# 12 - Reporting & Cleanup
# Overview
The final phase of any penetration test is twofold: reporting your findings to the client in a clear, actionable format, and cleaning up every artifact, account, backdoor, and tool deployed during the engagement. A brilliant technical compromise means nothing if the client cannot understand the risk and remediate it. A clean network after your test is a non-negotiable professional obligation.
This phase is what separates amateur hackers from professional penetration testers.
# Report Structure
A penetration test report typically follows this structure:
# 1. Executive Summary
- Audience: C-suite, non-technical stakeholders
- Length: 1-2 pages
- Content: High-level overview of the engagement, overall risk rating, key findings summary, business impact, and primary recommendations. No technical jargon. Use business language (e.g., "An attacker could access customer payment data" rather than "SQL injection in the checkout page allowed UNION SELECT extraction").
# 2. Methodology
- Audience: Technical managers, IT leadership
- Content: The approach taken during the test: reconnaissance, enumeration, exploitation, post-exploitation, and any constraints or scope limitations. Include the tools and frameworks used (OSSTMM, PTES, OWASP). This section builds credibility by showing a structured, professional approach.
# 3. Findings and Risk Ratings
- Audience: System administrators, developers, security engineers
- Content: Each vulnerability presented as a discrete finding with:
  - Finding ID / Title: Unique identifier and descriptive name
  - Risk Rating: Critical / High / Medium / Low / Informational (use CVSS or a consistent internal scale)
  - Description: What the vulnerability is, in plain English
  - Impact: What an attacker could achieve by exploiting it
  - Steps to Reproduce: Exact commands, URLs, and payloads used; must be reproducible by the client's team
  - Evidence: Screenshots, console output, proof-of-concept code
  - Remediation: Specific, actionable steps to fix the vulnerability (not a generic "patch your systems")
# 4. Attack Narrative / Kill Chain
- Audience: Technical and management
- Content: A chronological walkthrough of the most significant attack path(s), showing how individual vulnerabilities were chained together to achieve compromise. This demonstrates the compounding risk of multiple findings.
# 5. Remediation Roadmap
- Audience: IT leadership, project managers
- Content: Prioritized remediation actions organized by criticality and effort. Short-term (immediate patching, configuration changes), medium-term (architecture changes, tooling), and long-term (training, policy, process improvements) recommendations.
# 6. Appendices
- Content: Full tool output, raw scan results, detailed network maps, compromised accounts list, all screenshots, and any additional supporting evidence.
# Cleanup Checklist
Every artifact created during the test must be removed. Use this checklist:
# Accounts and Credentials
| Artifact | Removal Action |
|---|---|
| User accounts created during testing | Disable and/or delete the account. Document the username. |
| SSH keys added to authorized_keys | Remove the specific public key entry. Verify with cat ~/.ssh/authorized_keys. |
| Password changes | Revert to the original password (or have the client reset it). |
| Kerberos tickets (Golden/Silver) | Tickets expire, but note that krbtgt hash compromise requires a password reset (twice). |
# Files and Tools
| Artifact | Removal Action |
|---|---|
| Tools/scripts copied to target | Delete from all directories. Check /tmp, C:\Temp, C:\Users\Public. |
| Web shells placed on servers | Delete the file. Verify the web server no longer serves it. |
| Staging directories for exfiltration | Delete the directories and all contents. |
| Exploit binaries (e.g., mimikatz) | Delete. Check alternate data streams (ADS) on Windows. |
| Compiled payloads (meterpreter, etc.) | Delete. |
| Log files created by tools | Delete tool output and log files. |
# System Modifications
| Artifact | Removal Action |
|---|---|
| Scheduled tasks (schtasks, cron, systemd timers) | Remove each task. Verify with schtasks /query or crontab -l. |
| Services created (sc create) | Stop, then delete the service. |
| Registry modifications (Run keys, WMI subscriptions) | Revert to the original state. Delete WMI event filters and consumers. |
| SUID binaries deployed | Delete the binary. |
| DLLs dropped (DLL hijacking, AppInit) | Delete the DLL and revert any config changes. |
| Accessibility feature backdoors (sethc, utilman) | Restore the original binaries from a C:\Windows\System32 backup or a clean source. |
| Firewall rule changes | Revert to the original configuration. |
| ACL modifications (AdminSDHolder, ACL-based persistence) | Revert to the pre-test state. Document original ACLs before modifying. |
# Network and Connectivity
| Artifact | Removal Action |
|---|---|
| Reverse shell listeners / C2 connections | Terminate all active connections. Kill listener processes. |
| SSH tunnels / SOCKS proxies | Terminate all tunnels. Remove port forwarding configurations. |
| DNS tunneling infrastructure | Shut down the DNS server; remove domain/NS record delegations. |
# Log Files (Client-Actionable)
Recommendations:
- Advise the client to review and preserve logs from the test period for incident response review.
- Recommend that the client rotate any credentials that were exposed or compromised during testing.
- If Kerberos tickets were forged (golden ticket), recommend a double krbtgt password reset to invalidate all existing tickets.
# Verification
After cleanup, verify completeness:
- Revisit each compromised host (if still accessible) and confirm no artifacts remain
- Run the enumeration scripts again (winpeas, linpeas) and verify no findings were introduced by your testing
- Check for lingering sessions: quser (Windows), who / w (Linux)
- Review your notes: cross-reference every file you created, account you added, and configuration you changed
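The last step, cross-referencing your notes against each host, is easier if the notes are kept as a machine-readable manifest. As an added example (not from the original notes), the checker below takes such a manifest and reports which entries are still present on a Linux host. The manifest and the host snapshot are constructed; the snapshot_local_host helper shows how the same shape is read from a real machine (assumed: Linux, crontab installed, keys in the current user's authorized_keys).

```python
import os
import subprocess

# Constructed manifest: one entry per artifact the tester created during the test.
MANIFEST = [
    {"type": "file", "path": "/tmp/linpeas.sh"},
    {"type": "file", "path": "/var/www/html/uploads/cmd.php"},
    {"type": "user", "name": "svc_backup2"},
    {"type": "ssh_key", "comment": "pentest@tester-box"},
    {"type": "cron", "marker": "/dev/shm/.update.sh"},
]

# Constructed host snapshot standing in for /etc/passwd, the target user's
# authorized_keys, the output of crontab -l, and the set of manifest files present.
HOST = {
    "passwd": "root:x:0:0:root:/root:/bin/bash\nwww-data:x:33:33::/var/www:/usr/sbin/nologin\n",
    "authorized_keys": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNotARealKey pentest@tester-box\n",
    "crontab": "# m h dom mon dow command\n*/5 * * * * /dev/shm/.update.sh\n",
    "files": {"/var/www/html/uploads/cmd.php"},
}

def remaining_artifacts(manifest, host):
    """Return the manifest entries that are still present in the host snapshot."""
    users = {line.split(":", 1)[0] for line in host["passwd"].splitlines() if line}
    keys = [line for line in host["authorized_keys"].splitlines() if line.strip()]
    jobs = [line for line in host["crontab"].splitlines()
            if line.strip() and not line.lstrip().startswith("#")]
    left = []
    for entry in manifest:
        kind = entry["type"]
        if kind == "file" and entry["path"] in host["files"]:
            left.append(entry)
        elif kind == "user" and entry["name"] in users:
            left.append(entry)
        elif kind == "ssh_key" and any(entry["comment"] in k for k in keys):
            left.append(entry)
        elif kind == "cron" and any(entry["marker"] in j for j in jobs):
            left.append(entry)
    return left

def snapshot_local_host(manifest):
    """Same shape as HOST, read from the Linux machine this runs on (assumption)."""
    with open("/etc/passwd") as f:
        passwd = f.read()
    keys_path = os.path.expanduser("~/.ssh/authorized_keys")
    keys = open(keys_path).read() if os.path.exists(keys_path) else ""
    cron = subprocess.run(["crontab", "-l"], capture_output=True, text=True).stdout
    files = {e["path"] for e in manifest if e["type"] == "file" and os.path.exists(e["path"])}
    return {"passwd": passwd, "authorized_keys": keys, "crontab": cron, "files": files}
```

Run remaining_artifacts(MANIFEST, snapshot_local_host(MANIFEST)) on each host from the manifest; an empty list is the result you want before the report goes out, and anything else goes back on the cleanup list.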
# What's in This Section
| File | Covers |
|---|---|
| reporting-cleanup-guide.md | Detailed report writing templates for each section, risk rating matrices (CVSS v3.1, custom scales), evidence collection best practices (screenshots, terminal logs, video capture), finding write-up templates, remediation recommendation language, executive summary writing tips, complete cleanup checklists with verification procedures, client communication templates, lessons-learned documentation |
# Cross-References
All previous phases feed findings into this section. Every exploit, every credential captured, every lateral movement step, and every privilege escalation becomes a paragraph or finding in the report.
# Key Principle
The report is the product. The client hired you for the report, not for the hack. A penetration test without a clear, professional report is just a break-in. A report that clearly explains impact and remediation, backed by reproducible evidence, is what transforms a technical exercise into business value. And a network left exactly as you found it (minus the identified vulnerabilities) is the bare minimum of professional conduct.