Lab Instructions

Pentesting Methodology

Follow these written lab steps in order. Run one command at a time and verify output before moving on.

Lab objective

Module 6: Pentesting Methodology. Include cryptography in reconnaissance: enumerate the TLS versions and cipher suites a lab target offers, and record anything weak or obsolete as a finding. Only run against systems you own or have explicit permission to test.

Command

N/A

Expected result: You have run a cipher suite enumeration (e.g. with Nmap or testssl.sh) and can interpret the results.

Step 1 - Cipher suite enumeration with Nmap

Against a lab host with an SSL/TLS service (e.g. HTTPS on 443): run nmap --script ssl-enum-ciphers -p 443 <target_ip>. The script handshakes with every protocol version and lists, per version, the cipher suites the server accepts, the key exchange parameters (e.g. the curve or RSA key size in parentheses), a letter grade per suite, any warnings (e.g. SWEET32 for 3DES, RC4 deprecated by RFC 7465), and a "least strength" summary. Review the output for: protocol versions below TLS 1.2 (SSLv3, TLS 1.0, TLS 1.1), and suites using NULL, EXPORT, RC4, DES/3DES, anonymous key exchange, or MD5. Also note the "cipher preference" line: if it says "client", the server will accept whatever order a client proposes, so a weak suite the server merely supports can actually be negotiated. Save the output (e.g. with -oN) for the documentation step.

Command

nmap --script ssl-enum-ciphers -p 443 <target_ip>

Expected result: You see a list of supported TLS versions and cipher suites for the target.

Step 2 - Optional: testssl.sh

If testssl.sh is available (e.g. cloned from GitHub), run it against https://<lab_target> (a host:port form also works). It produces a readable report of protocol versions, cipher suites, certificate weaknesses (e.g. small key, weak signature hash), and well-known issues such as POODLE, BEAST, SWEET32 and Heartbleed. Keep in mind it is a longer, noisier scan than the Nmap script, so run it only where that is acceptable on the lab target.

Command

./testssl.sh https://<lab_target>

Expected result: You have a report of the target's TLS configuration and any findings.

Step 3 - Document for methodology

Document the protocol versions and cipher suites found, with the raw tool output attached, as part of your recon phase. For each weak item note why it matters (e.g. RC4 and 3DES have practical attacks, TLS 1.0/1.1 are deprecated by RFC 8996) and what you would recommend: disable SSLv3/TLS 1.0/TLS 1.1, remove NULL/EXPORT/RC4/DES/3DES/anonymous suites, prefer ECDHE key exchange with AEAD ciphers (AES-GCM or ChaCha20-Poly1305), and have the server enforce its own cipher order.

Command

N/A

Expected result: Your notes include crypto recon results and simple remediation advice.
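The following script is an added example for Steps 1 to 3 and is not part of the lab materials. It triages saved Nmap ssl-enum-ciphers output into the three things the methodology step asks you to record: legacy protocol versions, weak cipher suites, and the server-side warnings Nmap emits. The scan text embedded below is constructed to look like real ssl-enum-ciphers output against a placeholder target; in the lab you would instead point the functions at a file written with nmap -oN.

```bash
#!/usr/bin/env bash
# Added example (not part of the lab): triage nmap ssl-enum-ciphers output.
# Lab usage:  nmap --script ssl-enum-ciphers -p 443 <target_ip> -oN scan.txt
#             tls_report scan.txt

# Every protocol version block starts with an indented "TLSv1.x:" / "SSLv3:"
# header; the final block is prefixed "|_" instead of "|".
tls_protocols() {
    awk '/^\|_? +(SSLv2|SSLv3|TLSv1\.[0-3]):/ { sub(/:.*/, "", $2); print $2 }' "$1"
}

# Anything below TLS 1.2 is a finding in itself (deprecated by RFC 8996).
tls_legacy_protocols() {
    tls_protocols "$1" | grep -E '^(SSLv2|SSLv3|TLSv1\.0|TLSv1\.1)$' || true
}

# Cipher lines look like "|  TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C".
# Flag a suite if its name contains a known-weak primitive or nmap graded it C-F.
tls_weak_ciphers() {
    awk '$2 ~ /^(TLS|SSL)_/ {
            name = $2; grade = $NF
            if (name ~ /(NULL|EXPORT|RC4|_DES_|3DES|_anon_|MD5)/ || grade ~ /^[C-F]$/)
                print name " " grade
         }' "$1" | sort -u
}

# Lines under a "warnings:" key until the next "key:" line (SWEET32, RC4, CRIME...).
tls_warnings() {
    awk '$2 == "warnings:" { inwarn = 1; next }
         $2 ~ /:$/        { inwarn = 0 }
         inwarn           { sub(/^\|_? +/, ""); print }' "$1" | sort -u
}

# Number of items that belong in the report as findings.
tls_finding_count() {
    echo $(( $(tls_legacy_protocols "$1" | wc -l) + $(tls_weak_ciphers "$1" | wc -l) ))
}

# Summary in the shape the documentation step asks for.
tls_report() {
    echo "== Protocol versions offered ==";   tls_protocols "$1"
    echo "== Legacy versions (< TLS 1.2) =="; tls_legacy_protocols "$1"
    echo "== Weak cipher suites (name grade) =="; tls_weak_ciphers "$1"
    echo "== Server-side warnings ==";        tls_warnings "$1"
    if [ "$(tls_finding_count "$1")" -gt 0 ]; then
        echo "Recommendation: disable the versions/suites above; offer TLS 1.2+ only," \
             "ECDHE key exchange with AEAD suites, and enforce server cipher order."
    else
        echo "No legacy versions or weak suites found."
    fi
}

# Constructed sample of ssl-enum-ciphers output (not a real scan result).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Broken cipher RC4 is deprecated by RFC 7465
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: C
EOF

tls_report "$SAMPLE"
```

The name-based check deliberately runs alongside Nmap's own grade: an older Nmap may grade a 3DES suite higher than a current one would, and the name pattern catches it either way. Treat the list as a starting point for the write-up, not the write-up itself; the raw scan file is what goes in the evidence appendix.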