Skip to Main Content
June 16, 2020

Workflow Improvements for Pentesters

Written by David Boyd
Penetration Testing Security Testing & Analysis

As penetration testers, we are always on the lookout for quality of life improvements. Whether it's scripting, automating some mundane process, or trying to conquer that all-important client report, it is in our very nature to constantly strive to make things better.

One way to advance your art as a pentester is through workflow improvements. A lot of the time, simple changes to your everyday workflow can make all the difference when it comes to things like time management, organization, and overall accomplishments. A few small changes over time can improve your productivity, job satisfaction, and even free up time for other tasks, like blogging or coding.

Here are a few things I’ve found that have really improved my workflow.

Workflow Improvement...Even Willy Wonka Does It

1). Have a better working environment—get (and stay) organized!

If you are like me, you have a folder for everything. Sadly, we get so wrapped up in what we are doing, those folders tend to multiply.

Don't Do This to Yourself

Get organized. Before you even start a new project, create a hierarchical folder structure. I will use something like the client name folder (including the quarter and year), with an ‘engagement type’ or ‘stage of testing’ folder (phishing, internal, external, etc.) inside, and then different folders for loot, tool output, screenshots, etc., inside that.

Folder Layout Example

2.) Find your terminal and maximize it!

There are so many different terminal options to choose from. My daily driver is a Mac, and my preferred terminal is iTerm2 (https://www.iterm2.com/). A lot of folks really enjoy Terminator (https://github.com/software-jessies-org/jessies/wiki/Terminator), and there’s also zshell, with ohmyzsh to make it snazzier (https://ohmyz.sh/). Whatever you use, spend some time to configure the layout, colors, and style. Make sure your output, font size, and style are easy to read when used in screenshots. Stay away from white/gray on black, as that can often blend in with the rest of the report.

On the topic of screenshots, look at what information you want to include in your reporting screenshots from your terminal. At a minimum, I have my terminal set up to show the date, time, and IP address. That way, if a client needs to compare an attack timestamp with their logging and detections at a glance, it's easy to do.

My Terminal at a Glance

Terminal customization can be a blog on all its own, but here is my output, if you’re interested.

Terminal Customization

3.) Learn to multiplex!

To maximize my monitor space, I typically use one terminal session and have a different tab within that terminal session for each task I may need to work on. There may be a tab for starting a VPN, one for SSHing into my password cracker, and one for running console commands.

A lot of terminal options give you the ability to split panes horizontally or vertically, add/switch between terminal windows, label different tabs, color them differently, and more.

Two very popular options for terminal customization and multiplexing are tmux https://github.com/tmux/tmux/wiki and screen https://linux.die.net/man/1/screen.

Screen is very useful when you have multiple consultants working against a single dropbox/tap device, or when you have multiple processes/tools that you need to run and monitor together on separate instances. It is also more user friendly but not as customizable as tmux.

Tmux is very useful when you need to do things like split/label panes, terminal navigation and searching, session attaching/detaching, and context switching, and it also has great community plugin support. IppSec on YouTube has an awesome getting started video, if you’re looking to take the leap.

https://www.youtube.com/watch?v=Lqehvpe_djs

4.) Find your text editor—and get good at it!

The age-old argument, a tale as old as time: Nano vs. VI/Vim vs Emacs vs whatever else. We all know that Nano is king, but you should use whatever you are comfortable with. Spend some time learning the ins and outs of it. Being able to effectively edit that payload or Python script on the fly will save you a lot of headache down the line.

By the way, if you’ve ever been curious about VI/VIM, (or you’ve been stuck forever), the way to exit is to type :q!

The secret is out. Now you know.

VIM < NANO

This is why Nano is king. Much more user friendly.

Seriously though, Daniel Miessler has a great tutorial on learning VIM, if that suits your fancy.

https://danielmiessler.com/study/vim/

Along those lines…

5.) Explore the magic that is better bash aliases and one-liners!

Here at TrustedSec, we have a living document we call better bash aliases. It’s a mixture of all of the different aliases that folks have created/discovered/evolved over the years that make life just a little easier. Have a long, complicated command you run fairly routinely? Create an alias for it! Have a box you SSH into frequently? Create an alias for it! Need to be able to set up and tear down a tunnel several times a day, but don’t want to hit up arrow 50 times to find it (we all do it, and I know you do to!)? Make an alias!

Additionally, a lot of folks don’t utilize the .ssh config file. Taking some time to write out your configs for the most commonly used boxes that you SSH into will save you so much time and effort.

The Power of a Good SSH Config is Not to be Taken for Granted

6.) Find and use a note taking app—and keep it organized!

Take notes—lots of notes! Annotate everything you do during your test. There are a ton of great notebook and note taking apps out there. Some popular ones include GrowlyNotes https://growlybird.com/notes/, OneNote https://www.microsoft.com/en-us/microsoft-365/onenote/digital-note-taking-app, and CherryTree https://www.giuspen.com/cherrytree/.

All of these allow you to customize, do syntax highlighting, add screenshots, and more. I have a baseline tree structure for most objectives that I can copy, paste, and edit depending on the engagement.

Proper Note Taking Will Save Your Bacon

One thing to keep in mind is that some note taking apps constantly want to upload content to the cloud. Make sure that for whatever application you decide to use, this setting is turned off!

Spend a few minutes to customize, organize, and color everything to your liking before your project starts. It will save you a ton of time and hassle down the road. Along those lines…

7.), 8.), and 9.) Log Everything, Screenshot Everything, Take Good Notes!

I kind of cheated and put all of these together, because they are all equally important. During an engagement, it’s easy to go down a rabbit hole, get excited, hit a breakthrough, and find that one path you want to chase for a few hours, that one exploit that needs tinkering, that script that isn’t quite working, or any of a million different little things. Slow down, take a second, take a breath, and take notes. Lots of notes. Log what you did and when you did it. Piping tool output or commands to a file with | or tee is an absolute lifesaver.

Tee is Your Friend

A great way to log everything is with console logging. This command will get you setup nicely.

test "$(ps -ocommand= -p $PPID | awk '{print $1}')" == 'script' || (script -f /var/log/shell/$(date +"%d-%b-%y_%H-%M-%S")_shell.log)

Along those lines, screenshot everything as you go. Print screen, key binds, and apps like screenshot plus or snagit all work well. Just take lots of screenshots and label them well. I use long labels that describe exactly what I’m doing and to what. It’s easy to clean them up and delete what you don’t need later. There is nothing worse than coming in on a Friday to start reporting on the test, only to realize you have to go back and possibly rerun an attack, or a priv esc chain because you forgot that one crucial screenshot.

Save the Future Headache, Screenshot Now!

10.) Start reporting on Monday!

Finally, start reporting on a Monday. “Clean as you go” is taught early on in cooking. Monday Motorpool Maintenance is a regular occurrence in the Army. "A Monday well spent brings a week of content," is a paraphrase of an old saying, but the sentiment still rings true. You will thank yourself if you start reporting when you start your project. Get the baseline shell of your report carved out, fill in the testing details as much as you can from the beginning, and write as you go. I’ll spend a few minutes at the end of each day of testing writing out my walkthrough and fixing/adding my screenshots. This is probably one of the best things I have done to help me with time management in my career. Before, I frantically wrote (sometimes afterhours) a huge 200+ page report all at once. If you take the time to write as you go, by the time reporting comes around, you won’t have this daunting goliath of a task to go through.

Reporting Is Always Looming

I hope these tips help you out! Let us know any tips that have greatly improved your workflow.