of the funniest things i've seen as a pen tester is uh is previous pen test reports like you get into the internal environment and looking around and shared folders for interesting documents and and whenever you can find the um the folder that has their previous 10 pen test reports in it that's um that's pretty funny anyhow these reports live on for a long long time and some people that's all they're going to see about your reports the people who make decisions about about what you found on your test they're going to look at the report they're not going to call you

you don't want them to call you you want them to be able to look at that report and have that stand on its own because if they have to call you then you have to remember what happened you have to dig out the report yourself you have to go through some some refreshing of your memory what actually happened during that time and it's way better if you can explain it clearly in the report so that the report stands on its own and you don't have to be involved much beyond delivering the report so for these reasons i think that the report matters more than your hacking skills matter you need the hacking skills obviously but i personally would rather have

somebody who can hack pretty well but write really well versus the other way around a hacker who's awesome and just just you know pops things left and right and does these cool new attacks that maybe i never saw before that's interesting but if that person can't explain them to me as a person who's hiring somebody to do that test i don't care i don't care that you're really cool and and you've got new exploits and you can pull off things other people can't pull off if you can't explain it to me in a way that makes it valuable information for me as somebody who's running an environment or developing an application and wants it to be more secure

so when you're doing uh pentests you're telling a story you're you're telling the story of what you see in the environment um you you don't want to tell you don't want to try to show how awesome you are you don't want to john strand says you don't want to try to impress the wizards wizards trying to impress other wizards is is no fun it's a it's a losing game for everybody really you you don't need to do that you don't need to try to impress other people who are hackers you need to you need to describe what you found it feels like you need to impress other people but really really you don't and i think that feeling of needing to

impress other people is where imposter syndrome comes from uh years ago imposter syndrome was something you know a few people found a few people would talk about but now it's like it's everywhere everybody's talks about having imposter syndrome and we all do everybody feels like you know i'm i'm not the best person at this job and maybe maybe you're not i mean if there is a best person that's only one person and the rest of us aren't as good as that person but honestly there isn't a single best person at a job people have different skills they have a different set of skills and that's where you sometimes start to feel like you're inadequate is if you see somebody

else who's doing something awesome that you don't know how to do don't forget there's something awesome you know how to do too and maybe that person doesn't know it but whether that person knows or not doesn't matter you're you're doing the work right as long as you're doing the work you're not an imposter right you don't have to be the best in order to be somebody who does that job only one person can be the best if you even have a good definition for that and i think it's no syndrome to recognize your limits that you have you you know certain things and there's other things that you don't know and when you recognize that

that means that that you're self-aware and that's good it doesn't mean that you're an imposter it doesn't mean you're suffering from a syndrome i know how it feels i know it feels that way i feel the same way sometimes but it's not true it doesn't have to be true when you're doing the testing think about yourself when you come up against a wall think about yourself as somebody that you care about and as somebody that you want to see succeed right because hopefully you do want to see yourself succeed and you do care about yourself so be kind be pat yourself on the back when you find something cool and don't sweat it too much

when you miss something or when somebody else finds something that maybe you wouldn't have found anyhow back to the story the story the report what are you doing when you do the pen test the story is what's interesting to you in the environment that you're testing it's it's it's maybe a sequence of events it's the ups and the downs it's things that work something that didn't work it's alerts that you triggered its techniques you tried that got blocked um i like this this um this methodology flow chart here um it's it's fun sometimes to just google for pen testing methodology and look at the variety the vast variety of different things that people say here's a pen testing methodology

my favorites are the ones that are linear like this like you start with gathering information and then you do your analysis and planning and once you're done with that you do the vulnerability identification and after that you do the exploitation and then you do the risk analysis after you've done the exploitation and then at the end you do the reporting a don't wait till the end to do the reporting and b you're going to flop around from those things you're going to start in one place you're going to move around it's never linear anyway it's just fun so so a good pen test is one where you what is a good pen test to you it's one where you came in and

you got what you came in for you get all the flags you get you get domain admin you get free writing environments maybe you've got the source code for the application that you're trying to test you got remote code execution you got some you got in there you just got all the stuff and that's so much fun and it feels so great and that's that's a good pen test um a great pen test though is one i think where you do all those same things and you get nowhere you don't get privilege escalation you don't get the source code for the application you you don't maybe you get like like cross-site request forgery you get something like

small and and that's all you get but you have tried all those other things and that's that's great that's great for the the customer because you've just given them this huge list of attacks that aren't going to work in their environment and that's great um there's there's no winning for the tester if you do a great job and get all the stuff that's cool but that's not winning if you do a great job and don't get anything that's not losing and for the customer it's the same thing there's no passing a pen test there's no failing a pen test there's it's just information it's just information so you want to write down in your report

what's interesting about the environment good and bad and and that's that's your report that's what you're in there to do when you're telling the story remember that you have two audiences at least um usually two uh you have you have the story of the the the that the technical people want to hear and you have the story that the business people want to hear so the technical people i imagine them as myself as somebody who has the same interests and roughly the same skills that i have this is maybe somebody who knows a particular technology way better than i do but there's other stuff that i know that maybe they don't know so i try to imagine this person as

myself a couple years ago and when i'm writing down the things for my report i'm writing it in language and terms and with illustrations that would have been helpful to me about two years ago or whenever i was new at this stuff and i want to make sure that that technical person can follow along in my footsteps and that is to say that they can actually recreate the things that i did because i gave them enough information for it so that's useful for them because then they can they can double check and make sure that i saw what i thought i saw and then also once they fixed it they can follow the same steps again and see if the fix

actually worked so it's good for them that way the the business people sometimes we forget about them and sometimes we um we don't give them the credit i think that they deserve these are the people who own the environment but they don't live in the environment these are the people who who use computers only for what they can get out of the computer and not because using the computer is fun uh and it's easy sometimes to think well you know they don't understand they don't get how the computers work it's not bad it's just that that's not their focus they're they're smart people i mean you don't get to be um executive people who are running

organizations and not be some level of smart so so you have to you have to still treat them as smart people just in a different domain than than the domain that you're in and the thing to focus on for the executives i think is to focus on which levers to pull in their environment so is this uh is this a a patching and updating problem that we've got here is this an inventory problem we've got here is this uh staffing for incident response problem we've got here those are the kind of things that they want to know they don't care about your cool command line hacks they want to know what is the cause of the problem

and you know which of my managers can i assign this to to get it fixed so one real quick story just to show you the difference of how you would present the same information to those two different audiences say you got um hash is stolen from a domain controller you got them offline you cracked 85 of them so the technical audience wants to know how did you get those hashes where where did you get them from which system how did you get local admin rights on that system how did you get those out of my environments what were all the things you did that i could have seen that i missed in order to um to achieve

that result show the commands so that that person can recreate those things for the business audience don't mention ntds.dit don't don't mention um password hashes as such tell them what you did what did you do you were able to get encrypted passwords for the entire environment you were able to pull them out of the environment you were able to crack 85 percent of them and this shows that your password policy allows people to choose weak passwords and that's the lever they can pull they can pull the password policy lever uh they could maybe pull some monitoring levers through that those both tell the same story but in a different way for a different audience this is this was a actual comment i got

during tech review from one of the reports i did at work and this is what i'm always going for i it was a test there was it was it was a disaster for the customer there there were so many problems and just really kind of basic fundamental things that they weren't doing correctly uh or safely or securely or whatever even by correct right but this the this told me this feedback from internally told me that i did a good job explaining it without being condescending and without beating them up too much i gave them a clear and accurate story that they were able then to receive and read and act on that's what i'm always going

for in my pen test so there is it's hard to talk about security right because everything is a secret you're not allowed to talk to the public about problems you found in a pen test that you did for a customer because that would be bad it's it's good that it is that way but it makes it hard for us to have conversations about real things we end up making stuff up and doing proofs of concept on test systems and those are great as far as they go but they're not ever the whole story so julio here has created a a repository of public pentest reports that's fantastic um it's it's got so many of them in there now it's a big

big repository and it gives you a chance to see what other people are doing when they write reports some of these are real reports that were meant to be public for public audits and things like that some of them are sample reports that have been like redacted intentionally or done up against a test environment so that the person writing the report could showcase their reporting abilities i'm not sure where they all came from but that's where a lot of them a lot of them come from there so i'm using some reports from this in this talk and i suggest that you go take a look at this yourself and and see see what's there just look for look

for good examples if you're bad examples it's a wonderful resource so when you're writing why are you writing you're writing to inform the reader right you're writing so that we can communicate information to them right so here is one sample from one of the reports that's in this repository this is don't focus too much on the words but this tells you what happened what they found they found a weak password policy they show you where they found it there's source code files and line numbers and they tell you the impact why does it matter this is a whole story what i found where i found it why it matters going down a little bit more on this

they um there's they make a claim they say when the um when the user goes to change their password it applies a six character minimum so and then they show you the source code where that happens so here's my claim here's some evidence to support that claim here's some discussion about why i think that claim is important and now you can disagree you could as the receiver of this report you can say that doesn't matter in my environment and that's fine that's your that's your job with the report is to balance different uh requirements security requirements uh usability requirements all that stuff but this report has told you the fact that they found and it has interpreted them from the

point of view of a pen tester and now you have some facts and some data that you can act on here's another one from Cure53 report they did looked at Cryptocat and they talk about Math.random they say Math.random is not considered predictable or is not considered unpredictable um so i'm starting to ask some questions so who says what do you mean not considered unpredictable what makes it not unpredictable why is that bad it's a little less factual but it still it still makes an argument it still says it makes this claim and it gives you some information to try to back that claim up so this is still this is still good a little less

strong but it's still good another one here we have um ProCheckUp did an anonymized report and there's a bunch going on here that that i want you to notice in this screenshot there's a lot of information here that's not immediately obvious and the the only thing i did to this was i added the arrows it would have been cool it would have been better i think if the original report had some arrows or something similar to focus your attention but look at all that's packed into this brief little thing here uh on connecting the test equipment to the network that means they brought their own equipment right they're not using something that's already on the network

a dhcp service was available to gain ip addresses okay so they plugged something into the network and they got an ip address and now they could communicate on that network that's useful information right there maybe this network is fine for that maybe it's maybe that's not a problem but maybe it is a network where they only you only want to have authorized known devices on it so right there is something interesting to the reader and then in this screenshot a couple things about this first it's a screenshot as text which is great if your information is text because now you can copy and paste right and it wraps better around page breaks rather than using an image

what do we have here we've got the username and the hostname we've got the hash at the prompt which means what means your root uh and we're on ifconfig for f0 and we find out that we have an uh uh we have an uh ipv4 address and we know what network we're on the hardware address there has been redacted but if it was not then the reader of this report if they had a good inventory might be able to tell for sure if this was one of their systems or not now they already said it's not but mac address is an identifier hardware address is an identifier and that's interesting and the last part here down at the

bottom is the receive bytes and the transmit bytes that this this is interesting and is it's not cut off it's interesting because it tells you it's an active interface um that's not critical right it's we're gonna it's it's safe to assume that you you're probably using this interface that that's how you started your testing but having it there with some data going back and forth not a ton it does show that it's actually active on that interface which is interesting makes it a little bit better a little more readable a little more factual about what the test was doing aside from informing the readers you can use writing to insult the reader and that's something i recommend against

in your pen test reports so here's one a company called mnemonic did an audit of the norwegian voting systems source code and they have this caption here it says the example code was flagged by Find Security Bugs plugin and then it says why is a crypto class using an insecure random generator that's that's not don't ask questions in your report make statements in the report i think what they're saying is that an insecure random number generator is not an appropriate thing to use for something that needs to be cryptographically secure and that would be a better way to say it uh i mean the answer to this question is either we didn't know better or we did

know better and we chose this for some other reason or i mean there's not like a it's not a constructive thing to do it's it's very accusing uh later on here it says you know interestingly the method used in an insecure instance initialized with the time as the seed this seems dubious it means that the bcs might try to guess the seed to predict it's just it doesn't come off well it comes off as a little bit condescending i think other things you can do with your writing accidentally is you can disorient the reader it's easy to make it's easy to make this mistake if you're especially if you're not writing as you go it's easy to lose track of what was

happening um during your test and not explain it in a way that's easy to follow so here's a report from security with the pdo bitcoin exchange this is a short report and i want to be clear that i'm not picking on this tester i think this tester did a great job on the repo on the test i think the report just didn't maybe didn't get enough attention maybe it was um i don't know he did a lot of good work i think and there are things that could be improved on the report is the point i'm trying to make here uh this is page one of the report there's no introduction there's no contest no context for what

we were testing here uh there's there's some code here right away there's uh it talks about the OmniAuth gem that's vulnerable to state fixation well what is that is that something that's part of the the pdo did they write that is it a third party library uh i don't know what that is and then there's an image tag down here image source equals youngbee.com weibo what what is that i don't understand it's not obvious to me what that image tag is there for and then it says after that the attacker can log into the victim's account um how how do they log into the victim's account i'm not i'm not clear on what's going on

page six of a seven page report it says is a summary says using the first two tricks we're able to hijack the account don't don't call them tricks um maybe say what they were exactly using this vulnerability and that vulnerability then using the 2fa vulnerabilities we can do the following we can we can we can create an sms 2fa using a breach in this controller we can brute force if they're both activated we can brute force this so we can predict the one-time one-time password which means we can steal the coins from any exchange user feels like that's kind of hidden right steal the coins from any exchange user that's like the whole point of the exchange is

to keep those secure right that's a big big deal if you can steal the thing that this service is meant to protect um it kind of kind of gets buried and then at the end it's it says overall it's a very secure exchange and the code quality is high especially because basically everybody else sucks this doesn't follow right i'm i'm confused because on the last page you said i can using these simple vulnerabilities i could steal everybody's coins and now you're saying it's really actually pretty good i i don't understand how those two things jive together so i think if the tester had taken more time to to reread this report and maybe think about how to present the issues i think

it could be more clear but after i read this report i have a lot of questions

what you want to do what you actually want to do in your reports is you want to help the reader understand what you saw when you were testing so that they can make decisions you want to help them understand their environment that you saw as a pen tester you want to help them understand the technical nature of the problems you found in that environment you want them to understand the processes and the structures and the policies and the behaviors that all led to the situations that you were able to exploit and you want to tell them all the things they're doing well all the things that you tried that didn't work summarize those somehow is do they have

uh do they have a great incident response staff and they kept catching you at every turn that's great tell them that do they have a really strong password policy and and it makes password guessing or password sprays really less likely to succeed that's great tell them that too that's all the story the the screenshots in your report are there to illustrate the story they're they're there to make it more clear they're not decorations they don't make the story prettier they make the story better so here's uh a web app i like to use to illustrate this here's a screenshot of a web app that has maybe a security vulnerability in it and maybe this is a screenshot

that would appear in a report that illustrates um this vulnerability do you see what the problem is do you see what it is now maybe how about now now it says that you're not securely connected to this site okay what does that mean not securely connected to this site um now you know probably that it means it's not encrypted but security is not encryption there are other ways your connection could be insecure you could be routing through an insecure network you could be on a coffee shop network there's lots of things that could mean insecure and it's not just encrypted

so this these used to be better um a while ago the firefox and chrome and everybody had an address bar and in the address bar they showed the address of what you were visiting and now they don't do that anymore they're they're taking that stuff away they're taking away the details to make it more user friendly i think is what they say but it's hiding information that's useful and now um actual addresses that used to be in the in the address bar are getting chased away important parts are getting hidden so here what's being hidden is the whole protocol you don't know how it's connecting you know the address but you don't know how it's getting there and

you can you can fix your browser you can make it tell you um the addresses uh in in firefox it's uh browser.urlbar.trimURLs tell it don't do that because honestly if you have a url without a protocol at the beginning it's not a url anymore and yeah so fix your browser and this is a better screenshot this tells you you're not securely connected it circles the http part which is what it means here by not secure and it links those two together so this is what i have in my report we started with this the whole thing and we came back down to this very focused very clear you can't misunderstand this one now as i said before you can disagree

all you want you can say that for this site https doesn't matter or we use http on purpose for these other reasons and awesome that's great it's not my application it's not my choice to say you must have encryption it's uh it's just an observation and it's clear and if we can just if we disagree about it now we're disagreeing about something specific so there's two things every screenshot wants to have every screenshot should be helpful and it should be clear helpful means that it's relevant and it adds useful information and it's accurate clear means that it's legible it directs your attention and it's precise so helpful and accurate i'm using as synonyms here and clear and precise as

well so if you come i come from an arts background i like helpful and clear if you come from a math background or a science background maybe accurate and precise are better words for you so accurate means it should be correct it should it should be show what you mean to show and precise means it shouldn't show much else it should be focused narrowly in on what you want to illustrate so as you're taking a screenshot here are some decisions to make do you want the whole browser window or do you want just cropped to just an important part generally if you have the whole chrome of the browser if you have the address bar and the scroll bars and everything

rethink it because those aren't helpful usually do you want a plain screenshot because the issue is just self-evident there or do you need something to direct people's attention with boxes and arrows or things like that how about the text in the screenshot is that readable is it has the image been shrunk down so much that it's too pixelated and you can't read the words or on the other hand is it so big that the words on the screenshot are like bigger than the titles in the text around it you want the text that's important in there to be about the same size as the text that's around it and then do you have just the viewport

or do you include the url as well and i think you should always include the url if you can have it in the address bar and it's readable and that fits with the size and scale of what you want to report that's great if you can't do that then just make sure the url is somewhere in text near the near the screenshot so that it's it's not just floating out there there's a screenshot somewhere i don't know how to get there you want to make sure that your reader knows how to get to the thing that you're showing your screenshot should be composed with a little bit of thought so i said before you don't want to have the

browser chrome and everything this is three different screenshots of the same issue so on the on the left we've got that you know thoughtless kind of thing it's just here's the whole page and this is the issue and here you go and it's hard to read the text is small there's a bunch of stuff in there we don't need it's unfocused it's not awesome the the top right is better it's pulled out just the important part but it's a little bit awkward the composition makes it such that the text is a little bit too small to read there's a bunch of white space or pale blue space in the top right there that's not helpful

if we just shrink the window a little bit this application flows so things start to wrap differently so the bottom right there i've shrunk it small enough that that when it's full size in the in the report you can read all the words there's not a lot of extra white space now you can read the site url you can tell the ip address that it was you can see the time that this was done and you can see you can read all those little um red and green guys that tell you where the problem was you would have thoughtful contrast and there's some controversy over this one and i don't understand why there's controversy over this one

uh dark mode right people like the dark mode and that's fine you can like dark mode all you want and you can use it all you want but in a report you're not the audience it's not for you it doesn't need to look nice to you and also if you're doing reports as uh word documents or as any a pdf or anything the background is going to be white it's going to be white and this huge contrast here this is the same screenshot in uh in Burp Suite's uh dark mode versus regular not dark mode and the one on the right is just it's a little shocking it's a little bit there's too much contrast there it's hard to see what's

going on and actually the burp version of dark mode doesn't have very good contrast either it's all just muddy gray for the most part i'm not the only one who thinks this and people writing pentest reports aren't the only ones who screw it up um this is a published book printed book uh that mobix found where they use dark mode for screenshots and you literally cannot read this i have this book and i've looked at it you cannot make out anything in that screenshot because it's so dark there's no reason for it it's not helpful you want to use thoughtful words you want to explain like i said earlier clearly to you to yourself who you were maybe two years

ago you want to make it obvious how to reproduce the behavior that you're seeing that you're talking about in this section of the report include prerequisites if you have to um put something in your shopping cart and it's a specific thing that has this vulnerability then say that if you have to be on a certain part of the network in order to see the target you're going after say that make it clear which box you were on what system you were on when you did the attack so they can see how that went maybe it doesn't work from the the person who's reading it maybe their system doesn't have the same access that that system had there's a

there's a firewall or a different network something make that clear and stick to the facts don't don't blame don't don't don't call people names don't say why would you do that in the report stick to the facts explain why things are the way they are to you why they appear to you the way they do what you think is important and let them make their own decisions so a couple of screenshots from these reports in julio's repo are these decorations or are these illustrations do they help or are they just taking up space so here's a cryptocat screenshot and we've got a browser there is no address in the address bar uh we've got the

the inspector open so we can see there's a span class has an email address in it i don't know what this is trying to show me uh i i think i'm guessing that that iframe in the middle shouldn't be there because it says evil but there's nothing here that tells me how it got there or why i should worry about it or what it means or which part of this screenshot is even the important part for me to notice so this one's decoration this one i think uh it does tell you what application we're using so that's useful but the specifics of why this screenshot why here i'm i'm lost they did another one of uh mailvelope

and so this is showing us um gmail years ago and again we've got the um we got the developer tools open and we can see there's a there's a script in there there's a script above in the the documents um compose window it says injection in progress this is the attacker's point of view what what is the attacker seeing that that i need to pay attention to if if this is the attacker's point of view they've they've got that that text in the in the uh the text area there why is the um why is the developer's tool thing open is that something they need to do the attack anyway i just i don't know what this is showing me

i don't know how this is supposed to make me understand the issue better ncc group tested phpMyAdmin and i picked this screenshot because there are no screenshots in it this this the screenshot of their report they i think they have they must have a policy because there are almost never screenshots in their reports and so that's i disagree i think screenshots are super helpful and to choose not to include them i think is not great i would disagree but they've made a choice and they back it up pretty well this the words that are here are just about as good as you can get without having a screenshot so they're working within the

constraints they have they've got a policy i'm guessing that says no screenshots so how do we make it clear without those and this is a great job of doing that here is one more uh one more screenshot that is just not helpful uh this one says access is granted to 10.10.10.210 as local administrator and it's a screenshot of the entire desktop and what's it trying to show well with the caption above it i think it's trying to show me that i'm logged into 10.10.10.210 as the local administrator but there's nothing in that screenshot that shows me the ip address of the system i'm connected to and the only thing that gives me any

clue that i'm administrator is the title under the start menu there it says administrator now that's just the username right i think it's possible for that to be you can have a user who's named administrator who doesn't have admin rights so it's not a super reliable indicator and even if it was it's a tiny tiny fraction of this whole screenshot all that other stuff is completely unnecessary so i would i would argue that there's a better screenshot that could have been taken to illustrate that you're logged into a particular system with a particular set of privileges and and also this is just way too big it doesn't it doesn't do what it claims to do

and then another anonymized report from ProCheckUp i love this one because again it's a screenshot of a terminal and it shows you the text it's not an image it shows you who you're logged in as it shows you where you're sshing to so if you ssh to something called spike and you don't give it a username what's the username that you're connecting as it's whatever your current username is right so it's root and we get connected it says last login from mustang and it's got this banner and and we're logged in so it worked so i logged into the system called spike as root and then just to make it extra clear i we typed whoami semicolon another

command and an id because whoami gives you the username who's logged in id gives you the uid which is actually what determines that you're root because again you could have a user called root who doesn't have privileges this shows you both of those things and they went so far as to do it on a single line so that this is a more compact screenshot you might just type whoami enter and then id enter and you get the same information but it takes up more space that way so this is a well thought out screenshot that shows you exactly what they want us to see

so in your screenshots you want fact and clarity you want accuracy and precision pay attention to how you you create those things this is a screenshot from one of the reports by Red Siege they pen tested nakatomi plaza if you can believe that they show in this one they show you the url and it's readable it's a good size you can see what that is and the other thing i got an arrow pointing to here these are my arrows not theirs there's a log off button so what if what does that tell you that there's a log off button it tells you that you're logged in so this is a nice compact single screenshot that shows you where i

am it shows you that i'm logged in and it shows you some of the information that i can get access to from that system later in that report they're showing you some http traffic and and again they show it as text not as an image which is great they've got this bold i added the arrows again but they've got bold the system they're connecting to they're using curl with these particular command line options and they're connecting to nakatomi plaza.nope so if you're reading this report you can do that exact same thing you can run that command yourself right now and then the response shows you the the part that they want you to pay attention to

it came back with this strict transport security header and that's what we're talking about so if you run this command now you'll see that same strict transport security header and now we're on the same page now we're seeing the same things and now we can talk about whether we think that's an issue or not so again maybe the last time illustrate don't decorate don't just put a screenshot because you want to have a screenshot put a screenshot in because it helps because it clarifies it tells the story better you want to keep your audience in mind are they going to know what to see in that screenshot or do you need to direct their attention a little bit

more screenshots is better as long as they're not just taking up space uh you're probably going to need boxes and arrows in your screenshots it is it is a rare screenshot that stands for itself and doesn't need any explanation they do exist absolutely but they're rare if you have one without any think for a second and make sure that you think that's the best way you can handle that
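The Red Siege curl example above shows the pattern the talk is after: the exact command, the response as text, and then analysis rather than bare tool output. As an added example (not code from the talk or from any of the reports it discusses), here is a small Python helper that takes captured response headers, pulls out the Strict-Transport-Security header, evaluates it, and writes the reproduction command plus a one-line assessment for the report. The host name, the header values and the curl options are constructed assumptions.

```python
"""Turn raw HTTP response headers into a report-ready HSTS evidence block.

Added example, not from the talk: the sample responses below are constructed,
and the host name is a placeholder.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample of what `curl -sI` returns (status line, headers, blank line).
SAMPLE_WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Strict-Transport-Security: max-age=300; includeSubDomains\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
SAMPLE_NONE = "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n"

ONE_YEAR = 31536000  # seconds; common minimum recommendation for max-age


@dataclass
class HstsAssessment:
    present: bool
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool
    notes: List[str] = field(default_factory=list)


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse curl -i / -I style text into a lowercase header map (body ignored)."""
    headers: Dict[str, str] = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip status line
        if not line.strip():
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def assess_hsts(headers: Dict[str, str]) -> HstsAssessment:
    """Evaluate the HSTS header: presence, max-age, includeSubDomains, preload."""
    value = headers.get("strict-transport-security")
    if value is None:
        return HstsAssessment(False, None, False, False, ["header absent"])
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    max_age = None
    for d in directives:
        m = re.fullmatch(r'max-age="?(\d+)"?', d)
        if m:
            max_age = int(m.group(1))
    include_sub = "includesubdomains" in directives
    preload = "preload" in directives
    notes = []
    if max_age is None:
        notes.append("max-age missing, so browsers ignore the header")
    elif max_age < ONE_YEAR:
        notes.append(f"max-age {max_age}s is below one year")
    if not include_sub:
        notes.append("includeSubDomains not set")
    return HstsAssessment(True, max_age, include_sub, preload, notes)


def evidence_block(host: str, raw: str) -> str:
    """Render: reproduction command, the relevant response line, and analysis."""
    a = assess_hsts(parse_headers(raw))
    cmd = f"curl -sI https://{host}/"  # assumed options: silent, HEAD request
    hdr = next((l for l in raw.splitlines()
                if l.lower().startswith("strict-transport-security")), None)
    lines = [f"Reproduce: {cmd}",
             f"Response: {hdr or 'no Strict-Transport-Security header'}",
             "Analysis: " + ("; ".join(a.notes) if a.notes else "policy looks sound")]
    return "\n".join(lines)


if __name__ == "__main__":
    print(evidence_block("example.nope", SAMPLE_WEAK))
```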

formatting issues are another thing that a little bit of attention goes a long way uh you you don't have to make it art but you can make it pretty you can make it consistent uh um when uh i'm i'm kind of old and when word processors first came out that you could do multiple fonts in everybody's reports had 15 different fonts in them just because they could use it and they looked horrible because they were so inconsistent we do that now still when we format things manually like if you're double clicking on a word and you're saying bold or if you're making a heading by making it just bigger and putting an extra carriage return after it you're

doing it wrong and you're making it harder on yourself than you need it to be uh scott hanselman has a series of videos called how to really use microsoft office that are wonderful for this they're brief they're to the point uh he's easy to understand and fun to listen to go watch those but take some time and just see if the way he shows you how to make these things work isn't something that you can add to your little ball of tricks a couple quick good examples from uh julio's repository here to show you some things that i think work well uh and a few that we could just tweak a little bit so in this report

there's a screenshot of uh terminal output and it's on a dark background and i kind of don't like that but that's not why we're talking about this one this one is running gpg commands now raise your hand if you can just type gpg commands off the top of your head and get them right and interpret the output and understand what's going on i don't see any hands so what is going on here uh what's going on here is that they're verifying this signature on this application and they've got what seven eight lines of text and and that's how you're supposed to notice the the important part here is where it says good signature that's that's the key we're checking the

signature we're checking who is the issuer of the signature key and we're making sure that it's a good signature so this should be circled something should draw your attention to the fact that there was a good signature and then there's another command that's run we run the .AppImage with --appimage-signature do you know exactly what that means is that self self-evident what's going on there i don't think it is i think that could be done a little better why did we run that second command what are we supposed to see there here's another and this is just a quick show you why it's better to do terminal output or text images as text instead of

as images because this one got broken across a page boundary the top of there is page 9 the bottom is page 10. if this had been put in as an image there'd be an inch and a half blank space at the bottom of page nine and then page ten would start with the whole screenshot that makes it harder to read a little bit harder to follow so if you have text present it as text and and look it's a light background with dark text like every word processing document ever uh proton vpn windows app the interesting thing about this one is it's not a screenshot but it's telling you exactly what they tested there's a shot

on some of these files that were part of what they tested even of the readme so if you want to if you're trying to fix this or you're trying to recreate these issues you can know exactly what they were looking at and whether you're looking at the same thing or not this is fantastic same application this is some text but it's not shown as text but it's okay here i think because it's small and it's awesome because they highlight the part that's important they use the they use their hex editor itself to do the highlighting they just selected that and it's highlighted nothing had to be done after the screenshot was taken to show you the

important part of it now imagine you got the screenshot but nothing was highlighted what are you supposed to make of this you might you might know as as a tester as somebody who's familiar with looking at hex dumps but not everyone's going to know that your executives certainly aren't going to be familiar with this and your newer technical folks they might not either they might recognize that oh i think that's hex but they might not know how to interpret it so this is a huge help to have that so it doesn't have to be art but you can still make it pretty keep thing use formatting to keep things consistent use it to focus the attention to the right things and

make the computer do it look at those Hanselman videos and he will help you see how to make word do your work for you a couple of things not to do uh never ever ever copy and paste from a previous report i don't care how small it is the risk that you accidentally include one customer's information in a report that goes to another customer is too high to to benefit the brief time savings of copying and pasting from one report to another so but you say oh but i've seen this issue before i don't want to have to write all those words again i agree don't write it up once generically with no customer information and save that

somewhere and then when you see that same information copy and paste from there just don't copy and paste from another report and also tool output don't ever just assume that the tool output stands on its own either the tools are things that can be bought a lot of them are free so if you're just giving me tool output then what's the value that you're adding as a technical person why should i hire you again if you're just going to run tools that i could run i could pay my employees way less than i pay the consultant to do the same thing so make sure that you're giving context and some analysis and why that's important

not just tool output one more thing that gets overlooked is um is using colors it's generally speaking a bad idea to convey information with color alone and the reason for that is that there are there are people who don't see colors the same way you see colors and colors don't always translate across media and sometimes people still print things out and look at them and sometimes they print them out in black and white and then there's no color so this is a this is from one of the reports in in that repo i showed you and it shows you the the risk ratings and the color they use for those risk ratings on the left

is how it appears in the report on the right is how it would appear to somebody who is who has got the red blind version of color blindness and if you look at that in the key the informational stuff and the high stuff are almost the same they're almost identical so it's not a great useful gradient to use red for bad and green for good so what do you do about it what do you we always red means bad and green means good right and that's a common thing that people use so what do you do instead here's something you can do instead looking at the the red siege report they use color and symbols to to convey

the information so we have uh a red circle with the exclamation point is the highest severity thing so even when you lose the red you still get the exclamation point the orange circle that's solid is the medium one so you still get a solid circle and a half filled circle and an empty circle so using something besides color to redundantly convey the same information makes it more useful in more different places the other thing you can do is you can try to use colors that are still distinguishable even for folks that don't see colors the same way you see them and this is hard because there's less there are different kinds of color blindness and

they don't all manifest the same way so it's difficult to come up with more than two colors really that you can reliably distinguish but here's a report that tried to do that and they did pretty well i think you can those all look pretty different except two and four look pretty similar but that that goes to the point of view something besides color but you can you can do you can choose colors that are more distinguishable the last thing i want to show you really quick i just want to point you at some of these things you can use do in microsoft word to make word better for you a lot of reports are still done in

microsoft word so if you don't use word you can skip this but if you do look into using styles to keep things consistent don't format words and phrases independently with bold and italic and bigger use styles you can use autocorrect to save time so when you type something in that's a misspelling that word knows about it fixes it for you right you can define your own and you can make anything expand into anything else so i have in my word i have some abbreviations uh that i put in as misspellings and the correct spelling is a whole paragraph of text so i type in one little thing and poof i get out i get that whole paragraph

all at once you can use macros for things that aren't trying to pop a shell you can use macros to go through the document and check formatting and clean things up you can use a custom dictionary with words that you that microsoft word would normally complain about spelling wrong to see less of those and a lot of these things get stored in a file called normal.dot or normal.dotm and those will carry with you across every new document you create from that installation of microsoft word scott hanselman gets into some of those things but they're worth exploring on your own so autocorrect macros custom dictionary those are things that you can google to find how to get started with them and

see if they might be useful for you so as i said before your report matters more than your hacking it really really does without a report the hacking might as well not have happened as far as the people who need to fix it are concerned so pay attention try to do well look at it as you're going and stop for a second look at it again and see does that make sense to me if i wasn't the one who wrote this would i know why that screenshot's there and what i'm supposed to get out of it have i described the issue clearly and fairly and factually so that somebody with different opinions and different priorities than me

can make an informed decision a couple quick references and that is it thank you for coming i'm i think i'm around for any questions