Evidence Collection
Proper evidence collection ensures that findings are reproducible and defensible and that each vulnerability is backed by clear proof. Document everything as you go.
Documentation Strategy
Folder Structure
```text
# Recommended folder structure
pentest-clientname-YYYY-MM-DD/
├── 01-reconnaissance/
│   ├── nmap_scans/
│   ├── screenshots/
│   └── notes.md
├── 02-enumeration/
│   ├── ad_dump/
│   ├── bloodhound/
│   └── shares/
├── 03-exploitation/
│   ├── screenshots/
│   ├── credentials/
│   └── payloads/
├── 04-post-exploitation/
│   ├── dumps/
│   ├── persistence/
│   └── screenshots/
├── 05-evidence/
│   ├── findings/
│   └── proof/
├── logs/
│   ├── terminal_logs/
│   └── tool_logs/
└── report/
    ├── drafts/
    └── final/
```
Terminal Logging
Script Command (Linux)
```bash
# Start logging entire terminal session
script -t 2>timing.txt session.log

# With timestamp in filename
script -t 2>timing_$(date +%Y%m%d_%H%M%S).txt session_$(date +%Y%m%d_%H%M%S).log

# Exit to stop logging
exit

# Replay session
scriptreplay timing.txt session.log

# Alternative: Tmux logging
# In tmux, press Ctrl+b then : and type:
capture-pane -S - ; save-buffer /tmp/tmux.log
```
PowerShell Logging
```powershell
# Start transcript
Start-Transcript -Path "C:\pentest\logs\session_$(Get-Date -Format 'yyyyMMdd_HHmmss').txt"

# Stop transcript
Stop-Transcript

# Auto-start in profile
# Add to $PROFILE:
$transcriptPath = "C:\pentest\logs\PS_$(Get-Date -Format 'yyyyMMdd_HHmmss').txt"
Start-Transcript -Path $transcriptPath -Append
```
Tool-Specific Logging
```bash
# Nmap - Save all formats (.nmap, .gnmap, .xml)
nmap -sV -sC -oA nmap_scan target

# Metasploit logging
spool /path/to/msf_session.log

# nxc - Auto-logs to ~/.nxc/logs
nxc smb targets.txt -u user -p pass

# Responder - Logs to /usr/share/responder/logs

# Impacket - Use tee
secretsdump.py domain/user@target 2>&1 | tee secretsdump.log

# Burp Suite - Project saves automatically
# Enable logging in Project Options > Misc > Logging
```
Screenshot Best Practices
What to Screenshot
| Finding Type | Required Screenshots |
|---|---|
| Credential Compromise | Tool output, successful login, whoami/hostname |
| Remote Code Execution | Exploit running, shell access, whoami output |
| Sensitive Data | File listing, content (redacted if needed), location |
| Misconfiguration | Configuration panel, vulnerable setting highlighted |
| Network Access | Connection proof, accessible resources, ipconfig/ifconfig |
Screenshot Tools
```bash
# Linux - Flameshot (recommended)
flameshot gui                                   # Interactive selection
flameshot full -p /path/to/save/                # Full screen

# Linux - scrot
scrot -s screenshot_$(date +%Y%m%d_%H%M%S).png  # Selection
scrot screenshot_$(date +%Y%m%d_%H%M%S).png     # Full screen

# Linux - import (ImageMagick)
import -window root screenshot.png
```

```powershell
# Windows - Snipping Tool
snippingtool   # Or Win+Shift+S

# Windows - PowerShell screenshot of the primary display
Add-Type -AssemblyName System.Windows.Forms
Add-Type -AssemblyName System.Drawing   # Bitmap and Graphics live in this assembly
[System.Windows.Forms.Screen]::PrimaryScreen | ForEach-Object {
    $bitmap = New-Object System.Drawing.Bitmap($_.Bounds.Width, $_.Bounds.Height)
    $graphics = [System.Drawing.Graphics]::FromImage($bitmap)
    $graphics.CopyFromScreen($_.Bounds.Location, [System.Drawing.Point]::Empty, $_.Bounds.Size)
    $bitmap.Save("screenshot_$(Get-Date -Format 'yyyyMMdd_HHmmss').png")
    $graphics.Dispose(); $bitmap.Dispose()
}
```
Credential Documentation
```text
# credentials.txt format
# Keep encrypted or in secure location!

=== CREDENTIALS LOG ===
Date: 2024-11-15 14:32:00
Engagement: ACME Corp Internal Pentest

--- Discovered Credentials ---

[1] Source: LLMNR Poisoning
Timestamp: 2024-11-15 10:15:22
Username: CORP\jsmith
Type: NetNTLMv2 Hash
Hash: jsmith::CORP:1122334455667788:ABC123...
Cracked: Yes
Password: Summer2024!
Evidence: responder_log_20241115.txt, screenshot_01.png

[2] Source: Kerberoasting
Timestamp: 2024-11-15 11:30:45
Username: svc_backup
Type: TGS Hash (RC4)
Hash: $krb5tgs$23$*svc_backup$CORP.LOCAL...
Cracked: Yes
Password: Backup123!
Evidence: getuserspns_output.txt, hashcat_cracked.txt

[3] Source: LSASS Dump (DC01)
Timestamp: 2024-11-15 14:32:00
Username: Administrator
Type: NTLM Hash
Hash: aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
Cracked: No
Evidence: mimikatz_dc01.txt, screenshot_12.png
```
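A credentials log is only as good as the proof behind it. The script below is an added example (not part of the original page) that parses the credentials.txt format above, counts cracked and uncracked entries, and flags every file named on an `Evidence:` line that is missing from the proof directory; the sample log it builds uses placeholder names and no real secrets.

```sh
#!/bin/sh
# Added example (not from the original page): audit a credentials.txt written in
# the format above. Counts entries and cracked hashes and flags every file named
# on an "Evidence:" line that is missing from the proof directory, so no credential
# reaches the report without the artefact that backs it.
audit_cred_log() {  # audit_cred_log <credentials.txt> <proof_dir>; returns 1 if proof is missing
    log=$1; proof=$2; entries=0; cracked=0; missing=0
    while IFS= read -r line; do
        key=${line%%:*}; value=${line#*: }
        case $key in
            "["[0-9]*"] Source") entries=$((entries + 1)) ;;
            Cracked) if [ "$value" = Yes ]; then cracked=$((cracked + 1)); fi ;;
            Evidence)   # comma-separated list; every file must exist under proof_dir
                old_ifs=$IFS; IFS=','; set -f; set -- $value; set +f; IFS=$old_ifs
                for f in "$@"; do
                    f=${f# }
                    if [ ! -f "$proof/$f" ]; then
                        echo "entry $entries: missing evidence file $f" >&2
                        missing=$((missing + 1))
                    fi
                done ;;
        esac
    done < "$log"
    echo "entries=$entries cracked=$cracked uncracked=$((entries - cracked)) missing_evidence=$missing"
    [ "$missing" -eq 0 ]
}
# Constructed sample (placeholder names, no real secrets): entry 1 refers to a
# screenshot that was never saved.
demo_audit() {
    d=$(mktemp -d); mkdir -p "$d/proof"
    cat > "$d/credentials.txt" <<'EOF'
=== CREDENTIALS LOG ===
[1] Source: LLMNR Poisoning
Cracked: Yes
Evidence: responder_log.txt, screenshot_01.png
[2] Source: Kerberoasting
Cracked: Yes
Evidence: getuserspns_output.txt
[3] Source: LSASS Dump (HOST01)
Cracked: No
Evidence: mimikatz_host01.txt, screenshot_12.png
EOF
    touch "$d/proof/responder_log.txt" "$d/proof/getuserspns_output.txt" \
          "$d/proof/mimikatz_host01.txt" "$d/proof/screenshot_12.png"
    audit_cred_log "$d/credentials.txt" "$d/proof"
}
```

Run it at the end of each day against `03-exploitation/credentials/credentials.txt` and `05-evidence/proof/`; a non-zero exit means a claimed credential has no artefact on disk yet.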
Finding Documentation
````markdown
# finding_template.md

## Finding: [Title]

### Metadata
- **ID:** VULN-001
- **Date Discovered:** 2024-11-15 14:32:00
- **Severity:** Critical/High/Medium/Low
- **CVSS:** 9.8 (Vector)
- **Status:** Confirmed/Exploited

### Affected Systems
- 10.0.0.10 (DC01.corp.local)
- 10.0.0.11 (DC02.corp.local)

### Description
[Clear description of the vulnerability]

### Steps to Reproduce
1. Step one with exact command
2. Step two
3. Step three

### Evidence
- Screenshot: evidence/finding001_screenshot1.png
- Log file: evidence/finding001_output.txt
- Video (if applicable): evidence/finding001_demo.mp4

### Commands Used
```bash
# Exact commands used
command --option value
```

### Impact
[Business impact description]

### Remediation
[How to fix]

### References
- CVE-XXXX-XXXXX
- https://relevant-link.com
````
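Finding IDs drift when several testers create files by hand. The helper below is an added example (not from the original page) that allocates the next `VULN-NNN` id from the files already in the findings directory and writes a new file pre-filled from the template above; the `VULN-NNN-<slug>.md` naming scheme is an assumption, and the Commands Used and References sections are left for the tester to fill in.

```sh
#!/bin/sh
# Added example (not part of the original page): allocate the next VULN-NNN id
# from the files already in the findings directory and create a new finding file
# pre-filled from the template above. Assumes files are named VULN-NNN-<slug>.md;
# the Commands Used and References sections are omitted here for brevity.
new_finding() {   # new_finding <findings_dir> "<title>" -> prints the created path
    dir=$1; title=$2
    mkdir -p "$dir"
    # highest id already used (leading zeros stripped so the arithmetic stays decimal)
    last=$(ls "$dir" | sed -n 's/^VULN-\([0-9][0-9][0-9]\)-.*\.md$/\1/p' \
           | sort -n | tail -n 1 | sed 's/^0*//')
    id=$(printf 'VULN-%03d' $(( ${last:-0} + 1 )))
    # file-system-safe slug from the title: lower-case, runs of other chars -> '-'
    slug=$(printf '%s' "$title" | tr 'A-Z' 'a-z' | tr -cs 'a-z0-9' '-' | sed 's/^-*//; s/-*$//')
    path="$dir/$id-$slug.md"
    cat > "$path" <<EOF
## Finding: $title
### Metadata
- **ID:** $id
- **Date Discovered:** $(date -u '+%Y-%m-%d %H:%M:%S') UTC
- **Severity:** Critical/High/Medium/Low
- **CVSS:** [score] ([vector])
- **Status:** Confirmed/Exploited
### Affected Systems
- [ip] ([hostname])
### Description
[Clear description of the vulnerability]
### Steps to Reproduce
1. [Step one with exact command]
### Evidence
- Screenshot: evidence/${id}_screenshot1.png
- Log file: evidence/${id}_output.txt
### Impact
[Business impact description]
### Remediation
[How to fix]
EOF
    echo "$path"
}
```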
Video Recording
```bash
# Linux - OBS Studio (best quality)
obs   # Configure and record

# Linux - Simple screen recorder
simplescreenrecorder

# Linux - ffmpeg (command line)
ffmpeg -f x11grab -r 30 -s 1920x1080 -i :0.0 -c:v libx264 -preset ultrafast output.mp4

# Windows - OBS Studio
# Or built-in Game Bar: Win+G

# When to record video:
# - Complex multi-step attacks
# - Timing-sensitive exploits
# - Demo for executive presentation
# - Proof of full attack chain
```
Data Handling
```bash
# Encrypt evidence folder
# Using 7-Zip with AES-256 (-mhe=on also encrypts the file names)
7z a -p -mhe=on evidence_encrypted.7z evidence/

# Using GPG
tar -czf evidence.tar.gz evidence/
gpg -c --cipher-algo AES256 evidence.tar.gz

# Secure file transfer
# SCP
scp -r evidence.tar.gz.gpg user@secure-server:/path/

# rsync with SSH
rsync -avz -e ssh evidence/ user@secure-server:/path/

# Secure deletion after engagement
# Linux (overwriting is unreliable on SSDs and journaling or copy-on-write
# filesystems; full-disk encryption plus key destruction is the dependable route)
shred -vfz -n 5 sensitive_file.txt
srm -r evidence/   # Secure rm

# Windows
cipher /w:C:\pentest\evidence\
```
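Encrypting and transferring the folder protects confidentiality; it does not by itself show that what the client receives is what was collected. The functions below are an added example (not from the original page) that write a SHA-256 manifest into the evidence folder before it is archived and verify it afterwards, catching modified, missing and added files; they assume GNU coreutils `sha256sum`.

```sh
#!/bin/sh
# Added example (not from the original page): write a SHA-256 manifest of the
# evidence folder before it is encrypted and transferred, and verify it on the
# receiving side. Assumes GNU coreutils sha256sum. Keep a copy of MANIFEST.sha256
# with the engagement notes (or GPG-sign it) so the manifest itself is trusted.
make_manifest() {   # make_manifest <evidence_dir> -> writes <evidence_dir>/MANIFEST.sha256
    (cd "$1" && find . -type f ! -name MANIFEST.sha256 -exec sha256sum {} + \
        | LC_ALL=C sort -k 2) > "$1/MANIFEST.sha256"
}
verify_manifest() { # verify_manifest <evidence_dir> -> 0 if unchanged, 1 otherwise
    (cd "$1" && sha256sum --quiet -c MANIFEST.sha256) || return 1
    # -c only checks the files it lists; also refuse if files were added since
    now=$(cd "$1" && find . -type f ! -name MANIFEST.sha256 | wc -l | tr -d ' ')
    listed=$(wc -l < "$1/MANIFEST.sha256" | tr -d ' ')
    [ "$now" -eq "$listed" ]
}
# Constructed demo: two placeholder evidence files, a manifest, then one file
# is altered after collection and the verification is expected to fail.
demo_manifest() {
    d=$(mktemp -d); mkdir -p "$d/proof"
    printf 'constructed nmap output\n' > "$d/proof/nmap_scan.txt"
    printf 'constructed screenshot bytes\n' > "$d/proof/screenshot_01.png"
    make_manifest "$d"
    before=FAIL; after=ok
    verify_manifest "$d" >/dev/null 2>&1 && before=ok
    printf 'line added after collection\n' >> "$d/proof/nmap_scan.txt"
    verify_manifest "$d" >/dev/null 2>&1 || after=tampered
    echo "before=$before after=$after"
}
```

Run `make_manifest 05-evidence` before the `7z` or `tar` step above and `verify_manifest` after the archive is unpacked at its destination.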
Quick Checklist
Before Each Test
- ☐ Create folder structure
- ☐ Start terminal logging
- ☐ Set up screenshot tool
- ☐ Configure tool logging
- ☐ Note start time
For Each Finding
- ☐ Screenshot showing vulnerability
- ☐ Screenshot showing impact/access
- ☐ Command/request that triggered it
- ☐ Timestamp documented
- ☐ Affected system noted
End of Day
- ☐ Stop logging
- ☐ Organize evidence
- ☐ Backup to secure location
- ☐ Update findings notes