Introduction to Documentation & Reporting
Introduction can be skipped for note taking but should be read.
Preparation
Notetaking & Organization
Note this is structured for a global pentest mission and should be adapted to specific needs and context. Major structural points to retain are the following (adapt single file or folder depending on the results). All of these can be regrouped in a VM and not necessarily in the same tree structure.
| Categorie | Description |
|---|---|
| Attack Path | Chain of actions used to compromise hosts, AD domain etc… Screenshots, command output to facilitate the report writing. |
| Credentials | Given credentials and the ones you found. |
| Findings | Can be linked to Attack Path during notes. Separate information found. Should be more detailed resources and note than Attack path combined. |
| Vulnerability Scan Research | Output of tools, both quick win and not resulting in anything are mandatory. Useful to show work if nothing interesting has been found during mission, very important to show the client the work has been done. |
| Service Enumeration Research | Enumeration scan results, keep screenshot and store file output for the scope given. It’s a proof of work done again. |
| Web Application Research | This is depends on context. If the mission scope is a web pentest this is not necessary since this will be your whole scope. |
| AD Enumeration Research | Same thing, as for WebApp, if the mission is an internal pentest scope with AD this shouldn’t be necessary. |
| OSINT | Not usual however it could serve in RT. |
| Administrative Information | Specific contextual administration information to a mission, Project Manager and clients contacts etc… |
| Scoping Information | Everything related to defined scope such as IP, URL, path, domain, creds |
| Activity Log | Making sure your actions are log, be it by saving your burpsuite project, history commands etc… |
| Payload Log | Note Payloads used and exploited, make sure to have a hash for each payload uploaded so it can be found and handled. |
| I use Obsidian to note everything since it also can be loaded from classic configuration and a templated folder. |
About logging
To avoid getting fucked over by clients who wants to put the blame on us for any problem happening, we need to make sure we log our activity. I’m using Tmux in my workflow so the Tmux logging recommendation is welcomed.
This part of the workflow note will be explained in my tmux setup.