Lab Workflow

A systematic approach to lab practice accelerates learning
Randomly running tools without a methodology wastes time. This workflow gives you a repeatable framework for every lab engagement.

The Methodology

Reconnaissance -> Enumeration -> Exploitation -> Post-Exploitation -> Reporting

Phase 1: Reconnaissance

Gather information about the target, first passively (no direct interaction with it), then actively once you have an address:

# Passive recon
whois target.com
dig target.com ANY
nslookup target.com
theHarvester -d target.com -b google

# Active recon (once you have an IP address)
nmap -sn 192.168.100.0/24       # Host discovery
nmap -sV -O target               # Version and OS detection
nmap -sC target                  # Default scripts
nmap -p- target                  # Full port scan (65535 ports)

Phase 2: Enumeration

Deep dive into discovered services:

# Web service (port 80/443)
gobuster dir -u http://target -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
nikto -h http://target
whatweb target

# SMB (port 445)
smbclient -L //target -N
enum4linux target
crackmapexec smb target

# SSH (port 22)
ssh-audit target
hydra -l root -P passwords.txt ssh://target

# Database (port 3306/1433)
mysql -h target -u root -p
sqsh -S target -U sa

Phase 3: Exploitation

Exploit the vulnerabilities found during enumeration:

# Manual exploitation
searchsploit apache 2.4.49        # Search for exploit
python exploit.py target 80       # Run exploit

# Metasploit
msfconsole
search apache 2.4.49
use exploit/multi/http/apache_normalized_path
set RHOSTS target
run

# Manual exploit development
# (if no public exploit exists)

Phase 4: Post-Exploitation

After gaining initial access:

# Linux post-exploitation
whoami && id
hostname && ip addr show
uname -a && cat /etc/os-release
sudo -l                         # Check sudo privileges
cat /etc/shadow                 # Dump hashes
find / -perm -4000 -type f 2>/dev/null  # SUID enumeration (discard permission errors)
ps aux                          # Running processes
crontab -l                      # Scheduled tasks

# Windows post-exploitation
whoami /all
ipconfig /all
systeminfo
net user
net localgroup administrators
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Phase 5: Reporting

Document everything to reinforce learning:

Target: 192.168.100.10 (Metasploitable 2)
Date: 2025-01-15

Recon:
  - Open ports: 21, 22, 23, 80, 445, 3306
  - OS: Linux 2.6.x

Enumeration:
  - Port 21: vsftpd 2.3.4 (CVE-2011-2523)
  - Port 80: Apache 2.2.8 (PHP/5.2.4)
  - Port 445: Samba 3.0.20 (CVE-2007-2447)

Exploitation:
  - Used: vsftpd 2.3.4 backdoor (CVE-2011-2523)
  - Command: exploit/unix/ftp/vsftpd_234_backdoor
  - Result: Root shell gained

Post-Exploitation:
  - Collected: /etc/shadow, /var/log/auth.log
  - Persistence: Added SSH key
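
As an added example (not part of the original page), a small Python helper that turns the `nmap -sV -O -oN recon.txt` output from Phase 1 into this Phase 5 skeleton, so the recon facts are recorded mechanically and only the CVE mapping remains a hand-written judgement. The scan text is constructed to mirror the report above, and `parse_nmap_normal` and `render_report` are names chosen here.

```python
import re

# Constructed sample of `nmap -sV -O -oN recon.txt` output, modelled on the
# Phase 5 report above (not a real capture). The filtered port is there to
# check that non-open ports are left out of the rendered report.
SAMPLE_ONM = """\
# Nmap 7.94 scan initiated Wed Jan 15 10:00:00 2025 as: nmap -sV -O -oN recon.txt 192.168.100.10
Nmap scan report for 192.168.100.10
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
139/tcp  filtered netbios-ssn
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
OS details: Linux 2.6.9 - 2.6.33
"""

# port/proto  state  service  [version ...]  (version is absent for non-open ports)
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_nmap_normal(text):
    """Parse a single-host -oN file into {'target', 'os', 'services'}; non-open
    ports are kept so the caller decides what to report."""
    scan = {"target": "", "os": "", "services": []}
    for line in text.splitlines():
        if line.startswith("Nmap scan report for "):
            scan["target"] = line.split(" for ", 1)[1].strip()
        elif line.startswith("OS details: "):
            scan["os"] = line[len("OS details: "):].strip()
        elif m := PORT_RE.match(line):
            port, proto, state, name, version = m.groups()
            scan["services"].append({"port": int(port), "proto": proto, "state": state,
                                     "name": name, "version": (version or "").strip()})
    return scan

def render_report(scan, date):
    """Emit the Phase 5 skeleton with recon facts filled in; CVE mapping stays manual."""
    open_svcs = [s for s in scan["services"] if s["state"] == "open"]
    lines = [f"Target: {scan['target']}", f"Date: {date}", "", "Recon:",
             "  - Open ports: " + ", ".join(str(s["port"]) for s in open_svcs),
             f"  - OS: {scan['os'] or 'not fingerprinted'}", "", "Enumeration:"]
    lines += [f"  - Port {s['port']}: {s['version'] or s['name']} (CVEs: verify by hand)"
              for s in open_svcs]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(render_report(parse_nmap_normal(SAMPLE_ONM), "2025-01-15"))
```

Run it against the real recon.txt from the Practice Workflow Template and paste the result into the engagement log, then fill in the Exploitation and Post-Exploitation sections by hand.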

Practice Workflow Template

#!/bin/bash
# Lab practice template: start a Markdown engagement log and record recon in it
set -euo pipefail

target="${1:?usage: $0 <target>}"
logfile="engagement-$(date +%Y%m%d-%H%M).md"

{
  echo "# Engagement Log"
  echo "## Target: $target"
  echo "## Started: $(date)"
} > "$logfile"

# Phase 1: Recon (-O needs root; the scan output is appended to the log as a code block)
nmap -sV -O "$target" -oN recon.txt 2>/dev/null
{
  echo "## Recon Results"
  echo '```'
  cat recon.txt
  echo '```'
} >> "$logfile"

Time Management

  • 30-40% of time on enumeration
  • 30% on exploitation
  • 20% on post-exploitation
  • 10-20% on reporting
  • If stuck for 30+ minutes on one approach, pivot and return