Clear organization plays a crucial role in our penetration tests, regardless of their scale and focus. Having a convenient and understandable workspace structure saves tremendous time and effort, allowing quick navigation even through large volumes of data. This is important not only for the pentester but also for subsequent transfer of results to the team or client. Proper documentation is key to effective communication and process transparency.
In this article, we’ll examine best practices for setting up a laboratory for effective and comfortable pentesting:
- Creating a tree directory structure
- Large project organization features
- Secure storage of collected artifacts
- Using password managers
- Finding documentation and note-taking
- Automation of routine actions
This material will be useful for both beginners and experienced experts as a checklist. And in the second part, we’ll analyze specialized tools and frameworks for pentest management in detail – Faraday, Dradis, Lair, and others.
Corporate infrastructures are usually heterogeneous: Windows coexists with Linux, different DBMSs and web servers are present. Therefore, it makes sense to structure the workspace immediately according to pentest phases and target operating systems.
Here’s an example of such an approach:
Penetration-Testing
├── Pre-Engagement
├── Linux
│   ├── Information Gathering
│   ├── Vulnerability Assessment
│   ├── Exploitation
│   ├── Post-Exploitation
│   └── Lateral Movement
├── Windows
│   ├── Information Gathering
│   ├── Vulnerability Assessment
│   ├── Exploitation
│   ├── Post-Exploitation
│   └── Lateral Movement
├── Reporting
└── Results
The content of each directory should correspond to its phase:
- Pre-Engagement: NDA, work plan, client data.
- Information Gathering: scanning results (nmap, masscan), subdomain lists, emails.
- Vulnerability Assessment: vulnerability scanner reports (Nessus, Nikto), discovered attack vectors.
- Exploitation: shells, payloads, successful attack PoCs.
- Post-Exploitation: memory dumps, hashed and plain passwords, files.
- Lateral Movement: host access keys, persistence scripts.
- Reporting: detailed and brief reports with notes.
- Results: final presentations and demonstrations.
The presented nomenclature is not dogmatic and can vary depending on the methodology (OWASP, PTES, etc.) or internal team agreements. The main thing is to decide on the structure at the start and consistently follow it.
Also pay attention to file naming:
- Use meaningful names (nmap-full-tcp_01-05-2023.nmap).
- Include file creation date/time.
- Add tags for grouping by type/phase (_passwords).
Organization in Large Projects
In complex projects with multiple target networks, teams, or extended testing cycles, it’s useful to make additional segmentation:
By clients and networks:
Penetration-Testing
├── Client-A
│   ├── Network-1
│   │   ├── Linux
│   │   └── Windows
│   ├── Network-2
│   │   ├── Linux
│   │   └── Windows
│   └── VPN
├── Client-B
│   ├── Segment-1
│   └── Segment-2
└── Client-C
    ├── Subsidiary-1
    └── Subsidiary-2
By sprints/iterations:
Network-1
├── Sprint-1_01-05-2023
│   ├── Linux
│   └── Windows
├── Sprint-2_16-05-2023
│   ├── Linux
│   └── Windows
└── Sprint-3_01-06-2023
    ├── Linux
    └── Windows
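As an added example (not from the original article), a small Python helper that creates the phase/OS tree from the first listing, either for a single engagement or for any list of client/network/sprint segments as in the two listings above, and builds file names that follow the naming rules (tool-scope_DD-MM-YYYY[_tag].ext). The segment names are placeholders; the helper generalizes the listings by giving every segment its own Linux/Windows subtree.

```python
"""Lay out the phase/OS workspace tree and build file names that follow the
naming rules from the article. Added example; client, network and sprint
names are illustrative placeholders."""
from datetime import date
from pathlib import Path
import re

PHASES = ["Information Gathering", "Vulnerability Assessment", "Exploitation",
          "Post-Exploitation", "Lateral Movement"]
TARGET_OS = ["Linux", "Windows"]
TOP_LEVEL = ["Pre-Engagement", "Reporting", "Results"]

def planned_dirs(segments=None):
    """Relative directories to create. segments=None gives the single-engagement
    layout; otherwise each entry (e.g. "Client-A/Network-1/Sprint-1_01-05-2023")
    gets its own Linux/Windows subtree with every phase underneath."""
    dirs = list(TOP_LEVEL)
    for seg in ([""] if segments is None else segments):
        for os_name in TARGET_OS:
            for phase in PHASES:
                dirs.append("/".join(p for p in (seg, os_name, phase) if p))
    return dirs

def build_workspace(root, segments=None):
    """Create the tree on disk (idempotent) and return the absolute paths."""
    root = Path(root)
    planned = planned_dirs(segments)
    for rel in planned:
        (root / rel).mkdir(parents=True, exist_ok=True)
    return [str(root / rel) for rel in planned]

def artifact_name(tool, scope, ext, day=None, tag=None):
    """tool-scope_DD-MM-YYYY[_tag].ext, e.g. nmap-full-tcp_01-05-2023.nmap.
    day is an ISO date string (default: today). Characters outside
    [A-Za-z0-9._-] are rejected so names stay shell- and Git-friendly."""
    when = date.fromisoformat(day) if day else date.today()
    stem = f"{tool}-{scope}_{when:%d-%m-%Y}" + (f"_{tag}" if tag else "")
    if not re.fullmatch(r"[A-Za-z0-9._-]+", f"{stem}.{ext}"):
        raise ValueError(f"unsafe characters in {stem}.{ext}")
    return f"{stem}.{ext}"
```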
Additionally, it’s recommended to:
- Store project data in a Git repository. This ensures versioning and simplifies collaboration. It’s useful to follow standard branching – main for release versions, separate branches for development (dev) and specific features. And Git’s tagging system is convenient for marking key stages/findings.
- Create templates for typical documents – reports, presentations. Saves time and standardizes deliverables.
- Maintain a unified registry of found vulnerabilities in tabular form. Makes it easier to track their status and progress.
- Automatically generate reports based on scanning data using scripts. Reduces manual work.
Artifact Storage and Security
“Artifacts” collected during pentesting (application source code, configuration files, memory and database dumps, passwords) may contain private information and traces of real compromises. The volume of this data sometimes amounts to gigabytes or even terabytes.
Therefore, it’s important to store them on a separate secured machine without internet access. You can use a customized Live CD/USB with encryption (VeraCrypt) or partitions encrypted with LUKS.
Such isolated storage provides several advantages:
- Reduces the risk of client confidential data leakage.
- Prevents workstation infection through saved malware.
- Ensures evidence integrity when detecting traces of real breaches.
- Separates working files from testing tools and exploits.
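One concrete way to back the evidence-integrity point, as an added example rather than the author’s own tooling: a SHA-256 manifest written next to the artifacts on the isolated machine (in sha256sum -c compatible form) and a check that reports modified, missing and added files. demo() builds a throwaway directory with constructed sample files.

```python
"""Seal a directory of collected artifacts with a SHA-256 manifest and detect
later changes. Added example; the files written in demo() are constructed."""
import hashlib
import tempfile
from pathlib import Path

MANIFEST = "SHA256SUMS"   # same line format as sha256sum, so `sha256sum -c` works too

def hash_file(path, chunk=1 << 20):
    h = hashlib.sha256()   # stream in chunks: dumps can be far larger than memory
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(artifact_dir):
    """{relative posix path: sha256} for every file except the manifest itself."""
    root = Path(artifact_dir)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file() and p.name != MANIFEST}

def write_manifest(artifact_dir):
    manifest = build_manifest(artifact_dir)
    text = "".join(f"{digest}  {rel}\n" for rel, digest in manifest.items())
    (Path(artifact_dir) / MANIFEST).write_text(text)
    return manifest

def verify_manifest(artifact_dir):
    """Return (modified, missing, added) relative paths versus the stored manifest."""
    stored = {}
    for line in (Path(artifact_dir) / MANIFEST).read_text().splitlines():
        digest, rel = line.split("  ", 1)
        stored[rel] = digest
    now = build_manifest(artifact_dir)
    modified = sorted(r for r in stored if r in now and now[r] != stored[r])
    missing = sorted(r for r in stored if r not in now)
    added = sorted(r for r in now if r not in stored)
    return modified, missing, added

def demo():
    """Constructed scenario: seal three files, then tamper with, delete and add one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("dumps", "config"):
            (root / d).mkdir()
        (root / "dumps" / "memory.raw").write_bytes(b"\x00" * 4096)
        (root / "config" / "app.conf").write_text("debug=true\n")
        (root / "passwords.txt").write_text("user:hash\n")
        write_manifest(root)
        (root / "config" / "app.conf").write_text("debug=false\n")  # tampered
        (root / "passwords.txt").unlink()                            # removed
        (root / "notes.md").write_text("added later\n")              # added
        return verify_manifest(root)
```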
Password Managers
Implementing a reliable password manager is a mandatory item in any security specialist’s checklist. It solves the problem of creating unique passwords, prevents their reuse, and automates authentication.
Practical advice – create a separate password manager account for pentests. Before starting work, enable two-factor authentication and generate a strong master password (at least 12-14 characters).
Several current solutions:
- LastPass – convenient synchronization, autofill, shared vaults for teams.
- KeePass – open-source, cross-platform, supports plugins.
- 1Password – can store SSH keys, confidential documents, software licenses.
- Bitwarden – open-source, has premium plan for companies with event auditing and reports.
Basic security recommendations that bear repeating:
- Avoid simple and easily guessable master passwords.
- Activate two-factor authentication (2FA) wherever possible.
- Don’t transmit passwords in open chats/email, use encryption.
Documentation and Notes
Documenting findings and actions is one of the pillars of professional pentesting. Everything needs to be recorded: from found vulnerabilities and passwords to ideas for further research.
Useful tools:
- Notebooks with Markdown support: Obsidian, Notion, CherryTree. The advantage is that notes in .md format can be stored in the same Git repository as the project. Convenient for collaboration and versioning.
- Online boards for diagrams and mind maps: draw.io, Miro.
- Services for saving code snippets: GitHub Gists, Pastebin.
- Software for screenshots and screencasts: Greenshot, ScreenToGif.
To avoid wasting time on formatting routines, use ready-made templates for records by testing phases/objects.
Process Automation
Any pentest consists of monotonous routine operations that take time and attention. Automate them using scripts!
Here are several real mini-cases:
- Launch website scanning using OWASP ZAP or Arachni and immediately import results into the vulnerability table.
- Collect open ports and services using Nmap and Masscan, then automatically enrich this data with information from Shodan and Censys.
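Added example, not from the article: a Python sketch of two recommendations at once, the tabular findings registry with script-generated reports from the large-project section, and the “scan and import results into the vulnerability table” mini-case above. It keeps the registry as CSV text so that nmap -oG results can be merged without duplicating rows and rendered as a Markdown report section; the scan lines are constructed sample data.

```python
"""Keep a tabular findings registry (CSV text) fed from scan output and render a
report section from it. Added example; the nmap -oG lines are constructed."""
import csv, io, re
from collections import Counter

# Constructed sample of nmap greppable (-oG) output for two hosts
SAMPLE_GNMAP = (
    "Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, "
    "80/open/tcp//http//Apache httpd 2.4.6/\n"
    "Host: 10.0.0.9 ()\tPorts: 445/open/tcp//microsoft-ds//Windows Server 2016/, "
    "3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (998)\n"
)
FIELDS = ["id", "host", "port", "service", "version", "phase", "status"]

def parse_gnmap(text):
    """Yield (host, port, service, version) for every open port in -oG output."""
    for m in re.finditer(r"Host: (\S+) .*?Ports: ([^\t\n]*)", text):
        host, ports = m.groups()
        for entry in ports.split(", "):
            f = entry.split("/")   # port/state/proto/owner/service/rpc/version/
            if len(f) >= 7 and f[1] == "open":
                yield host, int(f[0]), f[4], f[6]

def update_registry(registry_csv, gnmap_text, phase="Information Gathering"):
    """Add unseen host:port pairs as new rows; existing rows keep their status."""
    rows = list(csv.DictReader(io.StringIO(registry_csv))) if registry_csv else []
    known = {(r["host"], r["port"]) for r in rows}
    for host, port, service, version in parse_gnmap(gnmap_text):
        if (host, str(port)) in known:
            continue
        rows.append({"id": f"F-{len(rows) + 1:03d}", "host": host, "port": str(port),
                     "service": service, "version": version, "phase": phase,
                     "status": "new"})
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader(); writer.writerows(rows)
    return out.getvalue()

def render_report(registry_csv):
    """Markdown summary plus one table row per finding, for the Reporting phase."""
    rows = list(csv.DictReader(io.StringIO(registry_csv)))
    counts = Counter(r["status"] for r in rows)
    lines = ["## Findings summary", "", f"Total: {len(rows)}"]
    lines += [f"- {status}: {n}" for status, n in sorted(counts.items())]
    lines += ["", "| ID | Host | Port | Service | Version | Status |",
              "|----|------|------|---------|---------|--------|"]
    lines += [f"| {r['id']} | {r['host']} | {r['port']} | {r['service']} | "
              f"{r['version']} | {r['status']} |" for r in rows]
    return "\n".join(lines)
```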
For automation, use a language you’re familiar with – Bash, Python, PowerShell. But don’t forget to provide clear comments for your scripts, so you won’t have to decipher your own code later.
In more advanced cases, penetration tests (or at least part of them) are integrated directly into the development pipeline (CI/CD). But this goes beyond standard pentesting and deserves a separate review.
Conclusions
A well-thought-out and consistent workspace organization is an essential foundation for any pentester regardless of experience and specialization.
Key points:
- Define a clear directory structure and follow it.
- Keep sensitive artifacts on a separate secured machine.
- Use a password manager for secure storage.
- Document your findings, actions, and results.
- Automate routine operations using scripts.
For beginners, I recommend going through all the described points as a checklist when initially setting up the laboratory. By laying the right foundation from the start, you’ll significantly simplify your further professional growth.
Experienced professionals can use these tips to review their established practices. Analyze and optimize processes – with each new project, the structure can and should evolve. The path to mastery consists of continuous improvement of personal security hygiene.
In the next article, we’ll dive deep into specialized tools for pentest management – Faraday, Dradis, Lair. We’ll analyze their features, advantages, and disadvantages. See you then!