4.4 Documenting Technical Findings
Each finding in a pentest report follows a consistent structure. This makes findings scannable, comparable, and actionable for the team that has to fix them.
A complete finding includes:
Title. Clear and specific. Not “Kerberos Issue” — instead: “Weak Service Account Passwords Enable Kerberoasting Attack.”
Severity rating. Using a consistent rubric (CVSS, or a custom rubric like the one used in NavSec Labs environments). The rating drives prioritization.
Description. What the vulnerability is and how it was exploited. Technical but clear.
Evidence. Screenshots, command output, and documentation proving the vulnerability exists. This is where your Module 3 documentation pays off.
Business impact. What could happen if this vulnerability were exploited by a real attacker? This is what turns a technical finding into a business risk.
Remediation. Specific, actionable steps to fix the issue. Prioritized. With context about effort and trade-offs.
The severity rubric you’ll use in NavSec Labs paid environments is included in the artifact download. Learn it now — it’s the framework you’ll apply to every finding you document.
Five findings from the Navigating Security Corp engagement need severity ratings. Use the rubric to rate each one and justify your choice.
Rate Finding Severity
Assign a severity rating to each finding using the provided rubric. Select your rating, then see the consultant's assessment.
Kerberoastable Service Account with Weak Password
svc_adbackup had its TGS ticket cracked in 6 minutes using a standard wordlist. This account is a member of Backup Operators and holds DCSync replication rights on the domain root.
Complete Attack Path to Domain Admin via DCSync
BloodHound confirmed a two-step path from the initial low-privilege account (t.chigubhu) to full domain compromise: Kerberoast svc_adbackup → DCSync via DS-Replication-Get-Changes-All rights → extract krbtgt hash → Golden Ticket.
Excessive Domain Admin Group Membership
The Domain Admins group contains 9 members. At most 2 are expected (built-in Administrator and one named admin). Members include stale accounts, service accounts, and role-inappropriate accounts that should not hold Domain Admin privileges.
No Account Lockout Policy Configured
The Default Domain Policy has the account lockout threshold set to 0, allowing unlimited password attempts against any domain account.
AS-REP Roastable Account — Kerberos Pre-Authentication Disabled
svc_monitor has 'Do not require Kerberos pre-authentication' set. An AS-REP hash was retrieved and exported for offline cracking. The hash was not cracked within the testing window.