Documentation & Reporting

Documentation and Reporting in IT

  • Strong documentation and reporting skills are important in all areas of IT, not just penetration testing. While technical expertise is valuable, the ability to effectively communicate your findings is equally important.

  • In penetration testing, the report is often the only part of the assessment the client sees. This report is based on our notes, tool outputs, and logs.

  • Being thorough and detailed in your notetaking is always beneficial.

  • Although there's no one-size-fits-all approach to notetaking due to the unique nature of each project, the following structure covers the essential elements and can be tailored to fit your specific needs and workflow:

    • Attack Path: A clear outline of the entire attack path, supported by screenshots.

    • Credentials: A centralized location for compromised credentials and secrets.

    • Findings: Create a subfolder for each finding, including detailed descriptions, evidence such as screenshots, and command outputs.

    • Service Enumeration & Vulnerability Scan Research: Notes on scanned items and a history of actions taken to avoid redundancy.

    • Web Application Research: Notes on interesting web application findings, such as subdomains and notable directories.

    • AD Enumeration Research: Documentation of steps taken and interesting findings related to Active Directory.

    • OSINT: Tracking of noteworthy OSINT findings.

    • Administrative Information: Details about points of contact, project managers, rules of engagement, etc.

    • Scoping Information: All scope-related data, including IP addresses, CIDR ranges, URLs, VPN credentials, etc.

    • Activity Log: High-level tracking of all assessment activities for potential event correlation.

    • Payload Log: Records of payloads used, including uploaded files and their hashes for future reference.

  • There are numerous notetaking applications available, such as CherryTree, Notion, Obsidian, and GitBook.

  • When choosing a notetaking application, consider whether the data is stored in the cloud or locally. Cloud-synced notes are fine for CTFs and practice, but for real engagements keep the data on local (or otherwise approved) storage, since it will contain credentials and findings the client trusts you to protect.

  • Log every command you run; it makes reproduction steps and the report far easier to assemble. The tmux-logging plugin (or the script utility) can capture a whole terminal session automatically.

  • In addition to your commands, document every artifact you leave behind, such as uploaded files, created accounts, and configuration changes. For each one record the host’s IP address, the timestamp, the location of the change, the application or service involved, the account used, and a file hash where applicable. Also note whether you cleaned the artifact up or whether the customer needs to handle it.

Evidence

  • Always include evidence for each finding, such as screenshots and reproduction steps.

Storage

  • It’s beneficial to organize your project directory to mirror your notetaking structure. For example, using the command:

mkdir -p <Project-Name>/{Admin,Deliverables,Evidence/{Findings,Scans/{Vuln,Service,Web,'AD Enumeration'},Notes,OSINT,Wireless,'Logging output','Misc Files'},Retest}
  • This creates a structured directory as follows:

├── Admin
├── Deliverables
├── Evidence
│   ├── Findings
│   ├── Logging output
│   ├── Misc Files
│   ├── Notes
│   ├── OSINT
│   ├── Scans
│   │   ├── AD Enumeration
│   │   ├── Service
│   │   ├── Vuln
│   │   └── Web
│   └── Wireless
└── Retest
  • When taking screenshots, always redact sensitive information such as credentials or PII. Consider using terminal output instead of screenshots, as this allows for easier redaction, removal of unnecessary information (using <SNIP>), and highlighting of important details with different styling, like red or bold text.

  • Remember, the client trusts you to protect sensitive information. For instance, if you discover a vulnerability granting access to a directory with sensitive customer data, it’s better to screenshot the directory listing rather than the files themselves.
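Redacting raw terminal output before it goes into the report is easy to automate and far more reliable than blurring screenshots. This added example (written for these notes, not taken from the HTB module) runs a few ordered regular expressions over a constructed sample of tool output: it strips LM/NT hashes from secretsdump-style lines, the password from a CrackMapExec success line (together with the "(Pwn3d!)" tag mentioned under Tips and Tricks below), key=value secrets, and HTTP Basic Authorization headers. Every hash, password and host in the sample is made up.

```python
import re

# Constructed sample of raw tool output as it might be pasted from a console.
# All credentials, hashes and hosts are invented for this example.
RAW_OUTPUT = """\
SMB  10.10.10.5  445  DC01  [+] corp.local\\svc_backup:Winter2024! (Pwn3d!)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
GET /api/login?user=bob&password=hunter2 HTTP/1.1
Authorization: Basic Ym9iOmh1bnRlcjI=
Found 4 hosts with SMB signing disabled
"""

# Applied in order; each pair is (compiled pattern, replacement).
REDACTIONS = [
    # secretsdump / hashdump style "user:rid:LM:NT:::" - keep user and RID, drop both hashes
    (re.compile(r"^([^:\s]+:\d+:)[0-9a-fA-F]{32}:[0-9a-fA-F]{32}(:::)$", re.M),
     r"\1<LM-REDACTED>:<NT-REDACTED>\2"),
    # CrackMapExec/NetExec success line: hide the password and drop the "(Pwn3d!)" tag
    (re.compile(r"(\[\+\] \S+?:)\S+( \(Pwn3d!\))?"), r"\1<REDACTED>"),
    # key=value or "key: value" secrets in URLs, configs and command lines
    (re.compile(r"(?i)\b(pass(?:word)?|pwd|secret|token)(=|:\s*)\S+"), r"\1\2<REDACTED>"),
    # HTTP Basic credentials (Base64 of user:password, trivially reversible)
    (re.compile(r"(?i)(Authorization:\s*Basic\s+)\S+"), r"\1<REDACTED>"),
]


def redact(text: str) -> str:
    """Apply each redaction pattern in order and return the sanitised text."""
    for pattern, replacement in REDACTIONS:
        text = pattern.sub(replacement, text)
    return text


if __name__ == "__main__":
    print(redact(RAW_OUTPUT))
```

Run the cleaned text through a final manual read before it goes into the report; pattern lists like this catch the common formats, but a new tool or an unusual output layout can still leak a secret the patterns never anticipated.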

Types of Reports

  • While we provided a general notetaking structure earlier, it’s adaptable. The specific format of notes and reports will vary depending on the type of assessment.

  • For instance, a report for an automated vulnerability scan differs from a penetration testing report, and network penetration testing reports differ from web penetration testing reports.

  • Retesting reports also require a unique format, focusing solely on verifying previous findings rather than assessing the entire system or new features. Some prefer updating the original report with status tags for each finding (e.g., resolved, unresolved, partial), while others issue a new report with comparison content and an updated executive summary.

  • Occasionally, we may discover a critical flaw necessitating immediate client notification. In such cases, a draft report may be issued, especially for directly exploitable vulnerabilities exposed to the internet. These notifications should be concise, allowing technical staff to quickly address the issue.

  • Every element in the report should serve a purpose, avoiding unnecessary information that could overwhelm the reader.

Report Content

Executive Summary

  • The Executive Summary is a critical component of the report, intended for non-technical stakeholders responsible for budgeting and decision-making. It should be concise and accessible.

Tips for the Executive Summary:

  • Use specific metrics rather than vague terms (e.g., use exact numbers instead of "multiple").

  • Keep it brief, ideally less than 1.5-2 pages.

  • Describe accessed resources in non-technical terms (e.g., "accessed HR documents" instead of "accessed DC").

  • If feasible, provide a general estimate of the effort required for remediation.

  • Avoid recommending specific vendors; suggest technologies instead (e.g., "install an EDR" not "install CrowdStrike EDR").

  • Do not use acronyms or reference technical sections of the report.

  • Use layman’s terms for technical concepts (e.g., "a protocol for secure remote administration" instead of "VPN" or "SSH").

Summary of Recommendations

  • Including a Summary of Recommendations or Remediation Summary is advisable. This section should outline short, medium, and long-term recommendations based on the findings and the client’s current environment.

  • Each recommendation should be linked to a specific finding and should only include actionable items related to the reported findings. For example, if a missing patch is identified, the short-term recommendation is to apply the patch, while the long-term recommendation might involve reviewing and improving patch and vulnerability management processes to prevent recurrence.

The Attack Chain

  • Sometimes the situation might require detailing the attack chain, such as the steps to gain initial access, move laterally, and compromise the domain. Presentation styles may vary, but an effective approach is to begin with a summary of the attack chain, followed by a step-by-step walkthrough supported by command outputs and screenshots for clarity.

Findings

  • Following the Executive Summary, the Findings section is paramount, providing the core content of the report. Detailed findings enable technical teams to reproduce and address issues effectively.

Each finding should include:

  • A description of the finding and the affected platforms.

  • The potential impact if the finding remains unresolved.

  • A list of affected systems, networks, environments, or applications.

  • Recommendations for remediation.

  • Reference links for further information on the finding and its resolution.

  • Steps to reproduce the issue, accompanied by collected evidence.

Tips When Writing the Findings

  • Consider the client’s perspective when presenting information. For web application vulnerabilities, provide payloads or code snippets that can be copied and tested, rather than just screenshots.

  • Ensure that evidence is irrefutable. For example, to demonstrate cleartext credential transmission due to HTTP Basic authentication, include a screenshot of the login prompt with dummy credentials and a Wireshark capture of the request showing the Authorization header, whose Base64 value decodes straight back to those credentials.

  • Recommendations should be specific and actionable. Avoid vague suggestions like "Reconfigure your registry settings to harden against X." Instead, provide detailed instructions, such as:

    • "To fully remediate this finding, update the following registry keys with the specified values. Exercise caution and test changes in a controlled environment before widespread implementation.

    • [List the full paths to the affected registry keys]

    • Change value X to value Y."

  • Include external references for each finding, preferring vendor-agnostic sources that are concise and from reputable websites. If possible, contribute your own insights through blogging or other publications.

Appendices

  • Certain appendices are essential for every report, while others are included based on the assessment’s specifics.

Essential Appendices:

  • Scope: Details the assessment’s scope, including URLs, network ranges, facilities, etc.

  • Methodology: Describes the consistent and thorough process followed during the assessment.

  • Severity Ratings: If not using standard severity scales like CVSS, define the criteria for your severity levels.

  • Biographies: For PCI compliance assessments, include biographies of the assessment personnel to demonstrate their qualifications.

Dynamic Appendices:

  • Exploitation Attempts and Payloads: Document your actions to help distinguish between your testing and potential real attacks.

  • Compromised Credentials: List compromised accounts if numerous, or note if all domain accounts were affected, to guide client remediation.

  • Configuration Changes: Itemize any changes made to the client’s environment, allowing them to revert changes and mitigate introduced risks.

  • Additional Affected Scope: For findings affecting numerous hosts, reference an appendix with a comprehensive list, possibly in a table format.

  • Information Gathering: For external penetration tests, provide data on the client’s external footprint, such as whois data, domain information, subdomains, emails, and accounts from public breach data.

Tips and Tricks

  • Utilize templates for each assessment type to streamline report creation.

  • If using Word, consider macros for automation.

  • Leverage reporting tools like Ghostwriter, Dradis, VECTR, WriteHat, or SysReptor to simplify the process.

  • Craft your report to tell a story, explaining the significance and impact of findings.

  • Write the report progressively during the assessment, not just at the end.

  • Maintain organization by keeping notes and evidence in chronological order.

  • Provide ample evidence without being overly verbose.

  • Enhance screenshots with annotations (e.g., using Greenshot) and include explanations as needed.

  • Redact sensitive information, including passwords, hashes, and client-sensitive data.

  • Edit tool outputs to remove unprofessional elements (e.g., the "(Pwn3d!)" tag that CrackMapExec/NetExec appends to successful logins).

  • Ensure proper grammar, spelling, and consistent formatting; define acronyms upon first use.

  • Use clear, focused screenshots without extraneous screen elements.

  • Prefer raw command output over screenshots when possible; when you do screenshot a console, use an opaque (non-transparent) terminal background and a clean, professional colour scheme.

  • Implement a quality assurance (QA) process with at least one, preferably two, reviewers. If the report was written carefully, QA should only need to make minor corrections rather than major revisions.

  • Adhere to a style guide for consistency across reports.

  • Enable autosave in notetaking and word processing tools to prevent data loss.

  • Automate repetitive tasks where feasible.
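Several of the tips above (exact numbers in the Executive Summary, an Additional Affected Scope appendix for findings with many hosts, templates and automation) come together if findings are kept in a structured file and the summary material is generated from it. The following is an added example for these notes, not a tool from the HTB module or the page’s author: it loads a constructed findings list, assigns severities using the standard CVSS v3.x qualitative scale (a score of 0.0 is labelled Informational here by convention), and produces an executive-summary sentence and a Markdown findings table that defers long host lists to an appendix. The field names and the sample findings are assumptions.

```python
import json
from collections import Counter

# Constructed findings file in the shape the Findings section describes.
# Titles, scores and hosts are made up for this example.
FINDINGS_JSON = """
[
  {"id": "F-01", "title": "Missing MS17-010 patch", "cvss": 9.8,
   "affected": ["10.10.10.5", "10.10.10.7"],
   "recommendation": "Apply the vendor patch; review the patch management process."},
  {"id": "F-02", "title": "Cleartext credentials over HTTP Basic authentication", "cvss": 7.5,
   "affected": ["intranet.corp.local"],
   "recommendation": "Serve the application over TLS only."},
  {"id": "F-03", "title": "SMB signing not required", "cvss": 5.3,
   "affected": ["10.10.10.5", "10.10.10.7", "10.10.10.9", "10.10.10.12"],
   "recommendation": "Enforce SMB signing via Group Policy."}
]
"""

SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Informational"]


def severity(score: float) -> str:
    """CVSS v3.x qualitative scale; 0.0 is reported as Informational here."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "Informational"


def load_findings(text: str) -> list:
    """Parse the findings JSON, attach severities, and sort highest risk first."""
    findings = json.loads(text)
    for f in findings:
        f["severity"] = severity(f["cvss"])
    return sorted(findings,
                  key=lambda f: (SEVERITY_ORDER.index(f["severity"]), -f["cvss"], f["id"]))


def severity_counts(findings: list) -> dict:
    """Count findings per severity, always listing every level (zero included)."""
    counts = Counter(f["severity"] for f in findings)
    return {s: counts.get(s, 0) for s in SEVERITY_ORDER}


def summary_sentence(findings: list) -> str:
    """Executive-summary style sentence with exact numbers instead of 'multiple'."""
    counts = severity_counts(findings)
    parts = [f"{n} {s.lower()}" for s, n in counts.items() if n]
    hosts = {h for f in findings for h in f["affected"]}
    return (f"The assessment identified {len(findings)} findings "
            f"({', '.join(parts)}) across {len(hosts)} affected systems.")


def findings_table(findings: list, inline_limit: int = 3) -> str:
    """Markdown table for the Findings section; long host lists go to an appendix."""
    rows = ["| ID | Severity | CVSS | Finding | Affected |",
            "|---|---|---|---|---|"]
    for f in findings:
        hosts = f["affected"]
        affected = (", ".join(hosts) if len(hosts) <= inline_limit
                    else f"{len(hosts)} hosts (see Appendix)")
        rows.append(f"| {f['id']} | {f['severity']} | {f['cvss']} | {f['title']} | {affected} |")
    return "\n".join(rows)


if __name__ == "__main__":
    fs = load_findings(FINDINGS_JSON)
    print(summary_sentence(fs))
    print(findings_table(fs))
```

Keeping findings in a structured file also pays off at retest time: the same records can be re-emitted with a status column (resolved, unresolved, partial) instead of the report being rewritten from scratch.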

Client Communication

  • At the engagement’s outset, send a start notification email containing:

    • Tester’s name

    • Engagement type and scope description

    • Source IP address for testing (public for external tests, internal for internal tests)

    • Anticipated testing dates

    • Primary and secondary contact information (email and phone)

  • Conclude each testing day with a stop notification, potentially including a high-level summary of findings to prepare the client for the final report.

  • Maintain open communication throughout the engagement. For example:

    • If additional external assets are discovered, consult the client about expanding the scope.

    • Upon finding critical vulnerabilities, pause testing and notify the client for guidance.

    • Be transparent about any issues, such as unresponsive hosts.

  • You should be able to provide precise documentation of your activities if questioned.

Report Review Meeting

  • After delivering the report, allow the client time to review it (typically a week) and schedule a meeting to discuss findings, answer questions, and gather feedback.

Last updated 22 days ago
