Note taking methodology for pentesting

28289/01/28

Sam V.

For pentesting, note taking is key: it saves time in the long run, and sometimes it even makes the difference in an audit.

There are lots of good resources and tools for quickly getting the right commands and knowing what to do. After doing a lot of CTFs, I found that the more organized your information and methodology are, the quicker you will be when performing audits.

Here are some notes and methodologies that really helped me perform well in my OSCP certification and audits. They may be helpful to some people, but everyone is different, so I recommend building your own notes and methodologies from various inputs.

Custom notes

This is by far the best thing to do, in my opinion: when you are used to your notes you can navigate through them quickly, and you can write down things you will not see elsewhere.

For example here’s a repo with some of my notes:

Mindmaps

Mindmaps are really good for seeing visually where you are and what is left to do during a pentest. I like to use some really well-made mindmaps for things involving a lot of steps, like full enumeration and AD pentesting.

Wikis and lists

Online wikis and public lists are great for learning new stuff, or for quickly trying things you have never done before. The amount of information can be overwhelming sometimes, but when you are stuck and do not know what to do next, they can help you a lot.

Enumeration

Having a good enumeration methodology is, in my opinion, one of the most important things to have. You can spend hours learning how to exploit a flaw once you have spotted it, but if you never see it in the first place, you will miss a lot.

I have one enumeration checklist that I use for almost everything; once you are used to it, it becomes a routine. My enum note may look disorganized to some people, but I am so used to it that I know how to go through all of it quickly.

If possible I define aliases and use them in commands to save time, and if I have to enumerate different targets I just spawn another terminal.

export IP=10.11.1.141
nmap -sC -sV -T4 -Pn $IP > simple.txt

I also like to store output in a file, so I can go back to it later.
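As an added example (not from the original post), here is a small POSIX shell helper that turns the `export IP=...` habit above into a checked, logged routine: it refuses to run unless `$IP` is a plausible IPv4 address, stores each command's output under a per-target directory, and appends a timestamped line to a commands.log so the report can cite exactly what was run and when. The `WORKDIR` variable, the `check_ip` and `run_logged` names and the directory layout are my assumptions, not the author's.

```sh
#!/bin/sh
# Added example, not the post author's code. Assumptions: the target address
# is exported in $IP as in the post, and per-target output is kept under
# $WORKDIR (default ./targets).

set -u

WORKDIR="${WORKDIR:-./targets}"

# Return 0 only for exactly four dot-separated decimal octets in 0..255, so a
# typo in $IP never sends a scan to the wrong host.
check_ip() {
    ip="${1:-}"
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*|"") return 1 ;;
    esac
    n=0
    oldifs="$IFS"; IFS=.
    for o in $ip; do
        n=$((n + 1))
        [ "$o" -le 255 ] || { IFS="$oldifs"; return 1; }
    done
    IFS="$oldifs"
    [ "$n" -eq 4 ]
}

# run_logged NAME CMD ARGS...: run CMD, save stdout+stderr to
# $WORKDIR/$IP/NAME.txt, and record the exact command line, start time and
# exit status in $WORKDIR/$IP/commands.log.
run_logged() {
    name="$1"; shift
    check_ip "${IP:-}" || { echo "IP is not set to a valid IPv4 address" >&2; return 2; }
    dir="$WORKDIR/$IP"
    mkdir -p "$dir"
    out="$dir/$name.txt"
    printf '%s  %s  %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$name" "$*" >> "$dir/commands.log"
    "$@" > "$out" 2>&1 && status=0 || status=$?
    printf '%s  %s  exit=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$name" "$status" >> "$dir/commands.log"
    return "$status"
}

# Usage (the nmap line is the one from the post):
#   export IP=10.11.1.141
#   run_logged simple nmap -sC -sV -T4 -Pn "$IP"
# -> output in ./targets/10.11.1.141/simple.txt, command line in commands.log
```

Source the file and call `run_logged simple nmap -sC -sV -T4 -Pn "$IP"` instead of the bare redirect; the output lands in the same kind of file as before, and the log keeps the exact arguments used, which is what you need when writing the report weeks later.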

Sharing data and files over the network

Aliases

I have a lot of aliases for pretty much everything; once you are used to CTFs and some types of machines, you can use (almost) the same commands all the time:

export IP=10.11.1.141
nmap -sC -sV -T4 -Pn $IP > simple.txt
# enum
alias nsimple='nmap -sC -sV -T4 -Pn $IP > simple.txt'
alias nhardcore='sudo nmap -sSVC --script=vuln* -Pn -p- -T5 -oA scan $IP > hardcore.txt'
alias nudp='sudo nmap -sU -sV -sC -n -F -T4 $IP > udp.txt'
alias nsmb='nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse,smb-vuln*  $IP > smb.txt'
alias nnfs='nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount $IP'
alias nsmtp='nmap -p 25 --script=smtp-enum-users,smtp-open-relay,smtp-commands $IP'

## python server on port 80 (http.server defaults to 8000 without the port argument)
alias serv='sudo python3 -m http.server 80'

# searchsploit
alias sp='searchsploit'

I even have aliases to quickly open my notes and txt files containing commands; you could also just cat and grep these files to get the right command once you really know your notes:

# Doc
alias cracking='vim /home/gento/sync/oscp/cracking/hash.txt '
alias enum='vim  /home/gento/sync/oscp/enum.txt'
alias exploits='vim  /home/gento/sync/oscp/exploits.txt'
alias revshells='vim  /home/gento/sync/oscp/revshells/revshells.txt'
alias privesc='vim  /home/gento/sync/oscp/privesc/methodo.txt'
alias pullandpush='vim /home/gento/sync/oscp/windows/pullandpush.txt'
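Alias files grow over time, and it is easy to end up with a definition repeated twice or a shortcut pointing at a note that has since moved. The following shell functions are an added example, not part of the original post: they list alias names defined more than once in a file, and aliases that open a file (vim, vi, cat, less) which does not exist on disk. The function names and the one-`alias name='...'`-per-line layout are assumptions.

```sh
#!/bin/sh
# Added example, not the post author's code. Assumed input: a file with one
# "alias name='command'" per line, like the lists in the post.

# Print every alias name that is defined more than once.
duplicate_aliases() {
    grep -E '^[[:space:]]*alias [A-Za-z0-9_]+=' "$1" \
        | sed -E 's/^[[:space:]]*alias ([A-Za-z0-9_]+)=.*/\1/' \
        | sort | uniq -d
}

# Print "name path" for every alias that opens a note file which is missing,
# so a broken shortcut is found before an engagement, not during it.
missing_note_files() {
    grep -E "^[[:space:]]*alias [A-Za-z0-9_]+='(vim|vi|cat|less) +" "$1" \
    | while IFS= read -r line; do
        name=$(printf '%s' "$line" | sed -E "s/^[[:space:]]*alias ([A-Za-z0-9_]+)=.*/\1/")
        path=$(printf '%s' "$line" | sed -E "s/^[[:space:]]*alias [A-Za-z0-9_]+='(vim|vi|cat|less) +([^' ]+).*/\2/")
        [ -e "$path" ] || printf '%s %s\n' "$name" "$path"
    done
}

# Report both kinds of problem; return 0 only when the file is clean.
check_aliases() {
    dups=$(duplicate_aliases "$1")
    missing=$(missing_note_files "$1")
    [ -z "$dups" ] || printf 'duplicate alias: %s\n' $dups
    [ -z "$missing" ] || printf '%s\n' "$missing" | sed 's/^/missing note file: /'
    [ -z "$dups" ] && [ -z "$missing" ]
}

# Usage: check_aliases ~/.bash_aliases && echo "aliases look fine"
```

Run it against the alias file before sourcing it in a new shell; a non-zero exit means at least one duplicate or dangling note path was printed.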

Use containers or similar tools for time consuming tools setup or installation

Some tools can be used in seconds, but others are a pain to set up. To avoid losing time, I really like to use containers, for example for pentesting Active Directory with BloodHound:

bloodhound-python -d heist.offsec -u enox -p california -ns 192.168.209.165  -c all
xhost + && sudo docker run -it --rm -v /tmp/.X11-unix/:/tmp/.X11-unix -e DISPLAY=$DISPLAY --network host --device /dev/dri/card0 --name bloodhound bannsec/bloodhound

With this I can quickly use a pre-made BloodHound setup, avoid configuration issues and save a lot of time. It allows me to quickly set up a BloodHound server and redirect the display with xhost. After that I just have to run SharpHound on the target machine and move the JSON into the BloodHound container with docker cp.

Document your exploits, and quickly build these or make them available on a machine or a remote server

Documenting exploits can be very time consuming and may seem pointless, but you may face issues when compiling or using your exploit that you will not find on the internet. Some environments will be very different, and if you document this you will know exactly what to do when you face a new environment.

Another good thing to do is to set up a remote server with binaries and precompiled exploits alongside their source files, so you can quickly pull and use these exploits on your target machines.
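An added example (not the author's own setup) of the documentation habit this section describes, written for a directory of precompiled binaries: each binary may carry a NAME.notes sidecar whose first line records the build command and target environment. write_manifest produces a MANIFEST.txt with the SHA-256 of each file plus that summary, marking binaries without notes as UNDOCUMENTED, and verify_manifest checks the files pulled back from the server against the manifest so a stale or altered copy is noticed before it is used. The sidecar convention and the function names are assumptions.

```sh
#!/bin/sh
# Added example, not the post author's code. Assumed layout: a directory of
# binaries, each optionally with a NAME.notes file whose first line summarises
# how it was built and for which environment.

# SHA-256 of one file, using whichever tool the machine has.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Write DIR/MANIFEST.txt with one line per binary: "<sha256>  <name>  <summary>".
# A binary with no .notes sidecar gets the summary UNDOCUMENTED so the gap is
# visible instead of silently forgotten.
write_manifest() {
    dir="$1"
    : > "$dir/MANIFEST.txt"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        case "$name" in MANIFEST.txt|*.notes) continue ;; esac
        if [ -f "$f.notes" ]; then
            summary=$(head -n 1 "$f.notes")
        else
            summary="UNDOCUMENTED"
        fi
        printf '%s  %s  %s\n' "$(hash_file "$f")" "$name" "$summary" >> "$dir/MANIFEST.txt"
    done
}

# Compare every manifest entry with what is on disk now. Prints MISSING or
# MODIFIED per problem and returns 1 if any was found, 0 if all match.
verify_manifest() {
    dir="$1"; bad=0
    while read -r sum name rest; do
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"; bad=1
        elif [ "$(hash_file "$dir/$name")" != "$sum" ]; then
            echo "MODIFIED $name"; bad=1
        fi
    done < "$dir/MANIFEST.txt"
    return "$bad"
}

# Number of binaries that still lack a .notes file.
undocumented() {
    grep -c 'UNDOCUMENTED$' "$1/MANIFEST.txt" || true
}

# Usage:
#   write_manifest ~/exploits          # run on the server after adding a build
#   verify_manifest ~/exploits || echo "do not trust this copy"
```

Regenerate the manifest on the server whenever a binary is rebuilt, keep the manifest next to the binaries, and run verify_manifest on the copy you pull down; the UNDOCUMENTED count is a handy reminder of which exploits still need their build notes written.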

Get your reverse shells for all languages and situations

Sure, you can build reverse shells with Metasploit or an online website, but if you really know what kind of reverse shells you will need, you will save a lot of time.

For PHP, I almost always use the pentestmonkey reverse shell, as it worked almost everywhere and did not require a lot of tweaking. But sometimes you will really have to play with the commands and arguments to make a reverse shell that works.