Note Taking for Hackers

Hacking is a loop of information gathering, attack planning, and attack excution, then more information gaterhing, planning, and executing. Keeping track of all the information can be challanging at times. There’s multiple schools of thought here but on in particular that I like to use. Mind Mapping.

Why is Note Taking Important

Note taking is in my opinioins one of the most important steps in the information gathering process when starting an attack. The goal of information gathering is to enumerate the attack surface and find possilbe vulnerabilities. It also helps you remember where you were if you have to walk away from a hack and come back to it later.

Types of Note Takeing Tools

No matter how you like to take notes it is important that they are organized. Whether that be a node based scheme like CherryTree, Zim, or Microsoft Onenote, a mind map style like xmind, or the nextcloud mindmap app, or just a folder with text files that you can easily grep through. In any case organization is key to be able to quickly find the information you want and need. I personally use the mindmap style, nextcloud’s if I’m online, and xmind if I’m not, so in the next section I’ll go over what I do when poking at a box.

How I Take Notes

Folder Structure

First it’s important to see the folder structure I have for Hacking stuff in general. I keep it synced on next cloud so I can save my notes and everything acrossed all my computers. The first folder is just called “Hacking” and is kept in my nextcloud folder to ensure it gets synced. I then have two folders inside, one for tools, and one for notes tips and tricks. I’ll focus on the notes tips and tricks folder for now.
Inside the notes tips and tricks folder I have a few more to categorize the type of notes I keep. Notes for Certs, Notes for CTFs, and Notes for Real World. I’ll focus on the CTF folder, but they’re all layed out similiarly. Inside the CTF folder I have a folder for each CTF platform I participate in, and inside those a folder for each machine/challange. For example in the HTB folder I have a folder for the machine passage. Inside each challange/machine folder I have 2 folders, one for exploits and one for notes. I’ll keep any exploits I find that work or that I’m testing in the exploit folder, and all my notes including my nmap scan in the notes folder, that’s also where I keep my mind map. So now let’s talk about the mind map

Mindmap Structure

I create a new mindmap through which ever tool I’m going to use, usually Nextcloud’s mindmap app. As the primary node I have either the ip address or hostname of what I’m currently attacking. off of that I have 3 child nodes, ports open, users, and L00T.

Off of Ports Open I have a new node for each port I discovered and off of that I have the name of the service running on that port, or in the case of webservers the web technology running on that port. off of that I have nodes for what ever I find. For example if I find an RCE exploit for that web technology, I’d create a new node called RCE Exploit and add a note to it that contains the URL to the exploit I discovered. Then after I run the exploit I’d create a new node called Loot where I’d store any useful information in the form of a note. For example I’d store any password hashes I find, as well as their cracked contenets if I can crack them.

Off of the Users Node I’d create a new node for each user I discover, and if I find any useful information about the user, or that I can use I’ll put in on that node in the form of a note. For exmaple if I find out that Paul has a private SSH key I’ll keep that as a note.

Off of the L00T node I have a new node for each type of loot I get, for example if I find ssh keys like above I’d create a node for ssh keys, then a node for each user I found ssh keys for. Then on the user node off of the sshkeys node I’d create a note and copy the sshkeys into it. this is illustrated in the screen shot below: CTF_MindMap

The notes I mention are attached to nodes, which display this icon


and the notes look like this on the left hand side:


For Real World Pentests

Real world pentests I come at a bit differently that just CTFs. I use the same principals, but the mindmap has to be able to contain all my notes so I have it set up a bit differently, basically what I did for CTFs still holds true, excpet that’s for each computer I start poking at instead of the primary node. see the screenshot below. Real_World_MindMap

Bringing it Back to Hacking

Well this whole thing was about hacking…. so there’s nothing really to bring it back to besides to say note taking should be an integrated part of your methodolgy and even when you don’t think you’ll need to take notes you should still do it just to get the repition in and to practice good practices making it muscle memory. Sorry that one was a bit short, especially after such a long gap inbetween posts. Trust me my next one is going to have much much more content. It’s going to intoduce the basic idea behind one of the two major projects I’m working on. The first one being a flaw in Windows that allows for full AV bypass, the second one being a stealthy way to port scan servers of interest on the network without tripping IPS/IDS sensors. Neither project