Professional penetration testing follows a repeatable methodology that protects both the tester and the client. Today you set up your lab environment, learn the industry-standard phases, and understand the legal frameworks that govern the work.
The Penetration Testing Execution Standard (PTES) defines seven phases: pre-engagement, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, and reporting. OWASP's Testing Guide adds web-specific methodology. Following a standard ensures consistency across engagements and demonstrates professionalism to clients.
Kali Linux is the industry-standard attack distribution, with 600+ pre-installed security tools. Set it up in VirtualBox with a host-only adapter for isolation. Create snapshots before each exercise. Complement Kali with a Windows 10 victim VM and Metasploitable 2 for a complete lab. The VulnHub site offers hundreds of downloadable vulnerable VMs.
Before any testing, define: in-scope IP ranges and domains, out-of-scope systems, testing window (dates/times), escalation contacts, and what to do if you find critical issues mid-test. The Rules of Engagement (RoE) document is your legal protection. Without it, penetration testing is computer crime.
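The scope, exclusion and testing-window items above can be enforced mechanically before any tool runs. The following is an added example, not part of the original lesson: a POSIX shell guard whose ranges, window and function names (`ip_to_int`, `in_cidr`, `roe_allows`) are constructed for a host-only lab and should be replaced with the values from your signed RoE.

```sh
#!/bin/sh
# Added example: fail-closed RoE scope check. All values below are constructed.
IN_SCOPE="192.168.56.0/24 10.10.20.0/28"            # in-scope ranges (CIDR)
OUT_OF_SCOPE="192.168.56.1/32 192.168.56.100/32"    # exclusions always win
WINDOW_START=203001141800                           # YYYYMMDDHHMM, local time
WINDOW_END=203001180600

# Print a dotted-quad IPv4 address as an integer; fail on malformed input.
ip_to_int() {
    case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0?*|????*) return 1 ;; esac    # no leading zeros (octal)
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Succeed if IPv4 address $1 lies inside CIDR block $2.
in_cidr() {
    ip=$(ip_to_int "$1") || return 1
    net=$(ip_to_int "${2%/*}") || return 1
    bits=${2#*/}
    case "$bits" in ''|*[!0-9]*|0?*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    [ "$bits" -eq 0 ] && return 0
    mask=$(( (4294967295 << (32 - $bits)) & 4294967295 ))
    [ $(( $ip & $mask )) -eq $(( $net & $mask )) ]
}

# Succeed only if target $1 is in scope, not excluded, and inside the window.
# $2 optionally overrides the current time (YYYYMMDDHHMM) for dry runs.
roe_allows() {
    now=${2:-$(date +%Y%m%d%H%M)}
    for block in $OUT_OF_SCOPE; do
        in_cidr "$1" "$block" && { echo "DENY $1: excluded ($block)"; return 1; }
    done
    if [ "$now" -lt "$WINDOW_START" ] || [ "$now" -gt "$WINDOW_END" ]; then
        echo "DENY $1: outside testing window"; return 1
    fi
    for block in $IN_SCOPE; do
        in_cidr "$1" "$block" && { echo "ALLOW $1: in scope ($block)"; return 0; }
    done
    echo "DENY $1: not in any in-scope range"; return 1
}
```

Source the file and call `roe_allows <target>` before each tool invocation, proceeding only on exit status 0; malformed addresses and anything not explicitly listed are denied.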
# Verify Kali tools are current
sudo apt update && sudo apt full-upgrade -y
# Check key tools are available
nmap --version
msfconsole --version
burpsuite &
# Create a project directory structure
mkdir -p ~/pentest/client-name/{recon,scans,exploits,loot,report}
cd ~/pentest/client-name
# Start logging everything
script -a ~/pentest/client-name/session.log
# Document your lab IP layout
ip addr show eth0
arp -n
Write a one-page mock Rules of Engagement document for a fictional client engagement. Include scope, exclusions, testing window, and escalation procedures.