I had a friend ask me today how I document my pentests. Truthfully, I suck at documenting my pentests and, shamefully, I have never fully documented a pentest, as in tracking every command executed, every tool used, every machine attacked, every packet sent. Mind you, most of my pentests have been for small companies that typically do not have an incident response team, and if something bad happens, one of the two or three sysadmins asks if it was my fault and they believe me when I say no.
Unfortunately, this style of pentesting can lead to a big liability. If a system goes offline while you are testing, then you will likely get blamed. What if you shut down access to a revenue-generating web server or an assembly line? What if it costs the company thousands or tens of thousands of dollars to bring the system back online? Would you be able to prove that you did not take the system down?
So, thinking about all this, I turned to the oracle of infosec information, Twitter, and Twitter did not disappoint. Below is a list of tools and ideas for documenting your pentest.