Lab 1 Identify Open Ports and Services

Tool Used

Nmap

Objective

Discover open ports and services running on a target system.

Setup Conditions

  • Attacker machine (Kali Linux recommended)

  • Target machine (e.g., Metasploitable2, vulnerable Ubuntu server)

  • Both machines should be on the same network or routed properly

Steps

  1. Launch a terminal on the attacker machine.

  2. Run the command: nmap -sV 192.168.1.100

    • -sV enables version detection.

  3. Observe the output to identify open ports and services.

Example Output Analysis

  • Port 22/tcp open ssh OpenSSH 7.4

  • Port 80/tcp open http Apache httpd 2.4.18

Case Study

  • Scenario: Assessing a small business web server.

  • Action: Run nmap -sV and detect Apache 2.4.18 on port 80.

  • Next Step: Search for vulnerabilities in this version via Exploit-DB or searchsploit.

  • Result: Identify a relevant CVE for future exploitation.

Key Takeaway

Port scanning and service enumeration are foundational to penetration testing.


Lab 2 Detect Target Operating System

Tool Used

Nmap

Objective

Identify the operating system of the target machine.

Setup Conditions

Same as Lab 1

Steps

Run: sudo nmap -O 192.168.1.100

  • -O enables OS detection. It relies on raw packet probes, so it needs root privileges (hence sudo).

Example

  • Detected OS: Windows XP SP3

Case Study

  • You detect Windows XP and plan to exploit MS08-067 using Metasploit.

Key Takeaway

Knowing the OS helps tailor exploits and reduce risk.
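Labs 1 and 2 both end with reading nmap output by eye. The following Python example, added here and not part of the original lab text, parses the XML that nmap writes with -oX (for instance nmap -sV -O -oX scan.xml 192.168.1.100) and turns it into an inventory check: every open port is compared with a baseline of services the owner expects, and the top OS match is checked against a short list of end-of-life operating systems. The XML sample, the baseline and the end-of-life list are constructed for the example; only the element and attribute names follow nmap's real schema.

```python
"""Parse nmap -sV/-O XML output and compare it against an approved-exposure baseline."""
import xml.etree.ElementTree as ET

# Constructed sample of the XML nmap emits with -oX. It mirrors the services from Lab 1
# and the OS match from Lab 2, plus one extra port (445) that is NOT in the baseline below.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -O -oX - 192.168.1.100">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.1.100" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.4" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.18" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open" reason="syn-ack"/>
        <service name="microsoft-ds" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="closed" reason="reset"/>
      </port>
    </ports>
    <os>
      <osmatch name="Microsoft Windows XP SP3" accuracy="97" line="12345"/>
    </os>
  </host>
</nmaprun>
"""

# Constructed baseline: the (port, protocol) pairs the system owner expects to be reachable.
BASELINE = {"192.168.1.100": {(22, "tcp"), (80, "tcp")}}

# Constructed shortlist of OS families that no longer receive security updates.
EOL_OS_MARKERS = ("Windows XP", "Windows 2000", "Windows Server 2003")


def parse_hosts(xml_text):
    """Return {ip: {"os": (name, accuracy) or None, "ports": [(port, proto, name, product, version)]}}.

    Only ports whose <state> is "open" are kept; nmap lists <osmatch> entries best-first,
    so the first one is taken as the OS guess.
    """
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            ports.append((
                int(port.get("portid")),
                port.get("protocol"),
                svc.get("name", "") if svc is not None else "",
                svc.get("product", "") if svc is not None else "",
                svc.get("version", "") if svc is not None else "",
            ))
        matches = host.findall("os/osmatch")
        best = (matches[0].get("name"), int(matches[0].get("accuracy"))) if matches else None
        hosts[addr.get("addr")] = {"os": best, "ports": sorted(ports)}
    return hosts


def unexpected_exposure(hosts, baseline):
    """Return {ip: [port tuples that are open but absent from the baseline]}."""
    findings = {}
    for ip, info in hosts.items():
        allowed = baseline.get(ip, set())
        findings[ip] = [p for p in info["ports"] if (p[0], p[1]) not in allowed]
    return findings


def end_of_life_hosts(hosts):
    """Return the IPs whose best OS match names an end-of-life operating system."""
    return [ip for ip, info in hosts.items()
            if info["os"] and any(marker in info["os"][0] for marker in EOL_OS_MARKERS)]


if __name__ == "__main__":
    inventory = parse_hosts(SAMPLE_NMAP_XML)
    for ip, extra in unexpected_exposure(inventory, BASELINE).items():
        for port, proto, name, product, version in extra:
            print(f"{ip}: unexpected {port}/{proto} {name} {product} {version}".rstrip())
    for ip in end_of_life_hosts(inventory):
        print(f"{ip}: end-of-life OS detected: {inventory[ip]['os'][0]}")
```

Running the script against a real scan is a matter of replacing SAMPLE_NMAP_XML with the contents of the -oX file; the baseline is the part that has to come from the system owner, because "open port 445" only means something once you know whether SMB was supposed to be reachable at all.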


Lab 3 Discover Hidden Web Directories

Tool Used

Gobuster

Objective

Identify hidden directories on a web server.

Setup Conditions

  • Target running HTTP server

Steps

Run:
gobuster dir -u http://192.168.1.100 -w /usr/share/wordlists/dirb/common.txt

Example

  • Discovered: /admin/ directory

Case Study

  • Finding /admin/login.php sets up a future brute-force attempt.

Key Takeaway

Directory enumeration reveals hidden entry points in web apps.
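A directory brute-force like the one in Lab 3 leaves a distinctive trace on the server: one client producing a burst of 404 responses for paths nobody links to. The Python example below, added here and not part of the original lab text, parses Apache/nginx combined-format access log lines and flags any client whose count of 404s inside a sliding time window exceeds a threshold. The log lines, the client addresses, the wordlist-style paths and the "gobuster/3.6" User-Agent string are all constructed for the example; the threshold and window are tuning parameters, not values from the page.

```python
"""Detect wordlist-driven directory enumeration from web server access logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format: client ident user [timestamp] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path, status (int); None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {ip: (peak_404s_in_one_window, first_five_missing_paths)} for clients over threshold.

    For each client the 404 timestamps are sorted and a two-pointer sweep finds the
    largest number of 404s that fit inside `window`; a normal browser produces a few
    404s (favicon, stale links), a wordlist scanner produces hundreds per minute.
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            per_ip[rec["ip"]].append((rec["ts"], rec["path"]))
    alerts = {}
    for ip, events in per_ip.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = (peak, [path for _, path in events[:5]])
    return alerts


def constructed_log():
    """Constructed sample: 12 wordlist misses from one client, then its hit on /admin/,
    plus a normal client that only missed favicon.ico."""
    base = datetime(2024, 5, 1, 9, 0, 0, tzinfo=timezone.utc)
    stamp = lambda s: (base + timedelta(seconds=s)).strftime("%d/%b/%Y:%H:%M:%S %z")
    misses = ["/cgi-bin/", "/images/", "/backup/", "/test/", "/old/", "/uploads/",
              "/config/", "/tmp/", "/db/", "/private/", "/secret/", "/dev/"]
    lines = [f'192.168.1.50 - - [{stamp(i)}] "GET {p} HTTP/1.1" 404 196 "-" "gobuster/3.6"'
             for i, p in enumerate(misses)]
    lines.append(f'192.168.1.50 - - [{stamp(12)}] "GET /admin/ HTTP/1.1" 200 1024 "-" "gobuster/3.6"')
    lines.append(f'192.168.1.77 - - [{stamp(12)}] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"')
    lines.append(f'192.168.1.77 - - [{stamp(13)}] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for ip, (peak, sample) in detect_bruteforce(constructed_log()).items():
        print(f"{ip}: {peak} x 404 within 60s, e.g. {', '.join(sample)}")
```

The 404 count is deliberately used instead of the User-Agent string, since a scanner's UA is trivially changed while the burst of misses is inherent to wordlist enumeration; in production the same sweep runs over the live access log tail or a SIEM export.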


Lab 4 Vulnerability Scan with Nessus

Tool Used

Nessus

Objective

Scan for vulnerabilities in exposed services.

Setup Conditions

  • Nessus installed and configured

Steps

  1. Start a full scan on the target IP

  2. Review the vulnerability report

Example

  • SSLv3 detected → POODLE vulnerability (CVE-2014-3566)

Case Study

  • Use scan results to prepare for downgrade attack.

Key Takeaway

Automated scans quickly uncover security weaknesses.
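Step 2 of Lab 4, reviewing the report, is where a scan pays off, and a full Nessus export is rarely read top to bottom. The Python example below, added here and not part of the original lab text or of Nessus itself, parses the .nessus (NessusClientData_v2) export format and triages findings by severity so that the POODLE item from the example stands out with its CVE and remediation text. The report XML is constructed for the example: plugin IDs are placeholders, the plugin names are invented labels, and only CVE-2014-3566 comes from the page; the element and attribute names follow the real export schema.

```python
"""Triage a Nessus .nessus export: list findings above a severity floor, with CVEs and fixes."""
import xml.etree.ElementTree as ET

# Nessus severity attribute values and their meaning.
SEVERITY_LABELS = {0: "info", 1: "low", 2: "medium", 3: "high", 4: "critical"}

# Constructed .nessus export. pluginID values are placeholders (00001..00003), not real plugin IDs.
SAMPLE_NESSUS = """<NessusClientData_v2>
<Report name="lab-scan">
<ReportHost name="192.168.1.100">
<HostProperties><tag name="host-ip">192.168.1.100</tag></HostProperties>
<ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0" pluginID="00001"
            pluginName="SSH Server Type and Version (constructed)" pluginFamily="Service detection">
<plugin_output>OpenSSH 7.4</plugin_output>
</ReportItem>
<ReportItem port="443" svc_name="www" protocol="tcp" severity="2" pluginID="00002"
            pluginName="SSLv3 enabled, POODLE (constructed)" pluginFamily="General">
<cve>CVE-2014-3566</cve>
<risk_factor>Medium</risk_factor>
<solution>Disable SSLv3 and require TLS 1.2 or later.</solution>
</ReportItem>
<ReportItem port="80" svc_name="www" protocol="tcp" severity="3" pluginID="00003"
            pluginName="Outdated Apache httpd build (constructed)" pluginFamily="Web Servers">
<risk_factor>High</risk_factor>
<solution>Upgrade to a supported Apache httpd release.</solution>
</ReportItem>
</ReportHost>
</Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """Return a list of finding dicts: host, port, protocol, severity, name, cves, solution."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.findall("Report/ReportHost"):
        for item in host.findall("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port")),
                "protocol": item.get("protocol"),
                "severity": int(item.get("severity")),
                "name": item.get("pluginName"),
                "cves": [c.text for c in item.findall("cve")],
                "solution": (item.findtext("solution") or "").strip(),
            })
    return findings


def triage(findings, min_severity=2):
    """Keep findings at or above min_severity, worst first (then by host and port)."""
    kept = [f for f in findings if f["severity"] >= min_severity]
    return sorted(kept, key=lambda f: (-f["severity"], f["host"], f["port"]))


def host_summary(findings):
    """Return {host: {severity_label: count}} so each asset's exposure can be read at a glance."""
    summary = {}
    for f in findings:
        label = SEVERITY_LABELS.get(f["severity"], "unknown")
        summary.setdefault(f["host"], {})
        summary[f["host"]][label] = summary[f["host"]].get(label, 0) + 1
    return summary


if __name__ == "__main__":
    all_findings = parse_nessus(SAMPLE_NESSUS)
    print(host_summary(all_findings))
    for f in triage(all_findings):
        cves = ", ".join(f["cves"]) or "no CVE"
        print(f"[{SEVERITY_LABELS[f['severity']]}] {f['host']}:{f['port']}/{f['protocol']} "
              f"{f['name']} ({cves}) -> {f['solution']}")
```

Reading the report this way keeps the remediation text next to each finding, so the output doubles as the fix list handed back to the system owner rather than just a list of things to exploit.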


Lab 5 Exploit SMB (EternalBlue)

Tool Used

Metasploit
Metasploit module: exploit/windows/smb/ms17_010_eternalblue

Objective

Gain remote access via a vulnerable SMB service.

Setup Conditions

  • Target: Windows 7 with SMB vulnerability

Steps

  1. Launch Metasploit

  2. Set exploit parameters: set RHOST 192.168.1.20 (current Metasploit releases name this option RHOSTS; RHOST is accepted as an alias)

  3. Run the exploit

Example

  • Result: Meterpreter session opened

Case Study

  • Internal test finds outdated SMB service → exploit → access

Key Takeaway

Legacy vulnerabilities like EternalBlue remain a threat if unpatched.


Lab 6 Exploit Apache Struts Vulnerability

Tool Used

Metasploit
Metasploit module: exploit/multi/http/struts2_content_type_ognl

Setup Conditions

  • Apache Struts version 2.3.15.1 running on target

Steps

  1. Load the Metasploit module

  2. Set URI and RHOST

  3. Launch the exploit

Case Study

  • Exploiting Apache Struts leads to remote code execution.

Key Takeaway

Outdated frameworks often contain critical vulnerabilities.


Lab 7 Capture NTLM Hashes with Responder

Tool Used

Responder

Setup Conditions

  • Attacker and victim on same broadcast domain

Steps

  1. Run: python Responder.py -I eth0 (python3 on current Responder releases)

  2. Wait for a name resolution request

  3. Capture the NTLM hash

Case Study

  • A misconfigured host leaks NTLM hash when resolving fileserver.local

Key Takeaway

Misconfigurations can leak credentials without direct exploitation.
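The misconfiguration Lab 7 relies on is a host that answers LLMNR name lookups it has no business answering. A defender can test for that condition directly: send an LLMNR query for a random name that cannot exist on the network, and any host that replies is poisoning name resolution. The Python example below, added here and not part of the original lab text or of Responder, builds the LLMNR query packet (RFC 4795, the DNS wire format on UDP 5355 to 224.0.0.252), parses any A-record answers, and reports the source of each reply. The constructed response builder exists only so the parser can be exercised offline; the bogus name, transaction ID and reply address in the test are made up.

```python
"""Detect an LLMNR poisoner by querying a name that cannot exist and watching for answers."""
import random
import socket
import string
import struct

LLMNR_GROUP = "224.0.0.252"   # LLMNR IPv4 multicast group
LLMNR_PORT = 5355


def encode_name(name):
    """DNS-style label encoding: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_llmnr_query(name, txid):
    """Header (id, flags=0, QDCOUNT=1, AN/NS/AR=0) followed by one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def _skip_name(data, off):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer occupies two bytes
            return off + 2
        off += 1 + length


def parse_llmnr_answers(data, expected_txid):
    """Return the IPv4 addresses in a response to our query; [] if not a matching response."""
    if len(data) < 12:
        return []
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid or not flags & 0x8000:   # QR bit must be set on a response
        return []
    off = 12
    for _ in range(qdcount):
        off = _skip_name(data, off) + 4            # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(rdata))
    return answers


def constructed_response(txid, name, ip):
    """Constructed reply in the shape a responding host sends, used to test the parser offline."""
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 30, 4) + socket.inet_aton(ip)
    return header + question + answer


def random_bogus_name(length=12):
    """A random lowercase hostname; nothing legitimate should answer for it."""
    return "".join(random.choice(string.ascii_lowercase) for _ in range(length))


def probe_for_poisoner(timeout=2.0):
    """Send one bogus-name query and return [(source_ip, queried_name, answered_ips)] for every reply."""
    txid = random.randrange(0x10000)
    name = random_bogus_name()
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    hits = []
    try:
        sock.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        while True:
            data, (src, _port) = sock.recvfrom(1024)
            ips = parse_llmnr_answers(data, txid)
            if ips:
                hits.append((src, name, ips))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return hits


if __name__ == "__main__":
    for src, name, ips in probe_for_poisoner():
        print(f"{src} answered LLMNR query for nonexistent name {name!r} with {ips}")
```

Run periodically from a monitoring host, an empty result is the expected state; a reply means someone on the broadcast domain is answering names they do not own, which is exactly the condition the lab's attacker depends on. The lasting fix is to disable LLMNR (and NBT-NS) via group policy so the leak in the case study cannot happen at all.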


Frequently Asked Questions

What tools do I need for beginner-level pentesting tasks?

Nmap, Wireshark, Metasploit, Hydra, and Gobuster are essential tools. They're pre-installed in Kali Linux and ideal for learning.

How do I build a safe lab environment?

Use VirtualBox or VMware to run Kali Linux and vulnerable machines like Metasploitable or DVWA in a private network.

Is it legal to perform these attacks on public networks?

No, penetration testing must be done with explicit permission. Always use a legal lab environment.

What common errors should I avoid in pentesting?

Avoid skipping recon, blindly launching attacks, or forgetting to document findings and timestamps.

How can I move from intermediate to advanced pentesting?

After mastering the basics, study binary exploitation, exploit development, and red team tactics with tools like Cobalt Strike.


Conclusion

These 7 guided penetration testing exercises are perfect for learners advancing through beginner and intermediate levels. Each task simulates real-world scenarios in a secure lab, helping learners build essential skills for ethical hacking. Continue to practice responsibly and document your findings to become a proficient penetration tester.