Module 3

3.3

Documenting As You Go

Documentation is the difference between a smooth report-writing phase and a painful one. Every experienced pentester will tell you the same thing: if you document well during testing, the report almost writes itself. If you don’t, you spend twice as long trying to reconstruct what you did from memory and incomplete notes.

Good engagement documentation has four elements:

Timestamps. Every significant action logged with a timestamp. This matters for the testing timeline in the report and for any incident investigation if something goes wrong.

Commands and output. The exact command you ran and the relevant output. Not just “ran Nmap” — the full command with flags and the key findings from the output.

Screenshots. Annotated. Labeled. Every screenshot should have a caption explaining what it shows and why it matters. An unlabeled screenshot is useless two weeks later when you’re writing the report.

Context notes. Brief notes explaining why you did something and what you concluded. “Ran Kerberoasting because initial BloodHound showed 3 SPNs on service accounts” is infinitely more useful than just the Kerberoast output.

The evidence collection template you can download from this lesson gives you a structured format for all four elements. Use it from day one of any engagement.
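As an added illustration of the four elements (not the downloadable template or any code from this lesson), the helper below records an action as one structured entry, names any element that is missing or unusable, including an unlabeled screenshot, and renders an entry in the timeline layout used in the challenge panels. The `Entry` class, the function names and the sample command line are constructed for the example.

```python
"""Evidence-log helper for the four documentation elements described above."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timezone

REQUIRED = ("timestamp", "command", "output", "context")

@dataclass
class Entry:
    timestamp: str                 # ISO-8601 with timezone, set when the action is logged
    command: str                   # the exact command line, flags included
    output: str                    # the key findings from the output, not just "ran it"
    context: str                   # why you ran it and what you concluded
    screenshots: dict[str, str] = field(default_factory=dict)  # filename -> caption

def new_entry(command: str, output: str, context: str,
              screenshots: dict[str, str] | None = None,
              when: datetime | None = None) -> Entry:
    """Create an entry stamped with the current UTC time unless `when` is given."""
    when = when or datetime.now(timezone.utc)
    return Entry(when.isoformat(timespec="seconds"), command, output, context, screenshots or {})

def missing_elements(entry: Entry) -> list[str]:
    """Name every element that is empty or unusable; an unlabeled screenshot counts too."""
    problems = [name for name in REQUIRED if not getattr(entry, name).strip()]
    if entry.timestamp.strip():
        try:
            datetime.fromisoformat(entry.timestamp)
        except ValueError:            # "yesterday afternoon" is a note, not a timestamp
            problems.append("timestamp")
    problems += [f"caption:{f}" for f, cap in entry.screenshots.items() if not cap.strip()]
    return problems

def render(entry: Entry, title: str) -> str:
    """Lay the entry out in the timeline style used in the challenge panels."""
    lines = [f"{entry.timestamp} - {title}", f"Command: {entry.command}",
             f"Result: {entry.output}", f"Context: {entry.context}"]
    lines += [f"[screenshot: {cap} - {f}]" for f, cap in entry.screenshots.items()]
    return "\n".join(lines)

# Constructed sample entries; they are not from the lesson's engagement.
WEAK = Entry("", "", "got a hash and cracked it", "", {"screenshot_001.png": ""})
GOOD = new_entry("example-scan --services 10.0.0.0/24",        # hypothetical command line
                 "Two hosts answering on the in-scope subnet",
                 "Ran because the scoping doc lists this subnet; follow up on both hosts",
                 {"scan_subnet.png": "scanner output listing the two hosts"},
                 when=datetime(2026, 3, 24, 14, 22, tzinfo=timezone.utc))
```

Running `missing_elements` over every entry before the report-writing phase starts tells you which actions still need a command line, a timestamp or a caption while the details are fresh.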

On the right, you’ll see two versions of documentation for the same finding from the Navigating Security Corp engagement. Identify which is the professional version and what’s missing from the other.

Challenge

Compare Documentation Quality

Both panels document the same Kerberoasting finding from the Navigating Security Corp engagement. One is professional-grade. The other has problems. Review both and answer the questions below.

Documentation A

Kerberoast attack successful. Got hash for svc_adbackup. Cracked it with hashcat — password was Backup2024!. Used it to get into DC01.

[screenshot_014.png]

Documentation B

2026-03-24 14:22 EST — Kerberoasting

Command: GetUserSPNs.py navigatingsecurity.corp/t.chigubhu -request -dc-ip 10.1.1.10

Result: Retrieved TGS ticket for svc_adbackup (SPN: WINSRV/svc-backup.navigatingsecurity.corp)

Cracking: hashcat -m 13100 tgs_hash.txt /usr/share/wordlists/rockyou.txt
Cracked in 6 minutes. Password: Backup2024!

Context: svc_adbackup holds DS-Replication-Get-Changes-All rights on the navigatingsecurity.corp domain root naming context. Compromising this account enables a DCSync attack — dumping all domain credential hashes including krbtgt without requiring interactive logon to DC01. This is a direct, two-step path from t.chigubhu (Domain Users) to full domain compromise.

[screenshot: GetUserSPNs output showing svc_adbackup SPN and hash — kerberoast_svc_adbackup.png]
[screenshot: DCSync rights confirmed in BloodHound — dcsync_rights_confirmed.png]

Question 1 of 2

Which version is professional-grade documentation?

Question 2 of 2

What is the most critical element missing from the weaker version?