Author Topic: pentesting data management  (Read 1032 times)

ba8y
pentesting data management
« on: July 29, 2014, 08:24:36 am »
Could you show me how to manage data during pentesting?
Text and directory are mine, and they tie me.


voodoo
Re: pentesting data management
« Reply #1 on: July 29, 2014, 08:35:53 am »
There are many methods to do this. It comes down to finding a software solution and method that makes sense to you. I would advise looking into BasKet or Dradis. Dradis is my personal favorite as it allows for easy collaboration.
keep it simple

Architect
Re: pentesting data management
« Reply #2 on: July 29, 2014, 06:36:38 pm »
@noncetonic: That setup is pretty interesting. For pentests and red teaming I used to have two different laptops. One was my home computer which was secured with a fingerprint scanner (not shitty Windows fp scanner but a real scanner hooked to it via USB which cost me a few hundred bucks) and a passphrase, as well as LUKS and the usual. My pentest machine was sort of the same thing but no fp scanner, just killallthehumans (GitHub is your friend if you don't know), which separated the shadow file from the actual system, making it impossible to use without a USB drive which contained a GPG encrypted shadow copy.


I also had a passphrase of 7 words, and Prey anti-theft. Prey was basically the only way to track my setup since I was using Tor for everything, and spoofing my MAC, and so no one but NSA could do much in the way of tracing MAC or whatever. This was to make my computer a stealthy pentest machine. Not to mention, when I had free time, I recompiled SSH etc. when allowed, so anybody who was nmapping my shit wouldn't find anything but the name, not the version. There was also a secure anti-fingerprint software I ran that killed any trace of history, logs included, that I defined in a userdb.task file.


I used this setup until a few years ago when my house was broken into and they stole everything... The laptop was probably DBAN'd and the fp scanner sold on eBay. I found some of my old hardware on random Craigslist ads and shit. Was a hard thing to see.

gray
Re: pentesting data management
« Reply #3 on: July 29, 2014, 09:42:38 pm »
Wow, you guys are using some interesting setups, I am going to borrow from your ideas in improving my own!

Although I am not a pentester (yet), I like BasKet Note Pads for note taking and keeping stuff organized. Dradis and MagicTree are also good alternatives; I personally haven't played with them much yet, but I've seen them used with teams, when multiple people need to share their findings.

I suppose where note taking applications are concerned, it all boils down to what you're comfortable with and how you like to organize your information.

ba8y
Re: pentesting data management
« Reply #4 on: July 30, 2014, 04:56:03 am »
Thanks for sharing.

@noncetonic:  "Within each client truecrypt archive I would create a folder for every portion of the pentest (internal, external, webapp, physical, etc.) that rested inside of a folder created for the year of the test (many clients want to be tested multiple times a year or at least once every year)."

This is a good idea. What I've done is to create a folder, e.g. "2014_07_07_CompanyName", and place everything (text, Burp Suite log, zip, pictures and so on) there without labels. It's hard to get useful information quickly when the data is big enough.

Now, [Metasploit] + [Dradis / MagicTree / Kvasir] is my choice. Dradis always saves the data as an attachment except for something supported, and what we need is visual data (e.g., text). MagicTree is so simple. Kvasir is complex to set up, and we need to redo it again and again when the workplace is changed.

@Architect: Your ideas can contribute to the "Anonymity" part.


[Clear structure] and [quick information search] are the keys.
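
The client / year / phase layout quoted in the last post, combined with a keyword search over the text artifacts, as an added example that is not part of the original thread. The function names, the set of searchable extensions and the sample files are assumptions, and `root` is assumed to be the mounted encrypted volume for the engagement data.

```python
import os
import tempfile
from pathlib import Path

# Phase names are from the quoted layout; the extension set is an assumption.
PHASES = ("internal", "external", "webapp", "physical")
TEXT_SUFFIXES = {".txt", ".md", ".log", ".xml", ".csv"}


def scaffold(root, client, year, phases=PHASES):
    """Create <root>/<client>/<year>/<phase>/, readable by the owner only."""
    year_dir = Path(root) / client / str(year)
    phase_dirs = [year_dir / p for p in phases]
    for d in phase_dirs:
        d.mkdir(parents=True, exist_ok=True)
    # chmod explicitly: mkdir's mode is filtered by the umask and is not
    # applied to parent directories it creates.
    for d in (year_dir.parent, year_dir, *phase_dirs):
        os.chmod(d, 0o700)
    return phase_dirs


def search(root, keyword, client="*", year="*", phase="*"):
    """Return (client, year, phase, file, line_no, line) per matching text line."""
    hits = []
    for phase_dir in sorted(Path(root).glob(f"{client}/{year}/{phase}")):
        if not phase_dir.is_dir():
            continue
        labels = phase_dir.relative_to(root).parts
        for f in sorted(phase_dir.rglob("*")):
            if not f.is_file() or f.suffix.lower() not in TEXT_SUFFIXES:
                continue  # archives, images and other binaries are skipped
            text = f.read_text(encoding="utf-8", errors="replace")
            for no, line in enumerate(text.splitlines(), 1):
                if keyword.lower() in line.lower():
                    hits.append((*labels, f.name, no, line.strip()))
    return hits


def demo():
    """Build a constructed sample tree in a temp dir, then search it."""
    with tempfile.TemporaryDirectory() as root:
        internal, external, webapp, physical = scaffold(root, "ExampleCorp", 2014)
        (webapp / "notes.txt").write_text("login form\nserver offers TLS 1.0\n")
        (internal / "hosts.txt").write_text("mail gateway: tls 1.0 enabled\n")
        (webapp / "proxy.zip").write_bytes(b"PK\x03\x04 tls")
        mode = webapp.stat().st_mode & 0o777
        return search(root, "tls"), search(root, "tls", phase="webapp"), mode
```

Each hit carries its client, year and phase labels, so results from repeat engagements with the same client stay distinguishable.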