I had a friend ask me today, how I document my pentests. Truthfully, I suck at documenting my pentests and shamefully, I have never fully documented a pentest as in tracking every command executed, every tool used, every machine attacked, every packet sent. Mind you, most of my pentests have been for small companies that typically do not have an incident response team and if something bad happens, one of the two or three sysadmins asks if it was my fault and they believe me when I say no.
Unfortunately, this style of pentesting can lead to a big liability. If a system goes offline while you are testing then you will likely get blamed. What if you shut down access to a revenue generating web server or an assembly line? What if it costs the company thousands or tens of thousands of dollars to bring the system back online? Would you be able to prove that you did not take the system down?
So, thinking about all this, I turned to the oracle of infosec information, Twitter, and Twitter did not disappoint. Below is a list of tools and ideas for documenting your pentest.
Network Level Documentation
Buy or build a network tap and use tcpdump or Wireshark/Tshark to capture all data coming to/from your machine(s).
Command Level Documentation
Use the script command to log all console output.
Use Metasploit’s spool command to record all Metasploit activity.
Both Burp and ZAP record all session information. Save the session before closing down.
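The network-level and command-level captures above can be tied together so every engagement leaves one dated evidence directory with a console log, timing data for replay, a packet capture and a hash manifest. This is an added example and not part of the original post; it assumes Linux with util-linux script(1), tcpdump (which needs root) and sha256sum or shasum available, and the directory and interface names are mine.

```shell
#!/bin/sh
# Added example: one evidence directory per session, with a console log,
# script(1) timing data, a pcap and a sha256 manifest of the artifacts.
# Assumptions (mine): util-linux script, tcpdump and sha256sum/shasum present.
set -eu

# Create a fresh, UTC-timestamped evidence directory and print its path.
evidence_dir() {
    d="${1:-$HOME/evidence}/$(date -u +%Y%m%dT%H%M%SZ)"
    mkdir -p "$d"
    printf '%s\n' "$d"
}

# Hash every regular file in the directory (the manifest itself excluded)
# into MANIFEST.sha256 so each artifact can be verified later.
write_manifest() {
    dir="$1"
    : > "$dir/MANIFEST.sha256"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in */MANIFEST.sha256) continue ;; esac
        if command -v sha256sum >/dev/null 2>&1; then
            sha256sum "$f" >> "$dir/MANIFEST.sha256"
        else
            shasum -a 256 "$f" >> "$dir/MANIFEST.sha256"
        fi
    done
    printf '%s\n' "$dir/MANIFEST.sha256"
}

# Start a full-packet capture in the background, then record the interactive
# shell with script(1). -t sends timing data to stderr so scriptreplay can
# replay the session at its original pace; -a appends to the console log.
# Returns when the recorded shell exits, then stops the capture and hashes.
record_session() {
    dir="$1"; iface="${2:-eth0}"
    tcpdump -i "$iface" -s 0 -w "$dir/capture.pcap" >/dev/null 2>&1 &
    tcpdump_pid=$!
    script -t 2> "$dir/timing.log" -a "$dir/console.log"
    kill "$tcpdump_pid" 2>/dev/null || true
    wait "$tcpdump_pid" 2>/dev/null || true
    write_manifest "$dir"
}

# Usage: record_session "$(evidence_dir /path/to/evidence)" eth0
# Replay later with: scriptreplay timing.log console.log
```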
Report Level Documentation
Dradis Framework
MagicTree
KeepNote
Growly Notes
If you know of any other tools or methods for documenting a penetration test, please leave a comment and let me know. Also, thanks @Glesec, @crimondi, @g00bler, @IsaiahMc, and @etdsoft for your help.
Capture your screen? Just need a big storage device
A few things I’ve picked up recently: Set your terminal buffer to unlimited and copy-paste it out when done. Also, if you use GNU screen set the buffer larger than default and use the screen hardcopy command to pipe screen’s output to file. Also, I like to backup the MSF db in case it gets nuked and I want to query it later, I can just load it back into postgres:
/opt/metasploit-4.4.0/postgresql/bin/pg_dump -h localhost -p 7337 -U msf3 -W msf3dev > outputfilename.pgdump
ttyrec or termrec, keeps cmd input and output. If your prompt has timestamps it helps.
Burp can auto-save