Pentest_Notes

📝 Reporting & Documentation

Organized notes for penetration testing report writing and documentation. Last Updated: 2026-03-27

---

Overview

The penetration testing report is the primary deliverable of any engagement. A poorly written report diminishes the value of even the best technical work. Documentation should begin from day one, not at the end.

⚠️ CPTS Exam Tip: You MUST submit a professional report as part of the CPTS exam. Budget adequate time for report writing (two days at a minimum).

---

Documentation During Engagement

Checklist

• Configure tmux logging from the start
• Take screenshots of every significant finding
• Document every successful exploit step-by-step
• Record timestamps for all activities
• Save command output to files
• Maintain a running list of credentials found
• Track attack paths (from initial access to objectives)
• Note failed attempts (useful for report completeness)
• Organize notes by host/target

Tmux Logging

# Start tmux session
tmux new -s pentest

# Enable logging (tmux-logging plugin)
# prefix + Shift+P (toggle logging)
# prefix + Alt+Shift+P (save complete pane history)
# prefix + Alt+p (screenshot current pane)

# Logs are saved to ~/tmux-logging/

💡 Pro Tip: Enable tmux logging at the START of every session. You can never have too much documentation.

Note-Taking Tools

Tool	Type	Best For
Obsidian	Markdown-based	Long-term knowledge management, linking
CherryTree	Hierarchical	Structured engagement notes
Notion	Web-based	Collaborative note-taking
Joplin	Markdown-based	Open-source alternative to Obsidian
Flameshot	Screenshot	Annotated screenshots
Greenshot	Screenshot	Windows screenshot tool

Screenshot Best Practices

• Include the terminal prompt showing username and hostname
• Include timestamp in screenshot or filename
• Capture the full command AND its output
• Use annotation to highlight important parts
• Name files descriptively: 01_initial_foothold_sqli_10.10.10.5.png

---

Report Structure

Professional Penetration Test Report Template

1. Cover Page
   - Company logo
   - Report title
   - Client name
   - Date
   - Author
   - Classification (Confidential)

2. Document Control
   - Version history
   - Distribution list
   - Revision table

3. Table of Contents

4. Executive Summary (1-2 pages)
   - Engagement overview
   - Scope summary
   - Key findings summary (high-level)
   - Overall risk rating
   - Top recommendations

5. Scope & Methodology
   - In-scope targets/systems
   - Out-of-scope items
   - Testing methodology used (PTES, OWASP, etc.)
   - Tools used
   - Testing timeline
   - Limitations encountered

6. Findings Summary
   - Table of all findings with severity ratings
   - Risk rating methodology (CVSS)
   - Statistics (findings by severity, by category)

7. Detailed Findings
   For each finding:
   - Finding title
   - Severity (Critical/High/Medium/Low/Informational)
   - CVSS score
   - Affected systems/URLs
   - Description of the vulnerability
   - Proof of Concept (step-by-step with screenshots)
   - Impact assessment
   - Remediation recommendations
   - References (CVE, CWE, OWASP)

8. Attack Narrative / Kill Chain
   - Step-by-step attack path from external to domain admin
   - Network diagram showing pivot points
   - Timeline of attack progression

9. Recommendations Summary
   - Prioritized remediation list
   - Quick wins vs. long-term improvements

10. Appendices
    - Full scan results
    - Tool output
    - Credential list (redacted if needed)
    - Network diagrams
    - Glossary of terms

---

Severity Rating

CVSS v3.1 Scoring Reference

Severity	CVSS Score	Description
Critical	9.0 - 10.0	Immediate exploitation possible, full system compromise
High	7.0 - 8.9	Significant impact, likely exploitable
Medium	4.0 - 6.9	Moderate impact, requires specific conditions
Low	0.1 - 3.9	Minor impact, limited exploitation
Informational	0.0	Best practice recommendation

🔗 CVSS Calculator: https://www.first.org/cvss/calculator/3.1

---

Writing Tips

Executive Summary

• Written for non-technical audience (C-level, management)
• Focus on business impact, not technical details
• Keep it to 1-2 pages maximum
• Lead with the most critical findings
• Include clear, actionable recommendations
• Use business language, avoid jargon

Technical Findings

• Be specific and reproducible
• Include exact URLs, parameters, payloads
• Show step-by-step with screenshots
• Explain the impact clearly
• Provide specific, actionable remediation steps
• Reference industry standards (OWASP, NIST, CIS)

General Writing Rules

• Use active voice
• Be concise — remove unnecessary words
• Proofread thoroughly
• Maintain consistent formatting
• Use numbered steps for procedures
• Avoid assumptions about reader knowledge
• Have someone else review before submission

---

Evidence Collection Checklist

• Screenshot of initial access (whoami, hostname, ip)
• Screenshot of each privilege escalation step
• Screenshot of flags/objectives
• Screenshot of credential discoveries
• Screenshot of each lateral movement step
• Screenshot of domain admin achievement
• Full command output saved to files
• Network diagram created
• Timeline documented

---

Report Templates & Resources

Resource	URL
TCM Security Report Template	https://github.com/hmaverickadams/TCM-Security-Sample-Pentest-Report
OSCP Report Templates	https://github.com/noraj/OSCP-Exam-Report-Template-Markdown
Offensive Security Report Template	https://www.offensive-security.com/reports/
Public Pentesting Reports	https://github.com/juliocesarfort/public-pentesting-reports

---

Common Pitfalls / Gotchas

• Not documenting from day one — playing catch-up at the end
• Insufficient screenshots (can’t go back to capture them)
• Executive summary too technical
• Missing remediation recommendations
• Not including failed attempts (shows thoroughness)
• Inconsistent formatting
• Not proofreading
• Missing impact statements for findings
• Submitting raw tool output without analysis

References & Further Reading

• PTES Reporting Guidelines
• OWASP Testing Guide - Reporting ```