I know you have been there. On an external pentest that takes twice as long to write the report as it did to test that one IP address. Or maybe you are buried neck deep in an internal that is 3000 IPs, and you are struggling to keep track of all of the findings. One of my main gripes with most pentesting companies I have been involved with is that the reporting process is the area that could stand to become more efficient. Utilizing tools to expedite your engineers' report writing allows a business to save time and, in turn, take on more customers. In the past I have written significantly on how to integrate penetration testing tools with the Faraday IDE, which is nice because it gives you the ability to integrate tools into the actual environment, but I have discovered another tool set that doesn't require integrating tools and allows for quicker reporting.
PlexTrac claims on their website that it helps "simplify security and reporting." The quote goes on to describe the benefits of PlexTrac: generating cybersecurity and pentest reports in half the time, eliminating dreadful document formatting, and presenting your reports in a simple web-based format. PlexTrac provides a central platform to store and track all write-ups, assessments, and reports over time, including pentests, vulnerability scans, and more. PlexTrac streamlines the process for testers and teammates to resolve issues while reducing knowledge gaps for future assessments.
I was fortunate enough to get a free trial demo from PlexTrac to play around with. In order to truly test the powers of this I decided to use the open source vulnerable web app that I blogged about in the past, OWASP Juice Shop. I will demonstrate how PlexTrac could help speed up your pentesting business and make it more efficient. However, I will note that PlexTrac has an extensive amount of functionality, and it will be impossible to cover all of it within a single blog post. Therefore, I will be tailoring the majority of this blog post around how I would use PlexTrac on a day-to-day basis.
Disclaimer: I know it might seem like I am affiliated with PlexTrac or getting a kickback in some way, but I am not. I am simply demoing a product that looks valuable to my workflow.
Right off the bat, one of the key features I was intrigued by was PlexTrac's online cloud service. No setup needed to begin working, no extensive documentation to read through to get right into the reporting. I know many pentest companies are going to have issues with leaving all of their customer data just sitting out on the Internet, which is why PlexTrac also offers on-site hosting if you are an Enterprise customer. Upon logging in you will see the screenshot below, which has a nice heads-up display of the different portions of the application.
Working from the side bar top to bottom, the first piece of functionality is the Clients section. This is where PlexTrac allows you to create, edit, or view the different clients you are working with. For this exercise I will be using OWASP's Juice Shop as my new client. As you can see from the screenshot below, creating a new client is a breeze. You can even drag and drop customer logos, which will be used later in the report generation.
Now that the new customer has been created, it is visible in the All Clients page, as seen in the screenshot below.
Another feature of PlexTrac is the Create A New Assessment tab. This allows you to manage and view assessments. Since I am not a certified QSA this does not apply to my workflow as much, but I have worked at pentesting companies in the past that would really benefit from being able to use the PCI questionnaires and even create custom assessments. That way you could send a non-certified team member to collect the PCI data, and then hand it back to the QSA for report writing. It would allow for consistent data collection and report writing for your PCI assessments.
Now onto my favorite part of PlexTrac: the Create New Report section. If I had been able to use something like PlexTrac, I estimate I could have saved a large number of engineer hours by cutting down the total reporting phase of each assessment. Clicking the bright blue New Report button lets you jump straight into new report generation. From there you can select from the drop-down of already created clients. You can choose the Report Name and report template. Since PlexTrac allows for creation of custom report templates, you could simply create a new template for each individual assessment module and customize it to match what the customer purchased.
The report section also ties into the WriteupsDB, which is an awesome section of PlexTrac. The application comes pre-loaded with many findings, including Burp Suite's findings and the CIS Top 20. However, it also allows you to add custom findings. So for all of you pentesting companies out there still using Excel documents to edit, manage, and view your findings, you should really check out PlexTrac. The screenshot below shows the WriteupsDB dashboard.
Adding a new custom write-up is as easy as clicking the bright blue button and filling in the 5 fields.
As we return to the report writing section, we have several options for getting findings into the report. Custom findings allow us to add new findings that might not already be in the WriteupsDB. Of course, simple addition from the WriteupsDB is also available, and then finally my favorite option is to add From Tools.
As you can see from the screenshot above, PlexTrac has the ability to import from a variety of tools, and this list is continually expanding with development. By selecting a tool and then uploading a file, PlexTrac will parse the file, remove any duplicates, and automatically apply findings that correlate to the WriteupsDB. Talk about a time saver! For the sake of this blog post I have performed a quick Burp Suite scan of the OWASP Juice Shop and exported it in XML format. The screenshot shows the new Burp Suite 2.1 performing a crawl and audit of the Juice Shop.
Without further manual exploitation, these are all of the findings Burp Suite produced, but for the sake of this demonstration it will be enough. Make sure that when reporting you export the Burp Suite findings in XML format. It should also be noted that Burp Suite Community Edition cannot export findings, therefore Burp Suite Professional is required for the PlexTrac import.
Once the upload has finished you can see from the screenshot below that PlexTrac automatically assigned the findings that it can correlate from the WriteupsDB.
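To make the parse, de-duplicate and correlate step concrete, here is an added example (my own illustration, not PlexTrac's code) that reads a constructed sample in the shape of a Burp Suite XML issue export, collapses repeated instances into one finding with a list of affected locations, and looks each finding up in a stand-in write-ups database; the issue type IDs, hosts and write-up IDs are made up for the example.

```python
import xml.etree.ElementTree as ET
from collections import OrderedDict

# Constructed sample in the shape of a Burp Suite XML issue export: one issue
# per line, element names as Burp writes them, type IDs/hosts/paths made up
# for this example (Juice Shop listens on port 3000 by default). Issues 1 and 2
# are the same issue at the same location; issue 3 is the same type elsewhere.
BURP_XML = """<?xml version="1.0"?>
<issues burpVersion="2.1">
<issue><serialNumber>1</serialNumber><type>1001</type><name>Cross-site scripting (reflected)</name><host ip="127.0.0.1">http://localhost:3000</host><path>/rest/products/search</path><severity>High</severity></issue>
<issue><serialNumber>2</serialNumber><type>1001</type><name>Cross-site scripting (reflected)</name><host ip="127.0.0.1">http://localhost:3000</host><path>/rest/products/search</path><severity>High</severity></issue>
<issue><serialNumber>3</serialNumber><type>1001</type><name>Cross-site scripting (reflected)</name><host ip="127.0.0.1">http://localhost:3000</host><path>/#/search</path><severity>High</severity></issue>
<issue><serialNumber>4</serialNumber><type>1002</type><name>Strict transport security not enforced</name><host ip="127.0.0.1">http://localhost:3000</host><path>/</path><severity>Low</severity></issue>
</issues>
"""

# Constructed stand-in for a write-ups database keyed on the scanner's issue
# name. The HSTS issue is deliberately absent to show the custom-finding case.
WRITEUPS_DB = {
    "Cross-site scripting (reflected)": "WU-XSS-REFLECTED",
}

def parse_burp_issues(xml_text):
    """Yield one dict per <issue> with the fields needed for reporting."""
    root = ET.fromstring(xml_text)
    for issue in root.iter("issue"):
        yield {f: (issue.findtext(f) or "").strip()
               for f in ("type", "name", "host", "path", "severity")}

def dedupe_and_correlate(xml_text, writeups_db):
    """Group instances of the same issue type into one finding, drop exact
    duplicate locations, and attach the matching write-up id (None means a
    custom write-up is still needed). Findings keep first-seen order."""
    findings = OrderedDict()
    for issue in parse_burp_issues(xml_text):
        finding = findings.setdefault(issue["type"], {
            "name": issue["name"],
            "severity": issue["severity"],
            "writeup": writeups_db.get(issue["name"]),
            "locations": [],
        })
        location = issue["host"] + issue["path"]
        if location not in finding["locations"]:
            finding["locations"].append(location)
    return list(findings.values())

if __name__ == "__main__":
    for f in dedupe_and_correlate(BURP_XML, WRITEUPS_DB):
        print(f["severity"], f["name"], f["writeup"] or "(custom write-up needed)", f["locations"])
```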
PlexTrac also does a great job of displaying findings at a high level, which can be great for executives or board members who only want to track the remediation and risk levels of the company. As you can see from the screenshot below, simply clicking the Readout View will make some nice and pretty graphs for that real wow factor.
Now that we have finished entering all of our findings, it's time to deliver to the customer! PlexTrac helps us by providing multiple export methods that can be sent directly to the customer.
I selected PDF, which is most commonly what is delivered to customers so that they cannot edit the document after delivery. As you can see from the screenshot below, PlexTrac automatically generates the PDF for you and asks where you would like to save it. Opening the PDF shows all of the information provided in the New Report section.
Not a fan of the default template? No worries, PlexTrac has the ability to create custom templates using a variety of variable injection points. This can help create beautiful reports that can be reproducible quickly!
This is only scratching the surface of PlexTrac, and there are many more features that could not be covered in this single blog post, such as editing the custom reports with built-in variables that help produce more robust exported documents. There is also the new BETA Analytics feature, which allows pentesters to view statistics and trends across all the client reports that have been built. This can help formulate where research and sales efforts need to be focused.
I highly recommend reaching out to the PlexTrac team in order to ask for a demo to see if this phenomenal tool can help your business cut time and save money! Until next time keep on reporting!