Reporting Documentation

🛡️ Methodology Checklist

• Set up engagement folder structure (00_scope through 11_archive) before testing
• Capture all screenshots: YYYY-MM-DD_HHMM_[HOST]_[FINDING]_desc.png
• Record all commands run with timestamps in testing notes
• Document scope exceptions and any deviations
• Note all evidence locations in engagement tracker spreadsheet
• Include snapshot-in-time disclaimer in report introduction
• Verify evidence completeness before beginning report drafting

---

🎯 Operational Context

Use when: Engagement complete or milestone reached — document findings with sufficient technical detail for both executive and technical audiences. Think Dumber First: Start the report template on day 1, not day 15. Fill findings as you discover them. Screenshots are evidence — capture them in the moment, not from memory. Every exploited vulnerability needs: PoC command, screenshot of impact, affected asset list. Skip when: N/A — documentation is always required.

---

⚡ Tactical Cheatsheet

Command	Tactical Outcome
mkdir -p engagement/{00_scope,01_admin,02_scans,03_enum,04_exploitation,05_privesc,06_lateral-movement,07_credentials,08_screenshots,09_findings,10_report,11_archive}	Create standard engagement folder structure
script -a engagement/01_admin/terminal-session-$(date +%F-%H%M).log	Start terminal logging session
sudo nmap -Pn -sS -sV -sC -oA engagement/02_scans/nmap-initial [TARGET_IP]	Nmap with all output formats saved (-oA)
sudo nmap -Pn -p- --min-rate 5000 -oA engagement/02_scans/nmap-full-tcp [TARGET_IP]	Full TCP port scan with output preserved
date | tee engagement/03_enum/[TARGET_IP]/timestamp.txt	Timestamp evidence at each host
whoami /all > whoami-all.txt; hostname > hostname.txt; ipconfig /all > ipconfig-all.txt	Save Windows proof artifacts
tar -czvf engagement-backup-$(date +%F).tar.gz engagement/	Daily evidence backup archive
rsync -avh engagement/ /mnt/shared/engagement/	Sync evidence to backup storage
curl ifconfig.me	Confirm current public IP for source IP documentation
ip addr show tun0	Get VPN IP for metadata documentation

---

🔬 Deep Dive & Workflow

Engagement Folder Structure

engagement/
├── 00_scope/
│   ├── signed_scope.pdf
│   ├── rules_of_engagement.pdf
│   ├── in_scope_targets.txt
│   ├── out_of_scope_targets.txt
│   ├── source_ips.txt
│   └── testing_window.txt
├── 01_admin/
│   └── testing_metadata.md
├── 02_scans/          ← nmap -oA output (3 files per scan)
├── 03_enum/           ← per-host enumeration output
├── 04_exploitation/
├── 05_privesc/
├── 06_lateral-movement/
├── 07_credentials/
├── 08_screenshots/
├── 09_findings/       ← one file per finding + tracker
├── 10_report/
└── 11_archive/

Testing Metadata Template

# Testing Metadata
 
## Engagement
- Client: [CLIENT_NAME]
- Type: Internal / External / Web App / AD
- Tester(s): [TESTER_NAME]
- Testing Window: [START_DATE] to [END_DATE]
 
## Source IPs
- VPN IP: [VPN_IP]
- Public IP: [PUBLIC_IP]
- Internal Testing Host: [INTERNAL_IP]
 
## Special Considerations
- Testing over VPN: Yes/No
- EDR/AV status: Enabled/Disabled/Unknown
- Explicit exclusions: [OUT_OF_SCOPE_HOSTS]

Evidence Quality Standards

Evidence Type	Required	Screenshot Alone Sufficient?
Command output	Yes	No — need raw output too
Target ownership proof	Yes	Yes (if URL/hostname visible)
Privilege proof (whoami)	Yes	Yes + hostname context
Credential capture	Yes	No — need packet capture or raw file
Exploitation impact	Yes	Preferred with terminal output

Screenshot naming: YYYY-MM-DD_HHMM_[HOST]_[FINDING]_description.png

Key Reporting Principles

• Snapshot disclaimer: “This report represents a snapshot in time during the testing period.”
• Source IPs: Document all VPN/public/internal IPs used for testing.
• Scope from file: nmap -Pn -iL 00_scope/in_scope_targets.txt — never scan from memory.
• Exclusions: Always ask client for explicit out-of-scope systems (fragile/OT/regulated).
• Incident preservation: If client claims outage, immediately archive: timestamps, scope docs, scan output, source IPs.

Screenshot Checklist

Take screenshots at:

✓ Initial access
✓ Successful authentication
✓ Exploit execution
✓ Privilege escalation (whoami /priv, id)
✓ Sensitive file access
✓ Domain compromise (domain admin whoami)
✓ Flag/proof capture
✓ Configuration proof (registry, config file)

Findings Tracker Template

| ID | Finding | Host(s) | Severity | Status | Evidence |
|----|---------|---------|----------|--------|----------|
| F-001 | [FINDING_NAME] | [HOST] | Critical/High/Medium/Low | Draft | [PATH] |

---

🛠️ Troubleshooting & Edge Cases

Problem	Cause	Fix
Screenshot evidence lost	Terminal closed before capture	Use script command to log entire session: script -a /tmp/engagement.log; keep running throughout
Cannot reproduce finding for documentation	Exploit required specific timing	Document the conditions; note intermittent reproducibility; include error conditions too
Executive summary too technical	Audience mismatch	Executive summary = business impact + risk rating; Technical section = commands + screenshots; keep separate
Finding severity unclear	CVSS vs contextual risk	CVSS gives base score; adjust for environment: DA-level impact is Critical regardless of CVSS
Remediation too generic	Copy-paste recommendations	Tailor recommendations to client environment: specific GPO names, CIS benchmark control numbers, vendor docs

---

📝 Reporting Trigger

Finding Title: Penetration Test Report — Comprehensive Finding Documentation Impact: N/A — reporting process documentation. Root Cause: N/A — operational reference. Recommendation: Use structured report template with Executive Summary, Scope, Methodology, Findings (CVSS-scored, with PoC and remediation), and Appendices. Ensure each finding maps to a specific asset with reproducible evidence. Provide both immediate remediation steps and strategic recommendations.

---

🔗 Related Nodes

• Reporting_Findings_Types
• Linux_PrivEsc_Enumeration
• Windows_PrivEsc_Enumeration