Controlled environments only: owned VMs, CTF boxes, DVWA/Juice Shop, Metasploitable, lab hashes, and written authorization. No public targets. No stolen data.
01 / Network Recon Chain
apeiron@kali:~$ mkdir -p ops/target01/{scans,loot,notes}
apeiron@kali:~$ cd ops/target01
apeiron@kali:~/ops/target01$ ip -brief address
lo UNKNOWN 127.0.0.1/8
eth0 UP 192.168.64.6/24
apeiron@kali:~/ops/target01$ ip route
default via 192.168.64.1 dev eth0
192.168.64.0/24 dev eth0 proto kernel scope link src 192.168.64.6
apeiron@kali:~/ops/target01$ nmap -sn 192.168.64.0/24 -oN scans/00-hosts.txt
Nmap scan report for 192.168.64.1
Host is up.
Nmap scan report for 192.168.64.6
Host is up.
Nmap scan report for target.lab
Host is up.
apeiron@kali:~/ops/target01$ nmap -sV -sC target.lab -oN scans/01-basic.txt
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH
80/tcp open http Apache httpd
445/tcp open smb Samba smbd
apeiron@kali:~/ops/target01$ nmap -p- --min-rate 2500 target.lab -oN scans/02-fulltcp.txt
Discovered open port 22/tcp
Discovered open port 80/tcp
Discovered open port 445/tcp
Discovered open port 8080/tcp
apeiron@kali:~/ops/target01$ nmap -sV -sC -p 22,80,445,8080 target.lab -oN scans/03-deep.txt
# refine only confirmed ports, avoid wasting probes on dead space
Scan Logic
-sn host discovery
-sV service version detection
-sC default NSE scripts
-p- all 65535 TCP ports
-oN normal report output
sequence:
discover → basic scan → full TCP → deep service scan
Operator Read
22/tcp remote access surface
80/tcp web attack surface
445/tcp SMB enumeration surface
8080/tcp alternate web/admin surface
Only continue against lab/owned targets.
02 / Web Surface Mapping
apeiron@kali:~/ops/target01$ curl -I http://target.lab
HTTP/1.1 200 OK
Server: Apache/2.4.x
X-Powered-By: PHP/7.x
Set-Cookie: PHPSESSID=lab-session
apeiron@kali:~/ops/target01$ whatweb http://target.lab
Apache, PHP, Cookies, HTML5, Login-Page
apeiron@kali:~/ops/target01$ mkdir -p scans/web
apeiron@kali:~/ops/target01$ gobuster dir -u http://target.lab -w /usr/share/wordlists/dirb/common.txt -o scans/web/gobuster-common.txt
/admin (Status: 301)
/login (Status: 200)
/uploads (Status: 200)
/backup (Status: 403)
/server-status (Status: 403)
/robots.txt (Status: 200)
apeiron@kali:~/ops/target01$ ffuf -u http://target.lab/FUZZ -w /usr/share/wordlists/dirb/common.txt -mc 200,301,302,403 -o scans/web/ffuf.json
admin [Status: 301]
uploads [Status: 200]
backup [Status: 403]
dev [Status: 302]
apeiron@kali:~/ops/target01$ curl http://target.lab/robots.txt
User-agent: *
Disallow: /backup
Disallow: /dev
Disallow: /admin
apeiron@kali:~/ops/target01$ nikto -h http://target.lab -o scans/web/nikto.txt
# misconfiguration sweep against controlled web target
Web Targets
/admin authentication surface
/uploads file-handling surface
/backup sensitive directory candidate
/robots.txt hidden-path clue source
/dev staging/dev leak candidate
Next Probes
apeiron@kali:~$ curl -s http://target.lab/login | head
apeiron@kali:~$ grep -Ri "password" loot/ 2>/dev/null
apeiron@kali:~$ exiftool loot/* 2>/dev/null
# collect clues, do not attack public apps
03 / Password Audit Lab
apeiron@kali:~/hash-lab$ cat sample_hashes.txt
5f4dcc3b5aa765d61d8327deb882cf99
098f6bcd4621d373cade4e832627b4f6
25d55ad283aa400af464c76d713c07ad
apeiron@kali:~/hash-lab$ hashid sample_hashes.txt
[+] Possible Hashs: MD5
apeiron@kali:~/hash-lab$ john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt sample_hashes.txt
Loaded 3 password hashes
password (?)
test (?)
12345678 (?)
apeiron@kali:~/hash-lab$ john --show --format=raw-md5 sample_hashes.txt
?:password
?:test
?:12345678
3 password hashes cracked
apeiron@kali:~/hash-lab$ hashcat -m 0 sample_hashes.txt /usr/share/wordlists/rockyou.txt --status
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 0 (MD5)
Recovered........: 3/3
Cracking Logic
1. identify hash type
2. choose correct mode
3. run controlled wordlist audit
4. record weak patterns
5. recommend stronger password policy
Do not use stolen/leaked hashes.
Hashcat Modes
-m 0 MD5
-m 100 SHA1
-m 1000 NTLM
-m 1400 SHA2-256
-a 0 straight attack
--status live progress
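The five cracking-logic steps above as one small audit helper, added here as an example (not from the page or from john/hashcat). It assumes the page's three sample hashes, a constructed five-word stand-in for rockyou.txt, length-based hash identification using the mode table above, and policy wording of its own; NTLM is identified but not digested because MD4 is missing from many Python builds.

```python
import hashlib

# Hashcat modes from the table above, keyed by digest length in hex chars; 32 is ambiguous (MD5 or NTLM).
CANDIDATES = {32: [("MD5", 0), ("NTLM", 1000)], 40: [("SHA1", 100)], 64: [("SHA2-256", 1400)]}
HASHLIB_NAME = {"MD5": "md5", "SHA1": "sha1", "SHA2-256": "sha256"}  # NTLM (MD4) omitted: not in many builds

def identify(hash_value):
    """Step 1: (type, hashcat mode) candidates for a hex digest; [] if not recognised."""
    h = hash_value.strip().lower()
    if not h or any(c not in "0123456789abcdef" for c in h):
        return []
    return CANDIDATES.get(len(h), [])

def audit(hashes, wordlist):
    """Step 3: controlled wordlist audit. Returns {hash: (type, word)} for recovered entries."""
    table = {}
    for hash_type in {t for h in hashes for t, _ in identify(h) if t in HASHLIB_NAME}:
        for word in wordlist:
            table[(hash_type, hashlib.new(HASHLIB_NAME[hash_type], word.encode()).hexdigest())] = word
    found = {}
    for h in hashes:
        for hash_type, _ in identify(h):
            if (hash_type, h.lower()) in table:
                found[h] = (hash_type, table[(hash_type, h.lower())])
    return found

def weak_patterns(password):
    """Step 4: label the weak patterns a recovered password shows."""
    reasons = ["in wordlist"]
    if len(password) < 12:
        reasons.append("shorter than 12 chars")
    if password.isdigit() or password.isalpha():
        reasons.append("single character class")
    return reasons

# Policy wording is this example's own, not taken from the page.
POLICY = {"in wordlist": "block passwords present in common-password lists",
          "shorter than 12 chars": "require at least 12 characters",
          "single character class": "require mixed character classes or long passphrases"}

def recommend(found):
    """Step 5: one recommendation per distinct weak pattern seen, in first-seen order."""
    seen = []
    for _, (_, password) in found.items():
        seen += [r for r in weak_patterns(password) if r not in seen]
    return [POLICY[r] for r in seen]

# Constructed lab input: the page's three sample hashes plus a tiny stand-in for rockyou.txt.
LAB_HASHES = ["5f4dcc3b5aa765d61d8327deb882cf99", "098f6bcd4621d373cade4e832627b4f6", "25d55ad283aa400af464c76d713c07ad"]
LAB_WORDLIST = ["letmein", "password", "test", "12345678", "Summer2024!"]
```

Running `recommend(audit(LAB_HASHES, LAB_WORDLIST))` reproduces the three recoveries shown in the john and hashcat logs and turns them into policy findings.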
04 / Linux Enumeration After Foothold
www-data@target:/var/www/html$ whoami && id
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@target:/var/www/html$ hostname && uname -a
target
Linux target 5.x.x x86_64 GNU/Linux
www-data@target:/var/www/html$ ip a && ip route
eth0: 192.168.56.110/24
default via 192.168.56.1
www-data@target:/var/www/html$ ss -tulnp 2>/dev/null
tcp LISTEN 0 128 0.0.0.0:22
tcp LISTEN 0 128 0.0.0.0:80
tcp LISTEN 0 80 127.0.0.1:3306
www-data@target:/var/www/html$ find /var/www -type f -name "*.php" 2>/dev/null | head
/var/www/html/config.php
/var/www/html/login.php
/var/www/html/upload.php
www-data@target:/var/www/html$ grep -Ri "password\|passwd\|db_" /var/www 2>/dev/null
/var/www/html/config.php:$db_pass='lab-password';
Enumeration Questions
user: who am I?
groups: what permissions do I inherit?
kernel: old/vulnerable?
network: internal-only services?
webroot: credentials or configs?
sudo: allowed commands?
files: writable paths?
05 / Privilege Escalation Vector Checks
www-data@target:/tmp$ sudo -l
Sorry, user www-data may not run sudo on target.
www-data@target:/tmp$ find / -perm -4000 -type f 2>/dev/null
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/find
/usr/bin/bash
www-data@target:/tmp$ find / -writable -type d 2>/dev/null | head
/tmp
/var/tmp
/dev/shm
/opt/scripts
www-data@target:/tmp$ cat /etc/crontab
* * * * * root /opt/scripts/backup.sh
www-data@target:/tmp$ ls -la /opt/scripts/backup.sh
-rwxrwxrwx 1 root root 124 May 18 04:00 backup.sh
# lab interpretation: writable root-executed script is an escalation candidate
Vector Order
sudo -l
SUID binaries
cron jobs
writable root scripts
credentials in configs
PATH hijack checks
internal services
kernel research
Do Not Publish
real credentials
real private IPs
private tokens
real client data
working abuse scripts
unauthorized target details
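The cron-job and writable-root-script checks above as a reusable audit function, added here as an example (not from the page). It parses /etc/crontab-format lines, flags root-run jobs whose script file or containing directory is modifiable by a non-root user, and goes one step beyond the log above by also checking the parent directory. The crontab text and stat table are constructed to mirror the page's finding; stat_of is injected so the same function runs against a live host via os.stat or against the lab table.

```python
import os
import shlex
import stat
def parse_crontab(text):
    """Yield (user, command) from /etc/crontab lines: 5 time fields or one @special, then user, then command."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:   # comments and VAR=value
            continue
        fields = line.split(None, 2) if line.startswith("@") else line.split(None, 6)
        if len(fields) == (3 if line.startswith("@") else 7):
            yield fields[-2], fields[-1]
def audit_crontab(text, stat_of):
    """Flag root-run jobs whose script or its directory a non-root user can modify; stat_of(path) -> (mode, uid, gid) or None."""
    findings = []
    for user, command in parse_crontab(text):
        if user != "root":
            continue
        script = shlex.split(command)[0]
        parent = script.rsplit("/", 1)[0] or "/"
        for path in (script, parent):          # a writable directory allows replacing the script
            info = stat_of(path)
            if info is None:
                continue
            mode, uid, gid = info
            reasons = []
            if mode & stat.S_IWOTH:
                reasons.append("world-writable")
            if mode & stat.S_IWGRP and gid != 0:
                reasons.append("writable by gid %d" % gid)
            if uid != 0:
                reasons.append("owned by uid %d" % uid)
            if reasons:
                findings.append((script, path, reasons))
    return findings
def real_stat(path):
    """stat_of for a live host: mode bits, owner and group, or None if the path is absent."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return (stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
# Constructed lab data mirroring the page: backup.sh is 0777 root:root inside a writable /opt/scripts.
LAB_CRONTAB = "SHELL=/bin/sh\n# m h dom mon dow user command\n* * * * * root /opt/scripts/backup.sh\n17 * * * * root cd / && run-parts --report /etc/cron.hourly\n@daily www-data /var/www/cleanup.sh\n"
LAB_STAT = {"/opt/scripts/backup.sh": (0o777, 0, 0), "/opt/scripts": (0o777, 0, 0),
            "/etc/cron.hourly": (0o755, 0, 0), "/var/www/cleanup.sh": (0o755, 33, 33)}
def lab_findings():
    return audit_crontab(LAB_CRONTAB, LAB_STAT.get)
```

On a real box, `audit_crontab(open("/etc/crontab").read(), real_stat)` gives the same tuples for the live crontab; an empty list means no root job runs from a path a non-root user can change.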
06 / Recon Automation Skeleton
#!/bin/bash
# recon-chain.sh: organize lab recon artifacts for one authorized target
set -u

TARGET="${1:-}"
BASE="ops/$TARGET"
SCANS="$BASE/scans"
NOTES="$BASE/notes"

if [ -z "$TARGET" ]; then
    echo "usage: ./recon-chain.sh target.lab" >&2
    exit 1
fi

mkdir -p "$SCANS" "$NOTES"
echo "[+] target: $TARGET"
echo "[+] workspace: $BASE"

# stage 1: versions and default NSE scripts on the top ports
nmap -sV -sC "$TARGET" -oN "$SCANS/basic.txt"
# stage 2: all 65535 TCP ports; lower --min-rate on fragile links
nmap -p- --min-rate 2500 "$TARGET" -oN "$SCANS/full_tcp.txt"

# keep only ports nmap reported open (a bare "/tcp" match would also pull in filtered ones)
PORTS=$(grep -E '^[0-9]+/tcp[[:space:]]+open' "$SCANS/full_tcp.txt" | cut -d/ -f1 | paste -sd, -)

if [ -n "$PORTS" ]; then
    echo "[+] exposed ports: $PORTS"
    # stage 3: deep service scan restricted to confirmed ports
    nmap -sV -sC -p "$PORTS" "$TARGET" -oN "$SCANS/deep.txt"
fi

{
    echo "# TARGET: $TARGET"
    echo "# DATE: $(date)"
    echo ""
    echo "## FILES"
    ls -la "$SCANS"
} > "$NOTES/summary.md"
echo "[+] complete"
Run Log
apeiron@kali:~/tools$ chmod +x recon-chain.sh
apeiron@kali:~/tools$ ./recon-chain.sh target.lab
[+] target: target.lab
[+] workspace: ops/target.lab
[+] exposed ports: 22,80,445,8080
[+] complete
Purpose
This script organizes lab recon artifacts.
It does not exploit targets.
It creates repeatable scan folders, output files, and notes for authorized environments.