Note-Keeping / General Flow

Hey. What’s your usual workflow? How does everyone keep themselves organized in terms of notes, scanning/enumeration results, cred dumps, exploit code, etc…

I’ve personally played with having a directory per box, and using “tee” to preserve tool output, while trying to keep files organized. (ftp-related files in an “ftp” subdirectory, as with ssh, http, rdp, etc…) I’ve also played with keepnote, but am still very unsure as to how I want to structure notes in there.

I feel like it would be helpful as I learn to use good note-taking strategies.

I use KeepNote, for each box I create a folder within that folder I create three subnotes, Enumeration, Exploitation, and PrivEsc – during enumeration I just log everything I find, Exploitation I log all successful exploitation attempts and their results, and privesc I log my route to root.

The main key for me is to make sure to log in full detail the steps to reproduce each scenario as well as a sample of a server response so I can easily jump in and remember the exact scenario.

Another important aspect during the box is to setup a reliable directory structure to keep methodical and organized. For example, I’ve been working on some scripts to build/organize a setup like this:

/sec/
  -> calamity/
      -> Phase-1/
          -> nmap/
               -> targets.txt
               -> outputs to ../results/nmap-results/
          -> dirbust/
               -> urls.txt
               -> outputs to ../results/dirbust-results/
      -> Phase-2/
           -> service:port
                -> exploits/
                -> http-reqres/
                -> etc/
      -> Phase-3/
           -> shell/
               -> reproduction steps to shell
           -> privesc/
               -> reproduction steps to root
      -> results/
          -> nmap-results/
          -> dirbust-results/
          -> data-exfil/
          -> script_to_parse_results.sh

@dostoevskylabs putting us all to shame :wink:

I just use a Onenote stream of consciousness unless I’m required to report in which case my subpages take a similar form to the above. It’s probably not the best, but it’s what I find keeps me ‘in the zone’. Usually my working notes/outputs are just stored in the filesystem of my kali and written up as I make progress.

When I was doing OSCP I also maintained an excel to manage the creds captured from various devices/services.

GitHub - codingo/Reconnoitre: A security tool for multithreaded information gathering and service enum might be another alternative as it automatically creates a directory structure.

@dostoevskylabs said:
I use KeepNote, for each box I create a folder within that folder I create three subnotes, Enumeration, Exploitation, and PrivEsc – during enumeration I just log everything I find, Exploitation I log all successful exploitation attempts and their results, and privesc I log my route to root.

The main key for me is to make sure to log in full detail the steps to reproduce each scenario as well as a sample of a server response so I can easily jump in and remember the exact scenario.

Another important aspect during the box is to setup a reliable directory structure to keep methodical and organized. For example, I’ve been working on some scripts to build/organize a setup like this:

/sec/
  -> calamity/
      -> Phase-1/
          -> nmap/

Nice post, thanks for sharing! I use generally the same type of system, just without KeepNote. Someone recommended it to me, but I found it hard to use and kind of counter-intuitive. That being said, I just use a simple directory structure and try to follow the same rules. I do something like this:

/HTB/
→ FluxCapacitor
→ Scans
—> (All scan tool ouputs)
→ Downloads
—> (All files downloaded during enumeration/discovery)
—> Special Services (WordPress, Joomla, Etc)
→ BufferOverflow/Scripts
→ Calamity
→ Scans …
Etc etc.

Mainly things I find on webservers or open servers in Downloads dir, I keep a open notes.txt file open in nano in a different term in the machine’s base directory…

@dostoevskylabs said:
I use KeepNote, for each box I create a folder within that folder I create three subnotes, Enumeration, Exploitation, and PrivEsc – during enumeration I just log everything I find, Exploitation I log all successful exploitation attempts and their results, and privesc I log my route to root.

The main key for me is to make sure to log in full detail the steps to reproduce each scenario as well as a sample of a server response so I can easily jump in and remember the exact scenario.

I do this exact same thing as well. I have an added sections for lessons learned and useful links that pertains to all links and articles I used to help solve the box. I also do my notes in a write-up style, where I detail exactly what I was doing and thinking before each screenshot.

Sorry I didn’t have notifications to email enabled, but yeah! @likwidsec keepnote is kind of strange but I kind of like it at the same time.

@lowpriv ditto its good to keep notes on what you really took away from a box because those are the less ingrained in your memory.

@booj I love you.

Here are scripts for most of what I do, it’s kind of ugly and hacky atm, don’t judge me. The dirbust scripts are PoC so they kind of work to run multiple campaigns with different wordlists in the background and observe your result after the fact, but they need loads of work.

If you like keepnote I suggest also looking at CherryTree.

Nice input here, i still haven’t really thought of building a good workflow. Is is something you should try to do from the beginning (as a newbie) ?

How would you report your findings on labs/chall that aren’t retired yet ? I wanted to give blogging a try in order to learn all that new stuff more effectively, but I dont want to break the ToS :frowning:

@eval said:
Nice input here, i still haven’t really thought of building a good workflow. Is is something you should try to do from the beginning (as a newbie) ?

Yes, building a good workflow and taking notes is something you should do from the very beginning.

+1 for CherryTree. Another thing I like to do is grab screenshots to document my progress and the major steps involved.

I have a vm dedicated to some services in host only mode. it serves a bunch of docker environments Ive made. One of which is a wiki instance.

I loved keepnote but had major problems reviewing or manipulating anything I put in it from console or any scripts to read easily later. In the way this wiki is formatted it has the same hierarchical structure as keepnote but also comes with some syntax highlighting and file content display/hide. Also hyperlinks to other sections of the wiki or to external addresses.

This way I can organize the entire operation as separate elements (a page for scans, a page for artifacts found on port 80) but still have one page that links them all together for the path I took to root. Since it also contains all of my tradecraft knowledge (basically all the “cool stuff” i found while googling while bored) it can be searched for something I’m missing or those moments you vaguely remember something from some blog in wherever.

Love keepnote, just took a wiki and made it exactly like keepnote but better. Also since its served over my host only, I can configure it to be available in most of my vms at any point. reducing the number of “crap, which version of the file is this” moments.