
Documentation and reporting for pentests

Goals of documentation and reporting

  • to give the client evidence they can use to troubleshoot an issue.
  • to avoid scrambling to redo testing after losing evidence, or having to ask the client for more time.
  • to cover ourselves, because any network issue during a penetration test tends to be blamed on the tester regardless of whether it is a result of their activities.

Notetaking

Concept of notetaking:

Notetaking: the collection of piece-wise evidence that could later be put into the final report.

Notetaking Sample Structure:

  • Attack Path: An outline of the entire path if you gain a foothold during an external penetration test or compromise one or more hosts (or the AD domain)
  • Credentials
  • Findings: screenshots and command outputs that are valuable to keep
  • Vulnerability Scan Research
  • Service Enumeration Research: investigation including failed exploitation
  • Web Application Research: findings from web applications, including subdomain brute-forcing, scanning for common web ports on internal assessments, and running a tool such as Aquatone or EyeWitness to screenshot all applications.
  • AD Enumeration Research
  • OSINT
  • Administrative Information: contact information for other project stakeholders like Project Managers (PMs) or client Points of Contact (POCs), unique objectives/flags defined in the Rules of Engagement (RoE), etc.
  • Scoping Information: in-scope IP addresses/CIDR ranges, web application URLs, and any credentials for web applications, VPN, or AD provided by the client.
  • Activity Log: High-level tracking of everything you did during the assessment for possible event correlation.
  • Payload Log: payloads used, with a file hash and the upload location for anything uploaded to a client host.
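The Activity Log and Payload Log entries above are easiest to keep honest when writing them is a one-liner. The following POSIX shell helpers are an added example, not code from the original post: they append a UTC-timestamped, tab-separated line to an activity log, and record the SHA-256 and upload location of every payload so the client can later locate and remove exactly that file. The notes directory name, the log file names and the column layout are my own assumptions.

```shell
#!/bin/sh
# Activity-log and payload-log helpers (added example, not from the original
# post). Assumptions: NOTES_DIR holds the per-engagement notes, and either
# sha256sum or shasum is available on the testing box.
NOTES_DIR="${NOTES_DIR:-$HOME/engagement-notes}"

# Portable SHA-256 of a file; prints only the hex digest.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Append one activity entry: UTC time, host we acted from, target, description.
# The timestamp is what lets the client correlate our actions with their own
# monitoring or outage timeline later.
log_activity() {
    # usage: log_activity <source_host> <target> <description>
    mkdir -p "$NOTES_DIR"
    printf '%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" "$3" \
        >> "$NOTES_DIR/activity.log"
}

# Record a payload: UTC time, local path, SHA-256, and where it was uploaded.
# Prints the hash so it can be pasted straight into the findings notes.
log_payload() {
    # usage: log_payload <local_file> <upload_location>
    mkdir -p "$NOTES_DIR"
    hash=$(file_sha256 "$1")
    printf '%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$hash" "$2" \
        >> "$NOTES_DIR/payloads.log"
    echo "$hash"
}
```

Usage is `log_activity tester-vm 10.0.0.5 "port scan"` and `log_payload ./shell.aspx "https://host/uploads/shell.aspx"` from the shell you are working in. Tab-separated lines were chosen so the logs can be pasted into a spreadsheet or grepped by hash when the client asks "which of these files were yours?" during cleanup.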

Tmux logging

Save every single thing that we type into a Tmux pane to a log file.
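One way to do this without a plugin is tmux's built-in `pipe-pane`, which mirrors everything a pane displays into a shell command. The script below is an added example, not code from the original post: it derives a per-pane log file name from the session, window index and pane index, then toggles `pipe-pane` so the pane's output is appended to that file. The log directory and file-name layout are my own assumptions.

```shell
#!/bin/sh
# Per-pane tmux logging via pipe-pane (added example, not from the original
# post). Assumptions: tmux_start_logging is run from inside a tmux pane, and
# TMUX_LOG_DIR is where the logs should go.
TMUX_LOG_DIR="${TMUX_LOG_DIR:-$HOME/tmux-logs}"

# Deterministic log path from session, window, pane and a timestamp, so each
# pane gets its own file and restarting logging never overwrites an old log.
tmux_log_path() {
    # usage: tmux_log_path <session> <window_index> <pane_index> <timestamp>
    printf '%s/%s-%s-%s-%s.log\n' "$TMUX_LOG_DIR" "$1" "$2" "$3" "$4"
}

# Toggle logging for the current pane. pipe-pane -o starts the pipe if none
# is active and stops it if one is, so the same call turns logging on and off.
tmux_start_logging() {
    [ -n "$TMUX" ] || { echo "not inside tmux" >&2; return 1; }
    mkdir -p "$TMUX_LOG_DIR"
    # '#S #I #P' expands to session name, window index and pane index.
    ids=$(tmux display-message -p '#S #I #P')
    set -- $ids
    logfile=$(tmux_log_path "$1" "$2" "$3" "$(date -u +%Y%m%dT%H%M%SZ)")
    # 'exec cat >>' writes the pane output verbatim, escape sequences included.
    tmux pipe-pane -o "exec cat >> '$logfile'"
    echo "$logfile"
}
```

Two caveats worth knowing before relying on this as evidence: `pipe-pane` records what the terminal displays, so commands appear because the shell echoes them, but anything typed with echo off (passwords at a prompt) will not be in the log; and the file contains raw escape sequences, so view it with `less -R` or strip them before pasting into a report.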

This post is licensed under CC BY 4.0 by the author.