I hope you enjoyed this video! If so, please consider dropping a like and subscribing.
250 likes zero dislikes that's what makes you different from other cyber channels you give exact information needed👏👏👏
Don't jinx it :P
When I first started down my Pentesting path I was taking terrible notes. Now that I'm doing much more complicated testing, I find maybe I am overdoing it on the notes. What you are sharing here is extremely helpful when trying to figure out what to pick out and put into a nice clean report. It's a real skill to do these properly so props to you. Thanks for sharing.
Heath, you are killing it. Thank you for your efforts and time to improve the cybersecurity workforce! I am hooked and your videos are helping to set the path.
Thanks. Another great vid! I've started on a similar journey as you - just finished my second year doing my cybersecurity degree and started offering advice on YouTube for starters in the field. Keep up the great content buddy!
Thank you! Good luck on the YouTube and cyber journeys!
Great vid and super info once again....Good luck with your new ventures Maverick
Thanks, Scott!
You are the first one that I have seen do a video on a report. I found it interesting. Can you do one on note taking while doing a test?
thanks, this will help heaps with basing a framework for my reports
Very very good, I will use this to learn. I have one question: I know basic concepts on pentesting, I've got my own setup of VMware etc., where would you direct individuals like me to push into cyber security, i.e. further learning, types of entry level occupational positions, etc. Even a brief reply would go a long way, your content is extremely helpful, thank you.
Very informative sir, thanks a lot. If possible could you also please make one course on bug hunting like you made zero to hero for network pentesting.
I'm not a bug bounty hunter by trade. I think there are better content creators out there for that topic :)
Thanks Mr. Heath for everything !
I completed your course Practical Ethical Hacking .. 25/7/2020
What is your software tool to write the report?
Do you use Microsoft Word?
I have problems finding a good tool to write the report.
Hi Adam, many many thanks for sharing that great video and also for sharing the amazing penetration testing template!
Heath, what about an internal pentest report?
very useful video, keep doing the great job
I noticed you've included a classical book by Jon Erickson (Hacking: Art of Exploitation). Is it still relevant in 2023?
Loving this video. Learnt a lot. Thanks!
Do we need to include every step by step screenshots in the PT report as in a CTF writeup?
Hi Cyber Mentor, can you please provide the first proposal you send at the company please.
Thank you, this is an amazing template!
The recommendation of not using words in passwords is something I disagree with, a string of random words is super hard to guess or crack as long as it's more than one word.
Scott Rainville Not true, that’s why Kali includes very reliable dictionaries to crack passwords with. Long random characters are the most difficult to crack, especially over 24+ chars.
@c1ph3rpunk Of course, using a long random character password is technically stronger than a password of the same length with words. Problem is, it's not practical. Try telling your users that their Windows passwords need to be 20+ random characters long. 20+ characters, let's say, with all random words is far more memorable and still hard as hell to crack.
There's about 500,000 words in the English language with names and slang, generating even just every two-word combo is a wordlist of 500,000^2 lines. At 5 bytes a word (a low estimate), that's over 1TB of passwords, with most of them not making the length requirement. Three words long? Forget it.
@scottrainville8303 Everywhere I've been the past 3 years has deployed password managers for everyone.
@c1ph3rpunk That's good, but you can't use a password manager for logging into Windows with your domain creds.
ManageEngine Pro does and couple it with a 2FA, I’ve used both RSA and Duo at that stage.
Song that you used in the outro? I like the sound and if it's from a band, would love to know which one.
This is great, thank you so much! I'd love to connect on LinkedIn.
Thanks for the video, this was great info.
Thanks! I'm glad you enjoyed it.
Which methodology did you work with?
Thank you 🙏👏👏
Very informative video 👍🏼
Thank you
Thank you!
Nice information. Thank you!
Thank you!
ty for the video and the template
Thank you
thanks man!
Sir, Do you have any idea about pwndoc?
Should a penetration tester be involved in carrying out remediation or should it be done by the company's IT?
Richard Christian I’ve involved the testers in remediation meetings so the fix team understands what needs to be done but generally pen testers aren’t admins and don’t patch/fix things. Most sec companies either have people that can help with that part (not the testers) or can recommend someone to assist.
What Darren said is accurate. We will guide you in the right direction, but ultimately, the customer performs the remediation.
I cannot find the default password of phpmyadmin, can you make a video on that?
What would be the budget or fees charged for the services?
Delroy Batt I’ve paid anywhere from $5k to $150k for various tests, it all depends on how much, what, where and how things are being tested. I’ve seen large ones that were in the area of $250k but they were massively thorough and included detailed app testing of banking system components.
Darren Young wow, thanks brother I appreciate
Delroy Batt np, off the top of my head, I had an external of several subnets that was really just a vulnerability assessment, not a test, and it was $15k. Purpose there was to validate our internal findings of our external exposure, mainly a compliance checkbox to show we had a second set of eyes on our own scans. Did another one that was more of a mock real-time attack on a SWIFT transfer system to see if our SIEM system and various controls would in fact detect a spear-phish based attack against that wire transfer system, that one was in the $45k range or so. It’s all money very well spent, we constantly find things in tests we didn’t know about or find on our own, that’s why we test.
Darren Young you got any social media platform I can privately dm you cause wow I appreciate it
@youngd241 on Twitter
Link to the sample report is not working. You get to the download page but it just takes you in a circle.
It seems okay for me? github.com/hmaverickadams/TCM-Security-Sample-Pentest-Report
great video
Thank you!
t. v reports
cooooooooooooooooooooooooooooooooooooool
Sir
The docx is corrupt.
First