A pentest without written authorization is a crime, not a test. Start with scope and rules of engagement, understand the phases, and build a legal lab to practice in.
Why: the only thing separating a penetration test from a criminal intrusion is written authorization — a signed scope and rules of engagement defining exactly what you may test, when, and how. When: never touch a target without this document in hand; "I was just checking" is not a defense. Where: professional testing happens under a contract, a bug-bounty program’s scope, or on systems you own.
Before ANY testing, a signed authorization must define:
[ ] SCOPE — exact IPs/domains/apps in scope (and what's OUT of scope)
[ ] RULES OF ENGAGEMENT — allowed techniques, times, rate limits
[ ] no DoS / no data destruction / no social-engineering unless agreed
[ ] emergency contacts + a "stop" procedure
[ ] handling of any sensitive data you encounter
No signed authorization = no test. This is the law, not etiquette.Why: a penetration test follows a repeatable methodology — recon, scanning, exploitation, post-exploitation, reporting — so coverage is systematic rather than ad-hoc. When: work the phases in order; each feeds the next. Where: frameworks like PTES and the MITRE ATT&CK tactics formalize this; the goal is always to find and document risk so it can be fixed.
RECON ─► SCANNING ─► VULN ID ─► EXPLOITATION ─► POST-EXPLOIT ─► REPORT
(passive (active (map to (prove it, (impact, (findings +
OSINT) nmap) CVEs) in scope) privesc) fixes)
The point is not to "hack" — it's to demonstrate real risk so the
organization can remediate it. The REPORT is the deliverable.Why: you practice these techniques on machines you own, never on the internet — a local lab with an attack box (Kali) and deliberately-vulnerable targets lets you learn safely and legally. When: set this up before the later lessons; every command in this course targets your lab. Where: Metasploitable, VulnHub VMs, and HackTheBox/TryHackMe provide authorized targets by design.
# A safe, legal practice lab (isolated host-only network, no internet bridge):
# Attack box: Kali Linux VM
# Target: Metasploitable 2/3, or VulnHub / HackTheBox / TryHackMe VMs
# Verify you're hitting your OWN lab target before running anything:
ip addr # confirm the host-only network
ping -c1 192.168.56.101 # your lab target's IP
# Keep the lab OFF any bridge to real networks. Practice here, only here.