Chapter 11. Data Gathering and Reporting

As painful as it may seem, every step of the penetration test must be properly documented. This not only makes the results accurate and repeatable, but also lets someone else double-check the work and ensure nothing was missed during testing. As penetration testing becomes more common, testing teams are becoming more segmented and specialized. There may be one person on a team who is specialized in application penetration testing and another who is a post-exploitation genius. One thing that does not change from role to role is the need for proper documentation and reporting.

Luckily, there are tools available to the community that reduce the overall pain of documenting every single step, command, and result of a penetration test. With proper usage of these tools, documentation will become second nature.

This chapter introduces the usage of tools and techniques that can make documenting the testing progress less painful and report writing easier:

  • Simple text editors
  • Revisiting Dradis—time to collaborate
  • A report overview

Before we get started with the fun stuff, we need to review the basics. These methods are tried and true and seldom go wrong. Efficiency aside, these methods just work.

Record now – sort later

Nearly everything discussed in this book has been possible via the Kali command line. Now, wouldn't it be nice to just have every single input and output recorded for you? Obviously, this will not be the pinnacle of penetration testing record keeping, but having such a log could end up saving you trouble in the long run.

# script pentest.log

The Linux script command records the terminal session to the named file, so most of the commands used during testing, along with their output, end up in the log.
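
The following wrapper around script is an added example, not code from the book. It gives each session its own timestamped log, keeps the file private because it can capture credentials typed or displayed during testing, and hashes it when the session ends so a later reviewer can confirm the record is unchanged. The function names, the file naming scheme, and the .sha256 sidecar file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: per-session logging with script(1) plus an integrity hash.
# Function names and file layout are hypothetical, not from the book.

# Print a log path of the form <dir>/<label>_<UTC timestamp>.log
session_log_path() {
    printf '%s/%s_%s.log\n' "$1" "$2" "$(date -u +%Y%m%dT%H%M%SZ)"
}

# Record the SHA-256 of a finished log next to it and make the log read-only.
seal_log() {
    seal_dir=$(dirname "$1")
    seal_base=$(basename "$1")
    ( cd "$seal_dir" && sha256sum "$seal_base" > "$seal_base.sha256" ) || return 1
    chmod 400 "$1"
}

# Return 0 only if the log still matches the hash recorded by seal_log.
verify_log() {
    verify_dir=$(dirname "$1")
    verify_base=$(basename "$1")
    ( cd "$verify_dir" && sha256sum -c "$verify_base.sha256" >/dev/null 2>&1 )
}

# Start a recorded shell; the log is sealed when that shell exits.
# Usage: start_recorded_session ~/engagements/client-a recon
start_recorded_session() {
    mkdir -p "$1" || return 1
    session_log=$(session_log_path "$1" "$2")
    # Create the file with owner-only permissions before script writes to it.
    ( umask 077; : > "$session_log" ) || return 1
    # -q: no start/stop banner, -f: flush after each write, -a: append.
    script -q -f -a "$session_log"
    seal_log "$session_log"
}
```

Run verify_log on a log before quoting from it in the report; a non-zero exit status means the file no longer matches what was recorded at the end of the session.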
